Configuring LoadMaster for Common Criteria Conformance

This document details the configuration settings that must be modified from their default values so that LoadMaster operation and behavior conforms to the Common Criteria standard.

Follow the instructions in this document to install and license LoadMaster, and to make the configuration changes required after installation to bring the system into “Common Criteria operating mode”.

Target Release

These instructions have been prepared for LMOS Version 7.2.48.5, which is the evaluated image. The instructions apply to all subsequent LMOS Version 7.2 releases.

LoadMaster is listed as under evaluation for Common Criteria conformance on the NIAP website.

Installation Process

The only prerequisite is the deployment, licensing, and initial configuration of LoadMaster. A separate VMware platform installation document is available from the Kemp website to guide you through this process. Please note the following:

  • You need a console connected during the initial boot process.
  • After boot, you will use the console to set the IP address data for the LoadMaster.
  • You’ll need to create a Kemp ID in order to license the unit online; it’s a simple process that is confirmed via email.
  • When you reach the point in the VMware platform installation document where LoadMaster is licensed, be sure to choose the Online Licensing option, specify the Kemp ID and password you created, and accept the license provided by the licensing server.

CC Configuration Process

Once you complete the steps in the VMware platform installation document, follow the steps in these sub-sections prior to beginning testing.

Log In

  1. Log in to the UI via HTTPS using the IP address assigned during installation, the ‘bal’ administrative login, and the password you specified during installation.
    • Download the LoadMaster issuing CA RSA certificate and install it in the management workstation certificate store and/or the browser certificate store.

Set Minimum Password Length

  1. In the left frame menu, click System Configuration > System Administration > User Management to set the desired Minimum Password Length (default is 8).

Set ECC Ciphers for Self-Signed Certificates and Outbound Connections

  1. In the left frame menu, click Certificates & Security > Remote Access:
  2. In the Self-Signed Certificate Handling drop-down, select EC Certs with an RSA signature. This will autogenerate a new self-signed LoadMaster certificate and assign it to the WUI interface.
  3. Download the LoadMaster ECC Issuing CA Certificate and install in the management workstation certificate store and/or browser certificate store.
  4. In the Self-Signed Certificate Handling drop-down, select EC Certs with an EC signature. This will autogenerate a new self-signed LoadMaster certificate and assign it to the WUI interface. If you did not download and install the LoadMaster ECC issuing CA certificate, you will no longer be able to use the WUI; in that case, use the console to perform a factory reset and start over. Factory reset does not change the “bal” password. [Note: When set to this value, all Certificate Signing Requests generated on the Certificates & Security > Generate CSR page will also use EC signatures.]
  5. In the Outbound Connection Cipher Set drop-down, select an appropriate Custom ECC Cipher Suite Set. (Please see Appendix A for a list of the specific ciphers included in this cipher set and notes in relation to this item.)

Secure Remote Logging

  1. In the left frame menu, click System Configuration > Logging Options > Syslog Options:
    1. Add a remote log collector by entering an IP address into the Syslog Host box, specify the logging level to export, and click the Add Syslog Host button.
    2. In the Remote Syslog Port text box, enter any port other than 601 and click Set Port to enable log export over secure TCP on that port.
    3. Ensure that Remote Syslog Protocol is configured as TLS so that the TOE communicates with the remote syslog server over TLS.
    4. To validate the server certificate, ensure that the Server Certificate Validation option is enabled.

Note: The secure syslog channel is restricted to TLSv1.1 and TLSv1.2.

Set LoadMaster to use ECC Ciphers

Set Admin UI for Certificate Login, TLS and Custom ECC Cipher Set

  1. In the left frame menu, click Certificates & Security > Intermediate Certificates and use the controls there to upload the issuing CA and associated Root CA certificate needed to validate admin client connections to the UI.
  2. In the left frame menu, click Certificates & Security > Admin WUI Access:
    1. In the WUI Cipher Set drop-down, select an appropriate Custom ECC Cipher Suite Set that has been generated. The Custom Cipher Suite Set can be generated from Certificates & Security > Cipher Sets.
    2. Enable/Disable TLS Protocols as required.
    3. Set a Pre-Auth Click Through Banner (this is required for Certificate based authentication to the UI).
  3. In the left frame menu, click System Configuration > System Administration > User Management:
    1. Create a user account that exactly matches the Principal Name on the certificate you will use for administrative access (select the option to create the account without a password).
    2. Assign privileges to the account just created. Use “All Rights” for the first account added.
  4. In the left frame menu, click Certificates & Security > Remote Access:
  5. Set the Admin Login field to Password or Client Certificate.
  6. Test login using the associated certificate. If this fails, clear cookies, close browser, reopen browser and try again. If this still fails, clear cookies, close browser, reopen browser, bypass certificate request and sign in using the “bal” account.
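As an added check (example code, not part of the Kemp document), the probe below connects to the admin WUI offering only ECDHE suites and classifies the negotiated protocol and cipher; the host, port, CA file name and allowed-protocol list are assumptions.

```python
"""Probe the LoadMaster admin WUI TLS posture after the cipher-set change.
Added example, not Kemp's code. Assumes the downloaded ECC issuing CA is
saved as loadmaster-ecc-ca.pem and that TLSv1.1/1.2 are the enabled protocols."""
import json
import socket
import ssl
import sys

# Assumption: mirrors the TLSv1.1/TLSv1.2 restriction stated for syslog and LDAPS.
ALLOWED_PROTOCOLS = ("TLSv1.1", "TLSv1.2")


def is_ecc_suite(cipher: str) -> bool:
    """ECDHE key exchange (ECDSA- or RSA-signed) in OpenSSL naming.
    Static-RSA and DHE suites fail; TLS 1.3 suites (TLS_*) are named
    differently and are not covered by this check."""
    return cipher.startswith("ECDHE-")


def evaluate_session(protocol: str, cipher: str, allowed=ALLOWED_PROTOCOLS) -> dict:
    """Classify one negotiated session; compliant only if both checks pass."""
    result = {
        "protocol": protocol,
        "cipher": cipher,
        "protocol_ok": protocol in allowed,
        "ecc_cipher": is_ecc_suite(cipher),
    }
    result["compliant"] = result["protocol_ok"] and result["ecc_cipher"]
    return result


def probe_wui(host: str, port: int = 443, ca_file: str = "loadmaster-ecc-ca.pem") -> dict:
    """Handshake with the WUI, validating its certificate against the issuing CA.
    Hostname verification stays on, so pass the name or IP the certificate names."""
    try:
        ctx = ssl.create_default_context(cafile=ca_file)
        ctx.set_ciphers("ECDHE")  # offer only ECDHE suites; a non-ECC server config fails here
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                return evaluate_session(tls.version(), name)
    except (ssl.SSLError, OSError) as exc:
        # Certificate, cipher or protocol mismatch and connection errors land here.
        return {"compliant": False, "error": str(exc)}


if __name__ == "__main__":
    print(json.dumps(probe_wui(sys.argv[1]), indent=2))
```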

Disable SSH Access

  1. In the left frame menu, click Certificates & Security > Remote Access, and disable the Allow Remote SSH Access check box.

Enable OCSP Checking and Stapling

  1. In the left frame menu, click Certificates & Security > OCSP Configuration:
    1. Enter the OCSP Server IP address and click Set Address.
    2. Enter the OCSP Server Port and click Set Port.
    3. Enter the OCSP URL and click Set URL.
    4. Enable the Enable OCSP Checking check box.

Notes:

  1. The Use SSL option must be disabled for OCSP checking in Common Criteria operating mode, and the OCSP server must be configured to accept unencrypted connections from LoadMaster.
  2. The Authority Information Access (AIA) certificate field is an X.509 v3 certificate extension. It may contain the following information:
    • The CA issuer access method: how to retrieve information about the certificate issuer.
    • The OCSP access method: the address of the OCSP server from which revocation information can be retrieved.

If present, the AIA field is given precedence and will be used. If the AIA is not present or appears invalid, the OCSP Server configuration details above will be used. Also note the following:

  • LDAPS: AIA information from the server certificate is honoured if Certificates & Security > OCSP Configuration > OCSP Checking is enabled.
  • Syslog-NG: AIA information from the server certificate is honoured if Certificates & Security > OCSP Configuration > OCSP Checking is enabled.
  • UI Authentication: AIA information from the client certificate is honoured if the Certificates & Security > Remote Access > Administrator Access > Admin Login Method parameter is set to Client certificate required (verify via OCSP).
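To make the precedence rule above concrete, the following added example (not LoadMaster code) picks the OCSP responder the way the notes describe: the AIA OCSP entry of the certificate wins when present and well-formed, otherwise the configured OCSP server is used. It requires the 'cryptography' package; what counts as an "invalid" AIA entry (no scheme or host) and the sample URLs are assumptions.

```python
"""AIA-precedence OCSP responder selection. Added example, not LoadMaster code."""
import datetime
from urllib.parse import urlparse

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID


def aia_ocsp_urls(cert: x509.Certificate) -> list:
    """OCSP responder URIs from the AIA extension; empty list if the extension is absent."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]


def select_ocsp_responder(cert: x509.Certificate, configured_url: str) -> tuple:
    """Return (source, url): AIA wins when usable, else the configured server."""
    for url in aia_ocsp_urls(cert):
        parts = urlparse(url)
        if parts.scheme and parts.netloc:  # assumption: "invalid" means unparseable
            return ("aia", url)
    return ("configured", configured_url)


def make_cert(aia_url: str = None) -> x509.Certificate:
    """Constructed self-signed EC certificate, optionally carrying an AIA OCSP entry."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "admin.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if aia_url is not None:
        builder = builder.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(aia_url))]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

Run `select_ocsp_responder` over the client certificates you intend to use for WUI login to see which responder LoadMaster would be expected to contact.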

Set the CLI Banner

  1. In the left frame menu, click Certificates & Security > Remote Access, type in an SSH Pre-Auth Banner and click Set Pre-Auth Message. This banner is also used for the CLI (even if SSH is disabled).

Disable CLI Virtual Service Administration

  1. To disable CLI VS administration (to meet logging requirements):
    1. In the left frame menu, click System Configuration > Logging Options > System Logs and then do the following:
    2. In the page at right, click Debug Options.
    3. Click Disable CLI VS. [Note that the button label then reads Enable CLI VS Management.]

Set Up Admin UI Access via LDAP

  1. To set up an LDAP domain, click Certificates & Security > LDAP Configuration. Follow the instructions in the UI guide (linked in the Appendix).
  2. To set up admin UI (bal account) access via LDAP/AD:
    1. In the left frame menu, click Certificates & Security > Remote Access.
    2. In the page at right, click WUI Authorizations.
    3. Follow the instructions in the UI guide (linked in the Appendix).
    4. Note: The LDAPS channel is restricted to TLSv1.1 and TLSv1.2.

Note: Virtual Service (VS) and ESP SSO configuration should not be present and is out of scope for CC on the LoadMaster.

Lock Down Admin UI Logon to Certificate Only with OCSP Validation

  1. In the left frame menu, click Certificates & Security > Remote Access:
    1. Set the Admin Login field to Client Certificate Required (Verify via OCSP).
    2. Sign out, clear cookies in the browser, close the browser, reopen the browser and verify that certificate logon works.
    3. If login fails, you will need to use the Console interface to reset the web administrative settings to allow you to sign in using a password.

Logging for Admin UI logon

  1. In the left frame menu, click System Configuration > Network Options:
    1. Set Log SSL errors to “All errors”.

Appendix: Further Information

Link to UI Guide:
https://support.kemptechnologies.com/hc/en-us/articles/213906303

Link to CLI guide:
https://support.kemptechnologies.com/hc/en-us/articles/203128129
