IBM Support

NIMSH over SSL

Question & Answer


Question

How do I set up secure NIMSH (NIMSH over SSL) as the communication protocol in a NIM environment, so that NIM push operations use an encrypted authentication handshake?

Answer

NIMSH over SSL


This is a guide intended for those who are well versed in NIM and would like to add an extra layer of security to their environment.

References:

Here’s a list of useful NIM documents you might want to read before continuing with this:

1. NIM Setup Guide

http://www-01.ibm.com/support/docview.wss?uid=isg3T1010383

2. NIM Communications in a Firewall Environment

http://www-01.ibm.com/support/docview.wss?uid=isg3T1011808

3. NIM Alternate Master Configuration / Applications

http://www-01.ibm.com/support/docview.wss?uid=isg3T1012143

4. IBM Redbook – NIM A-Z

http://www.redbooks.ibm.com/abstracts/sg247296.html?Open

 

Introduction


The nimsh method can be extended to use Secure Sockets Layer (SSL) key-based trusted authentication.
This functionality depends on OpenSSL software being installed on both the master and client systems.

Note:
OpenSSL is provided as an install package on the AIX 6.1 base media starting with AIX 6.1 TL3.
The filesets are openssl.base, openssl.license and openssl.man.en_US.

Any communication initiated from the NIM client (a pull operation) reaches the NIM master on the request-for-services and registration ports (1058 and 1059, respectively). This communication is not encrypted. For any communication initiated from the NIM master (a push operation), the master talks to the client through the NIMSH daemon, which allows an encrypted handshake dialog during authentication. The data packets that follow the handshake are not encrypted.

In other words, only push operations can use secure NIMSH, and even then only the authentication handshake between the NIM master and its clients is encrypted; the payload itself is still sent in the clear.

All the testing has been performed in the following test environment:
NIM master – AIX 7.1 TL4 SP2, openssl version 1.0.1.516
NIM client – AIX 7.1 TL4 SP2, openssl version 1.0.1.516


Requirements

1. Must install OpenSSL software on both the NIM master and the NIM client.

2. NIMSH must be active on the NIM master. To verify:

# lssrc -s nimsh
Subsystem         Group            PID          Status
 nimsh            nimclient        6685140      active

If the subsystem is inactive, you can start it with:

# startsrc -s nimsh
0513-059 The nimsh Subsystem has been started. Subsystem PID is 3801250.

3. Install the OpenSSL filesets on the NIM master first, then use NIM to install them on the clients.

4. If you have an lpp_source for AIX 6.1 TL3 or higher that was created from DVD media with the -a packages=all option, you most likely already have the filesets in the lpp_source. To verify:

# nim -o showres <name of lpp_source> | grep openssl


Installing OpenSSL from an lpp_source

If any of the NIM clients do not have the following filesets, you can install them from a base media lpp_source at the same level as the NIM client:

openssl.base
openssl.license
openssl.man.en_US

You can install the filesets from the base media lpp_source on the NIM Master with:
# nim -o cust -a lpp_source=<base lpp_source> -a accept_licenses=yes -a filesets="openssl.base openssl.license openssl.man.en_US" <NIM client>

 

Configuring OpenSSL on the NIM Master

1. Invoke SMIT with the smitty nim_ssl fast path.

The only option you need to change is Enable Cryptographic Authentication (press F4 and select Enable).


Once the SSL configuration finishes, verify that Cryptographic Authentication has been enabled by running:
# lsnim -l master | grep ssl
ssl_support = yes

If Cryptographic Authentication has not been enabled, the ssl_support attribute will not be present in the lsnim output at all.


SSL Certificate Options

When SSL is configured on the master, the /ssl_nimsh directory structure is created containing the keys and certificates.
The /ssl_nimsh folder will have three subfolders: certs, configs, keys.

(Optional)
If you want to change certificate options, edit the files in /usr/samples/nim/ssl before configuring SSL on the master:
- SSL_root.cnf – Generates Certificate Authority key for signing certificates
- SSL_server.cnf – Generates the NIM master’s certificate for distributing to clients.
- SSL_client.cnf – Generates the NIM master’s local certificate for authenticating.


Certificates and Keys on the NIM Master

The certificates and keys are generated and stored in the directory hierarchy mentioned under SSL Certificate Options.

The folders are the following:

/ssl_nimsh/configs – Contains the scripts used to configure SSL in NIM.

/ssl_nimsh/certs – Contains the NIM master's SSL certificates used during host authentication.

/ssl_nimsh/keys – Contains the key file that the NIM master uses to establish SSL communication with a client.


Configuring OpenSSL on the NIM Client

Once SSL has been configured on the NIM master, the NIM client can be configured correctly for cryptographic authentication.

During the configuration of the client, a certificate is transferred from the NIM master using tftp and stored under /ssl_nimsh/certs directory on the client.

If the NIM client is already configured to communicate with the NIM master using NIMSH, SSL can be enabled by simply running the following command on the NIM client:
# nimclient -c


If the client is still using the default shell (rsh) connect method, you can switch it to NIMSH with cryptographic authentication through the SMIT fast path:
# smitty nim_config_services


Press F4 to change the following options:
Communication Protocol used by client [] << Select nimsh
Enable Cryptographic Authentication [disable] << Change to Enable


Quick Command Reference

1. Must configure SSL on the NIM master first.

2. Ensure that tftp is enabled on the NIM master:
# grep tftp /etc/inetd.conf
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd tftpd -n    << make sure this line is not commented

# lssrc -t tftp
Service         Command                 Description     Status
 tftp           /usr/sbin/tftpd         tftpd -n        active

To configure NIMSH over SSL on the NIM client, first verify that the client's communication protocol is set to NIMSH.

From the NIM master:
# lsnim -l <name of client> | grep connect
connect = nimsh << NIMSH

Or

connect = shell << RSH

If the connect method for your NIM client is still RSH (shell), you can change it to NIMSH with the following commands on the NIM client:
# mv /etc/niminfo /etc/niminfo.old
# niminit -a master=<name of master> -a name=<name of client> -a connect=nimsh

Once the communication protocol is set to NIMSH, verify that the nimsh subsystem is running on the NIM client and then run nimclient -c to enable SSL:
# lssrc -s nimsh
# nimclient -c

x - /usr/lib/libssl.so.0.9.8
x - /usr/lib/libcrypto.so.0.9.8
Received 2788 Bytes in 0.0 Seconds
0513-044 The nimsh Subsystem was requested to stop.
0513-077 Subsystem has been changed.
0513-059 The nimsh Subsystem has been started. Subsystem PID is 4653142.


If your NIM client had been using RSH as its communication protocol, you can now remove the .rhosts file, as it is no longer needed.

Once this is done, try a NIM push operation, for example displaying the bos.mp64 fileset installed on the NIM client:
# nim -o lslpp <name of client> | grep mp64

You can now verify that the communication protocol is set to secure nimsh:

# lsnim -l <client> | grep connect
connect = nimsh (secure)

You can also see the SSL handshake in the NIM client's /var/adm/ras/nimsh.log file. If the communication protocol is plain NIMSH (without SSL), the OpenSSL setting recorded in that log will be 0.

Your environment has now been set up to add an encrypted handshake between the NIM master and the NIM client during a push operation.

If at any time you wish to disable SSL Cryptographic Authentication for NIM master push operations, run the following command on the NIM client:

# nimclient -C
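
The checks in the Requirements section, the master verification and the Quick Command Reference above can be scripted. The following POSIX sh script is an added example, not part of the IBM page or of NIM itself. It assumes a NIM master with lsnim and nim in PATH, a master object named master, that the first column of lsnim -t standalone is the client name, and the lsnim/showres/inetd.conf output formats shown on this page; each parser reads captured text on stdin, so it can be exercised without a NIM master.

```shell
#!/bin/sh
# Pre-flight and audit helpers for NIMSH over SSL (added example, not from the
# IBM page). Assumed: a NIM master with lsnim/nim in PATH and a master object
# named "master"; the parsing functions work on captured command output.

# missing_openssl_filesets: read "nim -o showres <lpp_source>" output on stdin
# and print which of the three required OpenSSL filesets are absent.
missing_openssl_filesets() {
    awk '
        BEGIN { need["openssl.base"] = 1; need["openssl.license"] = 1; need["openssl.man.en_US"] = 1 }
        ($1 in need) { delete need[$1] }
        END { for (f in need) print f }
    ' | sort
}

# master_ssl_enabled: read "lsnim -l master" output on stdin; succeed only when
# "ssl_support = yes" is present (the attribute is absent when SSL was never enabled).
master_ssl_enabled() {
    awk '$1 == "ssl_support" && $3 == "yes" { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# tftp_enabled: read /etc/inetd.conf on stdin; succeed when an uncommented tftp
# service line exists. "nimclient -c" fetches the master certificate over tftp.
tftp_enabled() {
    grep -q '^[[:space:]]*tftp[[:space:]]'
}

# classify_connect: read "lsnim -l <client>" output on stdin and print one of
#   secure  -> connect = nimsh (secure)   SSL handshake enabled
#   nimsh   -> connect = nimsh            NIMSH without SSL
#   shell   -> connect = shell            rsh, relies on .rhosts
#   unknown -> no connect attribute found
classify_connect() {
    awk '
        $1 == "connect" && $2 == "=" {
            if ($3 == "nimsh" && $4 == "(secure)") { print "secure"; found = 1 }
            else if ($3 == "nimsh") { print "nimsh"; found = 1 }
            else if ($3 == "shell") { print "shell"; found = 1 }
        }
        END { if (!found) print "unknown" }
    '
}

# audit_clients: on a live master, check the master prerequisites and report
# every standalone client that is not yet on secure NIMSH, with the next step.
audit_clients() {
    lsnim -l master | master_ssl_enabled ||
        printf 'master: ssl_support missing; run smitty nim_ssl (or nimconfig -c) first\n'
    tftp_enabled </etc/inetd.conf ||
        printf 'master: tftp is commented out in /etc/inetd.conf\n'
    for c in $(lsnim -t standalone | awk '{ print $1 }'); do
        case $(lsnim -l "$c" | classify_connect) in
            secure) printf '%s: secure nimsh (OK)\n' "$c" ;;
            nimsh)  printf '%s: nimsh without SSL; run "nimclient -c" on the client\n' "$c" ;;
            shell)  printf '%s: rsh; re-run niminit with -a connect=nimsh, then "nimclient -c"\n' "$c" ;;
            *)      printf '%s: connect attribute not found; check "lsnim -l %s"\n' "$c" "$c" ;;
        esac
    done
}

# Run against the live master when there is one; otherwise exercise the parsers
# on constructed sample output (these sample lines are made up for the demo).
if command -v lsnim >/dev/null 2>&1; then
    audit_clients
else
    printf 'connect = nimsh (secure)\n' | classify_connect                            # secure
    printf 'connect = shell\n' | classify_connect                                     # shell
    printf 'openssl.base 1.0.1.516\nopenssl.license 1.0.1.516\n' | missing_openssl_filesets
fi
```

Copy the script to the NIM master and run it as root; any client reported as nimsh or shell is still reachable without the encrypted handshake and should be converted with the steps listed above.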


Known Issues

1. create BIO hang

When the NIM master is updated (technology level/service pack update), any NIM push commands will hang indefinitely and the NIM client's /var/adm/ras/nimsh.log file will show the hang occurring on:

2017 Loading certificates..
2017 Negotiating SSL_CTX object using SSLv23_method
2017 Loading private key file..
2017 create BIO

NIMSH will hang on key exchanges. To fix this, you need to recycle the certificates on the NIM master and restart the cryptographic authentication on the NIM client:

From the NIM master:

# cd /
# nimconfig -C
# mv ssl_nimsh ssl_nimsh_old
# nimconfig -c

From the NIM client:

# nimclient -C
# nimclient -c

Once the certificates are refreshed, the communication will work.

2. Error connecting to SSL object

Another known issue comes up when updating the OpenSSL filesets from AIX 7.1 TL2 to TL3, which breaks the secure NIMSH connection between the master and the client.

The problem comes from updating OpenSSL from version 0.9.8.2400 to 1.0.1.500 on the NIM client.

In the test case the NIM client had OpenSSL version 0.9.8.2400 installed.

When secure NIMSH is started from the client side, two files are created:
/usr/lib/libssl.so.0.9.8
/usr/lib/libcrypto.so.0.9.8

And # lsnim -l <client> from the NIM master shows connect = nimsh (secure).

Issuing a simple NIM push operation, like # nim -o lslpp <client name>, works just fine.

However, after OpenSSL is updated to version 1.0.1.500, the push operation fails.

The solution is to delete the two files that were created when nimclient -c was run, and then rerun nimclient -c to refresh them.

From the NIM client:

# rm /usr/lib/libssl.so.0.9.8
# rm /usr/lib/libcrypto.so.0.9.8

# nimclient -c

This issue has been addressed in APAR IV58877.
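
Both known issues leave a recognisable trace on the client, so they can be detected before anyone waits on a hung push. The following POSIX sh script is an added example, not part of the IBM page or of NIM. It assumes the client log is /var/adm/ras/nimsh.log and the legacy libraries are /usr/lib/libssl.so.0.9.8 and /usr/lib/libcrypto.so.0.9.8 (both as stated above), and that lslpp -Lqc openssl.base prints the fileset level in the third colon-separated field; the sample log it runs on is constructed from the four lines quoted in known issue 1.

```shell
#!/bin/sh
# Detectors for the two known issues above (added example, not from the IBM
# page). Assumed: client log at /var/adm/ras/nimsh.log, legacy libraries at
# /usr/lib/libssl.so.0.9.8 and /usr/lib/libcrypto.so.0.9.8, and that
# "lslpp -Lqc openssl.base" prints the fileset level in colon field 3.

# bio_hang_signature: read nimsh.log text on stdin; succeed when the last
# non-empty line is the "create BIO" step, i.e. the handshake stopped right
# after loading the private key (the signature of known issue 1).
bio_hang_signature() {
    awk 'NF { last = $0 } END { if (last ~ /create BIO/) exit 0; exit 1 }'
}

# stale_ssl_libs <openssl.base level> <libdir>: succeed when OpenSSL is past
# 0.9.8 but the 0.9.8 libraries copied in by "nimclient -c" are still present
# (known issue 2). On a 0.9.8.x client those files are expected, not stale.
stale_ssl_libs() {
    case $1 in
        0.9.8*) return 1 ;;
    esac
    [ -e "$2/libssl.so.0.9.8" ] || [ -e "$2/libcrypto.so.0.9.8" ]
}

# check_client: run both detectors on a live NIM client and print the
# remediation given above for each issue that is found.
check_client() {
    if [ -r /var/adm/ras/nimsh.log ] && bio_hang_signature </var/adm/ras/nimsh.log; then
        printf 'nimsh.log ends at "create BIO": on the master run nimconfig -C, move /ssl_nimsh aside, then nimconfig -c; on this client run nimclient -C and nimclient -c\n'
    fi
    level=$(lslpp -Lqc openssl.base 2>/dev/null | cut -d: -f3)
    if stale_ssl_libs "$level" /usr/lib; then
        printf 'openssl.base is %s but 0.9.8 libraries remain in /usr/lib: remove them, then nimclient -c (see APAR IV58877)\n' "$level"
    fi
}

# Constructed nimsh.log excerpt: the four lines quoted under known issue 1.
SAMPLE_HANG_LOG='2017 Loading certificates..
2017 Negotiating SSL_CTX object using SSLv23_method
2017 Loading private key file..
2017 create BIO'

if command -v nimclient >/dev/null 2>&1; then
    check_client
else
    # No NIM client on this host: demonstrate the detector on the sample log.
    if printf '%s\n' "$SAMPLE_HANG_LOG" | bio_hang_signature; then
        printf 'sample log matches the create BIO hang signature\n'
    fi
fi
```

Run it on the NIM client after a master update or an OpenSSL fileset update; a clean run prints nothing, so it can also be scheduled from cron and its output forwarded.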

Thank you for the time to read through this guide. I hope you found the information both useful and helpful. If you feel there are any mistakes or inconsistencies, please email me at ted.todorov@bg.ibm.com. If there are any technical questions regarding this document, please follow support procedures and open a PMR by calling 1-800-426-7378, and select the option for software support.


Document Information

Modified date:
07 August 2020

UID

isg3T1024615