Policy and Distribution Services uses XMLRPC (Extensible Markup Language Remote Procedure Call) for its normal inter-server communications. XMLRPC optionally provides security for inter-server communication across non-secured connections. Policy and Distribution Services can use this security for inter-server communications between servers across non-secured connections, or between a management workstation and servers across non-secured connections. For example, firewalls, intranets, NAT configurations, and so on.
This inter-server communications security ensures that data received across a non-secured connection is from a trusted source, that it has not been tampered with en route, and that the data received can be trusted by other machines. This is accomplished through the use of signed security certificates and digital signatures.
This security requires modifications to certain text files, and is installed using a ZfS wizard.
For instructions on installing XMLRPC security, see "Installing Additional Security for Non-Secured Connections" in the Installation guide.
The following are instances when you would want inter-server communication security:
ConsoleOne Administration: When you use a workstation to manage a Distributor server across a non-secured connection.
SET Parameters: When you create a SET Parameter policy or a software package for SET parameters, inter-server communication takes place to provide the target server's SET parameter information. This communication could cross a non-secured connection.
Server Down Policy: When you use this policy to down a server, the communication between the downed server and another server watching for it to come back up could cross a non-secured connection.
Review the following sections to understand inter-server communications security using XMLRPC:
The following terms and acronyms are used in the inter-server communications security documentation:
Inter-server communications security uses signed certificates issued by the Certificate Signer (CS), which are valid only within the context of the Novell ZENworks family of products.
The certificates used are not X.509 compliant and cannot be used for any e-commerce or SSL applications.
However, because SSL can be used by inter-server communications security for the ZenCSServlet, X.509 certificates provided by SSL can be used to secure inter-server communications. These certificates could be self-signed or signed by a root CA, such as VeriSign.
When a CS servlet signs a Certificate Signing Request (CSR), the requesting client must authenticate with a username and password via HTTP Basic Authentication. You can secure the username and password by using SSL for the ZenCSServlet.
For information on how to enable SSL for a commercial Web server, see your SSL documentation.
For information on setting up SSL with the ZfS Web Server, see "Configuring the Zen Web Server to Use SSL" in "Configuring Other Related Components" in "Installing Additional Security for Non-Secured Connections" in the Installation guide.
Inter-server communications security uses a password file for the username and password that are authenticated for CSR signing. You can create the password file in a text editor and place it in any secure location. You should also restrict access to the file to only the users who are listed in the file.
Usernames and passwords are both case sensitive. The syntax for the password file is:
username=password
For example:
admin=adminpassword
CSsigner=cspassword
JohnDoe=jdpassword
You should limit the access to the password file to those users included within the file.
In setting up inter-server communications security, the installation program relies on addresses or names of the servers where you want this security enabled. You can use either TCP/IP addresses or fully distinguished DNS server names.
IMPORTANT: For NetWare servers, DNS names cannot have underscores. Distribution sending or receiving errors will occur if the server's DNS name contains underscores. We recommend that you use dashes instead of underscores as word separators.
For the various methods you can use to obtain these addresses or server names, see "Information to Know Before Beginning the Installation" in "Installing Inter-Server Communications Security" in "Installing Additional Security for Non-Secured Connections" in the Installation guide.