Vinod Subramaniam

Securing Hitachi Command Director 8.0.0-00

Blog Post created by Vinod Subramaniam on May 13, 2014

A.     Securing Hitachi Command Director 8.0.0-00

 

1.      Stop Hitachi Command Director

 

C:\Users\Administrator>sc query HitachiCommandDirector

 

SERVICE_NAME: HitachiCommandDirector

TYPE : 10  WIN32_OWN_PROCESS

STATE : 4  RUNNING

(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0  (0x0)

SERVICE_EXIT_CODE : 0  (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

 

C:\Users\Administrator>sc stop HitachiCommandDirector

 

SERVICE_NAME: HitachiCommandDirector

TYPE : 10  WIN32_OWN_PROCESS

STATE : 3  STOP_PENDING

(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0  (0x0)

SERVICE_EXIT_CODE : 0  (0x0)

CHECKPOINT : 0x2

WAIT_HINT : 0xbb8

 

C:\Users\Administrator>sc query HitachiCommandDirector

 

SERVICE_NAME: HitachiCommandDirector

TYPE : 10  WIN32_OWN_PROCESS

STATE : 1  STOPPED

WIN32_EXIT_CODE : 0  (0x0)

SERVICE_EXIT_CODE : 0  (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0


2.      Create a Server Key Store

 

C:\Users\Administrator>set PATH=%PATH%;C:\Program Files\Hitachi\CommandDirector\jre\bin

 

C:\Users\Administrator>echo %PATH%

C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Hitachi\CommandDirector\jre\bin

 

C:\Program Files\Hitachi\CommandDirector\jre\lib\security>keytool -genkey -alias WindowsHost1-HCMD.pem -dname "CN=WindowsHost1,OU=SAN,O=ADP,L=Alpharetta,ST=GA,C=US" -keyalg RSA -keypass WindowsHost1.pass -storepass WindowsHost1.pass -validity 3650 -keystore WindowsHost1.HCMD.keystore

 

C:\Program Files\Hitachi\CommandDirector\jre\lib\security>keytool -export -alias WindowsHost1-HCMD.pem -storepass WindowsHost1.pass -file WindowsHost1.HCMD.cert -keystore WindowsHost1.HCMD.keystore

 

3.      Edit server.xml and point it at the keystore created in step 2

 

C:\Program Files\Hitachi\CommandDirector\tomcat\conf>notepad server.xml

 

BEFORE

 

   <!-- To enable SSL uncomment the below directive and add keystoreFile path and keystorePass -->

   <!--

   <Connector

          protocol="org.apache.coyote.http11.Http11Protocol"

port="25016" minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100"  maxThreads="200" scheme="https" secure="true" SSLEnabled="true"

       clientAuth="false" sslProtocol="TLS"/>

         -->


AFTER

 

<Connector

       protocol="org.apache.coyote.http11.Http11Protocol"

port="25016" minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100"  maxThreads="200" scheme="https" secure="true" SSLEnabled="true"

keystoreFile="C:\Program Files\Hitachi\CommandDirector\jre\lib\security\WindowsHost1.HCMD.keystore"

keystorePass="WindowsHost1.pass"

clientAuth="false" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>


4.      Enable SSL in custom.properties

 

C:\Program Files\Hitachi\CommandDirector\conf>notepad custom.properties

 

#Set value to true to enable secure mode in HCmD. Default value is false. 

hcmd.is.secure.connection=true

 

5.      Start Hitachi Command Director


C:\Program Files\Hitachi\CommandDirector\conf>sc start HitachiCommandDirector

 

SERVICE_NAME: HitachiCommandDirector

TYPE               : 10  WIN32_OWN_PROCESS

STATE              : 2  START_PENDING

                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_EXIT_CODE  : 0  (0x0)

CHECKPOINT         : 0x0

WAIT_HINT          : 0x7d0

PID                : 3200

FLAGS              :


6.      Connect to https://windowshost1:25016 and add the certificate to the trusted root store.


7.      Import the HDVM certificate

 

Copy the certificate to C:\Program Files\Hitachi\CommandDirector\jre\lib\security

Import the HDVM certificate into the HCMD keystore

 

C:\Program Files\Hitachi\CommandDirector\jre\lib\security>keytool -import -v -trustcacerts -alias rhel64-2-hdvm-java -file rhel64-2-hdvm-java.cert -keystore WindowsHost1.HCMD.keystore -storepass WindowsHost1.pass

Owner: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Issuer: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Serial number: 536d6f44

Valid from: Fri May 09 17:13:56 PDT 2014 until: Mon May 06 17:13:56 PDT 2024

Certificate fingerprints:

MD5: 06:F1:E9:B1:17:7D:72:6A:0F:92:0F:87:F8:BC:D4:4E

         SHA1: 7F:FE:A9:CC:F2:A1:62:0E:7C:5B:4A:60:D6:42:90:3C:14:C0:62:C4

SHA256: 67:98:3F:CE:17:08:5F:BC:AE:16:D3:35:A2:7F:0D:15:8E:72:2F:72:A0:47:48:2A:D9:7B:64:85:76:8D:12:71

Signature algorithm name: SHA256withRSA

Version: 3

Trust this certificate? [no]:  yes

Certificate was added to keystore

[Storing WindowsHost1.HCMD.keystore]
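Both step 6 (accepting the HCmD certificate in the browser) and step 7 (answering "Trust this certificate?" at the keytool prompt) are trust decisions, and the only thing that makes them safe is comparing the fingerprint shown with the one printed on the server that generated the key. The script below is an added example by the editor, not part of the original post or of the Hitachi product: it fetches the leaf certificate from a TLS port without validating it (there is nothing to validate against yet), prints the SHA-256 fingerprint in the same colon-separated format keytool uses, and compares it with an expected value supplied out of band. Host, port and the expected fingerprint are command-line arguments and are assumptions; the only embedded input is the empty byte string used for a self-check.

```python
import hashlib
import socket
import ssl
import sys


def colon_fingerprint(der_bytes, algo="sha256"):
    """Hash a DER-encoded certificate and format it as keytool prints it:
    upper-case hex pairs separated by colons (e.g. 67:98:3F:...)."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_der(host, port, timeout=5.0):
    """Return the server's leaf certificate in DER form.

    Validation is deliberately switched off: this call runs *before* the
    certificate is trusted, so the fingerprint comparison done by the caller
    is the check, not the TLS handshake.  check_hostname must be cleared
    before verify_mode, or SSLContext raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_fingerprint(der_bytes, expected, algo="sha256"):
    """Compare the computed fingerprint with one copied from keytool output.
    Colons, spaces and letter case are ignored so a pasted value matches."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return norm(colon_fingerprint(der_bytes, algo)) == norm(expected)


if __name__ == "__main__":
    # Usage (hypothetical values):
    #   python check_fp.py windowshost1 25016 67:98:3F:CE:...
    if len(sys.argv) != 4:
        sys.exit("usage: check_fp.py HOST PORT EXPECTED_SHA256_FINGERPRINT")
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    der = fetch_server_cert_der(host, port)
    print("SHA256:", colon_fingerprint(der))
    print("SHA1:  ", colon_fingerprint(der, "sha1"))
    if verify_fingerprint(der, expected):
        print("MATCH: safe to import/trust")
    else:
        sys.exit("MISMATCH: do not trust this certificate")
```

Run it from the HCmD host against the RAE port (and vice versa) with the SHA-256 value read from the keytool output on the other machine; only a MATCH justifies answering "yes" at the import prompt. A Java 7-era server may offer nothing newer than TLS 1.0, which a current OpenSSL refuses by default; if the handshake fails for that reason, set `ctx.minimum_version = ssl.TLSVersion.TLSv1` in `fetch_server_cert_der` for the check only.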


8.      Modify custom.properties

 

C:\Program Files\Hitachi\CommandDirector\conf>notepad custom.properties

 

#Set value to true to enable secure mode in HCmD. Default value is false. 

hcmd.is.secure.connection=true

 

#true value indicates that HCmD will trust all target server like Host Data Collector.

#false value indicates that HCmD will trust target server based on the Trust store configured.

# In case of false value, HSCP will be able to communicate with HDC

# if the public key of HDC has been imported to the provided Trust store.

hscp.https.trustallservers=false

 

#Trust store file name with complete path. This value will be only used if hscp.https.trustallservers is set to false.

hscp.https.truststore.file="C:/Program Files/Hitachi/CommandDirector/jre/lib/security/WindowsHost1.HCMD.keystore"

 

#Password to access the Trust store file provided in property hscp.https.truststore.file.

hscp.https.truststore.pass="WindowsHost1.pass"

 

 

9.      Stop and start Hitachi Command Director


10.  Access the AgentForRAIDExtension server and enable SSL

 

1. Stop the AgentForRAIDExtension service

 

[root@RHEL64-2 bin]# pwd

/opt/jp1pc/agtd/AgentforRAIDExtension/bin

[root@RHEL64-2 bin]# ./AgentforRAIDExtension stop

Using CATALINA_BASE:   /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat

Using CATALINA_HOME:   /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat

Using CATALINA_TMPDIR: /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/temp

Using JRE_HOME: /opt/jp1pc/agtd/AgentforRAIDExtension/jre

Using CLASSPATH: /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/bin/bootstrap.jar

May 9, 2014 11:15:12 PM org.apache.catalina.startup.ClassLoaderFactory validateFile

WARNING: Problem with directory [/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/lib/hibernate], exists: [false], isDirectory: [false], canRead: [false]

May 9, 2014 11:15:12 PM org.apache.catalina.startup.ClassLoaderFactory validateFile

WARNING: Problem with directory [/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/lib/axis], exists: [false], isDirectory: [false], canRead: [false]

May 9, 2014 11:15:12 PM org.apache.catalina.startup.ClassLoaderFactory validateFile

WARNING: Problem with directory [/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/lib/hostprobe], exists: [false], isDirectory: [false], canRead: [false]

 

2.  Generate a self-signed certificate for AgentForRAIDExtension service

 

[root@RHEL64-2 bin]# pwd

/opt/jp1pc/agtd/AgentforRAIDExtension/jre/bin

 

[root@RHEL64-2 bin]# ./keytool -genkey -alias `hostname`-HCMD.pem -dname "CN=$(hostname),OU=SAN,O=ADP,L=Alpharetta,ST=GA,C=US" -keyalg RSA -keypass `hostname`.pass -storepass `hostname`.pass -validity 3650 -keystore `hostname`.HCMD.keystore

 

[root@RHEL64-2 bin]# ./keytool -export -alias `hostname`-HCMD.pem -storepass `hostname`.pass -file `hostname`.HCMD.cert -keystore `hostname`.HCMD.keystore

Certificate stored in file <RHEL64-2.HCMD.cert>


3.      Edit /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/conf/server.xml

 

    <!-- To enable SSL uncomment the below directive and add keystoreFile path and keystorePass -->

<Connector

protocol="org.apache.coyote.http11.Http11Protocol"

      port="25076" minSpareThreads="5" maxSpareThreads="75" enableLookups="true"    

disableUploadTimeout="true" acceptCount="100"

maxThreads="200" scheme="https" secure="true" SSLEnabled="true"

keystoreFile="/opt/jp1pc/agtd/AgentforRAIDExtension/jre/bin/RHEL64-2.HCMD.keystore"

                keystorePass="RHEL64-2.pass"

clientAuth="false" sslProtocol="TLS"            ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
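The connector above, and the identical one enabled in the HCmD server.xml in step 3, carries a cipher list that includes RC4, 3DES and MD5-based suites. All three are now considered broken (RC4 is prohibited for TLS by RFC 7465, 3DES is subject to the Sweet32 attack), the keystore password sits in clear text in the file, and with only `sslProtocol="TLS"` set the enabled protocol versions are whatever the bundled JRE defaults to. The audit script below is an added example by the editor, not part of the original post or of the Hitachi product: it parses a server.xml, picks out every `Connector` with `SSLEnabled="true"` and reports those points. The weak-suite markers are the editor's list; the two sample documents are constructed to mirror the BEFORE and AFTER states shown in the post, with the same hypothetical paths.

```python
import xml.etree.ElementTree as ET

# Name fragments that mark a suite as weak (editor's list, not from the product):
# RC4 (RFC 7465), 3DES (Sweet32), MD5 MACs, NULL / anonymous / export-grade suites.
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "anon", "EXPORT", "DES40")

# Constructed sample: the connector as shipped, still inside an XML comment.
SAMPLE_BEFORE = """<Server><Service name="Catalina">
  <!-- To enable SSL uncomment the below directive and add keystoreFile path and keystorePass -->
  <!-- <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="25016"
        scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"/> -->
</Service></Server>"""

# Constructed sample mirroring the AFTER connector from the post (hypothetical paths).
SAMPLE_AFTER = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="25016"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="C:\\Program Files\\Hitachi\\CommandDirector\\jre\\lib\\security\\WindowsHost1.HCMD.keystore"
        keystorePass="WindowsHost1.pass"
        clientAuth="false" sslProtocol="TLS"
        ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return one finding dict per SSLEnabled connector in the given server.xml text.

    ElementTree drops XML comments, so a connector that is still commented out
    (the shipped state) is correctly reported as not enabled at all."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        weak = [c for c in ciphers if any(m in c for m in WEAK_MARKERS)]
        issues = []
        if not conn.get("keystoreFile"):
            # Tomcat's documented fallback is .keystore in the service user's home dir
            issues.append("keystoreFile not set: Tomcat falls back to ~/.keystore")
        if conn.get("keystorePass"):
            issues.append("keystorePass is in clear text: restrict read access to server.xml")
        if not ciphers:
            issues.append("ciphers not set: the JRE default suite list applies")
        if weak:
            issues.append("weak cipher suites enabled: " + ", ".join(weak))
        if not conn.get("sslEnabledProtocols"):
            issues.append("sslEnabledProtocols not set: protocol versions follow the JRE default")
        if conn.get("clientAuth", "false").lower() != "true":
            issues.append("clientAuth=false: server-only authentication, any client may connect")
        findings.append({
            "port": conn.get("port"),
            "sslProtocol": conn.get("sslProtocol"),
            "cipher_count": len(ciphers),
            "weak_ciphers": weak,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for label, doc in (("BEFORE", SAMPLE_BEFORE), ("AFTER", SAMPLE_AFTER)):
        result = audit_connectors(doc)
        print(f"{label}: {len(result)} SSL connector(s) enabled")
        for f in result:
            print(f"  port {f['port']} sslProtocol={f['sslProtocol']} "
                  f"{f['cipher_count']} suites, {len(f['weak_ciphers'])} weak")
            for issue in f["issues"]:
                print("   -", issue)
```

Point it at the real file with `audit_connectors(open(path).read())`; the same function covers the HCmD connector on port 25016 and the RAE connector on port 25076, since only the port and paths differ. Dropping the RC4, 3DES and MD5 entries from the `ciphers` attribute and pinning `sslEnabledProtocols` are changes to make on both sides at once, as the two connectors must keep at least one suite and version in common.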

 

4.      Edit /opt/jp1pc/agtd/AgentforRAIDExtension/conf/system.properties

 

[root@RHEL64-2 conf]# pwd

/opt/jp1pc/agtd/AgentforRAIDExtension/conf

 

[root@RHEL64-2 conf]# more system.properties

 

#true value indicates that RAE will trust all target servers for HTTPS communication.

#false value will require that value for property rae.https.truststore.file and rae.https.truststore.pass is provided.

#In case of false value, RAE will be able to communicate with only trusted servers based on the provided Trust store.

rae.https.trustallservers=false

 

#Trust store file name with complete path. This value will be only used if rae.https.trustallservers is set to false.

rae.https.truststore.file="/opt/jp1pc/agtd/AgentforRAIDExtension/jre/bin/RHEL64-2.HCMD.keystore"

 

#Password to access the Trust store file provided in property rae.https.truststore.file.

rae.https.truststore.pass="RHEL64-2.pass"

 

#Set value to true to enable secure mode in RAE. Default value is false.

rae.is.secure.connection=true
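The `*.https.trustallservers` flag in this file, and `hscp.https.trustallservers` in the HCmD custom.properties of step 8, is the one setting that decides whether the certificates imported in the other steps matter at all: with it set to `true` the peer's certificate is never checked and anyone on the path can impersonate the other side. Two further details are easy to get wrong by hand. `java.util.Properties` keeps quotation marks as literal characters of the value (the post does not say whether HCmD and RAE strip them, so they are worth confirming), and a doubled `=` turns the value into `=...`. The script below is an added example by the editor, not part of the original post or of the Hitachi product: it reads a properties file and reports those conditions for either prefix. The two sample files are constructed; the first mirrors the HCmD settings from the post, the second is a deliberately mis-edited RAE file.

```python
import re

# Constructed sample mirroring the HCmD custom.properties shown in the post.
SAMPLE_HCMD = """\
#Set value to true to enable secure mode in HCmD. Default value is false.
hcmd.is.secure.connection=true
hscp.https.trustallservers=false
hscp.https.truststore.file="C:/Program Files/Hitachi/CommandDirector/jre/lib/security/WindowsHost1.HCMD.keystore"
hscp.https.truststore.pass="WindowsHost1.pass"
"""

# Constructed sample of an RAE system.properties with three hand-editing slips:
# trust-all left on, a doubled '=', and secure mode not switched on.
SAMPLE_RAE_BAD = """\
rae.https.trustallservers=true
rae.https.truststore.file==/opt/jp1pc/agtd/AgentforRAIDExtension/jre/bin/RHEL64-2.HCMD.keystore
rae.https.truststore.pass=RHEL64-2.pass
rae.is.secure.connection=false
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' or '!' starts a comment, the
    first '=' or ':' separates key from value, surrounding whitespace is
    trimmed and quotes are kept, exactly as Java keeps them.  Line
    continuations and escapes are not handled; the product files do not use them."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_trust_settings(props, prefix):
    """Return (severity, message) tuples for the <prefix>.https.* trust settings
    and for any *.is.secure.connection flag found in the file."""
    findings = []
    trust_all = props.get(f"{prefix}.https.trustallservers", "false").strip().lower()
    if trust_all == "true":
        findings.append(("CRITICAL", f"{prefix}.https.trustallservers=true disables "
                                     "server certificate validation (MITM possible)"))
    ts_file = props.get(f"{prefix}.https.truststore.file", "")
    ts_pass = props.get(f"{prefix}.https.truststore.pass", "")
    if trust_all != "true":
        if not ts_file:
            findings.append(("HIGH", f"{prefix}.https.truststore.file not set while trustallservers=false"))
        if not ts_pass:
            findings.append(("HIGH", f"{prefix}.https.truststore.pass not set while trustallservers=false"))
    for key, value in ((f"{prefix}.https.truststore.file", ts_file),
                       (f"{prefix}.https.truststore.pass", ts_pass)):
        if value.startswith("="):
            findings.append(("HIGH", f"{key}: value starts with '=' (doubled '=' in the file?)"))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            findings.append(("WARN", f"{key}: quotes are literal in Java properties; "
                                     "confirm the product strips them"))
    for key, value in props.items():
        if key.endswith(".is.secure.connection") and value.strip().lower() != "true":
            findings.append(("HIGH", f"{key}={value}: secure mode is off"))
    return findings


if __name__ == "__main__":
    for label, text, prefix in (("custom.properties", SAMPLE_HCMD, "hscp"),
                                ("system.properties", SAMPLE_RAE_BAD, "rae")):
        print(label)
        for sev, msg in audit_trust_settings(parse_properties(text), prefix) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Use `prefix="hscp"` for the HCmD custom.properties and `prefix="rae"` for the RAE system.properties; a CRITICAL line means the certificate import steps on that host are being ignored.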

 

5.      Stop and start AgentforRAIDExtension

 

[root@RHEL64-2 bin]# ./AgentforRAIDExtension start

Starting HCmD Agent for RAID Extension...

Using CATALINA_BASE:   /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat

Using CATALINA_HOME:   /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat

Using CATALINA_TMPDIR: /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/temp

Using JRE_HOME: /opt/jp1pc/agtd/AgentforRAIDExtension/jre

Using CLASSPATH:       /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/bin/bootstrap.jar

Using CATALINA_PID: /opt/jp1pc/agtd/AgentforRAIDExtension/run.pid

Existing PID file found during start.

Removing/clearing stale PID file.

[root@RHEL64-2 bin]# ps -ef | grep Agentfor

root      6130     1 99 23:40 pts/1    00:00:06 /opt/jp1pc/agtd/AgentforRAIDExtension/jre/bin/java -Djava.util.logging.config.file=/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/conf/logging.properties -Dorion.home=/opt/jp1pc/agtd/AgentforRAIDExtension -Xms256m -Xmx1536m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/endorsed -classpath /opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/bin/bootstrap.jar -Dcatalina.base=/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat -Dcatalina.home=/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat -Djava.io.tmpdir=/opt/jp1pc/agtd/AgentforRAIDExtension/tomcat/temp org.apache.catalina.startup.Bootstrap start

 

6.      Copy RHEL64-2.HCMD.cert to the Command Director server folder C:\Program Files\Hitachi\CommandDirector\jre\lib\security


7.      Import RHEL64-2.HCMD.cert into the HCMD keystore

 

C:\Program Files\Hitachi\CommandDirector\jre\lib\security>keytool -import -v -trustcacerts -alias rhel64-2-hcmd -file RHEL64-2.HCMD.cert -keystore WindowsHost1.HCMD.keystore -storepass WindowsHost1.pass

Owner: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Issuer: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Serial number: 143b35da

Valid from: Fri May 09 23:19:22 PDT 2014 until: Mon May 06 23:19:22 PDT 2024

Certificate fingerprints:

MD5: A2:0F:D7:B9:B0:2E:C5:64:CF:C3:20:BD:30:67:94:0B

         SHA1: 2D:3D:0E:A6:CA:15:15:EC:60:EA:DC:E3:94:76:09:67:83:7F:31:E1

SHA256: 32:26:BF:F6:42:AA:C6:4F:03:79:82:07:F5:A9:9D:28:6D:C3:71:60:C2:A6:F6:5B:A2:AB:6B:4C:A3:E9:18:2C

Signature algorithm name: SHA256withRSA

Version: 3

 

Extensions:

 

#1: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 3A 19 B7 7E 0A 25 6E 83   33 BB B9 AB D1 16 FD 08  :....%n.3.......

0010: 18 8E 03 F3                                        ....

]

]

 

Trust this certificate? [no]:  yes

Certificate was added to keystore

[Storing WindowsHost1.HCMD.keystore]

 

8.      Stop and restart Hitachi Command Director
