Tufin.club
Changing the certificate used by Tufin web server

Details
TufinOS
Last Updated: 31 March 2023

By default, TufinOS uses a self-signed certificate for the HTTPS web server. This is true for the SecureTrack Server as well as the SecureChange Server. Browsers cannot verify a self-signed certificate against a trusted CA and therefore show a warning on every visit; besides being annoying, this trains users to click through TLS warnings, so a certificate signed by a CA the clients trust should be used instead.

The certificate the web server uses can be replaced. In most cases a Certificate Signing Request (CSR) has to be generated first, and the certificate signed by a trusted Certificate Authority (CA) is imported afterwards.

 

Generating a CSR

Before a CA-signed certificate can be imported into the web server running on TufinOS, a Certificate Signing Request (CSR) has to be generated. This can be done in several ways; on TufinOS the openssl command is used as the user root. If the system doesn't allow logging in with this account, the command can be run with elevated permissions via sudo (which of course has to be configured accordingly). The following line shows an example of a CSR being created for the host "hostname":

[root]# openssl req -new -nodes -keyout hostname.key -out hostname.csr -newkey rsa:2048 -sha256

The file hostname.key contains the private key, which has to be protected (!): -nodes means the key is written unencrypted, so keep it readable by root only (mode 0600) and never send it anywhere. The other file, hostname.csr, is the request that is sent to the CA for signing. Before both files are written, openssl asks for some more details:

  • Country Name (2 letter code) [AU]:
    provide the country code, e.g. DE
  • State or Province Name (full name) [Some-State]:
    provide the state, e.g. Bavaria
  • Locality Name (eg, city) []:
    provide the name of the city, e.g. Munich
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    provide the name of the company, e.g. AERAsec
  • Organizational Unit Name (eg, section) []:
    provide the unit, e.g. IT Department
  • Common Name (eg, YOUR name) []:
    provide the exact fully qualified host name, including the domain, that the certificate shall protect, i.e. the name users type into the browser.
    Important: The certificate is valid only for this name. Current browsers ignore the Common Name and match the host name against the subjectAltName extension only, so even for a single host it is better to list the name as a SAN, as shown for the multi-host CSR below.
  • Email Address []:
    provide the e-mail address of the responsible person

The file hostname.csr is going to be sent to the signing CA.

If you need one certificate for more than one host name, the names are put into the subjectAltName (SAN) extension of the CSR; this command structure is recommended:

[root]# openssl req -new -sha256 -nodes -out hostname.csr -newkey rsa:2048 -keyout hostname.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=DE
ST=Bayern
L=Munich
O=AERAsec
OU=IT Department
emailAddress=<e-mail address of the responsible person>
CN = host1.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
EOF
)

Also in this case, the file hostname.csr is sent to the signing CA. Note that the <( ... ) process substitution requires bash (the default root shell), and that every name the certificate shall be valid for, including the Common Name itself, must be listed under [ alt_names ], because browsers check the SAN entries only.
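The same multi-host CSR built without bash process substitution, as an added example that is not part of the original page: the config is written to a temporary file, every host name (including the Common Name) ends up under [alt_names], the key is created with restrictive permissions, and the SAN list is checked before the CSR leaves the machine. The host names, the subject fields and the output paths are assumptions; only openssl and a POSIX sh are required.

```shell
#!/bin/sh
# Added example, not from the original page. Requires only openssl and a POSIX sh.

# make_san_csr BASENAME CN [ALT_NAME ...]
# Writes BASENAME.key (unencrypted, mode 0600) and BASENAME.csr carrying a
# DNS SAN entry for the CN and for every additional name.
make_san_csr() {
    base=$1; cn=$2; shift 2
    cfg=$(mktemp) || return 1
    {
        printf '[req]\nprompt = no\ndefault_md = sha256\n'
        printf 'req_extensions = req_ext\ndistinguished_name = dn\n\n'
        # Subject fields are assumed values; adapt them to your organisation.
        printf '[dn]\nC = DE\nST = Bayern\nL = Munich\nO = AERAsec\n'
        printf 'OU = IT Department\nCN = %s\n\n' "$cn"
        printf '[req_ext]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$cn" "$@"; do      # the CN itself must be a SAN as well
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
    # Subshell so the umask does not leak into the caller; -nodes = no passphrase.
    ( umask 077
      openssl req -new -sha256 -nodes -newkey rsa:2048 \
          -keyout "$base.key" -out "$base.csr" -config "$cfg" 2>/dev/null )
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_has_san CSRFILE HOSTNAME -> 0 if HOSTNAME is listed as a DNS SAN entry.
# Dots are escaped and the name must be followed by "," or end of line, so
# "host1.example.co" does not match "host1.example.com".
csr_has_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$pat"'(,|$)'
}

# csr_signature_ok CSRFILE -> 0 if the CSR parses and its self-signature verifies
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone use: ./make_csr.sh hostname host1.example.com host2.example.com
if [ "$#" -ge 2 ]; then
    base=$1
    make_san_csr "$@" || exit 1
    shift
    for n in "$@"; do
        csr_has_san "$base.csr" "$n" && echo "SAN ok: $n"
    done
    csr_signature_ok "$base.csr" && echo "$base.csr is ready to be sent to the CA"
fi
```

The SAN check is the step worth keeping even when the CSR is created by other means: a CA signs exactly what is requested, and a forgotten host name only shows up as a browser warning after the certificate has been paid for and installed.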

 

Importing the signed certificate

For a smooth import of the signed certificate (.crt), the matching private key must be usable without a passphrase; otherwise httpd prompts for it at every start and cannot come up unattended. How to remove the passphrase is shown below. Further on, it needs to be guaranteed that the external servers involved are reachable.

To import a certificate, these steps are necessary:

  • Copy the certificate file (e.g. hostname.crt) and the matching private key file (e.g. hostname.key) to the server; the key file should be owned by root with mode 0600
  • If the CA signed the certificate via an intermediate CA, copy the intermediate certificate(s) as well and reference them in the same SSL configuration file (SSLCertificateChainFile directive), otherwise clients that don't know the intermediate still show a warning
  • Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
    • Search for Server Private Key and adapt the following line:
      SSLCertificateKeyFile <full path to .key file>
    • Search for Server Certificate and adapt the following line:
      SSLCertificateFile <full path to .crt file>
    • Save the file
  • Restart the web server using the command
    [root]# service httpd restart

 

Removing a password for certificate use

It's possible and sometimes necessary to remove the passphrase from a private key, e.g. when the key is used by a server that has to start unattended. Keep in mind that the passphrase only protects the key file at rest; afterwards the key is protected by file permissions alone (owner root, mode 0600). To do so, take these steps:

  • Use OpenSSL to write a copy of the key that can be used without a passphrase (the current passphrase is asked for once). This is done with the command
    [root]# openssl rsa -in <path to .key file> -out <path to new .key file>
  • Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
    • Change the line
      SSLCertificateKeyFile <full path to .key file>
      to
      SSLCertificateKeyFile <full path to new .key file>
    • Save the file
  • Restart the web server using the command
    [root]# service httpd restart

Tufin Orchestration Suite 16-4

Details
Version update
Last Updated: 23 February 2017

Since today (Feb. 20th, 2017) the new version of the Tufin Orchestration Suite (TOS) is available: 16-4.
This GA Version delivers some improvements, e.g.

Cloud:

  • Cisco ACI Support
    Monitor ACI Platform as a device, Manage ACI Application Profiles in SecureApp, Integration in Tufin Unified Security Policy (USP), etc.
  • Cloud Tag Policy (SecureTrack)
    Defining a tag policy as part of Tufin USP for AWS or via APIs for any cloud platform supported by Tufin plus further options

Security Change Automation:

  • Zero-touch End-to-End Automation for Check Point R80
  • Updated Palo Alto NGFW Application IDs
  • Rule Decommission in a cross-suite workflow
  • Server Decommission for Cisco ASA/IOS and Juniper SRX delivers the required commands, which can be used with copy/paste
  • Server Decommission for Cisco ASA and Juniper SRX can be fully automated
  • Palo Alto Panorama Post-Rule Automation
  • New Role Permission: View handlers of my requests
  • New SecureChange E-Mail Template: Request automatically closed

Security, Risk and Compliance:

  • Policy Browser is now located on the HOME tab
  • Enhancements for the Policy Browser

Application Management:

  • Application Connection Search
  • Performance Improvement for SecureApp

Devices and Platforms:

  • Check Point: Full Support of R80, including MDS, CMA, and SmartCenter
  • Forcepoint: Support of Stonesoft SMC 6.1 using 5.10 APIs
  • Forcepoint: Enhancements in Stonesoft IPv6 support
  • Fortinet: Support of FortiManager and FortiGate 5.2.9
  • Fortinet: FortiManager 5.4 and 5.4.1 NAT Support

 

Further improvements as well as corrections are included.
The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com

Manager Assignment

Details
SecureChange
Last Updated: 05 March 2017

In a workflow the field "Manager" can be used. This is useful if the manager has to approve a ticket requested by a member of his team.

The requester provides the e-mail address of his manager so that this person can approve the request in the next step. For this to work, the next step must contain a "Manager Assignment", so the decision who has to work on the ticket is flexible. Besides this, if the mail address provided by the requester isn't valid for the Manager function, the e-mail is sent to a "Default Manager" configured in the following step. This person (named Default_Manager below) is able to approve/reject the ticket as well as to reassign it.

 

When the manager receives the e-mail from SecureChange, he has to log in to SecureChange; after that, working on the ticket is possible.

With local users configured, the validity of the mail address is checked. Examples:

  • If the assigned manager has the appropriate right, approval is possible.
  • If the manager has no approval right but received the link by e-mail, approval is possible for this ticket.
  • If the mail address isn't known in SC, the Default Manager is taken.

So as a result, when this option is used with local users, everything works as designed in SecureChange: the manager is able to approve the step even if he doesn't have "global rights by role" to do so. With an LDAP server connected to SecureChange, this is the result:

  • If the assigned manager has the appropriate right, approval is possible.
  • If the manager has no approval right but received the link, approval is possible for this ticket.
  • If the mail address isn't known in SC but in LDAP, the ticket is assigned anyway; even without being defined in SecureChange, the manager can follow the link and approve the step.
  • If the mail address is "external", the Default Manager is taken.

Please be aware that the MANAGER as well as the DEFAULT-MANAGER need to be known in SecureChange or on the LDAP server. The MANAGER doesn't need appropriate rights in every case. Since the requester types the manager's address himself, any address known to SecureChange or LDAP is accepted as approver; the step therefore doesn't enforce a real reporting line, so the Default Manager fallback and the ticket history should be reviewed to catch approvals by an arbitrarily chosen colleague.

Documentation of Workflow Changes

Details
SecureChange
Last Updated: 13 January 2017

Sometimes documentation is needed about changes to the system itself or about changes to the workflows defined in SecureChange. System changes can easily be documented in SecureTrack, but what about changes to workflows that are defined and used in SecureChange?
Currently there is no option in the WebUI to get a report about these changes, but they are recorded in the system, i.e. in the database table change_audit.

To view the table content, a SQL query is run at the CLI of the SecureChange Server:

# psql -Upostgres securechangeworkflow -x -c " select * from change_audit"

This delivers all changes to the CLI, including the name of the user as well as an XML dump of the workflow before and after the change (-x switches psql to expanded output, one column per line, which is easier to read for the long XML columns). If necessary, the output can be redirected to a file, e.g. for further inspection; since the file then contains complete workflow definitions, it should be protected like the database itself.

EOL of TufinOS 1.x

Details
TufinOS
Last Updated: 09 January 2017

On March 31, 2017, TufinOS 1.x reaches its End of Life (EOL), at the same time as CentOS 5, because TufinOS 1.x is based on CentOS 5. After this date, no more patches, including security patches, will be published for TufinOS 1.x. The last TOS versions that run on TufinOS 1.x are 16-3 and 16-4.

So it's recommended to upgrade to TufinOS 2.x before the EOL of TufinOS 1.x. Tufin describes the upgrade in their Knowledge Center; the main points are:

  • Upgrade should be possible from TufinOS 1.22 / TOS R13-3 or above
  • If the TOS database is smaller than 20 GB, a simple backup of the old system should be made
  • There is no in-place upgrade from TufinOS 1.x to TufinOS 2.x, so a fresh installation of TufinOS 2.x is necessary
  • After the OS is installed, the same TOS version as running on the old system needs to be installed (please remember that a backup can only be restored on the same build number)
  • Then, a simple restore of the data is possible
  • After having checked that everything works, TOS should be upgraded to the latest version, too

How to find out what is running?

TufinOS: # cat /etc/redhat-release

TOS:      # tos version

Tufin Orchestration Suite 16-3

Details
Version update
Last Updated: 26 November 2016

The latest version of the Tufin Orchestration Suite (TOS) is now 16-3. This GA version delivers some improvements for its components, e.g.

Cloud:

  • AWS Security Groups are automatically recommended per required access
  • Changes are automatically verified per required access

Security Change Automation:

  • New Role in SecureChange allowing "Assign tickets to any handler"
  • "Modify Group" allows adding/removing IP ranges now
  • Designer suggestion is shown in Policy Context, i.e. suggested changes are shown in existing policy
  • Palo Alto Networks Panorama Device Group Policy Automation
    • Automatic selection of Device Group per required access
    • Automatic risk/compliance Analysis
    • Automatic Change Design and Provisioning incl. AppID
    • Automatic verification after changes
  • REST API allows now to export Designer results
  • Designer CLI

Security and Compliance:

  • Rule Documentation (Policy Browser) now allows to search for disabled rules
  • Palo Alto Networks Panorama Device Group integration
    • Changes are tracked and monitored
    • Full visibility into the Panorama Device Group hierarchy
    • Full integration into the Policy Browser (including rule usage information)
    • Cleanup support
    • Integration into SecureTrack Unified Security Policies
    • Reports are possible
    • Support of Tufin SecureTrack Topology
    • SecureApp connection status monitoring (currently not for AppID)

Application Management:

  • Introduction of application-centric User Permissions

Devices and Platforms:

  • Juniper: Topology Support for Virtual Routers in SRX Routes
  • Fortinet: Support of FortiManager 5.4.1
  • VMware: Support of NSX 6.2.4
  • F5: F5 12-1 is supported by TOS, but no iApps
  • Cisco: Support of ASA

Further improvements and corrections are included.

The latest version of the Tufin Orchestration Suite can be found at the Tufin Portal: https://portal.tufin.com
