Chapter 2. Appliance Security

2.1. Setting the Password for the Administrative User

Red Hat CloudForms Management Engine uses a unique admin user to control all functions in the web-based user interface. After installing the appliance, change the default password of the admin to restrict administrative access to the appliance’s UI.

Changing the admin password uses the same process as changing any standard user in the appliance.

Procedure: Changing the admin Password

  1. Access your appliance through your web browser and login
  2. Navigate to ConfigureConfiguration.
  3. In the accordion tree on the left, click on Access Control, then select the Administrator under the Users section. This displays the details for the admin user.
  4. On the details page, select ConfigurationEdit this user from the toolbar.
  5. Enter a new password in the Change Password / Confirm Password fields.
  6. Click Save at the bottom of the page.
  7. Log out of the user interface.

  8. Test your new password by logging into the user interface.

    Also test your new password in the appliance console.

The Red Hat CloudForms Appliance now has a non-default admin password. This restricts access to your appliance’s administrative functions.

2.2. Registering and Updating CloudForms Management Engine

An important part of securing Red Hat CloudForms Management Engine is to ensure your appliances use the latest packages. Package updates to the appliance contain patches for any software bugs, including possible security bugs.

The Red Hat Updates page enables you to edit register and update appliances. This includes either registering the appliance to Red Hat’s Content Delivery Network (CDN) or to a Red Hat Satellite server.

The following tools are used during the update process:

  • Yum provides package installation, updates, and dependency checking.
  • Red Hat Subscription Manager manages subscriptions and entitlements.
  • Red Hat Satellite Server runs at customer locations providing local system registration and updates from inside the customer’s firewall.
Important

The update worker synchronizes the VMDB with the status of available CloudForms Management Engine content every 12 hours.

Note

Servers with the RHN Mirror role also act as a repository for other Appliances to pull CloudForms Management Engine packages updates.

The Red Hat Updates page enables you to register appliances. You need the following to register:

  • Your Red Hat Account login or Red Hat Network Satellite login
  • A Red Hat subscription that covers your product

Procedure: Registering a CloudForms Management Engine Appliance

  1. Log in to the Appliance as the root user.
  2. Navigate to ConfigureConfiguration. Select Region in the accordion menu and click the Red Hat Updates tab.
  3. In Red Hat Software Updates, click Edit Registration.

  4. You can register the CloudForms Management Engine Appliance using one of three available options:

    • Red Hat Subscription Management
    • Red Hat Satellite 5

    • Red Hat Satellite 6

      The Subscription Management Service you register with will provide your systems with updates and allow additional management.

To register with Red Hat Subscription Management:

  1. In Register to, select Red Hat Subscription Management.
  2. Enter Red Hat Subscription Management Address. The default is subscription.rhn.redhat.com.
  3. Enter Repository Name. The default is cf-me-5.4-for-rhel-6-rpms rhel-server-rhscl-6-rpms, which are the Red Hat CloudForms repository and the Red Hat Software Collections repository.
  4. To use a HTTP proxy, select Use HTTP Proxy and enter your proxy details.
  5. Enter your Red Hat account information; click Validate.
  6. Click Save.

To register with Red Hat Satellite 5:

  1. In Register to, select Red Hat Satellite 5.
  2. Enter Red Hat Satellite 5 Address. The default is subscription.rhn.redhat.com.
  3. Enter Repository Name. The default is rhel-x86_64-server-6-cf-me-4.0 rhel-x86_64-server-6-rhscl-1, which are the Red Hat CloudForms repository and the Red Hat Software Collections repository.
  4. To use a HTTP proxy, select Use HTTP Proxy and enter your proxy details.
  5. Enter your Red Hat Satellite account information.
  6. Click Save.

To register with Red Hat Satellite 6:

  1. In Register to, select Red Hat Satellite 6.
  2. Enter Red Hat Satellite 6 Address. The default is subscription.rhn.redhat.com.
  3. Enter Repository Name. The default is cf-me-5.4-for-rhel-6-rpms rhel-server-rhscl-6-rpms, which are the Red Hat CloudForms repository and the Red Hat Software Collections repository.
  4. To use a HTTP proxy, select Use HTTP Proxy and enter your proxy details.
  5. Enter your Red Hat Satellite account information; click Validate.
  6. Click Save.

After registering, the following options are available in the Appliance Updates section of the Red Hat Updates tab:

OptionUse

Check for Updates

Checks for available updates using yum.

Register

Attempts to register the appliance if it is not already registered. CloudForms Management Engine subscribes to the rhel-x86_64-server-6-cf-me-3 RHN channel for RHN registered appliances, and to the products designated by Red Hat product certification for subscription-manager registered appliances. The Red Hat Enterprise Linux channels are enabled by default on registration. In addition, CloudForms Management Engine checks for updates after registering.

Apply CFME Update

Applies updates to CloudForms Management Engine packages only. Specifically, this option runs the yum -y update cfme-appliance command. This command installs every package listed in the dependency tree if it is not already installed. If a specific version of a package is required, that version of the package is installed or upgraded. No other packages, such as PostgreSQL or Red Hat Enterprise Linux, are updated.

2.3. Configuring Host-Based Access Control Rules on your IPA Server

Red Hat CloudForms provides support for external authentication using an IPA server. However, there are certain recommendations to enhance security to your appliance, such as creating a specific user group and host group that can access the appliance authentication service.

Run the following steps on your IPA server.

  • Create a user group and restrict access to only the Red Hat CloudForms users 

    [root@ipa ~]# ipa group-add cloudforms_users --desc="CloudForms Users"
[root@ipa ~]# ipa group-add-member cloudforms_users --users=testuser1,testuser2

  • Create a host group and restrict access to your appliance hosts: 

    [root@ipa ~]# ipa hostgroup-add cloudforms_hosts --desc "CloudForms hosts"
[root@ipa ~]# ipa hostgroup-add-member cloudforms_hosts --hosts=appliance1.example.com,appliance2.example.com

  • Add rules to allow the host group and user group access to the Red Hat CloudForms HTTP service: 

    [root@ipa ~]# ipa hbacrule-add cloudforms_access --srchostcat=all
[root@ipa ~]# ipa hbacrule-add-service cloudforms_access --hbacsvcs httpd-auth
[root@ipa ~]# ipa hbacrule-add-user cloudforms_access --groups cloudforms_users
[root@ipa ~]# ipa hbacrule-add-host cloudforms_access --hostgroups cloudforms_hosts

  • Remove the default rule on your IPA server to allow access to all: 

    [root@ipa ~]# ipa hbacrule-disable allow_all

This ensures only users in the cloudforms_users group can access the authentication service (http-auth) on the appliances in the cloudforms_hosts host group.