Releases 12.4.10 and earlier

Configuring stunnel

For releases 12.4.10 and earlier, you can add stunnel to provide a secure, encrypted connection to the AMD.

To configure stunnel on your AMD, you must modify the stunnel.config file. Because stunnel.config is automatically recreated after each rtmgate service restart, make your changes in the /usr/adlex/rtm/bin/rtmhttp script instead, so that they are written every time the file is regenerated.

Add all script modifications after the printf(STUNNEL_CNF "debug = 4\n"); line.

  1. To select permitted SSL ciphers, append the following line:

    printf(STUNNEL_CNF "ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS\n");
  2. To disable SSLv2 and/or SSLv3, append the following lines:

    printf(STUNNEL_CNF "options = NO_SSLv2\n");
    printf(STUNNEL_CNF "options = NO_SSLv3\n");
  3. To apply your changes, restart the rtmgate service.
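Added example, not the AMD product's own code: after the rtmgate restart, the rendered stunnel.config can be audited for the cipher and protocol lines this procedure adds. The sample configuration, its [https] service section and the ports in it are constructed for illustration.

```python
# Constructed sample of a rendered stunnel.config; not the AMD's real file.
SAMPLE_STUNNEL_CONFIG = """\
debug = 4
ciphers = ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5
options = NO_SSLv2
options = NO_SSLv3
[https]
accept = 443
connect = 127.0.0.1:9091
"""

REQUIRED_OPTIONS = {"NO_SSLv2", "NO_SSLv3"}
# Cipher families the procedure's ciphers line excludes with a leading '!'.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "DES", "RC4", "3DES", "MD5"}


def parse_stunnel_config(text):
    """Return global-section settings as {key: [values]}.
    stunnel lets a key such as 'options' repeat, each repetition adding a
    flag, so every value is kept. Lines starting with ';' are comments.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):  # first service section ends the global block
            break
        key, sep, value = line.partition("=")
        if sep:
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit_stunnel(text):
    """Return findings for a rendered config; an empty list means hardened."""
    settings = parse_stunnel_config(text)
    findings = []
    for opt in sorted(REQUIRED_OPTIONS - set(settings.get("options", []))):
        findings.append(f"options = {opt} is missing")
    cipher_lines = settings.get("ciphers", [])
    if not cipher_lines:
        findings.append("ciphers line is missing")
    else:
        tokens = cipher_lines[0].split(":")  # the procedure adds one line
        excluded = {t[1:] for t in tokens if t.startswith("!")}
        for family in sorted(REQUIRED_EXCLUSIONS - excluded):
            findings.append(f"cipher family {family} is not excluded")
    return findings
```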

Enable or disable non-secure data transfer

By default, communication with the AMD over HTTPS is enabled. To disable it, use the rtminst command.

  1. Execute the rtminst command from the operating system prompt to start the rtminst setup program.

  2. From the rtminst menu, select [3] to access the AMD setup.

  3. Enable or disable HTTPS communication between the AMD and the report server.

    To disable HTTPS and allow HTTP communication, set the port number to [0].

    Using this setup procedure you can also change the factory-defined HTTPS port number. The default HTTPS port is 443; change it according to your needs.

    1. From the AMD Setup menu, select [2].

    2. Select [e] to edit the HTTPS port value.

    3. When prompted, enter a port number for HTTPS communication and then press [Enter] to accept your settings.

    4. Press [A] to apply the new value.

    Figure 1. Configuring HTTPS Communication Between AMD and Report Server

    AMD Setup ver. ndw.12.4.XXX
    
    Options:
             1 - Data memory limit
             2 - Enabling and port selection for data transfer over HTTPS
             3 - SHM packet reader thread setup
             4 - Packet buffer size setup
             5 - Driver parameters set
             X - Exit
    Select an option and press `Enter`: 2
    
    Property: https.port(/usr/adlex/config/rtm.config)
    Description: HTTPS port selection for data transfers.
    Set port number for HTTPS protocol data transfers.
    Recommended port number for HTTPS protocol data transfers is 443.
    Set port number to 0 to disable HTTPS and allow HTTP.
    
    Current value: 0
    Recommended value: 443
    E - Edit property value
    C - Cancel
    Select an option and press 'Enter' :e
                    
    Enter new value: https.port=[443] 443
    
    Property: https.port(/usr/adlex/config/rtm.config)
    Description: HTTPS port selection for data transfers.
    Set port number for HTTPS protocol data transfers.
    Recommended port number for HTTPS protocol data transfers is 443.
    Set port number to 0 to disable HTTPS and allow HTTP.
    
    Current value: 443
    Recommended value: 443
    E - Edit property value
    D - Delete property
    A - Apply new value
    C - Cancel
    Select an option and press 'Enter' :a
  4. Press [X] to exit the current screen and validate your changes.

Configuring OpenSSH

To configure OpenSSH on your AMD, you must modify the sshd_config file located in the /etc/ssh directory. This configuration file contains keyword-argument pairs, one per line.

Lines starting with a hash (#) are comments.

  1. Disable X11 forwarding by changing the X11Forwarding setting from yes to no:

    X11Forwarding no
  2. Update ciphers by appending the following line to the configuration file:

    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  3. Update MACs by appending the following line to the configuration file:

    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com 
  4. (optional) To allow only SSH protocol version 2, uncomment the #Protocol 2 line:

    Protocol 2
  5. To apply your changes, restart the sshd service:

    [root@amdprobe /]# service sshd stop
    [root@amdprobe /]# service sshd start
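Added example, not the AMD product's own code: an audit of an sshd_config for the settings above. It also shows the caveat that sshd uses the first value it obtains for a keyword, so a Ciphers or MACs line appended at the end of the file has no effect if an earlier, uncommented line already sets that keyword. The sample file and the weak-algorithm markers are assumptions for illustration.

```python
# Constructed sample sshd_config; not the AMD's real file.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Protocol 2
X11Forwarding no
#Ciphers aes128-cbc
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

# Substrings that mark cipher or MAC names the hardened lists above leave out
# (assumed markers for illustration).
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des")
WEAK_MAC_MARKERS = ("md5", "-96")


def parse_sshd_config(text):
    """Return {keyword.lower(): argument}, keeping only the first occurrence.
    sshd treats keywords case-insensitively, ignores '#' comment lines and
    uses the first value it obtains for each keyword, so a line appended at
    the end of the file is ineffective if an earlier line sets the keyword.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit_sshd(text):
    """Return findings for the effective config; an empty list means hardened."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("x11forwarding", "").lower() != "no":
        findings.append("X11Forwarding is not set to no")
    if cfg.get("protocol") != "2":
        findings.append("Protocol 2 is not set")
    for name, markers in (("ciphers", WEAK_CIPHER_MARKERS), ("macs", WEAK_MAC_MARKERS)):
        value = cfg.get(name)
        if value is None:
            findings.append(f"{name} line is missing")
            continue
        for algo in value.split(","):
            if any(m in algo.lower() for m in markers):
                findings.append(f"weak {name} entry {algo} is enabled")
    return findings
```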

Enable or disable non-secure data transfer

To enable or disable non-secure data transfer via HTTP (port 9091), use the rtminst command.

  1. Execute the rtminst command from the operating system prompt to start the rtminst setup program.

  2. From the rtminst menu, select the AMD setup.

  3. Enable or disable non-secure HTTP communication between the AMD and the report server.
    To enable HTTP communication, select Enabling non-secure data transfer over HTTP, then Enable non-secure data transfer.

    Options:
           1 - Data memory limit
           2 - Driver parameters set
           3 - RTM classic SHM driver parameters
           4 - Enabling non-secure data transfer over HTTP
           X - Exit
    Select an option and press `Enter`: 4
    
    Non-secure data transfer: DISABLED
    
    Options:
           1 - Enable non-secure data transfer
           2 - Disable non-secure data transfer
           X - Exit
    Select an option and press `Enter`: 1 
     
    Non-secure data transfer: ENABLED

    To disable HTTP communication, select Enabling non-secure data transfer over HTTP, then Disable non-secure data transfer.

    Options:
           1 - Data memory limit
           2 - Driver parameters set
           3 - RTM classic SHM driver parameters
           4 - Enabling non-secure data transfer over HTTP
           X - Exit
    Select an option and press `Enter`: 4
    
    Non-secure data transfer: ENABLED
    
    Options:
           1 - Enable non-secure data transfer
           2 - Disable non-secure data transfer
           X - Exit
    Select an option and press `Enter`: 2 
     
    Non-secure data transfer: DISABLED 
  4. Press [X] to exit the current screen and validate your changes.
