PowerSC GUI security

The PowerSC GUI provides security by using bidirectional HTTPS communication between the PowerSC GUI server and the PowerSC GUI agents on each of the endpoints.

The TLS handshaking process uses certificates that are available on both the PowerSC GUI server and PowerSC GUI agents.

The TLS handshaking process supports single authentication in both directions because either the PowerSC GUI agent or the PowerSC GUI server might initiate communication.

The agent creates a nonce, which is a random number, and sends it to the PowerSC GUI server during the first connection. The PowerSC GUI server then includes this nonce with every command that is sent to that agent. This nonce provides another layer of confirmation to the endpoint agent that it is running a command that originated from the authentic PowerSC GUI server. The endpoint must ensure that the source of the web service call is trusted. The initial handshake and the nonce together ensure this trust.

All communication between the PowerSC GUI agents and the PowerSC GUI server is encrypted by using protocols and cipher suites that are consistent with the security requirements of the protected systems.

The PowerSC GUI server interacts with all the PowerSC GUI agents and with all the PowerSC GUI users. Therefore, the PowerSC GUI server must have a certificate that is trusted by all connections from the users' web browsers, for example, a certificate from a well-known authority such as Verisign or from an internally trusted certificate authority.

During installation, the PowerSC GUI server creates a self-signed certificate for its own use. This certificate can be used indefinitely, but it is intended for temporary use and can be replaced by a user-provided, widely recognized certificate. (See Creating additional security certificates for a description of import_well_known_certificate_uiServer.sh.) The PowerSC GUI server installation also creates a signing certificate that is used to sign all endpoint certificates.

The installation process automatically creates a truststore file for each endpoint. The truststore file is the same for every endpoint and you must copy it from the PowerSC GUI server to each endpoint, as described in Distributing the truststore security certificate to endpoints. This combination of certificates on both the PowerSC GUI server and endpoints provides a high level of communication security.

Group membership

More security control is provided by using UNIX groups. Any user, such as an LDAP user or a local user who is defined by the operating system, must be a member of a specified UNIX group to log in to the PowerSC GUI. The administrator can set or change group membership by using the pscuiserverctl command.

After you are logged in, you might still be restricted to view-only mode. You can use the user authority function to perform actions against endpoints that are controlled by UNIX group membership. To perform any actions, you must be a member of a UNIX group that has permission to manage the endpoint. For more information, see Adding users who can manage endpoints.

By default, any user who is a member of the security group can manage every endpoint that is visible in the PowerSC GUI. The PowerSC administrator can restrict user access to the individual endpoint level by using the pscuiserverctl command with the setgroup parameter. For example:
pscuiserverctl setgroup <group name> [hostname...|group:powerSCEnpointsGroup...]

Note: You can specify one or more group names (that you have created in the PowerSC GUI) as group:systemgroup. If you specify multiple group names, each must be separated by a space. Group names that include spaces are not supported in this release.

Note: You can separate host name entries with either a space or comma. However, if a comma is used then there cannot be a space before or after the comma because it is interpreted as a null host name. Consider the following examples:
CORRECT:
# pscuiserverctl setgroup g1 h1 h2 h3 h4
g1=h1,h2,h3,h4
# pscuiserverctl setgroup g1 h1,h2,h3,h4
g1=h1,h2,h3,h4
# pscuiserverctl setgroup g1 h1,h2 h3 h4
g1=h1,h2,h3,h4

INCORRECT:
# pscuiserverctl setgroup g1 h1, h2, h3, h4
g1=h1,,h2,,h3,,h4
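
The null host name pitfall shown above can be caught before the command is run. The following POSIX shell functions are an added example, not part of the PowerSC product or its documentation. The names normalize_hosts and setgroup_cmdline are hypothetical helpers, only host name entries (not group: entries) are handled, and the resulting command line is printed rather than executed.

```shell
#!/bin/sh
# Added example (not IBM code): pre-check the host arguments intended for
# "pscuiserverctl setgroup" so that a space next to a comma cannot turn
# into a null host name such as g1=h1,,h2,,h3,,h4.

# normalize_hosts ARG...
# Prints one comma-joined host list. Returns 1 if any argument would
# produce an empty host name or contains an embedded space.
normalize_hosts() {
    nh_out=""
    if [ "$#" -eq 0 ]; then
        echo "no host names given" >&2
        return 1
    fi
    for nh_arg in "$@"; do
        case "$nh_arg" in
            ""|,*|*,|*,,*)
                # Leading, trailing or doubled comma: an empty entry.
                echo "null host name in argument: '$nh_arg'" >&2
                return 1 ;;
            *" "*)
                # A quoted argument such as "h1, h2" hides the same error.
                echo "space inside argument: '$nh_arg'" >&2
                return 1 ;;
        esac
        # Every argument is now a clean "h" or "h,h,...", so joining the
        # arguments with commas yields the normalized list.
        nh_out="${nh_out:+$nh_out,}$nh_arg"
    done
    printf '%s\n' "$nh_out"
}

# setgroup_cmdline GROUP ARG...
# Prints the command line to run; does not invoke pscuiserverctl itself.
setgroup_cmdline() {
    sg_group=$1
    case "$sg_group" in
        ""|*" "*) echo "invalid group name: '$sg_group'" >&2; return 1 ;;
    esac
    shift
    sg_hosts=$(normalize_hosts "$@") || return 1
    printf 'pscuiserverctl setgroup %s %s\n' "$sg_group" "$sg_hosts"
}

# Constructed sample input: mixed space and comma separators.
setgroup_cmdline g1 h1,h2 h3 h4
```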

There are a variety of configuration commands that can only be performed by an administrative user. Examples include the ability to change global email settings or to create a new profile. Administrative user authority is set by using UNIX groups and it can be configured by using the pscuiserverctl command.