Network UPS Tools User Manual

Recommendations

Info

Network UPS Tools User Manual 41 / 84 Install the client-side certificate Use the following commands to install the client-side certificate: mkdir chmod 0755 cp upsd.crt /.0 Example: mkdir /usr/local/ups/etc/certs chmod 0755 /usr/local/ups/etc/certs cp upsd.crt /usr/local/ups/etc/certs/0123abcd.0 If you already have a file with that name in there, increment the 0 until you get a unique filename that works. If you have multiple client systems (like upsmon slaves), be sure to install this file on them as well. We recommend making a directory under your existing confpath to keep everything in the same place. Remember the path you created, since you will need to put it in upsmon.conf later. It must not be writable by unprivileged users, since someone could insert a new client certificate and fool upsmon into trusting a fake upsd. Create the combined file for upsd To do so, use the below commands: cat upsd.crt upsd.key > upsd.pem chown root:nut upsd.pem chmod 0640 upsd.pem This file must be kept secure, since anyone possessing it could pretend to be upsd and harvest authentication data if they get a hold of port 3493. Having it be owned by root and readable by group nut allows upsd to read the file without being able to change the contents. This is done to minimize the impact if someone should break into upsd. NUT reads the key and certificate files after dropping privileges and forking. Note on certification authorities (CAs) and signed keys There are probably other ways to handle this, involving keys which have been signed by a CA you recognize. Contact your local SSL guru. Install the server-side certificate Install the certificate with the following command: mv upsd.pem Example: mv upsd.pem /usr/local/ups/etc/upsd.pem After that, edit your upsd.conf and tell it where to find it: CERTFILE /usr/local/ups/etc/upsd.pem
Network UPS Tools User Manual 42 / 84 Clean up the temporary files rm -f upsd.crt upsd.key Restart upsd It should come back up without any complaints. If it says something about keys or certificates, then you probably missed a step. If you run upsd as a separate user id (like nutsrv), make sure that user can read the upsd.pem file. Point upsmon at the certificates Edit your upsmon.conf, and tell it where the CERTPATH is: CERTPATH Example: CERTPATH /usr/local/ups/etc/certs Recommended: make upsmon verify all connections with certificates Put this in upsmon.conf: CERTVERIFY 1 Without this, there is no guarantee that the upsd is the right host. Enabling this greatly reduces the risk of man in the middle attacks. This effectively forces the use of SSL, so don’t use this unless all of your upsd hosts are ready for SSL and have their certificates in order. Recommended: force upsmon to use SSL Again in upsmon.conf: FORCESSL 1 If you don’t use CERTVERIFY 1, then this will at least make sure that nobody can sniff your sessions without a large effort. Setting this will make upsmon drop connections if the remote upsd doesn’t support SSL, so don’t use it unless all of them have it running. 9.5.2 NSS backend usage This section describes how to enable NUT SSL support using Mozilla NSS. Install NSS Install Mozilla NSS as usual, either from source or binary packages. If using binary packages, be sure to include the developer libraries, and nss-tools (for certutil). Recompile and install NUT Recompile NUT from source, starting with configure --with-nss. Then install everything as usual.
Page 1 and 2: Network UPS Tools User Manual i Net
Page 3 and 4: Network UPS Tools User Manual iii C
Page 5 and 6: Network UPS Tools User Manual v Ins
Page 7 and 8: Network UPS Tools User Manual vii 9
Page 9 and 10: Network UPS Tools User Manual ix F
Page 11 and 12: Network UPS Tools User Manual xi J.
Page 13 and 14: Network UPS Tools User Manual 2 / 8
Page 21 and 22: Network UPS Tools User Manual 10 /
Page 51: Network UPS Tools User Manual 40 /
Page 95: Network UPS Tools User Manual 84 /

Network UPS Tools User Manual

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?