Published by Ross Chase. Modified over 9 years ago.
Slide 1: Authentication Version 1
Katrina Illari, d1614
03 June 2005
Copyright © 2002 Legato Systems, Inc. Legato Confidential
Slide 2: Introduction
Legato Systems, Inc - Confidential and Proprietary
- Prerequisites for attending this TOI session
- Overview and Benefits of the new feature
- Installation considerations
- How to configure/enable the feature
- Using the feature
- Licensing considerations
- Architecture and internal Design
- Debugging techniques and tips
- Questions and Answers
Slide 3: Prerequisites
- Audience should understand basic NetWorker administration, including the use of resources to configure and monitor NetWorker's operation.
Slide 4: Overview and Benefits
What problems are being solved:
- The current authentication scheme used by NetWorker is rather weak.
How it's being solved:
- This feature introduces authentication through SSL and a trusted authentication daemon.
Slide 5: Overview and Benefits (cont.)
- The feature adds a new authentication method called GSS Legato v1.
- The authentication flavor for this new method is called RPCSEC_GSS.
- RPCSEC_GSS is a standard which describes how to use a GSS-API library with RPC (GSS-API is another standard).
- We implemented a GSS-API library that talks to a trusted daemon (nsrexecd) to get credentials.
Slide 6: Overview and Benefits (cont.)
Backwards compatibility or security?
- In order for NetWorker to be secure, the older authentication methods should be disabled.
- In order for NetWorker to be backwards compatible with other versions of NetWorker, the older authentication methods should still be allowed.
- Answer: Let the user decide which one they want. The user can select which authentication methods are allowed on a per-network/per-host basis.
Slide 7: Overview and Benefits (cont.)
Other changes to consider:
- nsrexecd is now multithreaded and there is only one nsrexecd process running at a time (on Unix and Windows).
- The nsrla.res file is replaced by the nsrladb directory structure. This directory has a structure similar to the nsrdb directory structure.
Slide 8: Overview and Benefits (cont.)
System requirements to use the feature:
- In order to use the new authentication mechanism, the NetWorker client, the NetWorker server, and the NetWorker storage node that the client uses must all be running NetWorker 7.3 or later.
Where to learn more:
- Doc repository, d1614
Slide 9: Installation Considerations
Changes to installation:
- No visible changes to installation prompts.
- New binaries installed: None.
- Special processing that will occur during installation: None.
Slide 10: Configuring the Feature
There are a number of new resources and attributes in nsrexecd's RAP database (nsrladb):
- There are some new attributes in the "NSRLA" resource.
- There is a new resource called "NSR peer information".
- There is a new keyword for all administrator lists, the remote access list and the users attribute in the NSR usergroup resource.
Slide 11: Configuring the Feature (cont.)
NSRLA: "auth methods" attribute
- Used to specify which authentication methods should be used to communicate with a peer. Applies to NetWorker clients, servers, and storage nodes.
- The attribute is multiple valued and each value must have the following format: "IP/mask,auth1/auth2/..."
  - auth1 and auth2 are the allowed auth methods. Allowed values for auth1 and auth2 are nsrauth and oldauth.
  - Mask is not required.
- Examples:
  "137.69.168.22,nsrauth"
  "137.69.168.0/24,nsrauth"
  "137.69.0.0/255.255.0.0,nsrauth/oldauth"
- Important: The attribute is order dependent! The first match that is found in the list is the one that is used.
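As an added illustration (not NetWorker code), the following parses values in the "auth methods" syntax shown above, resolves a peer address with first-match semantics, and flags entries that an earlier, broader entry makes unreachable, which is the ordering mistake the slide warns about. The rule and function names are this example's own.

```python
import ipaddress

AUTH_METHODS = {"nsrauth", "oldauth"}  # the two values the attribute accepts

def parse_auth_methods(values):
    """Parse the multi-valued "auth methods" attribute into ordered rules.
    Each value is "IP[/mask],auth1/auth2/..."; mask may be a prefix length ("/24"),
    a dotted mask ("/255.255.0.0") or absent (single host).  Order is kept: first match wins."""
    rules = []
    for value in values:
        network, _, methods = value.partition(",")
        meths = [m.strip() for m in methods.split("/") if m.strip()]
        if not meths:
            raise ValueError(f"no auth methods given in {value!r}")
        unknown = set(meths) - AUTH_METHODS
        if unknown:
            raise ValueError(f"unknown auth method(s) {sorted(unknown)} in {value!r}")
        rules.append((ipaddress.ip_network(network.strip(), strict=False), meths))
    return rules

def allowed_methods(rules, peer_ip):
    """Methods allowed for peer_ip: the FIRST rule whose network contains it wins."""
    addr = ipaddress.ip_address(peer_ip)
    for net, meths in rules:
        if addr in net:
            return meths
    return None  # no rule covers this peer

def shadowed_rules(rules):
    """Configuration check: rules that can never be reached because an earlier,
    broader rule already contains their whole network.  Returns (rule, shadower)."""
    found = []
    for i, (net, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if net.subnet_of(earlier):
                found.append((str(net), str(earlier)))
                break
    return found

if __name__ == "__main__":
    # Constructed values in the attribute's syntax, narrowest first as intended.
    rules = parse_auth_methods([
        "137.69.168.22,nsrauth",
        "137.69.168.0/24,nsrauth",
        "137.69.0.0/255.255.0.0,nsrauth/oldauth",
    ])
    print(allowed_methods(rules, "137.69.168.22"))  # ['nsrauth']
    print(allowed_methods(rules, "137.69.1.9"))     # ['nsrauth', 'oldauth']
    print(shadowed_rules(rules))                    # []
```

Reversing the list so the /16 entry comes first makes the /24 entry unreachable and lets oldauth through for every host in that range; shadowed_rules() reports exactly that.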
Slide 12: Configuring the Feature (cont.)
NSRLA: name, NetWorker Instance ID, certificate, private key
- The name and NetWorker Instance ID attributes are used to identify a machine.
- The certificate and private key are used to authenticate a machine.
- Important: If this information is lost, then the machine will not be able to authenticate to other machines using the GSS Legato v1 authentication method!
- If you do lose the information, then things can still be fixed so that GSS Legato v1 authentication will work again. The steps to fix the issue are rather tedious though...
Slide 13: Configuring the Feature (cont.)
NSRLA: NW instance info operations, NW instance info file
- These values are used to change the identification and authentication information (name, private key, etc.).
- There are three values that you can set "NW instance info operations" to: "export", "import", and "new keys".
  - Export: export all attributes required for identification and authentication. The name of the file the attributes will be exported to is expected in the "NW instance info file" attribute.
  - Import: import all attributes required for identification and authentication. The name of the file the attributes will be read from is expected in the "NW instance info file" attribute.
  - New Keys: Use this value to reset the private key and certificate. The name and NetWorker Instance ID attributes will not be reset.
Slide 14: Configuring the Feature (cont.)
NSR peer information resource
- This resource is generated and updated by the system. It is used to store the peer's certificate and identification information.
- The resource is in nsrexecd's RAP database.
- The resource is used on NetWorker clients, servers and storage nodes.
- The resource attributes are: name, NetWorker Instance ID, certificate, Change certificate, Certificate file to load.
- Change certificate: used to manually load or clear the certificate for a particular client.
  - To manually load a certificate, set the "Change certificate" attribute to "Load certificate from file" and then set the "Certificate file to load" attribute to the name of the file which contains the certificate in PEM format.
  - To clear a certificate, either delete the whole resource for the peer or set the "Change certificate" attribute to "Clear certificate".
Slide 15: Configuring the Feature (cont.)
New keyword for all administrator lists, the remote access list and the users attribute in the NSR usergroup resource
- Currently for these attributes, one can specify a user by entering a series of comma separated name=value criteria that the user has to match, for example: user=username,host=hostname
- Current keywords are: user, host, domain, group, isroot, domaintype, domainsid, usersid, and domainpdc.
- The value of the host keyword can only be authenticated using DNS lookups of your incoming IP address.
- A new keyword was added called nwinstname or nwinstancename. This value can be authenticated using the SSL certificates (so it is more secure to use this keyword than the host keyword).
- The value of this keyword should be set to the "name" value in the NSRLA resource of the machine the user is logging in from.
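An added example (not NetWorker's own matcher) of evaluating name=value entries of the kind described above against a caller's established identity. It assumes that every criterion in an entry must hold, that list-valued attributes such as group match if any element matches, and it additionally reports entries whose match rests only on the DNS-checked host keyword without also pinning the certificate-backed nwinstname.

```python
KEYWORDS = {"user", "host", "domain", "group", "isroot", "domaintype",
            "domainsid", "usersid", "domainpdc", "nwinstname", "nwinstancename"}
# The slide notes "host" can only be checked by a DNS lookup of the caller's IP,
# while nwinstname is backed by the peer's SSL certificate.
DNS_ONLY = {"host"}

def parse_entry(entry):
    """Parse one list entry "k1=v1,k2=v2" into a dict of criteria.
    All criteria in an entry must hold for the caller to match that entry."""
    criteria = {}
    for part in entry.split(","):
        key, sep, value = part.strip().partition("=")
        key = key.strip().lower()
        if not sep or not value or key not in KEYWORDS:
            raise ValueError(f"bad criterion {part.strip()!r} in {entry!r}")
        if key == "nwinstancename":
            key = "nwinstname"  # the two spellings name the same keyword
        criteria[key] = value.strip()
    return criteria

def entry_matches(criteria, identity):
    """identity: attributes the daemon established for the caller, e.g.
    {"user": "bob", "host": "nightshade", "nwinstname": "nightshade",
     "group": ["staff", "wheel"]}.  A list-valued attribute matches if any
    element equals the wanted value (assumption made for this example)."""
    for key, wanted in criteria.items():
        have = identity.get(key)
        if have is None:
            return False
        if isinstance(have, (list, tuple, set)):
            if wanted not in have:
                return False
        elif str(have) != wanted:
            return False
    return True

def check_access(admin_list, identity):
    """Return (granted, weak): granted if any entry matches; weak lists the matching
    entries that rely on a DNS-only keyword without also pinning nwinstname."""
    granted, weak = False, []
    for entry in admin_list:
        criteria = parse_entry(entry)
        if entry_matches(criteria, identity):
            granted = True
            if DNS_ONLY.intersection(criteria) and "nwinstname" not in criteria:
                weak.append(entry)
    return granted, weak
```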
Slide 16: Using the Feature: changes
- After configuring the feature, few steps are needed to use it.
- Important: If the NSRLA resource gets deleted (by deleting the /nsr/res/nsrladb directory or its Windows equivalent), then GSS Legato authentication will fail to function correctly.
- The next slide will concentrate on how to recover from deleting the NSRLA resource.
Slide 17: Using the Feature: changes (cont.)
What to do if you deleted your NSRLA resource?
- If you know beforehand that you need to delete this resource, then first export it using the "NW instance info operations" attribute. Then re-import the information afterwards.
- I would recommend that this export operation be performed as soon as NetWorker is installed/upgraded, and that the resulting export file then be treated with the same care the user gives to their ssh key.
Slide 18: Using the Feature: changes (cont.)
What if NSRLA was deleted and the authentication/identification information was not saved?
- Then you have to go to all of the machines that your machine communicated with and either delete the NSR peer information resource for your machine, or clear the certificate for your machine.
- This operation can be done using nsradmin or NMC.
- The user doing it must be in the administrator's list for the NSR peer information resource.
Slide 19: Using the Feature: changes (cont.)
If NSRLA gets deleted and the previous instructions were not followed, what would happen?
- GSS Legato v1 authentication will not be used.
- If the remote machines do not allow the older authentication methods, then authentication with those machines will fail.
- You will see the following error message in the remote machine's daemon.log file:
  '07/11/05 18:26:34 nsrexecd: SYSTEM error: There is already a machine using the name: "nightshade". Either choose a different name for your machine, or delete the "NSR peer information" entry for "nightshade" on host: "shadow" (severity 5, number 13)'
- In my example error message, I deleted the NSRLA resource on machine nightshade and then tried to communicate with machine shadow. The error message appeared in shadow's daemon.log file.
Slide 20: Licensing Considerations
- No changes in licensing model.
Slide 21: Questions and Answers
- Any questions that have not been answered yet?
Slide 22: Architecture and Internal Design (cont.)
How do the TCP client and daemon decide which authentication method will be used?
- The client binary first checks which authentication methods it should use to contact a particular host. This information is retrieved at program startup (for all hosts) from nsrexecd.
- It will then try each authentication method in order from most secure to least secure until it finds one that works, or it runs out of methods that it should try.
Slide 23: Architecture and Internal Design (cont.)
- Daemons also look up, at startup, the authentication methods that they are allowed to use when communicating with different machines.
- When a daemon receives an incoming connection it checks which authentication method the client is using.
- If it is using an allowed authentication method (for that host), then it will allow the RPC to be processed.
- If it is using an authentication method that is not allowed, then the daemon will return an RPC error without ever looking at the RPC contents.
Slide 24: Architecture and Internal Design (cont.)
GSS Legato v1 design overview:
- Users are authenticated using the file system.
- Machines are authenticated using SSL and self-signed certificates.
Slide 25: Architecture and Internal Design (cont.)
GSS Legato v1 design details:
- When a client binary needs to get authenticated, it gathers information about the user running it and the groups that user belongs to using operating system calls.
- It sends this information to the local nsrexecd along with information about who it wants to contact (hostname, program number, and version number).
- The local nsrexecd verifies that the user belongs to all of the groups that they claim to belong to.
Slide 26: Architecture and Internal Design (cont.)
GSS Legato v1 design details (cont.): if the user wants to communicate with a remote daemon:
- nsrexecd opens a connection with the nsrexecd on the machine where the daemon is.
- Both nsrexecds send their NetWorker instance IDs.
- Then each nsrexecd looks to see if it already has a certificate for the remote nsrexecd.
  - If it does, then that certificate is used to authenticate the connection.
  - If it does not, then the nsrexecd requests that the peer send the certificate.
Slide 27: Architecture and Internal Design (cont.)
GSS Legato v1 design details (cont.): if the user wants to communicate with a remote daemon (cont.):
- Once the certificate negotiations are done, the nsrexecds will change the channel to an SSL channel, using the certificates to authenticate the connection.
- The local nsrexecd will send the user identification information and will generate and send half of each session key.
- The remote nsrexecd will then look up the privileges that the user has and generate the other half of each session key.
- The privilege information and session key halves that the remote nsrexecd generated are sent back to the local nsrexecd.
Slide 28: Architecture and Internal Design (cont.)
GSS Legato v1 design details (cont.): if the user wants to communicate with a local daemon:
- The local nsrexecd just looks up the user's privilege information (the SSL connection is not needed). It also generates the session keys.
- After both nsrexecds have the privilege information, user identification, and session keys, all the information needed to create a session is available. Now all that needs to be done is user authentication.
Slide 29: Architecture and Internal Design (cont.)
GSS Legato v1 design details (cont.): user authentication.
- Now all of the session information (the session keys, the session ID, the user identification and privileges) is stored in a file in /nsr/tmp/sec. This is a temporary file which is only readable by the user that requested authentication.
- The user is required to open the file and use the session keys to authenticate to nsrexecd. If this is not done within one minute, then the authentication has failed and the file is removed.
- If the operation is completed before the minute is up, then authentication has succeeded (so far). The local nsrexecd tells the remote nsrexecd that the authentication succeeded.
Slide 30: Architecture and Internal Design (cont.)
GSS Legato v1 design details (cont.):
- Then the client binary takes the session ID and sends it to the daemon that it wants to talk to.
- The daemon uses the session ID to look up the rest of the session information in the local nsrexecd.
- The session keys are used to produce an HMAC of the RPC header. The daemon verifies the HMACs. If the HMAC is not correct, then the RPC is rejected before being processed.
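The session mechanics of slides 27 to 30, as an added example written for this page rather than NetWorker's implementation: a key assembled from the two halves, a session file readable only by the requesting user with the one-minute expiry, and the daemon's HMAC check over the RPC header. How the real halves are combined, the MAC algorithm and the file layout are all assumptions of this example; the file is written under a caller-supplied directory rather than /nsr/tmp/sec.

```python
import hashlib, hmac, json, os, time

SESSION_TTL = 60  # slide: the user must authenticate within one minute

def combine_halves(local_half: bytes, remote_half: bytes) -> bytes:
    """Build a session key from the half each nsrexecd generated.  The slides do
    not say how the halves are joined; hashing their concatenation is an
    assumption of this example."""
    return hashlib.sha256(local_half + remote_half).digest()

def write_session_file(directory, session, created=None):
    """Store session id, user identity, privileges and key in a file that only the
    requesting user can read (mode 0600, O_EXCL so an existing file is never reused)."""
    path = os.path.join(directory, f"sess-{session['id']}")
    record = dict(session, key=session["key"].hex(),
                  created=time.time() if created is None else created)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    return path

def load_session_file(path, now=None):
    """Return the session, or None after deleting the file if the minute has passed."""
    now = time.time() if now is None else now
    with open(path) as fh:
        record = json.load(fh)
    if now - record["created"] > SESSION_TTL:
        os.unlink(path)          # expired: authentication has failed
        return None
    record["key"] = bytes.fromhex(record["key"])
    return record

def sign_rpc_header(key: bytes, header: bytes) -> bytes:
    """Client side: HMAC over the RPC header (HMAC-SHA256 is this example's choice)."""
    return hmac.new(key, header, hashlib.sha256).digest()

def daemon_verify(key: bytes, header: bytes, mac: bytes) -> bool:
    """Daemon side: constant-time HMAC check; on mismatch the RPC is rejected
    before its body is examined."""
    return hmac.compare_digest(sign_rpc_header(key, header), mac)
```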
Slide 31: Debugging Techniques and Tips
How to obtain debugging or tracking information:
- Using higher debug levels like "-D 3" on processes can be very enlightening.
- nsrexecd is particularly useful to run at higher debug levels.
  - Level 1 will cause more messages to be printed out for fatal errors.
  - Level 3 will cause most useful messages to be printed out.
  - No messages for this feature have a debug level higher than 10.
Slide 32: Debugging Techniques and Tips (cont.)
- Don't delete the NSRLA resource (by deleting /nsr/res/nsrladb or its Windows equivalent). Customers may not be expecting the consequences of deleting this resource.
- When looking for error messages, be sure to check the daemon.log file on all of the machines. For security reasons, sometimes an error will be printed in the NetWorker client's daemon.log and other times it will be printed in the server's or storage node's daemon.log. Sometimes a short, non-detailed message will appear on one machine and a more detailed message will appear on the machine it is trying to communicate with.
- The error messages and their meaning will be documented in the error message guide.
Slide 33: Debugging Techniques and Tips (cont.)
New debugging tools:
- dbgcommand -p Debug=
Slide 34: Known Issues and Limitations
Known issues and/or bugs
Limitations:
- If your NSRLA resource gets deleted and you do not have a backup of your authentication/identification information, then you will have to do some work to be able to talk to other NetWorker machines again.
Slide 35: Questions and Answers
- Any questions that have not been answered yet?
Slide 36: Demonstration
Demonstrate:
- Updating the "auth methods" attribute.
- Updating the administrator's list to specify a user by NetWorker instance name.
- A save using GSS Legato v1 authentication (use debug mode to show what is going on).
Slide 37: Questions and Answers
- Any questions that have not been answered yet?
- Thanks for attending