Novell Cool Solutions

Securing your ZENworks Configuration Management server



February 3, 2008 10:48 am

This is the first in a series of posts about securing your ZENworks Configuration Management server.

Written at: Draper, UT

The usual rules about physical security of production servers should always be followed. Depending on your environment, this may mean anything from a secure server room with controlled access all the way through to biometric-controlled access to a datacenter.

We also recommend the usual operating-system-level security: anti-virus, a host firewall, and controlled access to the console.

The third piece of security is enforcing good change control and release management. For those of you adopting ITIL best practices, this should be relatively easy.

Finally, the ZENworks-specific pieces.

There are several configuration files on the server that should be protected. They contain the LDAP proxy credentials used to connect to the user sources (Active Directory or eDirectory) and the ‘server secrets’ for the server.

1. CASA realms

The ZENworks Configuration Management primary server uses CASA to provide cross-platform, cross-directory authentication and authorisation.

The User Sources are configured within the ZENworks Control Center. (Configuration –> User Sources)

User Sources

If you look at a configured User Source you will see the connection information:

User Source detail

This information is stored in an XML document on each primary server:

%ZENWORKS_HOME%\share\ats\etc\svc\iaRealms.xml

If you look at this file you will see the credentials in cleartext:

%ZENWORKS_HOME%\share\ats\etc\svc\iaRealms.xml

  <bci:realm desc="Directory" connectorType="org.bandit.ia.connectors.LDAPConnectorInitialCtxFactory" id="zenlab.evilzenscientist.com">
    <bci:env prop="java.naming.security.authentication" value="simple" />
    <bci:env prop="java.naming.security.principal" value="administrator@zenlab" />
    <bci:env prop="java.naming.security.credentials" value="foobarpassword" />
    <bci:env prop="java.naming.referral" value="follow" />
    <bci:env prop="com.novell.casa.authtoksvc.searchroot" value="OU=ZENlab users,DC=zenlab,DC=evilzenscientist,DC=com" />
    <bci:env prop="java.naming.ldap.attributes.binary" value="objectGUID" />
    <bci:env prop="com.novell.casa.authtoksvc.directory_type" value="ActiveDirectory" />
    <bci:connection xsi:type="bci:LDAPConnector">
      <address>ldap://10.0.0.200:389</address>
    </bci:connection>
  </bci:realm>

It is for this reason that we recommend using a non-privileged LDAP user, auditing that account, and ensuring that access to the ZENWORKS_HOME directory on your primary servers is restricted to administrators.
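As an added example (not code from the original post or from Novell), the following Python audit script parses an iaRealms.xml file and reports the findings discussed above: a cleartext credential present in the file, a simple bind configured against a plain ldap:// address, and a proxy account whose name suggests it is privileged. The sample document is constructed to mirror the excerpt above, and the bci namespace URI is an assumed placeholder; the checker matches on local tag names so it does not depend on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the iaRealms.xml excerpt in the post.
# The namespace URIs are assumed placeholders, not the real ones.
SAMPLE_REALMS = """<?xml version="1.0"?>
<bci:realms xmlns:bci="urn:example:bci"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <bci:realm desc="Directory" id="zenlab.example.com"
             connectorType="org.bandit.ia.connectors.LDAPConnectorInitialCtxFactory">
    <bci:env prop="java.naming.security.authentication" value="simple" />
    <bci:env prop="java.naming.security.principal" value="administrator@zenlab" />
    <bci:env prop="java.naming.security.credentials" value="EXAMPLE-PASSWORD" />
    <bci:env prop="com.novell.casa.authtoksvc.directory_type" value="ActiveDirectory" />
    <bci:connection xsi:type="bci:LDAPConnector">
      <address>ldap://10.0.0.200:389</address>
    </bci:connection>
  </bci:realm>
</bci:realms>
"""

# Account-name fragments that indicate the proxy user is more privileged
# than a read-only directory lookup requires (hypothetical list; extend it).
PRIVILEGED_NAMES = ("administrator", "admin", "domain admins")


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_realms(xml_text):
    """Return a list of (realm id, finding) tuples for one iaRealms.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for realm in root.iter():
        if local(realm.tag) != "realm":
            continue
        rid = realm.get("id", "?")
        env = {e.get("prop"): e.get("value")
               for e in realm.iter() if local(e.tag) == "env"}
        address = next((a.text or "" for a in realm.iter()
                        if local(a.tag) == "address"), "")
        if env.get("java.naming.security.credentials"):
            findings.append((rid, "cleartext credentials stored in iaRealms.xml"))
        if (env.get("java.naming.security.authentication") == "simple"
                and address.startswith("ldap://")):
            findings.append((rid, "simple bind over unencrypted ldap://"))
        principal = (env.get("java.naming.security.principal") or "").lower()
        if any(name in principal for name in PRIVILEGED_NAMES):
            findings.append((rid, "proxy account looks privileged: " + principal))
    return findings


if __name__ == "__main__":
    for realm_id, finding in audit_realms(SAMPLE_REALMS):
        print(realm_id, "-", finding)
```

Point the script at the real %ZENWORKS_HOME%\share\ats\etc\svc\iaRealms.xml on each primary server and review any realm that reports a privileged-looking principal.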

2. Primary server secrets and keys

The ZENworks Configuration Management primary server also stores the certificates and encrypted connection data on the filesystem.

It is always worth protecting the entire content of this directory; also make sure you have a backup copy of this data.

%ZENWORKS_HOME%\conf\security
