User manual NOVELL IFOLDER 3.X SECURITY ADMINISTRATOR GUIDE 08-15-2006

[. . . ] Novell iFolder 3. x Security Administrator Guide novdocx (ENU) 01 February 2006 Novell ® iFolder 3. x SECURITY ADMINISTRATOR GUIDE August 15, 2006 www. novell. com novdocx (ENU) 01 February 2006 Legal Notices Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] For information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To (http://httpd. apache. org/docs/2. 0/ssl/ssl_howto. html) on the Apache. org Web site. 2. 8 Installing Trusted Roots and Certifications on the iFolder server You should manually install the trusted roots and the directory public key out-of-band. For information, see "Managing SSL Certificates for Apache" in the Novell iFolder 3. x Administration Guide. 2. 9 Installing Server Certificates from a Known Certificate Authority You should use valid certificates for both the Apache server and the communication between the Simias server and the Simias client daemon. Simias is the technology underpinning your iFolder server and client software. You should have the server pubic key signed by a known Certificate Security Best Practices for Novell iFolder 3. x 13 novdocx (ENU) 01 February 2006 Authority (CA). For information, see "Generating an SSL Certificate for the Server" in the Novell iFolder 3. x Administration Guide. 2. 10 Using a Shared Certificate in iFolder Clusters For a cluster where all of the nodes are acting like the same machine when they are taking their turn hosting, the user should have a single certificate (for the highly available IP address) that all of the nodes in the cluster share. For information, see "Configuring Apache to Point to an SSL Certificate on a Shared Volume for an iFolder Cluster" in the Novell iFolder 3. x Administration Guide. 2. 11 Ensuring Privilege Separation for the iFolder Proxy User The iFolder Proxy user is a proxy user identity used to access the LDAP server with Read access to retrieve a list of authorized users. The proxy user is automatically created during the iFolder enterprise server configuration in YaST. The username is autogenerated to be unique on the system. For most deployments, this username should never change. The iFolder Admin user or equivalent can use the iFolder 3. x iManager plug-in to change the iFolder Proxy user identity in the LDAP settings for the iFolder server. Make sure that the user account assigned as the iFolder Proxy user is different than the one used for the iFolder Admin user and other system users. Separating the proxy user from the administrator provides privilege separation. The proxy user password is stored briefly in the /opt/novell/ifolder3/etc/simiasserver-bootstrap. config on the iFolder server after configuring the iFolder enterprise server and before the iFolder service is started for the first time. The restart of Apache is forced at the end of the configuration process, which starts the iFolder service. During the initial startup, the iFolder process reads the simias-server-bootstrap. config file, stores the password in reversible encrypted format in the server's Simias database, and then removes the password from the file. For information, see "Admin User Considerations" in the Novell iFolder 3. x Administration Guide. For information about modifying the password, see the iFolder Proxy User setting in "Modifying the iFolder LDAP Settings" in the Novell iFolder 3. x Administration Guide. 2. 12 Securing the iFolder Proxy User Password The iFolder Proxy user's password is used to authenticate the iFolder Proxy user to the LDAP server when iFolder synchronizes users for the iFolder user list. When you initially configure the iFolder enterprise server in YaST, iFolder autogenerates a password for the iFolder proxy user, using the BASH random number generator for a number between 0 and 10, 000. Initially, the password for the iFolder Proxy user is stored in clear text in the /opt/novell/ifolder3/etc/simias-server-bootstrap. config file. At the end of the configuration process, the system reboots Apache 2 and starts iFolder. When iFolder runs this first time after configuration, the iFolder process copies the simias-server-bootstrap. config file to the Simias. config file. The default location of the Simias. config file is /var/lib/wwwrun/ . local/share/simias directory or the /home/wwwrun/. local/share/simias directory. [. . . ] · Limit, as much as is possible, who can attach to a wireless network. For example, using MAC address filtering is practical for small networks, but it is a time-consuming administrative effort for large networks. · Use an anonymous Service Set Identifier (SSID) by turning off the SSID broadcast for access points. 4. 5 Creating Strong Passwords Make sure to employ security best practices for passwords, such as the following: · Length: The minimum recommended length is 6 characters. A secure password is at least 8 characters; longer passwords are better. [. . . ]