Configuring the JETGuard Secure Proxy Server for your NonStop™ Himalaya server
The JETGuard Secure Proxy Server runs on your NonStop
Himalaya server under the Guardian environment. It receives
its configuration via TACL startup PARAMs and ASSIGNs. The
installation archive contains a sample GOPROXY TACL
macro file that describes each of the startup PARAMs and
ASSIGNs. We suggest that you modify the GOPROXY file to
specify the attributes applicable to your environment, and
start the JETGuard process by invoking the GOPROXY file
from a TACL session. In many cases, the only parameter that
you will need to set is the CERTIFICATEFILE PARAM.
The steps involved in configuring your JETGuard Secure Proxy Server are:
- Either:
  - Apply to a Certificate Authority (e.g. Thawte, Verisign) for an SSL Server Certificate for your NonStop server system (if you don't already have one). Ensure that the subject name of the certificate matches the fully qualified IP host name of your NonStop system - NOT the Guardian Expand system name.
  - Convert your SSL Server Certificate to PEM so that it can work with JETGuard.
  OR
  - If you are new to using secure connections, and you do not already have a certificate issued by a Certificate Authority, we recommend that you create a self-signed test certificate to get your development system up and running quickly. Note that, because your test certificate is not digitally signed by a Certificate Authority, JET 6530 end-users will receive a certificate alert whenever they connect to your NonStop server as long as JETGuard is using a self-signed test certificate. Therefore you should only use a test certificate for testing purposes, and thereafter apply for and use a certificate issued by a Certificate Authority. In addition, using a self-signed test certificate is not as secure as using one issued by a Certificate Authority.
- Modify the GOPROXY file with the appropriate PARAMs and ASSIGNs for your environment.
- Start the JETGuard Secure Proxy Server by executing the GOPROXY file from a TACL session on your NonStop server.
The only mandatory parameter is the CERTIFICATEFILE PARAM. The value of the CERTIFICATEFILE PARAM must specify the name of a file that contains your server certificate in PEM format. The server certificate is sent by JETGuard to the JET 6530 client during the start of a secure connection. It identifies the server machine to the client, and also provides the public key that is used to secure the connection. For more information, see the sections on Converting a Certificate Authority-issued certificate and Creating a Test Certificate.
The PARAMs and ASSIGNs recognised by JETGuard are:
| Type | Name | Description | Allowable Values | Default Value |
| PARAM | BACKUPCPU | The number of the CPU in which you want JETGuard's backup process to run. | A decimal number between 0 and 15 inclusive | 1 |
| PARAM | CERTIFICATEFILE | The name of a file which contains a certificate issued by a Certificate Authority or a test certificate, in PEM format. This PARAM is mandatory. | A valid Guardian file name | (none) |
| PARAM | LICENCEFILE | The name of a file which contains the licence information provided by Platypus Partners. | A valid Guardian file name | LICENCE |
| PARAM | RHOST | The IP name or numerical IP address of the NonStop server system to which this JETGuard process is relaying connections. Since all connections between JETGuard and the RHOST system are non-encrypted, for security reasons this parameter should normally specify the local machine - i.e. 127.0.0.1 | A valid IP host name or numerical IP address. | 127.0.0.1 |
| PARAM | RPORT | The TCP/IP port number on which the TN6530 server is listening on the RHOST machine. The normal value is the Telnet port - 23. You probably don't need to change this value. | A decimal number between 1 and 65535 inclusive | 23 |
| PARAM | LPORT | The TCP/IP port number on which this JETGuard server will listen for incoming secure connections with JET 6530 clients. 992 is the normal value for secure Telnet sessions. Note: to use this value (or any value less than 1024), you must start the JETGuard server as a SUPER group user. Whichever value you choose, your JET 6530 end-users must specify the value as the port to which they are connecting. | A decimal number between 1 and 65535 inclusive | 992 |
| PARAM | TCPPROCESS | The TCP/IP server process name that you want JETGuard to use for its communications. Consult with your NonStop TCP/IP system administrator to see which process they want you to use. | A Guardian process name | $ZTC0 |
| ASSIGN | STDERR | The file (or process) to which the JETGuard server will report any errors. For testing purposes, you probably want this to default to the home terminal of the TACL process that starts the JETGuard server, but for production, you should change it to $0 or some other collector process. | A Guardian file or process name | The home terminal of the JETGuard server. |
| PARAM | PROXYDEBUG | Specifies that the JETGuard server should log session tracing and debug information to its STDERR file. Setting this PARAM to any value will result in JETGuard logging debug information. | Any value | (empty) |
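A GOPROXY macro assembled from the PARAMs and ASSIGNs in the table above, written here as an added illustration rather than the sample file shipped in the JETGuard archive. The JETGuard object file name and the $JETG process name are placeholders, and the settings follow the production advice in the table (local RHOST, STDERR sent to $0, PROXYDEBUG left unset).

```tacl
== GOPROXY: start the JETGuard Secure Proxy Server (added illustration, not the shipped sample)
== <JETGUARD-OBJECT-FILE> and $JETG are placeholders; substitute your own object file and process name
VOLUME $SYSTEM.JETGUARD
CLEAR ALL PARAM
CLEAR ALL ASSIGN
== Mandatory: the server certificate in PEM format, as written by CERTCONV or TESTCERT
PARAM CERTIFICATEFILE MYCERT
== Licence file supplied by Platypus Partners (LICENCE is also the default)
PARAM LICENCEFILE LICENCE
== CPU for the backup process
PARAM BACKUPCPU 1
== Relay only to the local TN6530 server: the JETGuard-to-RHOST leg is not encrypted
PARAM RHOST 127.0.0.1
PARAM RPORT 23
== Secure Telnet port; a value below 1024 requires starting JETGuard as a SUPER group user
PARAM LPORT 992
== TCP/IP process agreed with the NonStop TCP/IP administrator
PARAM TCPPROCESS $ZTC0
== Production: report errors to the $0 collector rather than the home terminal
ASSIGN STDERR, $0
== Debug tracing is off while PROXYDEBUG is unset; remove the == prefix only for test sessions
== PARAM PROXYDEBUG 1
RUN <JETGUARD-OBJECT-FILE> /NAME $JETG, NOWAIT/
```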
After your initial testing of JETGuard, you should obtain a
certificate for your NonStop server system from a Certificate
Authority (if you don't already have one). Some examples of
Certificate Authorities are Thawte and Verisign. Server certificates are often
referred to as SSL certificates, or Web Server
certificates. Note that although JETGuard is not a secure web
server, its certificate requirements are identical to those of
a secure web server.
After you have received your server certificate from your chosen Certificate Authority, you need to convert the certificate into PEM format so that JETGuard can read it. Generally, Certificate Authorities issue certificates in PKCS#12 format. This section assumes that this is the case. If your Certificate Authority issues you a certificate in a different format, contact Platypus Partners for support.
To convert a PKCS#12 certificate to PEM format, run the CERTCONV file from a TACL session. The usage of CERTCONV is:
CERTCONV <PKCS#12 certificate input filename> <PEM output filename>
For example, you could issue the
following commands:
VOLUME $SYSTEM.JETGUARD
CERTCONV CACERT MYCERT
You should then ensure
that you set the value of the CERTIFICATEFILE PARAM (in
your GOPROXY file) to be the name of the PEM
output filename that you chose.
During your initial testing of JETGuard in your
environment, you may find it useful to create your own
self-signed test certificate, rather than wait for a
Certificate Authority to issue you one.
Note: You should only use a test certificate for
testing purposes. Each JET 6530 end-user that connects
to a JETGuard server which is configured to use a test
certificate will receive a warning indicating that the
certificate issuer is untrusted. While you use a test
certificate, your secure connections are open to
"man-in-the-middle" attacks, whereby an interceptor of the
connections could create their own self-signed certificate. It
would be very difficult for the end-users to tell the
difference between your self-signed certificate, and a fake
one.
To create a self-signed test certificate, run the TESTCERT file from a TACL session. The usage of TESTCERT is:
TESTCERT [<PEM output filename>]
The PEM output filename
defaults to "MYCERT". For example, you could issue the
following commands:
VOLUME $SYSTEM.JETGUARD
TESTCERT MYCERT
You will then be prompted
to fill in some details for the certificate. Since this is a
test certificate, their values aren't overly
important. However, it is best if you correctly specify the
fully-qualified IP host name (not your Guardian Expand system
name) of the NonStop server on which JETGuard is running. If
you do not specify this correctly, JET 6530 end-users
will be notified that the server name in the certificate does
not match the name of the server to which they are connecting.
You should then ensure
that you set the value of the CERTIFICATEFILE PARAM (in
your GOPROXY file) to be the name of the PEM
output filename that you chose.