Installation Guide
Version 3.0.1
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS
Nokia is a registered trademark of Nokia Corporation.
Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation in the U.S. and/or other
countries.
SecurID is a registered trademark of RSA Security INC.
SSH Certifier is either a registered trademark or trademark of SSH Communications Security Oyj in the United States
and/or other countries.
Check Point, FireWall-1, and OPSEC are trademarks or registered trademarks of Check Point Software Technologies
Ltd.
Other products mentioned in this document are trademarks or registered trademarks of their respective holders.
Americas
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Email: tac.support@nokia.com
Europe, Middle East and Africa
Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908; France: +33 170 708 166
Email: ipsecurity.emea@nokia.com
Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897
This guide describes how to install and initially configure Nokia Security Service Manager
(SSM) and Nokia Mobile VPN Client. The information in this guide is useful to network
administrators, system administrators, and user managers.
This preface provides the following information:
In This Guide
Conventions This Guide Uses
Related Documentation
In This Guide
This guide is organized into the following chapters:
Chapter 1, Introducing Nokia Security Service Manager provides an overview of the SSM
components and functions and describes how to use SSM to set up automatic content
delivery to mobile devices.
Chapter 2, Installing Nokia Security Service Manager describes how to install and initially
configure SSM.
Chapter 3, Configuring Nokia Security Service Manager contains use cases that are
examples of how to configure SSM to extend the enterprise network to mobile devices.
Notices
Caution
Cautions indicate potential equipment damage, equipment malfunction, loss of
performance, loss of data, or interruption of service.
Note
Notes provide information of special interest or recommendations.
Command-Line Conventions
This section defines the elements of commands that are available in SSM. You might encounter
one or more of the following elements on a command-line path.
command: This required element is usually the product name or other short
word that invokes the product or calls the compiler or preprocessor
script for a compiled Nokia product. It might appear alone or
precede one or more options. You must spell a command exactly
as shown and use lowercase letters.
For example:
https://company.com:443
"": Quotation marks are literal symbols that you must enter as shown.
Text Conventions
Table 2 describes the text conventions this guide uses.
bold monospace font: Indicates text you enter or type, for example:
# configure nat
Key names: Keys that you press simultaneously are linked by a plus sign (+):
Press Ctrl + Alt + Del.
Menu commands: Menu commands are separated by a greater than sign (>):
Choose File > Open.
The words enter and type: Enter indicates you type something and then press the Return or
Enter key. Do not press the Return or Enter key when an instruction says type.
Menu Items
The greater than sign (>), with spaces before and after the sign, separates items in menus.
For example, Start > Programs > Nokia > Nokia Security Service Manager indicates that you
first choose Start, then choose the Programs menu command, then choose Nokia, and finally
choose Nokia Security Service Manager.
Related Documentation
You can download the following additional documentation from the Nokia customer support
Web site at https://support.nokia.com/:
Nokia Security Service Manager Release Notes describe known issues in the current release.
Nokia Security Service Manager Planning Sheet helps you plan network topology before
you install SSM.
Nokia Security Service Manager Administration Guide provides detailed information about
how to use SSM.
Nokia Security Service Manager Help provides detailed information about how to use the
SSM graphical user interface (GUI).
To open the help, choose Help > Help Topics in the SSM GUI.
Nokia Mobile VPN Client Release Notes
Nokia Mobile VPN Client Quick Reference Guide
Nokia Mobile VPN Client Users Guide
Nokia Mobile VPN Client Help provides detailed information about how to use Mobile
VPN Client.
The support Web site also contains a list of mobile devices that have been tested to support Mobile
VPN Client. You must register to access the Web site.
Local and remote network users have the same requirements for quick, easy access to resources
over their corporate networks. And yet, remote network traffic needs protection through
encrypted VPN tunneling, antivirus scanning, and appropriate security policies. In addition,
network transactions need privacy and integrity while remote users need to be authenticated and
authorized for access to networks and network services.
Nokia Security Service Manager (SSM) addresses the initial deployment, subsequent
configuration management, and public-key infrastructure (PKI) related requirements of mobile
devices in an Internet protocol security (IPSec) virtual private network (VPN). SSM provides a
scalable solution for enterprises to extend their VPN to the mobile domain.
Figure 1 illustrates how SSM works in combination with other hardware, software, and services
to create a mobile VPN.
Figure 1 Mobile VPN System Components
[Figure: firewall/VPN gateway, SSM enrollment gateway, SSM management station, VPN policy
management software, external authentication server, Nokia SSM Web server, mail gateway (SMTP),
and Nokia Mobile VPN Client on the operator mobile network, connected over the Internet]
VPN policy management software: manages the VPN gateway. You use policy
management software to create VPN policies and profiles and export them to the SSM
database.
Nokia Security Service Manager: delivers security policy and other files to large numbers
of authorized users.
External authentication server: authenticates access to SSM.
External certification authority (CA): serves the certification requests that it receives
from Mobile VPN Client through SSM.
Mail gateway: uses the simple mail transfer protocol (SMTP) to send notifications to
users.
[Figure: SSM components: server and database, enrollment gateway (EGW), Nokia SSM Web server
and Web site, management station (GUI and CLI)]
Server
The server component consists of server and database. The server implements the core
functionality of SSM. The database is an embedded relational database that stores information
about users, user groups, VPN policies, other files, and their properties.
Enrollment Gateway
The enrollment gateway (EGW) component provides online certificate enrollment for Mobile
VPN Client. The EGW receives certification requests from Mobile VPN Client. The EGW uses
the server to authenticate and authorize the certification requests and then forwards the
certification requests to an internal or external CA.
You can specify that an EGW entity acts as an internal CA. The automatic content update service
uses certificates that an internal CA issues. An internal CA stores certificates, certificate
revocation lists (CRL), and other data in the database.
You must obtain additional licenses to use internal CAs for other purposes than automatic
content update.
Web Server
The Web server component acts as an external interface to SSM:
Mobile VPN Client sends certification requests to the Web server, which forwards them to
the EGW through the server.
Mobile VPN Client connects to the Web server for automatic content updates from the
database.
VPN policy management software exports VPN policies to the database through the Web
server.
The VPN gateway might send CRL requests to the Web server, which forwards them to the
EGW through the server.
Users access a Web site that the Web server hosts to download content.
Management Station
The management station component consists of a graphical user interface (GUI) and command-
line interface (CLI). You can use the GUI and CLI to manage SSM. You can install and run the
management station on one or several computers.
For information about how to use the GUI and CLI to accomplish system administrator tasks,
see the Nokia Security Service Manager Administration Guide.
[Figure: Nokia Mobile VPN Client on the mobile network reaching intranet resources (SAP
database, mail, Web content) through the VPN gateway over the Internet]
Mobile VPN Client is an IPSec VPN application that allows mobile employees to use the
wireless infrastructure to create encrypted connections from their mobile device to a corporate
network. Once a mobile employee authenticates to the corporate VPN successfully, all data that
travels between the mobile device and the corporate network is encrypted, no matter what the
mobile application. Furthermore, the stringent security that is inherent in an IPSec VPN helps
ensure that the recipient receives data exactly as the sender sent it. IPSec also helps protect
against electronic data theft and man-in-the-middle attacks.
[Figure: mobile devices]
System administrators must accomplish the tasks that the following sections describe to extend
an IPSec VPN to mobile devices:
Configuring Client Access to VPN Gateways
Managing Content
Managing Users and User Groups
Authenticating Users to Nokia Security Service Manager
Using Online Certificate Enrollment
Using Nokia Mobile VPN Client
To automate some of these steps, use example configuration scripts to specify settings for the
automatic content update service. For more information about how to use example configuration
scripts, see the Nokia Security Service Manager Getting Started Guide.
Certificate-Based Authentication
You can use one of two methods to allow users to use digital certificates as an authentication
method. You can set up a VPN policy that:
Includes private keys and digital certificates.
Forces each user to generate their own key pair and use online certificate enrollment to
request their own certificate from a CA.
Nokia recommends that you use online certificate enrollment to request certificates from an
internal or external CA.
Legacy Authentication
A VPN gateway can support the following types of legacy authentication:
Shared secrets: usernames and fixed passwords authenticate users. More typically, VPN
gateways use shared secrets to authenticate each other in a site-to-site VPN.
Challenge-response authentication: during challenge-response authentication, the VPN
gateway authenticates with a certificate and the user authenticates with a legacy
authentication method in an open-ended exchange until they satisfy the VPN gateway.
The VPN client informs the VPN gateway that it will use challenge-response authentication
and names a legacy authentication method. The VPN gateway responds with its certificate.
The certificate authenticates the VPN gateway to the VPN client. The VPN client then uses
the legacy authentication method to authenticate to the VPN gateway.
XAUTH
Cisco VPN 3000 Series Concentrator supports extended authentication within IKE (XAUTH).
XAUTH is a method to use unidirectional authentication mechanisms such as RADIUS,
SecurID, and one-time passwords within IKE.
A client policy contains all the information that a VPN client needs to establish VPN tunnels to a
VPN gateway.
A generic profile lacks user-specific information, such as client certificates and private keys. To
provide this information, users do the following:
Employ user names and passwords or certificates to authenticate to the VPN gateway.
Use online certificate enrollment to acquire certificates and private keys.
After you create client policies or profiles, export them to the SSM database for installation to
mobile devices.
For examples of how to configure client access to IP VPN Gateway, see Chapter 3, Configuring
Nokia Security Service Manager. For more information about how to use VPN Manager, see
the Nokia IP VPN Gateway Configuration Guide.
Managing Content
You can use SSM to deliver content, such as a VPN policy or Mobile VPN Client software to
large numbers of users. All content in the database has an associated multipurpose Internet mail
extensions (MIME) type that describes the content.
You do not use SSM to create content. Use VPN policy management software to configure VPN
policies and export them to SSM. Use the SSM GUI or CLI to map the VPN policies to users
and user groups. Mobile VPN Client connects to the SSM Web server, the automatic content
update service checks for new, updated, or deleted VPN policies in the SSM database, and
Mobile VPN Client installs VPN policies to the mobile device or removes them.
Use some other tool to create other types of content and then add the content to the database.
Users can download the content that you map to them or to their user groups from the Web site.
You cannot add identical content to the database under two different names. The following
properties uniquely identify a content entry in the database:
Fingerprint that SSM generates from the content
MIME type
Originator of the content
You can specify settings for VPN access points and renewing VPN certificates that are
associated with a VPN policy and use the automatic content update service to deliver them to
mobile devices.
Content properties authorize users to enroll certificates from a CA. To authorize users, SSM
compares the properties of users and the content that you map to users in the database to the
fields in the certification request. For more information about how to authorize certificate
enrollment, see Authorizing Certificate Enrollment on page 26.
[Figure: SSM deployment: the SSM Web server in the DMZ behind the firewall/VPN gateway; the
SSM server and database, SSM enrollment gateway, SSM management station, RADIUS or LDAP
server, SAP database, corporate email and corporate Web services on the intranet; Windows
clients/laptops, mobile devices and telecommuters connecting from the Internet and the operator
mobile network; policies delivered to the Mobile Devices and Telecommuters user groups]
Figure 5 illustrates the user groups that you can create in SSM to map VPN policies to users.
Figure 5 User Groups
You map VPN policies to the user groups. Because users and groups inherit content, the users
have access to different numbers of VPN policies. For example, users whom you map to the
MobileDevices user group have access to the content that you map to the MobileDevices user
group and to the Telecommuters user group.
Notifying Users
You can send notifications to users and user groups by email. SSM uses SMTP to deliver
notifications. SSM can deliver notifications to users' GSM phones, if their email addresses point
to an SMS gateway that understands SMTP.
Authentication Methods
You can use the following authentication methods to authenticate users to the SSM Web site and
automatic content update service:
Local authentication: SSM checks the logon name and password of the user against a
local database. Only one local database can exist at a time.
One-time password authentication: Administrators use the GUI to generate passwords
for users whom they add to the database. Administrators set a predefined authentication
server called One-time password as the user's authentication server. SSM checks the logon
name and password of the user against the database and removes the password from the
database. Another authentication method, such as certificates, subsequently authenticates
users.
RADIUS authentication: SSM checks the logon name and password of the user against a
RADIUS server. Optionally, SSM drops the domain name part of the user identifier before
authentication. The passwords can be either normal passwords or one-time passwords that
users generate with token cards, such as RSA SecurID. Several instances of this
authentication method can exist at the same time.
LDAP authentication: SSM searches for the user by logon name from an LDAP server.
Optionally, SSM drops the domain name part of the logon name before the search. When the
user is found, an LDAP bind is done using the user's distinguished name (DN) and
password. Several instances of this authentication method can exist at the same time.
Certificate authentication: the user presents a certificate, which must be valid, and a
signature. The certificate is valid if it is signed by the CA that you define as the
authentication server, if it is within its validity period, and if it has not been revoked. If the
signature verifies with the public key in the certificate, the user is considered authenticated. The
rfc822Name subject alternative name extension field in the certificate maps the user to an
existing SSM logon name.
In SSM v3.0, certificate authentication is only supported for the automatic content update
service. The first time users log on to SSM with Mobile VPN Client, one of the other
authentication methods authenticates users. During the first connection, Mobile VPN Client
requests certificates for the users from the SSM internal CA. Certificates subsequently
authenticate users to the automatic content update service. Users might need to use the other
authentication methods again if their certificates expire.
When certificates are about to expire, Mobile VPN Client enrolls new certificates. Specify the
threshold for renewing certificates for the automatic content update service in the
client.properties configuration file, acu.cert.renewal setting.
Mobile VPN Client uses the automatic content update service to enroll VPN certificates for
users. Mobile VPN Client enrolls new VPN certificates when they expire. The enrollment begins
when users activate a VPN policy and the renewal period for the certificate that is associated
with the VPN policy has expired. Use the SSM CLI to specify the certificate renewal period as a
property of the VPN policy.
Note
Even if you remove users from an external authentication server, certificates grant users
access to SSM until they expire. Remove users from SSM as well as from the external
authentication server to deny them access to SSM.
For more information about how to use Mobile VPN Client, see the Nokia Mobile VPN Client
Users Guide.
This chapter describes how to install Nokia Security Service Manager (SSM):
Choosing an Installation Option
Minimum System Requirements
Preparing for the Installation
Using the Nokia Security Service Manager Installer
After the Installation
For information about how to configure SSM, see Chapter 3, Configuring Nokia Security
Service Manager.
Note
Use the Nokia Security Service Manager Planning Sheet to plan your network topology
before you install SSM.
Figure 7 illustrates an installation where the SSM components are installed on four separate
computers. The Web server is in the demilitarized zone (DMZ) and the other SSM components
are on the intranet. A firewall is placed between the Web server and SSM server.
Figure 7 Installing All SSM Components on Separate Computers
[Figure: the Nokia SSM Web server and Web site in the DMZ behind the firewall/VPN gateway;
the Nokia Security Service Manager server and database, enrollment gateway (EGW), and
management station (GUI and CLI) on separate computers on the intranet]
Security Considerations
The security of the SSM installation is affected by where you install the SSM components.
The Web server component acts as an external interface to SSM, so applications and users must
be able to access it. You have the following options to install the Web server:
Install the Web server in the DMZ and place a firewall between the Web server and server.
Install the Web server on the intranet and use a proxy server between the intranet and the
public network.
Install the server and Web server on network segments that allow only the minimum network
traffic to pass in and out. For example, place the Web server in Ethernet segments that do not
contain any other servers.
Install the server and EGW on the intranet to help protect them from attacks. Preferably, use a
firewall to separate the network segment from the rest of the intranet.
You can set up the EGW to connect to an external CA for online certificate enrollment. If the CA
is in the public network, you can use a proxy server for communication between the EGW and
CA.
If you do not use a proxy server, install the EGW in a part of the intranet where it can connect to
the external CA. The EGW must be able to initiate TCP/IP communication to the CA over the
public network.
Perform the following tasks on the server and Web server to prevent unauthorized access to
SSM:
Install the most recent security patches.
Remove unnecessary services that might provide attackers with access to SSM.
Deny unauthorized operating system root-level access to the computers to which you install
SSM.
Note
Content and logs require additional disk space on the server, Web server, and management
station.
Installing J2RE
SSM server requires Java 2 Runtime Edition (J2RE) v1.4.2_04, 32-bit, which is not preinstalled
on Windows or RedHat Enterprise Linux v3.0. The version that is preinstalled on Solaris might
be older than the version that SSM requires. The SSM installer checks that the correct J2RE
version is installed and prompts you to install v1.4.2_04, if necessary.
A separate management station installation also supports J2RE v1.5.
You can download J2RE v1.4.2_04 or v1.5 from the Sun Web site. Install J2RE as root.
Note
J2RE 64-bit is not supported if you run SSM on Sun SPARC Solaris.
For the SSM CLI to support characters that the US-ASCII character set does not include, such as
the Scandinavian characters, install J2RE in custom mode and select the additional languages
support option.
For more information about setting operating system file permissions, see Setting File
Permissions and Creating a Startup Script on page 49.
Installation Settings
When you install or configure SSM, you specify values for the fields that Table 4 describes. Find
out the values before you begin the installation.
The values are stored in the SSM configuration files, which are in the installation_directory/etc
directory. Back up the configuration files after installation. Do not change the values manually.
Use the GUI or CLI to modify the properties of the system manager account. For more
information about how to modify user properties, see the Nokia Security Service Manager
Administration Guide or the SSM Help.
Server
Note
Root must own the installation directory or you compromise root. In addition,
only root can have write access to the directories between the root directory
and the installation directory or you compromise root.
Host name: The fully qualified host name or IP address of the server.
The other SSM components use this value to communicate with the server.
Do not use the value localhost.
In Linux, the default value is the host name of the computer.
Port base: Reserve this port number and the six following port numbers for SSM. By
default, port numbers 26773 through 26779 are used.
You cannot use port numbers in the anonymous port range in the computer.
By default the anonymous port range starts from port 32768.
For more information about protocols and port numbers, see the Nokia
Security Service Manager Administration Guide.
Save passphrase: Select this option to save the passphrase in the server.properties
configuration file.
SSM uses the passphrase to encrypt private keys, so the passphrase must
not be compromised. Save the passphrase in server.properties only if you can
be sure that unauthorized persons cannot see it.
A more secure method to save the passphrase is to use the mcs
rootproperties management command script that saves the server
passphrase in the root.properties configuration file in encrypted format. Only
root can access root.properties.
If you do not save the passphrase in server.properties or root.properties, SSM
asks you to enter it each time you start the server.
Subject DN: Specify default values for the subject name of certificates that the internal CAs
issue and the subject name of the Web server certificate.
Specify the following settings in the subject DN:
C: Country (use the two-letter ISO 3166 country codes)
O: Organization
OU: Organization unit (optional)
Default authentication domain: Default domain part of the logon names that authenticate
users to SSM. For example, customer.com.
Do not include the at sign (@) in the value that you define, because SSM
automatically adds it.
If a logon name does not contain a domain name, SSM appends the default
domain name to the logon name when SSM adds the user to the database
and when users log on to SSM.
For example, peter.jones@customer.com.
Logon name: The logon name authenticates the system administrator when he or she
accesses the GUI or CLI.
You can decide the logon name format. Logon names are from 1 to 128
characters long.
Mobile phone: The mobile phone number of the system administrator. Use the international
format: +country code phone number. Optional.
Web server
Host name: The fully qualified host name or IP address of the Web server.
Use the first DNS address of the server in full format including the domain
name.
In Linux, the default value is the host name of the computer.
For scalability, give different host names to the Web server and server even in
a one-computer installation. This makes it possible to move the Web server to
another computer to improve performance.
For more information about distributing SSM to several computers, see the
Nokia Security Service Manager Administration Guide.
You cannot use the value localhost as the host name of the Web server.
Server certificate file: The path to the server certificate and trusted certificate store that
the installer or configuration script creates during the installation of the server component.
By default, the installer or configuration script calls the certificate store
certs.jks and creates it in the installation_directory/etc directory.
You need certs.jks when you install the Web server and management station
on a separate computer. Copy certs.jks to the Web server or management
station in a secure way.
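The following pre-installation check script is an added example for this guide, not a script that ships with SSM. It verifies three requirements stated under Installing J2RE and in the Server settings above: the J2RE version on the path, a port base whose seven reserved ports lie below the anonymous port range, and an installation directory that root owns and that no other user can write to anywhere along its path. The function names, the default path /opt/nssm and the way the version is read from the first line of java -version output are assumptions.

```shell
#!/bin/sh
# ssm-precheck.sh: pre-installation checks for an SSM host (added example, not
# part of SSM). It checks three requirements stated in the installation chapter:
#   1. the J2RE found on the path is the required version (1.4.2_04);
#   2. the port base and the six ports after it lie below the anonymous port
#      range (by default starting at 32768), so the seven SSM ports cannot
#      collide with ephemeral ports that the operating system hands out;
#   3. root owns the installation directory and every directory between / and it,
#      and none of them is writable by group or others.
# REQUIRED_J2RE, the default path /opt/nssm and all function names are
# assumptions made for this example.

REQUIRED_J2RE="1.4.2_04"
DEFAULT_ANON_START=32768

# j2re_version_ok VERSION_LINE REQUIRED
# VERSION_LINE is the first line printed by `java -version`, e.g.
#   java version "1.4.2_04"
# Returns 0 when the quoted version equals REQUIRED, otherwise 1.
j2re_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] && [ "$ver" = "$2" ]
}

# portbase_ok PORTBASE ANON_START
# Returns 0 when PORTBASE is numeric, above the privileged range, and
# PORTBASE+6 (the last of the seven reserved ports) is below ANON_START.
portbase_ok() {
    base=$1; anon=$2
    case $base in ''|*[!0-9]*) return 1 ;; esac
    last=$((base + 6))
    [ "$base" -gt 1023 ] && [ "$last" -lt "$anon" ]
}

# anon_port_start: start of the anonymous (ephemeral) port range. Linux exposes
# it in /proc; elsewhere fall back to the default the guide gives.
anon_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        awk '{print $1}' /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "$DEFAULT_ANON_START"
    fi
}

# dir_chain_ok DIR OWNER_UID [TOP]
# Walks from DIR up to TOP (default /) and returns 0 only if every directory on
# the way is owned by OWNER_UID and has no group or other write bit; else 1.
# For a real installation call it with OWNER_UID 0 (root) and no TOP; the TOP
# parameter lets the check run against a test tree owned by an ordinary user.
dir_chain_ok() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    want=$2
    top=$(cd "${3:-/}" 2>/dev/null && pwd -P) || return 1
    while :; do
        set -- $(ls -ldn "$dir")                # $1 = mode string, $3 = numeric uid
        mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/SELinux suffix (+ or .)
        [ "$3" = "$want" ] || { echo "wrong owner (uid $3): $dir" >&2; return 1; }
        gw=$(printf '%s' "$mode" | cut -c6)     # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)     # other write bit
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "writable by group or others: $dir" >&2; return 1
        fi
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = / ] && return 1              # TOP was not an ancestor of DIR
        dir=$(dirname "$dir")
    done
}

# Stand-alone use:  sh ssm-precheck.sh [installation_directory] [port_base]
main() {
    inst=${1:-/opt/nssm}; base=${2:-26773}; rc=0
    jline=$(java -version 2>&1 | head -n 1)
    j2re_version_ok "$jline" "$REQUIRED_J2RE" \
        || { echo "J2RE: need $REQUIRED_J2RE, found: $jline"; rc=1; }
    portbase_ok "$base" "$(anon_port_start)" \
        || { echo "port base $base: ports $base-$((base + 6)) must lie below $(anon_port_start)"; rc=1; }
    dir_chain_ok "$inst" 0 \
        || { echo "$inst: root must own it and its parents, with no group/other write access"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all pre-installation checks passed"
    return $rc
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root on the target host before starting the installer; each failed check prints the requirement it violates and the script exits non-zero.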
Note
If you distribute SSM to several computers, always install the server component first.
Note
You cannot install SSM as root in Solaris.
3. The J2RE directory must be in the system path for the duration of the installation. To set the
path, enter the following command at the command prompt:
JAVA_HOME=/J2RE_installation_directory
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
4. Enter the following command to start the SSM installer in graphical mode:
java -jar Setup.jar
To start the installer in console mode instead, enter:
java -cp Setup.jar run -console
5. Specify the installation directory.
The default directory is nssm in the current user's home directory. Change the default
directory to /opt/nssm, for example.
If you install several SSM instances in the same computer, install them in different
directories.
6. Select the SSM components to install.
Table 4 explains the settings that you need to specify.
7. Follow the directions of the installer until the installation is complete.
8. If you install the server, copy SSM licenses to the installation_directory/etc/licenses
directory.
9. Set file permissions and create a startup script to enable automatic startup of SSM:
a. Log on as root.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script:
./mcs rootinstall
For more information, see Setting File Permissions and Creating a Startup Script on
page 49.
10. Start SSM to check that the installation was successful and that all the services start up:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to start
SSM:
./mcs start
d. Enter the passphrase that you specified when you installed the server component, unless
you saved the passphrase in the server.properties or root.properties configuration files.
e. At the command prompt, execute the following management command script to check
that all the SSM services started up:
./mcs status
f. Use a Web browser to access the URL of the Web site to verify the Web server
installation:
https://host_name[:port]
Note
If the Web server does not start, check that you executed the ./mcs rootinstall
management command script to set file permissions.
11. If you install the Web server, the installer generates a private key and creates a PKCS #10
certification request and a self-signed certificate for the Web server. You can use the self-
signed certificate to check that the SSM installation succeeds and that SSM starts up.
The Web server certificate authenticates the Web server to:
VPN policy management applications and the SSM policy push command that create
SSL connections to the Web server to export VPN policies to the SSM database
Users who use the SSM Web site to download content.
Before you can export VPN policies to SSM, you must send the certification request to an
internal or external CA to sign. For more information, see To obtain a TLS/SSL certificate
on page 51.
8. Start SSM to check that the installation was successful and that all the services start up:
a. Change to the installation_directory/bin directory.
b. At the command prompt, execute the following management command script to start
SSM:
./mcs start
9. At the command prompt, execute the following management command script to check that
all the SSM services started up:
./mcs status
10. Use a Web browser to access the URL of the Web site to verify the Web server installation:
https://host_name[:port]
Note
If you distribute SSM to several computers, always install and configure the server
component first.
During the installation, the process owner needs at least execute (x) access rights to the installer
file and read (r) access rights to the .tgz files.
Note
You cannot run the ./installer script as root.
2. The J2RE directory must be in the system path for the duration of the installation. To set the
path, enter the following command at the command prompt:
JAVA_HOME=/J2RE_installation_directory
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
./web-config
--server=server_hostname
--webserver=hostname
[ --portbase=server_port_base ]
[ --servercert=server_certificate_file ]
[ --httpport=HTTP_port ]
[ --httpsport=HTTPS_port ]
[ --passphrase=server_passphrase
--savepassphrase ]
[ --help ]
Follow the instructions that the configuration script displays until the configuration is
complete.
The configuration script prompts you to enter values for country, organization, and
organization unit. Specify the same values as for the server-config script.
If the Web server host name cannot be resolved to a public IP address, you receive an
error message. To solve the problem, modify the /etc/hosts file, or configure nsswitch.conf so
that host names are resolved from DNS before the hosts file is consulted. You can either remove the
host name from the hosts file or add the IP address of the Web server external interface to
the hosts file. Then run the web-config script again.
c. Run the egw-config script to configure the EGW. If you leave an optional field empty, the
configuration script inserts the default value for the field:
./egw-config
--server=server_hostname
[ --portbase=server_port_base ]
[ --passphrase=server_passphrase
--savepassphrase ]
[ --help ]
When you install the management station in a separate Linux computer, run the
management-config script to configure the management station. If you leave an optional
field empty, the configuration script inserts the default value for the field:
./management-config
--server=server_hostname
[ --portbase=server_port_base ]
[ --servercert=server_certificate_file ]
[ --help ]
7. Set file permissions and create a startup script to enable automatic startup of SSM:
a. Log on as root.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script:
./mcs rootinstall
For more information, see Setting File Permissions and Creating a Startup Script on
page 49.
8. Start SSM to check that the installation was successful and that all the services start up:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to start
SSM:
./mcs start
d. Enter the passphrase that you specified when you installed the server component, unless
you saved the passphrase in the server.properties or root.properties configuration files.
e. At the command prompt, execute the following management command script to check
that all the SSM services started up:
./mcs status
f. Use a Web browser to access the URL of the Web site to verify the Web server
installation:
https://host_name[:port]
Note
If the Web server does not start, check that you executed the ./mcs rootinstall
management command script to set file permissions.
9. If you install the Web server, the configuration script generates a private key and creates a
PKCS #10 certification request and a self-signed certificate for the Web server. You can use
the self-signed certificate to check that the SSM installation succeeds and that SSM starts
up.
The Web server certificate authenticates the Web server to:
VPN policy management applications and the SSM policy push command that create
SSL connections to the Web server to export VPN policies to the SSM database
Users who use the SSM Web site to download content.
Before you can export VPN policies to SSM, you must send the certification request to an
internal or external CA to sign. For more information, see To obtain a TLS/SSL certificate
on page 51.
Note
If you use Nokia IP VPN, install Nokia VPN Manager before you install the SSM
management station. This enables you to start the SSM GUI directly from VPN Manager and
to export profiles from VPN Manager to the SSM database.
Process Watchdog
The starter process runs in the background and acts as a watchdog for the processes that it starts,
except for the Web server process. The starter process restarts processes when necessary and
records the following information in installation_directory/logs/starter.log:
Process ID (pid) of the process that stopped
Command line of the process that restarted
Note
SSM does not allow you to use the internal CA that issues certificates for the automatic
content update service to sign the TLS/SSL certificate of the Web server. You can create
another SSM internal CA for this purpose.
You can use an example configuration script to create an internal CA and enroll the server
certificate from the internal CA.
This chapter contains examples of how to extend the enterprise network to mobile devices and
how to move from legacy authentication to certificate-based authentication:
Extending the Enterprise Network to Mobile Devices
Moving from Legacy Authentication to Certificate-Based Authentication
Using an External CA
[Figure: extending the enterprise network to mobile devices (caption not extracted). Components shown: DMZ, SSM server and database, firewall/VPN gateway, SSM enrollment gateway, SSM management station, Internet, operator mobile network, policy management software, RADIUS or LDAP server, SSM Web server, mail gateway (SMTP), Nokia Mobile VPN Client.]
Extending the enterprise network to mobile devices includes the following tasks:
Specifying Settings for Automatic Content Update
Specifying Settings for a RADIUS Server
Creating a Content Manager Account
Configuring Client Access Policy for Challenge-Response Authentication to VPN Gateways
Deploying Policies to Mobile Devices
Specifying Settings for VPN Access Points
Installing Software and Settings on Mobile Devices
The following sections describe the preceding tasks at a general level. For detailed information
about a task and the options that you have, see the Nokia Security Service Manager
Administration Guide or the SSM Help.
Note
You can skip this task if you use the quick installation script in Linux. The quick installation
script runs the example configuration script to specify the settings for you.
Set up the SSM automatic content update service to automate updates of VPN policies and VPN
certificates to mobile devices. The automatic content update service receives content update
requests from Mobile VPN Client, processes the requests, and sends responses to Mobile VPN
Client.
The automatic content update service uses HTTP for transport. The Web server handles the
HTTP communication with Mobile VPN Client and processes the messages.
When you start the Web server for the first time, the Web server performs the following
operations to initialize:
Opens a secure connection to the SSM server.
Fetches an automatic content update service certificate and key pair and caches them for use
when the Web server processes content update requests.
To create an encrypted connection to the server, the Web server uses a shared secret. SSM
generates the shared secret from a passphrase that you enter when you install the Web server.
The automatic content update service uses this connection later to serve requests that do not
include user authentication information.
Use the SSM example configuration script to specify settings for the automatic content update
service. Use the SSM GUI to check the settings. The settings must be in place for the use case to
succeed.
You can save the settings as a SIS file that you can install to mobile devices.
To save settings for the automatic content update service as SIS files
1. Log on as the process owner.
2. Change to the installation_directory/bin directory.
3. To start the CLI and make the SIS file, enter the following command:
./cli sis acu
SSM saves the settings as the file serverconf.sis in the installation_directory/bin directory in
Windows and the specified directory or current directory in Solaris and Linux.
The sis acu command makes a SIS file that is compatible with the Nokia 9500
communicators and Nokia 9300 smartphones.
For more information about how to make SIS files that are compatible with other supported
mobile devices, see the Nokia Security Service Manager Administration Guide.
4. Deliver the SIS file to users in a secure way together with Mobile VPN Client.
Note
You can skip this task if you use the quick installation script in Linux. The quick installation
script runs the example configuration script to create the content manager for you.
You need a content manager account to export VPN policies from VPN policy management
software to the SSM database and use policy push to create VPN policies in the database. The
commands that you use to export or create VPN policies require that you specify the content
manager logon name and password.
Use an SSM example configuration script to create a content manager.
3. Choose Gateway > Properties > Client Access > IPSec Clients > Client Access to configure
IP VPN Gateway to use challenge-response authentication.
a. In the Challenge Response Clients group, check the Allow clients to connect using
Challenge Response authentication box.
b. Click Password or SecurID or both to select authentication methods.
4. Choose Local Configuration > Services > External Authentication and specify settings for a
RADIUS server:
In the Set the order of authentication methods field, set RADIUS to 1.
In the Usage group, check the Client access box.
Click New to specify settings for a RADIUS server.
5. Choose Gateway > Properties > Local Configuration > Services > DNS to specify domain
name system (DNS) servers for the internal network.
Mobile VPN Client uses DNS services when users select VPN access points to access the
enterprise network.
To view which DNS server Mobile VPN Client uses, choose Gateway > Properties > Client
Access > IPSec Clients > Internal Addressing.
6. Click the Remote Clients tab to configure mobile devices:
a. Choose Profile > New to create a generic profile for challenge-response authentication.
Give the profile the name MobileDeviceProfile.
b. If you use IP VPN Gateway v6.3, select Nokia Mobile VPN Client in the Generate
profiles for list.
c. Click New to create a new gateway access filter.
Give the filter the name MobileDeviceAccessFilter.
d. In the Establish tunnels to remote gateway list, select the VPN gateway that the Mobile
VPN Client connects to.
e. If you use internal addressing, check the Assign client IP address from the Default IP
Address pool box.
f. In the Select an IKE policy list, select the IKE policy for mobile device access that you
specified in step 2.
g. In the Use authentication method group, select the Challenge Response option.
7. Click Profile > Export Profiles to Nokia Security Service Manager to export profiles to
SSM.
8. Use the SSM content manager account to log on to SSM.
For detailed information about using VPN Manager, see the Nokia IP VPN Gateway
Configuration Guide.
Note
This section contains examples of how to use the SmartDashboard NG with Application
Intelligence (NG_AI) software to configure client access. For more information about how to
use other SmartDashboard software versions, see Check Point product documentation.
Configuring client access to the IP security platform includes the following steps:
To add a RADIUS server to a host node
To create user groups
To create an external user profile for challenge-response authentication
To add an SSM internal CA to SmartDashboard
To edit Check Point gateway properties
To add rules
To use Office Mode
To set a port number for NAT traversal
To export the generic client profile to the SSM database
Note
Do not add the certificate of the SSM internal CA that issues certificates for the automatic
content update.
1. Choose Manage > Servers and OPSEC Applications > New > Certificate Authority and add
the SSM internal CA, CompanyVPNCA, to establish trust between Check Point and SSM.
2. Give the SSM internal CA the name CompanyVPNCA.
3. Click the OPSEC PKI tab and then Get to import the CA certificate of CompanyVPNCA.
4. If you publish the CRL of CompanyVPNCA to an LDAP server, check the LDAP Server(s)
(Requires an LDAP Account Unit) box.
5. If you publish the CRL of CompanyVPNCA to the SSM Web site, check the HTTP Server(s)
box.
Click View to check the CRL distribution points from where the VPN gateway fetches the
CRL.
Add the certificates of the following CAs to SmartDashboard:
CA that issues a device certificate for the VPN gateway
CA that issues the certificate of the SSM Web server
6. In the Certificate Properties dialog box, click Get to get the certificate.
7. Choose Policy > Install to send the changes to the gateway.
Note
Save the configuration. If the connection closes before you save the configuration, you
lose all the changes.
To add rules
1. Choose Rules > Add Rule.
2. Add a policy rule and select a user group to accept encrypted traffic to and from that user
group through the remote access community.
3. Add a policy rule to accept HTTP traffic from Mobile VPN Client through the Internet to the
SSM Web server.
Examples
The public interface of the VPN gateway has the IP address 60.21.163.193/29 and the
private internal addressing pool is in the range 100.21.163.128 through 135. Use the
following netmask for the IP address 100.21.163.1: 255.255.255.128
Use the following netmask for an IP Pool network: 255.255.255.128
The definitions split your network into two different networks, which solves routing
problems. To use the same network, specify routes on the hosts.
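The subnet arithmetic behind the example above, as an added illustration that is not part of SSM or of this guide: with the 255.255.255.128 netmask the internal host and the IP pool land in two different /25 networks, while a 255.255.255.0 netmask would put them in one network (the case where routes on the hosts are needed). The addresses are the ones quoted in the example; the function names are this illustration's own.

```python
import ipaddress

# Addresses quoted in the guide's example (this check is an added illustration,
# not SSM product code).
GATEWAY_PUBLIC = "60.21.163.193/29"          # public interface of the VPN gateway
INTERNAL_HOST = "100.21.163.1"               # host on the internal network
POOL_FIRST, POOL_LAST = "100.21.163.128", "100.21.163.135"  # client IP pool
SPLIT_NETMASK = "255.255.255.128"            # netmask the guide recommends


def network_of(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Return the network an address belongs to under the given netmask."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def pool_network(first: str, last: str, netmask: str) -> ipaddress.IPv4Network:
    """Network of an address pool; the pool must not straddle a netmask boundary."""
    net = network_of(first, netmask)
    if ipaddress.ip_address(last) not in net:
        raise ValueError(f"pool {first}-{last} crosses the {netmask} boundary")
    return net


def check_split(host: str, first: str, last: str, netmask: str) -> dict:
    """Report whether the internal host and the IP pool end up in separate networks."""
    host_net = network_of(host, netmask)
    pool_net = pool_network(first, last, netmask)
    return {
        "host_network": str(host_net),
        "pool_network": str(pool_net),
        "separate": host_net != pool_net,
    }


def gateway_network(interface: str) -> str:
    """Network of the gateway's public interface (a /29 in the guide's example)."""
    return str(ipaddress.ip_interface(interface).network)


if __name__ == "__main__":
    # /25: host and pool fall into two networks, as the guide states.
    print(check_split(INTERNAL_HOST, POOL_FIRST, POOL_LAST, SPLIT_NETMASK))
    # /24: one shared network, so routes on the hosts are needed instead.
    print(check_split(INTERNAL_HOST, POOL_FIRST, POOL_LAST, "255.255.255.0"))
    print(gateway_network(GATEWAY_PUBLIC))
```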
3. Edit the Check Point gateway properties:
a. Click Remote Access > Office Mode.
b. Select Allow Office Mode to all users or Offer Office Mode to group to restrict access to
office mode to a group.
c. Select the Manual (using IP pool) option and select the internal addressing network in the
Allocate IP from network list.
d. Click Optional Parameters to select DNS and WINS servers for Mobile VPN Client.
To request a device certificate for the VPN gateway from the SSM internal CA
1. In the Cisco VPN 3000 Concentrator Series Manager, choose Administration > Certificate
Management > Click here to enroll with a Certificate Authority > Enroll via PKCS10
Request (Manual) to create a PKCS #10 certification request:
a. Enter values in the Common Name (CN), Organization (O), Country (C), and Key Size
fields.
The CN appears in digital certificate lists. Enter the common name
IdentityfromCompanyVPNCA.
b. Click Enroll.
2. Use the SSM GUI to import the certification request to SSM for CompanyVPNCA to sign:
a. Choose Services > Certificate Enrollment > CompanyVPNCA > Certificates issued >
Create New > Import PKCS #10 file > Browse to locate the certificate file.
You can also paste the certificate to the field.
b. Click Export to save the certificate as a file.
3. In the Cisco VPN 3000 Concentrator Series Manager, choose Administration > Certificate
Management > Installation > Install certificate obtained via enrollment.
4. Click Install > Upload File from Workstation and click Browse to locate the certificate file.
5. Click Install.
The device certificate appears in the Certificate Manager in the Identity Certificates list.
2. Choose Configuration > Policy Management > Traffic Management > SAs > Add to define
an IPSec security association for challenge-response authentication:
a. Give the security association the name Challenge-response.
b. In IPSec Parameters, select the following values to match the default configuration in the
policy push templates:
In the Authentication Algorithm list, select ESP/SHA/HMAC-160.
In the Encryption Algorithm list, select AES-256.
c. In IKE Parameters, select the device certificate of the VPN gateway,
IdentityfromCompanyVPNCA, in the Digital Certificate list.
d. In the Certificate Transmission group, select the Identity certificate only option.
e. Select IKE-3DES-SHA-Challenge-Response in the IKE Proposal list.
For more information about the settings that Mobile VPN Client supports, see the Nokia
Security Service Manager Administration Guide.
3. Choose Configuration > User Management > Groups > Add Group to create a user group for
challenge-response authentication:
a. Give the user group the name Challenge-ResponseGroup.
You give the group name as the value of the id_value parameter for the SSM policy push
command.
b. Enter a password in the Password field.
c. Select Internal in the Type list.
d. Click the IPSec tab and select Challenge-response in the IPSec SA list.
e. Check the IKE Keepalives box to enable the VPN gateway to monitor the continued
presence of Mobile VPN Client and to report its own presence to Mobile VPN Client.
f. Select Remote Access in the Tunnel Type list.
g. Select RADIUS in the Authentication list.
h. Uncheck the Mode Configuration box.
i. Optionally, click the Client Config tab to specify settings for split tunneling:
In the Split Tunneling Policy group, select the Only tunnel networks in the list option.
In the Split Tunneling Network List, select Protected Network.
j. Click Add.
k. Save the changes.
4. Choose Configuration > System > Servers > Authentication > Add to specify settings for a
RADIUS server.
5. Alternatively, you can specify RADIUS as the authentication method for a particular user
group.
Choose User Management > Groups, select Challenge-ResponseGroup, and click
Authentication Servers > Add to specify settings for the RADIUS server.
You can use Mobile VPN Client to modify or remove VPN access points.
Note
To set up client access to an enterprise VPN by using certificate-based authentication, you
must first perform the tasks in the section Extending the Enterprise Network to Mobile
Devices on page 53.
Creating an Internal CA
Note
You can skip this task if you use the standalone installation script in Linux. The installation
script runs the example configuration script to create an internal CA for you.
When Mobile VPN Client receives a VPN policy that lacks a private key and client certificate,
Mobile VPN Client must obtain them before it can establish a VPN tunnel. Mobile VPN Client
can use online certificate enrollment to obtain certificates.
Mobile VPN Client creates a public-private key pair and a PKCS #10 certification request and
sends them to a CA. The CA uses a public-key algorithm to certify the public key and issues a
certificate for a user. The CA signs a collection of information that includes the user's
distinguished name (DN), subject alternative name, and public key. If the enrollment is
successful, the CA sends back a certificate and Mobile VPN Client is ready to establish a VPN
tunnel.
SSM authenticates and authorizes certification requests from Mobile VPN Client and
automatically enrolls certificates from an internal CA if the authentication and authorization
succeed.
To establish connections between Mobile VPN Client and an internal or external CA through
SSM, you must create an EGW entity and specify settings for each internal or external CA.
Use the SSM example configuration script to create an internal CA, CompanyVPNCA. For more
information, see To use an example configuration script to create an internal CA on page 52.
Specify long lifetimes for device certificates. If the device certificate expires, Mobile
VPN Client cannot authenticate the IP VPN Gateway and connections fail.
c. Press Export to save the certificate as device.cer.
3. In VPN Manager, import the device certificate.
Choose Gateway Properties > Certificates > Device Certificates > Import and locate
device.cer.
4. Choose Actions > Apply Changes to apply the changes to the gateway configuration.
3. In Gateway Access Filters, select MobileDeviceAccessFilter and click Edit to modify the
gateway access filter:
a. In the Use authentication method group, select Certificates.
b. In the Select client access rights by client identity list box, select the *@internal.com
domain.
4. If you use IP VPN Gateway v6.1 or v6.2, perform the following additional steps:
a. In the Certificate Request Information group, check the Enable on-line certificate
enrollment box.
b. In the Domain text box, enter the same domain name as in step 3.
5. Click Profile > Export Profiles to Nokia Security Service Manager to export the profile to
SSM.
6. Use the SSM content manager account to log on to SSM.
If the certificate of a peer does not provide sufficient information to perform an identity
check, the VPN gateway drops the tunnel.
f. Check the IKE Keepalives box to enable the VPN gateway to monitor the continued
presence of Mobile VPN Client and to report its own presence to Mobile VPN Client.
g. Select Remote Access in the Tunnel Type list.
h. Select None in the Authentication list.
i. Select Common Name (CN) in the DN Field box.
j. Uncheck the Mode Configuration box.
k. Optionally, click the Client Config tab to specify settings for split tunneling:
In the Split Tunneling Policy section, select the Only tunnel networks in the list
option.
In the Split Tunneling Networks List, select Protected Network.
5. Click Add.
6. Save the changes.
7. Choose Configuration > Policy Management > Group Matching > Policy to configure the
policy for certificate group matching.
8. Check the Default to Group box and select CertificateGroup in the Default to Group list.
Modifying Content
Map the enrollment service content information entry of the internal CA to the user group.
To modify content
1. In the SSM GUI main view, Settings pane, click Content Delivery > User Groups to open
the User Groups view.
2. Search for and select AutomaticContentUpdateUserGroup.
3. Choose Edit > Map to Content.
4. Map the following content to the user group:
MobileDeviceProfile
Enrollment service content information entry for the CompanyVPNCA internal CA to
authorize the user group to enroll certificates from the internal CA
5. If you use the Nokia IP security platform, unmap the generic* profile from the user group.
The next time users update policies from SSM, Mobile VPN Client installs MobileDeviceProfile
in the mobile device and removes the generic* profile from the mobile device.
Using an External CA
The company has set up a VPN to provide remote access to mobile devices. You use certificates
as the method to authenticate users to VPN gateways. Mobile VPN Client automatically enrolls
certificates from the SSM internal CA.
Your task is to move from using an internal CA to using an external CA. Make an agreement
with the CA vendor to use the certificate request syntax (CRS) service in automatic
administration mode and use the SSM GUI to specify settings for the external CA.
Figure 9 Using An External CA
[Figure 9: components shown are the firewall/VPN gateway, SSM enrollment gateway, SSM management station, Internet, operator mobile network, VPN policy management software, external authentication, SSM server, SSM Web server, mail gateway (SMTP), and Nokia Mobile VPN Client.]
Note
To set up client access to an enterprise VPN by using certificate-based authentication, you
must first perform the tasks in Extending the Enterprise Network to Mobile Devices on
page 53 and Moving from Legacy Authentication to Certificate-Based Authentication on
page 70.
Creating an External CA
Make an agreement with the CA vendor to use the CRS service in automatic administration
mode and use the SSM to specify settings for the external CA.
To create an external CA
1. Start the SSM GUI and choose Services > Certificate Enrollment > Edit > Create New.
2. Give the enrollment gateway entity the name AutomaticCRS.
3. Click the Protocol properties tab, select CRS as the enrollment protocol, and specify the
following settings:
The URL of the CRS service. For example, http://crs.service.vendor.com/cgi-bin/crs.exe.
If EGW is on the intranet, specify the HTTP proxy server that the EGW entity uses to
connect to an external CA.
A CA certificate for the CRS protocol.
A CRS certificate for the CRS protocol.
You receive the CRS certificate from the CA vendor.
A registration authority (RA) certificate and private key for EGW.
You generate a public-private key pair and a certification request that the CA vendor
signs and sends to you.
The organization and organization unit name that you agree on with the CA vendor.
The CA vendor places the organization and organization unit in the SubjectName of the
certificates that it issues. In this example, organization is Customer and organization unit
is Sales.
Enable automatic CRS.
Choose Edit > VPN Global Properties > Policy Configuration > Certification Authorities
and click the right mouse button. Choose Import External Certification Authority > Browse
and locate AutomaticCRS.cer.
3. Select AutomaticCRS to be used for IKE Authentication.
Choose Gateway > Properties > Client Access > IPSec Clients > Client Policy > Select
Certification Authority for IKE authentication and select AutomaticCRS.
h. Click View to display the certification request. Copy and paste the certification request to
a text editor and save it as a file.
i. Use the SSM CLI enroll command to request certification from AutomaticCRS.
j. In the Certificate Properties dialog box, click Get to get the certificate.
Note
If you do not use the SSM internal CA any more, remove the device certificate of
CompanyVPNCA from the gateway properties.
Note
Save the configuration. If the connection is cut before you save the configuration, you
lose all the changes.
To request a device certificate for the VPN gateway from the external CA
1. Start the Cisco VPN 3000 Concentrator Series Manager.
2. Choose Administration > Certificate Management > Click here to enroll with a Certificate
Authority > Enroll via PKCS10 Request (Manual).
3. Create a PKCS #10 certification request.
The common name (CN) appears in digital certificate lists. Enter the common name
IdentityfromAutomaticCRS.
4. Click Enroll.
5. Use the SSM CLI enroll command to request certification from AutomaticCRS.
6. In the Cisco VPN 3000 Concentrator Series Manager, choose Administration > Certificate
Management > Installation > Install certificate obtained via enrollment.
7. Click Install > Upload File from Workstation and click Browse to locate the certificate file.
8. Click Install.
The device certificate appears in the Certificate Manager in the Identity Certificates list.
Modifying Content
Map the enrollment service content information entry of the external CA to the user group to
authorize the user group to enroll certificates from the external CA.
To modify content
1. In the SSM GUI main view, Settings pane, click Content Delivery > User Groups to open
the User Groups view.
2. Search for and select AutomaticContentUpdateUserGroup.
3. Choose Edit > Map to Content and map the enrollment service content information entry for
the AutomaticCRS external CA to the user group.
This chapter describes how to upgrade and uninstall Nokia Security Service Manager (SSM):
Upgrading Nokia Security Service Manager
Uninstalling Nokia Security Service Manager
c. At the command prompt, execute the following management command script to undo the
changes in file permissions that the rootinstall management command script made:
./mcs rootuninstall
3. Upgrade to SSM v3.0.1:
a. Log on as the process owner.
b. Start the SSM installer:
In Solaris:
java -jar Setup.jar
java -cp Setup.jar run -console
Specify the path to the SSM installation directory and follow the instructions of the setup
wizard.
In Linux:
./installer [ -d installation_directory ] upgrade
where: -d installation_directory is the SSM installation directory.
4. Set file permissions and create a startup script to enable automatic startup of SSM:
a. Log on as root.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script:
./mcs rootinstall
For more information, see Setting File Permissions and Creating a Startup Script on
page 49.
5. Start SSM to check that the installation was successful and that all the services start up:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to start the
SSM services:
./mcs start
For more information about executing management command scripts, see the Nokia
Security Service Manager Administration Guide.
If you enter an incorrect server passphrase when you start SSM, the upgrade fails. The SSM
installer records the following error message in installation_directory/logs/cmd.log:
ERROR DatabaseConnectionPool - Cannot open a new database connection to
host jdbc:postgresql://localhost:26777/vpndb. It either might be JDBC
connection problem or wrong passphrase is given in startup phase.
To complete the upgrade, run the following management command script:
./mcs postupgrade
Then enter the correct server passphrase.
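An added check (not part of SSM) that scans cmd.log for the failure described above and pulls the JDBC target out of the message, so an operator can tell at a glance which database the startup could not reach and what the guide says to do next. The sample log lines are constructed from the message quoted in the guide; the surrounding lines and the exact file layout are assumptions.

```python
import re

# Constructed sample of installation_directory/logs/cmd.log, modelled on the
# message quoted in the guide. The INFO lines and the single-line layout of the
# message are assumptions; the real file may differ.
SAMPLE_CMD_LOG = """\
INFO  Starter - starting SSM services
ERROR DatabaseConnectionPool - Cannot open a new database connection to host jdbc:postgresql://localhost:26777/vpndb. It either might be JDBC connection problem or wrong passphrase is given in startup phase.
INFO  Starter - startup finished
"""

# Matches the quoted message and takes the JDBC URL apart into host, port, database.
DB_CONNECT_ERROR = re.compile(
    r"ERROR DatabaseConnectionPool - Cannot open a new database connection to "
    r"host jdbc:postgresql://(?P<host>[^:/\s]+):(?P<port>\d+)/(?P<db>\w+)"
)

# Remediation the guide gives for the wrong-passphrase case.
POSTUPGRADE_HINT = "run ./mcs postupgrade and enter the correct server passphrase"


def find_db_connection_errors(log_text: str) -> list:
    """Return one record per database-connection failure found in the log text.

    The message itself cannot distinguish a wrong passphrase from a JDBC problem,
    so each record carries the parsed JDBC target (to verify the database is up
    and listening on that port) together with the guide's remediation.
    """
    # Collapse whitespace so a message that was wrapped over several lines
    # (as the guide prints it) still matches.
    flat = " ".join(log_text.split())
    return [
        {
            "host": m["host"],
            "port": int(m["port"]),
            "database": m["db"],
            "remediation": POSTUPGRADE_HINT,
        }
        for m in DB_CONNECT_ERROR.finditer(flat)
    ]


def upgrade_needs_postupgrade(log_text: str) -> bool:
    """True when cmd.log shows the failure that leaves an upgrade incomplete."""
    return bool(find_db_connection_errors(log_text))


if __name__ == "__main__":
    for record in find_db_connection_errors(SAMPLE_CMD_LOG):
        print(record)
```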
A
acu.cert.renewal setting 29
adding bypass rules to IP security platform 63
administrators tasks 19
authentication
    certificate-based 20
    challenge-response 20
    shared secrets 20
    to SSM 25
    to VPN 20
    XAUTH 20
authorizing users to use functions 23
automatic administration mode, CRS 27
automatic content update service
    certificate 55
    handling requests 54
    renewing certificates 29
    saving settings as SIS files 55
    specifying settings 55
    using 28
automatic mode, certificate enrollment 27
B
bypass rules, adding to IP security platform 63
C
certificate enrollment
    procedure 27
    renewing certificates 29
    using SSM as RA 28
certificate request syntax 27
certificate-based authentication 20
certificates
    automatic content update service 55
    obtaining TLS/SSL 50
    PKCS #10 certification requests 27
challenge-response authentication 20
choosing installation options 33
Cisco VPN 3000 Concentrator, configuring 64
configuring
    Cisco VPN 3000 Concentrator 64
    Nokia IP Security Platform 60
    Nokia IP VPN Gateway 58
    SSM 53
content
    delivering 22
    identifiers 22
content manager, creating 57
create_content_manager example configuration script 57
create_vpnca example configuration script 52
CRL 17
    retrieving 62
D
Default authentication domain field 39
Directory name field 38
distinguished name 27
DMZ 32
DNS, viewing and specifying in Check Point SmartDashboard 64
E
EGW
    introduction 16
    security considerations 32
Email field 39
enable.self.provisioning setting 26
enrollment gateway 16
enrollment protocols, modes 27
evaluation license 33
F
file permissions 49
fingerprint, content 22
First name field 39
G
generic profiles 21
L
Last name field 39
LDAP, specifying settings in CheckPoint SmartDashboard 61
legacy authentication 20
Logon name field 39
M
management station
    components 17
    installing on Windows 48
    introduction 17
    upgrading on Windows 85
manual mode, certificate enrollment 27
mcs nvm command 58
mcs postupgrade command 84
mcs rootinstall command 41, 46, 49, 84
mcs trustcert command 68
MIME types, using 22
R
RA, using SSM as 27
RADIUS
    settings in CheckPoint SmartDashboard 60
    specifying settings 56
registration authority 27
related documentation 14
remote access, providing to users 23
rfc822Name 25
T
TLS/SSL, obtaining certificates 50