========================================================================
Support Note: 13
Product: The Operations Pack (TOP)
Version: All versions
Title: Encrypting communications between TOP and MIP
Created: 29 November 2007
Updated: -
Copyright 2007 Gresham Software Labs Pty Ltd

---------------------------------------------
Encrypting Communications Between TOP and MIP
---------------------------------------------

Communications between the TOP client and the MIP process are not encrypted. Encrypting the communications using third party products is simple to do. This support note describes how to set up encryption using various third party products.

Standard Installation
---------------------

Without added encryption, the TOP programs communicate directly with the MIP process on the NonStop, connecting using TCP/IP sockets.

          --------------------->
    TOP                            MIP
          <---------------------

Encrypted Installation
----------------------

All of the encryption solutions described work in the same way. Programs running on the PC and the NonStop act as proxies for TOP and MIP. TCP/IP traffic is re-directed via the proxies, which encrypt/decrypt the data before passing it on to the application.

          -->             -???????????->                 ----->
    TOP         PC proxy                  NonStop proxy           MIP
          <--             <-???????????-                 <-----

Products Described
==================

Software must be installed on both the NonStop server and each client PC. The following combinations are described:

- ComForte SecureCS
- ComForte SWAP Server with the open source Stunnel client
- CAIL SSLProxy on the host with the open source Stunnel client
- XYGATE Secure Client, XYGATE Host Encryption, XYGATE Encrypted FTP
- Open source stunnel on both client and host

Detailed instructions on installation and configuration are provided with the relevant pieces of software. Where this support note provides examples, they are basic and further customisation may be appropriate.
ComForte SecureCS
=================

ComForte SecureCS provides tunneling of client-server traffic over SSL. A server component, known as SWAP (Secure Web and Proxy server), runs on the NonStop server, and a PC hosted component, called Remote Proxy, runs on the client.

The TOP client sends messages to a port on the PC it is running on, where the Remote Proxy program receives them, encrypts them and sends them on to a SWAP process on the NonStop. The SWAP process on the NonStop then decrypts the data and sends it on to the MIP process.

Clearly the Remote Proxy program must know which address to send messages to on the NonStop, and the SWAP process must know how to address messages for the MIP process.

The ComForte SWAP Server Reference Manual describes how to install and configure SWAP. The ComForte Remote Proxy Reference Manual describes how to install and configure the Remote Proxy.

Example
-------

A customer has an existing installation of TOP. The TOP clients connect to the MIP process using IP address 192.168.0.3, port 2345. The corresponding TCP/IP process is $ZB019. The NonStop administrator says the secure port number should be 23450 and the name of the SWAP process should be $SWAPM.

The startup command for SWAP should be:

    run swap/name $swapm/PROXYS; subnet $zb019; port 23450; targetport 2345

On the client PC, the user needs to add a session to the Remote Proxy, with the following settings:

    Protocol:         Generic TCP/IP
    Computer will be: Client
    Sessions started: Automatically
    Target:           192.168.0.3
    Target Port:      23450
    Accepting Port:   2345

When the user runs TOP, they will need to connect to the following port:

    Host: 127.0.0.1
    Port: 2345

Communications are routed as follows:

    TOP Software ->>> 127.0.0.1:2345 (Remote Proxy)
                             |
                             V
                             V
                             V
                             |
                      192.168.0.3:23450 (SWAP) ->>> 192.168.0.3:2345 (MIP)

ComForte SWAP server with Stunnel client
========================================

The stunnel software is open source and is available free of charge from www.stunnel.org.
It can be used in place of the ComForte Remote Proxy if desired to provide client (PC) side SSL functionality. ComForte Secure Web and Proxy server (SWAP) runs on the NonStop server, and provides NonStop server-side SSL functionality.

The TOP client sends messages to a port on the PC it is running on, where the stunnel program receives them, encrypts them and sends them on to a SWAP process on the NonStop. The SWAP process on the NonStop then decrypts the data and sends it on to the MIP process.

The stunnel documentation describes how to install and configure stunnel. Example configurations are available on the stunnel web-site. The ComForte SWAP Server Reference Manual describes how to install and configure SWAP.

Example
-------

A customer has an existing installation of TOP. The TOP clients connect to the MIP process using IP address 192.168.0.3, port 2345. The corresponding TCP/IP process is $ZB019. The NonStop administrator says the secure port number should be 23450 and the name of the SWAP process should be $SWAPM.

The startup command for SWAP should be:

    run swap/name $swapm/PROXYS; subnet $zb019; port 23450; targetport 2345

On the client PC, the user needs to edit the stunnel.conf file and set the following configuration:

    client = yes

    [23450]
    accept = 127.0.0.1:2345
    connect = 192.168.0.3:23450

When the user runs TOP, they will need to connect to the following port:

    Host: 127.0.0.1
    Port: 2345

Communications are routed as follows:

    TOP Software ->>> 127.0.0.1:2345 (stunnel)
                             |
                             V
                             V
                             V
                             |
                      192.168.0.3:23450 (SWAP) ->>> 192.168.0.3:2345 (MIP)

CAIL SSLProxy with Stunnel Client
=================================

The stunnel software is open source and is available free of charge from www.stunnel.org. It can be used in place of the ComForte Remote Proxy if desired to provide client (PC) side SSL functionality. CAIL SSLProxy runs on the NonStop server, and provides NonStop server-side SSL functionality.
The TOP client sends messages to a port on the PC it is running on, where the stunnel program receives them, encrypts them and sends them on to an SSLProxy process on the NonStop. The SSLProxy process on the NonStop then decrypts the data and sends it on to the MIP process.

The stunnel documentation describes how to install and configure stunnel. Example configurations are available on the stunnel web-site. The document "CAIL SSLProxy.doc" describes how to install and configure SSLProxy.

Example
-------

A customer has an existing installation of TOP. The TOP clients connect to the MIP process using IP address 192.168.0.3, port 2345. The corresponding TCP/IP process is $ZB019. The NonStop administrator says the secure port number should be 23450 and the name of the SSLProxy process should be $SSL0.

The startup commands for SSLProxy should be:

    param proxyipaddress 192.168.0.3
    param proxyipport 23450
    param relayipaddress 127.0.0.1
    param relayipport 2345
    assign certificate,$system.sslprxy.testserv
    param passphrase test
    run $system.sslprxy.sslprxy/name $ssl0,nowait,cpu 1/

On the client PC, the user needs to edit the stunnel.conf file and set the following configuration:

    client = yes

    [23450]
    accept = 127.0.0.1:2345
    connect = 192.168.0.3:23450

When the user runs TOP, they will need to connect to the following port:

    Host: 127.0.0.1
    Port: 2345

Communications are routed as follows:

    TOP Software ->>> 127.0.0.1:2345 (stunnel)
                             |
                             V
                             V
                             V
                             |
                      192.168.0.3:23450 (SSLProxy) ->>> 192.168.0.3:2345 (MIP)

XYGATE/HE, XYGATE/EF
====================

1. Follow the instructions provided with XYGATE/HE and XYGATE/EF to install them on each NonStop server to which TOP is connected.

   In this example, an installation of TOP exists. The TOP clients connect to the MIP process using IP address 192.168.0.3, port 2345. The corresponding TCP/IP process is $ZB019.

   The instructions tell you to modify your PORTCONF file:

   o To add an entry for XYGATE/HE, use a host protocol of "TOP".
        23450 $system.xygatehe.xygatehe -p2345 -t$ZB019 -aTOP

     Refer to the MIP README for instructions on installing and starting the MIP.

   o To add an entry for XYGATE/EF, configure XYGATE/EF to listen on the port that is being used for FTP transfers. (This is likely to be port 21 because this is the default port to which the NonStop server FTP client listens). In other words, you should remove the existing FTP entry, which probably looks similar to this:

        ftp $system.ztcpip.ftpserv

     and add an entry for XYGATE/EF similar to this:

        ftp $system.xygateef.xygateef

2. Follow the instructions provided with XYGATE/SC to install it on each workstation where TOP is installed.

3. Run SCMANAGER on each workstation and enable secure communication with XYGATE/HE. For example:

   a. Click XYGATESC Protection Disabled
   b. Click Server/Encryption Settings
   c. Add an entry to the server list, for example:

        Protocol:     TOP
        Host Address: 192.168.0.3
        Port Number:  23450
        Encryption:   DES168,DH1024
        Fixed Key:

   d. Click XYGATESC Protection Enabled

4. Run SCMANAGER on each workstation and enable secure communication with XYGATE/EF. For example:

   a. Click XYGATESC Protection Disabled
   b. Click Server/Encryption Settings
   c. Add an entry to the server list, for example:

        Protocol:     FTP
        Host Address: 192.168.0.3
        Port Number:  21
        Encryption:   DES168,DH1024
        Fixed Key:

   d. Click XYGATESC Protection Enabled

5. Click Close.

Stunnel client and server
=========================

The stunnel software is open source and is available free of charge from www.stunnel.org. It can be used to provide client (PC) side SSL functionality. Stunnel has been ported to OSS on the NonStop - the software can be downloaded from ITUG (http://www.itug.org). The prngd package must also be installed. Running stunnel on the NonStop server provides NonStop server-side SSL functionality.
During the initial configuration, it's often useful to see messages output by stunnel immediately - set the following flags in the stunnel.conf file:

    debug = 7
    foreground = yes

The TOP client sends messages to a port on the PC it is running on, where the stunnel program receives them, encrypts them and sends them on to a stunnel process on the NonStop (in OSS). The stunnel process on the NonStop then decrypts the data and sends it on to the port that the MIP process is listening on.

Example
-------

A customer has an existing installation of TOP. The TOP clients connect to the MIP process using IP address 192.168.0.3, port 2345. The NonStop administrator says the secure port number should be 23450.

The relevant entries in stunnel.conf on the NonStop should be:

    client = no

    [2345]
    accept = 23450
    connect = 2345

On the client PC, the user needs to edit the stunnel.conf file and set the following configuration:

    client = yes

    [23450]
    accept = 127.0.0.1:2345
    connect = 192.168.0.3:23450

When the user runs TOP, they will need to connect to the following port:

    Host: 127.0.0.1
    Port: 2345

Communications are routed as follows:

    TOP Software ->>> 127.0.0.1:2345 (stunnel)
                             |
                             V
                             V
                             V
                             |
                      192.168.0.3:23450 (stunnel) ->>> 192.168.0.3:2345 (MIP)
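The PC-side stunnel.conf is the same in the SWAP, SSLProxy and stunnel-on-OSS sections, so a mismatch between the port the PC connects to and the port the host-side proxy accepts, or a client accept line that binds every interface instead of 127.0.0.1 (which would let other machines use the PC as a plaintext relay into the tunnel), breaks or weakens all three. The check below parses the two stunnel.conf fragments from the example above and reports such pairing problems; it is an added example, not code from this support note, ComForte, CAIL or the stunnel project, and the two configurations and the MIP port are constructed from the note's own example.

```python
# Constructed from the "Stunnel client and server" example in the note.
NONSTOP_CONF = """client = no
[2345]
accept = 23450
connect = 2345
"""
PC_CONF = """client = yes
[23450]
accept = 127.0.0.1:2345
connect = 192.168.0.3:23450
"""
MIP_PORT = 2345  # port the MIP process listens on (from the note)

def parse_stunnel(text):
    """Split stunnel.conf text into global options and per-service options."""
    global_opts, services, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":  # stunnel comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            services[section] = {}
            continue
        key, _, val = line.partition("=")
        (services[section] if section else global_opts)[key.strip()] = val.strip()
    return global_opts, services

def split_hostport(value, default_host):
    # 'host:port' or bare 'port' -> (host, int port); stunnel defaults the host
    host, sep, port = value.rpartition(":")
    return (host if sep else default_host), int(port)

def check_tunnel(pc_conf, nonstop_conf, mip_port):
    """Return the problems found in a PC/NonStop stunnel pairing (empty list if consistent)."""
    problems = []
    pc_globals, pc_services = parse_stunnel(pc_conf)
    ns_globals, ns_services = parse_stunnel(nonstop_conf)
    if pc_globals.get("client") != "yes" or ns_globals.get("client", "no") != "no":
        problems.append("client mode mismatch: PC needs client = yes, NonStop client = no")
    # NonStop services indexed by the port they accept TLS connections on
    ns_by_port = {split_hostport(s["accept"], "0.0.0.0")[1]: s for s in ns_services.values()}
    for name, svc in pc_services.items():
        acc_host, _ = split_hostport(svc["accept"], "0.0.0.0")
        _, con_port = split_hostport(svc["connect"], "127.0.0.1")
        if acc_host != "127.0.0.1":  # anything else relays plaintext TOP traffic from other hosts
            problems.append(f"[{name}] PC accept binds {acc_host}, not loopback")
        if con_port not in ns_by_port:
            problems.append(f"[{name}] PC connects to port {con_port}, which no NonStop service accepts")
        elif split_hostport(ns_by_port[con_port]["connect"], "127.0.0.1")[1] != mip_port:
            problems.append(f"[{name}] NonStop service on {con_port} does not forward to MIP port {mip_port}")
    return problems
```

The same check applies to the SWAP and SSLProxy examples by substituting the host-side accept/forward ports (23450 and 2345) for the NonStop stunnel fragment.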