Chapter 3. Server Security
3.1. Configuring Firewall Ports
A new appliance starts with a few standard ports open:
- 22 for SSH communication
- 80 for HTTP access to the appliance
- 443 for HTTPS access to the appliance
- 5432 for the appliance database
You might need to restrict or open access to certain services on your appliance in the future. In such situations, use the following method:
Use firewalld to enable a service or port, specifying the zone in use. For example, to open the LDAP port:
[root@ ~]# firewall-cmd --zone=manageiq --permanent --add-port=389/tcp
The following table lists the appliance’s main services and their respective ports.
Table 3.1. Ports Used by Red Hat CloudForms
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| Administrator (Internet Browser) | CFME appliance (User Interface) | HTTPS | 443 | | Access to CFME appliance User Interface |
| Administrator (Internet Browser) | CFME appliance (User Interface) | HTTP | 80 | | Redirect Web Browser to HTTPS service (443) |
| Service Catalog or other integration through Web Service | CFME appliance (Web Service) | HTTPS | 443 | | Access to CFME appliance Web Service |
| CFME appliance | NFS Server | NFS | 2049 | 2049 | Embedded NFS VM scanning |
| CFME appliance (User Interface) | Any Virtual Machine | TCP | 903 | | VM Remote Console (if using MKS plug-in) |
| CFME appliance (User Interface) | Any Virtual Machine | TCP | 5900-5999 | | VM Remote Console (if using VNC) |
| CFME appliance (any role) | CFME appliance running the VMDB | PostgreSQL Named Pipes | 5432 | | CFME appliance connectivity to the CFME Database (PostgreSQL) |
| CFME Subordinate Region VMDB appliance (Database Synchronization) | CFME Master Region VMDB appliance | PostgreSQL Named Pipes | 5432 | | Regional VMDB node replication up to Master VMDB node (PostgreSQL only) |
| CFME appliance (Authentication through LDAP) | LDAP Server (AD or other) | LDAP | 389 | | LDAP integration |
| CFME appliance (Authentication through LDAPS) | LDAP Server (AD or other) | LDAPS | 636 | | LDAPS integration |
| SNMP Agent | CFME appliance (Notifier) | SNMP (UDP) | | 161 | SNMP Polling |
| CFME appliance (Notifier) | SNMP Server | SNMP (TCP) | 162 | | SNMP Trap Send |
| CFME appliance (Notifier) | Mail server | SMTP | 25 | | SNMP Trap Send |
| CFME appliance (any role) | NTP Server | NTP | 123 | | Time Source |
| CFME appliance | CFME SmartProxy installed on VMware ESX Server | HTTPS | 1139 | | Communication with SmartProxy |
| CFME SmartProxy installed on VMware ESX Server | CFME appliance | HTTPS | 443 | | SmartProxy Heartbeat |
| CFME appliance | DNS Server | UDP | | 53 | DNS Lookups |
The following tables detail the ports used by Red Hat CloudForms to communicate with providers.
Table 3.2. Red Hat Enterprise Virtualization Ports Used by Red Hat CloudForms
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| CFME appliance (SmartProxy) | RHEV-M Server | HTTPS | 8443 | | API communications to RHEV-M environment (Inventory, Operations, SmartProxy) |
| CFME appliance (C&U) | RHEV-M Server | PostgreSQL | 5432 | | RHEV-M History Database (Database connectivity not enabled by default). See How to access the RHEV-M Postgres DB from a remote machine. |
| CFME appliance | RHEV-H Hosts or RHEL Hypervisors | SSH | 22 | | SSH connections. |
| CFME appliance | RHEV-H Hosts or RHEL Hypervisors | DirectLUN | | | Direct LUN hook must be installed and enabled for embedded VM scanning on FC or iSCSI storage devices. Not a TCP/UDP connection. |
Table 3.3. Red Hat OpenStack Platform Ports Used by Red Hat CloudForms
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| CFME appliance | RHOS (Keystone) | HTTP REST API | 5000 | | Authentication and Service Entry Point |
| CFME appliance | RHOS (Nova) | HTTP REST API | 8774 | | Compute Resources |
| CFME appliance (C&U) | RHOS (Ceilometer) | HTTP REST API | 8777 | | Metrics for Capacity and Utilization |
| CFME appliance | RHOS (Glance) | HTTP REST API | 9292 | | Authentication and Service Entry Point |
| CFME appliance | RHOS (AMQP) | AMQP | 5672 | | Events Integration |
| CFME appliance | RHOS (Neutron) | HTTP REST API | 9696 | | Networking |
| CFME appliance | RHOS (Cinder) | HTTP REST API | 8776 | | Block Storage |
Table 3.4. OpenShift Container Platform Ports Used by CloudForms Management Engine
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| CFME Appliance | OpenShift Master Node(s) (or Load Balancer) | HTTPS | 8443 or 443 | | Required for communication to the OpenShift API. Dependent on OpenShift configuration. |
| CFME Appliance | OpenShift Infrastructure Node(s) (or Load Balancer) | HTTPS | 443 | | Metrics and logging |
Table 3.5. VMware vSphere Ports Used by Red Hat CloudForms
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| CFME appliance (Management System Inventory, Management System Operations, C & U Data Collection, SmartProxy) | vCenter | HTTPS | 443 | | CFME appliance running any of these roles will initiate communication with vCenter on this port |
| CFME appliance (SmartProxy) | ESX, ESXi Host | HTTPS | 443 | | CFME appliance |
| CFME appliance (SmartProxy) | ESX Hosts (if analyzing VMs through host) | SOAP over HTTPS | 902 | | Communication from CFME appliance to hosts |
| CFME appliance (SmartProxy) | vCenter (if analyzing VMs through VC) | SOAP over HTTPS | 902 | | Communication from CFME appliance to vCenters |
| CFME appliance (SmartProxy) | ESX Hosts (not needed for ESXi) | SSH | 22 | | CFME appliance console access (ssh) to ESX hosts |
Table 3.6. SCVMM Ports Used by Red Hat CloudForms
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| CFME appliance | Hyper-V Host (VMM agent) | WinRM/RPC/NetBIOS/SMB (over TCP) | 80/135/139/445 | | Communication from CFME appliance to Host |
| CFME appliance | Hyper-V Host (file transfer) | HTTPS (using BITS) | 443 | | Communication from CFME appliance to Host |
| CFME appliance | VM Guest Agent (file transfer) | HTTPS (using BITS) | 443 | | Communication from CFME appliance to VM Guest Agent |
| CFME appliance | VMware ESX 3.0/3.5 Host (file transfer) | SFTP | 22 | | Communication from CFME appliance to ESX Host |
| CFME appliance | VMware ESXi Host (file transfer) | SSH/HTTPS (using BITS) | 443 | | Communication from CFME appliance to ESX Host |
| CFME appliance | WSUS Server (data channel) | HTTP | 80/443 | | Communication from CFME appliance to Server |
| CFME appliance | SQL Server database (remote) | TDS | 1433 | | CFME appliance connectivity to the Database |
| CFME appliance | Load Balancer | Load balancer config provider | 80/443 | | |
| CFME appliance | Hyper-V host in untrusted domain or perimeter network (File Transfer) | TCP | 443 | | CFME appliance connectivity to the host |
| CFME appliance | Hyper-V Host (file transfer) | BITS | 443 | | Communication from CFME appliance to Host |
| CFME appliance | VMware Web Services | WCF | 443 | | |
Table 3.7. Azure Ports Used by Red Hat CloudForms
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| CFME appliance | SQL Management (*.database.windows.net) | TDS | 1433 | | CFME appliance connectivity to the Database |
| CFME appliance | Upload into Storage (*.blob.core.windows.net) | HTTP/HTTPS | 80/443 | | |
| CFME appliance | Service Bus Relay HTTP Mode (*.servicebus.windows.net) | SB over HTTP | 80 | | |
| CFME appliance | Service Bus Pubsub over REST (*.servicebus.windows.net) | HTTPS | 443 | | |
| CFME appliance | Access Control (*.accesscontrol.windows.net) | HTTPS | 443 | | |
Table 3.8. Google Compute Engine Ports Used by CloudForms Management Engine
| Initiator (CFME Role if applicable) | Receiver (CFME Role if applicable) | Application | TCP Port | UDP Port | Purpose |
|---|---|---|---|---|---|
| CFME Appliance | Google Cloud SDK | HTTPS | 443 | | Communication from CFME Appliance to Google Cloud Platform resources |
To provide your Red Hat CloudForms infrastructure with an extra layer of security, use a network layer firewall to restrict port access.
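Once ports have been added for individual integrations, the zone tends to drift from what the appliance actually needs. The script below is an added example, not part of the Red Hat documentation: it compares the ports firewalld has open in the appliance zone with an expected set and reports drift in both directions. The zone name manageiq and the four default ports come from this section; the function names and the ZONE override are my own.

```shell
#!/bin/bash
# Added example (not from the CloudForms documentation): compare the ports
# firewalld has open in the appliance zone with the ports this appliance
# should expose, and report drift in both directions.
# Zone "manageiq" and the four default ports are taken from this chapter.

BASE_PORTS="22/tcp 80/tcp 443/tcp 5432/tcp"

# Print every port/proto token in $1 that does not appear in $2 (one per line).
# Tokens are compared whole, so a range such as 5900-5999/tcp is one entry.
ports_not_in() {
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Audit the permanent configuration of the zone. Extra ports the appliance
# legitimately needs (for example 389/tcp after the firewall-cmd command in
# this section) are passed as arguments. --permanent changes are not live
# until "firewall-cmd --reload"; drop --permanent to audit the runtime set.
# Entries opened with --add-service appear under --list-services instead, so
# this audit covers --add-port entries only.
audit_zone() {
    zone="${ZONE:-manageiq}"
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    open=$(firewall-cmd --zone="$zone" --permanent --list-ports) || return 2
    expected="$BASE_PORTS $*"
    extra=$(ports_not_in "$open" "$expected")
    missing=$(ports_not_in "$expected" "$open")
    [ -n "$extra" ]   && printf 'open but not expected:\n%s\n' "$extra"
    [ -n "$missing" ] && printf 'expected but not open:\n%s\n' "$missing"
    [ -z "$extra" ] && [ -z "$missing" ]
}

# Usage on the appliance, after sourcing this file:  audit_zone 389/tcp
```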
3.2. Generating SSL Certificates for Your Appliance and Database
It is important to enhance the security of SSL communication of your appliances, which, depending on your setup, may include your database appliance. The appliance image ships with a default SSL certificate. It is recommended to replace this certificate with your own certificate, either signed by a trusted Certificate Authority (CA) or self-signed.
3.2.1. Creating a Certificate Signing Request
The first step is to determine the host name of your appliance or database appliance by running the following command:
$ hostname
The next step is to create a Certificate Signing Request (CSR) using the openssl command:
[root@ ~]# openssl req -new -newkey rsa:2048 -out appliance.csr -keyout appliance.key
This command generates a 2048-bit RSA private key and asks for a passphrase for the key.
Generating a 2048 bit RSA private key
..................+++
...........................+++
writing new private key to 'appliance.key'
Enter PEM pass phrase: **********
Verifying - Enter PEM pass phrase: **********
The command then provides a questionnaire requesting certain details for the key. Fill out this questionnaire. Use the output of the hostname command to specify the Common Name.
For example:
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:Red Hat CloudForms
Organizational Unit Name (eg, section) []:Customer Content Services
Common Name (eg, your name or your server's hostname) []:$(hostname)
Email Address []:example@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Running the command produces two files:
- appliance.key - The private key
- appliance.csr - The Certificate Signing Request (CSR)
At this stage, you would send the CSR to a trusted Certificate Authority (CA) and in return they would send you a signed certificate.
3.2.2. Creating a Self-signed Certificate
As an alternative to obtaining a signed certificate, you can use the appliance.key and appliance.csr files to create a self-signed certificate by running the following openssl commands:
[root@ ~]# openssl rsa -in appliance.key -out server.cer.key
[root@ ~]# openssl x509 -in appliance.csr -out server.cer -req -signkey server.cer.key -days 3650
This produces two files:
- server.cer.key - The private key for your signed certificate
- server.cer - The self-signed certificate
3.2.3. Enabling Your Certificate
Whether you used a trusted CA or self-signed the certificate, you should now have your own certificate for your appliance.
Copy the certificate and key files to the certificate directory on the appliance:
[root@ ~]# cp ~/server.cer.key /var/www/miq/vmdb/certs/server.cer.key
[root@ ~]# cp ~/server.cer /var/www/miq/vmdb/certs/server.cer
After the certificate and key files have been copied, restart the appliance:
[root@ ~]# systemctl restart evmserverd
The appliance now uses your own certificate.
If your environment consists of multiple appliances connecting to a single database appliance, you can use your certificate and key files to set up SSL for the database connection. For more information, see Section 4.2, “Configuring the Database to use SSL”.
Updates from the Red Hat Content Delivery Network might overwrite these certificate and key files. Make sure to copy your own certificate and key files to the certificate directory after performing an update to your appliance.
See also the following article for information on replacing SSL certificates in Red Hat CloudForms: https://access.redhat.com/articles/449033.
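Because an update can silently put the default certificate back, it is worth scripting a check that the installed certificate and key still belong together, are not about to expire, and carry the Common Name you gave in the CSR. The following is an added example, not part of the Red Hat documentation; the function names and the CERT_DIR override are assumptions, while the file names and directory are the ones used in this section.

```shell
#!/bin/bash
# Added example (not from the CloudForms documentation): sanity checks for the
# certificate and key the appliance serves from /var/www/miq/vmdb/certs.
# CERT_DIR can be overridden so the checks can be run against copies.
CERT_DIR="${CERT_DIR:-/var/www/miq/vmdb/certs}"

# The public key embedded in the certificate must equal the one derived from
# the private key. The key is expected to be unencrypted, which is what
# "openssl rsa -in appliance.key -out server.cer.key" produces; </dev/null
# keeps openssl from waiting on a passphrase prompt if it is not.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Extract the Common Name so it can be compared with the output of hostname,
# which this section says to use when answering the CSR questionnaire.
# Handles both "CN = host" (OpenSSL 1.1+) and "/CN=host" subject formats.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Run every check against the installed files; non-zero exit means action needed.
check_appliance_certs() {
    local cert="$CERT_DIR/server.cer" key="$CERT_DIR/server.cer.key" rc=0
    cert_matches_key "$cert" "$key" || { echo "key does not match $cert" >&2; rc=1; }
    cert_valid_for_days "$cert" 30  || { echo "$cert expires within 30 days" >&2; rc=1; }
    [ "$(cert_common_name "$cert")" = "$(hostname)" ] \
        || { echo "CN of $cert differs from hostname" >&2; rc=1; }
    return $rc
}
```

Running check_appliance_certs after each appliance update turns the warning in this section into a test that fails loudly instead of a silent fallback to the shipped certificate.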
3.3. Creating Custom Encryption Keys
To avoid storing passwords in plain text, Red Hat CloudForms appliances use an encryption key to encode and decode passwords. Each appliance stores the key in /var/www/miq/vmdb/certs/v2_key. Changing the encryption key is recommended only when setting up new Red Hat CloudForms appliances.
Red Hat does not recommend changing the encryption key for an existing appliance as the ability to decrypt the password will be lost, affecting all stored passwords in Red Hat CloudForms.
To generate a new encryption key:
- Log in to the console of your master appliance as the root user.
- Run the appliance_console command. The Red Hat CloudForms appliance information screen appears.
- Press any key to view the appliance menu.
- Select Generate Custom Encryption Key.
- A prompt asks for confirmation to overwrite the existing key. Enter Y.
- Enter 1 for 1) Create key.
- The appliance generates the new key. Press any key to complete this procedure.
This completes the procedure for generating the new key. If you have external Red Hat CloudForms appliances, you must share this key to ensure your whole Red Hat CloudForms infrastructure is using consistent encryption. Failure to use the same key results in encryption and decryption problems.
To copy an encryption key:
- Log in to the console of an external appliance as the root user.
- Run the appliance_console command. The Red Hat CloudForms appliance information screen appears.
- Press any key to view the appliance menu.
- Select Generate Custom Encryption Key.
- A prompt asks for confirmation to overwrite the existing key. Enter Y.
- Select Fetch key from remote machine.
- Enter the hostname or IP address of the master appliance.
- Enter the username for SSH access to the master appliance. Use the default root user.
- Enter the password for SSH access to the master appliance.
- Enter the location of the remote key. Accept the default of /var/www/miq/vmdb/certs/v2_key.
- The appliance copies the new key from the remote server. Press any key to complete this procedure.
After distributing the new key, all appliances require an update to the database configuration. On every appliance, log in as the root user and run the following commands, replacing dbpassword with your database password:
[root@ ~]# fix_auth --databaseyml --hostname localhost --password dbpassword
[root@ ~]# systemctl restart evmserverd
This completes the new encryption key generation for your Red Hat CloudForms infrastructure.
3.4. Applying SCAP Standards
The Security Content Automation Protocol (SCAP) is a set of standards to assist with vulnerability management and policy compliance. Red Hat CloudForms provides a set of SCAP standards to apply to your appliance. View these SCAP rules in the /var/www/miq/lib/appliance_console/config/scap_rules.yml file.
To apply the SCAP standards to your appliance’s server:
- Log in to the appliance as the root user.
- Enter the appliance_console command. The Red Hat CloudForms Appliance summary screen displays.
- Press Enter to manually configure settings.
- Select Harden Appliance Using SCAP Configuration. The appliance console displays the following:
Harden Appliance Using SCAP Configuration
Locking down the appliance for SCAP...
- The appliance applies the SCAP settings from the scap_rules.yml file.
- When complete, press any key to return to the summary screen.
The appliance now meets the SCAP standards set in the scap_rules.yml file.
