APC Application Note 144 - PowerChuteTM Network Shutdown Security Features & Deployment


[ APPLICATION NOTE #144 ] PowerChute™ Network Shutdown Security Features & Deployment

PowerChute™ Network Shutdown Security Features & Deployment
By David Grehan, Sarah Jane Hannon

ABSTRACT
PowerChute™ Network Shutdown (PowerChute) software works in conjunction with the UPS Network Management Card (NMC) to provide graceful, unattended shutdown of multiple IT systems over a network.

This Application Note provides an overview of the security features in PowerChute including connectivity and authentication as well as information on secure deployment.

Applications
IT Server Rooms, Data Centers, Remote Branch Offices, Distributed Networks.

Customer Benefits
• Graceful network-based shutdown
• Run command file capability
• Event logging
• Secure communications
• Browser accessible
• Redundant UPS configuration support
• Parallel UPS configuration support
• HTTPS communications
• IPv6 support

Introduction
All APC by Schneider Electric software products are developed in adherence with key security principles in order to deliver secure products protecting IT equipment.

This Application Note contains the following information:
• Connectivity
• Authentication
• External User Credentials
• Communications / Access Model
• Java Runtime Environment
• Secure Back-Up Recommendations
• Vulnerability Reporting and Management
• Appendices
• How to update PowerChute SSL Certs
• Security hardening for PowerChute and the NMC

Connectivity

PowerChute Access
The PowerChute user interface is accessible via a web browser and supports TLS v1.0 and above which provides authentication and encrypted communication for sensitive communications.

If enabled and configured, PowerChute can be accessed via SNMP v1 or v3. It is recommended to use SNMP v3 only as this provides Authentication, Privacy and Access Control.

PowerChute supports MD5/SHA-1/SHA-2 for Authentication and DES/AES-128/AES-192/AES-256 for Privacy when using SNMP v3.

Note: Support for SSL v3 has been removed from PowerChute Network Shutdown v4.0 due to reported security issues with that protocol.

PowerChute Network Shutdown provides secured browser access via HTTPS as default to ensure that communication via the web interface is secure and cannot be interpreted. Users do have the option to select HTTP but this is not recommended for secure deployment.

PowerChute uses a self-signed SSL Certificate by default that has a 2048-bit RSA public key and uses the SHA-1 Signature Hash Algorithm.

Please see Appendix A for details on how to replace SSL certificates for Windows and Linux.

Network Management Card Connection
The UPS Network Management Card (NMC) provides an interface between your APC UPS and your network. The NMC uses the HTTP protocol by default. This can be changed to HTTPS through the NMC user interface. The default port is 80 for HTTP, and 443 for HTTPS. Do not change this number unless you changed the port being used by your NMC.

Based on the NMC protocol used, you can select either HTTP or HTTPS in PowerChute. This can be changed via the PowerChute setup wizard following installation if required on the UPS Details screen.

The NMC uses a self-signed SSL certificate by default when HTTPS is enabled. You need to enable "Accept Untrusted SSL Certificates" to allow PowerChute to establish communication with the NMC if a self-signed cert is being used by the NMC.

The NMC sends UPS information to PowerChute Network Shutdown via UDP packets which are limited to a few hundred bytes.

For a detailed description on how UPS information is sent over the network and how PowerChute receives NMC updates, please see Application Note #20 “The Communications Process of PowerChute Network Shutdown”.

Connectivity Protocol Definitions

Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) is a Web protocol that encrypts and decrypts page requests from the user and the pages returned by the Web server.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.

©2016 Schneider Electric. All Rights Reserved. Schneider Electric and APC are trademarks owned by Schneider Electric Industries SAS or its affiliated companies. All other trademarks are property of their respective owners.

December 2016

Authentication

PowerChute User Interface
During the initial PowerChute setup using the PowerChute Setup Wizard, you must enter a User Name, Password and Authentication Phrase. The User Name and Password will be used to log on to the PowerChute UI.

The User Name and Authentication Phrase are used for authentication between PowerChute and the Network Management Card and therefore they must match. The passwords used in PowerChute and the NMC can be different.

Password Recommendations
Upon launching the PowerChute Setup Wizard, the Username, Password and Authentication Phrase can be set via the Security Details page. Password complexity is not enforced, though setting a password with a minimum of 8 characters comprising numbers, letters and at least one special character is recommended. It is also advised to change the password on a regular basis e.g. every 90 days.

The Username, Password and Authentication Phrase are all stored using AES-128 bit encryption. Prior to executing the Setup Wizard the default Authentication Phrase should be changed on each Network Management Card that PowerChute will communicate with. The Username, Password and Authentication Phrase can be reset via the pcnsconfig.ini file. Therefore only trusted user accounts should be granted write-access to this file.

Account Lock-Out
PowerChute will automatically “lock out” after three unsuccessful log-in attempts (incorrect User ID and/or Password) to prevent remote password cracking. Each lockout is logged to the Event log and the UI is inaccessible for two minutes and displays “Account is locked out”.

User Control
PowerChute allows you to create one administrator account only. This account has a unique log-in user name and password enabling full read/write access. Only one session of PowerChute can be active at any time; therefore, users will not be able to log on to the same PowerChute Agent from multiple machines simultaneously.

To ensure secure user control it is recommended that PowerChute is not available on a public-facing network segment.

NMC Connection
The communications mechanism between the NMC and PowerChute Network Shutdown uses an MD5-based authentication scheme (Hash-based Message Authentication Code), which has the goals of:

• Ensuring that the password is never sent in plain text.
• Proving that the sender of a message is an authentic user as only those with knowledge of the password phrase can send valid messages.
• Detecting if a message has been tampered with in transit.
• Detecting if a message is being replayed.

The Authentication Phrase must be between 15 and 32 ASCII characters.

A well configured firewall and solid security policy is integral to the security of any network as this authentication scheme does not guarantee:

• That all data is encrypted.
• That a brute-force attack will fail to determine the password phrase.
• Prevention of most Denial of Service attacks.

External User Credentials
When VMware support is enabled and PowerChute is configured to protect Hosts that are managed by vCenter Server a username and password are required. These details are stored in PowerChute using AES-128 bit encryption. The VMware user account requires certain permissions in order to execute Virtualization Tasks – for a listing of the required permissions for this account please refer to FA177822 in the Schneider Electric Knowledge Base. A service account can be created in vSphere with only the required permissions instead of assigning the Administrator Role to this account – this is considered more secure. For more information on configuring vCenter Server accounts in PowerChute please refer to the Application Note #180 – “PowerChute Network Shutdown for VMware”
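
The four goals listed under NMC Connection can be seen in a small keyed-hash exchange. This is an added illustration, not APC code and not the NMC wire format: the frame layout (8-byte counter, payload, 16-byte HMAC-MD5 tag), the counter-based freshness check and every name below are assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # HMAC-MD5 output size in bytes
CTR_LEN = 8    # assumed frame layout: counter | payload | tag


def valid_phrase(phrase: str) -> bool:
    """Length rule from the note: between 15 and 32 ASCII characters."""
    return phrase.isascii() and 15 <= len(phrase) <= 32


def sign(phrase: str, counter: int, payload: bytes) -> bytes:
    """Sender side: only a tag derived from the phrase goes on the wire."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(phrase.encode("ascii"), header + payload, hashlib.md5).digest()
    return header + payload + tag


class Receiver:
    """Verifies frames with the shared phrase and rejects stale counters."""

    def __init__(self, phrase: str):
        if not valid_phrase(phrase):
            raise ValueError("phrase must be 15 to 32 ASCII characters")
        self.key = phrase.encode("ascii")
        self.last_counter = -1   # highest counter accepted so far

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < CTR_LEN + TAG_LEN:
            raise ValueError("short frame")
        header = frame[:CTR_LEN]
        payload = frame[CTR_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.md5).digest()
        # Constant-time comparison: a wrong phrase or any altered byte fails here.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        (counter,) = struct.unpack(">Q", header)
        # Freshness is checked only after the tag, so an unauthenticated
        # frame can never advance the receiver's counter.
        if counter <= self.last_counter:
            raise ValueError("replayed frame")
        self.last_counter = counter
        return payload


def outcome(receiver: Receiver, frame: bytes) -> str:
    """Return 'accepted' or the reason the receiver rejected the frame."""
    try:
        receiver.accept(frame)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    phrase = "constructed sample phrase"           # constructed value
    payload = b"status=on-battery"                 # constructed payload
    rx = Receiver(phrase)
    good = sign(phrase, 1, payload)
    forged = bytearray(sign(phrase, 2, payload))
    forged[CTR_LEN] ^= 0x01                        # one payload bit flipped in transit
    return {
        "phrase_on_wire": phrase.encode("ascii") in good,
        "genuine": outcome(rx, good),
        "replayed": outcome(rx, good),
        "tampered": outcome(rx, bytes(forged)),
        "wrong_phrase": outcome(rx, sign("another constructed phrase", 3, payload)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```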


PowerChute Network Shutdown – Communication/Access Model

The diagram below represents the access points to PowerChute Network Shutdown and its communication paths with external components such as VMware vCenter Server and VMware Hosts. PowerChute is primarily accessed via a secure HTTPS connection using a supported Web Browser (for the latest browser details, please see http://www.apc.com/whitepaper/?um=200).

PowerChute also communicates with external VMware components using a secure HTTPS connection.

PowerChute uses a self-signed SSL Certificate by default that has a 2048-bit RSA public key and uses the SHA-1 Signature Hash Algorithm. From PowerChute Network Shutdown v4.0, SSL 3.0 access is no longer permitted. TLS 1.0, 1.1 and 1.2 are supported. The default self-signed cert can be replaced (See Appendix A for detailed instructions).

PowerChute communicates with the Network Management Card using HTTP/HTTPS for registration and control tasks. It receives status updates from the UPS/NMC via UDP packets sent to port 3052. For more information on how to harden security for PowerChute and the NMC please refer to Appendix B.

PowerChute stores configuration information on the local file system using the pcnsconfig.ini file and user credentials using the m11.cfg file.

The Software Updates Notification feature is enabled by default and PowerChute communicates with the Update Server using a secure HTTPS connection. The Updates Server uses an SSL cert that has been signed using a Trusted 3rd Party Root Certification Authority.

Java Runtime Environment (JRE)

JRE Utilization
A JRE must be installed on the system to allow PowerChute Network Shutdown to operate. PowerChute is shipped with an up-to-date private JRE as each new PowerChute version is released.

The PowerChute installer also provides the option to select a valid public JRE instead of the private bundled JRE. Using the public JRE reduces the amount of disk space required, and makes use of Java updates to ensure that the latest security patches are automatically applied.

If users choose the private JRE, then PowerChute Network Shutdown will install the JRE version bundled with the product.

If the user opts for the public JRE:

• On Windows operating systems, PowerChute will attempt to auto-detect the JRE - if there are multiple system JRE versions installed the latest version will be used.
• On Unix/Linux operating systems, PowerChute will use the JRE that is located in the path specified by the user.

For more information on JRE versions included with and supported by PowerChute Network Shutdown, please refer to the ‘Operating System, Processor, JRE and Browser Compatibility Chart’ available from the APC website at: http://www.apc.com/whitepaper/?um=200

Secure Backup Recommendations

INI File
All configuration settings applied via the PowerChute Setup Wizard and User Interface are stored on the local file system using the pcnsconfig.ini file. It is recommended to save a copy of this file as a backup.

User Credentials are stored using the m11.cfg and are encrypted using AES-128 bit encryption. User credentials can be restored via the pcnsconfig.ini file.

Vulnerability Reporting & Management


How to report a Vulnerability
Cyber security incidents and potential vulnerabilities can be reported to Schneider Electric using the following link: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/contact-form.page.

Security Updates and Notifications

Product Center Page
The Product Center Page is accessible via the Help menu in the PowerChute UI and contains links to important Knowledge Base articles.

Update Notifications
If a security vulnerability is detected in PowerChute that requires a software update, a notification will be sent via the Update Notifications feature providing a web link from where the update can be downloaded. Software updates must be applied manually.

Knowledge Base
Security Bulletins in relation to known vulnerabilities are published on the Schneider Electric Knowledge Base.

Appendix A – Replacing the Default PowerChute SSL Certificate


Windows
Changing the password for the Java Keystore.
PowerChute stores the Web Interface SSL certs in a java keystore file located in C:\Program Files\APC\PowerChute\group1\keystore.

To change the password for the keystore:

1. Stop the PowerChute service via the services console or using the command “net stop pcns1”.
2. Open C:\Program Files\APC\PowerChute\group1\pcnsconfig.ini.
3. In the section [NetworkManagementCard] add the line KeystorePassword = your_password
(your_password can be replaced with a password of your choice. It must be at least 6 characters).
4. Start the PCNS service via the services console or using the command “net start pcns1”.
5. Verify that the keystore password has been changed:
a) Open a command prompt window and change directory to C:\Program Files\APC\PowerChute\group1
b) Type "<path_to_jre>\bin\keytool.exe" -list -v -keystore keystore.
c) Enter the password you specified in step 3 when prompted.
d) Verify the keystore contents are displayed without error. (<path_to_jre> is the location of the
public JRE or C:\Program Files\APC\PowerChute\jre_x64|jre_x32 if private JRE was selected
during the installation)

Create a new Keystore for the trusted SSL cert.

1. Stop the PowerChute service.
2. Delete the existing keystore file - C:\Program Files\APC\PowerChute\group1\keystore.
3. Open a command prompt and change directory to C:\Program Files\APC\PowerChute\group1.
4. Type "<path_to_jre>\bin\keytool.exe" -genkey -alias securekey -keyalg RSA -keystore keystore -keysize 2048
and press return.
5. Use the same password that was specified in step 3 in section “Changing the password for the Java Keystore”.
6. Verify that the file keystore now exists in the group1 folder.

Create a certificate signing request and a new SSL cert signed by a Trusted CA
1. Type the command “<path_to_jre>\bin\keytool.exe -certreq -alias securekey -keystore keystore -file
newpowerchute.csr” and press Enter.
2. Enter the required values when prompted – the first value must match the hostname or FQDN (Fully
Qualified Domain Name) of the server where PowerChute is installed. The other values you enter may
need to match the values present on the CA. Some values are required by the CA whereas others may be
optional. This depends on the CA configuration.
3. Use the .CSR file to create a new certificate signed by the Trusted CA. This process will depend on the
Trusted CA software being used e.g. for OpenSSL on Windows:
openssl.exe ca -cert rootca.crt -keyfile rootca.key -out newpowerchute.crt -config openssl.cfg -infiles newpowerchute.csr
a) rootca.crt – This is the root CA certificate created when creating the CA.
b) rootca.key – Private key file created when setting up the CA.
c) newpowerchute.crt – This is the new SSL cert that will be created and signed for use on the
PowerChute Web Interface.
d) openssl.cfg – This is the OpenSSL configuration file.
e) newpowerchute.csr – This is the file created in step 1.

NOTE: The openssl command used to generate the new signed cert is an example based on
OpenSSL-Win32.



Import the Root CA and Web Server SSL certs to the PowerChute Keystore
1. Copy rootca.crt and newpowerchute.crt to the machine where PowerChute is installed.
2. Stop the PCNS service.
3. Open a command prompt and change directory to C:\Program Files\APC\PowerChute\group1 folder.
4. Import the root CA cert using the command: <path_to_jre>\bin\keytool.exe -import -trustcacerts -alias root
-file rootca.crt -keystore PowerChute-keystore
5. Import the Web Server SSL cert using the command: <path_to_jre>\bin\keytool.exe -import -trustcacerts
-alias securekey -file newpowerchute.crt -keystore PowerChute-keystore
6. Import the root CA cert to the internet browser on all machines that will be used to access the PowerChute
User Interface.
7. Start the PCNS service.
8. PowerChute should be using the new signed certificate and there should not be an SSL Cert security
warning displayed by the browser when the PowerChute Web Interface is launched.

Linux/Unix
Changing the password for the Java Keystore.
PowerChute stores the Web Interface SSL certs in a java keystore file located in
/opt/APC/PowerChute/group1/keystore.

To change the password for the keystore:

1. Stop the PowerChute service using the command “service PowerChute stop”.
2. Open /opt/APC/PowerChute/group1/pcnsconfig.ini.
3. In the section [NetworkManagementCard] add the line KeystorePassword = your_password (your_password
can be replaced with a password of your choice. It must be at least 6 characters).
4. Start the PowerChute service using the command “service PowerChute start”.
5. Verify that the keystore password has been changed:
a) Open a command prompt window and change directory to /opt/APC/PowerChute/group1
b) Type <path_to_jre>/bin/keytool -list -v -keystore keystore.
c) Enter the password you specified in step 3 when prompted.
d) Verify the keystore contents are displayed without error. (<path_to_jre> is the location of the public
JRE or /opt/APC/PowerChute/group1/jre_x64|jre_x32 if private JRE was selected during the
installation)

Create a new Keystore for the trusted SSL cert

1. Stop the PowerChute service.
2. Delete the existing keystore file - /opt/APC/PowerChute/group1/keystore
3. Open a command prompt and change directory to /opt/APC/PowerChute/group1.
4. Type “<path_to_jre>/bin/keytool -genkey -alias securekey -keyalg RSA -keystore keystore -keysize
2048” and press return.
5. Use the same password that was specified in step 3 in section “Changing the password for the Java
Keystore”.
6. Verify that the file keystore now exists in the group1 folder.



Create a certificate signing request and a new SSL cert signed by a Trusted CA
1. Type the command “<path_to_jre>/bin/keytool -certreq -alias securekey -keystore keystore -file
newpowerchute.csr” and press Enter.
2. Enter the required values when prompted – the first value must match the hostname or FQDN (Fully
Qualified Domain Name) of the server where PowerChute is installed. The other values you enter may
need to match the values present on the CA. Some values are required by the CA whereas others may be
optional. This depends on the CA configuration.
3. Use the .CSR file to create a new certificate signed by the Trusted CA. This process will depend on the
Trusted CA software being used.

Import the Root CA and Web Server SSL certs to the PowerChute Keystore

1. Copy rootca.crt and newpowerchute.crt to the machine where PowerChute is installed.
2. Stop the PCNS service.
3. Open a command prompt and change directory to /opt/APC/PowerChute/group1 folder.
4. Import the root CA cert using the command: <path_to_jre>/bin/keytool -import -trustcacerts -alias root
-file rootca.crt -keystore keystore
5. Import the Web Server SSL cert using the command: <path_to_jre>/bin/keytool -import -trustcacerts
-alias securekey -file newpowerchute.crt -keystore keystore
6. Import the root CA cert to the internet browser on all machines that will be used to access the
PowerChute User Interface.
7. Start the PCNS service.
8. PowerChute should be using the new signed certificate and there should not be an SSL Cert security
warning displayed by the browser when the PowerChute Web Interface is launched.

Note
If using Microsoft Active Directory Certificate Services and you see error “keytool error:
java.lang.Exception: Incomplete certificate chain in reply” please see the following post:

What do I do when keytool.exe can't establish a certificate chain from my certs?


Appendix B – Security Hardening for PowerChute and Network Management Card


Recommended configuration changes to increase security for PowerChute communication
with the Network Management Card.

Network Management Card

1. Change the default Authentication Phrase via Configuration->Shutdown->PowerChute Shutdown
Parameters.
2. Disable HTTP and enable HTTPS via Configuration->Network->Web->Access.
3. Create a new SSL certificate for the Network Management Card using the APC Network Management
Card Security Wizard v1.0.4. Please refer to these manuals for more information.
4. Replace the default self-signed SSL certificate with the new one via Configuration->Network->Web->SSL
Certificate.
5. Please see the Security Guides for the Network Management Cards for more information on how to
secure them – available here.

PowerChute Network Shutdown

1. Import the Network Management Card SSL certificate to the PowerChute-Keystore using the command:
<path_to_jre>\bin\keytool.exe -import -trustcacerts -alias root -file nmc.crt -keystore PowerChute-keystore.
Re-start the PowerChute service after importing the NMC SSL Certificate.
2. During the Setup Wizard, on the Network Management Card connection page, change the protocol to
HTTPS and port to 443. Disable the option “Accept Untrusted SSL Certs”.
3. Replace the default self-signed SSL certificate for the PowerChute UI using the instructions in Appendix
A.
4. Change the default password for the CACERTS keystore located in the group1 folder using the command:
keytool.exe -storepasswd -new <new password> -keystore cacerts -storepass changeit.
5. Ensure that the file permissions set for the group1 folder and its contents allow read/write access only for
trusted users and LocalSystem account on Windows and root account on Linux/Unix.
6. Prevent Remote Access to the Web UI if this is not required using a firewall rule for TCP ports 3052 and
6547. To prevent Denial of Service attacks such as the SSL THC DOS attack these ports should be
blocked and we do not recommend allowing access to PowerChute on a public facing network interface.
Additionally the firewall should prevent inbound communication with UDP port 3052 except for the
Network Management Card that PowerChute is communicating with.
7. If using a public JRE with PowerChute this should be updated regularly as software updates and security
fixes are released. Alternatively PowerChute can be configured to use a private JRE.
8. If using SNMP with PowerChute, it is recommended to only use SNMP v3 and to choose SHA-2 and AES-
128 or higher for Authentication and Privacy. Please refer to APC Knowledge Base Article FA290630 for
more information on how to enable support for AES-192 and AES-256. Access Control should also be
configured to restrict access to PowerChute via SNMP.
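
Step 5 above, together with the earlier advice to limit write access to pcnsconfig.ini, can be checked on Linux/Unix with a short audit of the group1 folder. This is an added example, not part of the APC note: the function name, the trusted-UID parameter and the policy of reporting any group or other read/write bit are assumptions.

```python
import os
import stat

GROUP1 = "/opt/APC/PowerChute/group1"   # Linux/Unix install path from Appendix A


def audit_group1(path=GROUP1, trusted_uids=(0,)):
    """Return sorted (relative_path, problem) pairs for the folder and its contents.

    Assumed policy: every entry is owned by a trusted UID (root by default)
    and carries no read or write bit for group or other.
    """
    entries = [path]
    for root, dirs, files in os.walk(path):
        entries += [os.path.join(root, name) for name in dirs + files]

    findings = []
    for entry in entries:
        st = os.lstat(entry)                     # lstat: do not follow symlinks
        rel = os.path.relpath(entry, path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink, target not audited"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((rel, "owner uid %d is not trusted" % st.st_uid))
        loose = stat.S_IMODE(st.st_mode) & 0o066  # group/other read and write bits
        if loose & 0o022:
            findings.append((rel, "writable by group/other"))
        elif loose:
            findings.append((rel, "readable by group/other"))
    return sorted(findings)


if __name__ == "__main__":
    if not os.path.isdir(GROUP1):
        print("%s not found on this host" % GROUP1)
    else:
        for rel, problem in audit_group1():
            print("%s: %s" % (rel, problem))
```

An empty result means the folder, pcnsconfig.ini, m11.cfg and both keystores are reachable only by the listed owner UIDs.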
