Layer 7 Technologies Secure Installation Guide v8.0

Contents
Introduction
Prerequisites
Evaluated Configuration
Objectives for Operational Environment
Security Requirements
  Auditing
  Administrative User Account Configuration
  Audits for Changes to Password Policies
  User Authentication/Identification
  Security Roles
  Replay Detection
  Time Stamps
  Secure Transport via TLS
  Cryptographic Suites
Appendix A: Audits for Management Role Changes

Introduction
This guide describes how to configure the Layer 7 SecureSpan SOA Gateway v8.0 for secure installation to conform to Common Criteria requirements.

Prerequisites
This guide assumes that the SecureSpan SOA Gateway v8.0 has been set up and configured according to the Layer 7 Installation and Maintenance Manual (Appliance Edition). A correctly
(Audit when user added to role, continued)
INFO Role 0000000000000000fffffffffffffc7c Manage Email Listeners updated
INFO Role 0000000000000000fffffffffffffa88 Manage Firewall Rules updated
INFO Role 0000000000000000ffffffffffffff38 Manage Internal Users and Groups updated
INFO Role 0000000000000000fffffffffffffc4a Manage JDBC Connections updated
INFO Role 0000000000000000fffffffffffffd12 Manage Listen Ports updated
INFO Role 0000000000000000fffffffffffffce0 Manage Log Sinks updated
INFO Role 0000000000000000fffffffffffffd76 Manage Message Destinations updated
INFO Role 0000000000000000fffffffffffffo82 Manage Password Policies updated
INFO Role 0000000000000000fffffffffffffob4 Manage Private Keys updated
INFO Role 0000000000000000fffffffffffffbe6 Manage Secure Passwords updated
INFO Role 0000000000000000fffffffffffffc18 Manage UDDI Registries updated

Audit when user removed from role
INFO Role 0000000000000000fffffffffffffda8 Manage Certificates truststore updated
INFO Role 0000000000000000fffffffffffffd44 Manage Cluster Properties updated
INFO Role 0000000000000000fffffffffffffdda Manage Cluster Status updated
INFO Role 0000000000000000fffffffffffffa56 Manage Custom Key Value Store updated
INFO Role 0000000000000000fffffffffffffc7c Manage Email Listeners updated
INFO Role 0000000000000000fffffffffffffa88 Manage Firewall Rules updated
INFO Role 000000
messages, add the Add Timestamp assertion to your policy. To enforce the presence of a timestamp in the target message, add the Require Timestamp assertion to the policy. For more information, see the following in the Layer 7 Policy Authoring User Manual (FPT_STM.1):
- Add Timestamp Assertion
- Require Timestamp Assertion

Secure Transport via TLS
To ensure transport-level confidentiality and integrity, include the Require SSL or TLS Transport assertion in your policy. For more information, see Require SSL or TLS Transport Assertion in the Layer 7 Policy Authoring User Manual (FTP_ITC.1.1, FTP_ITC.1.2).

Cryptographic Suites
The Layer 7 SOA Gateway can be configured to use third-party cryptographic suites (FTP_TRP.1.1).

Note: To enable FIPS-compliant cryptographic algorithms, you need to set the security.fips.enabled cluster property to true. For details, see Miscellaneous Cluster Properties in the Layer 7 Policy Manager User Manual.

Appendix A: Audits for Management Role Changes
The Gateway will log the following audits whenever a user is added to or removed from a management role. These audits are visible in the Gateway Audit Event window (FAU_GEN.1).

Table 3: Audits for management role changes
Role: Administrator
Audi
INFO Role 5726551c1ab368126cc8ff60dd10a1b7 Manage <Service name> Service 5726551c1ab368126cc8ff60dd10a1b0 updated
44c5f7b1aac091ea118908b01154ebee Manage <policy name> Policy 44c5f7b1aac091ea118908b01154ebea updated
INFO Role 5726551c1ab368126cc8ff60dd10a1b7 Manage <Service name> Service 5726551c1ab368126cc8ff60dd10a1b0 updated

Role: Manage Administrative Accounts Configuration
  Audit when user added to role: INFO Role 0000000000000000fffffffffffffo1e Manage Administrative Accounts Configuration updated
  Audit when user removed from role: INFO Role 0000000000000000fffffffffffffo1e Manage Administrative Accounts Configuration updated

Role (continued):
Manage Certificates
Manage Cluster Properties
Manage Cluster Status
Manage Custom Key Value Store
Manage Email Listeners
Manage Firewall Rules
Manage Internal Users and Groups
Manage JDBC Connections
Manage Listen Ports
Manage Log Sinks
Manage Message Destinations
Manage Password Policies
Manage Private Keys
Manage Secure Passwords
Manage UDDI Registries

Audit when user added to role
INFO Role 0000000000000000fffffffffffffda8 Manage Certificates truststore updated
INFO Role 0000000000000000fffffffffffffd44 Manage Cluster Properties updated
INFO Role 0000000000000000fffffffffffffdda Manage Cluster Status updated
INFO Role 0000000000000000fffffffffffffa56 Manage Custom Key Value Store updated
This section describes the objectives for the Policy Manager operational environment and any additional steps you must take to achieve these objectives.

Table 1: Operational environment objectives (ESM Policy Manager PP)

OE.ADMIN
  Description: There will be one or more administrators of the Operational Environment that will be responsible for providing subject identity to attribute mappings within the TOE.
  Specific configuration required: None. Assigning administrators to the operational environment is covered by the topics Managing Roles and Adding a User or Group to a Role.

OE.AUDIT
  Description: The Operational Environment will provide a remote location for storage of audit data.
  Specific configuration required: None. Configuring a remote location for audits is described in the topic Managing the Audit Sink.

OE.INSTAL
  Description: Those responsible for the TOE must ensure that the TOE is delivered, installed, managed and operated in a secure manner.
  Specific configuration required: None.

OE.PERSON
  Description: Personnel working as TOE administrators shall be carefully selected and trained for proper operation of the TOE.
  Specific configuration required: None.

OE.PROTECT
  Description: One or more ESM Access Control products will be deployed in the Operational Environment to protect organizational assets.
  Specific configuration required: None.

OE.USERID
  Description: The Operational Environment must be able to identify a user requesting access to the TOE.
  Specific configuration required: None. Logging in to the Gateway is described in the topic Connecting to the Gateway.

Identifier: OE.AUDIT, OE.INST
configured SOA Gateway largely conforms to the evaluated configuration. The remainder of this document provides additional information.

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "As Is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Document last updated: March 6, 2014

Evaluated Configuration
The evaluated configuration is achieved once the Layer 7 SOA Gateway v8.0 is configured according to the Layer 7 Installation and Maintenance Manual (Appliance Edition). Note the following:
- Hardware Security Modules (either PCI or network) may be optionally installed on the Gateway appliance.
- The browser client version of the Policy Manager may not be used.

Objectives for Operational Environment
Identifier: OE.ADMIN, OE.AUDIT, OE.INSTAL, OE.PERSON, OE.PROTECT,
the Gateway Audit Viewer whenever a user is added to or removed from management roles. See Appendix A on page 8 (FAU_GEN.1).

The Gateway will audit changes to password policies. When the password policy is altered from the default STIG settings, the following audits are generated and are available in the Gateway Audit Events window (FAU_GEN.1):

Node: Gateway1
Time: 20131217 09:49:41.463
Severity: WARNING
Message: Password requirements are below STIG minimum for Internal Identity Provider
Audit Record ID: 8d2eb19dcd9926170dc3e349f775707b
Event Type: System Message
Node IP: 10.242.12.139
Action: Password Policy Validation
Component: SecureSpan Gateway Server Password Policy Service
Entity name: Password Policy Service

To enable auditing on the Gateway, add the Audit Messages in Policy assertion into the service policy. To disable auditing, remove this assertion from the policy (FAU_GEN.1.1). Information about the audit events can be viewed in the Gateway Audit Events window; see Gateway Audit Events in the Layer 7 Policy Manager User Manual (FAU_GEN.1.2, FCO_NRR.2.2).

The auditing subsystem in the Layer 7 SOA Gateway involves a complex interaction between the configuration of the Audit Messages in Policy assertion and several cluster properties. For more information, see Message Auditing in the Layer 7 Policy
(Audit when user added to role, continued)
0000000000ffffffffffffff38 Manage Internal Users and Groups updated
INFO Role 0000000000000000fffffffffffffc4a Manage JDBC Connections updated
INFO Role 0000000000000000fffffffffffffd12 Manage Listen Ports updated
INFO Role 0000000000000000fffffffffffffce0 Manage Log Sinks updated
INFO Role 0000000000000000fffffffffffffd76 Manage Message Destinations updated
INFO Role 0000000000000000fffffffffffffo82 Manage Password Policies updated
INFO Role 0000000000000000fffffffffffffob4 Manage Private Keys updated
INFO Role 0000000000000000fffffffffffffbe6 Manage Secure Passwords updated
INFO Role 0000000000000000fffffffffffffc18 Manage UDDI Registries updated

Role (continued):
Manage SiteMinder Configuration
Manage Web Services
Publish External Identity Providers
Publish Web Services
Search Users and Groups
View <name> Folder
View <name> Log Sink
View Audit Records
View Service Metrics

Audit when user added to role
INFO Role 0000000000000000fffffffffffffa24 Manage SiteMinder Configuration updated
INFO Role 0000000000000000fffffffffffffe70 Manage Webservices updated
INFO Role 0000000000000000ffffffffffffffOG Publish External Identity Providers updated
INFO Role 0000000000000000fffffffffffffea2 Publish Webservices updated
INFO Role 0000000000000000fffffffffffffed4 Search Users and Groups updated
INFO Rol
Table 2: Operational environment objectives (ESM Access Control PP)

OE.AUDIT
  Description: The Operational Environment will provide a remote location for storage of audit data.
  Specific configuration required: None. Configuring a remote location for audits is described in the topic Managing the Audit Sink.

OE.INSTAL
  Description: Those responsible for the TOE must ensure that the TOE is delivered, installed, managed and operated in a manner that is consistent with IT security.
  Specific configuration required: None.

OE.POLICY
  Description: The Operational Environment will provide a policy that the TOE will enforce.
  Specific configuration required: None. Configuring policies is described in the topic Working with Service Policies.

OE.PROTECT
  Description: The Operational Environment will protect the TOE from unauthorized modifications and access to its functions and data.
  Specific configuration required: None.

OE.USERID
  Description: The Operational Environment must be able to identify the user and convey validation of this to the TOE.
  Specific configuration required: None. The user is validated when logging into the Gateway; see the topic Connecting to the Gateway.

OE.TIME
  Description: The Operational Environment must provide a reliable timestamp to the TOE.
  Specific configuration required: None. Use of timestamps is described in the topics Add Timestamp Assertion and Require Timestamp Assertion.

Security Requirements
This section describes any additional configuration required to meet the security requirements for Common Criteria.

Auditing
The Gateway will display an event in
Manage Account Policies in the Policy Manager. The minimum password length should be 16 (FIA_SOS.1.1).

Configure various other user account settings, such as maximum login attempts, lockout duration and session expiry period, using the Manage Administrative User Account Policy task under Tasks > Manage Account Policies in the Policy Manager (FIA_AFL.1.1, FIA_AFL.1.2, FTA_SSL_EXT.1.1, FTA_SSL.3.1).

For more information, refer to the following topics in the Layer 7 Policy Manager User Manual:
- Managing Password Policy
- Managing Administrative User Account Policy

Audits for Changes to Password Policies
When a password policy is changed, the following audits are recorded to the log:

INFO IdentityProviderPasswordPolicy 0000000000000000FFFFFFFFFFFFFFFE updated (changed serializedProps)
Log: INFO 1655 com.l7tech.server.admin: IdentityProviderPasswordPolicy 0000000000000000FFFFFFFFFFFFFFFE updated (changed serializedProps)

Upon changing the password policy, if the resulting policy is below the STIG requirement (regardless of whether the policy was STIG-compliant before the change):

WARNING Password requirements are below STIG minimum for Internal Identity Provider
Log: WARNING 59 com.l7tech.server: Password requirements are below STIG minimum for Internal Identity Provider

Note that the numbers next to the severity levels are line numbers, not audit code numbers, and may be subject to change (FIA_SOS.1.1).

User Authentic
Manager User Manual.

Older audit records (non-SEVERE events older than 7 days) can be purged using the Gateway Audit Events window. The deletion of audit records is restricted only to those who have the Administrator or Gateway Maintenance roles (FAU_STG.1.1).

When connection to a repository is lost, the Gateway will stop writing to the Syslog. When connection is restored, the Gateway will resume writing to the Syslog. For brief outages, the logged information is cached on the Gateway until connection is restored (FAU_STG_EXT.1).

Audits can also be archived using the FTP Audit Archiver feature. For more information, refer to the following topics in the Layer 7 Policy Manager User Manual:
- FTP Audit Archiver
- Audit Archiver Cluster Properties (used to configure thresholds, etc.)

Audit events may be logged to an internal Gateway database file or to an external Syslog server. For information on how to configure this, see Managing Log Sinks in the Layer 7 Policy Manager User Manual (FAU_STG_EXT.1.1).

¹ Note that the Gateway Maintenance role by itself will not allow this; a user would need other roles that allow cluster node information to be read, such as Manage <name> Service or Operator.

Administrative User Account Configuration
Configure the password requirements as necessary using the Manage Password Policy task under Tasks >
Node: Gateway1
Time: 20131217 15:26:35.692
Severity: INFO
Message: Role 0000000000000000fffffffffffffd76 Manage Message Destinations updated
Audit Record ID: 5726551c1ab368126cc8ff60dd10a414
Event Type: Manager Action
Admin User Name: admin
Admin User ID: 00000000000000000000000000000003
Admin IP: 10.242.12.249
Action: Object Changed
Entity Name: Manage Message Destinations
Entity ID: 0000000000000000fffffffffffffd76
Entity Type: gateway.common.security.rbac.Role
Identity Provider ID: 0000000000000000fffffffffffffffe

Figure 1: Example audit in Gateway Audit Events window
ation/Identification
To authenticate and identify a user in a policy, insert one of the following authentication assertions into the policy (FIA_UAU.2, FIA_UID.2):
- Authenticate Against Identity Provider Assertion
- Authenticate User or Group Assertion
For more information about these assertions, see the Layer 7 Policy Authoring User Manual.

Security Roles
The Gateway comes with a set of predefined roles that you can assign to users to control access to the system. These are defined in the topic Predefined Roles and Permissions in the Layer 7 Policy Manager User Manual (FMT_MSA.1.1, FMT_MSA.1.2).

Create custom roles to control access to audits, log sinks and service policies. Only authorized personnel should have access to these. For more information, see Managing Roles in the Layer 7 Policy Manager User Manual (FMT_MOF.1.1, FMT_MOF.1.2).

Note: Be especially careful about which users get the roles Administrator and Operator. These roles have the ability to query the entire system (FMT_MOF_EXT.1).

Replay Detection
To protect against replay attacks, add the Protect Against Message Replay assertion to your policy. For more information, see Protect Against Message Replay Assertion in the Layer 7 Policy Authoring User Manual (FPT_RPL.1).

Time Stamps
To insert a signed timestamp element into the SOAP security header of all target
(Audit when user added to role, continued)
INFO Role 5726551c1ab368126cc8ff60dd10a36b View <folder name> Folder 5726551c1ab368126cc8ff60dd10a343 updated
INFO Role 5726551c1ab368126cc8ff60dd10a3f8 View <log sink name> Log Sink 5726551c1ab368126cc8ff60dd10a3f6 updated
INFO Role 0000000000000000fffffffffffffe3e View Audit Records updated
INFO Role 0000000000000000fffffffffffffeoc View Service Metrics updated

Audit when user removed from role
INFO Role 0000000000000000fffffffffffffa24 Manage SiteMinder Configuration updated
INFO Role 0000000000000000fffffffffffffe70 Manage Webservices updated
INFO Role 0000000000000000ffffffffffffffOG Publish External Identity Providers updated
INFO Role 0000000000000000fffffffffffffea2 Publish Webservices updated
INFO Role 0000000000000000fffffffffffffed4 Search Users and Groups updated
INFO Role 5726551c1ab368126cc8ff60dd10a36b View <folder name> Folder 5726551c1ab368126cc8ff60dd10a343 updated
INFO Role 5726551c1ab368126cc8ff60dd10a3f8 View <log sink name> Log Sink 5726551c1ab368126cc8ff60dd10a3f6 updated
INFO Role 0000000000000000fffffffffffffe3e View Audit Records updated
INFO Role 0000000000000000fffffffffffffe0c View Service Metrics updated

Additional information is displayed about the audit when viewed in the Gateway Audit Event window. The following illustration is an example.

Details
Audit when user added to role / Audit when user removed from role

Role: Administrator
  Audit when user added to role: INFO Role 0000000000000000ffffffffffffff9c Administrator updated
  Audit when user removed from role: INFO Role 0000000000000000ffffffffffffff9c Administrator updated

Role: Operator
  Audit when user added to role: INFO Role 0000000000000000ffffffffffffff6a Operator updated
  Audit when user removed from role: INFO Role 0000000000000000ffffffffffffff6a Operator updated

Role: Gateway Maintenance
  Audit when user added to role: INFO Role 0000000000000000fffffffffffffcae Gateway Maintenance updated
  Audit when user removed from role: INFO Role 0000000000000000fffffffffffffcae Gateway Maintenance updated

Role: Invoke Audit Viewer Policy
  Audit when user added to role: INFO Role 0000000000000000fffffffffffffo50 Invoke Audit Viewer Policy updated
  Audit when user removed from role: INFO Role 0000000000000000fffffffffffffo50 Invoke Audit Viewer Policy updated

Role: Manage <folder name> Folder
  Audit when user added to role: INFO Role 5726551c1ab368126cc8ff60dd10a345 Manage <folder name> Folder 5726551c1ab368126cc8ff60dd10a343 updated
  Audit when user removed from role: INFO Role 5726551c1ab368126cc8ff60dd10a345 Manage <folder name> Folder 5726551c1ab368126cc8ff60dd10a343 updated

Role: Manage <IP Name> Identity Provider
  Audit when user added to role: INFO Role 5726551c1ab368126cc8ff60dd10a385 Manage <IP Name> Identity Provider 5726551c1ab368126cc8ff60dd10a383 updated
  Audit when user removed from role: INFO Role 5726551c1ab368126cc8ff60dd10a385 Manage <IP Name> Identity Provider 5726551c1ab368126cc8ff60dd10a383 updated

Role: Manage <policy name> Policy
  Audit when user added to role: INFO Role 44c5f7b1aac091ea118908b01154ebee Manage <policy name> Policy 44c5f7b1aac091ea118908b01154ebea updated

Role: Manage <Service name> Service
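As an added example (not part of this guide or the product), a small Python triage routine over audit messages in the shapes that Appendix A and the password-policy section show: it parses the "INFO Role <id> <name> updated" lines, flags membership changes on the Administrator and Operator roles that the Security Roles note singles out and on the audit-related roles, and picks up the STIG warning and password-policy change audits. The sample lines are constructed; the role and field names come from this guide.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit messages, shaped like the ones shown in Appendix A
# and the password-policy section of this guide (not captured from a live system).
SAMPLE_AUDITS = [
    "INFO Role 0000000000000000ffffffffffffff9c Administrator updated",
    "INFO Role 0000000000000000ffffffffffffff6a Operator updated",
    "INFO Role 0000000000000000fffffffffffffcae Gateway Maintenance updated",
    "INFO Role 0000000000000000fffffffffffffd76 Manage Message Destinations updated",
    "INFO Role 5726551c1ab368126cc8ff60dd10a345 Manage <folder name> Folder "
    "5726551c1ab368126cc8ff60dd10a343 updated",
    "WARNING Password requirements are below STIG minimum for Internal Identity Provider",
    "INFO IdentityProviderPasswordPolicy 0000000000000000FFFFFFFFFFFFFFFE updated (changed serializedProps)",
]

# Role membership audits: "<severity> Role <role id> <role name> [<entity id>] updated".
# The guide notes that the add and remove audits are identical, so the message alone
# cannot say whether a user gained or lost the role; the audit detail view
# (Admin User Name, Admin IP, Action) must be consulted for that.
ROLE_RE = re.compile(
    r"^(?P<severity>INFO|WARNING|SEVERE) Role (?P<role_id>[0-9a-fA-F]{32}) "
    r"(?P<role>.+?)(?: (?P<entity_id>[0-9a-fA-F]{32}))? updated$"
)
PASSWORD_POLICY_RE = re.compile(r"IdentityProviderPasswordPolicy [0-9a-fA-F]{32} updated")
STIG_RE = re.compile(r"Password requirements are below STIG minimum")

# Roles the guide singles out: Administrator/Operator can query the entire system;
# Gateway Maintenance and the audit-viewing roles touch audit evidence.
ADMIN_ROLES = {"Administrator", "Operator"}
AUDIT_ROLES = {"Gateway Maintenance", "View Audit Records", "Invoke Audit Viewer Policy"}


def parse_role_audit(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of a role membership audit, or None for any other line."""
    m = ROLE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Classify each audit line; returns one finding per line that matters."""
    findings = []
    for line in lines:
        role = parse_role_audit(line)
        if role is not None:
            if role["role"] in ADMIN_ROLES:
                level = "high"      # membership change on a whole-system role
            elif role["role"] in AUDIT_ROLES:
                level = "medium"    # membership change on an audit-related role
            else:
                level = "info"
            findings.append({"kind": "role_change", "level": level,
                             "role": role["role"], "line": line})
        elif STIG_RE.search(line):
            findings.append({"kind": "stig_below_minimum", "level": "high", "line": line})
        elif PASSWORD_POLICY_RE.search(line):
            findings.append({"kind": "password_policy_change", "level": "medium", "line": line})
    return findings


def count_by_level(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise findings by level, e.g. for a daily review of the audit sink."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts
```

Because the add and remove audits carry the same text, treat every match on a high-level role as a prompt to open the record in the Gateway Audit Events window and confirm who made the change and from which address.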