TufinOS

Details

Category: TufinOS

Last Updated: 31 March 2023

By default, TufinOS is using a self-signed certificate for authenticating the web server running HTTPS. This is true for SecureTrack Server as well as SecureChange Server. Sometimes it's not wanted to get the warnings in the browser, so an official certificate needs to be used.

It's possible to change the certificate the web server uses. In many cases, it's necessary to generate a Certificate Signing Request (CSR) before the certificate signed by a trustworthy Certificate Authority (CA) can be imported.

Generating a CSR

For importing a valid certificate into the web server running on TufinOS, a Certificate Signing Request (CSR) needs to be generated before. This can be done in several ways. In TufinOS the command openssl is used by the user root. If the system doesn't allow using this account, the command can be executed with elevated permissions using sudo (for sure, this also needs to be configured correctly). The next line shows an example for a CSR being created for the host "hostname":

[root]# openssl req -new -nodes -keyout hostname.key -out hostname.csr -newkey rsa:2048 -sha256

The file hostname.key includes the private key which needs to be protected (!). The other file is hostname.csr which needs to be sent to the CA for singing. Before this, some more details need to be provided:

• Country Name (2 letter code) [AU]:
  provide the country code, e.g. DE
• State or Province (full name) [Some-State]:
  provide the state, e.g. Bavaria
• Locality Name (eg, city []:
  provide the name of the city, e.g. Munich
• Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  Provide the name of the company, e.g. AERAsec
• Organization Unit Name (eg, section) []:
  provide the unit, e.g. IT Department
• Common Name (eg, YOUR name) []:
  provide the exact name including Domain that shall be protected by the certificate.
  Important: Only for this name the certificate is valid
• Email Address []:
  provide the E-Mail address of the responsible person

The file hostname.csr is going to be sent to the signing CA.

If you need a certificate for more than one host, this command structure is recommended:

[root]# openssl req -new -sha256 -nodes -out \hostname.csr -newkey rsa:2048 -keyout \hostname.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
 
[ dn ]
C=DE
ST=Bayern
L=Munich
O=AERAsec
OU=IT Department
emailAddress=This email address is being protected from spambots. You need JavaScript enabled to view it.
CN = host1.example.com
 
[ req_ext ]
subjectAltName = @alt_names
 
[ alt_names ]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
EOF
)

Also in this case, the file hostname.csr is going to be sent to the signing CA.

Importing the signed certificate

For a smooth import of a signed certificate (.crt), the use of this certificate should be possible without a password. How to remove it is shown below. Further on, it needs to be guaranteed that external servers are reachable.

To import a certificate, these steps are necessary:

• Copy the certificate file (e.g. hostname.crt) and the matching private key file (e.g. hostname.key) to the server
• Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
  • Search for Server Privte Key and adapt the following line:
    SSLCertificateKeyFile <full path to .key file>
  • Search for Server Certificate and adapt the following line:
    SSLCertificateFile <fill path to .crt file>
  • Save the file
• Restart the web server using the command
  [root]# service httpd restart

Removing a password for certificate use

It's possible and sometimes necessary to remove a password from a certificate, e.g. when it's used by a server. To do so, take these steps:

• Use OpenSSL for generating a new certificate that can be used without password. This is done with the command
  [root]# openssl rsa -in <path to .key file> -out <path to new .key file>
• Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
  • Change the line
    SSLCertificateKeyFile <full path to .key file>
    in
    SSLCertificateKeyFile <full path to new .key file>
  • Save the file
• Restart the web server using the command
  [root]# service httpd restart

Details

Category: TufinOS

Last Updated: 09 January 2017

On March 31, 2017, TufinOS 1.x will reach its End of Live (EOL) as CentOS 5 does. This correlation is there since TufinOS is based on CentOS. After this date, no more patches or even security related patches will be published for TufinOS 1.x. The last versions that will run on TufinOS 1.x are 16-3 and 16-4, respectively.

So it's recommended to upgrade to TufinOS 2.x before EOL of TufinOS 1.x. Tufin describes how to upgrade in their Knowledge Center. Main information given here:

• Upgrade should be possible from TufinOS 1.22 / TOS R13-3 or above
• If the TOS Database is smaller than 20 GB a simple backup from the old system should be made
• There is no way to upgrade from TufinOS 1.x to TufinOS 2.x without a new installation of the system, so a new install of TufinOS 2.x is necessary
• After having the OS installed, the same TOS version as running on the old system needs to be installed (pls. remember, the restore of a backup works only for the same build-number)
• Then, a simple restore of the data is possible
• After having checked that everything works, TOS should be upgraded to the latest version, too

How to find out what is running?

TufinOS: # cat /etc/redhat-release

TOS:      # tos version

Details

Category: TufinOS

Last Updated: 04 November 2016

Tufin has released a Security Announcement regarding "Dirty COW" (CVE-2016-5195)

Background:

A race condition has been found in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.
An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings, and thus increase their privileges on the system.

Vulnerable Systems:

All versions of TufinOS are affected: TufinOS 1.8 - 1.22 as well as 2.00 - 2.12
Installations using Red Hat Enterprise Linux and CentOS are affected also. Please find a patch on the website of the Linux distribution itself.

Remediation:

Tufin will publish a fix for TufinOS 2.12 on November, 2^nd. A fix for TufinOS 1.22 will be published after Red Hat has published a fix for RHEL 5.
If you are not running the latest version of TufinOS, you should upgrade to be able to install the fix.

Update (20161102):

The fix for TufinOS 2.x is included in TufinOS 2.13 which is available since November, 1^st.
A patch for TufinOS 2.12 will be released on November, 6^th. This is relevant if an update to TufinOS 2.13 isn't possilble.

Update (20161104):

The fix for TufinOS 1.x is included in TufinOS 1.23 which is available since November, 4^th. An upgrade to this version is recommended if still TufinOS 1.x is used.
Please be aware that TufinOS 1.x reaches its End of Live (EOL) on March 31^st, 2017 - as CentOS 5 does. After this date, no updates or security patches will be created for TufinOS 1.x, so upgrading to TufinOS 2.x before this date is recommended.

Details

Category: TufinOS

Last Updated: 07 October 2016

Since TufinOS is a Linux working with networks, these settings need to be configured for the management interface. One way to do so is using the "traditional" way by editing files like e.g.

/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth0

etc. This is not always the easiest way, esp. if an administrator isn't too familiar with Linux. An easier way is to use a command of TufinOS:

/usr/local/sbin/config_mgmt_if

Since this directory is mostly in the environment path, the command can be used also as a single command without typing the whole path:

config_mgmt_if

This command asks the administrator for all important settings to configure the management interface of the system, as shown in the example below
(Please use YOUR IP-ADDRESSES ONLY for lab and productive environment). It also restarts the network service so the changes become active.

[root@TufinOS ~]# config_mgmt_if
Please enter the network details for the TOS management interface (eth0).
IP address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.254
IP address for DNS server 1, or press ENTER to continue: 192.168.1.253
IP address for DNS server 2, or press ENTER to continue: 192.168.2.253
IP address for DNS server 3, or press ENTER to continue:
Do you want to configure IPv6 (yes|no)?: no

Network settings for TOS management interface
=============================================

(1) IP address:           192.168.1.1
(2) Netmask:              255.255.255.0
(3) Gateway IP:           192.168.1.254
(4) DNS Servers:          192.168.1.253, 192.168.2.253

To change the settings, enter the item number to change.
Enter c to apply the changes and continue, or enter e to exit
> c
Warning: The current network settings for the eth0 adapter will be overridden.
Are you sure you want to continue (yes|no)?: yes
Configuring eth0 settings...
Restarting network service...
Done.
[root@TufinOS ~]#

 So this command might help to configure the management interface of TufinOS.

Details

Category: TufinOS

Last Updated: 19 May 2016

Problem

On May 3rd, the OpenSSL project team has announced the release of OpenSSL v1.0.2h and 1.0.1t, respectively. This version addresses some vulnerabilities.
One of the most severe is the OpenSSL Memory Corruption Vulnerability (CVE-2016-2108) which  also affects TufinOS (as many other Linux).

Solution

If you run Tufin TOS under Red Hat Enterprise Linux or CentOS, please download updated packages and install them on your system.
Tufin is working on a patch for the OpenSSL Memory Corruption Vulnerability. patches for TufinOS 2.11 and TufinOS 1.22 are scheduled for the week of May 16th. So next week an update will be possible. If you don't run the latest version, an upgrade might be necessary before installing the patch.
Further information will be provided by This email address is being protected from spambots. You need JavaScript enabled to view it.upon request.

19.05.2016 - Update:
The patch for TufinOS 2.11 is available now: https://portal.tufin.com/Doc/Default.aspx?id=1208 (Authentication necessary)
For TufinOS 1.22 the patch will be published after Red Hat has published a patch for RHEL 5.