CommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEditionPublishedWednesday,22August20123.
0EditionCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEditionCopyright2012CitrixSystems.
Inc.
AllRightsReserved.
Citrix,Inc.
851WestCypressCreekRoadFortLauderdale,FL33309UnitedStatesofAmericaDisclaimersThisdocumentisfurnished"ASIS.
"Citrix,Inc.
disclaimsallwarrantiesregardingthecontentsofthisdocument,including,butnotlimitedto,impliedwarrantiesofmerchantabilityandfitnessforanyparticularpurpose.
Thisdocumentmaycontaintechnicalorotherinaccuraciesortypographicalerrors.
Citrix,Inc.
reservestherighttorevisetheinformationinthisdocumentatanytimewithoutnotice.
ThisdocumentandthesoftwaredescribedinthisdocumentconstituteconfidentialinformationofCitrix,Inc.
anditslicensors,andarefurnishedunderalicensefromCitrix,Inc.
CitrixSystems,Inc.
,theCitrixlogo,CitrixXenServerandCitrixXenCenteraretrademarksofCitrixSystems,Inc.
and/oroneormoreofitssubsidiaries,andmayberegisteredintheUnitedStatesPatentandTrademarkOfficeandinothercountries.
Allothertrademarksandregisteredtrademarksarepropertyoftheirrespectiveowners.
TrademarksCitrixXenServerXenCenterPublished:22August2012iiiContents1.
AboutthisGuide12.
Hardware32.
1.
Inventory32.
2.
SecuringHardware33.
Software43.
1.
ConfiguringXenCenter43.
1.
1.
InitialInstallation43.
1.
2.
Post-InstallationConfigurationProcedures43.
2.
ConfiguringtheCitrixLicenseServer43.
2.
1.
InitialInstallation43.
2.
2.
PostInstallationConfigurationProcedures53.
3.
ConfiguringNetworkStorage(NFS)53.
4.
ConfiguringNetworkTimeProtocol(NTP)54.
ConfiguringaXenServerHost64.
1.
BeforeInstallingXenServer64.
2.
InstallingXenServer64.
3.
ManagingSSLCertificates64.
3.
1.
InstallingtheTrustedCACertificate64.
3.
2.
GeneratingHostCertificates74.
4.
CreatingaXenServerPool74.
5.
NetworkConfiguration84.
5.
1.
ConfiguringtheStorageNetwork84.
6.
StorageConfiguration84.
6.
1.
AddingaVHDonNFSSR84.
6.
2.
RegisteringaDefaultSR94.
6.
3.
AddinganISOonNFSSR9A.
OpenSSLConfiguration10B.
FirewallConfiguration11ivB.
1.
ManagementNetworkFirewall11B.
2.
StorageNetworkFirewall11B.
3.
GuestNetworkFirewall111Chapter1.
AboutthisGuideThisCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEdition,describestherequirementsandproceduresforinstallingandconfiguringCitrixXenServerinaccordancewiththeCommonCriteriaevaluateddeployment.
IfyoursecurityrequirementsandpoliciesrequireyoutodeployCitrixXenServer6.
0.
2tomatchtheCommonCriteriaTargetofEvaluationconfiguration,followtheproceduresinthisguideexactly.
GlossaryCAX.
509CertificationAuthority,seeRFC5280CCCommonCriteriaCLICommandLineInterfaceCNCommonName,seeRFC5280CSRCertificateSigningRequest,seePKCS#10DNSDomainNameSystemEPTExtendedPageTablesFQDNFullyQualifiedDomainNameHCLHardwareCompatibilityListIPInternetProtocolNFSNetworkFileSystemNICNetworkInterfaceControllerNTPNetworkTimeProtocol,seeRFC1305PBDPhysicalBlockDevicePIFPhysicalInterfacePXEPrebooteXecutionEnvironmentRPCRemoteProcedureCallSANSubjectAlternativeName,seeRFC5280SARSecurityAssuranceRequirementSFRSecurityFunctionalRequirementSRStorageRepositorySTSecurityTargetSSLSecureSocketLayerUUIDUniversallyUniqueIdentifier2TOETargetofEvaluationVIFVirtualInterfaceVMVirtualMachineVT-xVirtualizationTechnologyforx86ProcessorsReferences[XSInstall]CitrixXenServerInstallationGuide,6.
0.
1.
1Edition.
[CTXLIC]CitrixLicensing.
http://support.
citrix.
com/proddocs/topic/technologies/lic-library-node-wrapper.
html.
[XSCCST]CommonCriteriaSecurityTargetforCitrixXenServer6.
0.
2,PlatinumEditionCIN8-ST-0001.
Version1.
0.
[CCXSAdmin]CommonCriteriaAdministrator'sGuideforCitrixXenServer6.
0.
2,PlatinumEdition.
1.
0Edition.
[XSAdmin]CitrixXenServerAdministrator'sGuide6.
0.
1.
1Edition.
3Chapter2.
HardwareImportant:ThehardwareselectedforusemustbecertifiedandsupportedforusewithXenServer.
RefertotheXenServerHardwareCompatibilityList(HCL)athttp://citrix.
com/xenserver/cc-hclfordetails.
ForCommonCriteriapurposes,theXenServer6.
0.
2HCLapplieswiththeadditionalrestrictionthat:Eachservermustcontainatleast2CPUcores.
OnlyIntel64-bit-capableCPUswithbothVT-xandEPTcapabilitiesaresupported.
Eachservermustcontainatleast3NICs.
2.
1.
InventoryServersAtleast2,amaximumof16,serverssatisfyingthelimitationsoftheTOEasfoundin[XSCCST].
StorageNetworkattachedstorageofferingNFSstorage,asdefinedintheTOE([XSCCST]).
NetworkAnynetworkconfigurationwithinthelimitsoftheTOEasfoundin[XSCCST].
Note:Thehosthardwareconfigurationinfluenceshowtheinstalledsystemwillauto-configure.
Fortheevaluatedconfiguration,thehardwareshouldbesetupasfollows:NIC0-ManagementNetworkNIC1-StorageNetworkNIC2.
.
.
NICN-OneormorefurtherNICsmustbeaddedasrequiredtocreateGuestNetworks2.
2.
SecuringHardwareThehardwaremustbesecuredasdescribedin[XSCCST]sectionSecurityObjectivesfortheOperationalEnvironment,specificallyOE.
Secure_Resource,OE.
Secure_Keys,OE.
Separate_Networks.
4Chapter3.
SoftwareTheevaluatedconfigurationasdescribedin[XSCCST]includestheXenCenterclientasamanagementconsole,althoughXenCenterisnotincludedintheTOEandisnotreliedupontoimplementanysecurityfunctions.
WhenXenCenterisusedastheclient,theCC-specificversionmustbeused(availableontheCCISO).
ThestandardversionofXenCenterwouldprovidenotificationsofupdatesthatarenotapplicabletotheXenServerCCversion,whichmaycauseanadministratortotakeitoutoftheEvaluatedConfiguration.
TheCCversionofXenCenterdoesnotprovidethesenotifications.
UsersshouldmonitortheCitrixSupportsite,http://support.
citrix.
com/6.
0.
2[**URLtobeconfirmed**],forupdatesthatareapplicablespecificallytotheXenServerCCversion.
3.
1.
ConfiguringXenCenterTheclientusedforthemanagementofXenServermustverifypresentedSSLcertificates.
TodothisusingCitrixXenCenter,executethefollowingprocedure.
3.
1.
1.
InitialInstallationPleaserefertothestepsinthesectioncalled"InstallingXenCenter"([XSInstall]).
3.
1.
2.
Post-InstallationConfigurationProcedures1.
OntheToolsmenu,selectOptions.
ThisdisplaystheOptionsdialog.
2.
Inthelefthandpane,selectSecurity.
3.
SelecttheoptionsWarnmewhenanewSSLcertificateisfoundandWarnmewhenanSSLcertificatechanges.
4.
ClickOKtoclosethedialog.
Note:IfyouuseXenCenterfortheCommonCriteriaconfiguration,itispossibletostoreyourlogincredentials.
TheusernameandpasswordforallmanagedserverscanbestoredbetweenXenCentersessionsandusedtoautomaticallyreconnecttothematthestartofeachnewXenCentersession.
Toenable,inXenCenteronthe"Tools"menu,select"Options",thenclick"SaveandRestore"andselecttheSaveandrestoreserverconnectionstateonstartupcheckbox.
Inaddition,whenSaveandrestoreserverconnectionstateonstartupisenabled,youcanprotectthestoredlogincredentialswithamasterpasswordtoensuretheyremainsecure.
Atthestartofeachsession,youwillbepromptedtoenterthismasterpasswordbeforeconnectionstoyourmanagedserversareautomaticallyrestored.
TodothisselecttheRequireamasterpasswordcheckbox.
Administratorsshouldfollowtheirorganization'spoliciesregardingstoringpasswords.
3.
2.
ConfiguringtheCitrixLicenseServerTheTOEasdescribedin[XSCCST]requirestheuseofalicenseserver.
3.
2.
1.
InitialInstallationForinformationoninstallingandconfiguringtheCitrixLicenseServer,pleasesee[CTXLIC].
53.
2.
2.
PostInstallationConfigurationProceduresTheevaluatedconfigurationrequiresusingthefollowingports:VendorDaemonPort7279LicenseServerManagerPort270003.
3.
ConfiguringNetworkStorage(NFS)TheevaluatedconfigurationassumesthattheNFSserverusesthefollowingstandardports:RPC111NFS2049Lockd26345Statd26346Mountd26347Rquotad263483.
4.
ConfiguringNetworkTimeProtocol(NTP)TheevaluatedconfigurationrequiresthattheNTPserverusesthestandardport:NTP1236Chapter4.
ConfiguringaXenServerHostThissectiondescribestheconfigurationstepsthatmustbefollowedoneachXenServerhost.
Warning:Theevaluatedconfigurationforahostwillonlybeachievedonceallofthefollowingstepshavebeenexecuted.
Thehostmustnotbemadeavailableforuseuntiltheentireconfigurationhasbeencompleted.
Warning:Intheevaluatedconfiguration,administratorsmustonlyusecommandsthataredefinedintheCommonCriteria(CC)documentation,orinsubsequentCitrixKnowledgeBasearticlesthatapplyexplicitlytotheXenServer6.
0.
2CCconfiguration.
4.
1.
BeforeInstallingXenServerBeforeinstallingXenServer,verifytheintegrityofthedownloadedISOfilesbyfollowingtheinstructionsinChapter1of[delproc]4.
2.
InstallingXenServerFortheremainderoftheinstallationprocedure,refertothestepsinthesectioncalled"InstallingtheXenServerHost"([XSInstall])andto[XSAdmin],notingthefollowingadditionalrestrictions:Donotinstallanysupplementalpacks.
ConfigurethehosttouseastaticIPaddress.
IfyournetworkdoesnothaveaDNSserver,enter127.
0.
0.
1whenpromptedfortheIPaddressofaDNSserver.
Note:PXEbootingXenServerinstallations,asdescribedinAppendixC,PXEBootInstallations([XSInstall])isnotsupportedfortheevaluatedconfiguration.
4.
3.
ManagingSSLCertificatesDuringXenServerhostinstallation,aself-signedSSLcertificateisinstalled.
ThismustbereplacedtofullycomplywiththerequirementsforaCCdeploymentasdefinedin[XSCCST].
ThissectionexplainshowtosetupanSSLconfiguration.
AconfiguredX.
509CertificationAuthority(CA)isrequiredforthestepsinthissection(seeAppendixA,OpenSSLConfigurationforanexampleconfigurationsuitableforusewithOpenSSL).
Note:Whenconfiguringapoolenvironment,thesestepsmustbeexecutedonallhosts.
4.
3.
1.
InstallingtheTrustedCACertificateToInstalltheTrustedCACertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragecontainingthecertificate.
3.
InstallaCAcertificatebyenteringthefollowingcommandsonthehostconsole.
#cd#xepool-certificate-installfilename=74.
Unmountandremovetheremovablestorage.
4.
3.
2.
GeneratingHostCertificatesNote:KeysusedontheXenServerhostmustbegeneratedinaccordancewithOE.
Secure_Keysasdefinedin[XSCCST].
WhencreatingaCertificateSigningRequest(CSR)itisalsoimportanttoconsiderthefollowing:OnlyasingleCommonName(CN)entryisinspectedduringhostnamevalidation.
OnlySubjectAlternativeNames(SAN)withtypeDNSareinspectedduringhostnamevalidation.
Hostnamewildcardsarenotsupported.
ThehostIPaddressmustbeincludedineitherCNorSAN.
AFullyQualifiedDomainName(FQDN)canbeprovidedinadditiontothehostIPaddress,howeverthisisnotessential.
127.
0.
0.
1mustbeincludedineithertheCNorSAN.
Allowashortperiodoftimeforxapitobereadyafterperformingservicexapistart.
SeeAppendixA,OpenSSLConfigurationforanexampleusingOpenSSL.
ToInstalltheSSLCertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragemediacontainingthecertificate.
3.
Enterthefollowingcommandsonthehostconsole:#servicexapistop#pkillstunnel#cp/etc/xensource/xapi-ssl.
pem/etc/xensource/orig-xapi-ssl.
pem#cp/etc/xensource/xapi-ssl.
pem#servicexapistart4.
Unmountandremovetheremovablestorage.
4.
4.
CreatingaXenServerPoolXenServerresourcepoolscanbecreatedusingeithertheXenCentermanagementconsoleortheCLI.
Whenyoujoinanewhosttoaresourcepool,thejoininghostsynchronizesitslocaldatabasewiththepool-wideone,andinheritssomesettingsfromthepool.
Formoreinformationonresourcepools,refertothechaptercalled"XenServerHostsandResourcePools"([XSAdmin]).
BeforecreatingaXenServerPool,chooseoneofthehoststobetheinitialpoolmaster.
Therearenospecialrequirementsforchoosingthepoolmaster.
Onceyouhaveselectedthepoolmaster,joinalltheremaininghosts(whichwillbepoolslaves)tothemasterusingthefollowingprocedure.
ToJoinXenServerHostslave1tomasterUsingCLI1.
OpenaconsoleonXenServerhostslave1.
2.
ConfiguretheXenServerslave1hosttoactasaslaveofPoolMastermasterbyenteringthefollowingontheconsole:xepool-joinmaster-address=master-username=root\master-password=Themaster-addressmustbesettothefully-qualifieddomainnameorIPaddressoftheXenServerhostmasterandthepasswordmustbethepasswordsetwhenXenServerhostmasterwasinstalled.
8ToNametheResourcePoolBydefault,XenServerhostsbelongtoanunnamedpool.
Tonametheresourcepool,enterthefollowingcommand:#xepool-listparams=uuidminimal=truexepool-param-setname-label=uuid=4.
5.
NetworkConfigurationTheTOErequirestheuseofseparatenetworksformanagement,storageandguesttraffic.
GuestsmustonlyeverbeconnectedtotheGuestNetworks.
ThisensuresthatproperseparationismaintainedandthatVIFsareonlycreatedontheGuestNetwork.
UndernocircumstancemustaGuesteverbeconnectedtoeithertheManagementNetworkortheStorageNetwork.
Asdom0doesnotneedVIFstoaccesstheManagementandStoragenetworks,noVIFsshouldeverbedefinedforthem.
Referto[CCXSAdmin]forfurtherinformationonconfiguringnetworkingonXenServerandtothesectionSecurityProblemDefinitionin[XSCCST],specificallyA.
Separate_Networks.
4.
5.
1.
ConfiguringtheStorageNetworkNote:ThefollowingstepsforconfiguringtheStorageNetworkmustbeperformedonALLhosts,includingthePoolMaster.
ToconfiguretheStorageNetwork:1.
FindtheUUIDofthehost:#xehost-listname-label=params=uuiduuid(RO):2.
FindtheUUIDofthePIFrelatedtodeviceeth1(NIC1)andtheUUIDofitsnetwork:#xepif-listdevice=eth1host-uuid=params=uuiduuid(RO):3.
ConfiguretheStorageNetworkIPaddress:#xepif-reconfigure-ipuuid=mode=staticIP=netmask=4.
SetthePIFtobepermanentlyattached:#xepif-param-setuuid=disallow-unplug=true4.
6.
StorageConfigurationTheTOEallowsonlytwotypesofStorageRepository(SR):read-onlyISOonNFSorVHDonNFS.
FormoreinformationaboutISOonNFSSRs,seeSection4.
2.
4,"ISOSRs"([XSAdmin]).
FormoreinformationaboutVHDonNFSSRs,seeSection4.
2.
9,"NFSVHDSRs"([XSAdmin]).
Note:ThesestepsmustbeexecutedonlyonthePoolMaster'sconsole.
4.
6.
1.
AddingaVHDonNFSSR1.
ToaddaVHDonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truedevice-config:server=\device-config:serverpath=type=nfsThisreturnsthesr-uuid.
92.
RepeatthecommandforallsubsequentNFSSRsthatshouldbeavailabletothepool.
4.
6.
2.
RegisteringaDefaultSRAfteraddingalltheNFSSRs,chooseoneandmakeitthedefaultSR:#xepool-listparams=uuidminimal=true#xepool-param-setuuid=default-SR=\suspend-image-SR=crash-dump-SR=4.
6.
3.
AddinganISOonNFSSR1.
ToaddanISOonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truetype=iso\device-config:location=content-type=isoThisreturnsthesr-uuid.
2.
RepeatthecommandforallsubsequentISOonNFSSRsthatshouldbeavailabletothepool.
10AppendixA.
OpenSSLConfigurationFollowingisanexampleofaconfigurationfileforusewithOpenSSL(version1.
0.
0)thatwouldcreateaCSRwhichsatisfiestherequirementsXenServerhasoncertificates.
Beforeusingit,pleaseensurethatthisfilecomplieswithyourorganisationalsecuritypolicy.
ExampleA.
1.
OpenSSLConfigurationHOME=.
oid_section=new_oids[new_oids][req]default_days=365default_keyfile=.
/new_key.
pemdefault_bits=2048distinguished_name=req_distinguished_nameencrypt_key=nostring_mask=nombstrreq_extensions=v3_req[req_distinguished_name]CN=10.
80.
2.
63C=GBO=MyFirmLtdOU=TechnicalSupportemailAddress=my.
email@address.
myfirm.
co.
uk[v3_req]subjectAltName=@alt_names[alt_names]DNS.
1=127.
0.
0.
111AppendixB.
FirewallConfigurationBydefault,arestrictivefirewallisconfiguredduringCommonCriteriaXenServerhostinstallation.
Detailsoftheportsusedcanbefoundinthesectionsthatfollow.
B.
1.
ManagementNetworkFirewallTheportsthatareusedontheManagementNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionHTTPS443tcpbothPingN/Aicmp(echo-request)bothLicensing7279tcpoutLicensing27000tcpoutNTP123udpoutDNS53tcpoutDNS53udpoutB.
2.
StorageNetworkFirewallTheportsthatareusedontheStorageNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionPingN/Aicmp(echo-request)bothDNS53tcpoutDNS53udpoutNFS111tcp&udpoutNFS2049tcp&udpoutNFS26345-26348tcp&udpoutB.
3.
GuestNetworkFirewallTheGuestNetworkissolelyusedbytheGuestVMsandthefirewalldoesnotrequireconfiguration.
Hostodo在九月份又发布了两款特别套餐,开设在美国拉斯维加斯、迈阿密和斯波坎机房,基于KVM架构,采用NVMe SSD高性能磁盘,最低1.5GB内存8TB月流量套餐年付34.99美元起。Hostodo是一家成立于2014年的国外VPS主机商,主打低价VPS套餐且年付为主,基于OpenVZ和KVM架构,美国三个地区机房,支持支付宝或者PayPal、加密货币等付款。下面列出这两款主机配置信息。CP...
这不端午节和大家一样回家休息几天,也没有照顾网站的更新。今天又出去忙一天没有时间更新,这里简单搜集看看是不是有一些商家促销活动,因为我看到电商平台各种推送活动今天又开始一波,所以说现在的各种促销让人真的很累。比如在前面我们也有看到PacificRack 商家发布过年中活动,这不在端午节(昨天)又发布一款闪购活动,有些朋友姑且较多是端午节活动,刚才有看到活动还在的,如果有需要的朋友可以看看。第一、端...
今天看到一个网友从原来虚拟主机准备转移至服务器管理自己的业务。这里问到虚拟主机和服务器到底有什么不同,需要用到哪些工具软件。那准备在下班之间稍微摸鱼一下整理我们服务器安装环境和运维管理中常见需要用到的软件工具推荐。第一、系统镜像软件一般来说,我们云服务器或者独立服务器都是有自带镜像的。我们只需要选择镜像安装就可以,比如有 Windows和Linux。但是有些时候我们可能需要自定义镜像的高级玩法,这...
127.0.0.1为你推荐
请仔细阅读在本报告尾部的重要法律声明支持ipad支持ipad支持ipad支持ipadcss3圆角用CSS3怎么实现圆角边框?iphone连不上wifi苹果iphone6/plus wifi连接不上怎么办iexplore.exe应用程序错误iexplore.exe应用程序错误win7telnetwindows7旗舰版中telnet在哪iphonewifi苹果手机突然用不了Wi-Fi了
怎么注册域名 日本软银 国外主机 hostgator 流媒体服务器 godaddy支付宝 mobaxterm 灵动鬼影 空间出租 日本bb瘦 91vps 广州服务器 hdd 免费cdn 1美金 四川电信商城 移动服务器托管 海外空间 论坛主机 cdn网站加速 更多