Secure LPM: Live Partition Mobility with IPSec

In plain Live Partition Mobility (LPM), the memory contents of the source logical partition (LPAR) are transferred unprotected over the network. Secure LPM gives administrators the option to transfer the memory contents through an Internet Protocol Security (IPSec) tunnel. This article explains the steps to configure secure LPM and gives an overview of the available security profiles, each of which mandates the automatic creation of tunnels. It also covers the concepts, prerequisites, and hardware and software configuration, along with screen captures.


Tejaswini Kaujalgi (tejaswini@in.ibm.com), Staff Software Engineer, IBM

Photo of Tejaswini Kaujalgi Tejaswini Kaujalgi works as a Staff Software Engineer in the IBM AIX UPT Release team, Bangalore. She has been working on AIX, Oracle, IBM PowerHA®, Security, VIOS components on IBM Power Systems for more than six years at IBM India Software Labs. She has also worked on various customer configurations using Lightweight Directory Access Protocol (LDAP), Kerberos, role-based access control (RBAC), PowerHA and AIX on Power Systems. She has co-authored the IBM developerWorks® article on Introduction to PowerHA and Configuration of Oracle RAC 11g on IBM AIX using IBM GPFS 3.5. She has contributed to two IBM Redbooks® (Power Systems Enterprise Servers with PowerVM Virtualization and RAS and IBM CSM to IBM Systems Director Transformation Guide) on topics related to virtualization and high availability. She is an IBM certified Power Systems administrator.



27 March 2014

LPM allows users to migrate partitions that are running IBM® AIX® and Linux operating systems and their hosted applications from one physical server to another without disrupting the infrastructure services.

The IPSec framework provides a standardized way to implement security at the IP-packet level, giving a method to authenticate and encrypt data in transit. IPSec protocols secure network connections between IP addresses and port pairs. The secure connection is also known as a secure IP tunnel. IPSec protocols support data origin authentication, data integrity, data confidentiality, key management, and management of security associations.

The article is divided into the following subsections:

  1. Introduction to various security profiles
  2. Configuration of IPSec on VIOS
  3. LPM of an LPAR
  4. Manual creation of tunnels
  5. VIOS-level support
  6. Troubleshooting

1. Introduction to various security profiles

PowerSC helps to automate the configuration and monitoring of systems that must be compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2. The PowerSC security and compliance feature is an accurate and complete method of security configuration automation that is used to meet the IT compliance requirements of the Department of Defense (DoD) UNIX STIG, the PCI DSS, the Sarbanes-Oxley Act (SOX), COBIT compliance, and the Health Insurance Portability and Accountability Act (HIPAA).

The preconfigured compliance profiles delivered with the PowerSC Express Edition reduce the administrative workload of interpreting compliance documentation and implementing the standards as specific system configuration parameters. This technology reduces the cost of compliance configuration and auditing by automating the processes. IBM PowerSC Express Edition is designed to help manage the system requirements associated with external standards compliance, which can reduce costs and improve compliance.

The various profiles available are:

  • DoD STIG compliance
    The U.S. DoD requires highly secure computer systems. The level of security and quality that DoD defines matches the quality and customer base of AIX on IBM Power Systems™ servers.
  • PCI DSS compliance
    PCI DSS categorizes IT security into 12 sections that are called the 12 requirements and security assessment procedures.
  • SOX and COBIT compliance
    The Sarbanes-Oxley Act of 2002, passed by the 107th Congress of the United States of America, oversees the audit of public companies that are subject to the securities laws and related matters, in order to protect the interests of investors.
  • HIPAA
    HIPAA is a security profile that focuses on the protection of electronic protected health information.

2. Configuration of IPSec on VIOS

Applying any of the above profiles will mandate the creation of tunnels. But, before applying a profile, make sure that the PowerSC file sets are installed. We have mounted them on /mnt.

# cd /mnt
# installp -acgvYXd . all
# lslpp -l | grep powersc
powerscExp.ice.cmds        1.1.3.1  COMMITTED  ICE Express Security Extension
powerscExp.license         1.1.3.1  COMMITTED  PowerSC Express Edition
powerscExp.rtc.rte         1.1.3.1  COMMITTED  Real-Time Compliance
powerscExp.ice.cmds        1.1.3.1  COMMITTED  ICE Express Security Extension
powerscExp.rtc.rte         1.1.3.1  COMMITTED  Real-Time Compliance

Also, check whether the bos.net.ipsec* file sets are installed. If not, install them from the base media.

# lslpp -l | grep bos.net.ipsec
bos.net.ipsec.keymgt      6.1.9.15  APPLIED    IP Security Key Management
bos.net.ipsec.rte         6.1.9.15  APPLIED    IP Security
bos.net.ipsec.websm       6.1.9.15  APPLIED    IP Security WebSM
bos.net.ipsec.keymgt      6.1.9.15  APPLIED    IP Security Key Management
bos.net.ipsec.rte         6.1.9.15  APPLIED    IP Security
bos.net.ipsec.websm        6.1.9.0  COMMITTED  IP Security WebSM

After installing the file sets, perform the following steps for configuring IPSec on VIOS.

  1. Start the ike daemon group.
    # startsrc -g ike
    0513-059 The cpsd Subsystem has been started. Subsystem PID is 17498356.
    0513-059 The tmd Subsystem has been started. Subsystem PID is 15794340.
    0513-059 The iked Subsystem has been started. Subsystem PID is 21364778.
  2. Start IPSec by selecting smitty ipsec4 > Start/Stop IP Security > Start IP Security, and then press Enter.

    The following screen opens.

  3. The next step is to verify that ike is working. No tunnels exist yet at this point.
    # ike cmd=list
    No tunnels match your request.

    After we start the LPM, the tunnels will be created.

  4. Enable any one of the high, DoD, or PCI security profiles on both the source and the destination VIOS. The IPSec profiles are located in the /etc/security/aixpert/ path.

    Using the viosecure command, apply any one of the profiles.
    viosecure -file /etc/security/aixpert/custom/DoD.xml
    viosecure -file /etc/security/aixpert/custom/PCI.xml
    viosecure -file /etc/security/aixpert/custom/SOX-COBIT.xml
    viosecure -level high -apply

    All the above profiles mandate the creation of tunnels while LPM is being performed on any of the VIOS clients.

    In this example, let us apply the DoD profile.

    $ viosecure  -file /etc/security/aixpert/custom/DoD.xml
    Processing prereqlh :cached
    Processing prereqda :cached
    Processing prereqbinaudit :cached
    Processing prereqinetd :cached
    Processing dod_mvhostsfiles ....:done.
    Processing dod_chetcpasswd ....:done.
    Processing dod_logindodherald ....:done.
    Processing dod_autologoff ....:done.
    Processing dod_minlen .....:done.
    Processing dod_minalpha .....:done.
    Processing dod_maxrepeats .....:done.
    Processing dod_histsize .....:done.
    Processing dod_maxage .....:done.
    Processing dod_minage .....:done.
    Processing dod_loginretries .....:done.
    Processing dod_system .....:done.
    Processing dod_rootrlogin .....:done.
    Processing dod_logindelay .....:done.
    Processing dod_rmdotfrmpathvar .....:done.
    Processing dod_chdodftpusers ....:done.
    Processing dod_chetchostsfiles ....:done.
    Processing dod_chowndodfiles ....:done.
    Processing dod_dodaudit .:done.
    Processing dod_sndmailhelpfile ....:done.
    Processing dod_sndmailexpn ....:done.
    Processing dod_chsyslog ....:done.
    Processing dod_chsshd_config ....:done.
    Processing dod_chcronfiles ....:done.
    Processing dod_login ......:done.
    Processing dod_shell ......:done.
    Processing dod_telnet ......:done.
    Processing dod_ftp ......:done.
    Processing dod_uucp ......:done.
    Processing dod_exec ......:done.
    Processing dod_bcastping ......:done.
    Processing dod_ipsrcroutesend ......:done.
    Processing dod_ipsrcrouteforward ......:done.
    Processing dod_directed_broadcast ......:done.
    Processing dod_portcheck ...:done.
    Processing dod_log_inetd ...:done.
    Processing dod_fpmdodfiles ....:done.
    Processing dod_SecureLPM ...:done.
    Processedrules=38       Passedrules=38  Failedrules=0   Level=DoD
            	Input file=/etc/security/aixpert/custom/DoD.xml

    Each profile applies a set of rules to the system; the DoD profile above applied 38 rules successfully. After the profile is applied, most of the entries in the /etc/inetd.conf file are commented out, which disables those services. For example, after the DoD profile is applied, /etc/inetd.conf looks as shown below.

    # cat /etc/inetd.conf
    #ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
    #telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
    #shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd
    ##kshell stream  tcp     nowait  root    /usr/sbin/krshd        krshd
    #login   stream  tcp6    nowait  root    /usr/sbin/rlogind      rlogind
    ##klogin stream  tcp     nowait  root    /usr/sbin/krlogind     krlogind
    #exec    stream  tcp6    nowait  root    /usr/sbin/rexecd       rexecd
    ##comsat dgram   udp     wait    root    /usr/sbin/comsat       comsat
    ##uucp   stream  tcp     nowait  root    /usr/sbin/uucpd        uucpd
    ##bootps        dgram   udp     wait    root    /usr/sbin/bootpd       bootpd /etc/bootptab
    ###
    ### Finger, systat and netstat give out user information which may be
    ### valuable to potential "system crackers."  Many sites choose to disable
    ### some or all of these services to improve security.
    ###
    ##finger stream  tcp     nowait  nobody  /usr/sbin/fingerd     fingerd
    ##systat        stream  tcp     nowait  nobody  /usr/bin/ps           ps -ef
    ##netstat stream        tcp     nowait  nobody  /usr/bin/netstat      netstat -f inet
    ##
    ##tftp   dgram  udp6    SRC     nobody  /usr/sbin/tftpd         tftpd -n
    ##talk   dgram   udp     wait    root    /usr/sbin/talkd         talkd
    #ntalk   dgram   udp     wait    root    /usr/sbin/talkd         talkd
    ##
    ## rexd uses very minimal authentication and many sites choose to disable
    ## this service to improve security.
    ##
    ##rquotad  sunrpc_udp     udp     wait    root    /usr/sbin/rpc.rquotad rquotad 100011 1
    ##rexd   sunrpc_tcp     tcp     wait    root    /usr/sbin/rpc.rexd rexd 100017 1
    ##rstatd         sunrpc_udp     udp     wait    root    /usr/sbin/rpc.rstatd rstatd 100001 1-3
    ##rusersd sunrpc_udp    udp     wait    root    /usr/lib/netsvc/rusers/rpc.rusersd rusersd 100002 1-2
    ##rwalld         sunrpc_udp     udp     wait    root    /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1
    ##sprayd         sunrpc_udp     udp     wait    root    /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1
    ##pcnfsd         sunrpc_udp     udp     wait    root    /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2
    ##echo  stream  tcp     nowait  root    internal
    ##discard       stream  tcp     nowait  root    internal
    ##chargen       stream  tcp     nowait  root    internal
    #daytime        stream  tcp     nowait  root    internal
    #time   stream  tcp     nowait  root    internal
    ##echo  dgram   udp     wait    root    internal
    ##discard       dgram   udp     wait    root    internal
    ##chargen       dgram   udp     wait    root    internal
    #daytime        dgram   udp     wait    root    internal
    #time   dgram   udp     wait    root    internal
    ### The following line is for installing over the network.
    ##instsrv stream        tcp     nowait  netinst /u/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /u/netinst/scripts
    ##imap2 stream  tcp     nowait  root    /usr/sbin/imapd imapd
    ##pop3  stream  tcp     nowait  root    /usr/sbin/pop3d pop3d
    xmquery dgram   udp6    wait    root    /usr/bin/xmtopas xmtopas -p3
    caa_cfg stream  tcp6    nowait  root    /usr/sbin/clusterconf clusterconf >>/var/adm/ras/clusterconf.log 2>&1
    #wsmserver      stream  tcp     nowait  root    /usr/websm/bin/wsmserver wsmserver -start
    #ttdbserver     sunrpc_tcp      tcp     wait    root    /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1
    #dtspcd stream  tcp     nowait  root    /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
    #cmsd   sunrpc_udp      udp     wait    root    /usr/dt/bin/rpc.cmsd cmsd 100068 2-5
  5. After applying the profile, filter rules that are applicable to the tunnels are generated. You can list them using the lsfilt command.
    # lsfilt -v4 -a
    Beginning of IPv4 filter rules.
    Rule 1:
    *** Dynamic filter placement rule for IKE tunnels ***
    Logging control     : no
    
    Rule 2:
    Rule action         : permit
    Source Address      : 0.0.0.0
    Source Mask         : 0.0.0.0
    Destination Address : 0.0.0.0
    Destination Mask    : 0.0.0.0
    Source Routing      : yes
    Protocol            : all
    Source Port         : any 0
    Destination Port    : any 0
    Scope               : both
    Direction           : both
    Logging control     : no
    Fragment control    : all packets
    Tunnel ID number    : 0
    Interface           : all
    Auto-Generated      : no
    Expiration Time     : 0
    Description         :
    
    End of IPv4 filter rules.
    Dynamic rule 0:
    Rule action         : permit
    Source Address      : 0.0.0.0
    Source Mask         : 0.0.0.0
    Destination Address : 0.0.0.0
    Destination Mask    : 0.0.0.0
    Source Routing      : no
    Protocol            : udp
    Source Port         : 0-0
    Destination Port    : 500-500
    Scope               : both
    Direction           : both
    Fragment control    : all packets
    Tunnel ID number    : 0
    
    Dynamic rule 1:
    Rule action         : permit
    Source Address      : 0.0.0.0
    Source Mask         : 0.0.0.0
    Destination Address : 0.0.0.0
    Destination Mask    : 0.0.0.0
    Source Routing      : no
    Protocol            : ah
    Source Port         : 0-0
    Destination Port    : 0-0
    Scope               : both
    Direction           : inbound
    Fragment control    : all packets
    Tunnel ID number    : 0
    
    Dynamic rule 2:
    Rule action         : permit
    Source Address      : 0.0.0.0
    Source Mask         : 0.0.0.0
    Destination Address : 0.0.0.0
    Destination Mask    : 0.0.0.0
    Source Routing      : no
    Protocol            : esp
    Source Port         : 0-0
    Destination Port    : 0-0
    Scope               : both
    Direction           : inbound
    Fragment control    : all packets
    Tunnel ID number    : 0
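The steps above leave three things to verify on each VIOS before an LPM is attempted: the IP Security file sets are installed, the ike daemon group is running, and the dynamic filter rules permit IKE (udp/500), AH and ESP. The following script is an added example, not part of the article or of any IBM tool; it parses the output of lslpp, lssrc -g ike and lsfilt -v4 -a as shown in this section. The SAMPLE_* strings are constructed from the article's listings so the script runs offline; on a real VIOS feed it the live command output instead.

```shell
#!/bin/sh
# Added example, not part of the article or of any IBM tool: an offline
# pre-flight check for the VIOS-side prerequisites of secure LPM.
# The three SAMPLE_* strings are constructed from the listings in the article
# (lslpp, lssrc -g ike and the dynamic rules of lsfilt -v4 -a) so that the
# script runs without a VIOS.

SAMPLE_LSLPP='bos.net.ipsec.keymgt      6.1.9.15  APPLIED    IP Security Key Management
bos.net.ipsec.rte         6.1.9.15  APPLIED    IP Security'

SAMPLE_LSSRC='Subsystem         Group            PID         Status
 cpsd             ike             10420226     active
 tmd              ike             11010142     active
 iked             ike             5963942      active'

# Only the fields the check needs are kept from each dynamic rule.
SAMPLE_LSFILT='Dynamic rule 0:
Rule action         : permit
Protocol            : udp
Destination Port    : 500-500
Dynamic rule 1:
Rule action         : permit
Protocol            : ah
Dynamic rule 2:
Rule action         : permit
Protocol            : esp'

# check_filesets LSLPP_OUTPUT: both the IP Security key-management and the
# runtime file sets must be present in APPLIED or COMMITTED state.
check_filesets() {
    printf '%s\n' "$1" | awk '
        $1 == "bos.net.ipsec.keymgt" && ($3 == "APPLIED" || $3 == "COMMITTED") { k = 1 }
        $1 == "bos.net.ipsec.rte"    && ($3 == "APPLIED" || $3 == "COMMITTED") { r = 1 }
        END { exit (k && r) ? 0 : 1 }'
}

# check_ike_daemons LSSRC_OUTPUT: cpsd, tmd and iked of the ike group must all
# be active, otherwise no tunnel can be negotiated when LPM starts.
check_ike_daemons() {
    printf '%s\n' "$1" | awk '
        $2 == "ike" && $4 == "active" { seen[$1] = 1 }
        END { exit (seen["cpsd"] && seen["tmd"] && seen["iked"]) ? 0 : 1 }'
}

# check_dynamic_rules LSFILT_OUTPUT: the dynamic filter rules must permit IKE
# (udp to port 500), AH and ESP; if any of them is missing the tunnel traffic
# is stopped at the filter before the memory transfer can begin.
check_dynamic_rules() {
    printf '%s\n' "$1" | awk -F': *' '
        /^Dynamic rule/          { action = ""; proto = ""; port = "" }
        $1 ~ /^Rule action/      { action = $2 }
        $1 ~ /^Protocol/         { proto  = $2 }
        $1 ~ /^Destination Port/ { port   = $2 }
        action == "permit" && proto == "udp" && port == "500-500" { ike = 1 }
        action == "permit" && proto == "ah"  { ah  = 1 }
        action == "permit" && proto == "esp" { esp = 1 }
        END { exit (ike && ah && esp) ? 0 : 1 }'
}

# secure_lpm_preflight LSLPP LSSRC LSFILT: run all checks, print one verdict
# line each and return the number of failed checks (0 means ready).
secure_lpm_preflight() {
    failed=0
    if check_filesets "$1"; then echo "ipsec file sets : ok"
    else echo "ipsec file sets : bos.net.ipsec.keymgt/rte missing"; failed=$((failed + 1)); fi
    if check_ike_daemons "$2"; then echo "ike daemons     : ok"
    else echo "ike daemons     : cpsd/tmd/iked not all active (startsrc -g ike)"; failed=$((failed + 1)); fi
    if check_dynamic_rules "$3"; then echo "filter rules    : ok"
    else echo "filter rules    : IKE/AH/ESP not permitted by dynamic rules"; failed=$((failed + 1)); fi
    return $failed
}

# Stand-alone run over the constructed samples; on a VIOS use
#   secure_lpm_preflight "$(lslpp -l | grep bos.net.ipsec)" "$(lssrc -g ike)" "$(lsfilt -v4 -a)"
secure_lpm_preflight "$SAMPLE_LSLPP" "$SAMPLE_LSSRC" "$SAMPLE_LSFILT"
```

Run it on both the source and the destination VIOS: a tunnel is negotiated between the two, so a missing daemon or filter rule on either side shows up as an LPM failure that the HMC reports only indirectly.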

3. LPM of an LPAR

After the profiles are applied on the VIOS instances and LPM of a VIOS client is initiated, the tunnels are created on the source and destination VIOS.

Perform the following steps to validate partition mobility.

1. Select the LPAR and then click Operations > Mobility > Validate.


2. After the validation is successful, start the migration. You can also use the command line to validate or migrate an LPAR. For more information about LPM, refer to the Basic understanding and troubleshooting of LPM article.

To validate:

migrlpar -o v -m [source cec] -t [target cec] -p [lpar to migrate] \
    --ip [target hmc] -u [remote user]

To migrate:

migrlpar -o m -m [source cec] -t [target cec] -p [lpar to migrate] \
    --ip [target hmc] -u [remote user]

After the migration starts, you can verify the tunnel creation on the source and the destination VIOS using the ike command.

You can use the ike command to start, stop, and monitor IP Security dynamic tunnels using the Internet Key Exchange (IKE) protocol. IP Security tunnels protect IP traffic by authenticating and encrypting IP data. The ike command performs several functions. It can activate, remove, or list IKE and IP Security tunnels.

The IKE negotiation occurs in two phases. The first phase authenticates the two parties and sets up a key management (also known as phase 1) security association for protecting the data that is passed during the negotiation. In this phase, the key management policy is used to secure the negotiation messages. The second phase negotiates data management (also known as the phase 2) security association, which uses the data management policy to set up IP Security tunnels in the kernel for encapsulating and decapsulating data packets. The secure channel established in phase 1 can be used to protect multiple data management negotiations between two hosts.

Source VIOS:

As soon as the LPM command is issued, the tunnels are created. As shown below, they start in the negotiating state.

#ike cmd=list
Phase  Tun Id  Status      Local Id                        Remote Id
1      1       Negotiating N/A                             10.33.7.73
2      1       Initial     10.33.0.89-10.33.0.89           10.33.7.73-10.33.7.73

After the negotiating state, the tunnels move to the active state.

#ike cmd=list
Phase  Tun Id  Status      Local Id                        Remote Id
1      1       Active      10.33.0.89                      10.33.7.73
2      1       Active      10.33.0.89-10.33.0.89           10.33.7.73-10.33.7.73

After the LPM is complete, the tunnels are automatically deleted.

#ike cmd=list
No tunnels match your request.

Destination VIOS:

On the destination VIOS, the tunnels move directly to the active state.

#ike cmd=list
Phase  Tun Id  Status      Local Id                        Remote Id
1      1       Active      10.33.7.73                      10.33.0.89
2      1       Active      10.33.7.73-10.33.7.73           10.33.0.89-10.33.0.89

After LPM is complete, all the tunnels are removed.

#ike cmd=list
No tunnels match your request.
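The listings above show the tunnel pair passing through three states on the source VIOS: absent, negotiating (phase 1 Negotiating, phase 2 Initial), and Active for both phases, then absent again once the migration completes. The following script is an added example, not part of the article or of any IBM tool; it parses `ike cmd=list` output into that state for a given peer and polls until both phases are Active, which is the point at which memory can move inside the tunnel. The SAMPLE_* listings are constructed from the article's examples (local VIOS 10.33.0.89, remote VIOS 10.33.7.73) so it runs offline; demo_ike_list stands in for the real command.

```shell
#!/bin/sh
# Added example, not part of the article or of any IBM tool: parse the output
# of `ike cmd=list` and report the state of the IKE tunnel pair (phase 1 and
# phase 2) to a given peer, then poll until both phases are Active.
# The SAMPLE_* listings are constructed from the article's examples
# (local VIOS 10.33.0.89, remote VIOS 10.33.7.73) so the script runs offline.

SAMPLE_NONE='No tunnels match your request.'

SAMPLE_NEGOTIATING='Phase  Tun Id  Status      Local Id                        Remote Id
1      1       Negotiating N/A                             10.33.7.73
2      1       Initial     10.33.0.89-10.33.0.89           10.33.7.73-10.33.7.73'

SAMPLE_ACTIVE='Phase  Tun Id  Status      Local Id                        Remote Id
1      1       Active      10.33.0.89                      10.33.7.73
2      1       Active      10.33.0.89-10.33.0.89           10.33.7.73-10.33.7.73'

# tunnel_state LISTING REMOTE: prints
#   none        - no tunnel to REMOTE in the listing (before LPM starts, or
#                 after it completes and the tunnels are deleted)
#   negotiating - a tunnel to REMOTE exists but phase 1 or phase 2 is not Active
#   active      - both phases to REMOTE are Active
tunnel_state() {
    printf '%s\n' "$1" | awk -v remote="$2" '
        /No tunnels match/ { next }
        $1 == "Phase"      { next }      # column header, may repeat in output
        {
            # Phase 1 rows carry a bare address in the Remote Id column, phase 2
            # rows carry an address range a-b; the first element names the peer.
            split($5, r, "-")
            if (r[1] != remote) next
            seen[$1] = 1
            if ($3 == "Active") active[$1] = 1
        }
        END {
            if (!seen[1] && !seen[2]) print "none"
            else if (active[1] && active[2]) print "active"
            else print "negotiating"
        }'
}

# wait_for_active_tunnel LISTER REMOTE ATTEMPTS: LISTER is a command (here a
# shell function) that prints `ike cmd=list` output. Poll it once per second,
# up to ATTEMPTS times, and return 0 as soon as both phases are Active, 1 on
# timeout. A final state of "none" after the migration was issued means the
# tunnel was never negotiated; "negotiating" means IKE is still in progress.
wait_for_active_tunnel() {
    lister=$1; remote=$2; attempts=$3
    state=none
    while [ "$attempts" -gt 0 ]; do
        state=$(tunnel_state "$($lister)" "$remote")
        if [ "$state" = "active" ]; then
            return 0
        fi
        attempts=$((attempts - 1))
        if [ "$attempts" -gt 0 ]; then
            sleep 1
        fi
    done
    echo "tunnel to $remote not active, last state: $state" >&2
    return 1
}

# Offline stand-in for the real lister; on a VIOS use
#   real_ike_list() { ike cmd=list; }
demo_ike_list() { printf '%s\n' "$SAMPLE_ACTIVE"; }

# Stand-alone demonstration over the constructed samples.
tunnel_state "$SAMPLE_NEGOTIATING" 10.33.7.73
tunnel_state "$SAMPLE_ACTIVE" 10.33.7.73
wait_for_active_tunnel demo_ike_list 10.33.7.73 3 && echo "tunnel to 10.33.7.73 is up"
```

The parser keys on the Remote Id column rather than on the tunnel number, because the listing is repeated verbatim on some systems (as in the destination output above) and tunnel IDs are reused across migrations; a peer address is the stable identifier.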

4. Manual creation of tunnels

When the source is at a level where automatic tunneling is supported (AIX 7.1 TL2 and AIX 6.1 TL8) and the destination is at a level where automatic tunneling is not supported (below AIX 7.1 TL2 or AIX 6.1 TL8), you need to create manual tunnels at the destination.

An IKE tunnel can be created using smitty ike4 or smitty ike6, or from the command line with the ike command. The ikedb command allows users to retrieve, update, delete, import, and export information in the IKE database using an XML interface.


5. Different levels of VIOS

  1. One end point Mover Service Partition (MSP) is at older level.

    Tunnels would not be created automatically. If the source MSP needs IPSec tunnels as per the applied profile, then a manual tunnel must exist. Otherwise, LPM will fail.

  2. Source MSP has any of high / DOD / PCI security profiles applied but destination does not have any of these profiles applied.

    Tunnels would be created automatically. If tunnel creation fails, LPM fails.

  3. Destination MSP has high/DOD/PCI security profile applied, but source does not have any of these profiles applied.

    Tunnels would not be created. LPM would continue.


6. Troubleshooting

  • Use the lssrc command to see the status of the IP Security daemons.
    # lssrc -g ike
    Subsystem         Group            PID         Status
     cpsd             ike             10420226     active
     tmd              ike             11010142     active
     iked             ike             5963942      active
  • Use the lsdev command to see if the IP Security devices are available.
    # lsdev -Cc ipsec
  • Set up logging to help debug the issue further. To do so, add the following entry to /etc/syslog.conf.
    local4.debug /var/adm/ipsec.log

    The local4 facility is used to record traffic and IP Security events.

  • Refresh syslogd.
    # refresh -s syslogd
