TOE127.0.0.1

127.0.0.1  时间:2021-05-19  阅读:()
CommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEditionPublishedWednesday,22August20123.
0EditionCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEditionCopyright2012CitrixSystems.
Inc.
AllRightsReserved.
Citrix,Inc.
851WestCypressCreekRoadFortLauderdale,FL33309UnitedStatesofAmericaDisclaimersThisdocumentisfurnished"ASIS.
"Citrix,Inc.
disclaimsallwarrantiesregardingthecontentsofthisdocument,including,butnotlimitedto,impliedwarrantiesofmerchantabilityandfitnessforanyparticularpurpose.
Thisdocumentmaycontaintechnicalorotherinaccuraciesortypographicalerrors.
Citrix,Inc.
reservestherighttorevisetheinformationinthisdocumentatanytimewithoutnotice.
ThisdocumentandthesoftwaredescribedinthisdocumentconstituteconfidentialinformationofCitrix,Inc.
anditslicensors,andarefurnishedunderalicensefromCitrix,Inc.
CitrixSystems,Inc.
,theCitrixlogo,CitrixXenServerandCitrixXenCenteraretrademarksofCitrixSystems,Inc.
and/oroneormoreofitssubsidiaries,andmayberegisteredintheUnitedStatesPatentandTrademarkOfficeandinothercountries.
Allothertrademarksandregisteredtrademarksarepropertyoftheirrespectiveowners.
TrademarksCitrixXenServerXenCenterPublished:22August2012iiiContents1.
AboutthisGuide12.
Hardware32.
1.
Inventory32.
2.
SecuringHardware33.
Software43.
1.
ConfiguringXenCenter43.
1.
1.
InitialInstallation43.
1.
2.
Post-InstallationConfigurationProcedures43.
2.
ConfiguringtheCitrixLicenseServer43.
2.
1.
InitialInstallation43.
2.
2.
PostInstallationConfigurationProcedures53.
3.
ConfiguringNetworkStorage(NFS)53.
4.
ConfiguringNetworkTimeProtocol(NTP)54.
ConfiguringaXenServerHost64.
1.
BeforeInstallingXenServer64.
2.
InstallingXenServer64.
3.
ManagingSSLCertificates64.
3.
1.
InstallingtheTrustedCACertificate64.
3.
2.
GeneratingHostCertificates74.
4.
CreatingaXenServerPool74.
5.
NetworkConfiguration84.
5.
1.
ConfiguringtheStorageNetwork84.
6.
StorageConfiguration84.
6.
1.
AddingaVHDonNFSSR84.
6.
2.
RegisteringaDefaultSR94.
6.
3.
AddinganISOonNFSSR9A.
OpenSSLConfiguration10B.
FirewallConfiguration11ivB.
1.
ManagementNetworkFirewall11B.
2.
StorageNetworkFirewall11B.
3.
GuestNetworkFirewall111Chapter1.
AboutthisGuideThisCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEdition,describestherequirementsandproceduresforinstallingandconfiguringCitrixXenServerinaccordancewiththeCommonCriteriaevaluateddeployment.
IfyoursecurityrequirementsandpoliciesrequireyoutodeployCitrixXenServer6.
0.
2tomatchtheCommonCriteriaTargetofEvaluationconfiguration,followtheproceduresinthisguideexactly.
GlossaryCAX.
509CertificationAuthority,seeRFC5280CCCommonCriteriaCLICommandLineInterfaceCNCommonName,seeRFC5280CSRCertificateSigningRequest,seePKCS#10DNSDomainNameSystemEPTExtendedPageTablesFQDNFullyQualifiedDomainNameHCLHardwareCompatibilityListIPInternetProtocolNFSNetworkFileSystemNICNetworkInterfaceControllerNTPNetworkTimeProtocol,seeRFC1305PBDPhysicalBlockDevicePIFPhysicalInterfacePXEPrebooteXecutionEnvironmentRPCRemoteProcedureCallSANSubjectAlternativeName,seeRFC5280SARSecurityAssuranceRequirementSFRSecurityFunctionalRequirementSRStorageRepositorySTSecurityTargetSSLSecureSocketLayerUUIDUniversallyUniqueIdentifier2TOETargetofEvaluationVIFVirtualInterfaceVMVirtualMachineVT-xVirtualizationTechnologyforx86ProcessorsReferences[XSInstall]CitrixXenServerInstallationGuide,6.
0.
1.
1Edition.
[CTXLIC]CitrixLicensing.
http://support.
citrix.
com/proddocs/topic/technologies/lic-library-node-wrapper.
html.
[XSCCST]CommonCriteriaSecurityTargetforCitrixXenServer6.
0.
2,PlatinumEditionCIN8-ST-0001.
Version1.
0.
[CCXSAdmin]CommonCriteriaAdministrator'sGuideforCitrixXenServer6.
0.
2,PlatinumEdition.
1.
0Edition.
[XSAdmin]CitrixXenServerAdministrator'sGuide6.
0.
1.
1Edition.
3Chapter2.
HardwareImportant:ThehardwareselectedforusemustbecertifiedandsupportedforusewithXenServer.
RefertotheXenServerHardwareCompatibilityList(HCL)athttp://citrix.
com/xenserver/cc-hclfordetails.
ForCommonCriteriapurposes,theXenServer6.
0.
2HCLapplieswiththeadditionalrestrictionthat:Eachservermustcontainatleast2CPUcores.
OnlyIntel64-bit-capableCPUswithbothVT-xandEPTcapabilitiesaresupported.
Eachservermustcontainatleast3NICs.
2.
1.
InventoryServersAtleast2,amaximumof16,serverssatisfyingthelimitationsoftheTOEasfoundin[XSCCST].
StorageNetworkattachedstorageofferingNFSstorage,asdefinedintheTOE([XSCCST]).
NetworkAnynetworkconfigurationwithinthelimitsoftheTOEasfoundin[XSCCST].
Note:Thehosthardwareconfigurationinfluenceshowtheinstalledsystemwillauto-configure.
Fortheevaluatedconfiguration,thehardwareshouldbesetupasfollows:NIC0-ManagementNetworkNIC1-StorageNetworkNIC2.
.
.
NICN-OneormorefurtherNICsmustbeaddedasrequiredtocreateGuestNetworks2.
2.
SecuringHardwareThehardwaremustbesecuredasdescribedin[XSCCST]sectionSecurityObjectivesfortheOperationalEnvironment,specificallyOE.
Secure_Resource,OE.
Secure_Keys,OE.
Separate_Networks.
4Chapter3.
SoftwareTheevaluatedconfigurationasdescribedin[XSCCST]includestheXenCenterclientasamanagementconsole,althoughXenCenterisnotincludedintheTOEandisnotreliedupontoimplementanysecurityfunctions.
WhenXenCenterisusedastheclient,theCC-specificversionmustbeused(availableontheCCISO).
ThestandardversionofXenCenterwouldprovidenotificationsofupdatesthatarenotapplicabletotheXenServerCCversion,whichmaycauseanadministratortotakeitoutoftheEvaluatedConfiguration.
TheCCversionofXenCenterdoesnotprovidethesenotifications.
UsersshouldmonitortheCitrixSupportsite,http://support.
citrix.
com/6.
0.
2[**URLtobeconfirmed**],forupdatesthatareapplicablespecificallytotheXenServerCCversion.
3.
1.
ConfiguringXenCenterTheclientusedforthemanagementofXenServermustverifypresentedSSLcertificates.
TodothisusingCitrixXenCenter,executethefollowingprocedure.
3.
1.
1.
InitialInstallationPleaserefertothestepsinthesectioncalled"InstallingXenCenter"([XSInstall]).
3.
1.
2.
Post-InstallationConfigurationProcedures1.
OntheToolsmenu,selectOptions.
ThisdisplaystheOptionsdialog.
2.
Inthelefthandpane,selectSecurity.
3.
SelecttheoptionsWarnmewhenanewSSLcertificateisfoundandWarnmewhenanSSLcertificatechanges.
4.
ClickOKtoclosethedialog.
Note:IfyouuseXenCenterfortheCommonCriteriaconfiguration,itispossibletostoreyourlogincredentials.
TheusernameandpasswordforallmanagedserverscanbestoredbetweenXenCentersessionsandusedtoautomaticallyreconnecttothematthestartofeachnewXenCentersession.
Toenable,inXenCenteronthe"Tools"menu,select"Options",thenclick"SaveandRestore"andselecttheSaveandrestoreserverconnectionstateonstartupcheckbox.
Inaddition,whenSaveandrestoreserverconnectionstateonstartupisenabled,youcanprotectthestoredlogincredentialswithamasterpasswordtoensuretheyremainsecure.
Atthestartofeachsession,youwillbepromptedtoenterthismasterpasswordbeforeconnectionstoyourmanagedserversareautomaticallyrestored.
TodothisselecttheRequireamasterpasswordcheckbox.
Administratorsshouldfollowtheirorganization'spoliciesregardingstoringpasswords.
3.
2.
ConfiguringtheCitrixLicenseServerTheTOEasdescribedin[XSCCST]requirestheuseofalicenseserver.
3.
2.
1.
InitialInstallationForinformationoninstallingandconfiguringtheCitrixLicenseServer,pleasesee[CTXLIC].
53.
2.
2.
PostInstallationConfigurationProceduresTheevaluatedconfigurationrequiresusingthefollowingports:VendorDaemonPort7279LicenseServerManagerPort270003.
3.
ConfiguringNetworkStorage(NFS)TheevaluatedconfigurationassumesthattheNFSserverusesthefollowingstandardports:RPC111NFS2049Lockd26345Statd26346Mountd26347Rquotad263483.
4.
ConfiguringNetworkTimeProtocol(NTP)TheevaluatedconfigurationrequiresthattheNTPserverusesthestandardport:NTP1236Chapter4.
ConfiguringaXenServerHostThissectiondescribestheconfigurationstepsthatmustbefollowedoneachXenServerhost.
Warning:Theevaluatedconfigurationforahostwillonlybeachievedonceallofthefollowingstepshavebeenexecuted.
Thehostmustnotbemadeavailableforuseuntiltheentireconfigurationhasbeencompleted.
Warning:Intheevaluatedconfiguration,administratorsmustonlyusecommandsthataredefinedintheCommonCriteria(CC)documentation,orinsubsequentCitrixKnowledgeBasearticlesthatapplyexplicitlytotheXenServer6.
0.
2CCconfiguration.
4.
1.
BeforeInstallingXenServerBeforeinstallingXenServer,verifytheintegrityofthedownloadedISOfilesbyfollowingtheinstructionsinChapter1of[delproc]4.
2.
InstallingXenServerFortheremainderoftheinstallationprocedure,refertothestepsinthesectioncalled"InstallingtheXenServerHost"([XSInstall])andto[XSAdmin],notingthefollowingadditionalrestrictions:Donotinstallanysupplementalpacks.
ConfigurethehosttouseastaticIPaddress.
IfyournetworkdoesnothaveaDNSserver,enter127.
0.
0.
1whenpromptedfortheIPaddressofaDNSserver.
Note:PXEbootingXenServerinstallations,asdescribedinAppendixC,PXEBootInstallations([XSInstall])isnotsupportedfortheevaluatedconfiguration.
4.
3.
ManagingSSLCertificatesDuringXenServerhostinstallation,aself-signedSSLcertificateisinstalled.
ThismustbereplacedtofullycomplywiththerequirementsforaCCdeploymentasdefinedin[XSCCST].
ThissectionexplainshowtosetupanSSLconfiguration.
AconfiguredX.
509CertificationAuthority(CA)isrequiredforthestepsinthissection(seeAppendixA,OpenSSLConfigurationforanexampleconfigurationsuitableforusewithOpenSSL).
Note:Whenconfiguringapoolenvironment,thesestepsmustbeexecutedonallhosts.
4.
3.
1.
InstallingtheTrustedCACertificateToInstalltheTrustedCACertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragecontainingthecertificate.
3.
InstallaCAcertificatebyenteringthefollowingcommandsonthehostconsole.
#cd#xepool-certificate-installfilename=74.
Unmountandremovetheremovablestorage.
4.
3.
2.
GeneratingHostCertificatesNote:KeysusedontheXenServerhostmustbegeneratedinaccordancewithOE.
Secure_Keysasdefinedin[XSCCST].
WhencreatingaCertificateSigningRequest(CSR)itisalsoimportanttoconsiderthefollowing:OnlyasingleCommonName(CN)entryisinspectedduringhostnamevalidation.
OnlySubjectAlternativeNames(SAN)withtypeDNSareinspectedduringhostnamevalidation.
Hostnamewildcardsarenotsupported.
ThehostIPaddressmustbeincludedineitherCNorSAN.
AFullyQualifiedDomainName(FQDN)canbeprovidedinadditiontothehostIPaddress,howeverthisisnotessential.
127.
0.
0.
1mustbeincludedineithertheCNorSAN.
Allowashortperiodoftimeforxapitobereadyafterperformingservicexapistart.
SeeAppendixA,OpenSSLConfigurationforanexampleusingOpenSSL.
ToInstalltheSSLCertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragemediacontainingthecertificate.
3.
Enterthefollowingcommandsonthehostconsole:#servicexapistop#pkillstunnel#cp/etc/xensource/xapi-ssl.
pem/etc/xensource/orig-xapi-ssl.
pem#cp/etc/xensource/xapi-ssl.
pem#servicexapistart4.
Unmountandremovetheremovablestorage.
4.
4.
CreatingaXenServerPoolXenServerresourcepoolscanbecreatedusingeithertheXenCentermanagementconsoleortheCLI.
Whenyoujoinanewhosttoaresourcepool,thejoininghostsynchronizesitslocaldatabasewiththepool-wideone,andinheritssomesettingsfromthepool.
Formoreinformationonresourcepools,refertothechaptercalled"XenServerHostsandResourcePools"([XSAdmin]).
BeforecreatingaXenServerPool,chooseoneofthehoststobetheinitialpoolmaster.
Therearenospecialrequirementsforchoosingthepoolmaster.
Onceyouhaveselectedthepoolmaster,joinalltheremaininghosts(whichwillbepoolslaves)tothemasterusingthefollowingprocedure.
ToJoinXenServerHostslave1tomasterUsingCLI1.
OpenaconsoleonXenServerhostslave1.
2.
ConfiguretheXenServerslave1hosttoactasaslaveofPoolMastermasterbyenteringthefollowingontheconsole:xepool-joinmaster-address=master-username=root\master-password=Themaster-addressmustbesettothefully-qualifieddomainnameorIPaddressoftheXenServerhostmasterandthepasswordmustbethepasswordsetwhenXenServerhostmasterwasinstalled.
8ToNametheResourcePoolBydefault,XenServerhostsbelongtoanunnamedpool.
Tonametheresourcepool,enterthefollowingcommand:#xepool-listparams=uuidminimal=truexepool-param-setname-label=uuid=4.
5.
NetworkConfigurationTheTOErequirestheuseofseparatenetworksformanagement,storageandguesttraffic.
GuestsmustonlyeverbeconnectedtotheGuestNetworks.
ThisensuresthatproperseparationismaintainedandthatVIFsareonlycreatedontheGuestNetwork.
UndernocircumstancemustaGuesteverbeconnectedtoeithertheManagementNetworkortheStorageNetwork.
Asdom0doesnotneedVIFstoaccesstheManagementandStoragenetworks,noVIFsshouldeverbedefinedforthem.
Referto[CCXSAdmin]forfurtherinformationonconfiguringnetworkingonXenServerandtothesectionSecurityProblemDefinitionin[XSCCST],specificallyA.
Separate_Networks.
4.
5.
1.
ConfiguringtheStorageNetworkNote:ThefollowingstepsforconfiguringtheStorageNetworkmustbeperformedonALLhosts,includingthePoolMaster.
ToconfiguretheStorageNetwork:1.
FindtheUUIDofthehost:#xehost-listname-label=params=uuiduuid(RO):2.
FindtheUUIDofthePIFrelatedtodeviceeth1(NIC1)andtheUUIDofitsnetwork:#xepif-listdevice=eth1host-uuid=params=uuiduuid(RO):3.
ConfiguretheStorageNetworkIPaddress:#xepif-reconfigure-ipuuid=mode=staticIP=netmask=4.
SetthePIFtobepermanentlyattached:#xepif-param-setuuid=disallow-unplug=true4.
6.
StorageConfigurationTheTOEallowsonlytwotypesofStorageRepository(SR):read-onlyISOonNFSorVHDonNFS.
FormoreinformationaboutISOonNFSSRs,seeSection4.
2.
4,"ISOSRs"([XSAdmin]).
FormoreinformationaboutVHDonNFSSRs,seeSection4.
2.
9,"NFSVHDSRs"([XSAdmin]).
Note:ThesestepsmustbeexecutedonlyonthePoolMaster'sconsole.
4.
6.
1.
AddingaVHDonNFSSR1.
ToaddaVHDonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truedevice-config:server=\device-config:serverpath=type=nfsThisreturnsthesr-uuid.
92.
RepeatthecommandforallsubsequentNFSSRsthatshouldbeavailabletothepool.
4.
6.
2.
RegisteringaDefaultSRAfteraddingalltheNFSSRs,chooseoneandmakeitthedefaultSR:#xepool-listparams=uuidminimal=true#xepool-param-setuuid=default-SR=\suspend-image-SR=crash-dump-SR=4.
6.
3.
AddinganISOonNFSSR1.
ToaddanISOonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truetype=iso\device-config:location=content-type=isoThisreturnsthesr-uuid.
2.
RepeatthecommandforallsubsequentISOonNFSSRsthatshouldbeavailabletothepool.
10AppendixA.
OpenSSLConfigurationFollowingisanexampleofaconfigurationfileforusewithOpenSSL(version1.
0.
0)thatwouldcreateaCSRwhichsatisfiestherequirementsXenServerhasoncertificates.
Beforeusingit,pleaseensurethatthisfilecomplieswithyourorganisationalsecuritypolicy.
ExampleA.
1.
OpenSSLConfigurationHOME=.
oid_section=new_oids[new_oids][req]default_days=365default_keyfile=.
/new_key.
pemdefault_bits=2048distinguished_name=req_distinguished_nameencrypt_key=nostring_mask=nombstrreq_extensions=v3_req[req_distinguished_name]CN=10.
80.
2.
63C=GBO=MyFirmLtdOU=TechnicalSupportemailAddress=my.
email@address.
myfirm.
co.
uk[v3_req]subjectAltName=@alt_names[alt_names]DNS.
1=127.
0.
0.
111AppendixB.
FirewallConfigurationBydefault,arestrictivefirewallisconfiguredduringCommonCriteriaXenServerhostinstallation.
Detailsoftheportsusedcanbefoundinthesectionsthatfollow.
B.
1.
ManagementNetworkFirewallTheportsthatareusedontheManagementNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionHTTPS443tcpbothPingN/Aicmp(echo-request)bothLicensing7279tcpoutLicensing27000tcpoutNTP123udpoutDNS53tcpoutDNS53udpoutB.
2.
StorageNetworkFirewallTheportsthatareusedontheStorageNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionPingN/Aicmp(echo-request)bothDNS53tcpoutDNS53udpoutNFS111tcp&udpoutNFS2049tcp&udpoutNFS26345-26348tcp&udpoutB.
3.
GuestNetworkFirewallTheGuestNetworkissolelyusedbytheGuestVMsandthefirewalldoesnotrequireconfiguration.

Friendhosting(月1.35欧元),不限流量,9机房可选

今天9月10日是教师节,我们今天有没有让孩子带礼物和花送给老师?我们这边不允许带礼物进学校,直接有校长在门口遇到有带礼物的直接拦截下来。今天有看到Friendhosting最近推出了教师节优惠,VPS全场45折,全球多机房可选,有需要的可以看看。Friendhosting是一家成立于2009年的保加利亚主机商,主要提供销售VPS和独立服务器出租业务,数据中心分布在:荷兰、保加利亚、立陶宛、捷克、乌...

Linode十八周年及未来展望

这两天Linode发布了十八周年的博文和邮件,回顾了过去取得的成绩和对未来的展望。作为一家运营18年的VPS主机商,Linode无疑是有一些可取之处的,商家提供基于KVM架构的VPS主机,支持随时删除(按小时计费),可选包括美国、英国、新加坡、日本、印度、加拿大、德国等全球十多个数据中心,所有机器提供高出入网带宽,最低仅$5/月($0.0075/小时)。This month marks Linod...

sharktech:老牌高防服务器商,跳楼价,1G独享$70、10G共享$240、10G独享$800

不知道大家是否注意到sharktech的所有服务器的带宽价格全部跳楼跳水,降幅简直不忍直视了,还没有见过这么便宜的独立服务器。根据不同的机房,价格也是不一样的。大带宽、不限流量比较适合建站、数据备份、做下载、做流媒体、做CDN等多种业务。 官方网站:https://www.sharktech.net 付款方式:比特币、信用卡、PayPal、支付宝、西联汇款 以最贵的洛杉矶机器为例,配置表如...

127.0.0.1为你推荐
pcllenchrome思科routecontentcss支持ipad请仔细阅读在本报告尾部的重要法律声明netbios端口如何组织netbios端口的外部通信联通iphone4北京 朝阳区 哪家联通店可以卖Iphone4的,本周周末过去买ipad无法加入网络我的IPAD无法加入网络苹果5.1完美越狱iphone 5.1版本怎么越狱?div居中div如何居中
秒解服务器 鲨鱼机 私人服务器 名片模板psd 丹弗 免费个人空间申请 idc资讯 亚马逊香港官网 空间技术网 多线空间 彩虹云 韩国代理ip 申请免费空间 免费蓝钻 建站论坛 西部数码主机 游戏服务器 火山互联 装修瓦工招聘 kosspp 更多