Network UPS Tools User Manual

Recommendations

Info

Network UPS Tools User Manual 43 / 84 Create certificate and key for the host NSS (package generally called libnss3-tools) will install a tool called certutil. It will be used to generate certificates and manage certificate database. Certificates should be signed by a certification authorities (CAs). Following commands are typical samples, contact your SSL guru or security officer to follow your company procedures. GENERATE A SERVER CERTIFICATE FOR UPSD: • Create a directory where store the certificate database: mkdir cert_db • Create the certificate database : certutil -N -d cert_db • Import the CA certificate: certutil -A -d cert_db -n "My Root CA" -t "TC,," -a -i rootca.crt • Create a server certificate request (here called My nut server): certutil -R -d cert_db -s "CN=My nut serve r,O=MyCompany,ST=MyState,C=US" -a -o server.req • Make your CA sign the certificate (produces server.crt) • Import the signed certificate into server database: certutil -A -d cert_db -n "My nut server" -a -i se rver.crt -t "„" • Display the content of certificate server: certutil -L -d cert_db Clients and servers in the same host could share the same certificate to authenticate them or use different ones in same or different databases. The same operation can be done in same or different databases to generate other certificates. Create a self-signed CA certificate NSS provides a way to create self-signed certificate which can acting as CA certificate, and to sign other certificates with this CA certificate. This method can be used to provide a CA certification chain without using an "official" certificate authority. GENERATE A SELF-SIGNED CA CERTIFICATE: • Create a directory where store the CA certificate database: mkdir CA_db • Create the certificate database: certutil -N -d CA_db • Generate a certificate for CA: certutil -S -d CA_db -n "My Root CA" -s "CN=My CA,O=MyCompany,ST= MyState,C=US" -t "CT,," -x -2 (Do not forget to answer Yes to the question Is this a CA certificate [y/N]?) • Extract the CA certificate to be able to import it in upsd (or upsmon) certificate database: certutil -L -d CA_db -n "My Root CA" -a -o rootca.crt • Sign a certificate request with the CA certificate (simulate a real CA signature): certutil -C -d CA_db -c "My Root CA" -a -i server.req -o server.crt -2 -6 Install the server-side certificate Just copy the database directory (just the directory and included 3 database .db files) to the right place, such as /usr/local/ ups/etc/: mv cert_db /usr/local/ups/etc/
Network UPS Tools User Manual 44 / 84 upsd (required): certificate database and self certificate Edit the upsd.conf to tell where find the certificate database: CERTPATH /usr/local/ups/etc/cert_db Also tell which is the certificate to send to clients to authenticate itself and the password to decrypt private key associated to certificate: CERTIDENT ’certificate name’ ’database password’ Note Generally, the certificate name is the server domain name, but is not a hard rule. The certificate can be named as useful. upsd (optional): client authentication Note This functionality is disabled by default. To activate it, recompile NUT with WITH_CLIENT_CERTIFICATE_VALIDATION defined: make CFLAGS="-DWITH_CLIENT_CERTIFICATE_VALIDATION" UPSD can accept three levels of client authentication. Just specify it with the directive CERTREQUEST with the corresponding value in the upsd.conf file: • NO: no client authentication. • REQUEST: a certificate is request to the client but it is not strictly validated. If the client does not send any certificate, the connection is closed. • REQUIRE: a certificate is requested to the client and if it is not valid (no validation chain) the connection is closed. Like CA certificates, you can add many trusted client and CA certificates in server’s certificate databases. upsmon (required): upsd authentication In order for upsmon to securely connect to upsd, it must authenticate it. You must associate an upsd host name to security rules in upsmon.conf with the directive CERTHOST. CERTHOST associates a hostname to a certificate name. It also determines whether a SSL connection is mandatory, and if the server certificate must be validated. CERTHOST ’hostname’ ’certificate name’ ’certverify’ ’forcessl’ If the flag forcessl is set to 1, and upsd answers that it can not connect with SSL, the connection closes. If the flag certv erify is set to 1 and the connection is done in SSL, upsd’s certificate is verified and its name must be the specified certificate name. To prevent security leaks, you should set all certverify and forcessl flags to 1 (force SSL connection and validate all certificates for all peers). You can specify CERTVERIFY and FORCESSL directive (to 1 or 0) to define a default security rule to apply to all host not specified with a dedicated CERTHOST directive. If a host is not specified in a CERTHOST directive, its expected certificate name is its hostname.
Page 1 and 2:
Network UPS Tools User Manual i Net
Page 3 and 4: Network UPS Tools User Manual iii C
Page 5 and 6: Network UPS Tools User Manual v Ins
Page 7 and 8: Network UPS Tools User Manual vii 9
Page 9 and 10: Network UPS Tools User Manual ix F
Page 11 and 12: Network UPS Tools User Manual xi J.
Page 13 and 14: Network UPS Tools User Manual 2 / 8
Page 21 and 22: Network UPS Tools User Manual 10 /
Page 53: Network UPS Tools User Manual 42 /
Page 95: Network UPS Tools User Manual 84 /
show all

Network UPS Tools User Manual

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?