
Configuring LoadMaster for Common Criteria Conformance

This document details the configuration settings that must be modified from their default values so that LoadMaster operation and behavior conforms to the Common Criteria standard. LoadMaster is currently in the process of achieving Common Criteria certification.

Contents

Common Criteria Configuration Instructions
   Target Release
   Installation Process
   CC Configuration Process
   Log In
   Set Minimum Password Length
   Set ECC Ciphers for Self-Signed Certificates and Outbound Connections
   Secure Remote Logging
   Set LoadMaster to use ECC Ciphers
   Set Admin UI for Certificate Login, TLS and Custom ECC Cipher Suite Set
   Disable SSH Access
   Enable OCSP Checking and Stapling
   Set the CLI Banner
   Disable CLI Virtual Service Administration
   Setup Admin UI Access via LDAP
   Lockdown Admin UI logon to Certificate Only with OCSP validation
   Logging for Admin UI logon
Appendix A: Elliptic Curve Cipher Set
Appendix B: Installing an Update Image
Appendix C: Further Information


Common Criteria Configuration Instructions

Follow the instructions in this document to install and license LoadMaster, and to make the configuration changes required after installation to bring the system into Common Criteria (CC) mode.

Target Release

These instructions have been prepared for LMOS Version 7.2.48.5. They apply to all subsequent LMOS Version 7.2 releases.

Installation Process

The only prerequisite is the deployment, licensing, and initial configuration of LoadMaster. The LoadMaster documentation includes a complete set of Installation Guides for all supported platforms. For example, a separate VMware platform installation document is available to guide you through this process. Please note the following:

  • You need a console connected during the initial boot process
  • After boot, you will use the console to set the IP address data for the LoadMaster
  • You’ll need to create a Kemp ID in order to license the unit online; it’s a simple process that is confirmed via email.
  • When you reach the point in the VMware platform installation document where LoadMaster is licensed, be sure to choose the Online Licensing option, specify the Kemp ID and password you created, and accept the license provided by the licensing server.

CC Configuration Process

Once you complete the steps above, follow the steps in this section to configure the LoadMaster for Common Criteria operating mode.

Log In

  1. Log in to the UI via HTTPS using the IP address assigned during installation, the ‘bal’ administrative login, and the password you specified during installation.
    • Download the LoadMaster issuing CA RSA certificate and install it in the management workstation certificate store and/or the browser certificate store.

Set the Minimum Password Length

  1. In the left frame menu, click System Configuration > System Administration > User Management to set the desired Minimum Password Length (default is 8).

Set ECC Ciphers for Self-Signed Certificates and Outbound Connections

  1. In the left frame menu, click Certificates & Security > Remote Access:
  2. In the Self-Signed Certificate Handling drop-down, select EC Certs with an RSA signature. This will autogenerate a new self-signed LoadMaster certificate and assign it to the WUI interface.
  3. Download the LoadMaster ECC Issuing CA Certificate and install in the management workstation certificate store and/or browser certificate store.
  4. In the Self-Signed Certificate Handling drop-down, select EC Certs with an EC signature. This will autogenerate a new self-signed LoadMaster certificate and assign it to the WUI interface. If you did not download and install the LoadMaster ECC issuing CA certificate, you will no longer be able to use the WUI. Use the console and perform a factory reset and start over. Factory reset does not change the “bal” password. [Note: When set to this value, all Certificate Signing Requests generated on the Certificates & Security > Generate CSR page will also use EC signatures.]
  5. In the Outbound Connection Cipher Set drop-down, select an appropriate Custom ECC Cipher Suite Set. (Please see Appendix A for a list of the specific ciphers included in this cipher set and notes in relation to this item.)

Secure Remote Logging

  1. In the left frame menu, click System Configuration > Logging Options > Syslog Options:
    • Add a remote log collector by entering an IP address into the Syslog Host box, specify the logging level to export, and click the Add Syslog Host button.
    • In the Remote Syslog Port text box, enter any port other than 601 and click Set Port to enable log export over secure TCP on that port.
    • Ensure that Remote Syslog Protocol is set to TLS so that the TOE (the LoadMaster) communicates with the remote syslog server over TLS.
    • To have the LoadMaster validate the remote syslog server's certificate, ensure that the Server Certificate Validation option is enabled.

Note: The secure syslog channel is restricted to TLSv1.1 and TLSv1.2.
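To confirm that the export configured above really leaves the LoadMaster over TLS (and not over plain TCP), it helps to have a small receiver that enforces TLS and decodes what arrives. The following is an added example written for this article, not Kemp code: it listens on an assumed port 6514 (any port other than 601 is acceptable per the step above), presents a server certificate whose assumed paths are `syslog-server.pem` and `syslog-server.key`, and handles both RFC 5425 octet-counted and newline-terminated frames, since the framing LoadMaster uses is not stated on this page. Because Server Certificate Validation is enabled on the LoadMaster, the receiver's certificate must chain to a CA the LoadMaster trusts.

```python
"""Minimal TLS syslog receiver for verifying LoadMaster secure remote logging.
Added example, not Kemp code. The port, certificate paths and frame formats
are assumptions; the LoadMaster side is configured in the UI as described."""
import re
import socket
import ssl

# RFC 5425 octet counting: "<len> <PRI>..." ; newline framing is also accepted.
# The lookahead for "<" keeps a newline-framed line such as "123 ..." from
# being mistaken for an octet count.
_OCTET_COUNT = re.compile(rb"^(\d{1,5}) (?=<)")
_PRI = re.compile(rb"^<(\d{1,3})>")

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_frames(buf: bytes):
    """Return (complete_messages, leftover) from a TCP byte stream.

    leftover holds an incomplete trailing frame to be re-fed with the next chunk."""
    msgs = []
    while buf:
        m = _OCTET_COUNT.match(buf)
        if m:
            n, start = int(m.group(1)), m.end()
            if len(buf) - start < n:
                break                      # wait for the rest of this frame
            msgs.append(buf[start:start + n])
            buf = buf[start + n:]
            continue
        nl = buf.find(b"\n")
        if nl < 0:
            break                          # no complete newline-framed message yet
        msgs.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return msgs, buf


def parse_pri(msg: bytes):
    """Decode the <PRI> prefix into (facility, severity name); None if absent/invalid."""
    m = _PRI.match(msg)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                          # 23 facilities * 8 severities - 1
        return None
    return pri // 8, SEVERITY[pri % 8]


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server context that requires TLS 1.2 or later.

    The page states the LoadMaster channel is restricted to TLSv1.1/1.2, so a
    TLS 1.2 floor on the receiver still lets the LoadMaster connect while
    refusing anything weaker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def serve(bind="0.0.0.0", port=6514,                       # assumed port
          certfile="syslog-server.pem", keyfile="syslog-server.key"):  # assumed paths
    ctx = make_server_context(certfile, keyfile)
    with socket.create_server((bind, port)) as srv:
        print(f"listening on {bind}:{port} (TLS)")
        while True:
            conn, (peer, _) = srv.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    print(f"{peer}: handshake ok, {tls.version()} {tls.cipher()[0]}")
                    buf = b""
                    while chunk := tls.recv(4096):
                        buf += chunk
                        msgs, buf = split_frames(buf)
                        for msg in msgs:
                            print(peer, parse_pri(msg), msg.decode("utf-8", "replace"))
            except ssl.SSLError as exc:
                # A plain-TCP sender or one offering only older TLS versions lands here.
                print(f"{peer}: TLS handshake failed: {exc}")


if __name__ == "__main__":
    serve()
```

Point the Syslog Host and Remote Syslog Port at the machine running this receiver; a successful handshake line followed by decoded messages confirms the channel, while a "TLS handshake failed" line for the LoadMaster's address indicates the Remote Syslog Protocol is not set to TLS or the receiver certificate is not trusted.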

Set Admin UI for Certificate Login, TLS, and Custom ECC Cipher Suite Set

  1. In the left frame menu, click Certificates & Security > Intermediate Certificates and use the controls there to upload the issuing CA and associated Root CA certificate needed to validate admin client connections to the UI.
  2. In the left frame menu, click Certificates & Security > Admin WUI Access:
    1. In the WUI Cipher Set drop-down, select an appropriate Custom ECC Cipher Suite Set that has been generated. The Custom Cipher Suite Set can be generated from Certificates & Security > Cipher Sets.
    2. Enable/Disable TLS Protocols as required.
    3. Set a Pre-Auth Click Through Banner (this is required for Certificate based authentication to the UI).
  3. In the left frame menu, click System Configuration > System Administration > User Management:
    1. Create a user account that exactly matches the Principal Name on the certificate you will use for administrative access (select the option to create the account without a password)
    2. Assign privileges to the account just created. Use “All Rights” for the first account added.
  4. In the left frame menu, click Certificates & Security > Remote Access:
  5. Set the Admin Login field to Password or Client Certificate.
  6. Test login using the associated certificate. If this fails, clear cookies, close browser, reopen browser and try again. If this still fails, clear cookies, close browser, reopen browser, bypass certificate request and sign in using the “bal” account.

Disable SSH Access

  1. In the left frame menu, click Certificates & Security > Remote Access, and disable the Allow Remote SSH Access check box.

Enable OCSP Checking and Stapling

  1. In the left frame menu, click Certificates & Security > OCSP Configuration:
    1. Enter the OCSP Server IP address and click Set Address.
    2. Enter the OCSP Server Port and click Set Port.
    3. Enter the OCSP URL and click Set URL.
    4. Enable the Enable OCSP Checking check box.

Notes:

  1. The Use SSL option must be disabled for OCSP checking in Common Criteria operating mode, and the OCSP server must be configured to accept unencrypted connections from LoadMaster.
  2. The Authority Information Access (AIA) certificate field is an X.509 v3 certificate extension. It may contain the following information:
    • The CA issuer access method: how to retrieve information about the certificate issuer.
    • The OCSP access method: the address of the OCSP server from which revocation information can be retrieved.

If present, the AIA field is given precedence and will be used. If the AIA is not present or appears invalid, the OCSP Server configuration details above will be used. Also note the following:

  • LDAPS: AIA information from the server certificate is honoured if Certificates & Security > OCSP Configuration > OCSP Checking is enabled.
  • Syslog-NG: AIA information from the server certificate is honoured if Certificates & Security > OCSP Configuration > OCSP Checking is enabled.
  • UI Authentication: AIA information from the client certificate is honoured if the Certificates & Security > Remote Access > Administrator Access > Admin Login Method parameter is set to Client certificate required (verify via OCSP).

Set the CLI Banner

  1. In the left frame menu, click Certificates & Security > Remote Access, type in an SSH Pre-Auth Banner and click Set Pre-Auth Message. This banner is also used for the CLI (even if SSH is disabled).

Disable CLI Virtual Service Administration

  1. To disable CLI VS administration (to meet logging requirements):
    1. In the left frame menu, click System Configuration > Logging Options > System Logs.
    2. In the page at right, click the Debug Options button.
    3. Click Disable CLI VS. [Note that the button and label now read: Enable CLI VS Management.]

Setup Admin UI Access via LDAP

  1. To set up an LDAP domain, click Certificates & Security > LDAP Configuration. Follow the instructions in the UI guide here.
  2. To set up admin UI (bal account) access via LDAP/AD:
    1. In the left frame menu, click Certificates & Security > Remote Access.
    2. In the page at right, click the WUI Authorizations button.
    3. Follow the instructions in the UI guide here.
    4. Note: The LDAPS channel is restricted to TLSv1.1 and TLSv1.2.

Lockdown Admin UI logon to Certificate Only with OCSP validation

  1. In the left frame menu, click Certificates & Security > Remote Access:
    1. Set the Admin Login field to Client Certificate Required (Verify via OCSP).
    2. Sign out, clear cookies in the browser, close the browser, reopen the browser and verify that certificate logon works.
    3. If login fails, you will need to use the Console interface to reset the web administrative settings to allow you to sign in using a password.

Logging for Admin UI logon

  1. In the left frame menu, click System Configuration > Network Options:
    1. Set Log SSL errors to All errors.

Appendix A: Elliptic Curve Cipher Set

A Custom ECC Cipher Suite set can be configured with the claimed cipher suites. Currently the Security Target (ST) claims:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

The Custom ECC Cipher Suite set can be configured under Certificates & Security > Cipher Sets.
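After the WUI Cipher Set and Admin Login settings from the "Set Admin UI for Certificate Login, TLS, and Custom ECC Cipher Suite Set" section are applied, an administrator will want to confirm from the management workstation that the WUI actually negotiates only the six suites above, and that a client offering nothing from that set is refused. The script below is an added example written for this article, not Kemp code: it maps the IANA names in Appendix A to the OpenSSL names that Python's `ssl` module reports, pins the client to TLS 1.2 (the version these suites belong to), and optionally presents an admin client certificate so the same probe exercises the certificate-login path. The host name `loadmaster.example.local` and the file paths `loadmaster-ecc-ca.pem`, `admin.crt` and `admin.key` are assumptions.

```python
"""Probe a LoadMaster WUI (or any TLS endpoint) and report whether the
negotiated protocol and cipher suite fall inside the claimed ECC set.
Added example, not Kemp code. Host names and file paths are assumptions."""
import socket
import ssl
import sys

# The six suites listed in Appendix A (IANA names).
CLAIMED_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]


def iana_to_openssl(name: str) -> str:
    """Convert an IANA suite name to the OpenSSL name that SSLSocket.cipher()
    reports. Covers the ECDHE-ECDSA/AES family used in Appendix A."""
    n = name[4:] if name.startswith("TLS_") else name
    n = n.replace("_WITH_", "-")
    n = n.replace("AES_128", "AES128").replace("AES_256", "AES256")
    n = n.replace("_CBC", "")          # OpenSSL omits CBC from the suite name
    return n.replace("_", "-")


def openssl_cipher_list() -> str:
    """OpenSSL cipher string containing exactly the claimed suites."""
    return ":".join(iana_to_openssl(s) for s in CLAIMED_SUITES)


def evaluate(cipher_name: str, protocol: str) -> tuple:
    """Judge the (name, protocol) pair returned by SSLSocket.cipher()[:2]."""
    allowed = {iana_to_openssl(s) for s in CLAIMED_SUITES}
    if protocol != "TLSv1.2":
        return False, f"negotiated {protocol}; the claimed suites are TLSv1.2 suites"
    if cipher_name not in allowed:
        return False, f"{cipher_name} is not in the claimed ECC cipher set"
    return True, f"{cipher_name} over {protocol}"


def build_client_context(cafile=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """Client context that offers only the claimed suites and pins TLS 1.2.

    cafile: the LoadMaster ECC issuing CA downloaded earlier (assumed path);
    None uses the workstation trust store, where the guide says to install it.
    client_cert/client_key: optional admin client certificate (assumed paths)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_cipher_list())
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def probe(host: str, port: int = 443, **ctx_args) -> tuple:
    """Connect and return (conformant, reason) for the negotiated parameters."""
    ctx = build_client_context(**ctx_args)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return evaluate(name, protocol)


def rejects_non_ecc(host: str, port: int = 443, cafile=None) -> bool:
    """True if the endpoint refuses a client that offers only RSA key-exchange
    suites, i.e. it does not silently fall back outside the ECC set."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AES128-SHA:AES256-SHA:AES128-GCM-SHA256")
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return False               # handshake succeeded: non-ECC suite accepted
    except (ssl.SSLError, ConnectionError):
        return True


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "loadmaster.example.local"  # assumed
    ca = "loadmaster-ecc-ca.pem"                                              # assumed
    ok, why = probe(target, cafile=ca)
    print("conformant" if ok else "NOT conformant", "-", why)
    ok, why = probe(target, cafile=ca, client_cert="admin.crt", client_key="admin.key")
    print("with client certificate:", "conformant" if ok else "NOT conformant", "-", why)
    print("rejects non-ECC suites:", rejects_non_ecc(target, cafile=ca))
```

A handshake failure on the first probe means the WUI is not offering any of the claimed suites (re-check the WUI Cipher Set), and a `False` from `rejects_non_ecc` means a suite outside the set is still enabled. Note that the probe only proves what this one client negotiates; it does not enumerate every suite the endpoint would accept.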

Appendix B: Installing an Update Image

Upgrade images are available from the Kemp website LoadMaster downloads page.

To install an update image on LoadMaster:

  1. Unzip the archive received from Kemp on a laptop or other device with a browser.
    • In it are the update image and an XML file.
  2. Open the LoadMaster UI and navigate to System Configuration > System Administration > Update Software.
  3. Click on the Browse button next to Software Update File and select the update image from Step 1.
  4. Click on the Browse button next to Verification File and select the XML file from Step 1.
  5. Click Update Machine. After the system validates the image, you’ll be asked to confirm the installation to continue.
  6. Once the update is completed, the system asks you to confirm rebooting the system.

Once the system reboots and the UI becomes active again, you can log in.

Appendix C: Further Information

LoadMaster Administrator's Guide

LoadMaster Console CLI Guide
