Server access

Enable, disable, and configure settings associated with the different network-accessible processes that can run on your DCE server: web server, SSH daemon, SNMP daemon, and SOCKS proxy.   SNMP Server tab   Enable or disable the use of an SNMP agent at your server, define the community names and the port setting used for SNMP access to monitored devices, and identify the contact and location information for the server.   SOCKS Proxy tab   Enable or disable the server's built-in SOCKS v5 proxy server. This proxy server, which uses port 1080, allows users with proxy access to access devices that reside on the private DHCP LAN, by accessing the server from the public LAN.   SSH Server tab Secure Shell (SSH), a program that provides strong authentication and secure communications over insecure channels. SSH is used to log into a server on the network from a command line to execute commands.   SSH is currently running Enabled by default. Allows SSH access to the Data Center Expert server. Disabling SSH will cause the SSH daemon to be terminated. No new SSH sessions will be allowed. Existing SSH sessions will not be affected.   SSH starts at boot time Enabled by default. Starts SSH whenever the server is turned on or rebooted. Note: SSH is primarily intended for use with technical support guidance in troubleshooting device issues.   Web Server tab   HTTP and HTTPS settings   Enabling and disabling HTTP or HTTPS access, or changing the ports used, can prevent devices from providing data to your Data Center Expert server.   Enable HTTP Port Select to enable the Data Center Expert server to use HTTP, a non-secure Internet protocol, for web communication at the defined IP port. HTTP is disabled by default.   Enable HTTPS port The Data Center Expert server always uses HTTPS, a secure Internet protocol, for web communication. You can specify the IP port, 443 by default. Note: IP ports 1 - 65535 are valid, with the exception of ports 20, 21, 22, 23, 25, 123, 161, 162, and 389. These are ports reserved for use by NetBotz appliances and by well-known protocols. Using these reserved ports creates a conflict that can result in operational difficulties.   Enable HTTP Strict Transport Security Allow the Data Center Expert server to add an HTTP Strict Transport Security (HSTS) entry to HTTP response headers. This automatically redirects HTTP connections to HTTPS. If you select HTTP, it is recommended that you enable HSTS unless it prevents older NetBotz Appliances from posting successfully. Learn more about HSTS   SSL Certificate   Provides information about the current SSL certificate and allows you to change the certificate. The DCE server generates a default, self-signed SSL certificate that can be used for secure HTTPS web communication. Change Certificate: Access the Change Server SSL Certificate wizard to create or add a new certificate. You also can create a certificate signing request to send to a certificate signing authority.   Security Policy tab   Configure the system-wide cryptographic policy used by the Data Center Expert server. Crypto policies are a system component that configure the core cryptographic subsystem security policies instead of using individual configurations.   Select one of the cryptographic policies the Data Center Expert server supports:   Future: Most restrictive to withstand near-term future attacks Default: Secure settings for current threat models Legacy policy: Least restrictive for maximum compatibility DCE: Custom policy, less restrictive than Default and more restrictive than Legacy FIPS: A policy level that conforms to FIPS 140 requirements   These policies are applied consistently to running services and are kept up to date as part of Data Center Expert software updates.   When a new policy is set, the web server and SSH server on the DCE server will restart. The DCE policy is selected by default. The DCE policy is similar to the Legacy policy except that the DCE policy does not allow any RC4 or 3DES based ciphers.   See the documentation for security policy definitions from Red Hat here.   FIPS Federal Information Processing Standards (FIPS) govern how devices and systems use cryptography and other information technology. These standards were created by the National Institute of Science and Technology (NIST) to protect government data, and ensure those working with the government comply with certain safety standards before they have access to data. When a system is in FIPS mode, it uses algorithms and libraries that comply with FIPS standards, and may also use additional data protection features. FIPS mode may also disable or restrict certain functions that don't comply with FIPS standards. Note: In DCE, CIFS (Windows) mounts do not work when FIPS mode is enabled. MD5 authentication is required for CIFS, which is not supported in FIPS mode.   Go to Help > About Data Center Expert to see whether FIPS mode is active on the client and the server. You can also hover over the lower right corner of the desktop client to see whether FIPS mode is active on the client.  

You can use the Change Server SSL Certificate wizard to create or add a new certificate. You also can create a certificate signing request to send to a certificate signing authority. Create a new self-signed certificate Go to System > Server Administration Settings > Server Access. On the Web Server tab, click Modify Certificate. Select Create New Self-Signed Certificate. Edit the certificate parameters as needed, and click Next. Note: Country is limited to two alphabetical characters. Click Finish to overwrite the default SSL certificate with a new, self-signed SSL certificate created by the server. You can log on to the server again after it finishes rebooting. Create a certificate signing request to send to a certificate signing authority Go to System > Server Administration Settings > Server Access. On the Web Server tab, click Modify Certificate. Select Create Certificate Signing Request (CSR) and click Next. Edit the certificate parameters as needed, and click Next. Note: Country is limited to two alphabetical characters. Copy the provided CSR text to a text file. You can manually select the text and use Ctrl+C, or right-click anywhere in the text to use the Select All and Copy options, to copy the CSR text. Note: Each time you generate a new Certificate Signing Request from the DCE user interface, the DCE server private key will change. You must add the signed certificate to DCE (which was created from your matching CSR) EITHER before you create a new CSR OR before you reboot the DCE server. If you do not follow these steps, the private key on DCE will not match the original private key that was on the server when you created the CSR. The server will fail to start because of a private key mismatch, and generate an error. Submit the CSR to the appropriate 3rd-party certificate authority for signing. They will give you a signed SSL certificate. Use the Add Certificate option in the "Choose Certificate Action" display to add the newly signed certificate to the server. Import a 3rd-party signed SSL certificate Go to System > Server Administration Settings > Server Access. On the Web Server tab, click Modify Certificate. Select Add Certificate and click Next. Use Ctrl+V to paste a copy of the certificate in the text box, or click Import Certificate to import the certificate from its text file, and click Next. Click Finish to overwrite the current SSL certificate with the new SSL certificate. You can log on to the server again after it finishes rebooting.