APC Application Note 144 - PowerChute™ Network Shutdown Security Features & Deployment
ABSTRACT
PowerChute™ Network Shutdown (PowerChute) software works in conjunction with the UPS Network Management Card (NMC) to provide graceful, unattended shutdown of multiple IT systems over a network.
Connectivity

PowerChute Access

The PowerChute user interface is accessible via a web browser and supports TLS v1.0 and above which provides authentication and encrypted communication for sensitive communications.

If enabled and configured, PowerChute can be accessed via SNMP v1 or v3. It is recommended to use SNMP v3 only as this provides Authentication, Privacy and Access Control.

PowerChute supports MD5/SHA-1/SHA-2 for Authentication and DES/AES-128/AES-192/AES-256 for Privacy when using SNMP v3.

Note: Support for SSL v3 has been removed from PowerChute Network Shutdown v4.0 due to reported security issues with that protocol.

PowerChute Network Shutdown provides secured browser access via HTTPS as default to ensure that communication via the web interface is secure and cannot be interpreted. Users do have the option to select HTTP but this is not recommended for secure deployment.

PowerChute uses a self-signed SSL Certificate by default that has a 2048-bit RSA public key and uses the SHA-1 Signature Hash Algorithm.

Please see Appendix A for details on how to replace SSL certificates for Windows and Linux.

Network Management Card Connection

The UPS Network Management Card (NMC) provides an interface between your APC UPS and your network. The NMC uses the HTTP protocol by default. This can be changed to HTTPS through the NMC user interface. The default port is 80 for HTTP, and 443 for HTTPS. Do not change this number unless you changed the port being used by your NMC.

Based on the NMC protocol used, you can select either HTTP or HTTPS in PowerChute. This can be changed via the PowerChute setup wizard following installation if required on the UPS Details screen.

The NMC uses a self-signed SSL certificate by default when HTTPS is enabled. You need to enable "Accept Untrusted SSL Certificates" to allow PowerChute to establish communication with the NMC if a self-signed cert is being used by the NMC.

The NMC sends UPS information to PowerChute Network Shutdown via UDP packets which are limited to a few hundred bytes.

For a detailed description on how UPS information is sent over the network and how PowerChute receives NMC updates, please see Application Note #20 “The Communications Process of PowerChute Network Shutdown”.

©2016 Schneider Electric. All Rights Reserved. Schneider Electric and APC are trademarks owned by Schneider Electric Industries SAS or its affiliated companies. All other trademarks are property of their respective owners.
December 2016
Authentication

PowerChute User Interface

During the initial PowerChute setup using the PowerChute Setup Wizard, you must enter a User Name, Password and Authentication Phrase. The User Name and Password will be used to log on to the PowerChute UI.

The User Name and Authentication Phrase are used for authentication between PowerChute and the Network Management Card and therefore they must match. The passwords used in PowerChute and the NMC can be different.

Password Recommendations

Upon launching the PowerChute Setup Wizard, the Username, Password and Authentication Phrase can be set via the Security Details page. Password complexity is not enforced though setting a password with a minimum of 8 characters comprising numbers, letters and at least one special character is recommended. It is also advised to change the password on a regular basis e.g. every 90 days.

The Username, Password and Authentication phrase are all stored using AES-128 bit encryption. Prior to executing the Setup Wizard the default Authentication Phrase should be changed on each Network Management Card that PowerChute will communicate with. The Username, Password and Authentication Phrase can be reset via the pcnsconfig.ini file. Therefore only trusted user accounts should be granted write-access to this file.

Account Lock-Out

PowerChute will automatically “lock out” after three unsuccessful log-in attempts (incorrect User ID and/or Password) to prevent remote password cracking. Each lockout is logged to the Event log and the UI is inaccessible for two minutes and displays “Account is locked out”.

User Control

PowerChute allows you to create one administrator account only. This account has a unique log-in user name and password enabling full read/write access. Only one session of PowerChute can be active at any time therefore, users will not be able to log on to the same PowerChute Agent from multiple machines simultaneously.

NMC Connection

The communications mechanism between the NMC and PowerChute Network Shutdown uses an MD5-based authentication scheme (Hash-based Message Authentication Code), which has the goals of:

- Ensuring that the password is never sent in plain text.
- Proving that the sender of a message is an authentic user as only those with knowledge of the password phrase can send valid messages.
- Detecting if a message has been tampered with in transit.
- Detecting if a message is being replayed.

The Authentication Phrase must be between 15 and 32 ASCII characters.

A well configured firewall and solid security policy is integral to the security of any network as this does not guarantee:

- That all data is encrypted.
- That a brute-force attack will fail to determine the password phrase.
- Prevention of most Denial of Service attacks.

External User Credentials

When VMware support is enabled and PowerChute is configured to protect Hosts that are managed by vCenter Server a username and password are required. These details are stored in PowerChute using AES-128 bit encryption. The VMware user account requires certain permissions in order to execute Virtualization Tasks – for a listing of the required permissions for this account please refer to FA177822 in the Schneider Electric Knowledge Base. A service account can be created in vSphere with only the required permissions instead of assigning the Administrator Role to this account – this is considered more secure. For more information on configuring vCenter Server accounts in PowerChute please refer to the Application Note #180 – “PowerChute Network Shutdown for VMware”
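
The four goals listed under NMC Connection can be seen in a generic HMAC-MD5 exchange. This is an added example, not APC's code and not the NMC wire format: the message layout, the sequence counter used for replay detection, the user name and the phrases are constructed for illustration.

```python
import hashlib
import hmac
import json

def phrase_key(phrase: str) -> bytes:
    # Page rule: the Authentication Phrase is 15 to 32 ASCII characters.
    if not phrase.isascii() or not 15 <= len(phrase) <= 32:
        raise ValueError("phrase must be 15-32 ASCII characters")
    return phrase.encode("ascii")

def tag_for(key: bytes, user: str, seq: int, payload: str) -> str:
    # Canonical encoding so sender and receiver hash identical bytes.
    body = json.dumps({"user": user, "seq": seq, "payload": payload}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.md5).hexdigest()

def sign(user: str, phrase: str, seq: int, payload: str) -> dict:
    # The message carries the tag, never the phrase itself.
    return {"user": user, "seq": seq, "payload": payload,
            "tag": tag_for(phrase_key(phrase), user, seq, payload)}

class Receiver:
    """Holds the shared phrase and the highest sequence number accepted so far."""

    def __init__(self, user: str, phrase: str):
        self.user, self.key, self.last_seq = user, phrase_key(phrase), 0

    def accept(self, msg: dict) -> str:
        expected = tag_for(self.key, self.user, msg["seq"], msg["payload"])
        # Constant-time comparison; a wrong phrase or an altered field both fail here.
        if msg["user"] != self.user or not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"
        if msg["seq"] <= self.last_seq:  # same or older counter value: replayed message
            return "rejected: replay"
        self.last_seq = msg["seq"]
        return "accepted"

def demo() -> list:
    phrase = "constructed phrase 01"  # constructed sample, not a real credential
    rx = Receiver("pcns-user", phrase)
    good = sign("pcns-user", phrase, 1, "ups=on-battery")
    tampered = dict(good, payload="ups=online")
    wrong_phrase = sign("pcns-user", "some other phrase!!", 2, "ups=online")
    results = [rx.accept(m) for m in (tampered, good, good, wrong_phrase)]
    # The payload is readable on the wire: authentication is not encryption.
    return results + ["ups=on-battery" in json.dumps(good), phrase in json.dumps(good)]

if __name__ == "__main__":
    print(demo())
```

The last two values returned by `demo()` show the limit the note itself states: the payload travels in clear text even though the phrase does not.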
The diagram below represents the access points to PowerChute Network Shutdown and its communication paths with external components such as VMware vCenter Server and VMware Hosts. PowerChute is primarily accessed via a secure HTTPS connection using a supported Web Browser (for the latest browser details, please see http://www.apc.com/whitepaper/?um=200).

PowerChute also communicates with external VMware components using a secure HTTPS connection.

PowerChute uses a self-signed SSL Certificate by default that has a 2048-bit RSA public key and uses the SHA-1 Signature Hash Algorithm. From PowerChute Network Shutdown v4.0, SSL 3.0 access is no longer permitted. TLS 1.0, 1.1 and 1.2 are supported. The default self-signed cert can be replaced (See Appendix A for detailed instructions).

PowerChute communicates with the Network Management Card using HTTP/HTTPS for registration and control tasks. It receives status updates from the UPS/NMC via UDP packets sent to port 3052. For more information on how to harden security for PowerChute and the NMC please refer to Appendix B.

PowerChute stores configuration information on the local file system using the pcnsconfig.ini file and user credentials using the m11.cfg file.

The Software Updates Notification feature is enabled by default and PowerChute communicates with the Update Server using a secure HTTPS connection. The Updates Server uses an SSL cert that has been signed using a Trusted 3rd Party Root Certification Authority.
If users choose the private JRE, then PowerChute
Network Shutdown will install the JRE version
bundled with the product.
For more information on JRE versions included
with and supported by PowerChute Network
Shutdown, please refer to the ‘Operating System,
Processor, JRE and Browser Compatibility Chart’
available from the APC website at:
http://www.apc.com/whitepaper/?um=200
downloaded. Software updates must be applied
manually.
Knowledge Base
Security Bulletins in relation to known
vulnerabilities are published on the Schneider
Electric Knowledge Base.
a) Open a command prompt window and change directory to C:\Program
Files\APC\PowerChute\group1
b) Type "<path_to_jre>\bin\keytool.exe" -list -v -keystore keystore.
c) Enter the password you specified in step 3 when prompted.
d) Verify the keystore contents are displayed without error. (<path_to_jre> is the location of the
public JRE or C:\Program Files\APC\PowerChute\jre_x64|jre_x32 if private JRE was selected
during the installation)
and press return.
5. Use the same password that was specified in step 3 in section “Changing the password for the Java Keystore”.
6. Verify that the file keystore now exists in the group1 folder.
Create a certificate signing request and a new SSL cert signed by a Trusted CA
1. Type the command “<path_to_jre>\bin\keytool.exe -certreq -alias securekey -keystore keystore -file newpowerchute.csr” and press Enter.
2. Enter the required values when prompted – the first value must match the hostname or FQDN (Fully
Qualified Domain Name) of the server where PowerChute is installed. The other values you enter may
need to match the values present on the CA. Some values are required by the CA whereas others may be
optional. This depends on the CA configuration.
3. Use the .CSR file to create a new certificate signed by the Trusted CA. This process will depend on the
Trusted CA software being used e.g. for OpenSSL on Windows:
a) Openssl.exe ca -cert rootca.crt -keyfile rootca.key -out newpowerchute.crt -config openssl.cfg -infiles newpowerchute.csr
b) rootca.crt – This is the root CA certificate created when creating the CA.
c) rootca.key – Private key file created when setting up the CA.
d) newpowerchute.crt – This is the new SSL cert that will be created and signed for use on the PowerChute Web Interface.
e) Openssl.cfg – This is the OpenSSL configuration file.
f) newpowerchute.csr – This is the file created in step 1.
NOTE: The openssl command used to generate the new signed cert is an example based on
OpenSSL-Win32.
Linux/Unix
Changing the password for the Java Keystore.
PowerChute stores the Web Interface SSL certs in a java keystore file located in
/opt/APC/PowerChute/group1/keystore.
5. Verify that the keystore password has been changed:
a) Open a command prompt window and change directory to /opt/APC/PowerChute/group1
b) Type <path_to_jre>/bin/keytool -list -v -keystore keystore.
c) Enter the password you specified in step 3 when prompted.
d) Verify the keystore contents are displayed without error. (<path_to_jre> is the location of the public
JRE or /opt/APC/PowerChute/group1/jre_x64|jre_x32 if private JRE was selected during the
installation)
Import the Root CA and Web Server SSL certs to the PowerChute Keystore
1. Copy rootca.crt and newpowerchute.crt to the machine where PowerChute is installed.
2. Stop the PCNS service.
3. Open a command prompt and change directory to /opt/APC/PowerChute/group1 folder.
4. Import the root CA cert using the command: <path_to_jre>/bin/keytool -import -trustcacerts -alias root -file rootca.crt -keystore keystore
5. Import the Web Server SSL cert using the command: <path_to_jre>/bin/keytool -import -trustcacerts -alias securekey -file newpowerchute.crt -keystore keystore
6. Import the root CA cert to the internet browser on all machines that will be used to access the
PowerChute User Interface.
7. Start the PCNS service.
8. PowerChute should be using the new signed certificate and there should not be an SSL Cert security
warning displayed by the browser when the PowerChute Web Interface is launched.
Note
If using Microsoft Active Directory Certificate Services and you see error “keytool error:
java.lang.Exception: Incomplete certificate chain in reply” please see the following post:
secure them – available here.
1. Import the Network Management Card SSL certificate to the PowerChute-Keystore using the command:
<path_to_jre>\bin\keytool.exe -import -trustcacerts -alias root -file nmc.crt -keystore PowerChute-keystore.
Re-start the PowerChute service after importing the NMC SSL Certificate.
2. During the Setup Wizard, on the Network Management Card connection page, change the protocol to
HTTPS and port to 443. Disable the option “Accept Untrusted SSL Certs”.
3. Replace the default self-signed SSL certificate for the PowerChute UI using the instructions in Appendix
A.
4. Change the default password for the CACERTS keystore located in the group1 folder using the command:
keytool.exe -storepasswd -new <new password> -keystore cacerts -storepass changeit.
5. Ensure that the file permissions set for the group1 folder and its contents allow read/write access only for
trusted users and LocalSystem account on Windows and root account on Linux/Unix.
6. Prevent Remote Access to the Web UI if this is not required using a firewall rule for TCP ports 3052 and
6547. To prevent Denial of Service attacks such as the SSL THC DOS attack these ports should be
blocked and we do not recommend allowing access to PowerChute on a public facing network interface.
Additionally the firewall should prevent inbound communication with UDP port 3052 except for the
Network Management Card that PowerChute is communicating with.
7. If using a public JRE with PowerChute this should be updated regularly as software updates and security
fixes are released. Alternatively PowerChute can be configured to use a private JRE.
8. If using SNMP with PowerChute, it is recommended to only use SNMP v3 and to choose SHA-2 and AES-
128 or higher for Authentication and Privacy. Please refer to APC Knowledge Base Article FA290630 for
more information on how to enable support for AES-192 and AES-256. Access Control should also be
configured to restrict access to PowerChute via SNMP.
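
One way to check step 5 on Linux/Unix, as an added example that is not APC tooling: it walks the group1 folder and reports every entry that group or other accounts can read or write, or that an untrusted account owns. The function name and the `trusted_uids` parameter are assumptions made for this illustration; the install path is the one given in Appendix A.

```python
import os
import stat

def audit_group1(folder: str, trusted_uids=(0,)) -> list:
    """Return (relative path, octal mode, problems) for each entry that breaks step 5."""
    findings = []
    paths = [folder]
    for root, dirs, files in os.walk(folder):
        paths += [os.path.join(root, name) for name in dirs + files]
    for path in paths:
        st = os.lstat(path)  # lstat: report on a symlink itself, do not follow it
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if st.st_uid not in trusted_uids:
            problems.append("owner uid %d is not trusted" % st.st_uid)
        if stat.S_ISLNK(st.st_mode):
            # Link mode bits carry no meaning; the target needs a manual look.
            problems.append("symbolic link, check its target")
        else:
            if mode & 0o022:
                problems.append("writable by group/other")
            if mode & 0o044:
                problems.append("readable by group/other")
        if problems:
            findings.append((os.path.relpath(path, folder), oct(mode), problems))
    return findings

if __name__ == "__main__":
    target = "/opt/APC/PowerChute/group1"  # Linux install path from Appendix A
    if os.path.isdir(target):
        for rel, mode, problems in audit_group1(target):
            print(rel, mode, "; ".join(problems))
```

By default only root (UID 0) counts as trusted; pass additional UIDs for any other account that is meant to administer PowerChute.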