Policy and Distribution Services uses XMLRPC (Extensible Markup Language Remote Procedure Call) for its normal inter-server communications. XMLRPC optionally provides security for inter-server communication across non-secured connections. Policy and Distribution Services can use this security for inter-server communications between servers across non-secured connections, or between a management workstation and servers across non-secured connections, such as firewalls, intranets, or NAT configurations.
This inter-server communications security ensures that data received across a non-secured connection is from a trusted source, that it has not been tampered with en route, and that the data received can be trusted by other machines. This is accomplished through the use of signed security certificates and digital signatures.
This security requires modifications to certain text files, and is installed using a Server Management wizard.
The following are instances when you might want inter-server communication security:
ConsoleOne administration: When you use a workstation to manage a Distributor server across a non-secured connection.
SET parameters: When you create a SET Parameter policy or a software package for SET parameters, inter-server communication takes place to provide the target server’s SET parameter information. This communication could cross a non-secured connection.
Server Down policy: When you use this policy to down a server, the communication between the downed server and another server watching for it to come back up could cross a non-secured connection.
For instructions on installing XMLRPC security, see Installing Additional Security for Non-Secured Connections in the Novell ZENworks 7 Server Management Installation Guide.
Review the following sections to understand inter-server communications security using XMLRPC:
The terms and acronyms listed in Table 7-1 are used in this security documentation:
Table 7-1 Inter-Server Communications Security Terms
Inter-server communications security uses signed certificates issued by the Certificate Signer (CS), which are valid only within the context of the Novell ZENworks family of products.
The certificates used are not X.509 compliant and cannot be used for any e‑commerce or SSL applications.
When a CS servlet signs a Certificate Signing Request (CSR), the requesting client must authenticate with a username and password via HTTP Basic Authentication. You can secure the username and password by using SSL. For information on how to enable SSL for a commercial Web server, see your SSL documentation.
Inter-server communications security uses a password file for the username and password that are authenticated for CSR signing. You can create the password file in a text editor and place it in any secure location. You should also restrict access to the file to only the users who are listed in the file.
Usernames and passwords are both case sensitive. The syntax for the password file is:
username=password
For example:
admin=adminpassword
CSsigner=cspassword
JohnDoe=jdpassword
You should limit the access to the password file to those users included within the file.
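The following is an added example, not part of the Novell documentation or the product's code: a Python sketch that audits a password file in the username=password syntax above and checks an HTTP Basic Authentication header against it. The function names, the blank-line handling, and the owner-only permission check (POSIX only) are assumptions made for illustration.

```python
import base64
import hmac
import os
import stat
import tempfile

# Constructed sample: the three entries from the page's example plus one bad line.
SAMPLE = "admin=adminpassword\nCSsigner=cspassword\nJohnDoe=jdpassword\nnopassword\n"

def load_password_file(path):
    """Parse username=password lines; return (entries, problems)."""
    entries, problems = {}, []
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            if not raw.strip():
                continue  # assumption: blank lines are ignored
            user, sep, password = raw.rstrip("\r\n").partition("=")
            if not sep or not user or not password:
                problems.append(f"line {lineno}: not username=password")
            elif user in entries:
                problems.append(f"line {lineno}: duplicate user {user!r}")
            else:
                entries[user] = password  # stored exactly: names are case sensitive
    # Cleartext passwords: flag any group/other permission bits (POSIX assumption).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"mode {mode:o} grants access beyond the owner")
    return entries, problems

def check_basic_auth(header, entries):
    """Check an Authorization header value against the parsed entries."""
    scheme, _, token = header.partition(" ")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    expected = entries.get(user)  # exact-case lookup
    if scheme.lower() != "basic" or not sep or expected is None:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())

def demo():
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, 0o644)  # deliberately too open, to show the finding
    entries, problems = load_password_file(path)
    os.remove(path)
    return entries, problems
```

The Basic header is only base64-encoded, so the credentials are readable to anyone who can observe the connection unless SSL is enabled for the CSR signing request.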
In setting up inter-server communications security, the installation program relies on addresses or names of the servers where you want this security enabled. You can use either TCP/IP addresses or fully distinguished DNS server names.
For the various methods you can use to obtain these addresses or server names, see Gather Information for Installation in the Novell ZENworks 7 Server Management Installation Guide.