Cybersecurity Suite. HFCS 2101 (January 2021) Communication Server (CommServer) Installation Guide. CS-HFCSE503en-2101A.


Cybersecurity Suite

HFCS 2101 (January 2021)


Disclaimer

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.


Notices

Trademarks

Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.

ControlEdge™ is a trademark of Honeywell International, Inc. OneWireless™ is a trademark of Honeywell International, Inc.

Other trademarks

Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor. The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, or in a file named third_party_licenses on the media containing the product.

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support website at:

http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your feedback to:


problem, contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).

How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.

To report a potential security vulnerability against any Honeywell product, please follow the instructions at:

https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

Send an email to [email protected], or

Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this document.

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website,

https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see


About this Guide

This guide provides instructions for installing the Communication Server.

Scope

This guide describes how to administer and configure the Communication Server.

Intended audience

This guide is primarily intended for field personnel who install, configure, troubleshoot, and uninstall the Communication Server.

Prerequisite skills

This guide assumes basic knowledge of the Cybersecurity Suite 2101 modules relevant to the Security Center, the VSE, or both, depending on your specific role.

Conventions used in this guide

This guide uses the following conventions:

● v<m.n>
  Indicates the software version, with the following variables:
  ■ v – a constant that stands for version
  ■ m – a variable that indicates a major version number
  ■ n – a variable that indicates a minor version number
  For example: v4.3

● %<directory>%


Related documents

The following list identifies publications that may contain information relevant to the information in this document.

Document Name | Document Number
Cybersecurity Suite 2101 - Security Center Getting Started Guide | CS-HFCS-400en-2101
Cybersecurity Suite 2101 - Virtual Security Engine User Guide | CS-HFCS-601en-2101A
Cybersecurity Suite 2101 - VSE Risk Monitoring Administration Guide | CS-HFCS-702en-2101A
Performance Analyzer Installation and Configuration Guide | PZDOC-X578-en-150

Revision history

Revision | Supported Release | Date | Description
C | 2101 | January 2021 | This software is an upgrade-only release from release 1911
B | 1911 | November 2019 | This software is an upgrade-only release from release 1909
A | 1909 | September 2019 | First release of product under the Honeywell Forge Cybersecurity brand
B | 510.2 | September 2019 | This version offers both an upgrade from Release 510.1 and a clean installation
A | 510.1 | August 2019 | This software is an upgrade-only release from release 501.1


Contents

1 Security Considerations
  1.1 Physical security
  1.2 Secured zone
  1.3 Limiting access
    1.3.1 At the Communication Server level
    1.3.2 At the directory or file level
    1.3.3 Ports used by the application
  1.4 Authorization measures
  1.5 Encryption and validation
2 Terms and Definitions
3 Preparing for the Installation
  3.1 Installation Package
  3.2 System requirements
    3.2.1 Hardware requirements
    3.2.2 Software requirements
    3.2.3 Before you begin
4 Installing/Upgrading Communication Server
  4.3 Post-upgrade configuration
5 Post-install Configuration
  5.1 Adding TCP connectors
  5.2 Configuring TLS protocols and ciphers
  5.3 Configuring Client Authentication
    5.3.1 Setting Client Authentication on HTTPS (polling) connection mode
    5.3.2 Setting Client Authentication on TCP (continuous) connection mode
    5.3.3 Enabling RAG to support Client Authentication when connecting to the RAB
    5.3.4 Setting key pair rotation and grace period for Client Authentication
  5.4 Configuring permitted Security Center IP addresses
  5.5 Enabling Polling Connection and GARD
    5.5.1 Enabling Polling Connection
    5.5.2 Enabling GARD
6 Working with GARD
  6.1 Updating GARD connector properties file
  6.2 Debugging issues with the Forge interface to GARD
7 Communication Server Uninstall/Rollback
  7.1 Uninstalling Communication Server
  7.2 Rolling back Communication Server
Appendix A: Server Certificate
  A.1 Creating and sending requests
  A.2 Using the certificate

1 Security Considerations

This chapter outlines the security measures for the Communication Server.

1.1 Physical security

Caution: HFCS-Communication Server is a mission-critical component. Take all necessary physical security measures to prevent attacks or disasters.

Ensure that the server where the product is installed is located in an approved physically secure location that is accessible only to authorized personnel.

1.2 Secured zone

Communication Server contains sensitive information, the loss of which could have severe consequences. Therefore, there is a need to protect the sensitive information and prevent attacks against the product. To do that, the Communication Server software, as well as its related extensions, must be installed in an internally secured zone with strict access control lists and appropriate firewall/routing rules.

Ensure that Communication Server is installed in a directory that is only accessible to authorized personnel responsible for the product.

In addition, you must take the following precautions:

● Use a next-generation firewall to limit access to the Communication Server to only specific IP addresses (such as the IP address of each VSE), and only through port 443.

● Enable Intrusion/Threat Prevention on this firewall and update the threat signatures at least once a month.


● Ensure that all access to the Communication Server, as well as all other Security Center Components, is protected by this or another, similar firewall.

● Ensure that the Security Center network is only accessible by trusted, authorized personnel and devices.

Caution: If Communication Server is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the Communication Server level

Access to the Communication Server must be restricted through appropriate firewall rules, by whitelisting VSE and Security Center IP addresses.

You are strongly advised to use Client Authentication for Communication Server connections. For additional details, see section Configuring Client Authentication.

1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need to know and least privilege: only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions allowing them to perform their jobs.


Use the built-in file access audit logging on the OS to monitor unauthorized changes to sensitive files.

1.3.3 Ports used by the application

By default, Communication Server only uses port 443, an inbound port used for Web UI.

Note: You can configure a different port per site specification.

1.4 Authorization measures

You are strongly advised to implement the following security measures:

● Change the default administrative password and delete/disable the default service accounts as soon as new administrative accounts are created.
● Disable any default Administrator/Root user on the computer.
● Disable any default Guest user on the computer.
● Disable any unauthenticated access to the computer via shared directories etc.
● Ensure that the OS is up to date with the latest security patches provided by the OS vendor.

1.5 Encryption and validation

All cryptographic keys generated for the encrypted communication must follow the current industry standards, including key size, encryption suites, certificate swapping and so on.

Caution: You are strongly recommended to use a valid certificate issued by a trusted Certificate Authority (CA), either the organization’s internal CA or an external CA.

2 Terms and Definitions

Note: The terms and definitions are listed in alphabetical order.

C

Communication Server (CS)
The Communication Server provides secure communication between the Security Center and the VSEs and, optionally, between the VSEs themselves.

compliance
Whether the asset meets the organization policy.

K

Keystore
A repository of cryptographic keys including private keys necessary for secure communication.

R

Remote Access Bridge (RAB)
A Cybersecurity Suite component installed externally to the Security Center, which enables secure remote access between the Security Center and the VSE.

Remote Access Gateway (RAG)
The Remote Access Gateway is part of the Cybersecurity Suite remote access solution. When initiated, the Remote Access Gateway automatically pulls the connection details from the database. For each request to access a remote site, the Remote Access Gateway establishes a secure connection to the Remote Access Bridge to enable a secure communication tunnel.

S

Security Center (SC)
A Cybersecurity Suite component that is installed at the corporate data center. The Security Center is composed of various software components, which enable it to remotely collect, analyze, view, manage, and store data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE’s sites.

site
A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE.

T

toolkit
A single utility program, a set of software routines or a complete integrated set of software utilities that are used to develop and maintain applications.

Truststore
A repository of cryptographic keys including public trusted certificates necessary for secure communication.

V

Virtual Security Engine (VSE)
The Cybersecurity Suite component that is installed at the remote site, monitors the assets at the site, and provides additional functionalities such as remote access.

3 Preparing for the Installation

3.1 Installation Package

The Communication Server installation package includes the Communication Server application installer.

3.2 System requirements

Note: The system requirements set out in this section should be understood as general guidelines. Each Cybersecurity Suite product is essentially a unique solution, specific to the client’s hardware and performance requirements.

3.2.1 Hardware requirements

Minimum hardware configuration:
■ CPU: 3.0 GHz
■ RAM: 4 GB
■ Storage: Internal disk for application and database
■ Minimum amount of storage: 100 GB

Recommended hardware configuration:
■ CPU: 3.0 GHz (or greater), 4 processors
■ RAM: 8 GB or more
■ Storage: Internal disk 500 GB

3.2.2 Software requirements

● Operating systems
  ■ Windows 2012 R2 Server
  ■ Windows 2016 (64-bit)
  ■ Windows 2019 (64-bit)

● Communication Server installation is only supported if installed on physical drives or partitioned drives. Logical drives (subst) are not supported.

● You are also advised to have the installation follow standard IT guidelines, including virus protection, firewall and so on.

3.2.3 Before you begin

Before you begin the installation process, you should have the following:

● Communication Server installation package.
● <keystore file>. For instructions how to create a new .keystore file, see Appendix A: Server Certificate.

● Security Center ID

Note: Security Center ID is required for receiving public key certificates from the Security Center. For any questions, contact Support.

4 Installing/Upgrading Communication Server

● If you upgrade Communication Server from a previous version, follow the instructions provided in section Upgrading Communication Server.
● If you install Communication Server on a clean machine, follow the instructions provided in section Installing Communication Server.

4.1 Upgrading Communication Server

Note: This document does not cover upgrade from any version older than 4.8.

To upgrade the Communication Server:

1. Open Windows Services and stop the Communication Server service.
2. Create a backup directory (e.g. C:\Program Files\NextNine\backup).
3. Back up the following files/folders to the backup directory:
   ■ <Communication Server installation directory>\Tomcat\Security\
   Note: You should use the same .keystore file (that appears under the Tomcat\Security folder) in the new CS installation.
   ■ <Communication Server installation directory>\Tomcat\conf
   ■ <Communication Server installation directory>\Config
   ■ <Communication Server installation directory>\toolkits
4. Uninstall the previous version of Communication Server as described in section Uninstalling Communication Server and Rolling back Communication Server.

5. Delete <Communication Server installation directory> (e.g. C:\Program Files\NextNine\CommunicationServer).

6. Ensure that you change the keystore and truststore passwords if they do not meet the minimum password requirement below. If you have any questions, contact Support.

Note: The new password must meet the minimum password requirements, namely: minimum ten characters, one upper case letter, one lower case letter, and one numeric value.

7. Proceed as instructed in section Installation.

4.2 Installing Communication Server

This section provides the following information with regard to the communication server installation:

● Installation prerequisites
● Installation

4.2.1 Installation prerequisites

Ensure that the Communication Server is not currently installed on the machine.

Attention: You are strongly advised to quit all programs before continuing with this installation.

4.2.2 Installation

To install the Communication Server:

1. If you downloaded the installation package by FTP or any other means, unzip the installation package into its own directory on a local disk.

Note: Installation should be run from the local disk. When run from the network resource, the installation may fail.

2. Double-click install_CommunicationServer_7_0_9.exe to launch the Communication Server InstallAnywhere wizard.

3. Click Next in the Introduction wizard page.

4. Use the License Agreement page to read the license agreement carefully. Select the check box I accept the terms of the License Agreement, and click Next.

5. Use the Choose Install Folder page to either specify a custom installation path or leave the default location, and click Next to proceed.

6. Use the Get Customer Information wizard page to enter the details listed in the figure below and click Install.


Figure 4-1: Installation wizard – Get Customer Information

7. Fill in the requested information.

Note: If you are upgrading Communication Server, select a keystore file that was backed up as instructed in section Upgrading Communication Server. For instructions how to create a new .keystore file, see Appendix A: Server Certificate.

a. To establish secure communication, browse to select the keystore file that was backed up as instructed in step 3 of section Upgrading Communication Server. For instructions how to create a new .keystore file, see Appendix A: Server Certificate.
   If you are upgrading Communication Server, proceed to step b. Otherwise, proceed to step c.

b. Browse to select a truststore file (cacert) from the previous version of Communication Server, to be used for upgrade.

c. Enter the keystore and truststore password. For further details, hover over the field to display a tooltip.


Note: Communication Server can be configured with multiple TCP connectors and possibly with different keystores or truststores. The keystore password should be identical to the password provided when creating the keystore.

d. Set the TCP connection to VSE parameters (host and port).
e. Set the TCP connection to the Security Center parameters (host and port).

f. In the Security Center ID field, enter the ID of the Security Center.

Note: If you defined the same host for two or more connections, ensure that these connections use different ports. InstallAnywhere does not validate address uniqueness; it is your responsibility to define hosts and ports correctly.

8. Review all the details you entered before proceeding.
9. Click Next.

10. In the Pre-Installation Summary screen, click Install to begin installing the software. (Alternatively, click Cancel to exit the installation procedure.)

Communication Server InstallAnywhere wizard begins installing the software. The Installing Communication Server screen appears, showing Communication Server installation progress. When the installation is complete, the Install Complete window appears.

11. Click Done.


Note: Check the Communication Server service in Windows services to verify the service is running successfully.

Note: If you are upgrading Communication Server, you have to perform additional steps. For details, see section Post-upgrade configuration.

4.3 Post-upgrade configuration

To configure the Communication Server after the installation of the upgraded version:

1. Stop the Communication Server service.

2. Compare the server.xml file between the backup and the new (Ciphers, SSL-enabled protocols).

3. Compare and change the new CS parameters with the ones that appear in the backed-up Config folder and …\Tomcat\conf folder.
4. Copy the toolkits folder from the backup to the new folder.
5. Start the Communication Server service (Communication Server).

Note: If for some reason the upgrade process failed, or you want to return to the previous version of Communication Server, follow the section Rolling back Communication Server.

5 Post-install Configuration

The instructions below are optional and should be applied according to customer requests.

5.1 Adding TCP connectors

TCP Configuration file is available under <Communication Server installation directory>\Config\tcp.properties.

By default, two connectors are defined. You can configure as many connectors as you like, as long as the numbering starts at zero and counts up without gaps.

Note: The examples below are color-coded to reflect different connector types.

For example:

    incoming-dir=E:\\CommunicationServer\\incoming\\
    dispatcher-wait-time-sec=30
    tcp-idle-both-sec=3600
    close-on-deactivation=true
    executor-min-threads=1
    executor-max-threads=10
    executor-thread-keep-alive-ms=60000
    proceed-on-unknown-file=true

    # connectors starts from 0 and counting
    connector.0.host=xx.xx.xx.xx
    connector.0.port=xxx
    #connector.0.processor-count=3
    connector.0.ssl-enabled=true
    connector.0.ssl-client-authentication=false
    connector.0.ssl-keystore=E:\\CommunicationServer\\Tomcat\\Security\\.keystore
    connector.0.ssl-truststore=E:\\CommunicationServer\\Tomcat\\Security\\cacerts
    connector.0.debug=false
    # A comma delimited list of the required secured protocols: TLSv1.2
    connector.0.ssl-protocols=TLSv1.2

    connector.1.debug=false
    # A comma delimited list of the required secured protocols: TLSv1.2
    connector.1.ssl-protocols=TLSv1.2
    # A comma delimited list of the required secured cipher suites
    connector.1.ssl-cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

5.2 Configuring TLS protocols and ciphers

Starting from version HFCS 2101, the default communication protocol for Cybersecurity Suite is TLSv1.2 with industry-accepted strong cipher suites. You are strongly recommended to use these default settings for optimal communication security.

Installations of older HFCS components, such as the VSE, may not support TLSv1.2 with strong cipher suites or may not support TLSv1.2 at all. While in such scenarios you can keep communication up and running by downgrading communication protocol to TLSv1.2 with any cipher suites or to TLSv1.1, we strongly recommend that you upgrade your VSE and your Security Center so as to benefit from TLSv1.2.


Note: The cipher suites must match the TLS protocol that is being used. The default cipher suites provided for TLSv1.2 must be modified if you would like to downgrade to a lower version such as TLSv1.1.

If you choose, you can configure the Communication Server to comply with your current company policy, for example, by using different cipher suites or additional ones and/or a different TLS version.

Communication with the Communication Server can either be by HTTPS (polling) or by TCP (continuous) connection modes.

The following procedure specifies how to change the TLS version and the cipher suites used by the Communication Server during communication with the VSE and Security Center.

To change the default TLS configuration in HTTPS:

1. Go to path CommunicatorServer_<version>\Tomcat\conf\server.xml.
2. Edit the server.xml file.
3. Go to the HTTPS Connector section.
4. Under the Connector tag, change the value of the parameter sslEnabledProtocols from the default value TLSv1.2 to the requested protocol(s); for example: "TLSv1.1+TLSv1.2"

5. If you wish to change the cipher suites using your TLS connection, modify the cipher fields as in the example below.

    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" ></Connector>

To change the default TLS configuration in TCP:

1. Go to path CommunicatorServer_<version>\config\tcp.properties.
2. Edit the tcp.properties file.

3. For every TCP connector you would like to modify, go to connector.<connector_number>.ssl-protocols.

4. Change the value to the requested TLS protocol. For example: "TLSv1.1+TLSv1.2"

5. If you wish to change the cipher suites using your TLS connection, modify the cipher fields as in the example below.

connector.0.ssl-protocols="TLSv1.1, TLSv1.2"

5.3 Configuring Client Authentication

This section provides instructions for configuring Tomcat to use Client Authentication, an optional procedure that can be performed in any of the modes described in the following sections:

● Setting Client Authentication on HTTPS (polling) connection mode
● Setting Client Authentication on TCP (continuous) connection mode
● Enabling RAG to support Client Authentication when connecting to the RAB
● Setting key pair rotation and grace period for Client Authentication

5.3.1 Setting Client Authentication on HTTPS (polling) connection mode

To set Client Authentication on HTTPS (polling) connection mode:

1. Stop the Communication Server service.
2. Go to: C:\Program Files\NextNine\CommunicationServer\Tomcat\conf\server.xml
3. Search for the HTTPS connector:

    <Connector protocol="com.honeywell.Http11NioCustomProtocol" port="443"

4. Set the value of the attribute clientAuth to true.

Note: If GARD is enabled, you need to add a connector that has no client authentication. To do that, proceed to steps 5 and 6. If GARD is not enabled, skip to step 7.

5. Copy the settings of this HTTPS connector and add it right below.
6. In the newly added connector settings, modify the value of the attribute clientAuth to false and provide a new port number.

Attention: The port number assigned to the GARD connector should be identical to the one used in the Security Center's GARD port settings.

7. Save and close the file.
8. Go to: C:\Program Files\NextNine\CommunicationServer\config\coms.properties
9. Remove the comment from the following row:

    truststore-refresh-delay-in-min=30

10. Save and close the file.
11. Start the Communication Server service.

5.3.2 Setting Client Authentication on TCP (continuous) connection mode

To set Client Authentication on TCP (continuous) connection mode:

1. Go to: C:\Program Files\NextNine\CommunicationServer\config\.
2. Open the tcp.properties file.
3. Find the connector that represents the connection between the VSE and the CS.
4. Set the value of the ssl-client-authentication parameter to true.
5. Save and close the file.
6. Go to: C:\Program Files\NextNine\CommunicationServer\config\coms.properties.
7. Remove the comment from the following row:

    truststore-refresh-delay-in-min=30

8. Save and close the file.
9. Start the Communication Server service.
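The audit below is an added example, not a Honeywell tool or part of the product: it parses the connector.N.* keys of a tcp.properties file in the layout shown in section 5.1 and reports every TCP connector that deviates from the settings recommended in section 5.2 (TLSv1.2 only, with the default cipher suite set) and section 5.3.2 (ssl-client-authentication=true), plus host/port pairs shared by two connectors (see the note in section 4.2.2). The sample file is constructed; the HTTPS connector in server.xml is not covered.

```python
"""Audit connector.N.* entries in a Communication Server tcp.properties file.

Added example, not part of the product. Key names follow section 5.1 of the
guide; the expected values follow sections 5.2 and 5.3.2.
"""
import re
from typing import Dict, List

# Default TLSv1.2 cipher suites listed for connector.1 in section 5.1.
DEFAULT_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
}
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: connector.0 follows the recommended settings, connector.1
# is a downgraded, unauthenticated connector that reuses the same host/port.
SAMPLE_TCP_PROPERTIES = """\
# connectors starts from 0 and counting
connector.0.host=10.0.0.5
connector.0.port=9443
connector.0.ssl-enabled=true
connector.0.ssl-client-authentication=true
connector.0.ssl-protocols=TLSv1.2
connector.0.ssl-cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
connector.1.host=10.0.0.5
connector.1.port=9443
connector.1.ssl-enabled=true
connector.1.ssl-client-authentication=false
connector.1.ssl-protocols="TLSv1.1, TLSv1.2"
connector.1.ssl-cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

_KEY = re.compile(r"connector\.(\d+)\.(.+)")


def parse_connectors(text: str) -> Dict[int, Dict[str, str]]:
    """Group connector.N.<setting>=<value> lines by connector number N."""
    connectors: Dict[int, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting such as #connector.0.processor-count=3
        key, _, value = line.partition("=")
        match = _KEY.fullmatch(key.strip())
        if match:
            connectors.setdefault(int(match.group(1)), {})[match.group(2)] = value.strip()
    return connectors


def split_list(value: str) -> List[str]:
    """Split a quoted or unquoted list such as "TLSv1.1, TLSv1.2" or TLSv1.1+TLSv1.2."""
    return [item.strip() for item in re.split(r"[,+]", value.strip().strip('"')) if item.strip()]


def audit(text: str) -> List[str]:
    """Return one finding per deviation from the guide's recommended settings."""
    findings: List[str] = []
    connectors = parse_connectors(text)
    if connectors and sorted(connectors) != list(range(len(connectors))):
        findings.append("connector numbering must start at 0 and be contiguous")
    seen_endpoints: Dict[tuple, int] = {}
    for number, settings in sorted(connectors.items()):
        tag = f"connector.{number}"
        if settings.get("ssl-enabled", "").lower() != "true":
            findings.append(f"{tag}: ssl-enabled is not true")
        if settings.get("ssl-client-authentication", "").lower() != "true":
            findings.append(f"{tag}: ssl-client-authentication is not true (section 5.3.2)")
        protocols = split_list(settings.get("ssl-protocols", ""))
        downgraded = [p for p in protocols if p not in ACCEPTED_PROTOCOLS]
        if not protocols or downgraded:
            findings.append(f"{tag}: ssl-protocols allows {downgraded or 'nothing explicit'}; expected TLSv1.2")
        # An absent ssl-cipherSuites key leaves the server default in place, so only overrides are checked.
        suites = split_list(settings.get("ssl-cipherSuites", ""))
        unexpected = [s for s in suites if s not in DEFAULT_SUITES]
        if unexpected:
            findings.append(f"{tag}: cipher suites outside the HFCS 2101 default set: {unexpected}")
        endpoint = (settings.get("host"), settings.get("port"))
        if endpoint in seen_endpoints:
            findings.append(f"{tag}: host/port {endpoint} duplicates connector.{seen_endpoints[endpoint]}")
        seen_endpoints.setdefault(endpoint, number)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TCP_PROPERTIES):
        print(finding)
```

Running the block against a real file means reading <Communication Server installation directory>\Config\tcp.properties into `audit()`; an empty result means every connector matches the recommended settings.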

5.3.3 Enabling RAG to support Client Authentication when connecting to the RAB

To enable Remote Access Gateway to support Client Authentication when connecting to the Bridge, the RAG's public certificate must be manually imported to the Communication Server. For more information, see the Remote Access Gateway Installation Guide, section Importing the RAG certificate to the Communication Server.

The RAG certificate will only be available upon completion of the RAG installation.

5.3.4 Setting key pair rotation and grace period for Client Authentication

Note: Ensure that you have installed the most recent version of Secure Connect. For instructions, see section Installing and Upgrading Secure Connect in the Security Center Getting Started Guide.

This section provides instructions for modifying the following parameters for the key pair, which is used for creating a secure tunnel between the remote access utility Secure Connect and the Remote Access Bridge:

● Key pair rotation period
  The maximum time for retention of the key pair before it is replaced; by default, 24 hours.
● Key pair grace period
  The period in which the previous key pair can still be used even though the rotation has already begun. If a key rotation occurs while Secure Connect is communicating, the grace period allows the communication to continue with the previous key pair before it becomes obsolete. By default, the grace period is set to five minutes.

To modify these default values:

1. Open the registry editor and navigate to the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NextNine\VendorServer\Communicator
2. For the key pair rotation period:
   ■ If the parameter RAKRotationPeriodHours does not exist, create this parameter and assign it the requested value.
   ■ If the parameter exists, change its value as needed.
3. For the grace period:
   ■ If the parameter RAKGracePeriodMinutes does not exist, create this parameter and assign it the requested value.
   ■ If the parameter exists, change its value as needed.

5.4 Configuring permitted Security Center IP addresses

This section provides instructions for configuring permitted Security Center IP addresses in the Communication Server, an action that increases security by limiting access to only white-listed IP addresses. We strongly recommend this procedure to restrict certain operations only to the Security Center IP address.

1. Stop the Communication Server service.
2. Go to: <Communication Server installation directory>\CommunicationServer\config\security.properties
3. Update the “allowed.ips” parameter with the IP address of the Security Center in the following format:

    allowed.ips=plain:xx.xx.xx.xx

   For example: allowed.ips=plain:10.10.10.10


Note: If there are multiple IP addresses assigned to a Security Center, they can be updated to the allowed.ips address parameter separated by a “,” (comma).

4. Save and close the file.

5. Start the Communication Server service.

Note: The values provided for “allowed.ips” will be encrypted after starting the Communication Server.
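As an added example (not a Honeywell tool), the block below reads the allowed.ips line in the plain:<ip>[,<ip>...] format from section 5.4, validates each entry as a single address, drops duplicates and re-renders the line; a value without the plain: prefix is treated as one the server has already encrypted on start-up and is left alone. The security.properties sample is constructed, and the rejection rules for loopback, unspecified and multicast addresses are an assumption about what can never be a Security Center address.

```python
"""Check the allowed.ips setting of a Communication Server security.properties file.

Added example following the format in section 5.4; not part of the product.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: two valid Security Center addresses and one typo.
SAMPLE_SECURITY_PROPERTIES = """\
# security.properties (constructed sample)
allowed.ips=plain:10.10.10.10, 10.10.10.11,10.10.10.300
"""


def read_allowed_ips(text: str) -> Tuple[str, List[str]]:
    """Return (state, items) where state is 'plain', 'encrypted' or 'missing'.

    A value without the plain: prefix is assumed to be one the server already
    encrypted on start-up (section 5.4 note) and is returned untouched.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "allowed.ips":
            value = value.strip()
            if value.startswith("plain:"):
                items = value[len("plain:"):].split(",")
                return "plain", [item.strip() for item in items if item.strip()]
            return "encrypted", [value]
    return "missing", []


def validate_ips(items: List[str]) -> Tuple[List[str], List[str]]:
    """Split items into (accepted, rejected); each rejected entry carries its reason."""
    accepted: List[str] = []
    rejected: List[str] = []
    for item in items:
        try:
            addr = ipaddress.ip_address(item)  # rejects CIDR ranges, hostnames and wildcards
        except ValueError:
            rejected.append(f"{item}: not a single IP address")
            continue
        # Assumption: these address classes can never identify a Security Center.
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            rejected.append(f"{item}: cannot be a Security Center address")
            continue
        if str(addr) not in accepted:  # drop duplicates, keep order
            accepted.append(str(addr))
    return accepted, rejected


def build_allowed_ips_line(accepted: List[str]) -> str:
    """Render the line in the comma-separated format the guide specifies."""
    return "allowed.ips=plain:" + ",".join(accepted)


if __name__ == "__main__":
    state, items = read_allowed_ips(SAMPLE_SECURITY_PROPERTIES)
    if state == "plain":
        good, bad = validate_ips(items)
        for reason in bad:
            print("rejected:", reason)
        print(build_allowed_ips_line(good))
    else:
        print("allowed.ips is", state)
```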

5.5 Enabling Polling Connection and GARD

This section provides instructions for configuring the Communication Server to enable polling connection mode or GARD, as described in the following sections:

● Enabling Polling Connection
● Enabling GARD

5.5.1 Enabling Polling Connection

To enable polling connection mode:

1. Stop the Communication Server service.
2. Go to <Communication Server installation directory>\Tomcat\conf\server.xml
3. Search for the HTTPS connector:

    Connector protocol="com.honeywell.Http11NioCustomProtocol"

4. Set the value of the attribute address to the HTTPS address provided during the installation.
5. Set the value of the attribute port to the HTTPS port provided during the installation.

7. Go to <Communication Server installation directory>\Tomcat\webapps\ROOT\WEB-INF\web.xml.
8. Enable all the <servlet> and <servlet-mapping> entries listed below this line by uncommenting:

    <!-- Uncomment the below servlets and servlet-mappings to use Polling connection-->

9. Save and close the file.

10. Start the Communication Server service.

5.5.2 Enabling GARD

To enable GARD:

1. Stop the Communication Server service. 2. Go to <Communication Server installation

directory>\Tomcat\conf\server.xml 3. Search for the HTTPS connector:

Connector

protocol="com.honeywell.Http11NioCustomProtocol" 4. Set the value of the attribute address to the HTTPS address

provided during the installation.

5. Set the value of the attribute port to the HTTPS port provided during the installation.

6. Save and close the file.

7. Go to <Communication Server installation directory>\Tomcat\webapps\ROOT\WEB-INF\web.xml.

8. Uncomment the <servlet> and <servlet-mapping> entries listed right below the following line:

<!-- Uncomment the below servlets and servlet-mappings to enable GARD Check-->

9. Save and close the file.


10. Start the Communication Server service.
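Steps 3 to 5 of both procedures above (5.5.1 and 5.5.2) edit the same HTTPS connector in server.xml. The following Python helper is an added example, not part of this guide or the product: it locates the Connector whose protocol is com.honeywell.Http11NioCustomProtocol in a constructed server.xml fragment, sets its address and port, refuses malformed values, and leaves every other connector untouched. The fragment shape is an assumption; only the protocol attribute value comes from the guide.

```python
import ipaddress
import re

HONEYWELL_PROTOCOL = "com.honeywell.Http11NioCustomProtocol"

# Constructed fragment in the shape of Tomcat's server.xml (not the product's real file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector address="0.0.0.0" port="8443"
               protocol="com.honeywell.Http11NioCustomProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""

# Matches one whole <Connector ...> or <Connector .../> start tag, across line breaks.
_CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")


def _set_attr(tag: str, name: str, value: str) -> str:
    """Replace attribute `name` in a single start tag, or append it when absent."""
    attr_re = re.compile(r'\b%s="[^"]*"' % name)
    if attr_re.search(tag):
        return attr_re.sub('%s="%s"' % (name, value), tag, count=1)
    return re.sub(r"\s*/?>$", lambda m: ' %s="%s"' % (name, value) + m.group(0), tag, count=1)


def set_https_connector(server_xml: str, address: str, port: int) -> str:
    """Return server_xml with address and port set on the Honeywell HTTPS connector.
    Raises ValueError for a malformed address, an out-of-range port, or when the
    connector is missing or appears more than once."""
    ipaddress.ip_address(address)  # raises ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    hits = 0

    def patch(match):
        nonlocal hits
        tag = match.group(0)
        if 'protocol="%s"' % HONEYWELL_PROTOCOL not in tag:
            return tag  # leave every other connector untouched
        hits += 1
        return _set_attr(_set_attr(tag, "address", address), "port", str(port))

    result = _CONNECTOR_RE.sub(patch, server_xml)
    if hits != 1:
        raise ValueError("expected exactly one %s connector, found %d" % (HONEYWELL_PROTOCOL, hits))
    return result


def https_connector_attrs(server_xml: str) -> dict:
    """Read back the address and port of the Honeywell HTTPS connector, for verification."""
    for match in _CONNECTOR_RE.finditer(server_xml):
        if 'protocol="%s"' % HONEYWELL_PROTOCOL in match.group(0):
            attrs = dict(re.findall(r'(\w+)="([^"]*)"', match.group(0)))
            return {"address": attrs.get("address"), "port": attrs.get("port")}
    return {}
```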


6

Working with GARD

Honeywell’s Global Analysis, Research, and Defense (GARD) provides solutions for protecting Operational Technology (OT) environments. This is done by leveraging Honeywell’s combination of extensive R&D operations and massive on-site security deployments.

The Forge interface to GARD performs a GARD file hash reputation check on any file sent from the Security Center to a VSE by using the Send File functionality. The results of each GARD file check are logged at the Security Center.

Note: GARD uses hash codes of the files to validate the file reputation. The actual files are not sent to GARD.

Attention: Cybersecurity Suite 2012 provides the initial release of the Forge interface to GARD, which checks individual files before they are sent from Security Center. Later versions will expand coverage to all files transferred within Forge Cyber products.

If a file selected to be sent from Security Center is determined to be malicious by the GARD file check, the user will be notified and can choose whether to send the file or not.

If a user decides to send a malicious file despite the warning, that file will be quarantined before it is sent. This is done by zipping the file with a common password and bundling a Readme file that explains how to recover the quarantined file at the destination. This process ensures the user at the VSE that receives such a file is forewarned about a possible threat.

To enable the Forge interface with GARD, the site's Communication Server must be formally registered with GARD by using the procedure described in section 6.1, Updating GARD connector properties file.

Attention: For instructions about enabling GARD in Communication Server, see section 5.5.2, Enabling GARD.

6.1

Updating GARD connector properties file

To update the GARD connector properties file:

1. Have the site administrator send an email message with the device name, or any other unique identifier of the device, to the GARD administrator [email protected].

The GARD team creates a device and provides a unique identifier, a SerialNum, to complete enrollment; for example:

SERIALeb53ec9d-6ae4-4035-9de8-96c14b726c96

2. Enter this unique identifier in the Communication Server configuration file, to enable the Forge interface to GARD from that Communication Server.

Caution: The serial number's unique identifier must be protected and not shared with any other devices or sites.

To configure the GARD Connector details on the Communication Server:

a. Stop the Communication Server service.

b. Open the GARD connector properties file from the following location:

<comm server install location>/config/gard-connector.properties

c. Go to the gard.serial.num entry in the gard-connector.properties file.

d. Insert the serial number obtained from the GARD team.


f. Replace the existing URL with the URL obtained from the GARD team.

g. Start the Communication Server service.

6.2

Debugging issues with the Forge interface to GARD

Status messages and errors are logged in the Communication Server log, at the following location:

C:\Program Files\NextNine\CommunicationServer\logs\comm-server.log

The level of logging is determined by the configuration file at the following location:

C:\Program Files\NextNine\CommunicationServer\config\log4j2.xml

Attention: Setting the logging level to Info results in the full status details of each GARD check being logged in the comm-server.log file. This leads to more details being continuously logged, which can eventually adversely affect performance on a heavily used Communication Server.

7

Communication Server Uninstall/Rollback

If you only want to uninstall Communication Server, follow the steps described in section 7.1, Uninstalling Communication Server.

If you are going to downgrade Communication Server to the previous version, follow the steps described in section 7.2, Rolling back Communication Server.

7.1

Uninstalling Communication Server

To uninstall Communication Server:

1. In Windows Explorer, open the directory <path of CS installation>\CommunicationServer\CommunicationServerSupport\InstallInfo\7.0.9.1\Uninstall_CommunicationServer.

2. Run Uninstall CommunicationServer.exe to launch the Uninstall Communication Server InstallAnywhere wizard.

3. Click Uninstall.

The uninstallation progress is displayed until the uninstallation is completed.

4. In the Uninstall Complete screen, click Done.

5. If the Uninstaller does not remove the Communication Server installation directory (for example, C:\Program Files\NextNine\CommunicationServer), delete it manually.

6. Restart the Communication Server.

7.2

Rolling back Communication Server

To downgrade Communication Server to the previous version:

1. Create a backup directory (for example: C:\Program Files\NextNine\backup70).

2. Back up the data directory.

3. Uninstall the Communication Server based on the instructions provided in section 7.1, Uninstalling Communication Server.

4. Install the previous version of the Communication Server.

5. Stop the Communication Server service.

6. Restore all the files, except the Data directory, that were backed up to the backup directory (created as described in step 2 of section Upgrading Communication Server) to their original locations in the new installation.

7. Copy the data directory.

8. Start the Communication Server service.

Appendices

This guide includes the following appendix:

● Server Certificate

Appendix A: Server Certificate

This appendix explains how to create the server certificate.

Note: The instructions provided below are only relevant for a scratch installation. To perform an upgrade, copy the .keystore file (for example, C:\Program Files\NextNine\CommunicationServer\Tomcat\Security\.keystore) from the current version of the Communication Server to the new version.

A.1

Creating and sending requests

This section explains how to create and send certificate requests from any computer on which Java is installed.

Attention: To download and install Java, use either of the links below. It is strongly recommended that you download the most recent stable version. If you have any questions, contact Support.

● https://java.com/en/download/
● https://adoptopenjdk.net/

To create a request for an SSL certificate:

1. Open a command line and change to the directory where Java is installed; for example:

C:\Program Files\Java\<current java version>\bin

2. Create the new KeyStore as shown below.

Note: The keystore password must meet the minimum password requirements, namely: minimum ten characters, one upper case letter, one lower case letter, and one numeric value.

<java home>\bin>keytool -genkey -alias tomcat -keyalg RSA -keystore <Communication Server Installation directory>\Tomcat\Security\.keystore -storepass <pass>

For example: C:\Program Files\NextNine\CommunicationServer\Java\AdoptOpenJDK_FULL_11.0.1_13\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore E:\CommunicationServer\Tomcat\Security\.keystore -storepass <pass>

3. When prompted for your first and last name (common name), enter the Communication Server IP Address:

What is your first and last name?

[Unknown]: xxx.xxx.xxx.xxx (the Communication Server IP address; check it with ping)

4. When prompted for the following information, enter the client’s details:

■ Organizational unit
■ Organization
■ City or locality
■ State or province
■ Two-letter country code

5. Confirm the operation by entering yes.

6. If prompted to provide a password, use the predefined password by pressing Enter.

7. Create the certificate request by running the command below.

<java home>\bin>keytool -certreq -alias tomcat -keystore "<Communication Server Installation directory>\Tomcat\Security\.keystore" -storepass <pass>

For example: C:\Program Files\NextNine\CommunicationServer\Java\AdoptOpenJDK_FULL_11.0.1_13\bin\keytool -certreq -alias tomcat -keystore "C:\Program Files\NextNine\CommunicationServer\Tomcat\Security\.keystore" -storepass <pass>

8. Copy the entire section, from ---BEGIN NEW CERTIFICATE REQUEST--- up to ---END NEW CERTIFICATE REQUEST---, to the clipboard.

You can paste this text into a text file to be sent to Support.

9. Send the certificate request file you created to the certificate authority (CA), by using any method you choose.

Note: The certificate request file does not have to be sent securely.

The certificate authority signs the file and sends back a *.p7b file.

A.2

Using the certificate

If you send the SSL certificate to the client, it must be sent securely, by using whatever method you and the Communication Server administrator choose.

A.3

Receiving the certificate file and installing the certificate

To install the certificate on the Communication Server:

1. Place the *.p7b file under any directory.

2. Import the certificate to the keystore:

<java installation directory>\bin>keytool -import -noprompt -alias tomcat -keystore "<path to keystore>\.keystore" -file "<certificate file directory>\<certificate file>.p7b" -keypass <keystorepass> -storepass <keystorepass>

For example:

C:\Program Files\Java\<current java version>\bin>keytool -import -noprompt -alias tomcat -keystore "C:\CommunicationServer\.keystore" -file "C:\CommunicationServer\certnew.p7b" -keypass <keystorepass> -storepass <keystorepass>

The certificate reply is now installed in the keystore.

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX 77042

Honeywell House, Skimped Hill Lane, Bracknell, Berkshire, RG12 1EB
