DX Unified Infrastructure Management

 View Only
  • 1.  Validating Probes

    Posted Aug 15, 2019 06:35 PM
    Hi,

    What does validation do to the probes? There times that I was able to solve problems because of this step (Right Click Probe > Security > Validate > Yes All) but I don't know what it does.

    Thanks


  • 2.  RE: Validating Probes

    Broadcom Employee
    Posted Aug 15, 2019 07:47 PM
    Hi

    callback 'probe_verify' followed by a 'probe_activate' is what the infrastructure manager callback 'probe_verify' followed by a 'probe_activate' is what the infrastructure manager does  behind the scenes when you right click a probe and choose validate and 'yes'.

    From controller whitepaper
    =====================
    probe_verify (name)  Accept the probe as valid and generate a new checksum for it for validation use on subsequent probe starts

    Parameter Type Req Descriptionname String yes
    The name of the probe to be validated.This must be a defined probe. Which files that need a checksum generated / checked is flagged in the package from which the probe was originally installed.


  • 3.  RE: Validating Probes

    Posted Aug 15, 2019 08:45 PM
    Hi,

    Thanks for response but I'm still confused. What is the checksum for? And when I execute validation, I observed that it restarts the controller probe and hub probe, is this expected?


  • 4.  RE: Validating Probes
    Best Answer

    Broadcom Employee
    Posted Aug 15, 2019 10:57 PM
    Hi 
    controller/hdb/spooler/hub probes if you validate ->security it will restart robot / hub .This is expected

    Not expected to restart robot / hub when other probes are validated

    The signed checksum is generated from the main binaries/script in the probe package, it is based on the IP address + secret key.

    If probe fails to start due to any changes you need to validate it manually for security

    Only a user with administrator privileges has acccess to validate ->Security in such case for probe to start in such scenario
    ===========

    Probe Security

    Probes have different tasks. Most of them have simple tasks such as monitoring something and sending an alarm if a threshold is reached. Other have more complex tasks such as collecting information from and executing commands on other probes.The first type does not need a SID, because all they do is to send messages on the Nimsoft. The other one needs permission to connect to and execute commands on remote probes; these probes are a potential security risk.

    To obtain a SID without a login, two conditions must be fulfilled.
    1. The robot must install the probe in order to get a signed checksum generated. This requires administration rights and cannot be performed by intruders or operators.

    2. The controller must start the probe. A magic number scheme ensures that this
    cannot be circumvented.
    If these requirements are met and the probe needs a SID; the controller connects to the Hub to get the appropriate SID for the probe. This again requires that the probe has been added to the security configuration with the appropriate permissions and IP-mask.

    Signed checksum installation

    To prevent that unauthorized probes are installed and started on a robot have we devised a system that ensures that only probes installed by a user with administrator rights can obtain a SID on start up.
    The controller generates a signed checksum (HMAC) during installation; this HMAC is saved and is later used to verify the probe identity each time it is stared. If the checksum has changed the probe will not be started by the controller and cannot do any harm.
    The signed checksum is generated from the main binaries/script in the probe package, it is based on the IP address + secret key.

    Magic number scheme
    A magic number is generated into the probe-environment just before the probe is started. When a probe starts, the magic number is passed to the controller to ensure that the controller is in full control of the probe that is started, thus making it impossible for intruders to use probes.

    Administration
    Please note that all changes to the security configuration must be done with the Infrastructure Manager; manual changes of the security file will render it invalid!!

    Also see

    https://community.broadcom.com/communities/community-home/librarydocuments/viewdocument?DocumentKey=29f9e989-6b43-4088-b6b7-520dfa63ecaa