LPM allows users to migrate partitions that are running IBM® AIX® and Linux operating systems and their hosted applications from one physical server to another without disrupting the infrastructure services.
The framework for IPSec provides a standardized way to implement security at the IP-packet level, providing a method to implement and encrypt data. IPSec protocols secure network connections between IP addresses and port pairs. The secure connection is alternatively known as secure IP tunnel. IPSec protocols support data origin authentication, data integrity, data confidentiality, key management, and management of security associations.
The article is divided into the following subsections:
- Introduction to various security profiles
- Configuration of IPSec on VIOS
- LPM of an LPAR
- Manual creation of tunnels
- VIOS-level support
1. Introduction to various security profiles
PowerSC helps to automate the configuration and monitoring of systems that must be compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2. Therefore, PowerSC security and compliance feature is an accurate and complete method of security configuration automation that is used to meet the IT compliance requirements of the Department of Defence (DoD) UNIX STIG, the PCI DSS, the Sarbanes-Oxley Act (SOX), COBIT compliance, and the Health Insurance Portability and Accountability Act (HIPAA).
The preconfigured compliance profiles delivered with the PowerSC Express Edition reduce the administrative workload of interpreting compliance documentation and implementing the standards as specific system configuration parameters. This technology reduces the cost of compliance configuration and auditing by automating the processes. IBM PowerSC Express Edition is designed to help effectively manage the system requirement associated with external standard compliance that can potentially reduce costs and improve compliance.
The various profiles available are:
- DoD STIG compliance
The US. DoD requires highly secure computer systems. This level of security and quality defined by DoD meets with the quality and customer base of AIX on an IBM Power Systems™ server.
- PCI DSS compliance
PCI DSS categorizes IT security into 12 sections that are called the 12 requirements and security assessment procedures.
- SOX and COBIT compliance
The Sarbanes-Oxley Act of 2002, which is based on the 107th congress of the United States of America, oversees the audit of public companies that are subject to the security laws and related matters in order to protect the interests of investors.
HIPAA is a security profile that focuses on the protection of electronically protected health information.
2. Configuration of IPSec on VIOS
Applying any of the above profiles will mandate the creation of tunnels. But, before applying a profile, make sure that the PowerSC file sets are installed. We have mounted them on /mnt.
#cd /mnt #installp –acgvYXd . all # lslpp -l | grep powersc powerscExp.ice.cmds 18.104.22.168 COMMITTED ICE Express Security Extension powerscExp.license 22.214.171.124 COMMITTED PowerSC Express Edition powerscExp.rtc.rte 126.96.36.199 COMMITTED Real-Time Compliance powerscExp.ice.cmds 188.8.131.52 COMMITTED ICE Express Security Extension powerscExp.rtc.rte 184.108.40.206 COMMITTED Real-Time Compliance
Also, check if bos.net.ipsec* is installed. If not, install it from the base media.
#lslpp –l | grep bos.net.ipsec* bos.net.ipsec.keymgt 220.127.116.11 APPLIED IP Security Key Management bos.net.ipsec.rte 18.104.22.168 APPLIED IP Security bos.net.ipsec.websm 22.214.171.124 APPLIED IP Security WebSM bos.net.ipsec.keymgt 126.96.36.199 APPLIED IP Security Key Management bos.net.ipsec.rte 188.8.131.52 APPLIED IP Security bos.net.ipsec.websm 184.108.40.206 COMMITTED IP Security WebSM
After installing the file sets, perform the following steps for configuring IPSec on VIOS.
- Start the
# startsrc -g ike 0513-059 The cpsd Subsystem has been started. Subsystem PID is 17498356. 0513-059 The tmd Subsystem has been started. Subsystem PID is 15794340. 0513-059 The iked Subsystem has been started. Subsystem PID is 21364778.
- Start IPSec by selecting Smitty ipsec4 → Start/Stop IP Security → Start IP Security. Then press Enter.
The following screen opens.
- The next step is to verify if
ikeis working fine.
# ike cmd=list No tunnels match your request.
After we start the LPM, the tunnels will be created.
- Enable any of high, DOD, or PCI security profiles in both source and destination VIOS. The IPSec profiles are located in the etc/security/aixpert/ path.
viosecurecommand, apply any one of the profiles.
viosecure -file /etc/security/aixpert/custom/DoD.xml
viosecure -file /etc/security/aixpert/custom/PCI.xml
viosecure -file /etc/security/aixpert/custom/SOX-COBIT.xml
viosecure -level high -apply
All the above profiles mandate the creation of tunnels while LPM is being performed on any of the VIOS clients.
In this example, let us apply the DoD profile.
$ viosecure -file /etc/security/aixpert/custom/DoD.xml Processing prereqlh :cached Processing prereqda :cached Processing prereqbinaudit :cached Processing prereqinetd :cached Processing dod_mvhostsfiles ....:done. Processing dod_chetcpasswd ....:done. Processing dod_logindodherald ....:done. Processing dod_autologoff ....:done. Processing dod_minlen .....:done. Processing dod_minalpha .....:done. Processing dod_maxrepeats .....:done. Processing dod_histsize .....:done. Processing dod_maxage .....:done. Processing dod_minage .....:done. Processing dod_loginretries .....:done. Processing dod_system .....:done. Processing dod_rootrlogin .....:done. Processing dod_logindelay .....:done. Processing dod_rmdotfrmpathvar .....:done. Processing dod_chdodftpusers ....:done. Processing dod_chetchostsfiles ....:done. Processing dod_chowndodfiles ....:done. Processing dod_dodaudit .:done. Processing dod_sndmailhelpfile ....:done. Processing dod_sndmailexpn ....:done. Processing dod_chsyslog ....:done. Processing dod_chsshd_config ....:done. Processing dod_chcronfiles ....:done. Processing dod_login ......:done. Processing dod_shell ......:done. Processing dod_telnet ......:done. Processing dod_ftp ......:done. Processing dod_uucp ......:done. Processing dod_exec ......:done. Processing dod_bcastping ......:done. Processing dod_ipsrcroutesend ......:done. Processing dod_ipsrcrouteforward ......:done. Processing dod_directed_broadcast ......:done. Processing dod_portcheck ...:done. Processing dod_log_inetd ...:done. Processing dod_fpmdodfiles ....:done. Processing dod_SecureLPM ...:done. Processedrules=38 Passedrules=38 Failedrules=0 Level=DoD Input file=/etc/security/aixpert/custom/DoD.xml
Each profile applied some rules to the system. The DoD profile has successfully applied 38 rules. After this is applied, most of the entries get comments in the /etc/inetd.conf file, which causes disablement of services. For example, after the DoD profile is applied, /etc/inetd.conf looks as shown below.
#cat /etc/inetd.conf #ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd #telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a #shell stream tcp6 nowait root /usr/sbin/rshd rshd ##kshell stream tcp nowait root /usr/sbin/krshd krshd #login stream tcp6 nowait root /usr/sbin/rlogind rlogind ##klogin stream tcp nowait root /usr/sbin/krlogind krlogind #exec stream tcp6 nowait root /usr/sbin/rexecd rexecd ##comsat dgram udp wait root /usr/sbin/comsat comsat ##uucp stream tcp nowait root /usr/sbin/uucpd uucpd ##bootps dgram udp wait root /usr/sbin/bootpd bootpd /e tc/bootptab ### ### Finger, systat and netstat give out user information which may be ### valuable to potential "system crackers." Many sites choose to disable ### some or all of these services to improve security. ### ##finger stream tcp nowait nobody /usr/sbin/fingerd fingerd ##systat stream tcp nowait nobody /usr/bin/ps ps -ef ##netstat stream tcp nowait nobody /usr/bin/netstat netstat -f inet ## ##tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n ##talk dgram udp wait root /usr/sbin/talkd talkd #ntalk dgram udp wait root /usr/sbin/talkd talkd ## ## rexd uses very minimal authentication and many sites choose to disable ## this service to improve security. ## ##rquotad sunrpc_udp udp wait root /usr/sbin/rpc.rquotad rquotad 100011 1 ##rexd sunrpc_tcp tcp wait root /usr/sbin/rpc.rexd rexd 100017 1 ##rstatd sunrpc_udp udp wait root /usr/sbin/rpc.rstatd rst atd 100001 1-3 ##rusersd sunrpc_udp udp wait root /usr/lib/netsvc/rusers/rpc.ruser sd rusersd 100002 1-2 ##rwalld sunrpc_udp udp wait root /usr/lib/netsvc/rwall/rp c.rwalld rwalld 100008 1 ##sprayd sunrpc_udp udp wait root /usr/lib/netsvc/spray/rp c.sprayd sprayd 100012 1 ##pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcn fsd 150001 1-2 ##echo stream tcp nowait root internal ##discard stream tcp nowait root internal ##chargen stream tcp nowait root internal #daytime stream tcp nowait root internal #time stream tcp nowait root internal ##echo dgram udp wait root internal ##discard dgram udp wait root internal ##chargen dgram udp wait root internal #daytime dgram udp wait root internal #time dgram udp wait root internal ### The following line is for installing over the network. ##instsrv stream tcp nowait netinst /u/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /u/netinst/scripts ##imap2 stream tcp nowait root /usr/sbin/imapd imapd ##pop3 stream tcp nowait root /usr/sbin/pop3d pop3d xmquery dgram udp6 wait root /usr/bin/xmtopas xmtopas -p3 caa_cfg stream tcp6 nowait root /usr/sbin/clusterconf clusterconf >>/var /adm/ras/clusterconf.log 2>&1 #wsmserver stream tcp nowait root /usr/websm/bin/wsmserver wsmserv er -start #ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserv er rpc.ttdbserver 100083 1 #dtspcd stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd #cmsd sunrpc_udp udp wait root /usr/dt/bin/rpc.cmsd cmsd 100068 2-5
- After applying the profile, filter rules that are applicable to the tunnels are generated. You can list them using the
# lsfilt -v4 -a Beginning of IPv4 filter rules. Rule 1: *** Dynamic filter placement rule for IKE tunnels *** Logging control : no Rule 2: Rule action : permit Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : yes Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : both Logging control : no Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : End of IPv4 filter rules. Dynamic rule 0: Rule action : permit Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : udp Source Port : 0-0 Destination Port : 500-500 Scope : both Direction : both Fragment control : all packets Tunnel ID number : 0 Dynamic rule 1: Rule action : permit Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : ah Source Port : 0-0 Destination Port : 0-0 Scope : both Direction : inbound Fragment control : all packets Tunnel ID number : 0 Dynamic rule 2: Rule action : permit Source Address : 0.0.0.0 Source Mask : 0.0.0.0 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : esp Source Port : 0-0 Destination Port : 0-0 Scope : both Direction : inbound Fragment control : all packets Tunnel ID number : 0
3. LPM of an LPAR
After the VIOS instances are applied with the profiles, and LPM of the VIOS client is initiated, the tunnels are created on the source and destination VIOS.
Perform the following steps to validate partition mobility.
1. Select the LPAR and then click Operations → Mobility → validate.
2. After the validation is successful, start the migration. You can also use command line to validate or migrate an LPAR. For information about LPM, refer to the Basic understanding and troubleshooting of LPM article.
migrlpar -o v -m [source cec] -t [target cec] -p [lpar to migrate] \ > --ip [target hmc] -u [remote user]
migrlpar -o m -m [source cec] -t [target cec] -p [lpar to migrate] \ > --ip [target hmc] -u [remote user]
After the migration starts, you can verify the tunnel creation on the source and the destination VIOS using the
You can use the
ike command to start, stop, and monitor IP Security dynamic tunnels using the Internet Key Exchange (IKE) protocol. IP Security tunnels protect IP traffic by authenticating and encrypting IP data. The
ike command performs several functions. It can activate, remove, or list IKE and IP Security tunnels.
The IKE negotiation occurs in two phases. The first phase authenticates the two parties and sets up a key management (also known as phase 1) security association for protecting the data that is passed during the negotiation. In this phase, the key management policy is used to secure the negotiation messages. The second phase negotiates data management (also known as the phase 2) security association, which uses the data management policy to set up IP Security tunnels in the kernel for encapsulating and decapsulating data packets. The secure channel established in phase 1 can be used to protect multiple data management negotiations between two hosts.
As soon as the LPM command is issued, tunnels are created. As we see below, it is the negotiating state.
#ike cmd=list Phase Tun Id Status Local Id Remote Id 1 1 Negotiating N/A 10.33.7.73 2 1 Initial 10.33.0.89-10.33.0.89 10.33.7.73-10.33.7.73
After the negotiating state, the tunnels move to the active state.
#ike cmd=list Phase Tun Id Status Local Id Remote Id 1 1 Active 10.33.0.89 10.33.7.73 2 1 Active 10.33.0.89-10.33.0.89 10.33.7.73-10.33.7.73
After the LPM is complete, the tunnels are automatically deleted.
#ike cmd=list No tunnels match your request. No tunnels match your request. No tunnels match your request.
On the destination VIOS, the tunnels directly move in to the active.
#ike cmd=list Phase Tun Id Status Local Id Remote Id 1 1 Active 10.33.7.73 10.33.0.89 2 1 Active 10.33.7.73-10.33.7.73 10.33.0.89-10.33.0.89 Phase Tun Id Status Local Id Remote Id 1 1 Active 10.33.7.73 10.33.0.89 2 1 Active 10.33.7.73-10.33.7.73 10.33.0.89-10.33.0.89
After LPM is complete, all the tunnels are removed.
#ike cmd=list No tunnels match your request. No tunnels match your request. No tunnels match your request.
4. Manual creation of tunnels
When the source is at a level, where automatic tunneling is supported (AIX 7.1 TL2 and AIX 6.1 TL8) and destination is at a level where automatic tunneling is not supported (below AIX 7.1 TL2 or AIX 6.1 TL8), then we need to create manual tunnels at the destination.
IKE tunnel can be created using smitty ike4 or ike6 or using the
ike command line. The
ikedb command allows users to retrieve, update, delete, import, and export information in the IKE database using an XML interface.
5. Different levels of VIOS
- One end point Mover Service Partition (MSP) is at older level.
Tunnels would not be created automatically. If the source MSP needs IPSec tunnels as per the applied profile, then a manual tunnel must exist. Otherwise, LPM will fail.
- Source MSP has any of high / DOD / PCI security profiles applied but destination does not have any of these profiles applied.
Tunnels would be created automatically. If tunnel creation fails, LPM has to fail.
- Destination MSP has high/DOD/PCI security profile applied, but source does not have any of these profiles applied.
Tunnels would not be created. LPM would continue.
- Use the
lssrccommand to see the status of IP Security daemons.
# lssrc -g ike Subsystem Group PID Status cpsd ike 10420226 active tmd ike 11010142 active iked ike 5963942 active
- Use the
lsdevcommand to see if the IP Security devices are available.
#lsdev –Cc ipsec
- Set up logging that can help to debug the issue further. To do so, add the following entry to /etc/syslog.conf.
The local4 facility is used to record traffic and IP Security events.
#refresh –s syslogd