Working with Tools

• 1: Configuring the SSH
• 1.1: Specifying SSH Mode
• 1.2: Setting Up Advanced SSH Configuration
• 1.3: Managing SSH Known Hosts
• 1.4: Managing Authorized Keys
• 1.5: Managing Identities
• 1.6: Generating SSH Keys
• 1.7: Configuring the SSH
• 1.8: Customizing the SSH Configurations
• 1.9: Exporting/Importing the SSH Settings
• 1.10: Securing SSH Communication
• 2: Clustering Tool
• 2.1: Creating a TAC using the CLI Manager
• 2.2: Joining an Existing Cluster using the CLI Manager
• 2.3: Cluster Operations
• 2.4: Managing a site
• 2.5: Node Management
• 2.5.1: Show Cluster Nodes and Status
• 2.5.2: Viewing the Cluster Status using the CLI Manager
• 2.5.3: Adding a Remote Node to a Cluster
• 2.5.4: Updating Cluster Information using the CLI Manager
• 2.5.5: Managing Communication Methods for Local Node
• 2.5.6: Managing Local to Remote Node Communication
• 2.5.7: Removing a Node from a Cluster using CLI Manager
• 2.5.8: Uninstalling Cluster Services
• 2.6: Trusted Appliances Cluster
• 2.6.1: Updating Cluster Key
• 2.6.2: Redeploy Local Cluster Configuration to All Nodes
• 2.6.3: Cluster Service Interval
• 2.6.4: Execute Commands as OS Root User
• 3: Working with Xen Paravirtualization Tool
• 4: Working with the File Integrity Monitor Tool
• 5: Rotating Appliance OS Keys
• 6: Managing Removable Drives
• 7: Tuning the Web Services
• 8: Tuning the Service Dispatcher
• 9: Working with Antivirus

1 - Configuring the SSH

The SSH Configuration tool provides a convenient way to examine and manage the SSH configuration that would fit your needs. Changing the SSH configuration may be necessary for special needs, troubleshooting, or advanced non-standard scenarios. By default, the SSH is configured to deny any SSH communication with unknown remote servers. You can allow the authorized users with keys to communicate without passwords. Every time you add a remote host, the system obtains the SSH key for this host, and adds it to the known hosts.

Note: It is recommended to create a backup of the SSH settings/keys before you make any modifications.
For more information for Backup from CLI, refer to here.
For more information for Backup from Web UI, refer to here.

Using Tools > SSH Configuration, you can:

• Specify SSH Mode.
• Specify SSH configuration.
• Manage the hosts that the Appliance can connect to.
• Set the authorized keys.
• Manage the keys that belong to local accounts.
• Generate new SSH server keys.

1.1 - Specifying SSH Mode

Using SSH Mode tool, you can set restrictions for SSH connections. The restrictions can be hardened or made slack according to your needs. Four modes are available, as described in the following table:

1.2 - Setting Up Advanced SSH Configuration

A user with administrative credentials can configure the SSH idle timeout and client authentication settings. The following screen shows the Advanced SSH Configuration.

• In the Idle Timeout field, enter the idle timeout period in seconds. This allows the user to set idle timeout period for the SSH server before logout.

• When you are working on the OS Console using the OpenSSH session, if the session is idle for the specified time, then the OS Console session gets closed. However, you are re-directed to the Administration screen.

• In the Client Authentications field, specify the order for trying the SSH authentication method. This allows you to prefer one method over another. The default for this option is publickey, password.

1.3 - Managing SSH Known Hosts

Using Known Hosts: Hosts I can connect to, you can manage the hosts that you can connect to using SSH. The following table explains the options in the Hosts that I connect to dialog box:

1.4 - Managing Authorized Keys

SSH Authorized keys are used to specify SSH keys that are allowed to connect to this machine without entering the password. The system administrator can create such SSH keys and import the keys to this appliance. This is a standard SSH mechanism to allow secured access to machines without a need to enter a password.

Using the Authorized Keys tool, you can display the keys and delete the list of authorized keys from the Reset List option. This would reject all incoming connections that used the authorized keys reset with this tool.

Examine and manage the users that are authorized to access this host.

1.5 - Managing Identities

Using the Identities menu, you can manage and examine which users can start SSH communication from this host using SSH keys. You can:

• Display the list of such keys that already exist.
• Reset the SSH keys. This means that all SSH keys used for outgoing connections are deleted.
• Add an identity from the list already available by default or create one as required, using the Directory or Filter options.
• Delete an identity. This should be done with extreme care.

1.6 - Generating SSH Keys

Using the Generate SSH Keys, you can create new SSH keys. If you recreate the SSH Keys, then the remote machines that store the current SSH key, will not be able to contact the appliance until you manually update the SSH keys on those machines.

1.7 - Configuring the SSH

SSH is a network protocol that ensures a secure communication over an unsecured network. It comprises of a utility suite which provides high-level authentication encryption over unsecured communication channels. SSH utility suites provide a set of default rules that ensure the security of the appliances. These rules consist of various configurations such as password authentication, log level info, port numbers info, login grace time, strict modes, and so on. These configurations are enabled by default when the SSH service starts. These rules are provided in the sshd_config.orig file under the /etc/ssh directory.

You can customize the SSH rules for your appliances as per your requirements. You can configure the rules in the sshd_config.append file under the /etc/ksa directory.

Warning: To add customised rules or configurations to the SSH configuration file, modify the sshd_config.append file only. It is recommended to use the console for modifying these settings.

For example, if you want to add a match rule for a test user, test_user with the following configurations:

• User can only login with a valid password.
• Only three incorrect password attempts are permitted.
• Requires host-based authentication.

You must add the following configuration for the match rule in the sshd_config.append file. Make sure to restart the SSH service to apply the updated configurations.

Match user test_user
        PasswordAuthentication yes
        MaxAuthTries    3
        HostbasedAuthentication yes 

Ensure that you must enter the valid configurations in the sshd_config.append file.

If the rule added to the file is incorrect, then the SSH service reverts to the default configurations provided in the sshd_config.orig file.

Consider an example where the SSH rule is incorrectly configured by replacing PasswordAuthentication with Password—Authentication. The following code snippet describes the incorrect configuration.

Match user test_user
        Password---Authentication yes
        MaxAuthTries    3
        HostbasedAuthentication yes 

Then, the following message appears on the OS Console when the SSH services restart.

root@protegrity-esa858:/var/www# /etc/init.d/ssh restart
[ ok ] Stopping OpenBSD Secure Shell server: sshd.
The configuration(s) added is incorrect. Reverting to the default configuration.
/etc/ssh/sshd_config: line 274: Bad configuration option: Password---Authentication
/etc/ssh/sshd_config line 274: Directive 'Password---Authentication' is not allowed within a Match block
[ ok ] Starting OpenBSD Secure Shell server: sshd.

If you want to configure the SSH settings for an HA environment, then you must add the rules to both the nodes individually before creating the HA.

For more information about configuring rules to SSH, refer to here.

1.8 - Customizing the SSH Configurations

To configure SSH rules:

1. Login to the CLI Manager with the root credentials.

2. Navigate to Administrator > OS Console.

3. Configure a new rule using a text editor.

   /etc/ksa/sshd_config.append
   

4. Configure the required SSH rule and save the file.

5. Restart the SSH service through the CLI or Web UI.

   • To restart the SSH service from the Web UI, navigate to System > Services > Secured Shell (SSH).
     
   • To restart the SSH service from CLI Manager, navigate to Administration > Services > Secured Shell (SSH).

   The SSH services starts with the customized rules or configurations.

1.9 - Exporting/Importing the SSH Settings

You can backup or restore the SSH settings. To export these configurations, select the Appliance OS configuration option while exporting the custom files.

To import the SSH configurations, select the SSH Settings option.

Warning: You can configure SSH settings and SSH identities that are server-specific. It is recommended to not export or import these SSH settings as it may break the SSH services on the appliance.

For more information on Exporting Custom Files, refer to here.

1.10 - Securing SSH Communication

When the client communicates with the server using SSH protocol, a key exchange process occurs for encrypting and decrypting the communication. During the key exchange process, client and server decide on the cipher suites that must be used for communication. The cipher suites contain different algorithms for securing the communication. One of the algorithms that Protegrity appliances uses is SHA1, which is vulnerable to collision attacks. Thus, to secure the SSH communication, it is recommended to deprecate the SHA1 algorithm. The following steps describe how to remove the SHA1 algorithm from the SSH configuration.

To secure SSH communication:

1. On the CLI Manager, navigate to Administration > OS Console.

2. Navigate to the /etc/ssh directory.

3. Edit the sshd_config.orig file.

4. Remove the following entry:

   MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
   

5. Remove the following entry:

   KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
   

6. Save the changes and exit the editor.

7. Navigate to the /etc/ksa directory.

8. Edit the sshd_config.append file.

9. Append the following entries to the file.

   MACs hmac-sha2-256,hmac-sha2-512
   KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
   

10. Save the changes and exit the editor.

11. Restart the SSH service using the following command.

    /etc/init.d/ssh restart
    

    The SHA1 algorithm is removed for the SSH communication.

2 - Clustering Tool

Using Tools > Clustering Tool, you can create the Trusted cluster. The trusted cluster can be used to synchronize data from one server to another other one.

For more information about the ports needed for the Trusted cluster, refer to Open Listening Ports.

2.1 - Creating a TAC using the CLI Manager

About Creating a TAC using the CLI

Before creating a TAC, ensure that the SSH Authentication type is set to Public key or Password + PublicKey.

If you are using cloned machines to join a cluster, it is necessary to rotate the keys on all cloned nodes before joining the cluster.

If the cloned machines have proxy authentication, two factor authentication, or TAC enabled, it is recommended to use new machines. This avoids any limitations or conflicts, such as, inconsistent TAC, mismatched node statuses, conflicting nodes, and key rotation failures due to keys in use.

For more information about rotating the keys, refer here.

How to create the TAC using the CLI Manager

To create a cluster using the CLI Manager:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster.

   The following screen appears.

   

2. Select Create: Create new cluster.

   The screen to select the communication method appears.

   

3. Select Set preferred method to set the preferred communication method.

   • Select Manage local methods to add, edit, or delete a communication method.
   • For more information about managing communication methods for local node, refer here.

4. Select Done.

   The Cluster Services screen appears and the cluster is created.

2.2 - Joining an Existing Cluster using the CLI Manager

If you are using cloned machines to join a cluster, it is necessary to rotate the keys on all cloned nodes before joining the cluster.

If the cloned machines have proxy authentication, two factor authentication, or TAC enabled, it is recommended to use new machines. This avoids any limitations or conflicts, such as, inconsistent TAC, mismatched node statuses, conflicting nodes, and key rotation failures due to keys in use.

For more information about rotating the keys, refer here.

Important : When assigning a role to the user, ensure that the Can Create JWT Token permission is assigned to the role.
If the Can Create JWT Token permission is unassigned to the role of the required user, then joining the cluster operation fails.
To verify the Can Create JWT Token permission, from the ESA Web UI navigate to Settings > Users > Roles.

To join a cluster using the CLI Manager:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster.

2. In the Cluster Services screen, select Join: Join an existing cluster.

   The following screen appears.

   

3. Enter the IP address of the target node in the Node text box.

4. Enter the credentials of the user of the target node in the Username and Password text boxes.

   • Ensure that the user has administrative privileges.
     
   • Select Advanced to manage communication or set the preferred communication method.
     For more information about managing communication methods, refer here.

5. Select Join.

   The node is joined to an existing cluster.

2.3 - Cluster Operations

Using Cluster Operations, you can execute the standard set of commands or copy files from the local node to other nodes in the cluster. You can only execute the commands or copy files to the nodes that are directly connected to the local node.

The following figure displays the Cluster Operations screen.

Executing Commands using the CLI Manager

This section describes the steps to execute commands using the CLI Manager.

To execute commands using the CLI Manager:

1. In the CLI Manager, navigate to Tools > Trusted Appliances Cluster > Cluster Operations: Execute Commands/Deploy Files.

2. Select Execute.

   The Select command screen appears with the following list of commands:

   • Display top 10 CPU Consumers
   • Display top 10 memory Consumers
   • Report free disk space
   • Report free memory space
   • Display TCP/UDP network information
   • Display performance and system counters
   • Display cluster tasks
   • Manually enter a command

3. Select the required command and select Next.

   The following screen appears.

   

4. Select the target node and select Next.

   The Summary screen displaying the output of the selected command appears.

Copying Files from Local Node to Remote Node

This section describes the steps to copy files from local node to remote node.

To copy files from local node to remote nodes:

1. In the CLI Manager, navigate to Tools > Trusted Appliances Cluster > Cluster Operations: Execute Commands/Deploy Files .

   The screen with the appliances connected to the cluster appears.

2. Select Put Files.

   The list of files in the current directory appears. Select Directory to change the current directory

3. Select the required file and select Next.

   The Target Path screen appears.

   

4. Select the required option and select Next.

   The following screen appears.

   

5. Select the target node and select Next.

   The Summary screen confirming the file to be deployed appears.

6. Select Next.

   The files are deployed to the target nodes.

2.4 - Managing a site

Using Site Management, you can perform the following operations:

• Obtain Site Information
• Add a site
• Remove sites added to the cluster, if more than one site exists in the cluster
• Rename a site
• Set the master site

The following screen shows the Site Management screen.

View a Site

You can view the information for all the sites in the cluster by selecting Show sites information. When a cluster is created, a master site with site1 is created by default. The following screen displays the Site Information screen.

Adding Sites to a Cluster

This section describes the steps to add multiple sites to a cluster from the CLI Manager.

To add a site to a cluster:

1. On the CLI Manager, navigate to Tools > Trusted Appliances Cluster > Site Management > Add Site.

   The following screen appears.

   

2. Select OK.

   The new site is added.

Renaming a Site

This section describes the steps to rename a site from the CLI Manager.

To rename a site:

1. On the CLI Manager, navigate to Tools > Trusted Appliances Cluster > Site Management > Update Cluster Site Settings.

2. Select the required site and select Rename.

   The Rename Site screen appears.

3. Type the required site name and select OK.

   The site is renamed.

Setting a Master Site from the CLI Manager

This section describes the steps to set a master site from the CLI Manager.

To set a master site from the CLI Manager:

1. On the CLI Manager, navigate to Tools > Trusted Appliances Cluster > Site Management > Set Master Site.

   The Set Master Site screen appears.

2. Select the required site and select Set Master.

   A message Operation has been completed successfully appears and the new master site is set. An empty cluster site does not contain any node. You cannot set an empty cluster site as a master site.

Deleting a Cluster Site

This section describes the steps to delete a cluster site from the CLI Manager. You can only delete an empty cluster site.

To delete a cluster site:

1. In the CLI Manager of the node hosting the appliance cluster, navigate to Tools > Trusted Appliances Cluster > Site Management > Remove: Remove Cluster sites(s).

   The Remove Site screen appears.

2. Select the required site and select Remove.

3. Select OK.

   The site is deleted.

2.5 - Node Management

Using Node Management, you can:

• List the nodes - The same option as List Nodes menu, refer here.
• Add a node to the cluster - If your appliance is a part of the cluster, and you want to add a remote node to this cluster.
• Update cluster information - For updating the identification entries.
• Manage communication method of the nodes.
• Remove a remote node from the cluster.

2.5.1 - Show Cluster Nodes and Status

The following table describes the fields that appear on the status screen.

2.5.2 - Viewing the Cluster Status using the CLI Manager

To view the status of the nodes in a cluster using the CLI Manager:

1. In the CLI Manager, navigate to Tools > Trusted Appliances Cluster > Node Management > List Nodes.

   The screen displaying the status of the nodes appears.

   

2. Select Change View to change the view.

   The list of different reports is as follows:

   • List View: Displays the list of all the nodes.
   • Labels View: Displays a grouped view of the nodes.
   • Status View: Displays the status of the nodes.
   • Report view: Displays the cluster diagnostics, network or connectivity issues, and generate error or warning messages if required.

2.5.3 - Adding a Remote Node to a Cluster

To add a remote node to the cluster:

1. In the CLI Manager of the node hosting the cluster, navigate to Tools > Trusted Appliances Cluster > Node Management > Add Node: Add a remote node to this cluster.

   The Add Node screen appears.

   

2. Enter the credentials of the local node user, which must have administrative privileges, into the Username and Password text boxes.

3. Type the preferred communication method on the Preferred Method text box.

4. Type the accessible communication method of the target node in the Reachable Address text box.

5. Type the credentials of the target node user in the Username and Password text boxes.

6. Select OK.

The node is invited to the cluster.

2.5.4 - Updating Cluster Information using the CLI Manager

It is recommended not to change the name of the node after you create the cluster task.

To update cluster information:

1. In the CLI Manager of the node hosting the cluster, navigate to Tools > Trusted Appliances Cluster > Node Management > Update Cluster Information.

   The Update Cluster Information screen appears.

   

2. Type the name of the node in the Name text box.

3. Type the information describing the node in the Description text box.

4. Type the required label for the node in the Labels text box.

5. Select OK.

The details of the node are updated.

2.5.5 - Managing Communication Methods for Local Node

Every node in a network is identified using a unique identifier. A communication method is a qualifier for the remote nodes in the network to communicate with the local node.

There are two standard methods by which a node is identified:

• Local IP Address of the system (ethMNG)
• Host name

The nodes joining a cluster use the communication method to communicate with each other. The communication between nodes in a cluster occur over one of the accessible communication methods.

Adding a Communication Method from the CLI Manager

This section describes the steps to add a communication method from the CLI Manager.

To add a communication method from the CLI Manager:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster.

2. In the Cluster Services screen, select Node Management: Add/Remove Cluster Nodes/ Information.

3. In the Node Management screen, select Manage node’s local communication methods.

4. In the Select Communication Method screen, select Add.

5. Type the required communication method and select OK.

The new communication method is added.

Ensure that the length of the text is less than or equal to 64 characters.

Editing a Communication Method from the CLI Manager

This section describes the steps to edit a communication method from the CLI Manager.

To add a communication method from the CLI Manager:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster.

2. In the Cluster Services screen, select Node Management: Add/Remove Cluster Nodes/ Information.

3. In the Node Management screen, select Manage node’s local communication methods.

4. In the Select Communication Method screen, select the communication method to edit and select Edit.

5. In the Edit method screen, enter the required changes and select OK.

The changes to the communication method are complete.

Deleting a Communication Method from the CLI Manager

This section describes the steps to delete a communication method from the CLI Manager.

To delete a communication method from the CLI Manager:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster.

2. In the Cluster Services screen, select Node Management: Add/Remove Cluster Nodes/ Information.

3. In the Node Management screen, select Manage node’s local communication methods.

4. In the Select Communication Method screen, select the required communication method and select Delete.

The communication method of the node is deleted.

2.5.6 - Managing Local to Remote Node Communication

You can select the method that a node uses to communicate with another node in a network. The communication methods of all the nodes are visible across the cluster. You can select the specific communication mode to connect with a specific node in the cluster. In the Node Management screen, you can set the communication between a local node and remote node in a cluster.

You can also set the preferred method that a node uses to communicate with other nodes in a network. If the selected communication method is not accessible, then the other available communication methods of the target node are used for communication.

Selecting a Local to Remote Node Communication Method

This section describes the steps to select a local to remote node communication method.

To select a local to remote node communication method:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster.

2. In the Cluster Services screen, select Node Management: Add/Remove Cluster Nodes/ Information.

3. In the Node Management screen, select Manage local to other nodes communication methods.

4. In the Manage local to other nodes communication method, select the required node for which you want to change the communication method.

5. Select Change.

6. Select the required communication method and select Choose. If a new communication must be added so it can be chosen as the required communication method, select Add New to add it.

7. Select Ok.

The communication method is selected to communicate with the remote node in the cluster.

Changing a Local to Remote Node Communication Method

This section describes the steps to change a local to remote node communication method.

To change a local to remote node communication method:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster.

2. In the Cluster Services screen, select Node Management: Add/Remove Cluster Nodes/ Information.

3. In the Node Management screen, select Manage local to other nodes communication methods.

4. In the Manage local to other nodes communication method screen, select a remote node and select Change.

   The following screen appears.

   

5. Select the required communication method.

6. Select Choose.

The new local to other nodes communication methods is set.

2.5.7 - Removing a Node from a Cluster using CLI Manager

Before attempting to remove a node, verify if it is associated with a cluster task. If a node is associated with a cluster task that is based on the hostname or IP address, then the Remove a (remote) cluster node operation will not remove node from the cluster. Ensure that you delete all such tasks before removing any node from the cluster.

To remove a node from a cluster using the CLI Manager:

1. In the ESA CLI Manager, navigate to Tools > Trusted Appliances Cluster.

2. In the Cluster Services screen, select Node Management: Add/Remove Cluster Nodes/Information.

   The following screen appears.

   

3. Select Remove: Delete a (remote) cluster node and select OK.

   The screen displaying the nodes in the cluster appears.

4. Select the required node and select OK.

   The following screen appears.

   

5. Select OK.

6. Select REFRESH to view the updated status.

2.5.8 - Uninstalling Cluster Services

Before attempting to remove a node, verify if it is associated with a cluster task. If a node is associated with a cluster task that is based on the hostname or IP address, then the Uninstall Cluster Services operation will not uninstall the cluster services on the node. Ensure that you delete all such tasks before uninstalling the cluster services.

To remove a node from a cluster using the CLI Manager:

1. In the ESA CLI Manager, navigate to Tools > Trusted Appliances Cluster.

2. In the Cluster Services screen, select 7 Uninstall : Uninstall Cluster Services.

3. A confirmation message appears.

4. Select Yes.

   The cluster services are uninstalled.

2.6 - Trusted Appliances Cluster

A Trusted Appliances cluster can be used to transfer data from one node to other nodes regardless of their location, as long as standard SSH access is supported. This mechanism allows you to run remote commands on remote cluster nodes, transfer files to remote nodes and export configurations to remote nodes. Trusted appliances clusters are typically used for disaster recovery. The trusted appliance cluster can be configured and controlled using the Appliance Web UI as well as the Appliance CLI.

Clustering details are fully explained in section Trusted Appliances Cluster (TAC). In that section you will find information how to:

• Setup a trusted appliances cluster
• Add the appliance to an existing trusted appliances cluster
• Remove an appliance from the trusted appliances cluster
• Manage cluster nodes
• Run commands on cluster nodes

Using the cluster maintenance, you can perform the following functions:

• List cluster nodes
• Update cluster keys
• Redeploy local cluster configuration to all nodes
• Review cluster service interval
• Execute commands as OS root user

2.6.1 - Updating Cluster Key

Before you begin

Ensure that all the nodes in the cluster are active, before changing the cluster key.
If a new key is deployed to a node that is unreachable, then connect the node to the cluster. In this scenario, remove the node from the cluster and re-join the cluster.

Generate a new set of the cluster SSH keys to the nodes that are directly connected to the local node. This ensures that the trusted appliance cluster is secure.

To re-generate cluster keys:

1. In the ESA CLI Manager, navigate to Tools > Clustering > Trusted Appliances Cluster > Maintenance: Update Cluster Settings.

   The following screen appears.

   

2. Select New Cluster Keys.

   A message to re-generate the cluster keys appears.

3. Select Yes.

   The new keys are deployed to the nodes that are directly connected.

2.6.2 - Redeploy Local Cluster Configuration to All Nodes

You can redeploy the local cluster configuration to force it to be applied on all connected nodes. Usually there is no need for such operation since the configurations are synchronized automatically. However, if the cluster status service is stopped or you want to force a specific configuration, then you can use this option to force the configuration.

When you select to Redeploy local cluster configuration to all nodes in the Update Cluster dialog box, the operation is performed at once with no confirmation.

2.6.3 - Cluster Service Interval

The cluster provides an auto-update mechanism that runs in the background as a background service which is responsible for updating local and remote cluster configurations and cluster health checks.

You can specify the cluster service interval in the Cluster Service Interval dialog box.

The interval (in seconds) specifies the sleep time between cluster background updates/operations. For example, if the specified value is 120 seconds, then every two minutes the cluster service will update its status and synchronize its cluster configuration with the other nodes (if changes identified).

2.6.4 - Execute Commands as OS Root User

By default, the cluster user is a restricted user which means that the cluster commands will be restricted by the OS. There are scenarios where you would like to disable these restrictions and allow the cluster user to run as the OS root user.

Using the details in the table below, you can specify whether to execute the commands as root or as a restricted user.

3 - Working with Xen Paravirtualization Tool

Using Tools > Clustering Tool, you can setup an appliance virtual environment. The default installation of a Protegrity appliance uses hardware virtualization mode (HVM). The appliance can be reconfigured to use parallel virtualization mode (PVM) to optimize the performance of virtual guest machines.

Protegrity supports these virtual servers:

• Xen®
• Microsoft Hyper-V™
• KVM Hypervisor

XEN paravirtualization details are fully covered in section Xen Paravirtualization Setup. In that section you will find information how to:

• Set up Xen paravirtualization
• Follow the paravirtualization process

4 - Working with the File Integrity Monitor Tool

Using Tools > File Integrity Monitor, you can make a weekly check. The content modifications can be viewed by the Security Officer since the PCI specifications require that sensitive files and folders in the Appliance are monitored. This information contains password, certificate, and configuration files. All changes made to these files can be reviewed by authorized users.

5 - Rotating Appliance OS Keys

When you install the appliance, it generates multiple security identifiers such as, keys, certificates, secrets, passwords, and so on. These identifiers ensure that sensitive data is unique between two appliances in a network. When you receive a Protegrity appliance image or replicate an appliance image on-premise, the identifiers are generated with certain values. If you use the security identifiers without changing their values, then security is compromised and the system might be vulnerable to attacks. Using the Rotate Appliance OS Keys, you can randomize the values of these security identifiers on an appliance. This tool must be run only when you finalize the ESA from a cloud instance.

Set ESA communication and key rotations

When an appliance, such as DSG, communicates with ESA, the Set ESA communication must be performed. Before running the Set ESA communication process, ensure appliance OS keys are rotated.

For example, if the OS keys are not rotated, then you might not be able to add the appliances to a Trusted Appliances Cluster (TAC).

To rotate appliance OS keys:

1. From the CLI Manager, navigate to to Tools > Rotate Appliance OS Keys.

2. Enter the root credentials.

   The following screen appears.

   

3. Select Yes.

   The following screen appears.

   

   If you select No, then the Rotate Appliance OS Keys operation is discarded.

4. Enter the administrative credentials and select OK.

   The following screen appears.

   

   The following screen appears.

   

5. To update the user passwords, provide the credentials for the following users.

   • root
   • admin
   • viewer
   • local_admin

   If you have deleted any of the default users, such as admin or viewer, those users will not be listed in the User’s Passwords screen.

6. Select Apply.

   The user passwords are updated and the appliance OS keys are rotated.

7. After rotating appliance keys the hostname of ESA changes, update the hostname in the configuration files and rotate the Insight certificates using the steps from Updating the host name or domain name of the ESA.

6 - Managing Removable Drives

As a security feature, you can restrict access to the removable drives attached to your appliances. You can enable or disable the access to the removable disks, such as, CD/DVD drive or USB Flash drives.

The access to the removable disks is enabled by default.

Disabling CD or DVD drive

To disable CD or DVD drive:

1. On the CLI Manager, navigate to Tools > Removable Media Management > Disable CD/DVD Drives.

2. Press ENTER.

   The following message appears.

   

Disabling USB Flash Drive

To disable USB flash drive:

1. On the CLI Manager, navigate to Tools > Removable Media Management > Disable USB Flash Drives..

2. Press ENTER.

   The following message appears.

   

Enabling CD or DVD Drive

To enable CD/DVD drive:

1. On the CLI Manager, navigate to Tools > Removable Media Management > Enable CD/DVD Drives.

2. Press ENTER.

Enabling USB Flash Drive

To enable USB flash drive:

1. On the CLI Manager, navigate to Tools > Removable Media Management > Enable Flash Drives.

2. Press ENTER.

7 - Tuning the Web Services

Using Tools > Web Services Tuning, you can monitor and configure the Application Protector Web Service Sessions. You can view information such as Session Shared Memory ID, maximum open sessions, open sessions, free sessions, and session timeout.

CAUTION: It is recommended to contact Protegrity Support before applying any changes for Web Services.

In the Web Services Tuning screen you can find and configure the following fields.

Start Servers: In the StartServers field, you configure the number of child servers processes created on startup. Since the number of processes is dynamically controlled depending on the load, there is usually no reason to adjust the default parameter.

Minimum Spare Servers: In the MinSpareServers field, you set the minimum number of child server processes not handling a request. If the number of such processes is less than configured in the MinSpareServers field, then the parent process creates new children at a maximum rate of 1 per second. It is recommended to change the default value only when dealing with very busy sites.

Maximum Spare Servers: In the MaxSpareServers field, you set the maximum number of child server processes not handling a request. When the number of such processes exceeds the number configured in MaxSpareServers, the parent process kills the excessive processes.
It is recommended to change the default value only when dealing with very busy sites. If you try to set the value lower than MinSpareServers, then it will automatically be adjusted to MinSpareServers value +1.

Maximum Clients: In the MaxClients field, you set the maximum number of connections to be processed simultaneously.

Maximum Requests per Child: In the MaxRequestsPerChild field, you set the limit on the number of requests that an individual child server will handle during its life. When the number of requests exceeds the value configured in the MaxRequestsPerChild field, the child process dies. If you set the MaxRequestsPerChild value to 0, then the process will never expire.

Maximum Keep Alive Requests: In the MaxKeepAliveRequest field, you can set the maximum number of requests that can be allowed during a persistent connection. If you set 0, then the number of allowed request will be unlimited. For maximum performance, leave this number high.

Keep Alive Timeout: In the KeepAliveTimeout field, you can set the number of seconds to wait for the next request from same client on the same connection.

8 - Tuning the Service Dispatcher

The Service Dispatcher parameters are the Apache Multi-Processing Module (MPM) worker parameters. The Apache MPM Worker module implements a multi-threaded multi-process web server that allows it to serve higher number of requests with limited system resources. For more information about the Apache MPM Worker parameters, refer to https://httpd.apache.org/docs/2.2/mod/worker.html.

To improve service dispatcher performance, navigate to Tools > Service Dispatcher Tuning.

The following table provides information about the configurable parameters and recommendations for Service Dispatcher performance.

9 - Working with Antivirus

The AntiVirus program uses ClamAV, an open source and cross-platform antivirus engine designed to detect malicious trojan, virus, and malware threats. A single file or directory, or the whole system can be scanned. Infected file or files are logged and can be deleted or moved to a different location, as required.

The Antivirus option allows you to perform the following actions.

Customizing Antivirus Scan Options from the CLI

To customize Antivirus scan options from the CLI:

1. Go to Tools > AntiVirus.

2. Select Options.

3. Press ENTER.

   The following table provides a list of the choices available to you to customize scan options.

   Table 1. List of all scan options

   Option	Selection	Description
   Action	Ignore	Ignore the infected file and proceed with the scan.
   	Move to directory	Move the infected files to specific directory. In the text box, enter the path where the infected file should be moved.
   	Delete infected file	Remove the infected file from the directory.
   Recursive	True	Scan sub-directories.
   	False	Do not scan sub-directories.
   Scan directory		Path of the directory to be scanned.