TOE127.0.0.1
127.0.0.1 时间:2021-05-19 阅读:()
CommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEditionPublishedWednesday,22August20123.
0EditionCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEditionCopyright2012CitrixSystems.
Inc.
AllRightsReserved.
Citrix,Inc.
851WestCypressCreekRoadFortLauderdale,FL33309UnitedStatesofAmericaDisclaimersThisdocumentisfurnished"ASIS.
"Citrix,Inc.
disclaimsallwarrantiesregardingthecontentsofthisdocument,including,butnotlimitedto,impliedwarrantiesofmerchantabilityandfitnessforanyparticularpurpose.
Thisdocumentmaycontaintechnicalorotherinaccuraciesortypographicalerrors.
Citrix,Inc.
reservestherighttorevisetheinformationinthisdocumentatanytimewithoutnotice.
ThisdocumentandthesoftwaredescribedinthisdocumentconstituteconfidentialinformationofCitrix,Inc.
anditslicensors,andarefurnishedunderalicensefromCitrix,Inc.
CitrixSystems,Inc.
,theCitrixlogo,CitrixXenServerandCitrixXenCenteraretrademarksofCitrixSystems,Inc.
and/oroneormoreofitssubsidiaries,andmayberegisteredintheUnitedStatesPatentandTrademarkOfficeandinothercountries.
Allothertrademarksandregisteredtrademarksarepropertyoftheirrespectiveowners.
TrademarksCitrixXenServerXenCenterPublished:22August2012iiiContents1.
AboutthisGuide12.
Hardware32.
1.
Inventory32.
2.
SecuringHardware33.
Software43.
1.
ConfiguringXenCenter43.
1.
1.
InitialInstallation43.
1.
2.
Post-InstallationConfigurationProcedures43.
2.
ConfiguringtheCitrixLicenseServer43.
2.
1.
InitialInstallation43.
2.
2.
PostInstallationConfigurationProcedures53.
3.
ConfiguringNetworkStorage(NFS)53.
4.
ConfiguringNetworkTimeProtocol(NTP)54.
ConfiguringaXenServerHost64.
1.
BeforeInstallingXenServer64.
2.
InstallingXenServer64.
3.
ManagingSSLCertificates64.
3.
1.
InstallingtheTrustedCACertificate64.
3.
2.
GeneratingHostCertificates74.
4.
CreatingaXenServerPool74.
5.
NetworkConfiguration84.
5.
1.
ConfiguringtheStorageNetwork84.
6.
StorageConfiguration84.
6.
1.
AddingaVHDonNFSSR84.
6.
2.
RegisteringaDefaultSR94.
6.
3.
AddinganISOonNFSSR9A.
OpenSSLConfiguration10B.
FirewallConfiguration11ivB.
1.
ManagementNetworkFirewall11B.
2.
StorageNetworkFirewall11B.
3.
GuestNetworkFirewall111Chapter1.
AboutthisGuideThisCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEdition,describestherequirementsandproceduresforinstallingandconfiguringCitrixXenServerinaccordancewiththeCommonCriteriaevaluateddeployment.
IfyoursecurityrequirementsandpoliciesrequireyoutodeployCitrixXenServer6.
0.
2tomatchtheCommonCriteriaTargetofEvaluationconfiguration,followtheproceduresinthisguideexactly.
GlossaryCAX.
509CertificationAuthority,seeRFC5280CCCommonCriteriaCLICommandLineInterfaceCNCommonName,seeRFC5280CSRCertificateSigningRequest,seePKCS#10DNSDomainNameSystemEPTExtendedPageTablesFQDNFullyQualifiedDomainNameHCLHardwareCompatibilityListIPInternetProtocolNFSNetworkFileSystemNICNetworkInterfaceControllerNTPNetworkTimeProtocol,seeRFC1305PBDPhysicalBlockDevicePIFPhysicalInterfacePXEPrebooteXecutionEnvironmentRPCRemoteProcedureCallSANSubjectAlternativeName,seeRFC5280SARSecurityAssuranceRequirementSFRSecurityFunctionalRequirementSRStorageRepositorySTSecurityTargetSSLSecureSocketLayerUUIDUniversallyUniqueIdentifier2TOETargetofEvaluationVIFVirtualInterfaceVMVirtualMachineVT-xVirtualizationTechnologyforx86ProcessorsReferences[XSInstall]CitrixXenServerInstallationGuide,6.
0.
1.
1Edition.
[CTXLIC]CitrixLicensing.
http://support.
citrix.
com/proddocs/topic/technologies/lic-library-node-wrapper.
html.
[XSCCST]CommonCriteriaSecurityTargetforCitrixXenServer6.
0.
2,PlatinumEditionCIN8-ST-0001.
Version1.
0.
[CCXSAdmin]CommonCriteriaAdministrator'sGuideforCitrixXenServer6.
0.
2,PlatinumEdition.
1.
0Edition.
[XSAdmin]CitrixXenServerAdministrator'sGuide6.
0.
1.
1Edition.
3Chapter2.
HardwareImportant:ThehardwareselectedforusemustbecertifiedandsupportedforusewithXenServer.
RefertotheXenServerHardwareCompatibilityList(HCL)athttp://citrix.
com/xenserver/cc-hclfordetails.
ForCommonCriteriapurposes,theXenServer6.
0.
2HCLapplieswiththeadditionalrestrictionthat:Eachservermustcontainatleast2CPUcores.
OnlyIntel64-bit-capableCPUswithbothVT-xandEPTcapabilitiesaresupported.
Eachservermustcontainatleast3NICs.
2.
1.
InventoryServersAtleast2,amaximumof16,serverssatisfyingthelimitationsoftheTOEasfoundin[XSCCST].
StorageNetworkattachedstorageofferingNFSstorage,asdefinedintheTOE([XSCCST]).
NetworkAnynetworkconfigurationwithinthelimitsoftheTOEasfoundin[XSCCST].
Note:Thehosthardwareconfigurationinfluenceshowtheinstalledsystemwillauto-configure.
Fortheevaluatedconfiguration,thehardwareshouldbesetupasfollows:NIC0-ManagementNetworkNIC1-StorageNetworkNIC2.
.
.
NICN-OneormorefurtherNICsmustbeaddedasrequiredtocreateGuestNetworks2.
2.
SecuringHardwareThehardwaremustbesecuredasdescribedin[XSCCST]sectionSecurityObjectivesfortheOperationalEnvironment,specificallyOE.
Secure_Resource,OE.
Secure_Keys,OE.
Separate_Networks.
4Chapter3.
SoftwareTheevaluatedconfigurationasdescribedin[XSCCST]includestheXenCenterclientasamanagementconsole,althoughXenCenterisnotincludedintheTOEandisnotreliedupontoimplementanysecurityfunctions.
WhenXenCenterisusedastheclient,theCC-specificversionmustbeused(availableontheCCISO).
ThestandardversionofXenCenterwouldprovidenotificationsofupdatesthatarenotapplicabletotheXenServerCCversion,whichmaycauseanadministratortotakeitoutoftheEvaluatedConfiguration.
TheCCversionofXenCenterdoesnotprovidethesenotifications.
UsersshouldmonitortheCitrixSupportsite,http://support.
citrix.
com/6.
0.
2[**URLtobeconfirmed**],forupdatesthatareapplicablespecificallytotheXenServerCCversion.
3.
1.
ConfiguringXenCenterTheclientusedforthemanagementofXenServermustverifypresentedSSLcertificates.
TodothisusingCitrixXenCenter,executethefollowingprocedure.
3.
1.
1.
InitialInstallationPleaserefertothestepsinthesectioncalled"InstallingXenCenter"([XSInstall]).
3.
1.
2.
Post-InstallationConfigurationProcedures1.
OntheToolsmenu,selectOptions.
ThisdisplaystheOptionsdialog.
2.
Inthelefthandpane,selectSecurity.
3.
SelecttheoptionsWarnmewhenanewSSLcertificateisfoundandWarnmewhenanSSLcertificatechanges.
4.
ClickOKtoclosethedialog.
Note:IfyouuseXenCenterfortheCommonCriteriaconfiguration,itispossibletostoreyourlogincredentials.
TheusernameandpasswordforallmanagedserverscanbestoredbetweenXenCentersessionsandusedtoautomaticallyreconnecttothematthestartofeachnewXenCentersession.
Toenable,inXenCenteronthe"Tools"menu,select"Options",thenclick"SaveandRestore"andselecttheSaveandrestoreserverconnectionstateonstartupcheckbox.
Inaddition,whenSaveandrestoreserverconnectionstateonstartupisenabled,youcanprotectthestoredlogincredentialswithamasterpasswordtoensuretheyremainsecure.
Atthestartofeachsession,youwillbepromptedtoenterthismasterpasswordbeforeconnectionstoyourmanagedserversareautomaticallyrestored.
TodothisselecttheRequireamasterpasswordcheckbox.
Administratorsshouldfollowtheirorganization'spoliciesregardingstoringpasswords.
3.
2.
ConfiguringtheCitrixLicenseServerTheTOEasdescribedin[XSCCST]requirestheuseofalicenseserver.
3.
2.
1.
InitialInstallationForinformationoninstallingandconfiguringtheCitrixLicenseServer,pleasesee[CTXLIC].
53.
2.
2.
PostInstallationConfigurationProceduresTheevaluatedconfigurationrequiresusingthefollowingports:VendorDaemonPort7279LicenseServerManagerPort270003.
3.
ConfiguringNetworkStorage(NFS)TheevaluatedconfigurationassumesthattheNFSserverusesthefollowingstandardports:RPC111NFS2049Lockd26345Statd26346Mountd26347Rquotad263483.
4.
ConfiguringNetworkTimeProtocol(NTP)TheevaluatedconfigurationrequiresthattheNTPserverusesthestandardport:NTP1236Chapter4.
ConfiguringaXenServerHostThissectiondescribestheconfigurationstepsthatmustbefollowedoneachXenServerhost.
Warning:Theevaluatedconfigurationforahostwillonlybeachievedonceallofthefollowingstepshavebeenexecuted.
Thehostmustnotbemadeavailableforuseuntiltheentireconfigurationhasbeencompleted.
Warning:Intheevaluatedconfiguration,administratorsmustonlyusecommandsthataredefinedintheCommonCriteria(CC)documentation,orinsubsequentCitrixKnowledgeBasearticlesthatapplyexplicitlytotheXenServer6.
0.
2CCconfiguration.
4.
1.
BeforeInstallingXenServerBeforeinstallingXenServer,verifytheintegrityofthedownloadedISOfilesbyfollowingtheinstructionsinChapter1of[delproc]4.
2.
InstallingXenServerFortheremainderoftheinstallationprocedure,refertothestepsinthesectioncalled"InstallingtheXenServerHost"([XSInstall])andto[XSAdmin],notingthefollowingadditionalrestrictions:Donotinstallanysupplementalpacks.
ConfigurethehosttouseastaticIPaddress.
IfyournetworkdoesnothaveaDNSserver,enter127.
0.
0.
1whenpromptedfortheIPaddressofaDNSserver.
Note:PXEbootingXenServerinstallations,asdescribedinAppendixC,PXEBootInstallations([XSInstall])isnotsupportedfortheevaluatedconfiguration.
4.
3.
ManagingSSLCertificatesDuringXenServerhostinstallation,aself-signedSSLcertificateisinstalled.
ThismustbereplacedtofullycomplywiththerequirementsforaCCdeploymentasdefinedin[XSCCST].
ThissectionexplainshowtosetupanSSLconfiguration.
AconfiguredX.
509CertificationAuthority(CA)isrequiredforthestepsinthissection(seeAppendixA,OpenSSLConfigurationforanexampleconfigurationsuitableforusewithOpenSSL).
Note:Whenconfiguringapoolenvironment,thesestepsmustbeexecutedonallhosts.
4.
3.
1.
InstallingtheTrustedCACertificateToInstalltheTrustedCACertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragecontainingthecertificate.
3.
InstallaCAcertificatebyenteringthefollowingcommandsonthehostconsole.
#cd#xepool-certificate-installfilename=74.
Unmountandremovetheremovablestorage.
4.
3.
2.
GeneratingHostCertificatesNote:KeysusedontheXenServerhostmustbegeneratedinaccordancewithOE.
Secure_Keysasdefinedin[XSCCST].
WhencreatingaCertificateSigningRequest(CSR)itisalsoimportanttoconsiderthefollowing:OnlyasingleCommonName(CN)entryisinspectedduringhostnamevalidation.
OnlySubjectAlternativeNames(SAN)withtypeDNSareinspectedduringhostnamevalidation.
Hostnamewildcardsarenotsupported.
ThehostIPaddressmustbeincludedineitherCNorSAN.
AFullyQualifiedDomainName(FQDN)canbeprovidedinadditiontothehostIPaddress,howeverthisisnotessential.
127.
0.
0.
1mustbeincludedineithertheCNorSAN.
Allowashortperiodoftimeforxapitobereadyafterperformingservicexapistart.
SeeAppendixA,OpenSSLConfigurationforanexampleusingOpenSSL.
ToInstalltheSSLCertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragemediacontainingthecertificate.
3.
Enterthefollowingcommandsonthehostconsole:#servicexapistop#pkillstunnel#cp/etc/xensource/xapi-ssl.
pem/etc/xensource/orig-xapi-ssl.
pem#cp/etc/xensource/xapi-ssl.
pem#servicexapistart4.
Unmountandremovetheremovablestorage.
4.
4.
CreatingaXenServerPoolXenServerresourcepoolscanbecreatedusingeithertheXenCentermanagementconsoleortheCLI.
Whenyoujoinanewhosttoaresourcepool,thejoininghostsynchronizesitslocaldatabasewiththepool-wideone,andinheritssomesettingsfromthepool.
Formoreinformationonresourcepools,refertothechaptercalled"XenServerHostsandResourcePools"([XSAdmin]).
BeforecreatingaXenServerPool,chooseoneofthehoststobetheinitialpoolmaster.
Therearenospecialrequirementsforchoosingthepoolmaster.
Onceyouhaveselectedthepoolmaster,joinalltheremaininghosts(whichwillbepoolslaves)tothemasterusingthefollowingprocedure.
ToJoinXenServerHostslave1tomasterUsingCLI1.
OpenaconsoleonXenServerhostslave1.
2.
ConfiguretheXenServerslave1hosttoactasaslaveofPoolMastermasterbyenteringthefollowingontheconsole:xepool-joinmaster-address=master-username=root\master-password=Themaster-addressmustbesettothefully-qualifieddomainnameorIPaddressoftheXenServerhostmasterandthepasswordmustbethepasswordsetwhenXenServerhostmasterwasinstalled.
8ToNametheResourcePoolBydefault,XenServerhostsbelongtoanunnamedpool.
Tonametheresourcepool,enterthefollowingcommand:#xepool-listparams=uuidminimal=truexepool-param-setname-label=uuid=4.
5.
NetworkConfigurationTheTOErequirestheuseofseparatenetworksformanagement,storageandguesttraffic.
GuestsmustonlyeverbeconnectedtotheGuestNetworks.
ThisensuresthatproperseparationismaintainedandthatVIFsareonlycreatedontheGuestNetwork.
UndernocircumstancemustaGuesteverbeconnectedtoeithertheManagementNetworkortheStorageNetwork.
Asdom0doesnotneedVIFstoaccesstheManagementandStoragenetworks,noVIFsshouldeverbedefinedforthem.
Referto[CCXSAdmin]forfurtherinformationonconfiguringnetworkingonXenServerandtothesectionSecurityProblemDefinitionin[XSCCST],specificallyA.
Separate_Networks.
4.
5.
1.
ConfiguringtheStorageNetworkNote:ThefollowingstepsforconfiguringtheStorageNetworkmustbeperformedonALLhosts,includingthePoolMaster.
ToconfiguretheStorageNetwork:1.
FindtheUUIDofthehost:#xehost-listname-label=params=uuiduuid(RO):2.
FindtheUUIDofthePIFrelatedtodeviceeth1(NIC1)andtheUUIDofitsnetwork:#xepif-listdevice=eth1host-uuid=params=uuiduuid(RO):3.
ConfiguretheStorageNetworkIPaddress:#xepif-reconfigure-ipuuid=mode=staticIP=netmask=4.
SetthePIFtobepermanentlyattached:#xepif-param-setuuid=disallow-unplug=true4.
6.
StorageConfigurationTheTOEallowsonlytwotypesofStorageRepository(SR):read-onlyISOonNFSorVHDonNFS.
FormoreinformationaboutISOonNFSSRs,seeSection4.
2.
4,"ISOSRs"([XSAdmin]).
FormoreinformationaboutVHDonNFSSRs,seeSection4.
2.
9,"NFSVHDSRs"([XSAdmin]).
Note:ThesestepsmustbeexecutedonlyonthePoolMaster'sconsole.
4.
6.
1.
AddingaVHDonNFSSR1.
ToaddaVHDonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truedevice-config:server=\device-config:serverpath=type=nfsThisreturnsthesr-uuid.
92.
RepeatthecommandforallsubsequentNFSSRsthatshouldbeavailabletothepool.
4.
6.
2.
RegisteringaDefaultSRAfteraddingalltheNFSSRs,chooseoneandmakeitthedefaultSR:#xepool-listparams=uuidminimal=true#xepool-param-setuuid=default-SR=\suspend-image-SR=crash-dump-SR=4.
6.
3.
AddinganISOonNFSSR1.
ToaddanISOonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truetype=iso\device-config:location=content-type=isoThisreturnsthesr-uuid.
2.
RepeatthecommandforallsubsequentISOonNFSSRsthatshouldbeavailabletothepool.
10AppendixA.
OpenSSLConfigurationFollowingisanexampleofaconfigurationfileforusewithOpenSSL(version1.
0.
0)thatwouldcreateaCSRwhichsatisfiestherequirementsXenServerhasoncertificates.
Beforeusingit,pleaseensurethatthisfilecomplieswithyourorganisationalsecuritypolicy.
ExampleA.
1.
OpenSSLConfigurationHOME=.
oid_section=new_oids[new_oids][req]default_days=365default_keyfile=.
/new_key.
pemdefault_bits=2048distinguished_name=req_distinguished_nameencrypt_key=nostring_mask=nombstrreq_extensions=v3_req[req_distinguished_name]CN=10.
80.
2.
63C=GBO=MyFirmLtdOU=TechnicalSupportemailAddress=my.
email@address.
myfirm.
co.
uk[v3_req]subjectAltName=@alt_names[alt_names]DNS.
1=127.
0.
0.
111AppendixB.
FirewallConfigurationBydefault,arestrictivefirewallisconfiguredduringCommonCriteriaXenServerhostinstallation.
Detailsoftheportsusedcanbefoundinthesectionsthatfollow.
B.
1.
ManagementNetworkFirewallTheportsthatareusedontheManagementNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionHTTPS443tcpbothPingN/Aicmp(echo-request)bothLicensing7279tcpoutLicensing27000tcpoutNTP123udpoutDNS53tcpoutDNS53udpoutB.
2.
StorageNetworkFirewallTheportsthatareusedontheStorageNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionPingN/Aicmp(echo-request)bothDNS53tcpoutDNS53udpoutNFS111tcp&udpoutNFS2049tcp&udpoutNFS26345-26348tcp&udpoutB.
3.
GuestNetworkFirewallTheGuestNetworkissolelyusedbytheGuestVMsandthefirewalldoesnotrequireconfiguration.
0.
2,PlatinumEditionPublishedWednesday,22August20123.
0EditionCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEditionCopyright2012CitrixSystems.
Inc.
AllRightsReserved.
Citrix,Inc.
851WestCypressCreekRoadFortLauderdale,FL33309UnitedStatesofAmericaDisclaimersThisdocumentisfurnished"ASIS.
"Citrix,Inc.
disclaimsallwarrantiesregardingthecontentsofthisdocument,including,butnotlimitedto,impliedwarrantiesofmerchantabilityandfitnessforanyparticularpurpose.
Thisdocumentmaycontaintechnicalorotherinaccuraciesortypographicalerrors.
Citrix,Inc.
reservestherighttorevisetheinformationinthisdocumentatanytimewithoutnotice.
ThisdocumentandthesoftwaredescribedinthisdocumentconstituteconfidentialinformationofCitrix,Inc.
anditslicensors,andarefurnishedunderalicensefromCitrix,Inc.
CitrixSystems,Inc.
,theCitrixlogo,CitrixXenServerandCitrixXenCenteraretrademarksofCitrixSystems,Inc.
and/oroneormoreofitssubsidiaries,andmayberegisteredintheUnitedStatesPatentandTrademarkOfficeandinothercountries.
Allothertrademarksandregisteredtrademarksarepropertyoftheirrespectiveowners.
TrademarksCitrixXenServerXenCenterPublished:22August2012iiiContents1.
AboutthisGuide12.
Hardware32.
1.
Inventory32.
2.
SecuringHardware33.
Software43.
1.
ConfiguringXenCenter43.
1.
1.
InitialInstallation43.
1.
2.
Post-InstallationConfigurationProcedures43.
2.
ConfiguringtheCitrixLicenseServer43.
2.
1.
InitialInstallation43.
2.
2.
PostInstallationConfigurationProcedures53.
3.
ConfiguringNetworkStorage(NFS)53.
4.
ConfiguringNetworkTimeProtocol(NTP)54.
ConfiguringaXenServerHost64.
1.
BeforeInstallingXenServer64.
2.
InstallingXenServer64.
3.
ManagingSSLCertificates64.
3.
1.
InstallingtheTrustedCACertificate64.
3.
2.
GeneratingHostCertificates74.
4.
CreatingaXenServerPool74.
5.
NetworkConfiguration84.
5.
1.
ConfiguringtheStorageNetwork84.
6.
StorageConfiguration84.
6.
1.
AddingaVHDonNFSSR84.
6.
2.
RegisteringaDefaultSR94.
6.
3.
AddinganISOonNFSSR9A.
OpenSSLConfiguration10B.
FirewallConfiguration11ivB.
1.
ManagementNetworkFirewall11B.
2.
StorageNetworkFirewall11B.
3.
GuestNetworkFirewall111Chapter1.
AboutthisGuideThisCommonCriteriaEvaluatedConfigurationGuideforCitrixXenServer6.
0.
2,PlatinumEdition,describestherequirementsandproceduresforinstallingandconfiguringCitrixXenServerinaccordancewiththeCommonCriteriaevaluateddeployment.
IfyoursecurityrequirementsandpoliciesrequireyoutodeployCitrixXenServer6.
0.
2tomatchtheCommonCriteriaTargetofEvaluationconfiguration,followtheproceduresinthisguideexactly.
GlossaryCAX.
509CertificationAuthority,seeRFC5280CCCommonCriteriaCLICommandLineInterfaceCNCommonName,seeRFC5280CSRCertificateSigningRequest,seePKCS#10DNSDomainNameSystemEPTExtendedPageTablesFQDNFullyQualifiedDomainNameHCLHardwareCompatibilityListIPInternetProtocolNFSNetworkFileSystemNICNetworkInterfaceControllerNTPNetworkTimeProtocol,seeRFC1305PBDPhysicalBlockDevicePIFPhysicalInterfacePXEPrebooteXecutionEnvironmentRPCRemoteProcedureCallSANSubjectAlternativeName,seeRFC5280SARSecurityAssuranceRequirementSFRSecurityFunctionalRequirementSRStorageRepositorySTSecurityTargetSSLSecureSocketLayerUUIDUniversallyUniqueIdentifier2TOETargetofEvaluationVIFVirtualInterfaceVMVirtualMachineVT-xVirtualizationTechnologyforx86ProcessorsReferences[XSInstall]CitrixXenServerInstallationGuide,6.
0.
1.
1Edition.
[CTXLIC]CitrixLicensing.
http://support.
citrix.
com/proddocs/topic/technologies/lic-library-node-wrapper.
html.
[XSCCST]CommonCriteriaSecurityTargetforCitrixXenServer6.
0.
2,PlatinumEditionCIN8-ST-0001.
Version1.
0.
[CCXSAdmin]CommonCriteriaAdministrator'sGuideforCitrixXenServer6.
0.
2,PlatinumEdition.
1.
0Edition.
[XSAdmin]CitrixXenServerAdministrator'sGuide6.
0.
1.
1Edition.
3Chapter2.
HardwareImportant:ThehardwareselectedforusemustbecertifiedandsupportedforusewithXenServer.
RefertotheXenServerHardwareCompatibilityList(HCL)athttp://citrix.
com/xenserver/cc-hclfordetails.
ForCommonCriteriapurposes,theXenServer6.
0.
2HCLapplieswiththeadditionalrestrictionthat:Eachservermustcontainatleast2CPUcores.
OnlyIntel64-bit-capableCPUswithbothVT-xandEPTcapabilitiesaresupported.
Eachservermustcontainatleast3NICs.
2.
1.
InventoryServersAtleast2,amaximumof16,serverssatisfyingthelimitationsoftheTOEasfoundin[XSCCST].
StorageNetworkattachedstorageofferingNFSstorage,asdefinedintheTOE([XSCCST]).
NetworkAnynetworkconfigurationwithinthelimitsoftheTOEasfoundin[XSCCST].
Note:Thehosthardwareconfigurationinfluenceshowtheinstalledsystemwillauto-configure.
Fortheevaluatedconfiguration,thehardwareshouldbesetupasfollows:NIC0-ManagementNetworkNIC1-StorageNetworkNIC2.
.
.
NICN-OneormorefurtherNICsmustbeaddedasrequiredtocreateGuestNetworks2.
2.
SecuringHardwareThehardwaremustbesecuredasdescribedin[XSCCST]sectionSecurityObjectivesfortheOperationalEnvironment,specificallyOE.
Secure_Resource,OE.
Secure_Keys,OE.
Separate_Networks.
4Chapter3.
SoftwareTheevaluatedconfigurationasdescribedin[XSCCST]includestheXenCenterclientasamanagementconsole,althoughXenCenterisnotincludedintheTOEandisnotreliedupontoimplementanysecurityfunctions.
WhenXenCenterisusedastheclient,theCC-specificversionmustbeused(availableontheCCISO).
ThestandardversionofXenCenterwouldprovidenotificationsofupdatesthatarenotapplicabletotheXenServerCCversion,whichmaycauseanadministratortotakeitoutoftheEvaluatedConfiguration.
TheCCversionofXenCenterdoesnotprovidethesenotifications.
UsersshouldmonitortheCitrixSupportsite,http://support.
citrix.
com/6.
0.
2[**URLtobeconfirmed**],forupdatesthatareapplicablespecificallytotheXenServerCCversion.
3.
1.
ConfiguringXenCenterTheclientusedforthemanagementofXenServermustverifypresentedSSLcertificates.
TodothisusingCitrixXenCenter,executethefollowingprocedure.
3.
1.
1.
InitialInstallationPleaserefertothestepsinthesectioncalled"InstallingXenCenter"([XSInstall]).
3.
1.
2.
Post-InstallationConfigurationProcedures1.
OntheToolsmenu,selectOptions.
ThisdisplaystheOptionsdialog.
2.
Inthelefthandpane,selectSecurity.
3.
SelecttheoptionsWarnmewhenanewSSLcertificateisfoundandWarnmewhenanSSLcertificatechanges.
4.
ClickOKtoclosethedialog.
Note:IfyouuseXenCenterfortheCommonCriteriaconfiguration,itispossibletostoreyourlogincredentials.
TheusernameandpasswordforallmanagedserverscanbestoredbetweenXenCentersessionsandusedtoautomaticallyreconnecttothematthestartofeachnewXenCentersession.
Toenable,inXenCenteronthe"Tools"menu,select"Options",thenclick"SaveandRestore"andselecttheSaveandrestoreserverconnectionstateonstartupcheckbox.
Inaddition,whenSaveandrestoreserverconnectionstateonstartupisenabled,youcanprotectthestoredlogincredentialswithamasterpasswordtoensuretheyremainsecure.
Atthestartofeachsession,youwillbepromptedtoenterthismasterpasswordbeforeconnectionstoyourmanagedserversareautomaticallyrestored.
TodothisselecttheRequireamasterpasswordcheckbox.
Administratorsshouldfollowtheirorganization'spoliciesregardingstoringpasswords.
3.
2.
ConfiguringtheCitrixLicenseServerTheTOEasdescribedin[XSCCST]requirestheuseofalicenseserver.
3.
2.
1.
InitialInstallationForinformationoninstallingandconfiguringtheCitrixLicenseServer,pleasesee[CTXLIC].
53.
2.
2.
PostInstallationConfigurationProceduresTheevaluatedconfigurationrequiresusingthefollowingports:VendorDaemonPort7279LicenseServerManagerPort270003.
3.
ConfiguringNetworkStorage(NFS)TheevaluatedconfigurationassumesthattheNFSserverusesthefollowingstandardports:RPC111NFS2049Lockd26345Statd26346Mountd26347Rquotad263483.
4.
ConfiguringNetworkTimeProtocol(NTP)TheevaluatedconfigurationrequiresthattheNTPserverusesthestandardport:NTP1236Chapter4.
ConfiguringaXenServerHostThissectiondescribestheconfigurationstepsthatmustbefollowedoneachXenServerhost.
Warning:Theevaluatedconfigurationforahostwillonlybeachievedonceallofthefollowingstepshavebeenexecuted.
Thehostmustnotbemadeavailableforuseuntiltheentireconfigurationhasbeencompleted.
Warning:Intheevaluatedconfiguration,administratorsmustonlyusecommandsthataredefinedintheCommonCriteria(CC)documentation,orinsubsequentCitrixKnowledgeBasearticlesthatapplyexplicitlytotheXenServer6.
0.
2CCconfiguration.
4.
1.
BeforeInstallingXenServerBeforeinstallingXenServer,verifytheintegrityofthedownloadedISOfilesbyfollowingtheinstructionsinChapter1of[delproc]4.
2.
InstallingXenServerFortheremainderoftheinstallationprocedure,refertothestepsinthesectioncalled"InstallingtheXenServerHost"([XSInstall])andto[XSAdmin],notingthefollowingadditionalrestrictions:Donotinstallanysupplementalpacks.
ConfigurethehosttouseastaticIPaddress.
IfyournetworkdoesnothaveaDNSserver,enter127.
0.
0.
1whenpromptedfortheIPaddressofaDNSserver.
Note:PXEbootingXenServerinstallations,asdescribedinAppendixC,PXEBootInstallations([XSInstall])isnotsupportedfortheevaluatedconfiguration.
4.
3.
ManagingSSLCertificatesDuringXenServerhostinstallation,aself-signedSSLcertificateisinstalled.
ThismustbereplacedtofullycomplywiththerequirementsforaCCdeploymentasdefinedin[XSCCST].
ThissectionexplainshowtosetupanSSLconfiguration.
AconfiguredX.
509CertificationAuthority(CA)isrequiredforthestepsinthissection(seeAppendixA,OpenSSLConfigurationforanexampleconfigurationsuitableforusewithOpenSSL).
Note:Whenconfiguringapoolenvironment,thesestepsmustbeexecutedonallhosts.
4.
3.
1.
InstallingtheTrustedCACertificateToInstalltheTrustedCACertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragecontainingthecertificate.
3.
InstallaCAcertificatebyenteringthefollowingcommandsonthehostconsole.
#cd#xepool-certificate-installfilename=74.
Unmountandremovetheremovablestorage.
4.
3.
2.
GeneratingHostCertificatesNote:KeysusedontheXenServerhostmustbegeneratedinaccordancewithOE.
Secure_Keysasdefinedin[XSCCST].
WhencreatingaCertificateSigningRequest(CSR)itisalsoimportanttoconsiderthefollowing:OnlyasingleCommonName(CN)entryisinspectedduringhostnamevalidation.
OnlySubjectAlternativeNames(SAN)withtypeDNSareinspectedduringhostnamevalidation.
Hostnamewildcardsarenotsupported.
ThehostIPaddressmustbeincludedineitherCNorSAN.
AFullyQualifiedDomainName(FQDN)canbeprovidedinadditiontothehostIPaddress,howeverthisisnotessential.
127.
0.
0.
1mustbeincludedineithertheCNorSAN.
Allowashortperiodoftimeforxapitobereadyafterperformingservicexapistart.
SeeAppendixA,OpenSSLConfigurationforanexampleusingOpenSSL.
ToInstalltheSSLCertificateonaHost1.
CopyyourtrustedCAcertificatetoremovablestorage.
2.
Mounttheremovablestoragemediacontainingthecertificate.
3.
Enterthefollowingcommandsonthehostconsole:#servicexapistop#pkillstunnel#cp/etc/xensource/xapi-ssl.
pem/etc/xensource/orig-xapi-ssl.
pem#cp/etc/xensource/xapi-ssl.
pem#servicexapistart4.
Unmountandremovetheremovablestorage.
4.
4.
CreatingaXenServerPoolXenServerresourcepoolscanbecreatedusingeithertheXenCentermanagementconsoleortheCLI.
Whenyoujoinanewhosttoaresourcepool,thejoininghostsynchronizesitslocaldatabasewiththepool-wideone,andinheritssomesettingsfromthepool.
Formoreinformationonresourcepools,refertothechaptercalled"XenServerHostsandResourcePools"([XSAdmin]).
BeforecreatingaXenServerPool,chooseoneofthehoststobetheinitialpoolmaster.
Therearenospecialrequirementsforchoosingthepoolmaster.
Onceyouhaveselectedthepoolmaster,joinalltheremaininghosts(whichwillbepoolslaves)tothemasterusingthefollowingprocedure.
ToJoinXenServerHostslave1tomasterUsingCLI1.
OpenaconsoleonXenServerhostslave1.
2.
ConfiguretheXenServerslave1hosttoactasaslaveofPoolMastermasterbyenteringthefollowingontheconsole:xepool-joinmaster-address=master-username=root\master-password=Themaster-addressmustbesettothefully-qualifieddomainnameorIPaddressoftheXenServerhostmasterandthepasswordmustbethepasswordsetwhenXenServerhostmasterwasinstalled.
8ToNametheResourcePoolBydefault,XenServerhostsbelongtoanunnamedpool.
Tonametheresourcepool,enterthefollowingcommand:#xepool-listparams=uuidminimal=truexepool-param-setname-label=uuid=4.
5.
NetworkConfigurationTheTOErequirestheuseofseparatenetworksformanagement,storageandguesttraffic.
GuestsmustonlyeverbeconnectedtotheGuestNetworks.
ThisensuresthatproperseparationismaintainedandthatVIFsareonlycreatedontheGuestNetwork.
UndernocircumstancemustaGuesteverbeconnectedtoeithertheManagementNetworkortheStorageNetwork.
Asdom0doesnotneedVIFstoaccesstheManagementandStoragenetworks,noVIFsshouldeverbedefinedforthem.
Referto[CCXSAdmin]forfurtherinformationonconfiguringnetworkingonXenServerandtothesectionSecurityProblemDefinitionin[XSCCST],specificallyA.
Separate_Networks.
4.
5.
1.
ConfiguringtheStorageNetworkNote:ThefollowingstepsforconfiguringtheStorageNetworkmustbeperformedonALLhosts,includingthePoolMaster.
ToconfiguretheStorageNetwork:1.
FindtheUUIDofthehost:#xehost-listname-label=params=uuiduuid(RO):2.
FindtheUUIDofthePIFrelatedtodeviceeth1(NIC1)andtheUUIDofitsnetwork:#xepif-listdevice=eth1host-uuid=params=uuiduuid(RO):3.
ConfiguretheStorageNetworkIPaddress:#xepif-reconfigure-ipuuid=mode=staticIP=netmask=4.
SetthePIFtobepermanentlyattached:#xepif-param-setuuid=disallow-unplug=true4.
6.
StorageConfigurationTheTOEallowsonlytwotypesofStorageRepository(SR):read-onlyISOonNFSorVHDonNFS.
FormoreinformationaboutISOonNFSSRs,seeSection4.
2.
4,"ISOSRs"([XSAdmin]).
FormoreinformationaboutVHDonNFSSRs,seeSection4.
2.
9,"NFSVHDSRs"([XSAdmin]).
Note:ThesestepsmustbeexecutedonlyonthePoolMaster'sconsole.
4.
6.
1.
AddingaVHDonNFSSR1.
ToaddaVHDonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truedevice-config:server=\device-config:serverpath=type=nfsThisreturnsthesr-uuid.
92.
RepeatthecommandforallsubsequentNFSSRsthatshouldbeavailabletothepool.
4.
6.
2.
RegisteringaDefaultSRAfteraddingalltheNFSSRs,chooseoneandmakeitthedefaultSR:#xepool-listparams=uuidminimal=true#xepool-param-setuuid=default-SR=\suspend-image-SR=crash-dump-SR=4.
6.
3.
AddinganISOonNFSSR1.
ToaddanISOonNFSSRat:enterthefollowingcommand:#xesr-createname-label=""shared=truetype=iso\device-config:location=content-type=isoThisreturnsthesr-uuid.
2.
RepeatthecommandforallsubsequentISOonNFSSRsthatshouldbeavailabletothepool.
10AppendixA.
OpenSSLConfigurationFollowingisanexampleofaconfigurationfileforusewithOpenSSL(version1.
0.
0)thatwouldcreateaCSRwhichsatisfiestherequirementsXenServerhasoncertificates.
Beforeusingit,pleaseensurethatthisfilecomplieswithyourorganisationalsecuritypolicy.
ExampleA.
1.
OpenSSLConfigurationHOME=.
oid_section=new_oids[new_oids][req]default_days=365default_keyfile=.
/new_key.
pemdefault_bits=2048distinguished_name=req_distinguished_nameencrypt_key=nostring_mask=nombstrreq_extensions=v3_req[req_distinguished_name]CN=10.
80.
2.
63C=GBO=MyFirmLtdOU=TechnicalSupportemailAddress=my.
email@address.
myfirm.
co.
uk[v3_req]subjectAltName=@alt_names[alt_names]DNS.
1=127.
0.
0.
111AppendixB.
FirewallConfigurationBydefault,arestrictivefirewallisconfiguredduringCommonCriteriaXenServerhostinstallation.
Detailsoftheportsusedcanbefoundinthesectionsthatfollow.
B.
1.
ManagementNetworkFirewallTheportsthatareusedontheManagementNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionHTTPS443tcpbothPingN/Aicmp(echo-request)bothLicensing7279tcpoutLicensing27000tcpoutNTP123udpoutDNS53tcpoutDNS53udpoutB.
2.
StorageNetworkFirewallTheportsthatareusedontheStorageNetworkintheTOEasdefinedin[XSCCST]:ServicePortProtocolDirectionPingN/Aicmp(echo-request)bothDNS53tcpoutDNS53udpoutNFS111tcp&udpoutNFS2049tcp&udpoutNFS26345-26348tcp&udpoutB.
3.
GuestNetworkFirewallTheGuestNetworkissolelyusedbytheGuestVMsandthefirewalldoesnotrequireconfiguration.
iON Cloud七月促销适合稳定不折腾的用户,云服务器新购半年付8.5折,洛杉矶/圣何塞CN2 GT线路,可选Windows系统
iON Cloud怎么样?iON Cloud今天发布了7月份优惠,使用优惠码:VC4VF8RHFL,新购指定型号VPS半年付或以上可享八五折!iON的云服务器包括美国洛杉矶、美国圣何塞(包含了优化线路、CN2 GIA线路)、新加坡(CN2 GIA线路、PCCW线路、移动CMI线路)这几个机房或者线路可供选择,有Linux和Windows系统之分,整体来说针对中国的优化是非常明显的,机器稳定可靠,比...
百纵科技(19元/月),美国洛杉矶10G防御服务器/洛杉矶C3机房 带金盾高防
百纵科技官网:https://www.baizon.cn/百纵科技:美国云服务器活动重磅来袭,洛杉矶C3机房 带金盾高防,会员后台可自助管理防火墙,添加黑白名单 CC策略开启低中高.CPU全系列E52680v3 DDR4内存 三星固态盘列阵。另有高防清洗!美国洛杉矶 CN2 云服务器CPU内存带宽数据盘防御价格1H1G10M10G10G19元/月 购买地址2H1G10M10G10G29元/月 购买...
PacificRack(年付低至19美元),夏季促销PR-M系列和多IP站群VPS主机
这几天有几个网友询问到是否有Windows VPS主机便宜的VPS主机商。原本他们是在Linode、Vultr主机商挂载DD安装Windows系统的,有的商家支持自定义WIN镜像,但是这些操作起来特别效率低下,每次安装一个Windows系统需要一两个小时,所以如果能找到比较合适的自带Windows系统的服务器那最好不过。这不看到PacificRack商家有提供夏季促销活动,其中包括年付便宜套餐的P...
127.0.0.1为你推荐
-
FUSIONENTERTAINMENT.COM的人迅雷支持ipad深圳市富满电子集团股份有限公司平台操作使用手册ipad如何上网iPad怎么上网?请高手指点ipad如何上网ipad怎么设置网络?tcpip上的netbiostcp 协议里的 netbios . 在哪,找不到csshack什么是Css Hack?ie6,7,8的hack分别是什么googleadsense·什么是Google AdSense?如何加入Google AdSense? 谁可以告诉我吗?