1. Kemp Support
2. Knowledge Base
3. Security

Configuring LoadMaster for Common Criteria Conformance

Updated: February 15, 2023 22:53

This document details the configuration settings that must be modified from their default values so that LoadMaster operation and behavior conforms to the Common Criteria standard.

Follow the instructions in this document to install and license LoadMaster, and to make the configuration changes required after installation to bring the system into Common Criteria operating mode.

Progress Kemp LoadMaster is listed on the Common Criteria Certified Products webpage under Network and Network-Related Devices and Systems. Click here to view LoadMaster's Common Criteria certificate.

Target Releases

These instructions apply to LMOS Version 7.2.48.8 and subsequent LMOS Version 7.2 updates.

Installation Process

The only prerequisite is the deployment, licensing, and initial configuration of LoadMaster. See the Installation Guides available for various platforms that will guide you through this process. Please note the following:

• You need a console connected during the initial boot process
• After boot, you will use the console to set the IP address data for the LoadMaster
• You’ll need to create a Kemp ID in order to license the unit online; it’s a simple process that is confirmed via email.
• When you reach the point in the installation document where LoadMaster is licensed, choose the appropriate licensing option. Be sure to have your Kemp ID and password handy.

CC Configuration Process

Once you complete the steps in the above document, follow the steps in these sub-sections prior to beginning testing.

Log In

1. Log in to the UI via HTTPS using the IP address assigned during installation, the ‘bal’ administrative login, and the password you specified during installation.
   • Download the LoadMaster issuing CA RSA certificate and install it in the management workstation certificate store and/or the browser certificate store.

Set Minimum Password Length

2. In the left frame menu, click System Configuration > System Administration > User Management to set the desired Minimum Password Length (default is 8).

Set ECC Ciphers for Self-Signed Certificates and Outbound Connections

3. In the left frame menu, click Certificates & Security > Remote Access:
4. In the Self-Signed Certificate Handling drop-down, select EC Certs with an RSA signature. This will autogenerate a new self-signed LoadMaster certificate and assign it to the WUI interface.
5. Download the LoadMaster ECC Issuing CA Certificate and install in the management workstation certificate store and/or browser certificate store. [Do not skip this step! See the NOTE below.]
6. In the Self-Signed Certificate Handling drop-down, select EC Certs with an EC signature. This will autogenerate a new self-signed LoadMaster certificate and assign it to the WUI interface. When set to this value, all Certificate Signing Requests generated on the Certificates & Security > Generate CSR page will also use EC signatures.

• • NOTE: If you did not download and install the LoadMaster ECC issuing CA certificate in the previous step, you will no longer be able to use the WUI. To recover, open the LoadMaster console CLI, perform a factory reset, and start over. Factory reset does not change the “bal” password.

7. In the Outbound Connection Cipher Set drop-down, select the ECDSA_BestPractices cipher set. 

Secure Remote Logging

8. In the left frame menu, click System Configuration > Logging Options > Syslog Options:
   1. Add a remote log collector by entering an IP address into the Syslog Host box, specify the logging level to export, and click the Add Syslog Host
   2. In the Remote Syslog Port text box, enter any port other than 601 and click Set Port to enable log export over secure TCP on that port.
   3. Ensure that Remote Syslog Protocol is configured as TLS for so that TOE can talk to Remote Syslog server over SSL.
   4. For server certification validates, ensure that the Server Certificate Validation option is enabled.

Note: The secure syslog channel is restricted to TLSv1.1 and TLSv1.2

Set Admin UI for Certificate Login, TLS, and Custom ECC Cipher Set

9. In the left frame menu, click Certificates & Security > Intermediate Certificates and use the controls there to upload the issuing CA and associated Root CA certificate needed to validate admin client connections to the UI.
10. In the left frame menu, click Certificates & Security > Admin WUI Access:
    1. In the WUI Cipher Set drop-down, select the ECDSA_BestPractices cipher set.
    2. Enable/Disable TLS Protocols as required.
    3. Set a Pre-Auth Click Through Banner (this is required for Certificate based authentication to the UI).
11. In the left frame menu, click System Configuration > System Administration >User Management
    1. Create a user account that exactly matches the Principal Name on the certificate you will use for administrative access (select the option to create the account without a password)
    2. Assign privileges to the account just created. Use All Rights for the first account added.
12. In the left frame menu, click Certificates & Security > Remote Access:
13. Set the Admin Login field to Password or Client Certificate
14. Test login using the associated certificate. If this fails, clear cookies, close browser, reopen browser and try again. If this still fails, clear cookies, close browser, reopen browser, bypass certificate request and sign in using the “bal” account.

Disable SSH Access

15. In the left frame menu, click Certificates & Security > Remote Access, and disable the Allow Remote SSH Access check box.

Enable OCSP Checking and Stapling

16. In the left frame menu, click Certificates & Security > OCSP Configuration:
    1. Enter the OCSP Server IP address and click Set Address.
    2. Enter the OCSP Server Port and click Set Port.
    3. Enter the OCSP URL and click Set URL.
    4. Enable the Enable OCSP Checking check box.

Notes:

1. The Use SSL option must be disabled for OCSP checking in Common Criteria operating mode, and the OCSP server must be configured to accept unencrypted connections from LoadMaster.
2. The Authority Information Access (AIA) certificate field is an X.509 v3 certificate extension. It may contain the following information:
   • The CA issuer access method: how to retrieve information about the certificate issuer.
   • The OCSP access method: the address of the OCSP server from which revocation information can be retrieved.
3. If present, the AIA field is given precedence and will be used. If the AIA is not present or appears invalid, the OCSP Server configuration details above will be used. Also note the following:
   • LDAPS: AIA information from the server certificate is honoured if Certificates & Security > OCSP Configuration > OCSP Checking is enabled.
   • Syslog-NG: AIA information from the server certificate is honoured if Certificates & Security > OCSP Configuration > OCSP Checking is enabled.
   • UI Authentication: AIA information from the client certificate is honoured if the Certificates & Security > Remote Access > Administrator Access > Admin Login Method parameter is set to Client certificate required (verify via OCSP).

Set the CLI Banner

17. In the left frame menu, click Certificates & Security > Remote Access, type in an SSH Pre-Auth Banner and click Set Pre-Auth Message. This banner is also used for the CLI (even if SSH is disabled).

Disable CLI Virtual Service Administration

18. CLI VS administration must be disabled because CLI service changes are not audited. Do the following:
    1. In the left frame menu, click System Configuration > Logging Options > System Logs and then do the following:
    2. In the page at right, click the Debug Options
    3. Click Disable CLI VS [Note that the button and label now read: Enable CLI VS Management.]

Setup Admin UI Access via LDAP

19. To set up an LDAP domain, click Certificates & Security > LDAP Configuration. Follow the instructions in the UI guide here.
20. To set up admin UI (bal account) access via LDAP/AD:
    1. In the left frame menu, click Certificates & Security > Remote Access.
    2. In the page at right, click the WUI Authorizations
    3. Follow the instructions in the UI guide here.
       • Note: The secure LDAPS channel is restricted to TLSv1.1 and TLSv1.2

Lockdown Admin UI logon to Certificate Only with OCSP validation

21. In the left frame menu, click Certificates & Security > Remote Access
    1. Set the Admin Login field to Client Certificate Required (Verify via OCSP)
    2. Sign out, clear cookies in browser, close browser, reopen browser and verify certificate logon works.
    3. If login fails, you will need to use the Console interface to reset the web administrative settings to allow you to sign in using a password.

Logging for Admin UI logon

22. In the left frame menu, click System Configuration -> Network Options
    1. Set the Log SSL errors to “All errors”

The system is now configured for Common Criteria conformant operation.

Appendix: Further Information

Link to UI Guide:
https://support.kemptechnologies.com/hc/en-us/articles/213906303

Link to CLI guide:
https://support.kemptechnologies.com/hc/en-us/articles/203128129

 

---

Comments