
Nokia Security Service Manager

Installation Guide
Version 3.0.1

Part No. N450783006 Rev A


Published May 2005
COPYRIGHT
2005 Nokia. All rights reserved.
Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND


Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS


This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not
limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall
Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or
consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or
profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort
(including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of
such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation.

Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation in the U.S. and/or other
countries.
SecurID is a registered trademark of RSA Security INC.
SSH Certifier is either a registered trademark or trademark of SSH Communications Security Oyj in the United States
and/or other countries.
Check Point, FireWall-1, and OPSEC are trademarks or registered trademarks of Check Point Software Technologies
Ltd.

Other products mentioned in this document are trademarks or registered trademarks of their respective holders.


2 Nokia Security Service Manager Installation Guide


Nokia Contact Information
Web Site http://www.nokia.com

Telephone 1-888-477-4566 or
1-650-625-2000

Fax 1-650-691-2170

Mail Nokia Inc.


Address 313 Fairchild Drive
Mountain View, California
94043-2215 USA

Regional Contact Information

Americas Nokia Inc. Tel: 1-877-997-9199


313 Fairchild Drive Outside USA and Canada: +1 512-437-7089
Mountain View, CA 94043-2215 email: ipsecurity.na@nokia.com
USA

Europe, Nokia House, Summit Avenue Tel: UK: +44 161 601 8908
Middle East, Southwood, Farnborough Tel: France: +33 170 708 166
and Africa Hampshire GU14 ONG UK email: ipsecurity.emea@nokia.com

Asia-Pacific 438B Alexandra Road Tel: +65 6588 3364


#07-00 Alexandra Technopark email: ipsecurity.apac@nokia.com
Singapore 119968

Nokia Customer Support

Web Site: https://support.nokia.com/

Email: tac.support@nokia.com

Americas Europe

Voice: 1-888-361-5030 or Voice: +44 (0) 125-286-8900


1-613-271-6721

Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999

Fax: +65-67232897




Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11


In This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Conventions This Guide Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Command-Line Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1 Introducing Nokia Security Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 15


Nokia Security Service Manager Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Enrollment Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Management Station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Creating a Mobile VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Deploying VPN Policies to Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring Client Access to VPN Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Managing Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Managing Users and User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Authenticating Users to Nokia Security Service Manager. . . . . . . . . . . . . . . . . . . 25
Using Online Certificate Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Using Nokia Mobile VPN Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2 Installing Nokia Security Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31


Choosing an Installation Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Obtaining Valid Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Installing and Running Several Nokia Security Service Manager Instances on
One Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Minimum System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Preparing for the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Installing Patches and Libraries on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Modifying System Specifications in Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36



Installing J2RE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Synchronizing System Clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Using the Nokia Security Service Manager Installer . . . . . . . . . . . . . . . . . . . . . . . . 37
Selecting the Installation Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installation Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Installing Nokia Security Service Manager in Solaris . . . . . . . . . . . . . . . . . . . . . . 41
Installing Nokia Security Service Manager in Linux . . . . . . . . . . . . . . . . . . . . . . . 42
Installing Management Station in Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
After the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Setting File Permissions and Creating a Startup Script . . . . . . . . . . . . . . . . . . . . 49
Saving the Server Passphrase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Obtaining TLS/SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Using Example Configuration Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Backing Up the Installation Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3 Configuring Nokia Security Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 53


Extending the Enterprise Network to Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . 53
Specifying Settings for Automatic Content Update . . . . . . . . . . . . . . . . . . . . . . . 54
Specifying Settings for a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Creating a Content Manager Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring Client Access Policy for Challenge-Response Authentication
to VPN Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Deploying Policies to Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Specifying Settings for VPN Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Installing Software and Settings on Mobile Devices . . . . . . . . . . . . . . . . . . . . . . 70
Moving from Legacy Authentication to Certificate-Based Authentication . . . . . . . . 70
Creating an Internal CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring Client Access for Certificate-Based Authentication . . . . . . . . . . . . . 71
Modifying Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Specifying Settings for Certificate Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Using an External CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Creating an External CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Modifying Client Access for Certificate-Based Authentication . . . . . . . . . . . . . . . 79
Modifying Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

4 Upgrading and Uninstalling Nokia Security Service Manager . . . . . . . . . . . . . . 83


Upgrading Nokia Security Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Uninstalling Nokia Security Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85



Tables

Table 1 Command-Line Conventions . . . . . . . . . . . . . . . . . . . . . 12


Table 2 Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 3 Minimum System Requirements . . . . . . . . . . . . . . . . . . 34
Table 4 Installation Settings Checklist . . . . . . . . . . . . . . . . . . . . . 38



Figures

Figure 1 Mobile VPN System Components . . . . . . . . . . . . . . . . . 15


Figure 2 Creating VPN Tunnels with an IPSec VPN . . . . . . . . . . 18
Figure 3 Securing Email Access from Mobile Devices . . . . . . . . 19
Figure 4 Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 5 User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 6 Enrollment Gateway as Registration Authority . . . . . . . 28
Figure 7 Installing All SSM Components on Separate Computers 32
Figure 8 Extending the Enterprise Network to Mobile Devices . . 54
Figure 9 Using An External CA . . . . . . . . . . . . . . . . . . . . . . . . . . 78



About This Guide

This guide describes how to install and initially configure Nokia Security Service Manager
(SSM) and Nokia Mobile VPN Client. The information in this guide is useful to network
administrators, system administrators, and user managers.
This preface provides the following information:
In This Guide
Conventions This Guide Uses
Related Documentation

In This Guide
This guide is organized into the following chapters:
Chapter 1, Introducing Nokia Security Service Manager provides an overview of the SSM
components and functions and describes how to use SSM to set up automatic content
delivery to mobile devices.
Chapter 2, Installing Nokia Security Service Manager describes how to install and initially
configure SSM.
Chapter 3, Configuring Nokia Security Service Manager contains use cases that are
examples of how to configure SSM to extend the enterprise network to mobile devices.

Conventions This Guide Uses


The following sections describe the conventions this guide uses, including notices, text
conventions, and command-line conventions.




Notices

Caution
Cautions indicate potential equipment damage, equipment malfunction, loss of
performance, loss of data, or interruption of service.

Note
Notes provide information of special interest or recommendations.

Command-Line Conventions
This section defines the elements of commands that are available in SSM. You might encounter
one or more of the following elements on a command-line path.

Table 1 Command-Line Conventions

Convention: command
Description: This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.

Convention: Italics
Description: Indicates a variable in a command that you must supply. For example:
    delete interface if_name
Supply an interface name in place of the variable. For example:
    delete interface nic1

Convention: Square brackets [ ]
Description: Indicates optional arguments. For example:
    https://host_name[:port]
    https://company.com:443

Convention: -flag
Description: A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.

Convention: (.,;+*-/)
Description: Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.

Convention: ""
Description: Quotation marks are literal symbols that you must enter as shown.




Text Conventions
Table 2 describes the text conventions this guide uses.

Table 2 Text Conventions

Convention: monospace font
Description: Indicates command syntax, or represents computer or screen output, for example:
    Log error 12453

Convention: bold monospace font
Description: Indicates text you enter or type, for example:
    # configure nat

Convention: Key names
Description: Keys that you press simultaneously are linked by a plus sign (+): Press Ctrl + Alt + Del.

Convention: Menu commands
Description: Menu commands are separated by a greater than sign (>): Choose File > Open.

Convention: The words enter and type
Description: Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.

Convention: Italics
Description: Emphasizes a point or denotes new terms at the place where they are defined in the text. Indicates an external book title reference. Indicates a variable in a command:
    delete interface if_name

Menu Items
The greater than sign (>), with spaces before and after the sign, separates items in menus.
For example, Start > Programs > Nokia > Nokia Security Service Manager indicates that you
first choose Start, then choose the Programs menu command, then choose Nokia, and finally
choose Nokia Security Service Manager.




Related Documentation
You can download the following additional documentation from the Nokia customer support
Web site at https://support.nokia.com/:
Nokia Security Service Manager Release Notes describe known issues in the current release.
Nokia Security Service Manager Planning Sheet helps you plan network topology before
you install SSM.
Nokia Security Service Manager Administration Guide provides detailed information about
how to use SSM.
Nokia Security Service Manager Help provides detailed information about how to use the
SSM graphical user interface (GUI).
To open the help, choose Help > Help Topics in the SSM GUI.
Nokia Mobile VPN Client Release Notes
Nokia Mobile VPN Client Quick Reference Guide
Nokia Mobile VPN Client Users Guide
Nokia Mobile VPN Client Help provides detailed information about how to use Mobile
VPN Client.
The support Web site also contains a list of mobile devices that have been tested to support Mobile
VPN Client. You must register to access the Web site.



1 Introducing Nokia Security Service
Manager

Local and remote network users have the same requirements for quick, easy access to resources
over their corporate networks. And yet, remote network traffic needs protection through
encrypted VPN tunneling, antivirus scanning, and appropriate security policies. In addition,
network transactions need privacy and integrity while remote users need to be authenticated and
authorized for access to networks and network services.
Nokia Security Service Manager (SSM) addresses the initial deployment, subsequent
configuration management, and public-key infrastructure (PKI) related requirements of mobile
devices in an Internet protocol security (IPSec) virtual private network (VPN). SSM provides a
scalable solution for enterprises to extend their VPN to the mobile domain.
Figure 1 illustrates how SSM works in combination with other hardware, software, and services
to create a mobile VPN.
Figure 1 Mobile VPN System Components
[Figure not reproduced. It shows an external CA; a DMZ containing the SSM server and database, the SSM enrollment gateway, and the SSM Web server; a firewall/VPN gateway; the SSM management station; VPN policy management software; an external authentication server; a mail gateway (SMTP); and Nokia Mobile VPN Client, which reaches the enterprise network over the operator mobile network and the Internet.]

The components of a mobile VPN have the following roles:

VPN gateway: enforces the security policy.
Nokia Mobile VPN Client: negotiates a secure tunnel with the VPN gateway.




VPN policy management software: manages the VPN gateway. You use policy
management software to create VPN policies and profiles and export them to the SSM
database.
Nokia Security Service Manager: delivers security policy and other files to large numbers
of authorized users.
External authentication server: authenticates access to SSM.
External certification authority (CA): serves the certification requests that it receives
from Mobile VPN Client through SSM.
Mail gateway: uses the simple mail transfer protocol (SMTP) to send notifications to
users.

Nokia Security Service Manager Components

[Figure not reproduced. It shows the Nokia SSM components behind the firewall/VPN gateway in the DMZ: the server and database, the enrollment gateway (EGW), the Web server and Web site, and the management station with its GUI and CLI.]

Nokia SSM consists of the following components:


Server
Enrollment Gateway
Web Server
Management Station
You can install and run the SSM components either on one computer in the enterprise
network or distribute them across several computers.

Server
The server component consists of server and database. The server implements the core
functionality of SSM. The database is an embedded relational database that stores information
about users, user groups, VPN policies, other files, and their properties.

Enrollment Gateway
The enrollment gateway (EGW) component provides online certificate enrollment for Mobile
VPN Client. The EGW receives certification requests from Mobile VPN Client. The EGW uses




the server to authenticate and authorize the certification requests and then forwards the
certification requests to an internal or external CA.
You can specify that an EGW entity acts as an internal CA. The automatic content update service
uses certificates that an internal CA issues. An internal CA stores certificates, certificate
revocation lists (CRL), and other data in the database.
You must obtain additional licenses to use internal CAs for other purposes than automatic
content update.

Web Server
The Web server component acts as an external interface to SSM:
Mobile VPN Client sends certification requests to the Web server, which forwards them to
the EGW through the server.
Mobile VPN Client connects to the Web server for automatic content updates from the
database.
VPN policy management software exports VPN policies to the database through the Web
server.
The VPN gateway might send CRL requests to the Web server, which forwards them to the
EGW through the server.
Users access a Web site that the Web server hosts to download content.

Management Station
The management station component consists of a graphical user interface (GUI) and command-
line interface (CLI). You can use the GUI and CLI to manage SSM. You can install and run the
management station on one or several computers.
For information about how to use the GUI and CLI to accomplish system administrator tasks,
see the Nokia Security Service Manager Administration Guide.

Creating a Mobile VPN


Figure 2 describes how to use Nokia Mobile VPN Client to create VPN tunnels to corporate
network resources through a VPN gateway. You can run Mobile VPN Client on mobile devices,
such as Nokia communicators and imaging phones.




Figure 2 Creating VPN Tunnels with an IPSec VPN
[Figure not reproduced. It shows Nokia Mobile VPN Client on the mobile network connecting across the Internet to the VPN gateway, behind which sit the SAP database, mail, the intranet, and Web content.]

Mobile VPN Client is an IPSec VPN application that allows mobile employees to use the
wireless infrastructure to create encrypted connections from their mobile device to a corporate
network. Once a mobile employee authenticates to the corporate VPN successfully, all data that
travels between the mobile device and the corporate network is encrypted, no matter what the
mobile application. Furthermore, the stringent security that is inherent in an IPSec VPN helps
ensure that the recipient receives data exactly as the sender sent it. IPSec also helps protect
against electronic data theft and man-in-the-middle attacks.

Deploying VPN Policies to Mobile Devices


Figure 3 describes how to use SSM and Mobile VPN Client to secure email access from mobile
devices. You can use Mobile VPN Client to encrypt all data that travels between the mobile
device and the corporate network, no matter what the mobile application.




Figure 3 Securing Email Access from Mobile Devices
[Figure not reproduced. It shows the following numbered steps.]

Configure client access to a VPN gateway:
1. Use VPN policy management software to configure client access to VPN gateways.
2. Export client policies to the SSM database.

Use the SSM GUI or CLI to:
3. Specify settings for the automatic content update service, create an internal CA, and create VPN access points.
4. Create a user group, specify authentication servers, and map client policies to user groups.

Mobile devices; use the mobile device to:
5. Install Nokia Mobile VPN Client and install VPN policies from SSM.
6. Select a VPN access point when you use Messaging to connect to the intranet mailbox.

System administrators must accomplish the tasks that the following sections describe to extend
an IPSec VPN to mobile devices:
Configuring Client Access to VPN Gateways
Managing Content
Managing Users and User Groups
Authenticating Users to Nokia Security Service Manager
Using Online Certificate Enrollment
Using Nokia Mobile VPN Client
To automate some of these steps, use example configuration scripts to specify settings for the
automatic content update service. For more information about how to use example configuration
scripts, see the Nokia Security Service Manager Getting Started Guide.

Configuring Client Access to VPN Gateways


To use Mobile VPN Client, users need a VPN policy that specifies the settings for a VPN tunnel.
A VPN policy defines the method that a mobile device and the VPN gateway use to authenticate
each other and the encryption algorithms that they use to help protect the integrity of the data.
Content managers use VPN management software to create VPN policies and to export them to
SSM.
The automatic content update service of SSM automatically installs the VPN policy on a mobile
device from SSM. Mobile VPN Client refers to SSM as a VPN policy server.




Authenticating Remote Clients to VPN Gateways


VPN gateways support the following kinds of Internet key exchange (IKE) authentication:
Certificate-based authentication: users must have certificates that a trusted CA issues.
Users can use online certificate enrollment to obtain the certificates.
Legacy authentication: usernames and passwords or passcodes authenticate users. You
can use RSA SecurID tokens to generate passcodes, for example.
XAUTH: users use either certificates or usernames and passwords or passcodes to
authenticate.

Certificate-Based Authentication
You can use one of two methods to allow users to use digital certificates as an authentication
method. You can set up a VPN policy that:
Includes private keys and digital certificates.
Forces each user to generate their own key pair and use online certificate enrollment to
request their own certificate from a CA.
Nokia recommends that you use online certificate enrollment to request certificates from an
internal or external CA.

Legacy Authentication
A VPN gateway can support the following types of legacy authentication:
Shared secrets: usernames and fixed passwords authenticate users. More typically, VPN
gateways use shared secrets to authenticate each other in a site-to-site VPN.
Challenge-response authentication: the VPN gateway authenticates with a certificate and
the user authenticates with a legacy authentication method in an open-ended exchange that
continues until the VPN gateway is satisfied.
The VPN client informs the VPN gateway that it will use challenge-response authentication
and names a legacy authentication method. The VPN gateway responds with its certificate,
which authenticates the VPN gateway to the VPN client. The VPN client then uses the legacy
authentication method to authenticate to the VPN gateway.
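The exchange described above, modelled as an added example that is not part of this guide or of Nokia's software: messages are plain dictionaries rather than IKE payloads, the gateway certificate is a constructed dictionary whose CA signature is an HMAC under a constructed CA key, and the usernames and passcodes are made up. It shows the ordering that matters for a defender: the client verifies the gateway certificate before it releases any legacy credential, and the gateway keeps issuing challenges until it is satisfied.

```python
"""Toy model of challenge-response authentication to a VPN gateway (added
example; not SSM, Mobile VPN Client or IKE code). The gateway proves itself
with its certificate, the client verifies that against its trust anchor, and
only then answers legacy challenges, round by round, until the gateway accepts."""
import hashlib
import hmac

# Constructed trust anchor standing in for the CA that issued the gateway cert.
CA_KEY = b"constructed-ca-signing-key"
CA_NAME = "Example Internal CA"


def issue_cert(subject: str, ca_key: bytes = CA_KEY) -> dict:
    """Toy 'certificate': subject and issuer bound by an HMAC under the CA key."""
    body = f"{subject}|{CA_NAME}".encode()
    return {"subject": subject, "issuer": CA_NAME,
            "signature": hmac.new(ca_key, body, hashlib.sha256).hexdigest()}


def cert_is_trusted(cert: dict, ca_key: bytes, expected_subject: str) -> bool:
    """Accept only a cert from our CA that names the gateway we meant to reach."""
    body = f"{cert['subject']}|{cert['issuer']}".encode()
    good_sig = hmac.compare_digest(
        hmac.new(ca_key, body, hashlib.sha256).hexdigest(), cert["signature"])
    return good_sig and cert["subject"] == expected_subject


class Gateway:
    """VPN gateway side. credential_store maps a username to the ordered list
    of responses expected (two entries model a SecurID 'next token' round)."""
    SUPPORTED_METHODS = {"securid", "password"}

    def __init__(self, cert: dict, credential_store: dict):
        self.cert, self.store = cert, credential_store
        self.state, self.user, self.expected = "start", None, []

    def handle(self, msg: dict) -> dict:
        kind = msg["type"]
        if self.state == "start" and kind == "hello":
            if msg["method"] not in self.SUPPORTED_METHODS:
                return {"type": "reject", "reason": "unsupported method"}
            self.state = "await_ready"
            return {"type": "gateway_cert", "cert": self.cert}  # gateway first
        if self.state == "await_ready" and kind == "ready":
            self.state = "username"
            return {"type": "challenge", "prompt": "username"}
        if self.state == "username" and kind == "response":
            self.user = msg["value"]
            # Unknown users still get a challenge, so replies do not leak names.
            self.expected = list(self.store.get(self.user, []))
            self.state = "challenge"
            return {"type": "challenge", "prompt": "passcode"}
        if self.state == "challenge" and kind == "response":
            if not self.expected or not hmac.compare_digest(
                    self.expected.pop(0), msg["value"]):
                self.state = "done"
                return {"type": "reject", "reason": "authentication failed"}
            if self.expected:  # not yet satisfied: another round
                return {"type": "challenge", "prompt": "next passcode"}
            self.state = "done"
            return {"type": "accept", "user": self.user}
        return {"type": "reject", "reason": "protocol error"}


class Client:
    """Mobile VPN client side: never answers a challenge before the gateway
    certificate has been verified."""

    def __init__(self, ca_key: bytes, gateway_name: str, username: str, responses):
        self.ca_key, self.gateway_name = ca_key, gateway_name
        self.username, self.responses = username, list(responses)
        self.gateway_verified = False

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "gateway_cert":
            if not cert_is_trusted(msg["cert"], self.ca_key, self.gateway_name):
                return {"type": "abort", "reason": "untrusted gateway certificate"}
            self.gateway_verified = True
            return {"type": "ready"}
        if msg["type"] == "challenge" and self.gateway_verified:
            if msg["prompt"] == "username":
                return {"type": "response", "value": self.username}
            if self.responses:
                return {"type": "response", "value": self.responses.pop(0)}
        return {"type": "abort", "reason": "cannot answer"}


def run_exchange(client: Client, gateway: Gateway, method: str = "securid",
                 max_rounds: int = 10):
    """Drive both sides; returns (outcome, transcript of (side, message))."""
    transcript, msg = [], {"type": "hello", "method": method}
    for _ in range(max_rounds):
        transcript.append(("client", msg))
        reply = gateway.handle(msg)
        transcript.append(("gateway", reply))
        if reply["type"] in ("accept", "reject"):
            return reply["type"], transcript
        msg = client.handle(reply)
        if msg["type"] == "abort":
            return "abort", transcript
    return "timeout", transcript
```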

XAUTH
Cisco VPN 3000 Series Concentrator supports extended authentication within IKE (XAUTH).
XAUTH is a method to use unidirectional authentication mechanisms such as RADIUS,
SecurID, and one-time passwords within IKE.

Accessing Nokia IP VPN


If you use Nokia IP VPN, use Nokia VPN Manager to create client policies and profiles and
export them to SSM.
You can use VPN Manager to create two types of IPSec VPN policies:
Client policy
Generic profile




A client policy contains all the information that a VPN client needs to establish VPN tunnels to a
VPN gateway.
A generic profile lacks user-specific information, such as client certificates and private keys. To
provide this information, users do the following:
Employ user names and passwords or certificates to authenticate to the VPN gateway.
Use online certificate enrollment to acquire certificates and private keys.
After you create client policies or profiles, export them to the SSM database for installation to
mobile devices.
For examples of how to configure client access to IP VPN Gateway, see Chapter 3, Configuring
Nokia Security Service Manager. For more information about how to use VPN Manager, see
the Nokia IP VPN Gateway Configuration Guide.

Accessing Nokia IP Security Platform


Use Check Point SmartDashboard to configure client access to the Nokia IP security platform.
Create a Check Point VPN-1/FireWall-1 policy that consists of gateways and external user
profiles that participate in remote access VPN communities.
Create an open platform for security (OPSEC) application to execute the vpn nssm_topology
command or execute the command from the command line in the SmartCenter Server to export
VPN policies to SSM. SSM converts the VPN policies to a format that Mobile VPN Client
supports.
For examples of how to configure client access to the Nokia IP security platform, see
Chapter 3, Configuring Nokia Security Service Manager. For more information about how to
export VPN policies to SSM, see the Nokia Security Service Manager Administration Guide.

Accessing Cisco VPN 3000 Series Concentrator


Define VPN policy in Cisco VPN 3000 Series Concentrator. Then use the SSM policy push to
create VPN policies in the SSM database.
You use a set of predefined templates to create VPN policies for each supported authentication
method: certificate-based authentication, legacy authentication, or shared secrets. The templates
define the method that a mobile device and the VPN gateway use to authenticate each other and
the encryption algorithms that they use to help protect the integrity of the data. You use policy
push to add information about the VPN gateway and networking options.
For examples of how to configure client access to the Cisco VPN 3000 Series Concentrator, see
Chapter 3, Configuring Nokia Security Service Manager. For more information about how
to use policy push to generate VPN policies for Mobile VPN Client, see Nokia Security Service
Manager Administration Guide.




Managing Content
You can use SSM to deliver content, such as a VPN policy or Mobile VPN Client software to
large numbers of users. All content in the database has an associated multipurpose Internet mail
extensions (MIME) type that describes the content.
You do not use SSM to create content. Use VPN policy management software to configure VPN
policies and export them to SSM. Use the SSM GUI or CLI to map the VPN policies to users
and user groups. Mobile VPN Client connects to the SSM Web server, the automatic content
update service checks for new, updated, or deleted VPN policies in the SSM database, and
Mobile VPN Client installs VPN policies to the mobile device or removes them.
Use some other tool to create other types of content and then add the content to the database.
Users can download the content that you map to them or to their user groups from the Web site.
You cannot add identical content to the database under two different names. The following
properties uniquely identify a content entry in the database:
Fingerprint that SSM generates from the content
MIME type
Originator of the content
You can specify settings for VPN access points and renewing VPN certificates that are
associated with a VPN policy and use the automatic content update service to deliver them to
mobile devices.
Content properties authorize users to enroll certificates from a CA. To authorize users, SSM
compares the properties of users and the content that you map to users in the database to the
fields in the certification request. For more information about how to authorize certificate
enrollment, see Authorizing Certificate Enrollment on page 26.

Managing Users and User Groups


You can use the GUI or CLI to add users and user groups. You can perform the following
operations on users and user groups:
- Create
- Search
- Modify
- Remove
- Map users to user groups
- Map a user group to another user group (form a group hierarchy)
- Map content (VPN policies and other files) to user groups and users
Use the CLI to import large numbers of users and user groups from an external database. The
number of users that you can add to the database depends on the license you obtain.
To change the properties of large numbers of users at a time, use the CLI to export the users to a
file. Modify the file with a text editor, save it as a new file, and import the new file to the
database.

Creating a Mobile VPN

Granting Users Privileges


SSM authenticates all access. Once users authenticate, they can use SSM according to the
privileges of their user group. Privileges specify the objects that the members of a user group can
access and the actions that they can apply to the objects. The database contains predefined user
groups for system, user, and content managers. In addition, you can create user groups to allow
users to access content and enroll certificates.
The user groups have the following privileges:
- System managers (system administrators): can use all the SSM functions.
- User managers: can use a subset of SSM functions to manage users and user groups.
- Content managers: can export VPN policies from VPN policy management software to
  the database and use policy push to create VPN policies in the SSM database.
- System administrator-specified user groups: can access content and enroll certificates.
  You create these user groups and give them names.
Any user can belong to only one managers group. Any user can belong to several user groups
that you create.

Inheriting Content from User Groups


You can form a user group hierarchy, where one user group is the member of another group.
Group membership determines how users access content, because when you map content to a
group you indirectly map the content to the members of the group.
Figure 4 illustrates the network of a company that provides remote access to telecommuters who
use laptops or mobile devices to access corporate resources, such as email, Web, and a SAP
database.

Figure 4 Remote Access

[Figure: depicts a DMZ with a firewall/VPN gateway, the SSM server and database, the SSM
enrollment gateway, the SSM management station, a RADIUS or LDAP server, and the Nokia SSM
Web server, together with corporate email, Web services, and a SAP database. Telecommuters
with Windows clients/laptops and mobile devices connect over the Internet and the operator
mobile network and receive their VPN policies from SSM.]

Figure 5 illustrates the user groups that you can create in SSM to map VPN policies to users.
Figure 5 User Groups

You map VPN policies to the user groups. Because users and groups inherit content, the users
have access to different numbers of VPN policies. For example, users whom you map to the
MobileDevices user group have access to the content that you map to the MobileDevices user
group and to the Telecommuters user group.

Notifying Users
You can send notifications to users and user groups by email. SSM uses SMTP to deliver
notifications. SSM can deliver notifications to users' GSM phones if their email addresses point
to an SMS gateway that understands SMTP.

Authenticating Users to Nokia Security Service Manager


SSM authenticates all access. Either logon names and passwords or certificates authenticate
users. SSM verifies logon names and passwords against the local database or an external
authentication server, such as a RADIUS or an LDAP server. Certificates authenticate users to
the automatic content update service. SSM verifies that an internal CA issued the certificates and
that they are valid.
To prevent brute-force attacks against username-password login, SSM delays the login process
after failed login attempts. Specify the attack prevention settings with the login.fail.threshold
and login.fail.delay settings in the SSM configuration file, server.properties.

Authentication Methods
You can use the following authentication methods to authenticate users to the SSM Web site and
automatic content update service:
- Local authentication: SSM checks the logon name and password of the user against a
  local database. Only one local database can exist at a time.
- One-time password authentication: Administrators use the GUI to generate passwords
  for users whom they add to the database. Administrators set a predefined authentication
  server called One-time password as the user's authentication server. SSM checks the logon
  name and password of the user against the database and removes the password from the
  database. Another authentication method, such as certificates, subsequently authenticates
  users.
- RADIUS authentication: SSM checks the logon name and password of the user against a
  RADIUS server. Optionally, SSM drops the domain name part of the user identifier before
  authentication. The passwords can be either normal passwords or one-time passwords that
  users generate with token cards, such as RSA SecurID. Several instances of this
  authentication method can exist at the same time.
- LDAP authentication: SSM searches for the user by logon name from an LDAP server.
  Optionally, SSM drops the domain name part of the logon name before the search. When the
  user is found, an LDAP bind is done using the user's distinguished name (DN) and
  password. Several instances of this authentication method can exist at the same time.
- Certificate authentication: the user presents a certificate, which must be valid, and a
  signature. The certificate is valid if it is signed by the CA that you define as the
  authentication server, if it is within its validity period, and if it has not been revoked. If the
  signature was signed with the certificate, the user is considered authenticated. The
  rfc822Name subject alternative name extension field in the certificate maps the user to an
  existing SSM logon name.
In SSM v3.0, certificate authentication is only supported for the automatic content update
service. The first time users log on to SSM with Mobile VPN Client, one of the other
authentication methods authenticates users. During the first connection, Mobile VPN Client
requests certification for the users from the SSM internal CA. Certificates subsequently
authenticate users to the automatic content update service. Users might need to use the other
authentication methods again if their certificates expire.
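As an added illustration of the certificate checks just described (this is not code from the SSM product), the following Python sketches the decision order: issuing CA, validity period, revocation, signature, and the rfc822Name mapping to an SSM logon name. The certificate records, CA name, and logon names are constructed, and the cryptographic verification of the CA signature and of the user's signature is assumed to have been done by the PKI layer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for the X.509 fields that the check reads."""
    serial: int
    issuer: str
    subject_dn: str
    rfc822_names: Tuple[str, ...]     # subjectAltName rfc822Name entries
    not_before: datetime
    not_after: datetime


@dataclass
class CaAuthServer:
    """Constructed stand-in for the CA that is configured as the authentication server."""
    name: str
    revoked_serials: Set[int]         # what a revocation check against this CA reports

    def issued(self, cert: Certificate) -> bool:
        # Assumption: the CA signature on the certificate has already been verified by the
        # PKI layer, so issuance is modelled here as an issuer-name match.
        return cert.issuer == self.name


def authenticate_certificate(cert: Certificate, signature_verified: bool, ca: CaAuthServer,
                             logon_names: Set[str], now: datetime) -> Tuple[Optional[str], str]:
    """Return (logon_name, "ok") on success or (None, reason) on rejection.

    signature_verified is the outcome of checking the user's signature with the public key
    in the certificate; that cryptographic step is assumed to happen elsewhere.
    """
    if not ca.issued(cert):
        return None, "not issued by the configured CA"
    if not cert.not_before <= now <= cert.not_after:
        return None, "outside validity period"
    if cert.serial in ca.revoked_serials:
        return None, "revoked"
    if not signature_verified:
        return None, "signature does not verify with the certificate"
    # Map the certificate to an SSM account through its rfc822Name. The account must still
    # exist in SSM: removing a user only from the external authentication server does not
    # stop certificate-based access.
    for name in cert.rfc822_names:
        if name in logon_names:
            return name, "ok"
    return None, "no rfc822Name maps to an SSM logon name"


# Constructed reference times used by the sample below.
DEMO_NOW = datetime(2005, 6, 1)
DEMO_LATER = datetime(2007, 1, 1)


def demo_environment():
    """Constructed sample: an internal CA, the certificates it issued, and SSM logon names."""
    ca = CaAuthServer("CN=SSM Internal CA,O=Customer,C=FI", revoked_serials={3})
    issued = datetime(2005, 5, 1)
    expiry = issued + timedelta(days=365)
    certs = {
        "peter": Certificate(1, ca.name, "CN=Peter Jones,O=Customer,C=FI",
                             ("peter.jones@customer.com",), issued, expiry),
        "revoked": Certificate(3, ca.name, "CN=Old Device,O=Customer,C=FI",
                               ("peter.jones@customer.com",), issued, expiry),
        "foreign": Certificate(7, "CN=Other CA,O=Elsewhere,C=FI",
                               "CN=Peter Jones,O=Elsewhere,C=FI",
                               ("peter.jones@customer.com",), issued, expiry),
        "unmapped": Certificate(9, ca.name, "CN=Guest,O=Customer,C=FI",
                                ("guest@customer.com",), issued, expiry),
    }
    logon_names = {"peter.jones@customer.com", "admin@customer.com"}
    return ca, certs, logon_names


if __name__ == "__main__":
    ca, certs, names = demo_environment()
    for label, cert in certs.items():
        print(label, authenticate_certificate(cert, True, ca, names, DEMO_NOW))
```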

Selecting Authentication Methods


You can use more than one authentication method to authenticate users to SSM. For example,
you can choose that SSM authenticates some users against the local database and some against
an external authentication server. Or you can generate one-time passwords that authenticate
users to SSM to enroll certificates for subsequent authentication to a VPN or to the SSM
automatic content update service.
You define authentication servers and the users whom the servers authenticate. You specify
additional settings for external authentication servers.

Using Self-Provisioning to Add Users Automatically


If you have an external authentication server, you can use self-provisioning to set up content
delivery. You set self-provisioning rules that specify an authentication domain, an authentication
server, and a user group. After successful authentication, SSM adds users to the database as
members of the user group that you specify. Users can access content that you map to that user
group.
You specify a logon name for each user in user properties. SSM enforces that you specify logon
names in the following format: logonname@domain. The logon names do not need to be real
email addresses.
When a user logs on to SSM, SSM performs the following tasks that can lead to
self-provisioning:
1. If the logon name does not contain a domain name, SSM appends the default authentication
   domain name to the logon name. You specify the default authentication domain name when
   you install SSM.
2. SSM searches for the user in the local database:
   - If SSM finds the user, SSM authenticates the user against the authentication server that
     you specify in the user properties.
   - If SSM does not find the user, SSM searches among the self-provisioning rules for a
     matching authentication domain.
3. If SSM finds the authentication domain, and the external authentication server that you
   specify in the self-provisioning rule authenticates the user, SSM adds the user to the
   database.
   The server.properties file contains regular expressions that extract the first and last name
   from the logon name. The default expressions match logon names in the
   firstname.lastname@domain format. If you specify logon names in other formats, modify
   the self.provisioning.firstname and self.provisioning.lastname settings to match the logon
   name format.
4. When the user logs on again and enters the username and password, SSM searches for the
   user in the local database and authenticates the user against the external authentication
   server.
Use the enable.self.provisioning setting in the server.properties file to temporarily disable
self-provisioning.
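The logon flow above, including the failed-login delay described under Authenticating Users, as an added Python example (this is not SSM code). The regular-expression syntax of self.provisioning.firstname and self.provisioning.lastname is assumed, and the users, rules, and authentication servers are constructed sample data.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for the server.properties settings the guide names. The syntax of the
# real name-extraction settings is assumed; these match the firstname.lastname@domain format.
DEFAULT_AUTH_DOMAIN = "customer.com"               # default authentication domain, without "@"
ENABLE_SELF_PROVISIONING = True                    # enable.self.provisioning
FIRSTNAME_RE = re.compile(r"^([^.@]+)\.[^@]+@")    # self.provisioning.firstname (assumed form)
LASTNAME_RE = re.compile(r"^[^.@]+\.([^.@]+)@")    # self.provisioning.lastname (assumed form)
LOGIN_FAIL_THRESHOLD = 3                           # login.fail.threshold
LOGIN_FAIL_DELAY = 2.0                             # login.fail.delay, in seconds

@dataclass
class User:
    logon_name: str
    first_name: str
    last_name: str
    auth_server: str                 # authentication server named in the user properties
    groups: List[str] = field(default_factory=list)

@dataclass
class SelfProvisioningRule:
    domain: str
    auth_server: str
    user_group: str

@dataclass
class LoginResult:
    ok: bool
    user: Optional[User]
    provisioned: bool                # True when this logon created the user

class AuthServer:
    """Constructed stand-in for the local database or an external RADIUS/LDAP server."""
    def __init__(self, credentials: Dict[str, str]):
        self.credentials = credentials
    def check(self, logon_name: str, password: str) -> bool:
        return self.credentials.get(logon_name) == password

class SsmLogin:
    def __init__(self, users, rules, servers, sleep: Callable[[float], None] = time.sleep):
        self.users = {u.logon_name: u for u in users}
        self.rules = {r.domain: r for r in rules}
        self.servers = servers
        self.failures: Dict[str, int] = {}   # consecutive failed attempts per logon name
        self.sleep = sleep

    @staticmethod
    def qualify(logon_name: str) -> str:
        """Step 1: append the default authentication domain if the name has none."""
        return logon_name if "@" in logon_name else f"{logon_name}@{DEFAULT_AUTH_DOMAIN}"

    @staticmethod
    def names_from_logon(logon_name: str):
        first, last = FIRSTNAME_RE.match(logon_name), LASTNAME_RE.match(logon_name)
        return (first.group(1) if first else "", last.group(1) if last else "")

    def login(self, logon_name: str, password: str) -> LoginResult:
        logon_name = self.qualify(logon_name)
        # Brute-force protection: once the threshold is reached, each further attempt is delayed.
        if self.failures.get(logon_name, 0) >= LOGIN_FAIL_THRESHOLD:
            self.sleep(LOGIN_FAIL_DELAY)
        user = self.users.get(logon_name)
        if user is not None:
            # Step 2a: known user, check against the server from the user properties.
            ok = self.servers[user.auth_server].check(logon_name, password)
            return self._finish(logon_name, ok, user, provisioned=False)
        # Step 2b: unknown user, look for a self-provisioning rule for the domain part.
        domain = logon_name.split("@", 1)[1]
        rule = self.rules.get(domain) if ENABLE_SELF_PROVISIONING else None
        if rule is None or not self.servers[rule.auth_server].check(logon_name, password):
            return self._finish(logon_name, False, None, provisioned=False)
        # Step 3: the external server accepted the user, so add the user to the database.
        first, last = self.names_from_logon(logon_name)
        user = User(logon_name, first, last, rule.auth_server, [rule.user_group])
        self.users[logon_name] = user
        return self._finish(logon_name, True, user, provisioned=True)

    def _finish(self, logon_name, ok, user, provisioned) -> LoginResult:
        if ok:
            self.failures.pop(logon_name, None)
        else:
            self.failures[logon_name] = self.failures.get(logon_name, 0) + 1
        return LoginResult(ok, user, provisioned)

def build_demo(sleep: Callable[[float], None] = time.sleep) -> SsmLogin:
    """Constructed sample: a local system manager and a RADIUS-backed customer.com domain."""
    servers = {"Local": AuthServer({"admin@customer.com": "local-secret"}),
               "CorpRadius": AuthServer({"peter.jones@customer.com": "radius-secret"})}
    users = [User("admin@customer.com", "System", "Manager", "Local", ["System managers"])]
    rules = [SelfProvisioningRule("customer.com", "CorpRadius", "Telecommuters")]
    return SsmLogin(users, rules, servers, sleep)
```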

Using Online Certificate Enrollment


When a VPN client receives a VPN policy that lacks a private key and client certificate, the VPN
client must obtain them before it can establish a VPN tunnel. The VPN client can use online
certificate enrollment to obtain certificates.
The VPN client creates a public-private key pair and a PKCS #10 certification request and sends
them to a CA. The CA uses a public-key algorithm to certify the public key and issues a
certificate for a user. The CA signs a collection of information that includes the user's
distinguished name (DN), subject alternative name, and public key. If the enrollment is
successful, the CA sends back a certificate and the VPN client is ready to establish a VPN
tunnel.
The SSM enrollment gateway (EGW) authenticates and authorizes certification requests from
Mobile VPN Client and automatically enrolls certificates from an internal or external CA if the
authentication and authorization succeed.
Some certificate enrollment protocols support two modes, manual and automatic. You agree
with the CA vendor on the mode to use.
In manual mode, the CA completes certificate enrollment after the CA administrator personally
verifies the PKCS #10 certification request. For example, the administrator can call the user on
the phone to provide verification.
In automatic mode, a preconfigured shared secret, or some other mechanism (for example,
legacy authentication based on RADIUS or LDAP), verifies the certification requests.

Using Nokia Security Service Manager as an RA


For mass deployment of certificate clients to work smoothly, you must completely automate the
CA. When the CA receives a certification request, it should automatically generate a new
certificate and return it to the requestor. This process poses a security problem, however. The CA
should issue certificates automatically only if it can verify that the requestor is legitimate. Most
of the existing CAs cannot verify this automatically.
VeriSign and EuroTrust support certificate request syntax (CRS) in automatic administration
mode to accomplish total automation. Users must first authenticate to SSM. If they are
successful, the server forwards the certification request to the CA. This process moves the
burden of authenticating certification requests from the CA to SSM, which acts as a registration
authority (RA). The CA needs to know and trust only one source of certification requests, SSM.
Figure 6 illustrates how the EGW acts as an RA.

Figure 6 Enrollment Gateway as Registration Authority

[Figure: Nokia Mobile VPN Client, SSM, and the external CA; the arrows numbered 1 to 5
correspond to the enrollment steps listed below.]

Online certificate enrollment proceeds as follows:
1. Mobile VPN Client sends a certification request to SSM.
2. SSM authenticates the user.
3. SSM uses the protocol that the external CA specifies to send the request to the external CA.
4. The external CA signs a digital X.509v3 certificate for Mobile VPN Client and sends it, or a
certificate-pending reply, to SSM.
5. SSM forwards the reply to Mobile VPN Client.
From the Mobile VPN Client point of view, the whole operation consists of a single HTTP
request-response pair.

Using Nokia Mobile VPN Client


Users can install several VPN policies on a mobile device to exchange data with multiple
companies or service providers. To enable Mobile VPN Client to negotiate VPN tunnels with a
specific VPN gateway, VPN policies are associated with VPN access points. A VPN access
point combines a VPN policy and an Internet access point.
When users select a VPN access point to connect to the network, Mobile VPN Client performs
the following tasks:
- Connects to the Internet access point that is associated with the VPN access point.
- Loads the VPN policy that is associated with the VPN access point.
- Connects to a VPN gateway to negotiate a VPN tunnel.
Users update VPN policies in two ways:
- Choose a Mobile VPN Client command.
- Select a VPN access point to connect to the network.
When users select a VPN access point to connect to the network, they start the VPN policy
update process with SSM in parallel to the logon process with a VPN gateway. Mobile VPN
Client compares the VPN policies on the mobile device with the VPN policies in SSM. Mobile
VPN Client installs new and updated VPN policies on the mobile device and removes obsolete
VPN policies from the mobile device.
When users update an active VPN policy, they do not affect current VPN tunnels. Changes
become effective the next time users select a VPN access point that is associated with the VPN
policy. When users remove the current VPN policy they do not close the current VPN tunnels.

When certificates are about to expire, Mobile VPN Client enrolls new certificates. Specify the
threshold for renewing certificates for the automatic content update service with the
acu.cert.renewal setting in the client.properties configuration file.
Mobile VPN Client uses the automatic content update service to enroll VPN certificates for
users. Mobile VPN Client enrolls new VPN certificates when they expire. The enrollment begins
when users activate a VPN policy and the renewal period for the certificate that is associated
with the VPN policy has expired. Use the SSM CLI to specify the certificate renewal period as a
property of the VPN policy.

Note
Even if you remove users from an external authentication server, certificates grant users
access to SSM until they expire. Remove users from SSM as well as from the external
authentication server to deny them access to SSM.

For more information about how to use Mobile VPN Client, see the Nokia Mobile VPN Client
User's Guide.

2 Installing Nokia Security Service Manager

This chapter describes how to install Nokia Security Service Manager (SSM):
- Choosing an Installation Option
- Minimum System Requirements
- Preparing for the Installation
- Using the Nokia Security Service Manager Installer
- After the Installation
For information about how to configure SSM, see Chapter 3, Configuring Nokia Security
Service Manager.

Choosing an Installation Option


You can install the SSM components on up to four computers. Install each component only once.
The management station is an exception. You can install the management station on several
computers to manage SSM remotely. You can install the management station also on Windows
computers.
You can either install all the SSM components on one computer or you can install the following
SSM components on separate computers:
- Server
- Web server: install the Web server separately from the server to improve performance and
  security.
- EGW: install the EGW on a dedicated computer to ensure security and improve
  performance.
- Management station: install the management station separately from the other
  components to manage SSM remotely. You can install the management station on Windows
  workstations as well as on UNIX computers.

Note
Use the Nokia Security Service Manager Planning Sheet to plan your network topology
before you install SSM.

Figure 7 illustrates an installation where the SSM components are installed on four separate
computers. The Web server is in the demilitarized zone (DMZ) and the other SSM components
are on the intranet. A firewall is placed between the Web server and SSM server.
Figure 7 Installing All SSM Components on Separate Computers

[Figure: the DMZ behind the firewall/VPN gateway holds the Nokia SSM Web server and Web
site; the server and database, the enrollment gateway (EGW), and the management station
(GUI and CLI) are on the intranet.]

Security Considerations
The security of the SSM installation is affected by where you install the SSM components.
The Web server component acts as an external interface to SSM, so applications and users must
be able to access it. You have the following options to install the Web server:
- Install the Web server in the DMZ and place a firewall between the Web server and server.
- Install the Web server on the intranet and use a proxy server between the intranet and the
  public network.
- Install the server and Web server on network segments that allow only the minimum network
  traffic to pass in and out. For example, place the Web server in Ethernet segments that do not
  contain any other servers.
Install the server and EGW on the intranet to help protect them from attacks. Preferably, use a
firewall to separate the network segment from the rest of the intranet.
You can set up the EGW to connect to an external CA for online certificate enrollment. If the CA
is in the public network, you can use a proxy server for communication between the EGW and
CA.
If you do not use a proxy server, install the EGW in a part of the intranet where it can connect to
the external CA. The EGW must be able to initiate TCP/IP communication to the CA over the
public network.
Perform the following tasks on the server and Web server to prevent unauthorized access to
SSM:
- Install the most recent security patches.
- Remove unnecessary services that might provide attackers with access to SSM.
- Deny unauthorized operating system root-level access to the computers to which you install
  SSM.

Obtaining Valid Licenses


To install and run Nokia Security Service Manager, you must obtain valid licenses for the
services that you need and the number of users you manage. You can add licenses as necessary.
You can obtain an evaluation license that allows you to install and run SSM for a set period. You
can upgrade the evaluation license to a permanent license.

Installing and Running Several Nokia Security Service Manager Instances on One Computer

In a service provider environment, for example, you can install several independent SSM
instances on one computer. Note the following:
- Obtain a separate license for each SSM instance.
- Install each SSM instance in a separate directory.
- Use a different UNIX user account as the process owner of each SSM instance.
- Specify a different port base for each SSM instance.
  The port numbers that you reserve for each SSM instance cannot overlap.
- If you specify a different Web server host name for each SSM instance as a real or virtual IP
  interface address, you can use the default port numbers for the HTTP and HTTPS ports.
  This ensures that firewalls pass automatic content update traffic on the Internet. You can,
  however, use the same host name for all Web server instances if you specify different HTTP
  and HTTPS port numbers for each instance.
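An added Python check (not part of SSM) for the port rules above: it verifies that each instance's seven reserved ports and its HTTP and HTTPS ports stay below the anonymous port range (32768 by default) and that instances on one computer neither overlap in reserved ports nor share a Web server host name and port. Instance names and host names are constructed.

```python
from dataclasses import dataclass
from typing import List

PORTS_PER_INSTANCE = 7           # the port base plus the six following port numbers
ANONYMOUS_PORT_START = 32768     # default start of the anonymous port range
DEFAULT_PORT_BASE = 26773        # default: ports 26773 through 26779


@dataclass
class Instance:
    """Constructed description of one SSM instance's network settings."""
    name: str
    port_base: int
    web_host: str                # host name of the instance's Web server
    http_port: int = 80
    https_port: int = 443


def port_range(port_base: int) -> range:
    """The seven port numbers that an instance with this port base reserves."""
    return range(port_base, port_base + PORTS_PER_INSTANCE)


def check_port(label: str, port: int, anon_start: int) -> List[str]:
    problems = []
    if not 1 <= port <= 65535:
        problems.append(f"{label}: port {port} is not a valid TCP port")
    elif port >= anon_start:
        problems.append(f"{label}: port {port} lies in the anonymous port range (>= {anon_start})")
    return problems


def check_instance(inst: Instance, anon_start: int = ANONYMOUS_PORT_START) -> List[str]:
    """Checks that apply to a single instance on its own."""
    first, last = inst.port_base, inst.port_base + PORTS_PER_INSTANCE - 1
    problems = []
    problems += check_port(f"{inst.name} port base", first, anon_start)
    problems += check_port(f"{inst.name} last reserved port", last, anon_start)
    problems += check_port(f"{inst.name} HTTP port", inst.http_port, anon_start)
    problems += check_port(f"{inst.name} HTTPS port", inst.https_port, anon_start)
    return problems


def check_instances(instances: List[Instance], anon_start: int = ANONYMOUS_PORT_START) -> List[str]:
    """Validate every instance on its own, then check that instances do not collide."""
    problems = []
    for inst in instances:
        problems += check_instance(inst, anon_start)
    for i, a in enumerate(instances):
        for b in instances[i + 1:]:
            if set(port_range(a.port_base)) & set(port_range(b.port_base)):
                problems.append(f"{a.name} and {b.name}: reserved port ranges overlap")
            same_host = a.web_host == b.web_host
            if same_host and (a.http_port == b.http_port or a.https_port == b.https_port):
                problems.append(f"{a.name} and {b.name}: same Web server host name and port")
    return problems


if __name__ == "__main__":
    # Constructed service-provider layout: two instances behind one Web server host name.
    layout = [Instance("ssm-a", DEFAULT_PORT_BASE, "ssm.example.net"),
              Instance("ssm-b", DEFAULT_PORT_BASE + PORTS_PER_INSTANCE, "ssm.example.net")]
    for problem in check_instances(layout):
        print(problem)
```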
You can use a single management station to manage all the SSM instances. In Windows, install
the management station several times to enter the host name, port base, and server certificate for
each SSM instance. The installation program creates separate icons to start the GUI and CLI to
manage each SSM instance.
In UNIX, you do not need to install the management station more than once, but you must use
the mcs trustcert management command script to import the server certificate of each SSM
instance to the trusted-key store, certs.jks, on the management station.
For more information about how to use management command scripts, see the Nokia Security
Service Manager Administration Guide.

Minimum System Requirements


Table 3 describes the minimum system requirements, which depend on the type of installation
that you choose.

Table 3 Minimum System Requirements

One computer
  Operating system:
  - RedHat Enterprise Linux v3.0 AS, ES, or WS, Intel X86 compatible
  - Sun SPARC Solaris 8 with patches
  - Sun SPARC Solaris 9
  Other requirements:
  - Java 2 Runtime Environment (J2RE) v1.4.2_04, 32-bit
  - 250 MB of available hard disk space (for a database that contains the maximum number of
    users)
  - 512 MB of RAM
  - TLS/SSL certificate for the Web server (optional)

Server
  Operating system:
  - RedHat Enterprise Linux v3.0 AS, ES, or WS, Intel X86 compatible
  - Sun SPARC Solaris 8 with patches
  - Sun SPARC Solaris 9
  Other requirements:
  - J2RE v1.4.2_04, 32-bit
  - 180 MB of available hard disk space (for a database that contains the maximum number of
    users)
  - 512 MB of RAM

Management station
  Operating system:
  - RedHat Enterprise Linux v3.0 AS, ES, or WS, Intel X86 compatible
  - Sun SPARC Solaris 8 with patches
  - Sun SPARC Solaris 9
  - Microsoft Windows 2000 with Service Pack 2 or later, or Windows XP Pro
  Other requirements:
  - J2RE v1.4.2_04, 32-bit, or J2RE 1.5
  - 20 MB of available hard disk space, which does not include the disk space that J2RE
    requires
  - 256 MB of RAM

Web server
  Operating system:
  - RedHat Enterprise Linux v3.0 AS, ES, or WS, Intel X86 compatible
  - Sun SPARC Solaris 8 with patches
  - Sun SPARC Solaris 9
  Other requirements:
  - J2RE v1.4.2_04, 32-bit
  - 95 MB of available hard disk space
  - 512 MB of RAM
  - TLS/SSL certificate for the Web server

EGW
  Operating system:
  - RedHat Enterprise Linux v3.0 AS, ES, or WS, Intel X86 compatible
  - Sun SPARC Solaris 8 with patches
  - Sun SPARC Solaris 9
  Other requirements:
  - 30 MB of available hard disk space
  - 512 MB of RAM

Note
Content and logs require additional disk space on the server, Web server, and management
station.

Preparing for the Installation


Before you can install SSM, you must perform some tasks, including:
- Installing Patches and Libraries on Solaris
- Modifying System Specifications in Solaris
- Installing J2RE
- Synchronizing System Clocks
For important product information and known issues, see the Nokia Security Service Manager
Release Notes.

Installing Patches and Libraries on Solaris


The standard installations might not contain all the functionality that SSM requires. Install
patches as described in the following sections:
- Installing Sun Patches on Solaris
- Installing SUNWzlib on Solaris 8

Installing Sun Patches on Solaris


If you install and run SSM on Solaris, install the latest patches from Sun. Install patches as root.
To view the patches that are already installed, enter the following command:
showrev -p

On Solaris 8, install at least the following patches:
- 112438-02: improves performance and implements the /dev/random random number
  generator.
- 111297: installs the libsendfile functionality.
- The patch cluster that Sun recommends you install.

Installing SUNWzlib on Solaris 8


The SSM database requires that the Zip Compression Library package, SUNWzlib, is installed
on the server computer. Since the SUNWzlib package is not part of the End User software group
on Solaris 8, you might need to manually add the packages to your Solaris 8 system. You can
find the packages on the Solaris 8 media.

Modifying System Specifications in Solaris


If you install and run SSM on Solaris, set new values for system modules in one-computer
installations or on the server computer to ensure that SSM does not run out of resources.

To modify system specifications


1. Log on as root.
2. Edit the /etc/system file.
   Add the following lines to the end of the file:
       set shmsys:shminfo_shmmax=0x2000000
       set shmsys:shminfo_shmmin=1
       set shmsys:shminfo_shmmni=256
       set shmsys:shminfo_shmseg=256
       set semsys:seminfo_semmap=256
       set semsys:seminfo_semmni=512
       set semsys:seminfo_semmns=512
       set semsys:seminfo_semmsl=32
3. Save the file.
4. Restart the computer.

Installing J2RE
SSM server requires Java 2 Runtime Environment (J2RE) v1.4.2_04, 32-bit, which is not
preinstalled on Windows or RedHat Enterprise Linux v3.0. The version that is preinstalled on
Solaris might be older than the version that SSM requires. The SSM installer checks that the
correct J2RE version is installed and prompts you to install v1.4.2_04, if necessary.
A separate management station installation also supports J2RE v1.5.
You can download J2RE v1.4.2_04 or v1.5 from the Sun Web site. Install J2RE as root.

Note
J2RE 64-bit is not supported if you run SSM on Sun SPARC Solaris.

For the SSM CLI to support characters that the US-ASCII character set does not include, such as
the Scandinavian characters, install J2RE in custom mode and select the additional languages
support option.

Synchronizing System Clocks


CA operations require accurate clocks on the server and EGW. To synchronize clocks, use the
network time protocol (NTP), for example, which distributes accurate and current time
information.

Using the Nokia Security Service Manager Installer


You can install the SSM components on up to four computers. Install each component only once.
The management station is an exception. You can install the management station on several
computers to manage SSM remotely. You can install the management station also on Windows
computers.
Choose from the following installation options:
- Server installation: installs the server, database, and management station. Always install
  this option first.
- Web server installation: installs the Web server and Web site.
- Enrollment gateway installation: installs the EGW.
- Management station installation: installs the GUI and CLI.

Selecting the Installation Directory


If the installation directory already exists, grant write (w) access to the directory to the process
owner and the group to which the process owner belongs. If the installation directory does not
exist, grant the process owner write (w) access to its parent directory.
Nokia recommends that you use the mcs rootinstall command after the installation to set root as
the owner of the installation directory. A setuid bit starts the SSM starter process as root even
though you are logged on as the process owner. The processes that the SSM starter process starts
set the user ID back to the process owner. The Web server process sets its HTTP request handlers
to nobody.
Root should also own the directories between the root directory and the installation directory and
only root should have write access to them. If you allow users other than root to modify files that
root executes, you compromise root.
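An added Python check (not part of SSM) for the ownership rule above: it walks from the root directory down to the installation directory and reports every directory that root does not own or that group or other users can write. The sample permissions are constructed; with the default os.stat the same function inspects a real installation.

```python
import os
import stat
from pathlib import PurePosixPath
from typing import Callable, Dict, List, Tuple


def path_chain(install_dir: str) -> List[str]:
    """Return "/", every directory between it and install_dir, and install_dir itself."""
    p = PurePosixPath(os.path.normpath(install_dir))
    return [str(d) for d in list(reversed(p.parents)) + [p]]


def insecure_directories(install_dir: str,
                         stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[Tuple[str, str]]:
    """Report each directory on the chain that root does not own or that group/other can write.

    With the default stat_fn this inspects the live file system; a replacement can be
    passed to evaluate recorded permissions, as in the constructed sample below.
    """
    findings = []
    for directory in path_chain(install_dir):
        st = stat_fn(directory)
        if st.st_uid != 0:
            findings.append((directory, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((directory, "writable by group or other users"))
    return findings


class RecordedStat:
    """Stand-in for os.stat that answers from a table of (uid, mode) pairs."""

    def __init__(self, entries: Dict[str, Tuple[int, int]]):
        self.entries = entries

    def __call__(self, path: str) -> os.stat_result:
        uid, mode = self.entries[path]
        # os.stat_result field order: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


# Constructed sample: the installer has run as the process owner (uid 1001) but
# mcs rootinstall has not been run yet, and /opt was left group-writable.
SAMPLE_LAYOUT = {
    "/": (0, 0o40755),
    "/opt": (0, 0o40775),
    "/opt/nssm": (1001, 0o40755),
}

if __name__ == "__main__":
    for directory, reason in insecure_directories("/opt/nssm", RecordedStat(SAMPLE_LAYOUT)):
        print(f"{directory}: {reason}")
```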

For more information about setting operating system file permissions, see Setting File
Permissions and Creating a Startup Script on page 49.

Installation Settings
When you install or configure SSM, you specify values for the fields that Table 4 describes. Find
out the values before you begin the installation.
The values are stored in the SSM configuration files, which are in the installation_directory/etc
directory. Back up the configuration files after installation. Do not change the values manually.
Use the GUI or CLI to modify the properties of the system manager account. For more
information about how to modify user properties, see the Nokia Security Service Manager
Administration Guide or the SSM Help.

Table 4 Installation Settings Checklist


Field Description

Server

Directory name Select the directory in which to install SSM.


In a one-computer installation, install all the components of one SSM instance
in the same directory.
By default, SSM is installed in the nssm directory in the current users home
directory.

Note
Root must own the installation directory or you compromise root. In addition,
only root can have write access to the directories between the root directory
and the installation directory or you compromise root.

Host name The fully qualified host name or IP address of the server.
The other SSM components use this value to communicate with the server.
Do not use the value localhost.
In Linux, the default value is the host name of the computer.

Port base Reserve this port number and the six following port numbers for SSM. By
default, port numbers 26773 through 26779 are used.
You cannot use port numbers in the anonymous port range in the computer.
By default the anonymous port range starts from port 32768.
For more information about protocols and port numbers, see the Nokia
Security Service Manager Administration Guide.

Passphrase A text string at least eight characters long.


SSM uses this value to help protect private keys and the communication
between the server, Web server, and EGW when you install them on different
computers. Specify the same passphrase for all the SSM components.

38 Nokia Security Service Manager Installation Guide


Using the Nokia Security Service Manager Installer

Table 4 Installation Settings Checklist


Field Description

Save passphrase Select this option to save the passphrase in the server.properties
configuration file.
SSM uses the passphrase to encrypt private keys, so the passphrase must
not be compromised. Save the passphrase in server.properties only if you can
be sure that unauthorized persons cannot see it.
A more secure method to save the passphrase is to use the mcs
rootproperties management command script that saves the server
passphrase in the root.properties configuration file in encrypted format. Only
root can access root.properties.
If you do not save the passphrase in server.properties or root.properties, SSM
asks you to enter it each time you start the server.

Subject DN Specify default values for the subject name of certificates that the internal CAs
issue and the subject name of the Web server certificate.
Specify the following settings in the subject DN:
CCountry (use the two-letter ISO 3166 country codes)
OOrganization
OUOrganization unit (optional)

Default authentication Default domain part of the logon names that authenticate users to SSM.
domain For example, customer.com.
Do not include the at sign (@) in the value that you define, because SSM
automatically adds it.
If a logon name does not contain a domain name, SSM appends the default
domain name to the logon name when SSM adds the user to the database
and when users log on to SSM.
For example, peter.jones@customer.com.

System manager account: The installer saves the system manager account in the database. You can use the GUI or CLI to modify it.

Last name: The last name of the system administrator.

First name: The first name of the system administrator.

Logon name: The logon name authenticates the system administrator when he or she accesses the GUI or CLI. You can decide the logon name format. Logon names are from 1 to 128 characters long.

Password: A text string at least 8 characters long. Passwords authenticate the system administrators against the server.

Email: The email address of the system administrator.

Mobile phone: The mobile phone number of the system administrator. Use the international format: +country code phone number. Optional.

2 Installing Nokia Security Service Manager

Web server

Host name: The fully qualified host name or IP address of the Web server. Use the first DNS address of the server in full format, including the domain name. In Linux, the default value is the host name of the computer.
The host name must be a routable IP address or resolvable host name, because Mobile VPN Client uses the host name to connect to the Web server. Mobile VPN Client can resolve the host name of the Web server only if the DNS server of the Internet service provider can resolve the host name.
You cannot use a dynamic network address translation (NAT) address for the Web server. If you use a fixed NAT address, you must configure the public NAT address as a part of the address of the automatic content update service.
For scalability, give different host names to the Web server and server even in a one-computer installation. This makes it possible to move the Web server to another computer to improve performance.
For more information about distributing SSM to several computers, see the Nokia Security Service Manager Administration Guide.
You cannot use the value localhost as the host name of the Web server.

HTTP port: A port number. By default, port 80 is used.
You cannot use port numbers in the anonymous port range in the computer. By default, the anonymous port range starts from port 32768.

HTTPS port: A port number. By default, port 443 is used.
You cannot use port numbers in the anonymous port range in the computer. By default, the anonymous port range starts from port 32768.

Server certificate file: The path to the server certificate and trusted certificate store that the installer or configuration script creates during the installation of the server component.
By default, the installer or configuration script calls the certificate store certs.jks and creates it in the installation_directory/etc directory.
You need certs.jks when you install the Web server and management station on a separate computer. Copy certs.jks to the Web server or management station in a secure way.
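As an added example (not part of the Nokia guide), the following POSIX shell functions check the Table 4 values before you run the installer or the configuration scripts: Web server ports below the anonymous port range, a Web server host name that is not localhost and is an FQDN or IP address, distinct server and Web server host names, the subject DN country code, an authentication domain without an at sign, and the system manager logon name and password lengths. The function names, the sample values, and the fallback of 32768 for the anonymous port range start on systems without /proc are the example's own assumptions.

```shell
# Added pre-installation checker for the Table 4 settings (example code, not Nokia's).
# Each function returns 0 when the value is acceptable and 1 otherwise.

# Start of the anonymous (ephemeral) port range. Table 4 gives 32768 as the default;
# ssm_anon_port_start reads the live value on Linux and falls back to this constant.
SSM_ANON_PORT_DEFAULT=32768

ssm_anon_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        awk '{print $1}' /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "$SSM_ANON_PORT_DEFAULT"
    fi
}

# ssm_port_ok PORT [RANGE_START]: PORT must be numeric, 1..65535 and below the
# anonymous port range. The defaults 80 (HTTP) and 443 (HTTPS) pass this check.
ssm_port_ok() {
    port=$1
    start=${2:-$(ssm_anon_port_start)}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] && [ "$port" -lt "$start" ]
}

# ssm_webhost_ok NAME: the Web server host name must not be localhost and must be a
# fully qualified name (at least one dot) or a dotted-quad IP address. Loopback
# addresses are rejected too, because Mobile VPN Client must be able to route to it.
ssm_webhost_ok() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        ''|localhost|localhost.*|127.*) return 1 ;;
    esac
    if printf '%s\n' "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        return 0
    fi
    printf '%s\n' "$name" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# ssm_hosts_distinct SERVER WEB: the guide recommends different host names for the
# server and the Web server even in a one-computer installation.
ssm_hosts_distinct() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# ssm_country_ok CODE: two-letter ISO 3166 country code in upper case.
ssm_country_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z]{2}$'
}

# ssm_authdomain_ok DOMAIN: SSM adds the at sign itself, so the value must not contain one.
ssm_authdomain_ok() {
    case "$1" in
        ''|*@*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$'
}

# ssm_logon_ok NAME: 1 to 128 characters.
ssm_logon_ok() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 128 ]
}

# ssm_password_ok PASSWORD: at least 8 characters.
ssm_password_ok() {
    [ "${#1}" -ge 8 ]
}

# ssm_check_all SERVER WEB HTTP_PORT HTTPS_PORT COUNTRY AUTH_DOMAIN LOGON PASSWORD:
# runs every check, prints one line per failure and returns the number of failures.
ssm_check_all() {
    server=$1 web=$2 http=$3 https=$4 country=$5 domain=$6 logon=$7 password=$8
    fails=0
    ssm_webhost_ok "$web"               || { echo "web host name: $web"; fails=$((fails+1)); }
    ssm_hosts_distinct "$server" "$web" || { echo "server and web host names identical"; fails=$((fails+1)); }
    ssm_port_ok "$http"                 || { echo "HTTP port: $http"; fails=$((fails+1)); }
    ssm_port_ok "$https"                || { echo "HTTPS port: $https"; fails=$((fails+1)); }
    ssm_country_ok "$country"           || { echo "country code: $country"; fails=$((fails+1)); }
    ssm_authdomain_ok "$domain"         || { echo "authentication domain: $domain"; fails=$((fails+1)); }
    ssm_logon_ok "$logon"               || { echo "logon name length out of range"; fails=$((fails+1)); }
    ssm_password_ok "$password"         || { echo "password shorter than 8 characters"; fails=$((fails+1)); }
    return $fails
}

# ssm_demo: stand-alone run with constructed sample values (not from any real installation).
ssm_demo() {
    ssm_check_all ssm-server.customer.com ssm-web.customer.com 80 443 FI customer.com admin 'constructed-pw-1'
}

ssm_demo
```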


Installing Nokia Security Service Manager in Solaris


You can use either graphical or text-based installation.

Note
If you distribute SSM to several computers, always install the server component first.

To install Nokia Security Service Manager in Solaris


1. Create a user account (called process owner in this guide) to install and run SSM. For
example, ssm.
2. Log on as the process owner.

Note
You cannot install SSM as root in Solaris.

3. The J2RE directory must be in the system path for the duration of the installation. To set the
path, enter the following commands at the command prompt:
JAVA_HOME=/J2RE_installation_directory
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
4. Enter one of the following commands to start the SSM installer:
java -jar Setup.jar (graphical installation)
java -cp Setup.jar run -console (text-based installation)
5. Specify the installation directory.
The default directory is nssm in the current user's home directory. Change the default
directory to /opt/nssm, for example.
If you install several SSM instances in the same computer, install them in different
directories.
6. Select the SSM components to install.
Table 4 explains the settings that you need to specify.
7. Follow the directions of the installer until the installation is complete.
8. If you install the server, copy SSM licenses to the installation_directory/etc/licenses
directory.
9. Set file permissions and create a startup script to enable automatic startup of SSM:
a. Log on as root.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script:
./mcs rootinstall


For more information, see Setting File Permissions and Creating a Startup Script on
page 49.
10. Start SSM to check that the installation was successful and that all the services start up:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to start
SSM:
./mcs start
d. Enter the passphrase that you specified when you installed the server component, unless
you saved the passphrase in the server.properties or root.properties configuration files.
e. At the command prompt, execute the following management command script to check
that all the SSM services started up:
./mcs status
f. Use a Web browser to access the URL of the Web site to verify the Web server
installation:
https://host_name[:port]

Note
If the Web server does not start, check that you executed the ./mcs rootinstall
management command script to set file permissions.

11. If you install the Web server, the installer generates a private key and creates a PKCS #10
certification request and a self-signed certificate for the Web server. You can use the self-
signed certificate to check that the SSM installation succeeds and that SSM starts up.
The Web server certificate authenticates the Web server to:
VPN policy management applications and the SSM policy push command that create
SSL connections to the Web server to export VPN policies to the SSM database
Users who use the SSM Web site to download content.
Before you can export VPN policies to SSM, you must send the certification request to an
internal or external CA to sign. For more information, see To obtain a TLS/SSL certificate
on page 51.

Installing Nokia Security Service Manager in Linux


Use installation scripts to install the SSM components from compressed tar packages in Linux.
You can either use a quick installation script to install and configure all SSM components in one
Linux computer in the DMZ for evaluation purposes or use the standard installation script and
configuration scripts to install SSM in the production environment and to distribute the SSM
components to several computers.


Installing All SSM Components in One Computer


Use the quick installation script to install all SSM components in one Linux computer in the
DMZ. The quick installation script performs the following tasks:
Installs all SSM components in one computer using default values where possible.
Runs the Linux configuration scripts that set parameters for the SSM components using
default values where possible.
Creates a system administrator with the logon name admin and the password that you define.
Runs the SSM example configuration scripts that create a content manager, specifies settings
for the automatic content update service, and creates an internal CA.
Runs the ./mcs rootinstall script to set file permissions and creates a startup script to enable
automatic startup of SSM.

To install all SSM components in one computer


1. Log on as root.
2. Create a user account (called process owner in this guide) to install and run SSM. For
example, ssm.
3. The J2RE directory must be in the system path for the duration of the installation. To set the
path, enter the following commands at the command prompt:
JAVA_HOME=/J2RE_installation_directory
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
4. Create an installation directory on the server, copy the installation tar files and SSM licenses
to the installation directory, and switch to the installation directory.
The quick installation script creates a subdirectory called ssm in the current working
directory and installs SSM in the ssm directory.
Root needs at least execute (x) access rights to the installation script and read (r) access
rights to the .tgz files.
The process owner needs the execute (x) access rights to all directories from the installation
directory to the root.
5. To install SSM components, enter the following command:
./quickinstall.sh
6. Enter the name of the process owner whose account you created in step 2.
7. Follow the instructions of the quick installation script. Table 4 explains the settings that you
need to specify.
Error messages might appear during the installation and configuration, because the scripts
might try to access directories that the process owner does not have the rights to access:
bash: /root/.bashrc: Permission denied
You can safely ignore the error messages.


8. Start SSM to check that the installation was successful and that all the services start up:
a. Change to the installation_directory/bin directory.
b. At the command prompt, execute the following management command script to start
SSM:
./mcs start
9. At the command prompt, execute the following management command script to check that
all the SSM services started up:
./mcs status
10. Use a Web browser to access the URL of the Web site to verify the Web server installation:
https://host_name[:port]

Distributing SSM to Several Computers


Use the standard installation script to distribute the SSM components to several computers. First
run the installation script in each computer. Then run the following configuration scripts that the
installation copies in the installation_directory/bin directory for the components that you install
in the computer:
server-config
web-config
egw-config
management-config

Note
If you distribute SSM to several computers, always install and configure the server
component first.

During the installation, the process owner needs at least execute (x) access rights to the installer
file and read (r) access rights to the .tgz files.

To distribute SSM components to several computers


1. Log on as the process owner.

Note
You cannot run the ./installer script as root.

2. The J2RE directory must be in the system path for the duration of the installation. To set the
path, enter the following commands at the command prompt:
JAVA_HOME=/J2RE_installation_directory
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH


3. To install SSM components, enter the following command:
./installer [ -d directory ] [ -t directory ] install server egw web management
where:
-d directory is the directory in which to install SSM.
-t directory is the directory where the tar files are. You can omit this parameter if the tar
files are in the same directory as the installer script.
server installs the server and management station (that is, the server package includes the
management package).
egw installs the EGW.
web installs the Web server.
management installs the GUI and CLI in a separate computer.
Select all packages to install in a particular directory at the same time. For example, enter
the following command to install all SSM components in the /opt/ssm directory:
./installer -d /opt/ssm install server egw web
You must have write permissions to the directory. If the directory does not exist, you must
have write permissions to its parent directory.
If you install several SSM instances in the same computer, install them in different
directories.
4. When you install the server component, copy SSM licenses to the installation_directory/etc/
licenses directory.
5. Change to installation_directory/bin.
6. Run configuration scripts to configure the SSM components.
Table 4 explains the settings that you need to specify.
a. Run the server-config script to configure the server. If you leave an optional field empty,
the configuration script inserts the default value for the field:
./server-config
[ --server=hostname ]
[ --portbase=port_base ]
[ --webserver=hostname ]
[ --httpport=HTTP_port ]
[ --httpsport=HTTPS_port ]
--c=country
--o=organization
[ --ou=organization_unit ]
--authdomain=default_authentication_domain
--passphrase=passphrase
[ --savepassphrase ]
[ --help ]
b. Run the web-config script to configure the Web server. If you leave an optional field
empty, the configuration script inserts the default value for the field:


./web-config
--server=server_hostname
--webserver=hostname
[ --portbase=server_port_base ]
[ --servercert=server_certificate_file ]
[ --httpport=HTTP_port ]
[ --httpsport=HTTPS_port ]
[ --passphrase=server_passphrase --savepassphrase ]
[ --help ]
Follow the instructions that the configuration script displays until the configuration is
complete.
The configuration script prompts you to enter values for country, organization, and
organization unit. Specify the same values as for the server-config script.
If the Web server host name cannot be resolved to a public IP address, you receive an
error message. To solve the problem, modify the /etc/hosts file or define nsswitch.conf to
resolve host names from DNS before it looks in the hosts file. You can either remove the
host name from the hosts file or add the IP address of the Web server external interface to
the hosts file. Then run the web-config script again.
c. Run the egw-config script to configure the EGW. If you leave an optional field empty, the
configuration script inserts the default value for the field:
./egw-config
--server=server_hostname
[ --portbase=server_port_base ]
[ --passphrase=server_passphrase --savepassphrase ]
[ --help ]
When you install the management station in a separate Linux computer, run the
management-config script to configure the management station. If you leave an optional
field empty, the configuration script inserts the default value for the field:
./management-config
--server=server_hostname
[ --portbase=server_port_base ]
[ --servercert=server_certificate_file ]
[ --help ]
7. Set file permissions and create a startup script to enable automatic startup of SSM:
a. Log on as root.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script:
./mcs rootinstall
For more information, see Setting File Permissions and Creating a Startup Script on
page 49.


8. Start SSM to check that the installation was successful and that all the services start up:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to start
SSM:
./mcs start
d. Enter the passphrase that you specified when you installed the server component, unless
you saved the passphrase in the server.properties or root.properties configuration files.
e. At the command prompt, execute the following management command script to check
that all the SSM services started up:
./mcs status
f. Use a Web browser to access the URL of the Web site to verify the Web server
installation:
https://host_name[:port]

Note
If the Web server does not start, check that you executed the ./mcs rootinstall
management command script to set file permissions.

9. If you install the Web server, the configuration script generates a private key and creates a
PKCS #10 certification request and a self-signed certificate for the Web server. You can use
the self-signed certificate to check that the SSM installation succeeds and that SSM starts
up.
The Web server certificate authenticates the Web server to:
VPN policy management applications and the SSM policy push command that create
SSL connections to the Web server to export VPN policies to the SSM database
Users who use the SSM Web site to download content.
Before you can export VPN policies to SSM, you must send the certification request to an
internal or external CA to sign. For more information, see To obtain a TLS/SSL certificate
on page 51.


Installing Management Station in Windows


You can use management station v3.0.1 to manage server v3.0 and v3.0.1. You can install
several versions of management station on the same computer in separate directories.

Note
If you use Nokia IP VPN, install Nokia VPN Manager before you install the SSM
management station. This enables you to start the SSM GUI directly from VPN Manager and
to export profiles from VPN Manager to the SSM database.

To install the management station in Windows


1. Copy the server certificate file, certs.jks, from the installation_directory/etc directory on the
server to the management station.
2. Double-click Setup.exe.
The launcher extracts the installation package to a temporary directory. If the directory does
not have enough space, installation fails. To restart the installation, enter the following
command:
Setup.exe -is:tempdir directory
Specify a directory that contains enough free disk space (at least the size of the executable
file) for the launcher to write temporary files.
3. Follow the directions on the setup wizard until the installation is complete.
You can specify the installation directory during the installation.

After the Installation


The following sections describe the tasks that you must perform after the installation:
Setting File Permissions and Creating a Startup Script
Saving the Server Passphrase
Obtaining TLS/SSL Certificates
Using Example Configuration Scripts
Backing Up the Installation Directory
You can skip the above tasks, except backing up the installation directory, if you use the quick
installation script, ./quickinstall.sh, in Linux.


Setting File Permissions and Creating a Startup Script


The mcs rootinstall command performs the following tasks:
Creates a startup script in the computer.
Sets file permissions to remove unnecessary access rights from the process owner.
Allows you to start the Web server as the process owner even though you use the default port
numbers for the Web server.

Setting File Permissions


The mcs rootinstall command sets to root the ownership of the following subdirectories in the
installation directory and the critical executables and configuration files in the subdirectories:
bin
etc
lib
_uninst
pgsql
apache
This process helps protect the system from attackers if they manage to break into the computer
by using the account of the process owner.
The mcs rootinstall command grants permissions to the UNIX group of the process owner, so do
not add unauthorized users to the group.
The mcs rootinstall command changes the file permissions in the installation_directory/apache
directory so that you can start the Web server as the process owner even though you specify
HTTP or HTTPS port numbers smaller than 1024 for the SSM Web server (default port
numbers).
The mcs rootinstall command displays a list of directories that root does not own. If you allow
users other than root to modify files that root executes, you compromise root. Nokia
recommends that you change the ownership of the listed directories to root. All the directories
from the root directory to the installation directory must be writable only by root or you
compromise root.
Root must own the starter process, because it is a setuid program. Startup scripts point to the
directory where the starter process and mcs command are, so root must also own all directories
from the starter process directory up to the root directory.
The startup script automatically starts SSM when you start the computer.
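The following added shell function (example code, not part of the Nokia guide or of the mcs script) performs the check that the mcs rootinstall output asks you to act on: it walks from the directory that holds the starter process and the mcs command up to the root directory and reports every directory that is not owned by root or is writable by its group or by others. The function names and the use of ls -ldn to read ownership and mode portably are the example's own assumptions.

```shell
# Added path-chain check (example code, not Nokia's): every directory from DIR up to /
# must be owned by root and writable only by root, because the startup scripts and the
# setuid starter process resolve their paths through these directories.
#
# ssm_path_chain_check DIR
#   Prints one line per offending directory (path, owner uid, mode). Returns 0 when the
#   whole chain is owned by root and writable only by root, 1 when any directory fails,
#   and 2 when DIR does not exist.
ssm_path_chain_check() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 2; }
    bad=0
    while :; do
        # ls -ldn prints the mode string first and the numeric owner uid third,
        # on both Linux and Solaris.
        set -- $(ls -ldn "$dir")
        mode=$1
        uid=$3
        group_w=$(printf '%s' "$mode" | cut -c6)
        other_w=$(printf '%s' "$mode" | cut -c9)
        if [ "$uid" -ne 0 ] || [ "$group_w" = w ] || [ "$other_w" = w ]; then
            echo "$dir owner-uid=$uid mode=$mode"
            bad=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# ssm_bin_chain_check INSTALL_DIR: wrapper for installation_directory/bin, the directory
# that holds the starter process and the mcs command.
ssm_bin_chain_check() {
    ssm_path_chain_check "$1/bin"
}
```

Run ssm_bin_chain_check against the installation directory after ./mcs rootinstall; an empty output and exit status 0 mean no directory in the chain needs its ownership or permissions changed.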


Process Watchdog
The starter process runs in the background and acts as a watchdog for the processes that it starts,
except for the Web server process. The starter process restarts processes when necessary and
records the following information in installation_directory/logs/starter.log:
Process ID (pid) of the process that stopped
Command line of the process that restarted

Saving the Server Passphrase


SSM components require the server passphrase to start up. After you set the file permissions,
you can execute the mcs rootproperties management command script to save the server
passphrase in the root.properties configuration file. If you do not save the passphrase, SSM stops
the startup process and waits until you enter the passphrase from the console.
Enter the server passphrase as a parameter of the mcs rootproperties script. The script encrypts
the passphrase and stores it in the root.properties configuration file. Only root can access
root.properties.

To save the server passphrase in root.properties


1. Log on as root.
2. Change to the installation_directory/bin directory.
3. At the command prompt, enter:
./mcs rootproperties passphrase
SSM encrypts the server passphrase and stores it in root.properties.
When you start the server, SSM does not ask for the server passphrase.

Obtaining TLS/SSL Certificates


Obtain a transport layer security/secure sockets layer (TLS/SSL) certificate for the Web server
from an internal or external CA. The Web server certificate authenticates the Web server to:
VPN policy management applications and the SSM policy push command that create SSL
connections to the Web server to export VPN policies to the SSM database
Users who use the SSM Web site to download content.
The SSM installer generates a private key and creates a certification request and a self-signed
certificate. You can use the self-signed certificate (installation_directory/apache/conf/ssl.crt/
server.crt) to check that the SSM installation succeeds and that all the SSM components start up.
Use the certification request file to request certification from a CA.


Note
SSM does not allow you to use the internal CA that issues certificates for the automatic
content update service to sign the TLS/SSL certificate of the Web server. You can create
another SSM internal CA for this purpose.

You can use an example configuration script to create an internal CA and enroll the server
certificate from the internal CA.

To obtain a TLS/SSL certificate


1. Send the certification request file, installation_directory/apache/conf/ssl.crt/server.p10, to a
CA to request certification.
2. After you receive the certificate, server.crt, from the CA, copy the certificate to the
installation_directory/apache/conf/ssl.crt/ directory.
3. Restart the Web server to take the new certificate to use:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. To stop the Web server, enter:
./mcs web stop
d. To start the Web server, enter:
./mcs web start
You can also use the create_vpnca sample configuration script to specify settings for an internal
CA and request certification for the Web server from the internal CA. The script only works if
you install the server and Web server in the same computer.

Using Example Configuration Scripts


The example configuration scripts illustrate how you can use the CLI commands in scripts to
automate SSM management tasks.
The standalone Linux installation runs the example configuration scripts after it installs and
configures SSM. On Solaris and after a distributed installation on Linux, you must run the
scripts manually.
You can use the following example configuration scripts:
create_content_manager: creates a content manager account and adds it to the Content
Managers user group.
create_acu_service: sets up the automatic content update service.
create_vpnca: creates an internal CA that issues a server certificate for the Web server.
The use cases describe how to use the example configuration scripts in more detail.
For more information about how to use the GUI or CLI to modify the settings that the example
configuration scripts specify, see the Nokia Security Service Manager Administration Guide.


To use an example configuration script to create an internal CA


1. Log on as the process owner.
2. Enter the following command:
./create_vpnca
3. Enter the username and password of a system administrator.
SSM performs the following tasks:
Checks that the Web server has been installed.
Checks that the Web server is not running and stops it if necessary.
Uses CLI commands to create an internal CA.
The entity name of the internal CA is CompanyVPNCA.
Uses CLI commands to request certification for the Web server from the internal CA.
SSM uses the server.p10 certification request in installation_directory/apache/conf/ssl.crt/
and stores the certificate that the internal CA issues, server.crt, in the same directory.

Backing Up the Installation Directory


After you install SSM, back up the installation directory or at least the etc directory. The etc
directory contains SSM configuration files and the following certificates and keys as encrypted
files:
Master key: mk.save
RMI TLS/SSL private keys: server.jks
Server certificate: certs.jks
You need these files to restore SSM from backups.



3 Configuring Nokia Security Service Manager

This chapter contains examples of how to extend the enterprise network to mobile devices and
how to move from legacy authentication to certificate-based authentication:
Extending the Enterprise Network to Mobile Devices
Moving from Legacy Authentication to Certificate-Based Authentication
Using an External CA

Extending the Enterprise Network to Mobile Devices


Your company uses an enterprise VPN to connect sites and provide remote access to employees
who use their laptops.
Your company uses challenge-response authentication as the method to authenticate users to the
VPN gateway. A RADIUS server authenticates users. Users generate one-time passwords with
SecurID tokens. However, this example is relevant also when users have fixed passwords.
Your task is to securely extend the enterprise VPN to mobile devices, such as the Nokia 9500
Communicator or the Nokia 6630 phone. Give users mobile devices and use SSM to set up
access from the mobile devices to the users' email and other services and resources on the
enterprise network. Use Mobile VPN Client to encrypt all connections from mobile devices to
the enterprise network.


Figure 8 Extending the Enterprise Network to Mobile Devices
[Figure: DMZ with SSM server and database, SSM enrollment gateway, SSM Web server and SSM management station; firewall/VPN gateway; Internet and operator mobile network; policy management software; RADIUS or Nokia LDAP server; mail gateway (SMTP); Nokia Mobile VPN Client.]

Extending the enterprise network to mobile devices includes the following tasks:
Specifying Settings for Automatic Content Update
Specifying Settings for a RADIUS Server
Creating a Content Manager Account
Configuring Client Access Policy for Challenge-Response Authentication to VPN Gateways
Deploying Policies to Mobile Devices
Specifying Settings for VPN Access Points
Installing Software and Settings on Mobile Devices
The following sections describe the preceding tasks at a general level. For detailed information
about a task and the options that you have, see the Nokia Security Service Manager
Administration Guide or the SSM Help.

Specifying Settings for Automatic Content Update

Note
You can skip this task if you use the quick installation script in Linux. The quick installation
script runs the example configuration script to specify the settings for you.

Set up the SSM automatic content update service to automate updates of VPN policies and VPN
certificates to mobile devices. The automatic content update service receives content update
requests from Mobile VPN Client, processes the requests, and sends responses to Mobile VPN
Client.
The automatic content update service uses HTTP for transport. The Web server handles the
HTTP communication with Mobile VPN Client and processes the messages.


When you start the Web server for the first time, the Web server performs the following
operations to initialize:
Opens a secure connection to the SSM server.
Fetches an automatic content update service certificate and key pair and caches them for use
when the Web server processes content update requests.
To create an encrypted connection to the server, the Web server uses a shared secret. SSM
generates the shared secret from a passphrase that you enter when you install the Web server.
The automatic content update service uses this connection later to serve requests that do not
include user authentication information.
Use the SSM example configuration script to specify settings for the automatic content update
service. Use the SSM GUI to check the settings. The settings must be in place for the use case to
succeed.
You can save the settings as a SIS file that you can install to mobile devices.

To specify settings for the automatic content update service


1. Log on as the process owner.
2. Enter the following command:
./create_acu_service
3. Enter the username and password of a system administrator.
SSM uses CLI commands to perform the following tasks:
Create an internal CA for the automatic content update service with the entity name
AutomaticContentUpdateCA.
Add the internal CA entity as an authentication server with the name Authentication
Server for Automatic Content Update.
Generate a private key and certificate for the automatic content update service. The
certificate authenticates the Web server to Mobile VPN Client when VPN policies are
automatically updated.
Specify settings for the automatic content update service.
Create a user group with the name AutomaticContentUpdateUserGroup.
Map the certificate enrollment content entry for the internal CA,
AutomaticContentUpdateCA, to the user group, AutomaticContentUpdateUserGroup.
Use the CLI to save the automatic content update settings as a SIS file. You can deliver the
address and certificate of the automatic content update service and a client certification request
template to Mobile VPN Client in the SIS file.

To save settings for the automatic content update service as SIS files
1. Log on as the process owner.
2. Change to the installation_directory/bin directory.
3. To start the CLI and make the SIS file, enter the following command:
./cli sis acu


SSM saves the settings as the file serverconf.sis in the installation_directory/bin directory in
Windows and the specified directory or current directory in Solaris and Linux.
The sis acu command makes a SIS file that is compatible with the Nokia 9500
communicators and Nokia 9300 smartphones.
For more information about how to make SIS files that are compatible with other supported
mobile devices, see the Nokia Security Service Manager Administration Guide.
4. Deliver the SIS file to users in a secure way together with Mobile VPN Client.

Specifying Settings for a RADIUS Server


SSM authenticates all access. Administrators and users use logon names and passwords to
authenticate. The server verifies user identity either against the database or an external
authentication server, such as a RADIUS or LDAP server.
You can use self-provisioning to automatically add the users of mobile devices to the database.
Add your RADIUS server as an authentication server in SSM and create a self-provisioning rule.
SSM adds the users to the database after they successfully authenticate to the server.
After users install Mobile VPN Client, they can install VPN policies from SSM.
For more information about how to use the local database or an LDAP server for authentication
instead of a RADIUS server, see the Nokia Security Service Manager Administration Guide.

To specify settings for RADIUS authentication


1. Start the SSM GUI.
2. In the main view, Settings pane, choose Content Delivery > Authentication to specify
settings for the RADIUS server in the Authentication Servers view:
a. Choose Edit > Create New to add a RADIUS server.
b. Give the server the name RADIUSserver.
c. Specify settings for the primary RADIUS server.
3. Click the Self-Provisioning Rules tab to create a self-provisioning rule:
a. Choose Edit > Create New to open the Self-Provisioning Rule Properties dialog box.
b. Set self-provisioning rules for an authentication domain for the users that the RADIUS
server authenticates.
c. Give the authentication domain the name of your Internet domain, in this example
customer.com.
This is also the users' domain in the RADIUS server.
d. Select AutomaticContentUpdateUserGroup as the default group.
The example configuration scripts create this user group to use the automatic content
update service.


Creating a Content Manager Account

Note
You can skip this task if you use the quick installation script in Linux. The quick installation
script runs the example configuration script to create the content manager for you.

You need a content manager account to export VPN policies from VPN policy management
software to the SSM database and use policy push to create VPN policies in the database. The
commands that you use to export or create VPN policies require that you specify the content
manager logon name and password.
Use an SSM example configuration script to create a content manager.

To create a content manager


1. Log on as the process owner.
2. Change to the installation_directory/bin directory.
3. Enter the following command:
./create_content_manager
4. Enter the username and password of a system administrator.
SSM uses CLI commands to create a content manager with the logon name
ContentManager, to generate a password for the content manager, and to map the content
manager to the predefined Content Managers user group in the database.
5. Write down the password of the content manager.
You can use the GUI or CLI to change the password.

Configuring Client Access Policy for Challenge-Response Authentication to VPN Gateways

Your company can use the following VPN gateways to create an enterprise VPN that connects
sites and provides remote access to employees:
Nokia IP VPN Gateway
Nokia IP Security Platform
Cisco VPN 3000 Series Concentrator
To configure client access to a VPN gateway, you use VPN policy management software to
create a VPN policy for challenge-response authentication and to export the VPN policy to the
SSM database.
SSM automatically converts VPN policies to the Symbian format that Mobile VPN Client
supports. SSM adds a fingerprint and the word CONVERTED to VPN policy names. Mobile
VPN Client strips the additional information and displays only the VPN policy name up to the
first colon (:).


SSM stores the original policies with the converted policy.


For Mobile VPN Client to trust the VPN gateway, you use the SSM internal CA to sign the
device certificate of the VPN gateway.
The following sections describe how to configure client access policy for each supported VPN
gateway. For more information, see the Nokia Security Service Manager Administration Guide
and the product documentation for the VPN gateway.

Nokia IP VPN Gateway


Use Nokia VPN Manager to configure client access to Nokia IP VPN Gateway.
IP VPN Gateway supports certificate-based and challenge-response authentication. Because
authentication is part of IKE Phase 1, you define separate IKE policies for certificate-based and
challenge-response authentication. You can use the same IPSec policy for both authentication
methods.
In addition, you configure IP VPN Gateway to allow challenge-response authentication against a
RADIUS server.
Generate a client profile for an entire group of clients, such as all mobile devices. Distribute the
same client profile to all users in the group. Users use usernames and passwords or passcodes to
authenticate to IP VPN Gateway.
For more information about how to use VPN Manager, see the Nokia IP VPN Gateway
Configuration Guide.

To configure client access for challenge-response authentication


1. Start VPN Manager.
In UNIX, enter the following command:
./mcs nvm
In Windows, choose Start > Programs > Nokia > Nokia Security Service Manager 3.0 >
Nokia VPN Manager with Nokia SSM.
2. Choose Gateway > Properties > Client Access > IPSec Clients > Client Policy to specify
client IPSec and IKE policies:
a. Select a CA in the Select Certification Authority for IKE authentication list.
The certificate of this CA authenticates IP VPN Gateway to Mobile VPN Client.
If the list is empty, use VPN Manager to create an internal CA.
b. In Clients will connect using the following IPSec policy, click New to define IPSec
policy for mobile device access.
c. Click Settings > Add to specify IKE policy settings for mobile device access.
For more information about the settings that Mobile VPN Client supports, see the Nokia IP
VPN Gateway Configuration Guide.


3. Choose Gateway > Properties > Client Access > IPSec Clients > Client Access to configure
IP VPN Gateway to use challenge-response authentication.
a. In the Challenge Response Clients group, check the Allow clients to connect using
Challenge Response authentication box.
b. Click Password or SecurID or both to select authentication methods.
4. Choose Local Configuration > Services > External Authentication and specify settings for a
RADIUS server:
In the Set the order of authentication methods field, set RADIUS to 1.
In the Usage group, check the Client access box.
Click New to specify settings for a RADIUS server.
5. Choose Gateway > Properties > Local Configuration > Services > DNS to specify domain
name system (DNS) servers for the internal network.
Mobile VPN Client uses DNS services when users select VPN access points to access the
enterprise network.
To view which DNS server Mobile VPN Client uses, choose Gateway > Properties > Client
Access > IPSec Clients > Internal Addressing.
6. Click the Remote Clients tab to configure mobile devices:
a. Choose Profile > New to create a generic profile for challenge-response authentication.
Give the profile the name MobileDeviceProfile.
b. If you use IP VPN Gateway v6.3, select Nokia Mobile VPN Client in the Generate
profiles for list.
c. Click New to create a new gateway access filter.
Give the filter the name MobileDeviceAccessFilter.
d. In the Establish tunnels to remote gateway list, select the VPN gateway that the Mobile
VPN Client connects to.
e. If you use internal addressing, check the Assign client IP address from the Default IP
Address pool box.
f. In the Select an IKE policy list, select the IKE policy for mobile device access that you
specified in step 2.
g. In the Use authentication method group, select the Challenge Response option.
7. Click Profile > Export Profiles to Nokia Security Service Manager to export profiles to
SSM.
8. Use the SSM content manager account to log on to SSM.
For detailed information about using VPN Manager, see the Nokia IP VPN Gateway
Configuration Guide.


Nokia IP Security Platform


You use the integrated Nokia Firewall/VPN Appliance, which offers Check Point VPN-1/FW-1
on a Nokia platform and the Nokia IPSO operating system.
Use the Check Point SmartDashboard to configure client access to Nokia VPN-1 Net. For more
information about how to use the SmartDashboard software, see the Check Point SmartCenter
Guide NG_AI.

Note
This section contains examples of how to use the SmartDashboard NG with Application
Intelligence (NG_AI) software to configure client access. For more information about how to
use other SmartDashboard software versions, see Check Point product documentation.

Configuring client access to the IP security platform includes the following steps:
To add a RADIUS server to a host node
To create user groups
To create an external user profile for challenge-response authentication
To add an SSM internal CA to SmartDashboard
To edit Check Point gateway properties
To add rules
To use Office Mode
To set a port number for NAT traversal
To export the generic client profile to the SSM database

To add a RADIUS server to a host node


1. Choose Manage > Network Objects > New > Node > Host to open the Host Node dialog box
and specify settings for the RADIUS server.
2. Choose Manage > Servers and OPSEC Applications > New > RADIUS to open the
RADIUS Server Properties dialog box:
a. Select the RADIUS server in the Host list.
b. In the Service list, select RADIUS if the RADIUS server listens on port 1645, or
NEW-RADIUS if the server listens on port 1812.
c. Type a shared secret for the RADIUS server in the Shared Secret text field.
You can also use an LDAP server for authentication instead of a RADIUS server.


To add an LDAP server to a host node


1. Choose Manage > Network Objects > New > Node > Host to open the Host Node dialog box
and specify settings for the LDAP server.
2. Choose Manage > Servers and OPSEC Applications > New > LDAP Account Unit to define
a new LDAP account unit in the LDAP Account Unit Properties dialog box:
a. Check the CRL retrieval box if you publish the CRL to the LDAP server.
You must use SSM to include the CRL distribution points to client certificates in the
internal CA properties.
b. Check the User management box to authenticate users against the LDAP server.
c. In the Profile list, select the profile of your LDAP server vendor.
d. Click the Servers tab and Add to add the LDAP server to the server list.
e. In the LDAP Server Properties dialog box, select a host in the Host list.
f. Type the username and password of the administrator of the LDAP server in the Login
DN and Password text fields.
Retype the password in the Confirm password text field to catch typing errors.
You specify the same LDAP administrator username and password in the authentication
server properties in SSM.
g. In the Early Versions Compatibility server list, select the same host as in step e.
h. Click the Objects Management tab and then Add to define two search bases in the Fetch
branches field.
If you use Microsoft Active Directory, define both the branch where the CRL is and the
branch where the users are.

To create user groups


1. Choose Manage > Users and Administrators > New > User Group.
2. Give the user group the name MobileDeviceUserGroup.

To create an external user profile for challenge-response authentication


1. Choose Manage > Users and Administrators > New > External User Profile > Match all
users to create a generic* user profile.
2. Click the Authentication tab:
a. In the Authentication Scheme list, select RADIUS.
b. In the Select a RADIUS server or Group of Servers list, select the RADIUS server.
c. If you use LDAP authentication, select VPN-1 FireWall-1 password and specify a
Password in the Password field.
3. Click the Encryption tab and select IKE as the client encryption method.
4. Click Edit to edit IKE settings and deselect the Public Key option.
5. Click the Groups tab and add the MobileDeviceUserGroup to the Belongs to Groups box.


To add an SSM internal CA to SmartDashboard

Note
Do not add the certificate of the SSM internal CA that issues certificates for the automatic
content update.

1. Choose Manage > Servers and OPSEC Applications > New > Certificate Authority and add
the SSM internal CA, CompanyVPNCA, to establish trust between Check Point and SSM.
2. Give the SSM internal CA the name CompanyVPNCA.
3. Click the OPSEC PKI tab and then Get to import the CA certificate of CompanyVPNCA.
4. If you publish the CRL of CompanyVPNCA to an LDAP server, check the LDAP Server(s)
(Requires an LDAP Account Unit) box.
5. If you publish the CRL of CompanyVPNCA to the SSM Web site, check the HTTP Server(s)
box.
Click View to check the CRL distribution points from where the VPN gateway fetches the
CRL.
Add the certificates of the following CAs to SmartDashboard:
CA that issues a device certificate for the VPN gateway
CA that issues the certificate of the SSM Web server

To edit Check Point gateway properties


1. Choose Manage > Network Objects > Check Points, select a Check Point gateway, and click
Edit to open the Check Point Gateway dialog box.
The VPN gateway is called CustomerCluster in this example.
2. Click VPN to specify settings for the VPN domain.
3. Click Add to add the RemoteAccess community to the list of VPN communities that the
gateway participates in.
4. Click Add under Certificate List to request a device certificate for the Check Point gateway
in the Certificate Properties dialog box:
a. Select the SSM internal CA, CompanyVPNCA, in the Certificate Authority list.
b. Click Generate to generate a certification request.
c. Type a distinguished name in the DN text field.
d. Select the Define Alternate Name option and click Add to add the IP address of the
external interface of the Check Point gateway.
Mobile VPN Client uses the IP address to locate the CA.
e. Click View to display the certification request.
f. Copy and paste the certification request to a text editor and save it as a file.
5. Import the certification request to SSM for CompanyVPNCA to sign.


6. In the Certificate Properties dialog box, click Get to get the certificate.
7. Choose Policy > Install to send the changes to the gateway.

Note
Save the configuration. If the connection closes before you save the configuration, you
lose all the changes.

To add rules
1. Choose Rules > Add Rule.
2. Add a policy rule and select a user group to accept encrypted traffic to and from that user
group through the remote access community.
3. Add a policy rule to accept HTTP traffic from Mobile VPN Client through the Internet to the
SSM Web server.

To use Office Mode


1. Choose Policy > Global Properties > Remote Access > VPN - Basic and check the Support
remote access VPN using Nokia clients box to enable Nokia features.
2. Choose Manage > Network Objects > New > Network to add an internal IP address pool.
If you specify the internal addressing network in the external network, it appears in External
Objects. To specify the internal addressing network also in the encryption domain of the
gateway:
Use the correct netmask.
Define appropriate routes.
Insert an IP pool range.

Example: The public interface of the VPN gateway has the IP address 60.21.163.193/29 and the
private internal addressing pool is in the range 100.21.163.128 through 100.21.163.135. Use the
netmask 255.255.255.128 for the internal host address 100.21.163.1, and the same netmask,
255.255.255.128, for the IP pool network.
These definitions split the address space into two different networks, 100.21.163.0/25 for the
internal hosts and 100.21.163.128/25 for the pool, which avoids routing problems. To keep the
hosts and the pool in the same network instead, specify routes on the hosts.
3. Edit the Check Point gateway properties:
a. Click Remote Access > Office Mode.
b. Select Allow Office Mode to all users or Offer Office Mode to group to restrict access to
office mode to a group.


c. Select the Manual (using IP pool) option and select the internal addressing network in the
Allocate IP from network list.
d. Click Optional Parameters to select DNS and WINS servers for Mobile VPN Client.
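The netmask arithmetic in the Office Mode procedure is easy to get wrong, and an overlap between the Office Mode pool and an existing network produces routing problems that only surface when clients connect. The following Python script is an added example, not part of SSM or of the original guide. It takes the addresses from the example above as constructed input and checks three things before you commit the gateway configuration: that the pool fits inside a single network under the chosen netmask, that the internal hosts and the pool land in different networks (so no per-host routes are needed), and that the pool does not collide with the network of the public interface. Running it with the netmask 255.255.255.0 instead shows the single-network case that requires host routes.

```python
import ipaddress

# Constructed values, copied from the example in the guide; adjust for your network.
PUBLIC_INTERFACE = "60.21.163.193/29"
INTERNAL_HOST = "100.21.163.1"
POOL_FIRST, POOL_LAST = "100.21.163.128", "100.21.163.135"
NETMASK = "255.255.255.128"


def network_for(address, netmask):
    """Network that `address` belongs to under `netmask` (host bits masked off)."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def pool_fits(first, last, netmask):
    """True if the whole pool range lies inside one network under `netmask`."""
    return ipaddress.ip_address(last) in network_for(first, netmask)


def pool_network(first, last, netmask):
    """Network the Office Mode pool lives in; refuse a range that straddles a boundary."""
    if not pool_fits(first, last, netmask):
        raise ValueError(f"pool {first}-{last} crosses the {netmask} network boundary")
    return network_for(first, netmask)


def check_office_mode(public_if, internal_host, pool_first, pool_last, netmask):
    """Report how the Office Mode pool relates to the gateway's other networks.

    Returns a dict with the pool network, the internal hosts' network, whether the
    two are distinct (routable without per-host routes) and whether the pool
    collides with the public interface network, which must never happen.
    """
    public = ipaddress.ip_interface(public_if).network
    pool = pool_network(pool_first, pool_last, netmask)
    internal = network_for(internal_host, netmask)
    return {
        "pool_network": str(pool),
        "internal_network": str(internal),
        "separate_networks": not pool.overlaps(internal),
        "collides_with_public": pool.overlaps(public),
    }


if __name__ == "__main__":
    # The guide's netmask, then the single-network alternative that needs host routes.
    for mask in (NETMASK, "255.255.255.0"):
        result = check_office_mode(PUBLIC_INTERFACE, INTERNAL_HOST, POOL_FIRST, POOL_LAST, mask)
        print(mask, result)
```

With the guide's netmask the script reports 100.21.163.0/25 for the hosts and 100.21.163.128/25 for the pool, as separate networks; with 255.255.255.0 both fall into 100.21.163.0/24 and the "separate_networks" flag turns false.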

To set a port number for NAT traversal


1. Choose Policy > Global Properties > Remote Access > VPN - Basic and check the Support
remote access VPN using Nokia clients box to enable Nokia features.
2. Choose Gateway > Edit > Remote Access.
3. Check the Support NAT traversal mechanism (UDP encapsulation) box and select
VPN1_IPSEC_encapsulation in the Allocated port list.
4. Choose Manage > Services to edit the VPN1_IPSEC_encapsulation object.
5. Use the default port number when you create VPN policies for mobile devices.
When you create VPN policies for Windows clients, select the UDP/9872 port number.

To export the generic client profile to the SSM database


Execute the vpn nssm_topology command from the command line, with the following
parameters:
vpn -d nssm_topology
    -url "https://host_name/nssm/updateContentList"
    -dn "CN=CompanyVPNCA,O=Customer,C=GB"
    -name "ContentManager@customer.com"
    -pass "zw5469yh"
    -action drop
where host_name is the host name of the SSM Web server and -dn is the subject name of the
certificate of the Web server. The SSM GUI displays the subject name in the Certificate
Properties dialog box, Subject Name text field.
Note that -pass places the content manager password on the command line, where other local
users can read it from the process list and where the shell history retains it; the same applies
to the -p option of the policypush command described later in this chapter.
You can add an OPSEC application that exports external user profiles to SSM or export profiles
from the command line. You specify the name of the OPSEC product and application when you
create the product and add the application. For more information, see the Nokia Security Service
Manager Administration Guide.

Cisco VPN 3000 Series Concentrator


Use the Cisco VPN 3000 Concentrator Series Manager to configure client access:
To add the certificate of the SSM internal CA to the VPN gateway
To request a device certificate for the VPN gateway from the SSM internal CA
To configure internal address pools (optional)
To configure NAT traversal
To define protected networks (optional)
To configure client access for challenge-response authentication
To use SSM policy push


To add the certificate of the SSM internal CA to the VPN gateway


1. Use the SSM GUI to export the root certificate of the SSM internal CA to a file:
Choose Services > Certificate Enrollment > CompanyVPNCA > Properties > Protocol
Properties > View > Save As and save the certificate as a file.
2. Start the Cisco VPN 3000 Concentrator Series Manager.
3. Choose Administration > Certificate Management > Installation > Install CA certificate >
Upload File from Workstation, and click Browse to locate the certificate file.
4. Click Install.
5. Choose Administration > Certificate Management > Configure to configure CRL checking:
a. Click the CRL Retrieval tab and select Use CRL distribution points embedded in
certificate being checked
b. Click the CRL Caching tab and check the Enabled box and the Enforce Next Update box.
The VPN gateway does not work if the CRL is empty. Therefore, make sure that the CRL
contains at least one revoked certificate.

To request a device certificate for the VPN gateway from the SSM internal CA
1. In the Cisco VPN 3000 Concentrator Series Manager, choose Administration > Certificate
Management > Click here to enroll with a Certificate Authority > Enroll via PKCS10
Request (Manual) to create a PKCS #10 certification request:
a. Enter values in the Common Name (CN), Organization (O), Country (C), and Key Size
fields.
The CN appears in digital certificate lists. Enter the common name
IdentityfromCompanyVPNCA.
b. Click Enroll.
2. Use the SSM GUI to import the certification request to SSM for CompanyVPNCA to sign:
a. Choose Services > Certificate Enrollment > CompanyVPNCA > Certificates issued >
Create New > Import PKCS #10 file > Browse to locate the certificate file.
You can also paste the certification request into the field.
b. Click Export to save the certificate as a file.
3. In the Cisco VPN 3000 Concentrator Series Manager, choose Administration > Certificate
Management > Installation > Install certificate obtained via enrollment.
4. Click Install > Upload File from Workstation and click Browse to locate the certificate file.
5. Click Install.
The device certificate appears in the Certificate Manager in the Identity Certificates list.


To configure internal address pools (optional)


1. Optionally, in the Cisco VPN 3000 Concentrator Series Manager, choose Configuration >
System > Address Management > Pools > Add to add an internal IP address pool.
Nokia recommends that you specify internal IP address pools.
You can also specify an IP address pool for a particular user group.
2. Choose Assignment to define how Mobile VPN Client obtains IP addresses.
3. Check the Use Address Pools box.
4. Click Add.

To configure NAT traversal


1. In the Cisco VPN 3000 Concentrator Series Manager, choose Configuration > Tunneling
and Security > IPSec > NAT Transparency.
2. Check the IPSec over NAT-T box to configure NAT traversal over IETF NAT-T.
The IETF NAT-T implementation uses UDP port 4500.
3. Click Apply.

To define protected networks (optional)


1. Optionally, in the Cisco VPN 3000 Concentrator Series Manager, choose Configuration >
Policy Management > Traffic Management > Network Lists > Add to define protected
networks.
By default, the VPN gateway protects all networks, but you can also protect only certain
networks to enable split tunneling.
2. In the List Name text field, give the Network List the name Protected Network.
3. In the Network List text field, enter the networks to be protected.
4. Click Add.
You can use Network Lists in User Groups and in Rules.
5. Define the corresponding networks as selectors in the SSM policy push templates,
installation_directory/etc/templates/policy_*.xml, to generate VPN client policies that
match your VPN gateway configuration.

To configure client access for challenge-response authentication


1. In the Cisco VPN 3000 Concentrator Series Manager, choose Configuration > Tunneling
and Security > IPSec > IKE Proposals > Add, to define an IKE proposal:
a. Give the proposal the name IKE-3DES-SHA-Challenge-Response.
b. In the Authentication Mode list, select Challenge/Response Authentication (CRACK).
c. Enter values for the other fields.
d. Move the proposal to the Active Proposals list and set it as the first proposal in the list.


2. Choose Configuration > Policy Management > Traffic Management > SAs > Add to define
an IPSec security association for challenge-response authentication:
a. Give the security association the name Challenge-response.
b. In IPSec Parameters, select the following values to match the default configuration in the
policy push templates:
In the Authentication Algorithm list, select ESP/SHA/HMAC-160.
In the Encryption Algorithm list, select AES-256.
c. In IKE Parameters, select the device certificate of the VPN gateway,
IdentityfromCompanyVPNCA, in the Digital Certificate list.
d. In the Certificate Transmission group, select the Identity certificate only option.
e. Select IKE-3DES-SHA-Challenge-Response in the IKE Proposal list.
For more information about the settings that Mobile VPN Client supports, see the Nokia
Security Service Manager Administration Guide.
3. Choose Configuration > User Management > Groups > Add Group to create a user group for
challenge-response authentication:
a. Give the user group the name Challenge-ResponseGroup.
You give the group name as the value of the id_value parameter for the SSM policy push
command.
b. Enter a password in the Password field.
c. Select Internal in the Type list.
d. Click the IPSec tab and select Challenge-response in the IPSec SA list.
e. Check the IKE Keepalives box to enable the VPN gateway to monitor the continued
presence of Mobile VPN Client and to report its own presence to Mobile VPN Client.
f. Select Remote Access in the Tunnel Type list.
g. Select RADIUS in the Authentication list.
h. Uncheck the Mode Configuration box.
i. Optionally, click the Client Config tab to specify settings for split tunneling:
In the Split Tunneling Policy group, select the Only tunnel networks in the list option.
In the Split Tunneling Network List, select Protected Network.
j. Click Add.
k. Save the changes.
4. Choose Configuration > System > Servers > Authentication > Add, to specify settings for a
RADIUS server.
5. Alternatively, you can specify RADIUS as the authentication method for a particular user
group.
Choose User Management > Groups, select Challenge-ResponseGroup, and click
Authentication Servers > Add to specify settings for the RADIUS server.


To use SSM policy push


1. The policy push command creates an SSL connection from the management station to the
Web server. To establish the secure connection, import the Web server certificate (/apache/
conf/ssl.crt/server.crt in the Web server) to the trusted key store, certs.jks, in the SSM server.
a. Log on as the process owner.
b. Copy the Web server certificate to the installation_directory/bin directory.
c. Change to the installation_directory/bin directory.
d. Enter the following command:
./mcs trustcert path/server.crt
where path is the path to the Web server certificate file in the file system of the SSM
server.
2. Enter the following command from the command line on the server, to add a VPN policy for
challenge-response authentication to SSM:
policypush -uContentManager -p1XvT456y
https://host_name[:port]
address=123.45.6.7
name=MobileDeviceProfile
method=crack
action=drop
ca_cert_1=directory/etc/CompanyVPNCA.cer
crack_method=securID
id_value=Challenge-ResponseGroup
where host_name is the host name of the SSM Web server. You can omit the port number if you
use the default HTTPS port, 443.
SSM generates a VPN policy called MobileDeviceProfile in the SSM database in Symbian OS
format.
The SSM policy push command combines input from you with templates in the
installation_directory/etc/templates directory to generate policies for each supported
authentication method. Each template contains the supported values for a particular IKE
authentication mode in the Cisco VPN 3000 Concentrator Series Manager:
Certificate-based authentication: RSA Digital Certificate or RSA Digital Certificate
(XAUTH)
Legacy authentication: Challenge/Response Authentication (CRACK)
Shared secrets: Preshared Keys (XAUTH)
For more information about how to use policy push, see the Nokia Security Service Manager
Administration Guide.
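The trustcert step above, like the CA certificate imports into SmartDashboard and into the Cisco concentrator earlier in this chapter, adds a certificate to a trust store on the strength of a file that arrived over the network. The check a practitioner wants before running ./mcs trustcert or clicking Install is a fingerprint comparison against a value obtained out of band, for example read from the SSM GUI Certificate Properties dialog box. The following Python script is an added example, not part of SSM or of the original guide: it computes the SHA-1 and SHA-256 fingerprints of a PEM certificate in the colon-separated form the management GUIs display, and compares the result in constant time with the expected value. The embedded SAMPLE_PEM is a constructed placeholder whose body is the base64 encoding of the bytes abc, not a real certificate; replace it with the contents of server.crt or of the exported CA certificate.

```python
import hashlib
import hmac
import ssl
import sys

# Constructed placeholder: the body is base64("abc"), NOT a real certificate.
# Substitute the PEM exported from the SSM GUI or the Web server's server.crt.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def cert_fingerprint(pem_text, algorithm="sha256"):
    """Fingerprint of the certificate as upper-case, colon-separated hex.

    The fingerprint is the hash of the DER encoding, which is what the SSM GUI,
    SmartDashboard and the Cisco Certificate Manager show for a certificate.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Accept 'ba:78:16:...', 'BA7816...' or space-separated forms; return bare hex."""
    return "".join(ch for ch in fingerprint.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(pem_text, expected, algorithm="sha256"):
    """Constant-time comparison of the computed fingerprint with the expected one.

    Rejects an expected value of the wrong length outright so that a truncated
    value copied from a dialog box cannot match by accident.
    """
    want = normalize(expected)
    if len(want) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError(f"expected fingerprint has the wrong length for {algorithm}")
    got = normalize(cert_fingerprint(pem_text, algorithm))
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Usage: python verify_fp.py [server.crt] [expected-sha256-fingerprint]
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA-1  :", cert_fingerprint(pem, "sha1"))
    print("SHA-256:", cert_fingerprint(pem, "sha256"))
    if len(sys.argv) > 2:
        verdict = "MATCH, safe to trust" if fingerprint_matches(pem, sys.argv[2]) else "MISMATCH, do not import"
        print(verdict)
```

Only import the certificate (trustcert, Get in the OPSEC PKI tab, or Install on the concentrator) when the script reports a match; a mismatch means the file was replaced in transit or you are looking at the wrong certificate.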


Deploying Policies to Mobile Devices


Use the SSM GUI to map the AutomaticContentUpdateUserGroup user group to the VPN policy
in the database.
The example configuration scripts create the user group and map the certificate enrollment
service content entry for the AutomaticContentUpdateCA internal CA entity to the user group.

To deploy VPN policies


1. In the SSM GUI Settings pane, click Content Delivery > Content to open the Content view.
2. Search for and select the VPN policy in the Symbian format:
Nokia IP security platform: generic*:fingerprint:CONVERTED
Other gateways: MobileDeviceProfile:fingerprint:CONVERTED
3. Choose Edit > Map to User Groups and select the AutomaticContentUpdateUserGroup.

Specifying Settings for VPN Access Points


VPN access points combine VPN policies with Internet access points. To create VPN
connections from mobile devices, users select VPN access points when they use applications on
the mobile device to connect to the enterprise.
Mobile VPN Client creates a VPN connection to the enterprise network over the Internet access
point connection. Mobile VPN Client creates and encrypts the connection according to the VPN
policy that is loaded when users connect to a VPN access point.
When users install VPN policies from SSM for the first time, matching VPN access points are
created for each policy that users install on the mobile device. You can also use the SSM CLI to
specify settings for a VPN access point that is associated with the VPN policy and use the
automatic content update service to deliver the settings to the mobile device.

To specify settings for a VPN access point


1. Start the SSM CLI.
2. Enter the following command:
Nokia IP security platform:
update content
NAME=generic*:fingerprint
-param vpn.accesspoint.name="Customer VPN"
vpn.proxy.address=host_name
vpn.proxy.port=8080
Other gateways:
update content
NAME=MobileDeviceProfile:fingerprint
-param vpn.accesspoint.name="Customer VPN"
vpn.proxy.address=host_name
vpn.proxy.port=8080


You can use Mobile VPN Client to modify or remove VPN access points.

Installing Software and Settings on Mobile Devices


Install Mobile VPN Client on the mobile devices before you give them to users.
You can download the latest versions of software and documentation from the Nokia customer
support Web site at https://support.nokia.com/.
Use the SSM CLI to save the settings for the automatic content update service as a SIS file. Then
install the SIS file on mobile devices.
If you do not sign the SIS file with a certificate that is signed by a CA that a mobile device trusts,
the mobile device displays a security warning when users install the SIS file.
Nokia recommends that you use PC Suite to install SIS files. Delivering and installing settings
over the mobile network without an encrypted connection is a security risk.
You must ask users to complete the installation, because users must authenticate to SSM when
they install VPN policies. In this example, users enter their RADIUS username and a SecurID
passcode to authenticate to SSM.
For more information about how to install Mobile VPN Client, settings for the automatic content
update service, and VPN policies, see the Nokia Mobile VPN Client User's Guide.

Moving from Legacy Authentication to Certificate-Based Authentication

The company has extended the enterprise VPN to mobile devices. You use challenge-response
authentication as the method to authenticate users to the VPN gateway. A RADIUS server
authenticates users. Users use SecurID tokens to generate one-time passwords.
Your task is to move from legacy authentication to certificate-based authentication. Acquire a
license for the SSM EGW and set up online certificate enrollment, which provides users with
certificates. Mobile VPN Client automatically enrolls certificates from an SSM internal CA.

Note
To set up client access to an enterprise VPN by using certificate-based authentication, you
must first perform the tasks in the section Extending the Enterprise Network to Mobile
Devices on page 53.

Moving from legacy authentication to certificate-based authentication includes the following
additional tasks:
Creating an Internal CA
Configuring Client Access for Certificate-Based Authentication
Modifying Content
Specifying Settings for Certificate Enrollment


Creating an Internal CA

Note
You can skip this task if you use the standalone installation script in Linux. The installation
script runs the example configuration script to create an internal CA for you.

When Mobile VPN Client receives a VPN policy that lacks a private key and client certificate,
Mobile VPN Client must obtain them before it can establish a VPN tunnel. Mobile VPN Client
can use online certificate enrollment to obtain certificates.
Mobile VPN Client creates a public-private key pair and a PKCS #10 certification request and
sends them to a CA. The CA uses a public-key algorithm to certify the public key and issues a
certificate for the user. The CA signs a collection of information that includes the user's
distinguished name (DN), subject alternative name, and public key. If the enrollment is
successful, the CA sends back a certificate and Mobile VPN Client is ready to establish a VPN
tunnel.
SSM authenticates and authorizes certification requests from Mobile VPN Client and
automatically enrolls certificates from an internal CA if the authentication and authorization
succeed.
To establish connections between Mobile VPN Client and an internal or external CA through
SSM, you must create an EGW entity and specify settings for each internal or external CA.
Use the SSM example configuration script to create an internal CA, CompanyVPNCA. For more
information, see To use an example configuration script to create an internal CA on page 52.
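The enrollment flow described above, as an added shell example that is not SSM or Mobile VPN Client code, using the openssl command-line tool (1.1.1 or later is assumed to be on the PATH): the client side creates a key pair and a PKCS #10 request with a DN and an rfc822Name subject alternative name, a self-signed CA standing in for CompanyVPNCA authorizes the request by comparing the rfc822Name domain with the profile domain and issues the certificate, and the gateway side verifies the result against the CA certificate, checks the CA fingerprint and watches the expiry. The CA name, the organization and unit Customer/Sales and the domain customer.com come from this guide's examples; the user alice, the file names and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not SSM or Mobile VPN Client code): the online-enrollment flow
# in miniature, using the openssl command-line tool. The CA name, the
# organization/unit and the domain customer.com follow this guide's examples;
# the user alice, the file names and the function names are assumptions.
set -eu

WORK=$(mktemp -d)                 # every file below is constructed here
trap 'rm -rf "$WORK"' EXIT

# 1. Plays the SSM internal CA: a self-signed CA certificate marked CA:TRUE.
make_ca() {                       # make_ca DIR CA_NAME
    cat >"$1/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = $2
O = Customer
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# 2. Plays Mobile VPN Client: new key pair plus a PKCS #10 request carrying the
#    user's DN and an rfc822Name subject alternative name.
make_request() {                  # make_request DIR USER EMAIL
    cat >"$1/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $2
O = Customer
OU = Sales
[ v3_req ]
subjectAltName = email:$3
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/client.key" -out "$1/client.p10" 2>/dev/null
}

# rfc822Name found in a request, without the "email:" prefix (empty if none).
request_email() {                 # request_email REQ_FILE
    openssl req -in "$1" -noout -text | grep -o 'email:[^,[:space:]]*' |
        head -n 1 | sed 's/^email://'
}

# Authorization in the spirit of the self-provisioning rule: the domain part of
# the rfc822Name must equal the profile domain. The comparison is case-sensitive,
# which is why the guide says to use the same case in SmartDashboard and in SSM.
request_domain_matches() {        # request_domain_matches REQ_FILE PROFILE_DOMAIN
    mail=$(request_email "$1")
    [ -n "$mail" ] && [ "${mail#*@}" = "$2" ]
}

# 3. Plays the CA issuing the certificate: sign the request, carry the
#    rfc822Name over and mark the result as an end-entity client certificate.
sign_request() {                  # sign_request DIR DAYS
    mail=$(request_email "$1/client.p10")
    cat >"$1/client.ext" <<EOF
subjectAltName = email:$mail
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in "$1/client.p10" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$2" -extfile "$1/client.ext" -out "$1/client.pem" 2>/dev/null
}

# 4. Plays the VPN gateway: accept only what chains to the imported CA certificate.
verify_against_ca() {             # verify_against_ca CA_FILE CERT_FILE
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate. Compare it with a value obtained out of
# band before you import a CA certificate into VPN Manager; a file or clipboard
# copy proves nothing by itself.
cert_fingerprint() {              # cert_fingerprint CERT_FILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}
fingerprint_matches() {           # fingerprint_matches CERT_FILE EXPECTED
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# True when the certificate expires within DAYS: catch an expiring gateway
# device certificate before connections start to fail.
cert_expires_within() {           # cert_expires_within CERT_FILE DAYS
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_ca "$WORK" CompanyVPNCA
make_request "$WORK" alice alice@customer.com
sign_request "$WORK" 365
```

The request is authorized on the rfc822Name domain before anything is signed, the issued certificate is accepted only because it chains to the CA certificate the gateway was given, and the fingerprint and expiry checks are the two things to run by hand before importing a CA certificate and after issuing a long-lived device certificate.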

Configuring Client Access for Certificate-Based Authentication


Use VPN management software to generate a client profile for an entire group of clients, such as
all mobile devices. Distribute the same client profile to all users in the group. Mobile VPN
Client uses online certificate enrollment to request VPN certificates from a CA.
For VPN gateway to trust the certificates of the mobile devices, you must add the certificate of
the SSM internal CA to the VPN gateway. For Mobile VPN Client to trust the VPN gateway,
you use the SSM internal CA to sign the device certificate of VPN gateway.
Create a client profile for online certificate enrollment and export it to the SSM database.
The following sections describe how to accomplish the preceding tasks for each supported VPN
gateway:
Nokia IP VPN Gateway
Nokia IP Security Platform
Cisco VPN 3000 Series Concentrator


Nokia IP VPN Gateway


Use VPN Manager to configure client access for certificate-based authentication:
To add the SSM internal CA as an external CA in VPN Manager
To issue a device certificate for IP VPN Gateway
To configure client access for certificate-based authentication
To configure mobile devices

To add the SSM internal CA as an external CA in VPN Manager


1. In the SSM GUI, save the CA certificate of CompanyVPNCA as a file or copy the certificate
to the clipboard.
Choose Services > Certificate Enrollment > CompanyVPNCA > Edit > Properties > Protocol
Properties > View > Save As and save the certificate as CompanyVPNCA.cer.
2. In VPN Manager, import the CA certificate of CompanyVPNCA:
a. Choose Edit > VPN Global Properties > Policy Configuration > Certification
Authorities.
b. Click the right mouse button in the Certification Authorities pane.
c. Choose Import External Certification Authority, click Browse and locate
CompanyVPNCA.cer, or paste the certificate from the clipboard.
3. Select CompanyVPNCA to use for IKE Authentication:
a. Choose Gateway > Properties > Client Access > IPSec Clients > Client Policy.
b. In the Select Certification Authority for IKE authentication list, select CompanyVPNCA.
4. Choose Actions > Apply Changes to apply the changes to the gateway configuration.

To issue a device certificate for IP VPN Gateway


1. In VPN Manager, create a PKCS #10 certificate signing request:
a. Choose Gateway > Properties > Certificates > Device Certificates > Request.
b. In the Select Certification Authority to request certificate from list, select
CompanyVPNCA and click Submit.
c. Click Export to save the request as device.p10.
You can also click Copy to copy the request to the clipboard.
2. In the SSM GUI, import the certificate request for signing.
a. Choose Services > Certificate Enrollment > CompanyVPNCA > Certificates issued by
CompanyVPNCA > Edit > Create New > Import PKCS #10 file > Browse and locate
device.p10.
You can also paste the request into the field.
b. Specify a lifetime for the certificate in years.


Specify long lifetimes for device certificates. If the device certificate expires, Mobile
VPN Client cannot authenticate the IP VPN Gateway and connections fail. Record the expiry
date and renew the device certificate before it; a long-lived certificate also stays trusted
until it expires or is revoked, so protect the private key of the gateway accordingly.
c. Press Export to save the certificate as device.cer.
3. In VPN Manager, import the device certificate.
Choose Gateway Properties > Certificates > Device Certificates > Import and locate
device.cer.
4. Choose Actions > Apply Changes to apply the changes to the gateway configuration.

To configure client access for certificate-based authentication


1. Configure IP VPN Gateway to allow certificate-based authentication:
a. In VPN Manager, choose Gateway > Properties > Client Access > IPSec Clients > Client
Access.
b. In Certificate Clients, check the Allow clients to connect using certificate based
authentication box.
c. Click New to create the *@internal.com client access filter.
2. Configure IP VPN Gateway to use CRL retrieval and SCEP for online certificate
enrollment:
a. Choose Edit > VPN Global Properties > Policy Configuration > Certification Authorities
> Edit > Properties > Settings to open the CRL/SCEP Configuration dialog box.
b. In the Certificate Revocation List group, check the Enable on-line CRL retrieval box.
c. In the CRL Distribution Point group, check the CRL DP is found in this certificate or
CRL DP is found in subordinate certificate box.
3. If you use IP VPN Gateway v6.1 or v6.2, perform the following additional steps:
a. In the On-line Certificate Enrollment group, check the Enable on-line certificate
enrollment (SCEP) box.
b. In the HTTP URL text field, type the CA URL of the SSM EGW entity:
http://host_name/nssm/pki/scep/
where host_name is the host name or IP address of the SSM Web server.
c. In the CA Entity Name field, enter CompanyVPNCA.
4. Choose Actions > Apply Changes to apply the changes to the gateway configuration.

To configure mobile devices


1. Click the Remote Clients tab and select MobileDeviceProfile.
2. Choose Profile > Properties to modify the profile to use certificate-based authentication:


3. In Gateway Access Filters, select MobileDeviceAccessFilter and click Edit to modify the
gateway access filter:
a. In the Use authentication method group, select Certificates.
b. In the Select client access rights by client identity list box, select the *@internal.com
domain.
4. If you use IP VPN Gateway v6.1 or v6.2, perform the following additional steps:
a. In the Certificate Request Information group, check the Enable on-line certificate
enrollment box.
b. In the Domain text box, enter the same domain name as in step 3.
5. Click Profile > Export Profiles to Nokia Security Service Manager to export the profile to
SSM.
6. Use the SSM content manager account to log on to SSM.

Nokia IP Security Platform


Use the Check Point SmartDashboard software to create an external profile for certificate-based
authentication.

To create an external user profile for certificate-based authentication


1. Start the Check Point SmartDashboard software.
2. Choose New > External User Profile > Match by domain to open the External User Profile
Properties dialog box.
3. Give the external user profile the name MobileDeviceProfile.
4. In the Domain Name matching definitions group, check the Free format and Domain Name
boxes and enter a domain name for the user.
The VPN policy inherits the domain name and SSM uses the domain name to authorize
certification requests.
If you use this domain name when you specify self-provisioning rules in SSM, use the same
case (uppercase or lowercase) in both SmartDashboard and the SSM GUI or CLI.
In this example, the domain name is customer.com.
5. Click the Authentication tab and select Undefined in the Authentication Scheme list.
6. Click the Encryption tab and select IKE as the client encryption method.
7. Click Edit to edit IKE settings and check the Public Key box.
8. Click the Groups tab and add the MobileDeviceUserGroup to the Belongs to Groups box.


Cisco VPN 3000 Series Concentrator


First use the Cisco VPN 3000 Concentrator Series Manager to configure client access for
certificate-based authentication. Then use the policy push command to add a VPN policy for
certificate-based authentication to SSM.

To configure client access for certificate-based authentication


1. Start the Cisco VPN 3000 Concentrator Series Manager.
2. Choose Configuration > Tunneling and Security > IPSec > IKE Proposals > Add, to define
an IKE proposal:
a. Give the proposal the name IKE-3DES-SHA1-RSAcert.
b. Select RSA Digital Certificate in the Authentication Mode list.
c. Enter values for the other fields.
d. Click Add.
e. Move the proposal to the Active Proposals list and set it as the first proposal in the list.
For more information about the settings that Mobile VPN Client supports, see the Nokia
Security Service Manager Administration Guide.
3. Choose Configuration > Policy Management > Traffic Management > SAs > Add to define
an IPSec security association for certificate-based authentication:
a. Give the security association the name CertificateSA.
b. In IPSec Parameters, select the following values to match the default configuration in the
policy push templates:
In the Authentication Algorithm list, select ESP/SHA/HMAC-160.
In the Encryption Algorithm list, select AES-256.
c. In IKE Parameters:
In the Digital Certificate list, select the common name of an identity certificate that
CompanyVPNCA signed.
In the Certificate transmission group, select the Identity certificate only option.
In the IKE Proposal list, select IKE-3DES-SHA1-RSAcert.
4. Choose Configuration > User Management > Groups > Add Group to create a user group for
certificate-based authentication:
a. Give the user group the name CertificateGroup.
b. Enter a password in the Password field.
c. Select Internal in the Type list.
d. Click the IPSec tab and select CertificateSA in the IPSec SA list.
e. To enable the IKE peer identity validation feature, select Required in the IKE Peer
Identity Validation list.


If the certificate of a peer does not provide sufficient information to perform an identity
check, the VPN gateway drops the tunnel.
f. Check the IKE Keepalives box to enable the VPN gateway to monitor the continued
presence of Mobile VPN Client and to report its own presence to Mobile VPN Client.
g. Select Remote Access in the Tunnel Type list.
h. Select None in the Authentication list.
i. Select Common Name (CN) in the DN Field box.
j. Uncheck the Mode Configuration box.
k. Optionally, click the Client Config tab to specify settings for split tunneling:
In the Split Tunneling Policy section, select the Only tunnel networks in the list
option.
In the Split Tunneling Networks List, select Protected Network.
5. Click Add.
6. Save the changes.
7. Choose Configuration > Policy Management > Group Matching > Policy to configure the
policy for certificate group matching.
8. Check the Default to Group box and select CertificateGroup in the Default to Group list.

To use SSM policy push


Enter the following command on the SSM server to add a VPN policy for certificate-based
authentication to SSM (one command; the arguments are shown on separate lines for readability):
policypush -uContentManager -p1XvT456y
https://host_name[:port]
address=123.45.6.7
name=MobileDeviceProfile
method=client-cert
action=drop
internal_addr=true
ca_cert_1=directory/etc/CompanyVPNCA.cer
Where host_name is the host name of the SSM Web server and directory is the path to the directory
that contains the CA certificate file. You do not need to enter the port number if you use the
default HTTPS port, 443.
The -p option puts the content manager password on the command line, where other users of the
server can read it from the process list and where the shell may record it in its history. Treat
the example password 1XvT456y as a placeholder and do not reuse it in production.
SSM replaces the VPN policy called MobileDeviceProfile in the SSM database with the new
policy.


Modifying Content
Map the enrollment service content information entry of the internal CA to the user group.

To modify content
1. In the SSM GUI main view, Settings pane, click Content Delivery > User Groups to open
the User Groups view.
2. Search for and select AutomaticContentUpdateUserGroup.
3. Choose Edit > Map to Content.
4. Map the following content to the user group:
MobileDeviceProfile
Enrollment service content information entry for the CompanyVPNCA internal CA to
authorize the user group to enroll certificates from the internal CA
5. If you use the Nokia IP security platform, unmap the generic* profile from the user group.
The next time users update policies from SSM, Mobile VPN Client installs MobileDeviceProfile
in the mobile device and removes the generic* profile from the mobile device.

Specifying Settings for Certificate Enrollment


Mobile VPN Client uses the automatic content update service to enroll VPN certificates for
users and to renew them before they expire. Renewal begins when a VPN policy is loaded on
Mobile VPN Client and the renewal period of the certificate that is associated with the VPN
policy has elapsed.
Use the SSM CLI to specify the certificate renewal period as a property of the VPN policy. The
value is the percentage of the certificate lifetime that must have elapsed before Mobile VPN
Client enrolls a new certificate. For example, a value of 90 makes Mobile VPN Client enroll a
new VPN certificate for a VPN policy when 10 percent of the certificate lifetime is left.

To set the certificate renewal period


1. Start the SSM CLI.
2. Enter the following command:
update content NAME=MobileDeviceProfile:fingerprint -param vpn.cert.renewal=90
where fingerprint is the content fingerprint of the MobileDeviceProfile VPN policy.

Using an External CA
The company has set up a VPN to provide remote access to mobile devices. You use certificates
as the method to authenticate users to VPN gateways. Mobile VPN Client automatically enrolls
certificates from the SSM internal CA.


Your task is to move from using an internal CA to using an external CA. Make an agreement
with the CA vendor to use the certificate request syntax (CRS) service in automatic
administration mode and use the SSM GUI to specify settings for the external CA.
Figure 9 Using an External CA
(Diagram; labeled elements: external CA, Internet, operator mobile network, Nokia Mobile VPN
Client, firewall/VPN gateway, DMZ, SSM enrollment gateway, SSM Web server, SSM server and
database, SSM management station, VPN policy management software, external authentication
server, mail gateway (SMTP).)

Note
To set up client access to an enterprise VPN by using certificate-based authentication, you
must first perform the tasks in Extending the Enterprise Network to Mobile Devices on
page 53 and Moving from Legacy Authentication to Certificate-Based Authentication on
page 70.

Using an external CA includes the following additional tasks:


Creating an External CA
Modifying Client Access for Certificate-Based Authentication
Modifying Content

Creating an External CA
Make an agreement with the CA vendor to use the CRS service in automatic administration
mode and use the SSM GUI to specify settings for the external CA.

To create an external CA
1. Start the SSM GUI and choose Services > Certificate Enrollment > Edit > Create New.
2. Give the enrollment gateway entity the name AutomaticCRS.


3. Click the Protocol properties tab, select CRS as the enrollment protocol, and specify the
following settings:
The URL of the CRS service. For example, http://crs.service.vendor.com/cgi-bin/crs.exe.
If EGW is on the intranet, specify the HTTP proxy server that the EGW entity uses to
connect to an external CA.
A CA certificate for the CRS protocol.
A CRS certificate for the CRS protocol.
You receive the CRS certificate from the CA vendor.
A registration authority (RA) certificate and private key for EGW.
You generate a public-private key pair and a certification request that the CA vendor
signs and sends to you.
The organization and organization unit name that you agree on with the CA vendor.
The CA vendor places the organization and organization unit in the SubjectName of the
certificates that it issues. In this example, organization is Customer and organization unit
is Sales.
Enable automatic CRS.

Modifying Client Access for Certificate-Based Authentication


Use VPN management software to modify client access for certificate-based authentication. For
the VPN gateway to trust mobile devices, you must add the certificate of the external CA in the
VPN gateway and use the external CA to sign the device certificate of the VPN gateway.
The following sections describe how to accomplish the preceding tasks for each supported VPN
gateway:
Nokia IP VPN Gateway
Nokia IP Security Platform
Cisco VPN 3000 Series Concentrator

Nokia IP VPN Gateway


Use VPN Manager to modify client access for certificate-based authentication:
To add the external CA in VPN Manager
To issue a device certificate for the IP VPN Gateway

To add the external CA in VPN Manager


1. In the SSM GUI, save the CA certificate of AutomaticCRS as a file.
Choose Services > Certificate Enrollment > AutomaticCRS > Edit > Properties > Protocol
Properties > View > Save As and save the certificate as AutomaticCRS.cer.
2. In VPN Manager, import the CA certificate of AutomaticCRS.


Choose Edit > VPN Global Properties > Policy Configuration > Certification Authorities
and click the right mouse button. Choose Import External Certification Authority > Browse
and locate AutomaticCRS.cer.
3. Select AutomaticCRS to be used for IKE Authentication.
Choose Gateway > Properties > Client Access > IPSec Clients > Client Policy > Select
Certification Authority for IKE authentication and select AutomaticCRS.

To issue a device certificate for the IP VPN Gateway


1. In VPN Manager, create a PKCS #10 certificate signing request:
a. Choose Gateway Properties > Certificates > Device Certificates > Request.
b. In the Select Certification Authority to request certificate from list, select
AutomaticCRS and click Submit.
c. Click Export to save the request to a file. Use a file name that does not collide with the
CA certificate file AutomaticCRS.cer that you saved in the preceding procedure (the
internal CA procedure uses device.p10 for the request).
You can also click Copy to copy the request to the clipboard.
2. Use the SSM CLI enroll command to request certification from AutomaticCRS and save the
device certificate that the external CA returns.
3. In VPN Manager, import the device certificate.
Choose Gateway Properties > Certificates > Device Certificates > Import and locate the
device certificate file.

Nokia IP Security Platform


Use Check Point SmartDashboard to modify client access for certificate-based authentication.

To modify client access to the IP security platform


1. Start the Check Point SmartDashboard software and choose Manage > Servers > New >
Certificate Authority to import the CA certificate that the CA vendor issued for
AutomaticCRS.
2. Choose Manage > Network Objects > Check Points, select the CustomerCluster gateway,
and click Edit to edit the general properties of the gateway.
3. Add the device certificate of AutomaticCRS in the gateway properties:
a. Click VPN to specify settings for the VPN domain.
b. Click Add to add the RemoteAccess community to the list of VPN communities that the
gateway participates in.
c. Click Add under Certificate List to open the Certificate Properties dialog box.
d. Select the external CA in the Certificate Authority list.
e. Click Generate to generate a certification request.
f. Type a distinguished name in the DN text field.
g. Select the Define Alternate Name option and click Add to add the IP address of the
external interface of the Check Point gateway as a subject alternative name. Mobile VPN
Client matches this IP address against the gateway certificate.


h. Click View to display the certification request. Copy and paste the certification request to
a text editor and save it as a file.
i. Use the SSM CLI enroll command to request certification from AutomaticCRS.
j. In the Certificate Properties dialog box, click Get to get the certificate.

Note
If you no longer use the SSM internal CA, remove the device certificate that CompanyVPNCA
issued from the gateway properties.

Note
Save the configuration. If the connection is cut before you save the configuration, you
lose all the changes.

4. Use the vpn nssm_topology command on the SmartCenter Server to export
MobileDeviceProfile to the SSM database.

Cisco VPN 3000 Series Concentrator


Use Cisco VPN 3000 Concentrator Series Manager to modify client access for certificate-based
authentication:
To add the certificate of the external CA to the VPN gateway
To request a device certificate for the VPN gateway from the external CA
To modify client access
To modify the VPN policy for certificate-based authentication in the database

To add the certificate of the external CA to the VPN gateway


1. Start the Cisco VPN 3000 Concentrator Series Manager.
2. Choose Administration > Certificate Management > Click here to install a certificate >
Install a CA certificate > Upload File from Workstation, and click Browse to locate
AutomaticCRS.cer.
3. Click Install.

To request a device certificate for the VPN gateway from the external CA
1. Start the Cisco VPN 3000 Concentrator Series Manager.
2. Choose Administration > Certificate Management > Click here to enroll with a Certificate
Authority > Enroll via PKCS10 Request (Manual).
3. Create a PKCS #10 certification request.
The common name (CN) appears in digital certificate lists. Enter the common name
IdentityfromAutomaticCRS.
4. Click Enroll.


5. Use the SSM CLI enroll command to request certification from AutomaticCRS.
6. In the Cisco VPN 3000 Concentrator Series Manager, choose Administration > Certificate
Management > Installation > Install certificate obtained via enrollment.
7. Click Install > Upload File from Workstation and click Browse to locate the certificate file.
8. Click Install.
The device certificate appears in the Certificate Manager in the Identity Certificates list.

To modify client access


1. In the Cisco VPN 3000 Concentrator Series Manager, choose Configuration > Policy
Management > Traffic Management > SAs, select CertificateSA, and click Modify to
modify the IPSec security association for certificate-based authentication.
2. In IKE Parameters, select IdentityfromAutomaticCRS in the Digital Certificate list.

To modify the VPN policy for certificate-based authentication in the database


Enter the following command from the command line on the SSM server (one command; the
arguments are shown on separate lines for readability):
policypush -uContentManager -p1XvT456y
https://host_name[:port]
address=123.45.6.7
name=MobileDeviceProfile
method=client-cert
action=drop
internal_addr=true
ca_cert_1=directory/etc/CompanyVPNCA.cer
ca_cert_2=directory/etc/AutomaticCRS.cer
Where host_name is the host name of the SSM Web server and directory is the path to the directory
that contains the CA certificate files. You do not need to enter the port number if you use the
default HTTPS port, 443.
Both CA certificates are listed so that the policy trusts gateway certificates from either CA
during the transition; drop ca_cert_1 once no gateway uses the internal CA. As before, the -p
option exposes the content manager password in the process list and possibly in the shell
history; treat 1XvT456y as a placeholder.
SSM replaces the VPN policy called MobileDeviceProfile in the SSM database with the new
policy.

Modifying Content
Map the enrollment service content information entry of the external CA to the user group to
authorize the user group to enroll certificates from the external CA.

To modify content
1. In the SSM GUI main view, Settings pane, click Content Delivery > User Groups to open
the User Groups view.
2. Search for and select AutomaticContentUpdateUserGroup.
3. Choose Edit > Map to Content and map the enrollment service content information entry for
the AutomaticCRS external CA to the user group.



4 Upgrading and Uninstalling Nokia Security Service Manager

This chapter describes how to upgrade and uninstall Nokia Security Service Manager (SSM):
Upgrading Nokia Security Service Manager
Uninstalling Nokia Security Service Manager

Upgrading Nokia Security Service Manager


Use the SSM installer to upgrade the SSM software version. You upgrade all SSM components
in an installation directory at the same time. The installation program uses version and release
numbers to check that the current software is earlier than the version to upgrade to.
The installation program backs up the content of the bin, docs, etc, lib, web, apache, tomcat, and
openssl directories to the installation_directory/upgrade-version-release.backup directory.
The installation program copies new files over the old installation. After the installation, the
installation program restores settings in the configuration files and upgrades the database
schema.
The installation program records events to installation_directory/logs/upgrade-version-
release.log.

To upgrade Nokia Security Service Manager


1. Stop all SSM v3.0 services:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to stop all
SSM services:
./mcs stop
2. Restore file permissions:
a. Log on as root.
b. Change to the installation_directory/bin directory.


c. At the command prompt, execute the following management command script to undo the
changes in file permissions that the rootinstall management command script made:
./mcs rootuninstall
3. Upgrade to SSM v3.0.1:
a. Log on as the process owner.
b. Start the SSM installer:
In Solaris, start the graphical installer:
java -jar Setup.jar
or the console-mode installer:
java -cp Setup.jar run -console
Specify the path to the SSM installation directory and follow the instructions of the setup
wizard.
In Linux:
./installer [ -d installation_directory ] upgrade
where: -d installation_directory is the SSM installation directory.
4. Set file permissions and create a startup script to enable automatic startup of SSM:
a. Log on as root.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script:
./mcs rootinstall
For more information, see Setting File Permissions and Creating a Startup Script on
page 49.
5. Start SSM to check that the installation was successful and that all the services start up:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to start the
SSM services:
./mcs start
For more information about executing management command scripts, see the Nokia
Security Service Manager Administration Guide.
If you enter an incorrect server passphrase when you start SSM, upgrade fails. The SSM installer
records the following error message to installation_directory/logs/cmd.log:
ERROR DatabaseConnectionPool - Cannot open a new database connection to
host jdbc:postgresql://localhost:26777/vpndb. It either might be JDBC
connection problem or wrong passphrase is given in startup phase.
To complete the upgrade, run the following management command script:
./mcs postupgrade
Then enter the correct server passphrase.
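A scripted check for the two things this procedure asks you to confirm, as an added example that is not part of SSM: that the installer's backup copy of the bin, docs, etc, lib, web, apache, tomcat and openssl directories is complete, and whether cmd.log shows the DatabaseConnectionPool error that means the server passphrase was wrong and ./mcs postupgrade is still required. The backup directory name upgrade-3.0.1-1.backup (version 3.0.1, release 1), the demo installation directory and the log lines are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of SSM): post-upgrade checks over the two artifacts
# the guide names, installation_directory/upgrade-version-release.backup and
# installation_directory/logs/cmd.log. The demo installation below, including
# the backup name upgrade-3.0.1-1.backup and the log lines, is constructed.
set -eu

# The directories the installer backs up, as listed in the guide.
BACKED_UP_DIRS="bin docs etc lib web apache tomcat openssl"

# Exit 0 when every backed-up directory is present in the backup copy,
# 1 otherwise (the missing names go to stderr).
backup_complete() {            # backup_complete INSTALL_DIR VERSION RELEASE
    backup="$1/upgrade-$2-$3.backup"
    missing=""
    for d in $BACKED_UP_DIRS; do
        [ -d "$backup/$d" ] || missing="$missing $d"
    done
    [ -z "$missing" ] || { echo "missing from $backup:$missing" >&2; return 1; }
}

# Exit 0 when cmd.log carries the DatabaseConnectionPool error the guide
# documents for a wrong server passphrase at startup.
passphrase_failure_logged() {  # passphrase_failure_logged LOG_FILE
    grep -q 'DatabaseConnectionPool - Cannot open a new database connection' "$1"
}

# What to do next: prints ok, run-postupgrade or backup-incomplete.
next_step() {                  # next_step INSTALL_DIR VERSION RELEASE
    if ! backup_complete "$1" "$2" "$3" 2>/dev/null; then
        echo backup-incomplete
    elif passphrase_failure_logged "$1/logs/cmd.log"; then
        echo run-postupgrade
    else
        echo ok
    fi
}

# Constructed demo installation: a complete backup and a log with the error.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
for d in $BACKED_UP_DIRS; do mkdir -p "$DEMO/upgrade-3.0.1-1.backup/$d"; done
mkdir -p "$DEMO/logs"
cat >"$DEMO/logs/cmd.log" <<'EOF'
INFO  Startup - Nokia Security Service Manager starting
ERROR DatabaseConnectionPool - Cannot open a new database connection to
host jdbc:postgresql://localhost:26777/vpndb. It either might be JDBC
connection problem or wrong passphrase is given in startup phase.
EOF
next_step "$DEMO" 3.0.1 1      # prints run-postupgrade
```

Run next_step against the real installation directory after step 5; a result of run-postupgrade means the services were started with the wrong passphrase, and backup-incomplete means the upgrade should not be trusted until the backup is examined, because it is the only copy of the pre-upgrade configuration the installer keeps.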


To upgrade the management station on Windows


You can use management station v3.0.1 to manage server v3.0 and v3.0.1. You can install
several versions of management station on the same computer in separate directories.
Install management station v3.0.1. For more information, see To install the management station
in Windows on page 48.

Uninstalling Nokia Security Service Manager


When you uninstall SSM, you always remove the whole package that you installed.

To uninstall Nokia Security Service Manager


1. Stop all SSM services:
a. Log on as the process owner.
b. Change to the installation_directory/bin directory.
c. At the command prompt, execute the following management command script to stop
SSM:
./mcs stop
2. Reset file permissions:
a. Log on as root.
b. Change to the installation_directory/bin directory.
At the command prompt, execute the following management command script to undo the
changes in file permissions that the rootinstall management command script made:
./mcs rootuninstall
3. Log on as the same account as when you installed SSM.
4. Start the SSM uninstaller:
In Solaris, start the graphical uninstaller:
java -jar installation_directory/_uninst/Uninstall.jar
or the console-mode uninstaller:
java -cp installation_directory/_uninst/Uninstall.jar run -console
In Linux:
./installer -d installation_directory uninstall
5. Follow the instructions in the SSM uninstaller.
The uninstaller removes the installation directory, all its subdirectories and their contents
from the computer.


To uninstall the management station from Windows


1. In the Control Panel, double-click Add/Remove Programs to open the Add/Remove
Programs Properties dialog box.
2. Select Nokia Security Service Manager and click Add/Remove to start the SSM uninstaller.
3. Follow the instructions in the SSM uninstaller.
4. Click OK to remove the management station from the computer.



Index

A configuring
Cisco VPN 3000 Concentrator 64
acu.cert.renewal setting 29
Nokia IP Security Platform 60
adding bypass rules to IP security platform 63
Nokia IP VPN Gateway 58
administrators tasks 19
SSM 53
authentication
content
certificate-based 20
delivering 22
challenge-response 20
identifiers 22
shared secrets 20
content manager, creating 57
to SSM 25
create_content_manager example configuration
to VPN 20
script 57
XAUTH 20
create_vpnca example configuration script 52
authorizing users to use functions 23
CRL 17
automatic administration mode, CRS 27
retrieving 62
automatic content update service
certificate 55
handling requests 54 D
renewing certificates 29 Default authentication domain field 39
saving settings as SIS files 55 Directory name field 38
specifying settings 55 distinguished name 27
using 28 DMZ 32
automatic mode, certificate enrollment 27 DNS, viewing and specifying in Check Point
SmartDashboard 64
B
bypass rules, adding to IP security platform 63 E
EGW
C introduction 16
security considerations 32
certificate enrollment
Email field 39
procedure 27
enable.self.provisioning setting 26
renewing certificates 29
enrollment gateway 16
using SSM as RA 28
enrollment protocols, modes 27
certificate request syntax 27
evaluation license 33
certificate-based authentication 20
certificates
automatic content update service 55 F
obtaining TLS/SSL 50 file permissions 49
PKCS #10 certification requests 27 fingerprint, content 22
challenge-response authentication 20 First name field 39
choosing installation options 33
Cisco VPN 3000 Concentrator, configuring 64
G
generic profiles 21

Nokia Security Service Manager Installation Guide Index - 87


H
Host name field
    server installation 38
    Web server installation 40
HTTP, specifying port 40
HTTPS, specifying port 40

I
installation
    after the installation 48
    directory 37, 38
    options 32
    preparations 35
    settings 38
installing
    J2RE 36
    management station in Windows 48
    patches on Solaris 35
    several SSM instances on one computer 33
    SSM 37
    SSM in Linux 42
    SSM in Solaris 41
    SSM securely 32
    SUNWzlib on Solaris 36
IPSec 15

J
J2RE, installing 36

L
Last name field 39
LDAP, specifying settings in CheckPoint SmartDashboard 61
legacy authentication 20
Logon name field 39

M
management station
    components 17
    installing on Windows 48
    introduction 17
    upgrading on Windows 85
manual mode, certificate enrollment 27
mcs nvm command 58
mcs postupgrade command 84
mcs rootinstall command 41, 46, 49, 84
mcs trustcert command 68
MIME types, using 22
Mobile phone field 39
Mobile VPN Client
    allowing connections to Web server 63
    automatic content update 22
    configuring client access 19
    delivering policies 18
    secure connections 17
    selecting DNS and WINS servers 64
    using 28

N
Nokia IP Security Platform, configuring 60
Nokia IP VPN Gateway, configuring 58
NTP 37

O
obtaining TLS/SSL certificates 50
OPSEC 21

P
Passphrase field 38
Password field 39
PKI 15
policypush
    command 68
    using 68
Port base field 38
privileges, overview 23

R
RA, using SSM as 27
RADIUS
    settings in CheckPoint SmartDashboard 60
    specifying settings 56
registration authority 27
related documentation 14
remote access, providing to users 23
rfc822Name 25
S
Save passphrase field 39
self.provisioning.firstname setting 26
self.provisioning.lastname setting 26
self-provisioning
    enable.self.provisioning 26
    extracting user name from logon name 26
    logon names 26
    process 26
    specifying settings 56
server
    components 16
    security considerations 32
    specifying port number 38
Server certificate file field 40
server passphrase
    creating 69
    incorrect 84
    saving 50
server.crt 51
server.p10 51
setup procedure 31, 83
shared secrets
    definition 20
    RADIUS 60
SMTP 16
Solaris
    patches and libraries 35
    system specifications 36
ssl.crt 51
SSM
    components 16
    installing 37
    starting VPN Manager 58
subject alternative name 27
Subject DN field, internal CA certificate 39
SUNWzlib 36
support Web site 14
supported mobile devices 14
synchronizing system clocks 37
system requirements 33

T
TLS/SSL, obtaining certificates 50

U
uninstalling
    management station from Windows 86
    SSM 85
upgrading, SSM 83
user groups, hierarchy 23
users
    authenticating to SSM 25
    authenticating to VPN 20
    privileges 23

V
VPN 15
VPN access points
    about 28
VPN gateways
    about 15
    supported 57
VPN policies
    configuring 57
    converting to Symbian format 57
    deploying to mobile devices 18, 69
    exporting to SSM from SmartDashboard 64
    Nokia VPN Manager 21
    using 19
VPN policy servers 19
VPN, using with applications 28

W
watchdog 50
Web server
    certificate 42, 47, 50, 68
    components 17
    security considerations 32

X
XAUTH, definition 20