Common Criteria Evaluated Configuration Guide for Citrix XenServer 6.0.2, Platinum Edition

Published Wednesday, 22 August 2012
3.0 Edition

Copyright 2012 Citrix Systems, Inc. All Rights Reserved.

Citrix, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
United States of America

Disclaimers

This document is furnished "AS IS." Citrix, Inc. disclaims all warranties regarding the contents of this document, including, but not limited to, implied warranties of merchantability and fitness for any particular purpose. This document may contain technical or other inaccuracies or typographical errors. Citrix, Inc. reserves the right to revise the information in this document at any time without notice. This document and the software described in this document constitute confidential information of Citrix, Inc. and its licensors, and are furnished under a license from Citrix, Inc.

Citrix Systems, Inc., the Citrix logo, Citrix XenServer and Citrix XenCenter are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.

Trademarks

Citrix
XenServer
XenCenter

Published: 22 August 2012

Contents

1. About this Guide
2. Hardware
    2.1. Inventory
    2.2. Securing Hardware
3. Software
    3.1. Configuring XenCenter
        3.1.1. Initial Installation
        3.1.2. Post-Installation Configuration Procedures
    3.2. Configuring the Citrix License Server
        3.2.1. Initial Installation
        3.2.2. Post Installation Configuration Procedures
    3.3. Configuring Network Storage (NFS)
    3.4. Configuring Network Time Protocol (NTP)
4. Configuring a XenServer Host
    4.1. Before Installing XenServer
    4.2. Installing XenServer
    4.3. Managing SSL Certificates
        4.3.1. Installing the Trusted CA Certificate
        4.3.2. Generating Host Certificates
    4.4. Creating a XenServer Pool
    4.5. Network Configuration
        4.5.1. Configuring the Storage Network
    4.6. Storage Configuration
        4.6.1. Adding a VHD on NFS SR
        4.6.2. Registering a Default SR
        4.6.3. Adding an ISO on NFS SR
A. OpenSSL Configuration
B. Firewall Configuration
    B.1. Management Network Firewall
    B.2. Storage Network Firewall
    B.3. Guest Network Firewall

Chapter 1. About this Guide

This Common Criteria Evaluated Configuration Guide for Citrix XenServer 6.0.2, Platinum Edition, describes the requirements and procedures for installing and configuring Citrix XenServer in accordance with the Common Criteria evaluated deployment. If your security requirements and policies require you to deploy Citrix XenServer 6.0.2 to match the Common Criteria Target of Evaluation configuration, follow the procedures in this guide exactly.

Glossary

CA      X.509 Certification Authority, see RFC 5280
CC      Common Criteria
CLI     Command Line Interface
CN      Common Name, see RFC 5280
CSR     Certificate Signing Request, see PKCS #10
DNS     Domain Name System
EPT     Extended Page Tables
FQDN    Fully Qualified Domain Name
HCL     Hardware Compatibility List
IP      Internet Protocol
NFS     Network File System
NIC     Network Interface Controller
NTP     Network Time Protocol, see RFC 1305
PBD     Physical Block Device
PIF     Physical Interface
PXE     Preboot eXecution Environment
RPC     Remote Procedure Call
SAN     Subject Alternative Name, see RFC 5280
SAR     Security Assurance Requirement
SFR     Security Functional Requirement
SR      Storage Repository
ST      Security Target
SSL     Secure Socket Layer
UUID    Universally Unique Identifier
TOE     Target of Evaluation
VIF     Virtual Interface
VM      Virtual Machine
VT-x    Virtualization Technology for x86 Processors

References

[XSInstall]  Citrix XenServer Installation Guide, 6.0.1.1 Edition.
[CTXLIC]     Citrix Licensing. http://support.citrix.com/proddocs/topic/technologies/lic-library-node-wrapper.html.
[XSCCST]     Common Criteria Security Target for Citrix XenServer 6.0.2, Platinum Edition CIN8-ST-0001. Version 1.0.
[CCXSAdmin]  Common Criteria Administrator's Guide for Citrix XenServer 6.0.2, Platinum Edition. 1.0 Edition.
[XSAdmin]    Citrix XenServer Administrator's Guide 6.0.1.1 Edition.

Chapter 2. Hardware

Important: The hardware selected for use must be certified and supported for use with XenServer. Refer to the XenServer Hardware Compatibility List (HCL) at http://citrix.com/xenserver/cc-hcl for details.

For Common Criteria purposes, the XenServer 6.0.2 HCL applies with the additional restriction that:

    - Each server must contain at least 2 CPU cores.
    - Only Intel 64-bit-capable CPUs with both VT-x and EPT capabilities are supported.
    - Each server must contain at least 3 NICs.

2.1. Inventory

Servers   At least 2, a maximum of 16, servers satisfying the limitations of the TOE as found in [XSCCST].
Storage   Network attached storage offering NFS storage, as defined in the TOE ([XSCCST]).
Network   Any network configuration within the limits of the TOE as found in [XSCCST].

Note: The host hardware configuration influences how the installed system will auto-configure. For the evaluated configuration, the hardware should be set up as follows:

    - NIC 0 - Management Network
    - NIC 1 - Storage Network
    - NIC 2 ... NIC N - One or more further NICs must be added as required to create Guest Networks

2.2. Securing Hardware

The hardware must be secured as described in [XSCCST] section Security Objectives for the Operational Environment, specifically OE.Secure_Resource, OE.Secure_Keys, OE.Separate_Networks.

Chapter 3. Software

The evaluated configuration as described in [XSCCST] includes the XenCenter client as a management console, although XenCenter is not included in the TOE and is not relied upon to implement any security functions. When XenCenter is used as the client, the CC-specific version must be used (available on the CC ISO). The standard version of XenCenter would provide notifications of updates that are not applicable to the XenServer CC version, which may cause an administrator to take it out of the Evaluated Configuration. The CC version of XenCenter does not provide these notifications. Users should monitor the Citrix Support site, http://support.citrix.com/6.0.2 [**URL to be confirmed**], for updates that are applicable specifically to the XenServer CC version.

3.1. Configuring XenCenter

The client used for the management of XenServer must verify presented SSL certificates. To do this using Citrix XenCenter, execute the following procedure.

3.1.1. Initial Installation

Please refer to the steps in the section called "Installing XenCenter" ([XSInstall]).

3.1.2. Post-Installation Configuration Procedures

1. On the Tools menu, select Options. This displays the Options dialog.
2. In the left hand pane, select Security.
3. Select the options Warn me when a new SSL certificate is found and Warn me when an SSL certificate changes.
4. Click OK to close the dialog.

Note: If you use XenCenter for the Common Criteria configuration, it is possible to store your login credentials. The username and password for all managed servers can be stored between XenCenter sessions and used to automatically reconnect to them at the start of each new XenCenter session. To enable, in XenCenter on the "Tools" menu, select "Options", then click "Save and Restore" and select the Save and restore server connection state on startup checkbox. In addition, when Save and restore server connection state on startup is enabled, you can protect the stored login credentials with a master password to ensure they remain secure. At the start of each session, you will be prompted to enter this master password before connections to your managed servers are automatically restored. To do this select the Require a master password checkbox. Administrators should follow their organization's policies regarding storing passwords.

3.2. Configuring the Citrix License Server

The TOE as described in [XSCCST] requires the use of a license server.

3.2.1. Initial Installation

For information on installing and configuring the Citrix License Server, please see [CTXLIC].

3.2.2. Post Installation Configuration Procedures

The evaluated configuration requires using the following ports:

    Vendor Daemon Port             7279
    License Server Manager Port    27000

3.3. Configuring Network Storage (NFS)

The evaluated configuration assumes that the NFS server uses the following standard ports:

    RPC        111
    NFS        2049
    Lockd      26345
    Statd      26346
    Mountd     26347
    Rquotad    26348

3.4. Configuring Network Time Protocol (NTP)

The evaluated configuration requires that the NTP server uses the standard port:

    NTP        123

Chapter 4. Configuring a XenServer Host

This section describes the configuration steps that must be followed on each XenServer host.

Warning: The evaluated configuration for a host will only be achieved once all of the following steps have been executed. The host must not be made available for use until the entire configuration has been completed.

Warning: In the evaluated configuration, administrators must only use commands that are defined in the Common Criteria (CC) documentation, or in subsequent Citrix Knowledge Base articles that apply explicitly to the XenServer 6.0.2 CC configuration.

4.1. Before Installing XenServer

Before installing XenServer, verify the integrity of the downloaded ISO files by following the instructions in Chapter 1 of [delproc].

4.2. Installing XenServer

For the remainder of the installation procedure, refer to the steps in the section called "Installing the XenServer Host" ([XSInstall]) and to [XSAdmin], noting the following additional restrictions:

    - Do not install any supplemental packs.
    - Configure the host to use a static IP address.
    - If your network does not have a DNS server, enter 127.0.0.1 when prompted for the IP address of a DNS server.

Note: PXE booting XenServer installations, as described in Appendix C, PXE Boot Installations ([XSInstall]) is not supported for the evaluated configuration.

4.3. Managing SSL Certificates

During XenServer host installation, a self-signed SSL certificate is installed. This must be replaced to fully comply with the requirements for a CC deployment as defined in [XSCCST]. This section explains how to set up an SSL configuration. A configured X.509 Certification Authority (CA) is required for the steps in this section (see Appendix A, OpenSSL Configuration for an example configuration suitable for use with OpenSSL).

Note: When configuring a pool environment, these steps must be executed on all hosts.

4.3.1. Installing the Trusted CA Certificate

To Install the Trusted CA Certificate on a Host

1. Copy your trusted CA certificate to removable storage.
2. Mount the removable storage containing the certificate.
3. Install a CA certificate by entering the following commands on the host console.

    # cd
    # xe pool-certificate-install filename=

4. Unmount and remove the removable storage.

4.3.2. Generating Host Certificates

Note: Keys used on the XenServer host must be generated in accordance with OE.Secure_Keys as defined in [XSCCST].

When creating a Certificate Signing Request (CSR) it is also important to consider the following:

    - Only a single Common Name (CN) entry is inspected during hostname validation.
    - Only Subject Alternative Names (SAN) with type DNS are inspected during hostname validation.
    - Hostname wildcards are not supported.
    - The host IP address must be included in either CN or SAN.
    - A Fully Qualified Domain Name (FQDN) can be provided in addition to the host IP address, however this is not essential.
    - 127.0.0.1 must be included in either the CN or SAN.
    - Allow a short period of time for xapi to be ready after performing service xapi start.

See Appendix A, OpenSSL Configuration for an example using OpenSSL.

To Install the SSL Certificate on a Host

1. Copy your trusted CA certificate to removable storage.
2. Mount the removable storage media containing the certificate.
3. Enter the following commands on the host console:

    # service xapi stop
    # pkill stunnel
    # cp /etc/xensource/xapi-ssl.pem /etc/xensource/orig-xapi-ssl.pem
    # cp /etc/xensource/xapi-ssl.pem
    # service xapi start

4. Unmount and remove the removable storage.
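
The CSR rules listed in section 4.3.2 can be checked before a request is sent to the CA. The following is an added example, not part of the Citrix guide: it parses an OpenSSL request configuration in the style of Appendix A and reports violations of those rules. The function names and the two inline configurations are constructed for illustration; the host address 10.80.2.63 is the one used in Appendix A.

```python
import ipaddress

def parse_cnf(text):
    """Parse the '[section]' / 'key = value' subset of an OpenSSL config file."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_csr_config(text, host_ip):
    """Return violations of the CSR rules in section 4.3.2 (empty list = pass)."""
    cnf = parse_cnf(text)
    req = cnf.get("req", {})
    dn = cnf.get(req.get("distinguished_name", ""), {})
    ext = cnf.get(req.get("req_extensions", ""), {})
    san_ref = ext.get("subjectAltName", "")
    alt = cnf.get(san_ref[1:], {}) if san_ref.startswith("@") else {}
    # Only a single CN and only DNS-type SAN entries are inspected.
    cns = [v for k, v in dn.items() if k.split(".")[-1] in ("CN", "commonName")]
    dns_sans = [v for k, v in alt.items() if k.split(".")[0] == "DNS"]
    inspected = cns[:1] + dns_sans
    problems = []
    if len(cns) != 1:
        problems.append(f"expected exactly one CN, found {len(cns)}")
    problems += [f"wildcard not supported: {n}" for n in inspected if "*" in n]
    for required in (str(ipaddress.ip_address(host_ip)), "127.0.0.1"):
        if required not in inspected:
            problems.append(f"{required} not in CN or a DNS-type SAN")
    problems += [f"{k} is not a DNS-type SAN and is not inspected"
                 for k in alt if k.split(".")[0] != "DNS"]
    return problems

# Constructed sample inputs: GOOD mirrors Appendix A, BAD breaks three rules.
HEAD = "[req]\ndistinguished_name = dn\nreq_extensions = v3_req\n[dn]\nCN = 10.80.2.63\n"
GOOD = HEAD + "[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\n"
BAD = HEAD + ("[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n"
              "IP.1 = 127.0.0.1\nDNS.1 = *.example.test\n")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_csr_config(cfg, "10.80.2.63") or "ok")
```

The BAD sample fails because 127.0.0.1 appears only as an IP-type SAN, which hostname validation does not inspect; this is why Appendix A lists the address under DNS.1.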

4.4. Creating a XenServer Pool

XenServer resource pools can be created using either the XenCenter management console or the CLI. When you join a new host to a resource pool, the joining host synchronizes its local database with the pool-wide one, and inherits some settings from the pool. For more information on resource pools, refer to the chapter called "XenServer Hosts and Resource Pools" ([XSAdmin]).

Before creating a XenServer Pool, choose one of the hosts to be the initial pool master. There are no special requirements for choosing the pool master. Once you have selected the pool master, join all the remaining hosts (which will be pool slaves) to the master using the following procedure.

To Join XenServer Host slave1 to master Using CLI

1. Open a console on XenServer host slave1.
2. Configure the XenServer slave1 host to act as a slave of Pool Master master by entering the following on the console:

    xe pool-join master-address= master-username=root \
        master-password=

   The master-address must be set to the fully-qualified domain name or IP address of the XenServer host master and the password must be the password set when XenServer host master was installed.

To Name the Resource Pool

By default, XenServer hosts belong to an unnamed pool. To name the resource pool, enter the following command:

    # xe pool-list params=uuid minimal=true
    # xe pool-param-set name-label= uuid=

4.5. Network Configuration

The TOE requires the use of separate networks for management, storage and guest traffic. Guests must only ever be connected to the Guest Networks. This ensures that proper separation is maintained and that VIFs are only created on the Guest Network. Under no circumstance must a Guest ever be connected to either the Management Network or the Storage Network. As dom0 does not need VIFs to access the Management and Storage networks, no VIFs should ever be defined for them.

Refer to [CCXSAdmin] for further information on configuring networking on XenServer and to the section Security Problem Definition in [XSCCST], specifically A.Separate_Networks.

4.5.1. Configuring the Storage Network

Note: The following steps for configuring the Storage Network must be performed on ALL hosts, including the Pool Master.

To configure the Storage Network:

1. Find the UUID of the host:

    # xe host-list name-label= params=uuid
    uuid (RO):

2. Find the UUID of the PIF related to device eth1 (NIC 1) and the UUID of its network:

    # xe pif-list device=eth1 host-uuid= params=uuid
    uuid (RO):

3. Configure the Storage Network IP address:

    # xe pif-reconfigure-ip uuid= mode=static IP= netmask=

4. Set the PIF to be permanently attached:

    # xe pif-param-set uuid= disallow-unplug=true

4.6. Storage Configuration

The TOE allows only two types of Storage Repository (SR): read-only ISO on NFS or VHD on NFS. For more information about ISO on NFS SRs, see Section 4.2.4, "ISO SRs" ([XSAdmin]). For more information about VHD on NFS SRs, see Section 4.2.9, "NFS VHD SRs" ([XSAdmin]).

Note: These steps must be executed only on the Pool Master's console.

4.6.1. Adding a VHD on NFS SR

1. To add a VHD on NFS SR at : enter the following command:

    # xe sr-create name-label="" shared=true device-config:server= \
        device-config:serverpath= type=nfs

   This returns the sr-uuid.
2. Repeat the command for all subsequent NFS SRs that should be available to the pool.

4.6.2. Registering a Default SR

After adding all the NFS SRs, choose one and make it the default SR:

    # xe pool-list params=uuid minimal=true
    # xe pool-param-set uuid= default-SR= \
        suspend-image-SR= crash-dump-SR=

4.6.3. Adding an ISO on NFS SR

1. To add an ISO on NFS SR at : enter the following command:

    # xe sr-create name-label="" shared=true type=iso \
        device-config:location= content-type=iso

   This returns the sr-uuid.
2. Repeat the command for all subsequent ISO on NFS SRs that should be available to the pool.

Appendix A. OpenSSL Configuration

Following is an example of a configuration file for use with OpenSSL (version 1.0.0) that would create a CSR which satisfies the requirements XenServer has on certificates. Before using it, please ensure that this file complies with your organisational security policy.

Example A.1. OpenSSL Configuration

    HOME = .
    oid_section = new_oids

    [ new_oids ]

    [ req ]
    default_days = 365
    default_keyfile = ./new_key.pem
    default_bits = 2048
    distinguished_name = req_distinguished_name
    encrypt_key = no
    string_mask = nombstr
    req_extensions = v3_req

    [ req_distinguished_name ]
    CN = 10.80.2.63
    C = GB
    O = My Firm Ltd
    OU = Technical Support
    emailAddress = my.email@address.myfirm.co.uk

    [ v3_req ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = 127.0.0.1

Appendix B. Firewall Configuration

By default, a restrictive firewall is configured during Common Criteria XenServer host installation. Details of the ports used can be found in the sections that follow.

B.1. Management Network Firewall

The ports that are used on the Management Network in the TOE as defined in [XSCCST]:

    Service      Port     Protocol               Direction
    HTTPS        443      tcp                    both
    Ping         N/A      icmp (echo-request)    both
    Licensing    7279     tcp                    out
    Licensing    27000    tcp                    out
    NTP          123      udp                    out
    DNS          53       tcp                    out
    DNS          53       udp                    out

B.2. Storage Network Firewall

The ports that are used on the Storage Network in the TOE as defined in [XSCCST]:

    Service      Port           Protocol               Direction
    Ping         N/A            icmp (echo-request)    both
    DNS          53             tcp                    out
    DNS          53             udp                    out
    NFS          111            tcp & udp              out
    NFS          2049           tcp & udp              out
    NFS          26345-26348    tcp & udp              out

B.3. Guest Network Firewall

The Guest Network is solely used by the Guest VMs and the firewall does not require configuration.
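
A host's ruleset can be compared against the Appendix B tables mechanically. The following is an added example, not part of the Citrix guide: it parses iptables-save style ACCEPT rules and reports what is allowed beyond, or missing from, the B.2 Storage Network table. The use of iptables-save output, the interface name xenbr1 and the sample rules are assumptions constructed for illustration.

```python
# Appendix B.2 rows: (port, (low, high) range, or None for ICMP echo-request; protocols; direction).
STORAGE = [(None, "icmp", "both"), (53, "tcp udp", "out"), (111, "tcp udp", "out"),
           (2049, "tcp udp", "out"), ((26345, 26348), "tcp udp", "out")]

def expand(rows):
    """Turn table rows into a set of (direction, protocol, port) tuples."""
    allowed = set()
    for port, protos, direction in rows:
        lo, hi = port if isinstance(port, tuple) else (port, port)
        ports = [None] if lo is None else range(lo, hi + 1)
        for d in ("in", "out") if direction == "both" else (direction,):
            allowed |= {(d, proto, p) for proto in protos.split() for p in ports}
    return allowed

def accepted(ruleset, iface):
    """Collect what ACCEPT rules on one interface allow (assumes one value per option)."""
    found = set()
    for line in ruleset.splitlines():
        tok = line.split()
        opt = dict(zip(tok[2::2], tok[3::2]))  # option -> value pairs after the chain
        if tok[:1] != ["-A"] or opt.get("-j") != "ACCEPT" or opt.get("-i", opt.get("-o")) != iface:
            continue
        direction = "in" if tok[1] == "INPUT" else "out"
        if opt.get("-p") == "icmp":
            kind = opt.get("--icmp-type", "any")
            found.add((direction, "icmp", None if kind in ("8", "echo-request") else kind))
        else:  # a rule without --dport opens every port
            lo, _, hi = opt.get("--dport", "0:65535").partition(":")
            found |= {(direction, opt.get("-p"), p) for p in range(int(lo), int(hi or lo) + 1)}
    return found

def audit(ruleset, iface, rows):
    """Return (extra, missing) relative to the Appendix B table for that network."""
    expected, got = expand(rows), accepted(ruleset, iface)
    return sorted(got - expected, key=str), sorted(expected - got, key=str)

# Constructed ruleset; xenbr1 as the storage interface is an assumption.
SAMPLE = """\
-A INPUT -i xenbr1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o xenbr1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o xenbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o xenbr1 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o xenbr1 -p tcp -m tcp --dport 111 -j ACCEPT
-A OUTPUT -o xenbr1 -p udp -m udp --dport 111 -j ACCEPT
-A OUTPUT -o xenbr1 -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -o xenbr1 -p udp -m udp --dport 2049 -j ACCEPT
-A OUTPUT -o xenbr1 -p tcp -m tcp --dport 26345:26348 -j ACCEPT
-A OUTPUT -o xenbr1 -p udp -m udp --dport 26345:26347 -j ACCEPT
-A INPUT -i xenbr1 -p tcp -m tcp --dport 2049 -j ACCEPT
"""
```

Calling audit(SAMPLE, "xenbr1", STORAGE) flags the inbound NFS rule as extra and the uncovered udp port 26348 as missing; the B.1 Management Network table can be encoded as rows in the same way.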
