In this chapter, we will be securing our UCS system through AAA for logins and hardening of the system.
AAA
Presently, we use the inbuild admin account, “USCPE.” However, on a live system, you would naturally need to use multiple accounts, which should be individual and trackable. We do this through AAA (Authentication, Authorization, and Accounting), whereby we connect to and use the accounts from a directory service. The options we have for this are LDAP, RADIUS, and TACACS+. This chapter will look at how this would be achieved through LDAP (specifically, Microsoft Active Directory). While UCSPE is a self-contained environment, we can run through the setup to see how it looks in real life.
Role name | Description |
|---|---|
aaa | The AAA administrator role gives read-and-write access to the users and roles as well as the AAA configurations. It has read access to the rest of the UCS system. |
admin | As the name suggests, the admin role has full access to the entire UCS system. |
facility-manager | The facility manager role has read/write access to the power management portion of the system. It has read access to the rest of the UCS system. |
network | This role has read/write access to the fabric interconnects and also to network security functions. It has read access to the rest of the UCS system. |
operations | Read/write access to logs and faults. It has read access to the rest of the UCS system. |
read-only | Read-only access to the system. |
server-compute | Read/write access to the majority of the service profile settings. Cannot create, modify, or delete vNICs or vHBAs. |
server-equipment | Read/write access to physical server-related operations. It has read access to the rest of the UCS system. |
server-profile | Read/write access to logical server-related operations. It has read access to the rest of the UCS system. |
server-security | Read/write access to server security-related operations. It has read access to the rest of the UCS system. |
storage | Read/write access to storage operations. It has read access to the rest of the UCS system. |
A screenshot of a tab titled create L D A P provider. Create L D A P provider is selected from the left pane. The highlighted field entry for filter is s A M account name = dollar user id on the right.
Creating the LDAP provider
Hostname/FQDN (or IP address): DC01.domain.local
Order: lowest-available
Bind DN: CN=ucs-binduser,OU=svcAccounts,OU=Mgmt,DC=domain,DC=local
Base DN: DC=domain,DC=local
Port: 389
Enable SSL: unticked
Filter: sAMAccountName=$userid
Attribute: empty
Password: $tr0ngP4ssw0rd!
Confirm Password: $tr0ngP4ssw0rd!
Vendor: MS AD
A screenshot of a tab titled create L D A P provider. Create L D A P provider is selected from the left pane. The field entries for group authorization are enabled and group recursion is recursive on the right.
The LDAP provider group settings
A screenshot of a tab titled create L D P A provider. It has text that reads D C 0 1 dot domain dot local lowest available successfully created.
The LDAP provider has been created
Usually, you would have more than one LDAP provider to offer a level of resiliency.
A screenshot of a tab titled create L D A P provider group. It has 2 columns for included providers on the right and included providers on the left. L D A P providers have data for D C 0 1 dot domain C N = u c s-bind 389.
Creating an LDAP provider group
A screenshot of a tab titled create L D A P provider group. It has 2 columns for L D A P provider on the left and included providers on the right. Included providers have data for D C 0 1 dot domain dot local.
The LDAP provider group
A screenshot of a tab titled create L D P A provider. It has text that reads successfully created domain dot local.
The LDAP provider group has been created
A screenshot of a tab titled create L D A P group map. It has 2 columns for roles on the left and locales on the right. Admin is selected from the roles.
Creating an Admin LDAP Group Map
A screenshot of a tab titled create L D A P group map. It has 2 columns for roles on the left and locales on the right. Read-only is selected from the roles.
Creating a read-only LDAP Group Map
A screenshot of a tab. L D A P group maps is selected from the option bar. It has 2 columns and 2 rows. The column headers are name and roles.
The completed LDAP group mappings
A screenshot of a tab titled create a domain. The field entries for name is A D-domain dot local, web session refresh period sec is 600, and realm is L D a p.
Creating the authentication domain
The next time we log in, the UCS will first search the domain.local Active Directory for the user, before falling back to the local user account database on the UCS. If the user is not found in either Active Directory or the local database, then the login will be denied.
Hardening the Web Interface
By default, UCS will use a self-signed certificate (in the case of UCSPE, there is no certificate for the web interface). We can’t assign a certificate in UCSPE (as this is a closed-off playground), but we can run through the steps.
A screenshot of a tab titled trusted point. It has field entries for name is domain-C A and certificate chain is C A certificate goes here.
Creating the trust point
A screenshot of a tab titled key ring. It has field entries for name is my key ring and modulus is mod 2048.
Creating a key ring
A screenshot of a tab titled create certificate request. It has field entries for D N S is my u c s dot domain dot local, state is London, and country is UK. IP v 4 is selected at the bottom.
Creating the certificate request
A screenshot of a tab titled properties. It has field entries for name, modulus, and certificate status below the title. It has a tab titled request and I P v 4 menu is opened at the bottom.
The final certificate settings
We would (on a real-life system) then copy the certificate from the same page, and have this certificate signed by our certificate authority.
A screenshot of a tab. It has communication services selected from the option bar. It has tabs titled telnet and H T T P S. Below the H T T P S tab has field entries for key ring is key ring my key ring is selected.
Setting the key ring to be used for HTTPS GUI access
A screenshot of a tab titled H T T P. It has field entries for admin state is enabled, port is 80, operational port is 80, request timeout in seconds is 90, and redirect H T T P to H T T P S is enabled.
Redirecting HTTP to HTTPS
A screenshot of a tab titled telnet. It has a field entry for admin state is disabled.
Disabling Telnet
A screenshot of a tab titled H T T P S. It has field entries for admin state is enabled, port is 443, operational port is 443, and key ring is key ring default.
Hardening HTTPS
These settings should satisfy most PCI QSAs and security scans!
Summary
In this chapter, we secured access to our UCS system. In the next chapter, we will look at UCS troubleshooting.