Chapter 3. Server Security

3.1. Configuring Firewall Ports

A new appliance starts with a few standard ports open:

  • 22 for SSH communication
  • 80 for HTTP access to the appliance
  • 443 for HTTPS access to the appliance
  • 5432 for the appliance database

You might need to restrict or open access to certain services on your appliance in the future. In such situations, use the following method:

  • Use firewalld to enable a service or port, specifying the zone in use. For example, to open the LDAP port:

    [root@ ~]# firewall-cmd --zone=manageiq --permanent --add-port=389/tcp

The following table lists the appliance’s main services and their respective ports.

Table 3.1. Ports Used by Red Hat CloudForms

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

Administrator (Internet Browser)

CFME appliance (User Interface)

HTTPS

443

 

Access to CFME appliance User Interface

Administrator (Internet Browser)

CFME appliance (User Interface)

HTTP

80

 

Redirect Web Browser to HTTPS service (443)

Service Catalog or other integration through Web Service

CFME appliance (Web Service)

HTTPS

443

 

Access to CFME appliance Web Service

CFME appliance

NFS Server

NFS

2049

2049

Embedded NFS VM scanning

CFME appliance (User Interface)

Any Virtual Machine

TCP

903

 

VM Remote Console (if using MKS plug-in)

CFME appliance (User Interface)

Any Virtual Machine

TCP

5900-5999

 

VM Remote Console (if using VNC)

CFME appliance (any role)

CFME appliance running the VMDB

PostgreSQL Named Pipes

5432

 

CFME appliance connectivity to the CFME Database (PostgreSQL)

CFME Subordinate Region VMDB appliance(Database Synchronization)

CFME Master Region VMDB appliance

PostgreSQL Named Pipes

5432

 

Regional VMDB node replication up to Master VMDB node (PostgreSQL only)

CFME appliance(Authentication through LDAP)

LDAP Server (AD or other)

LDAP

389

 

LDAP integration

CFME appliance (Authentication through LDAPs)

LDAP Server (AD or other)

LDAPs

636

 

LDAPS integration

SNMP Agent

CFME appliance (Notifier)

SNMP (UDP)

 

161

SNMP Polling

CFME appliance (Notifier)

SNMP Server

SNMP (TCP)

162

 

SNMP Trap Send

CFME appliance (Notifier)

Mail server

SMTP

25

 

SNMP Trap Send

CFME appliance (any role)

NTP Server

NTP

 

123

Time Source

CFME appliance

CFME SmartProxy installed on VMware ESX Server

HTTPS

1139

 

Communication with SmartProxy

CFME SmartProxy installed on VMware ESX Server

CFME appliance

HTTPS

443

 

SmartProxy Heartbeat

CFME appliance

DNS Server

UDP

 

53

DNS Lookups

The following tables detail the ports used by Red Hat CloudForms to communicate with providers.

Table 3.2. Red Hat Enterprise Virtualization Ports Used by Red Hat CloudForms

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

CFME appliance (SmartProxy)

RHEV-M Server

HTTPS

8443

 

API communications to RHEV-M environment (Inventory, Operations, SmartProxy)

CFME appliance (C&U)

RHEV-M Server

PostgreSQL

5432

 

RHEV-M History Database (Database connectivity not enabled by default). See How to access the RHEV-M Postgres DB from a remote machine.

CFME appliance

RHEV-H Hosts or RHEL Hypervisors

SSH

22

 

SSH connections.

CFME appliance

RHEV-H Hosts or RHEL Hypervisors

DirectLUN

  

Direct LUN hook must be installed and enabled for embedded VM scanning on FC or iSCSI storage devices. Not a tcp/udp connection.

Table 3.3. Red Hat OpenStack Platform Ports Used by Red Hat CloudForms

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

CFME appliance

RHOS (Keystone)

HTTP REST API

5000

 

Authentication and Service Entry Point

CFME appliance

RHOS (Nova)

HTTP REST API

8774

 

Compute Resources

CFME appliance (C&U)

RHOS (Ceilometer)

HTTP REST API

8777

 

Metrics for Capacity and Utilization

CFME appliance

RHOS (Glance)

HTTP REST API

9292

 

Authentication and Service Entry Point

CFME appliance

RHOS (AMQP)

AMQP

5672

 

Events Integration

CFME appliance

RHOS (Neutron)

HTTP REST API

9696

 

Networking

CFME appliance

RHOS (Cinder)

HTTP REST API

8776

 

Block Storage

Table 3.4. OpenShift Container Platform Ports Used by CloudForms Management Engine

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

CFME Appliance

OpenShift Master Node(s) (or Load Balancer)

HTTPS

8443 or 443

 

Required for communication to the OpenShift API. Dependent on OpenShift configuration.

CFME Appliance

OpenShift Infrastructure Node(s) (or Load Balancer)

HTTPS

443

 

Metrics and logging

Table 3.5. VMware vSphere Ports Used by Red Hat CloudForms

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

CFME appliance(Management System Inventory, Management System Operations, C & U Data Collection, SmartProxy)

vCenter

HTTPS

443

 

CFME appliance running any of these roles will initiate communication with vCenter on this port

CFME appliance (SmartProxy)

ESX, ESXi Host

HTTPS

443

 

CFME appliance

CFME appliance (SmartProxy)

ESX Hosts (if analyzing VMs through host)

SOAP over HTTPS

902

 

Communication from CFME appliance to hosts

CFME appliance (SmartProxy)

vCenter (if analyzing VMs through VC)

SOAP over HTTPS

902

 

Communication from CFME appliance to vCenters

CFME appliance(SmartProxy)

ESX Hosts (not needed for ESXi)

SSH

22

 

CFME appliance console access (ssh) to ESX hosts

Table 3.6. SCVMM Ports Used by Red Hat CloudForms

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

CFME appliance

Hyper-V Host (VMM agent)

WinRM/RPC/NetBIOS/SMB (over TCP)

80/135/139/445

 

Communication from CFME appliance to Host

CFME appliance

Hyper-V Host (file transfer)

HTTPS (using BITS)

443

 

Communication from CFME appliance to Host

CFME appliance

VM Guest Agent (file transfer)

HTTPS (using BITS)

443

 

Communication from CFME appliance to VM Guest Agent

CFME appliance

VMware ESX 3.0/3.5 Host (file transfer)

SFTP

22

 

Communication from CFME appliance to ESX Host

CFME appliance

VMware ESXi Host (file transfer)

SSH/HTTPS (using BITS)

443

 

Communication from CFME appliance to ESX Host

CFME appliance

WSUS Server (data channel)

HTTP

80/443

 

Communication from CFME appliance to Server

CFME appliance

SQL Server database (remote)

TDS

1433

 

CFME appliance connectivity to the Database

CFME appliance

Load Balancer

Load balancer config provider

80/443

  

CFME appliance

Hyper-V host in untrusted domain or perimeter network (File Transfer)

TCP

443

 

CFME appliance connectivity to the host

CFME appliance

Hyper-V Host (file transfer)

BITS

443

 

Communication from CFME appliance to Host

CFME appliance

VMware Web Services

WCF

443

  

Table 3.7. Azure Ports Used by Red Hat CloudForms

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

CFME appliance

SQL Management (*.database.windows.net)

TDS

1433

 

CFME appliance connectivity to the Database

CFME appliance

Upload into Storage (*.blob.core.windows.net)

HTTP/HTTPS

80/443

  

CFME appliance

Service Bus Relay HTTP Mode (*.servicebus.windows.net)

SB over HTTP

80

  

CFME appliance

Service Bus Pubsub over REST (*.servicebus.windows.net)

HTTPS

443

  

CFME appliance

Access Control (*.accesscontrol.windows.net)

HTTPS

443

  

Table 3.8. Google Compute Engine Ports Used by CloudForms Management Engine

Initiator (CFME Role if applicable)Receiver (CFME Role if applicable)ApplicationTCP PortUDP PortPurpose

CFME Appliance

Google Cloud SDK

HTTPS

443

 

Communication from CFME Appliance to Google Cloud Platform resources

Important

To provide your Red Hat CloudForms infrastructure with an extra layer of security, use a network layer firewall to restrict port access.

3.2. Generating SSL Certificates for Your Appliance and Database

It is important to enhance the security of SSL communication of your appliances, which, depending on your setup, may include your database appliance. The appliance image ships with a default SSL certificate. It is recommended to replace this certificate with your own certificate, either signed by a trusted Certificate Authority (CA) or self-signed.

3.2.1. Creating a Certificate Signing Request

The first step is to determine the host name of your appliance or database appliance by running the following command:

$ hostname

The next step is to create a Certificate Signing Request (CSR) using the openssl command:

[root@ ~]# openssl req -new -newkey rsa:2048 -out appliance.csr -keyout appliance.key

This command generates a 2048-bit RSA private key and asks for a passphrase for the key.

Generating a 2048 bit RSA private key
..................+++
...........................+++
writing new private key to 'appliance.key'
Enter PEM pass phrase: **********
Verifying - Enter PEM pass phrase: **********

The command then provides a questionnaire requesting certain details for the key. Fill out this questionnaire. Use the output of the hostname command to specify the Common Name.

For example:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:Red Hat CloudForms
Organizational Unit Name (eg, section) []:Customer Content Services
Common Name (eg, your name or your server's hostname) []:$(hostname)
Email Address []:example@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Running the command produces two files:

  • appliance.key - The private key
  • appliance.csr - The Certificate Signing Request (CSR)

At this stage, you would send the CSR to a trusted Certificate Authority (CA) and in return they would send you a signed certificate.

3.2.2. Creating a Self-signed Certificate

As an alternative to obtaining a signed certificate, you can use the appliance.key and appliance.csr files to create a self-signed certificate by running the following openssl commands:

[root@ ~]# openssl rsa -in appliance.key -out server.cer.key
[root@ ~]# openssl x509 -in appliance.csr -out server.cer -req -signkey server.cer.key -days 3650

This produces two files:

  • server.cer.key - The private key for your signed certificate
  • server.cer - The self-signed certificate

3.2.3. Enabling Your Certificate

Despite whether you used a trusted CA or self-signed the certificate, you should now have your own certificate for your appliance.

Copy the certificate and key files to the certificate directory on the appliance:

[root@ ~]# cp ~/server.cer.key /var/www/miq/vmdb/certs/server.cer.key
[root@ ~]# cp ~/server.cer /var/www/miq/vmdb/certs/server.cer

After the certificate and key files have been copied, restart the appliance:

[root@ ~]# systemctl restart evmserverd

The appliance now uses your own certificate.

If your environment consists of multiple appliances connecting to a single database appliance, you can use your certificate and key files to set up SSL for the database connection. For more information, see Section 4.2, “Configuring the Database to use SSL”.

Important

Updates from the Red Hat Content Delivery Network might overwrite these certificate and key files. Make sure to copy your own certificate and key files to the certificate directory after performing an update to your appliance.

Note

See also the following article for information on replacing SSL certificates in Red Hat CloudForms : https://access.redhat.com/articles/449033.

3.3. Creating Custom Encryption Keys

To avoid storing passwords in plain text, Red Hat CloudForms appliances use an encryption key to encode and decode passwords. Each appliance stores the key in the /var/www/miq/vmdb/certs/v2_key. Changing the encryption key is recommended during setting up new Red Hat CloudForms appliances only.

Important

Red Hat does not recommend changing the encryption key for an existing appliance as the ability to decrypt the password will be lost, affecting all stored passwords in Red Hat CloudForms.

To generate a new encryption key:

  1. Log in to the console of your master appliance as the root user.
  2. Run the appliance_console command. The Red Hat CloudForms appliance information screen appears.
  3. Press any key to view the appliance menu.
  4. Select Generate Custom Encryption Key.
  5. A prompt asks if for confirmation to overwrite the existing key. Enter Y.
  6. Enter 1 for 1) Create key.
  7. The appliance generates the new key. Press any key to complete this procedure.

This completes the procedure for generating the new key. If you have external Red Hat CloudForms appliances, you must share this key to ensure your whole Red Hat CloudForms infrastructure is using consistent encryption. Failure to use the same key results in encryption and decryption problems.

To copy an encryption key:

  1. Log in to the console of an external appliance as the root user.
  2. Run the appliance_console command. The Red Hat CloudForms appliance information screen appears.
  3. Press any key to view the appliance menu.
  4. Select Generate Custom Encryption Key.
  5. A prompt asks if for confirmation to overwrite the existing key. Enter Y.
  6. Select Fetch key from remote machine.
  7. Enter the hostname or IP address of the master appliance.
  8. Enter the username for SSH access to the master appliance. Use the default root user.
  9. Enter the password for SSH access to the master appliance.
  10. Enter the location of the remote key. Accept the default as /var/www/miq/vmdb/certs/v2_key.
  11. The appliance copies the new key from the remote server. Press any key to complete this procedure.

After distributing the new key, all appliances require an update to the database configuration. For all appliances, log in as the root user and run the following commands replacing dbpassword with your database password:

[root@{productname_short_l} ~]# fix_auth --databaseyml --hostname localhost --password dbpassword
[root@{productname_short_l} ~]# systemctl restart evmserverd

This completes the new encryption key generation for your Red Hat CloudForms infrastructure.

3.4. Applying SCAP Standards

The Security Content Automation Protocol (SCAP) is a set of standards to assist with vulnerability management and policy compliance. Red Hat CloudForms provides a set of SCAP standards to apply to your appliance. View these SCAP rules in the /var/www/miq/lib/appliance_console/config/scap_rules.yml file.

To apply the SCAP standards to your appliance’s server:

  1. Log in to the appliance as the root user.
  2. Enter the appliance_console command. The Red Hat CloudForms Appliance summary screen displays.
  3. Press Enter to manually configure settings.
  4. Select Harden Appliance Using SCAP Configuration.
  5. The appliance console displays the following:

    Harden Appliance Using SCAP Configuration
    
    Locking down the appliance for SCAP...

    The appliance applies the SCAP settings from the scap_rules.yml file.

  6. When complete, press any key to return to the summary screen.

The appliance now meets the SCAP standards set in the scap_rules.yml file.