Common Criteria Evaluated Configuration Guide for Citrix XenServer 6.0.2, Platinum Edition

Published Wednesday, 22 August 2012
3.0 Edition

Copyright 2012 Citrix Systems, Inc. All Rights Reserved.

Citrix, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
United States of America

Disclaimers

This document is furnished "AS IS." Citrix, Inc. disclaims all warranties regarding the contents of this document, including, but not limited to, implied warranties of merchantability and fitness for any particular purpose. This document may contain technical or other inaccuracies or typographical errors. Citrix, Inc. reserves the right to revise the information in this document at any time without notice. This document and the software described in this document constitute confidential information of Citrix, Inc. and its licensors, and are furnished under a license from Citrix, Inc.

Citrix Systems, Inc., the Citrix logo, Citrix XenServer and Citrix XenCenter are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.

Trademarks

Citrix
XenServer
XenCenter

Contents

1. About this Guide
2. Hardware
    2.1. Inventory
    2.2. Securing Hardware
3. Software
    3.1. Configuring XenCenter
        3.1.1. Initial Installation
        3.1.2. Post-Installation Configuration Procedures
    3.2. Configuring the Citrix License Server
        3.2.1. Initial Installation
        3.2.2. Post Installation Configuration Procedures
    3.3. Configuring Network Storage (NFS)
    3.4. Configuring Network Time Protocol (NTP)
4. Configuring a XenServer Host
    4.1. Before Installing XenServer
    4.2. Installing XenServer
    4.3. Managing SSL Certificates
        4.3.1. Installing the Trusted CA Certificate
        4.3.2. Generating Host Certificates
    4.4. Creating a XenServer Pool
    4.5. Network Configuration
        4.5.1. Configuring the Storage Network
    4.6. Storage Configuration
        4.6.1. Adding a VHD on NFS SR
        4.6.2. Registering a Default SR
        4.6.3. Adding an ISO on NFS SR
A. OpenSSL Configuration
B. Firewall Configuration
    B.1. Management Network Firewall
    B.2. Storage Network Firewall
    B.3. Guest Network Firewall

Chapter 1. About this Guide

This Common Criteria Evaluated Configuration Guide for Citrix XenServer 6.0.2, Platinum Edition, describes the requirements and procedures for installing and configuring Citrix XenServer in accordance with the Common Criteria evaluated deployment. If your security requirements and policies require you to deploy Citrix XenServer 6.0.2 to match the Common Criteria Target of Evaluation configuration, follow the procedures in this guide exactly.

Glossary

CA      X.509 Certification Authority, see RFC 5280
CC      Common Criteria
CLI     Command Line Interface
CN      Common Name, see RFC 5280
CSR     Certificate Signing Request, see PKCS #10
DNS     Domain Name System
EPT     Extended Page Tables
FQDN    Fully Qualified Domain Name
HCL     Hardware Compatibility List
IP      Internet Protocol
NFS     Network File System
NIC     Network Interface Controller
NTP     Network Time Protocol, see RFC 1305
PBD     Physical Block Device
PIF     Physical Interface
PXE     Preboot eXecution Environment
RPC     Remote Procedure Call
SAN     Subject Alternative Name, see RFC 5280
SAR     Security Assurance Requirement
SFR     Security Functional Requirement
SR      Storage Repository
ST      Security Target
SSL     Secure Socket Layer
UUID    Universally Unique Identifier
TOE     Target of Evaluation
VIF     Virtual Interface
VM      Virtual Machine
VT-x    Virtualization Technology for x86 Processors

References

[XSInstall] Citrix XenServer Installation Guide, 6.0. 1.1 Edition.
[CTXLIC] Citrix Licensing. http://support.citrix.com/proddocs/topic/technologies/lic-library-node-wrapper.html.
[XSCCST] Common Criteria Security Target for Citrix XenServer 6.0.2, Platinum Edition CIN8-ST-0001. Version 1.0.
[CCXSAdmin] Common Criteria Administrator's Guide for Citrix XenServer 6.0.2, Platinum Edition. 1.0 Edition.
[XSAdmin] Citrix XenServer Administrator's Guide 6.0. 1.1 Edition.

Chapter 2. Hardware

Important: The hardware selected for use must be certified and supported for use with XenServer. Refer to the XenServer Hardware Compatibility List (HCL) at http://citrix.com/xenserver/cc-hcl for details.

For Common Criteria purposes, the XenServer 6.0.2 HCL applies with the additional restriction that:

- Each server must contain at least 2 CPU cores.
- Only Intel 64-bit-capable CPUs with both VT-x and EPT capabilities are supported.
- Each server must contain at least 3 NICs.

2.1. Inventory

Servers: At least 2, a maximum of 16, servers satisfying the limitations of the TOE as found in [XSCCST].
Storage: Network attached storage offering NFS storage, as defined in the TOE ([XSCCST]).
Network: Any network configuration within the limits of the TOE as found in [XSCCST].

Note: The host hardware configuration influences how the installed system will auto-configure. For the evaluated configuration, the hardware should be set up as follows:

    NIC 0 - Management Network
    NIC 1 - Storage Network
    NIC 2 ... NIC N - One or more further NICs must be added as required to create Guest Networks

2.2. Securing Hardware

The hardware must be secured as described in [XSCCST] section Security Objectives for the Operational Environment, specifically OE.Secure_Resource, OE.Secure_Keys, OE.Separate_Networks.

Chapter 3. Software

The evaluated configuration as described in [XSCCST] includes the XenCenter client as a management console, although XenCenter is not included in the TOE and is not relied upon to implement any security functions. When XenCenter is used as the client, the CC-specific version must be used (available on the CC ISO). The standard version of XenCenter would provide notifications of updates that are not applicable to the XenServer CC version, which may cause an administrator to take it out of the Evaluated Configuration. The CC version of XenCenter does not provide these notifications. Users should monitor the Citrix Support site, http://support.citrix.com/6.0.2 [**URL to be confirmed**], for updates that are applicable specifically to the XenServer CC version.

3.1. Configuring XenCenter

The client used for the management of XenServer must verify presented SSL certificates. To do this using Citrix XenCenter, execute the following procedure.

3.1.1. Initial Installation

Please refer to the steps in the section called "Installing XenCenter" ([XSInstall]).

3.1.2. Post-Installation Configuration Procedures

1. On the Tools menu, select Options. This displays the Options dialog.
2. In the left hand pane, select Security.
3. Select the options Warn me when a new SSL certificate is found and Warn me when an SSL certificate changes.
4. Click OK to close the dialog.

Note: If you use XenCenter for the Common Criteria configuration, it is possible to store your login credentials. The username and password for all managed servers can be stored between XenCenter sessions and used to automatically reconnect to them at the start of each new XenCenter session. To enable, in XenCenter on the "Tools" menu, select "Options", then click "Save and Restore" and select the Save and restore server connection state on startup checkbox.

In addition, when Save and restore server connection state on startup is enabled, you can protect the stored login credentials with a master password to ensure they remain secure. At the start of each session, you will be prompted to enter this master password before connections to your managed servers are automatically restored. To do this select the Require a master password checkbox.

Administrators should follow their organization's policies regarding storing passwords.

3.2. Configuring the Citrix License Server

The TOE as described in [XSCCST] requires the use of a license server.

3.2.1. Initial Installation

For information on installing and configuring the Citrix License Server, please see [CTXLIC].

3.2.2. Post Installation Configuration Procedures

The evaluated configuration requires using the following ports:

    Vendor Daemon Port           7279
    License Server Manager Port  27000

3.3. Configuring Network Storage (NFS)

The evaluated configuration assumes that the NFS server uses the following standard ports:

    RPC      111
    NFS      2049
    Lockd    26345
    Statd    26346
    Mountd   26347
    Rquotad  26348

3.4. Configuring Network Time Protocol (NTP)

The evaluated configuration requires that the NTP server uses the standard port:

    NTP  123

Chapter 4. Configuring a XenServer Host

This section describes the configuration steps that must be followed on each XenServer host.

Warning: The evaluated configuration for a host will only be achieved once all of the following steps have been executed. The host must not be made available for use until the entire configuration has been completed.

Warning: In the evaluated configuration, administrators must only use commands that are defined in the Common Criteria (CC) documentation, or in subsequent Citrix Knowledge Base articles that apply explicitly to the XenServer 6.0.2 CC configuration.

4.1. Before Installing XenServer

Before installing XenServer, verify the integrity of the downloaded ISO files by following the instructions in Chapter 1 of [delproc].

4.2. Installing XenServer

For the remainder of the installation procedure, refer to the steps in the section called "Installing the XenServer Host" ([XSInstall]) and to [XSAdmin], noting the following additional restrictions:

- Do not install any supplemental packs.
- Configure the host to use a static IP address.
- If your network does not have a DNS server, enter 127.0.0.1 when prompted for the IP address of a DNS server.

Note: PXE booting XenServer installations, as described in Appendix C, PXE Boot Installations ([XSInstall]) is not supported for the evaluated configuration.

4.3. Managing SSL Certificates

During XenServer host installation, a self-signed SSL certificate is installed. This must be replaced to fully comply with the requirements for a CC deployment as defined in [XSCCST]. This section explains how to set up an SSL configuration. A configured X.509 Certification Authority (CA) is required for the steps in this section (see Appendix A, OpenSSL Configuration for an example configuration suitable for use with OpenSSL).

Note: When configuring a pool environment, these steps must be executed on all hosts.

4.3.1. Installing the Trusted CA Certificate

To Install the Trusted CA Certificate on a Host

1. Copy your trusted CA certificate to removable storage.
2. Mount the removable storage containing the certificate.
3. Install a CA certificate by entering the following commands on the host console.

    # cd
    # xe pool-certificate-install filename=

4. Unmount and remove the removable storage.

4.3.2. Generating Host Certificates

Note: Keys used on the XenServer host must be generated in accordance with OE.Secure_Keys as defined in [XSCCST].

When creating a Certificate Signing Request (CSR) it is also important to consider the following:

- Only a single Common Name (CN) entry is inspected during hostname validation.
- Only Subject Alternative Names (SAN) with type DNS are inspected during hostname validation.
- Hostname wildcards are not supported.
- The host IP address must be included in either CN or SAN. A Fully Qualified Domain Name (FQDN) can be provided in addition to the host IP address, however this is not essential.
- 127.0.0.1 must be included in either the CN or SAN.
- Allow a short period of time for xapi to be ready after performing service xapi start.

See Appendix A, OpenSSL Configuration for an example using OpenSSL.

To Install the SSL Certificate on a Host

1. Copy your trusted CA certificate to removable storage.
2. Mount the removable storage media containing the certificate.
3. Enter the following commands on the host console:

    # service xapi stop
    # pkill stunnel
    # cp /etc/xensource/xapi-ssl.pem /etc/xensource/orig-xapi-ssl.pem
    # cp /etc/xensource/xapi-ssl.pem
    # service xapi start

4. Unmount and remove the removable storage.
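
The CSR rules listed in section 4.3.2 can be checked mechanically before a request is sent to the CA. The following is an added example, not part of the Citrix guide: it reads an OpenSSL request configuration of the kind shown in Appendix A and reports which of those rules it breaks. The function names and the trimmed sample input are constructed for illustration, and it assumes the Common Name is given under the short name CN.

```python
import re

# Constructed sample: Appendix A settings, trimmed to what hostname validation uses.
SAMPLE_CONF = """
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
CN = 10.80.2.63
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = 127.0.0.1
"""

def parse_conf(text):
    """Parse OpenSSL-style 'key = value' lines into {section: [(key, value)]}."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def check_request(text, host_ip):
    """Return findings against the section 4.3.2 rules; an empty list means none."""
    conf = parse_conf(text)
    req = dict(conf.get("req", []))
    dn = conf.get(req.get("distinguished_name", ""), [])
    ref = dict(conf.get(req.get("req_extensions", ""), [])).get("subjectAltName", "")
    san = conf.get(ref[1:], []) if ref.startswith("@") else []
    cns = [v for k, v in dn if k.split(".")[-1] == "CN"]
    dns = [v for k, v in san if k.split(".")[0] == "DNS"]
    findings = []
    if len(cns) != 1:
        findings.append("expected exactly one CN, found %d" % len(cns))
    for k, v in san:
        if k.split(".")[0] != "DNS":
            findings.append("SAN %s=%s is not type DNS, so it is not inspected" % (k, v))
    inspected = cns[:1] + dns  # the only names hostname validation looks at
    findings += ["wildcard not supported: " + n for n in inspected if "*" in n]
    for required in (host_ip, "127.0.0.1"):
        if required not in inspected:
            findings.append(required + " missing from CN and DNS-type SAN")
    return findings
```

Calling check_request(SAMPLE_CONF, "10.80.2.63") returns an empty list; moving 127.0.0.1 to an IP-type SAN entry produces two findings, because that entry is ignored during hostname validation.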

4.4. Creating a XenServer Pool

XenServer resource pools can be created using either the XenCenter management console or the CLI. When you join a new host to a resource pool, the joining host synchronizes its local database with the pool-wide one, and inherits some settings from the pool. For more information on resource pools, refer to the chapter called "XenServer Hosts and Resource Pools" ([XSAdmin]).

Before creating a XenServer Pool, choose one of the hosts to be the initial pool master. There are no special requirements for choosing the pool master. Once you have selected the pool master, join all the remaining hosts (which will be pool slaves) to the master using the following procedure.

To Join XenServer Host slave1 to master Using CLI

1. Open a console on XenServer host slave1.
2. Configure the XenServer slave1 host to act as a slave of Pool Master master by entering the following on the console:

    # xe pool-join master-address= master-username=root \
        master-password=

   The master-address must be set to the fully-qualified domain name or IP address of the XenServer host master and the password must be the password set when XenServer host master was installed.

To Name the Resource Pool

By default, XenServer hosts belong to an unnamed pool. To name the resource pool, enter the following command:

    # xe pool-list params=uuid minimal=true
    # xe pool-param-set name-label= uuid=

4.5. Network Configuration

The TOE requires the use of separate networks for management, storage and guest traffic. Guests must only ever be connected to the Guest Networks. This ensures that proper separation is maintained and that VIFs are only created on the Guest Network. Under no circumstance must a Guest ever be connected to either the Management Network or the Storage Network. As dom0 does not need VIFs to access the Management and Storage networks, no VIFs should ever be defined for them.

Refer to [CCXSAdmin] for further information on configuring networking on XenServer and to the section Security Problem Definition in [XSCCST], specifically A.Separate_Networks.

4.5.1. Configuring the Storage Network

Note: The following steps for configuring the Storage Network must be performed on ALL hosts, including the Pool Master.

To configure the Storage Network:

1. Find the UUID of the host:

    # xe host-list name-label= params=uuid
    uuid ( RO) :

2. Find the UUID of the PIF related to device eth1 (NIC 1) and the UUID of its network:

    # xe pif-list device=eth1 host-uuid= params=uuid
    uuid ( RO) :

3. Configure the Storage Network IP address:

    # xe pif-reconfigure-ip uuid= mode=static IP= netmask=

4. Set the PIF to be permanently attached:

    # xe pif-param-set uuid= disallow-unplug=true

4.6. Storage Configuration

The TOE allows only two types of Storage Repository (SR): read-only ISO on NFS or VHD on NFS. For more information about ISO on NFS SRs, see Section 4.2.4, "ISO SRs" ([XSAdmin]). For more information about VHD on NFS SRs, see Section 4.2.9, "NFS VHD SRs" ([XSAdmin]).

Note: These steps must be executed only on the Pool Master's console.

4.6.1. Adding a VHD on NFS SR

1. To add a VHD on NFS SR at : enter the following command:

    # xe sr-create name-label="" shared=true device-config:server= \
        device-config:serverpath= type=nfs

   This returns the sr-uuid.

2. Repeat the command for all subsequent NFS SRs that should be available to the pool.

4.6.2. Registering a Default SR

After adding all the NFS SRs, choose one and make it the default SR:

    # xe pool-list params=uuid minimal=true
    # xe pool-param-set uuid= default-SR= \
        suspend-image-SR= crash-dump-SR=

4.6.3. Adding an ISO on NFS SR

1. To add an ISO on NFS SR at : enter the following command:

    # xe sr-create name-label="" shared=true type=iso \
        device-config:location= content-type=iso

   This returns the sr-uuid.

2. Repeat the command for all subsequent ISO on NFS SRs that should be available to the pool.

Appendix A. OpenSSL Configuration

Following is an example of a configuration file for use with OpenSSL (version 1.0.0) that would create a CSR which satisfies the requirements XenServer has on certificates. Before using it, please ensure that this file complies with your organisational security policy.

Example A.1. OpenSSL Configuration

    HOME = .
    oid_section = new_oids

    [ new_oids ]

    [ req ]
    default_days = 365
    default_keyfile = ./new_key.pem
    default_bits = 2048
    distinguished_name = req_distinguished_name
    encrypt_key = no
    string_mask = nombstr
    req_extensions = v3_req

    [ req_distinguished_name ]
    CN = 10.80.2.63
    C = GB
    O = My Firm Ltd
    OU = Technical Support
    emailAddress = my.email@address.myfirm.co.uk

    [ v3_req ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = 127.0.0.1

Appendix B. Firewall Configuration

By default, a restrictive firewall is configured during Common Criteria XenServer host installation. Details of the ports used can be found in the sections that follow.

B.1. Management Network Firewall

The ports that are used on the Management Network in the TOE as defined in [XSCCST]:

    Service    Port   Protocol             Direction
    HTTPS      443    tcp                  both
    Ping       N/A    icmp (echo-request)  both
    Licensing  7279   tcp                  out
    Licensing  27000  tcp                  out
    NTP        123    udp                  out
    DNS        53     tcp                  out
    DNS        53     udp                  out

B.2. Storage Network Firewall

The ports that are used on the Storage Network in the TOE as defined in [XSCCST]:

    Service  Port         Protocol             Direction
    Ping     N/A          icmp (echo-request)  both
    DNS      53           tcp                  out
    DNS      53           udp                  out
    NFS      111          tcp & udp            out
    NFS      2049         tcp & udp            out
    NFS      26345-26348  tcp & udp            out

B.3. Guest Network Firewall

The Guest Network is solely used by the Guest VMs and the firewall does not require configuration.
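
One way to compare a host's rule set with the tables in B.1 and B.2, as an added example that is not part of the Citrix guide. It assumes the rules are available in iptables -S syntax and that NIC 0 and NIC 1 appear as eth0 and eth1; the sample rules are constructed, and only port-based ACCEPT rules are examined.

```python
# Port rules from the Appendix B tables: (protocol, port) -> allowed directions.
ALLOWED = {
    "management": {("tcp", 443): {"in", "out"}, ("tcp", 7279): {"out"},
                   ("tcp", 27000): {"out"}, ("udp", 123): {"out"},
                   ("tcp", 53): {"out"}, ("udp", 53): {"out"}},
    "storage": {(proto, port): {"out"} for proto in ("tcp", "udp")
                for port in (53, 111, 2049, 26345, 26346, 26347, 26348)},
}
# Assumed interface naming (hypothetical): NIC 0 = eth0, NIC 1 = eth1.
NIC_NETWORK = {"eth0": "management", "eth1": "storage"}

# Constructed rule listing in iptables -S syntax, not taken from a real host.
SAMPLE_RULES = """
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 26345:26348 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
"""

def parse_rule(line):
    """Map each option in one rule line to the token that follows it."""
    tok = line.split()
    return {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}

def audit(rules_text, nic_network=NIC_NETWORK):
    """Return ACCEPT rules that open a port the Appendix B tables do not list."""
    findings = []
    for line in rules_text.strip().splitlines():
        opt = parse_rule(line)
        chain = opt.get("-A")
        if opt.get("-j") != "ACCEPT" or chain not in ("INPUT", "OUTPUT"):
            continue
        if "--dport" not in opt:
            continue  # ICMP and return-traffic rules are outside this check
        direction = "in" if chain == "INPUT" else "out"
        nic = opt.get("-i" if chain == "INPUT" else "-o")
        table = ALLOWED.get(nic_network.get(nic), {})
        low, _, high = opt["--dport"].partition(":")
        ports = range(int(low), int(high or low) + 1)
        # Every port the rule covers must be listed for that network,
        # protocol and direction; a rule with no known NIC is always reported.
        if any(direction not in table.get((opt.get("-p"), p), ()) for p in ports):
            findings.append(line.strip())
    return findings
```

On the constructed sample, audit(SAMPLE_RULES) reports the inbound port 22 rule on eth0 and the outbound port 443 rule on eth1, neither of which appears in the tables for its network.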
