In this chapter, we will be securing our UCS system through AAA for logins and hardening of the system.
AAA
Presently, we use the inbuild admin account, “USCPE.” However, on a live system, you would naturally need to use multiple accounts, which should be individual and trackable. We do this through AAA (Authentication, Authorization, and Accounting), whereby we connect to and use the accounts from a directory service. The options we have for this are LDAP, RADIUS, and TACACS+. This chapter will look at how this would be achieved through LDAP (specifically, Microsoft Active Directory). While UCSPE is a self-contained environment, we can run through the setup to see how it looks in real life.
When using AAA, we map groups of users to one of the in-built UCS roles. These roles are
Role name
Description
aaa
The AAA administrator role gives read-and-write access to the users and roles as well as the AAA configurations. It has read access to the rest of the UCS system.
admin
As the name suggests, the admin role has full access to the entire UCS system.
facility-manager
The facility manager role has read/write access to the power management portion of the system. It has read access to the rest of the UCS system.
network
This role has read/write access to the fabric interconnects and also to network security functions. It has read access to the rest of the UCS system.
operations
Read/write access to logs and faults. It has read access to the rest of the UCS system.
read-only
Read-only access to the system.
server-compute
Read/write access to the majority of the service profile settings. Cannot create, modify, or delete vNICs or vHBAs.
server-equipment
Read/write access to physical server-related operations. It has read access to the rest of the UCS system.
server-profile
Read/write access to logical server-related operations. It has read access to the rest of the UCS system.
server-security
Read/write access to server security-related operations. It has read access to the rest of the UCS system.
storage
Read/write access to storage operations. It has read access to the rest of the UCS system.
We start by creating an LDAP provider, by going to “Admin ➤ User Management ➤ LDAP ➤ LDAP Providers” and clicking “Add.” Enter the LDAP details specific to your environment, such as those shown in Figure 6-1.
In the preceding, we are using the following settings (details such as the Bind DN would be in the Active Directory):
Click next and set group authorization to “Enable” and group recursion to recursive (Figure 6-2). This means that the UCS will use the target attribute (memberOf) to check if the user authenticating is a member of a group. Group recursion allows the UCS to look through the user directory level by level until it finds the user.
Leave the Target Attribute as “memberOf,” and “Use Primary Group” unticked. Once you are done, click “Finish.” You will get a notification that the LDAP provider has been created (Figure 6-3).
Usually, you would have more than one LDAP provider to offer a level of resiliency.
We now need to create an LDAP Provider Group. Go to “Admin ➤ User Management ➤ LDAP ➤ LDAP Provider Groups” and click “Add.” Name the provider group (Figure 6-4).
Select the LDAP providers you created in the first step, and click the arrows to move it from LDAP Providers to Included Providers (Figure 6-5).
Click “OK” to save the group and you will see the notice of completion (Figure 6-6).
We will next create some LDAP group maps, to link our AD groups to the UCS roles. We do this from “Admin ➤ User Management ➤ LDAP ➤ LDAP Group Maps.” Click “Add” and add the LDAP group DN, and click on the desired role, similar to Figure 6-7.
Create another for the read-only role (such as Figure 6-8).
Our two group mappings will be shown in the GUI (Figure 6-9).
Now that we have our LDAP provider set up, we need to tell the UCS how to use it. Go to “Admin ➤ User Management ➤ Authentication ➤ Authentication Domains” and click “Add.” In the Create a Domain window, name the domain, and set the realm to LDAP, selecting the provider group we created earlier (Figure 6-10).
The next time we log in, the UCS will first search the domain.local Active Directory for the user, before falling back to the local user account database on the UCS. If the user is not found in either Active Directory or the local database, then the login will be denied.
Hardening the Web Interface
By default, UCS will use a self-signed certificate (in the case of UCSPE, there is no certificate for the web interface). We can’t assign a certificate in UCSPE (as this is a closed-off playground), but we can run through the steps.
Navigate to “Admin ➤ Key Management” and click “Trusted Points.” Trustpoints are the certification authorities we are using. Click “Add.” Add the certificate from your Certification Authority and click OK to create the trust point (Figure 6-11).
Click Key Management again, and then “Key Rings.” Click “Add” and create a new key ring (Figure 6-12). Click “OK.”
Select the new key ring and then click “CreateCertificate Request.” Enter the details (as shown in Figure 6-13).
We will see the final details in the GUI (Figure 6-14).
We would (on a real-life system) then copy the certificate from the same page, and have this certificate signed by our certificate authority.
Once we have the signed certificate, download it and choose the Base64 encoded version, open it in a text editor, and select and copy the entire text, then click “Certificate,” select the trust point, and paste in the signed certificate. The final step in the process is to select the key ring in the Communication Services (Admin ➤ Communication Management ➤ Communication Services). Under the HTTPS settings, select the newly created, and newly certified key ring (Figure 6-15).
There are a few other steps we can take to harden our UCS. Firstly, we should switch to HTTPS instead of permitting HTTP, which we do under the HTTP settings where we can redirect HTTP traffic to our UCS to the more secure HTTPS (Figure 6-16).
Next, we should disable Telnet, as anyone sniffing your traffic will be able to capture your unencrypted password (Figure 6-17).
Finally, we can get rid of the less secure ciphers by setting the cipher suite mode to “Custom” and setting the cipher suite to use “ALL:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!MEDIUM” (which excludes ciphers such as low, triple-DES, MD5, for example) and then set the “Allowed SSL Protocols” to “Only TLSv1.2” (Figure 6-18).
These settings should satisfy most PCI QSAs and security scans!
Summary
In this chapter, we secured access to our UCS system. In the next chapter, we will look at UCS troubleshooting.