SSMC appliance configurations

Procedure
  1. Set the CA-signed certificates for SSMC.
  2. Configure the following properties in ssmc.properties and save it:
    security.max.active.ui.sessions=50
    security.max.active.ui.per.user.sessions=1
    ssmc.smtps.enabled=true
    ssmc.secure.tls.only=true
    server.session.timeout=10
    server.absolute.session.timeout=60
    ssmc.management.notification.disable=true
    ssmc.tls.trustmanager.enabled=true
  3. Set the following properties in /ssmc/conf/security_config.properties and save it. Values that need your input are enclosed in angle brackets < >:
    ssmc.sshd.service.network=ens192               #eth1 if hyper-v
    ssmc.webserver.service.network=ens160          #eth0 if hyper-v
    ssmc.shell.session.inactivity.timeout=300
    ssmc.ntp.DnsOrIP=<NTP Host DNS or IP>
    ssmc.inbound.hosts.allow=<IPs of inbound whitelisted hosts>
    ssmc.outbound.hosts.allow=<IPs of whitelisted outbound hosts on any network>
    
    ssmc.rsyslog.server.host=<rsyslog server ip>
    ssmc.rsyslog.server.port=<rsyslog server port> #6514
    ssmc.rsyslog.server.protocol=tcp
    ssmc.rsyslog.server.tls-enabled=1
    
    ssmc.rsyslog.cert.caroot=</home/ssmcadmin/rsyslog/ca.pem>
    ssmc.rsyslog.cert.clientcert=</home/ssmcadmin/rsyslog/client.pem>
    ssmc.rsyslog.cert.clientkey=</home/ssmcadmin/rsyslog/client.key>
    ssmc.rsyslog.server.permittedPeers="<remote logging host name>"
    ssmc.rsyslog.server.device=ens192             #eth1 if hyper-v
    ssmc.rsyslog.queue.maxdiskspace=1
    ssmc.rsyslog.smtp.alert=true
    ssmc.rsyslog.smtp.server=<smtp server ip>
    ssmc.rsyslog.smtp.port=<smtp port>
    ssmc.rsyslog.smtp.recipient=<comma separated recipient email address list>
    ssmc.rsyslog.smtp.notify-interval=5
    ssmc.rsyslog.smtp.mailFrom=<ssmcadmin@ssmc.com>
  4. Run the following commands in the given sequence (answer no when prompted to restart services):
    sudo /ssmc/bin/config_security.sh -o set_file_permission
    sudo /ssmc/bin/config_security.sh -o cnsa_mode_appliance -a enable
    sudo /ssmc/bin/config_security.sh -o session_log -a enable
    sudo /ssmc/bin/config_security.sh -o ssh_service_network -a set
    sudo /ssmc/bin/config_security.sh -o webserver_service_network -a set
    sudo /ssmc/bin/config_security.sh -o session_lock -a enable
    sudo /ssmc/bin/config_security.sh -o shell_session_idle_timeout -a set
    sudo /ssmc/bin/config_security.sh -o remote_syslog_appliance -a set
    sudo /ssmc/bin/config_security.sh -o host_access -a set
    sudo /ssmc/bin/config_security.sh -o http_access_log -a enable
    sudo /ssmc/bin/config_security.sh -o tcp_access_log -a enable
    sudo /ssmc/bin/config_security.sh -o long_password_policy -a enable
    sudo /ssmc/bin/config_security.sh -o config_failedlogin_delay -a enable
    sudo /ssmc/bin/config_security.sh -o sudo_password -a enable
    sudo /ssmc/bin/config_security.sh -o verbose_shell_session_logs -a enable
    sudo /ssmc/bin/config_security.sh -o configure_ntp -a set
    sudo /ssmc/bin/config_security.sh -o fips_mode -a enable
    NOTE: Ensure that all operations are successful. Recheck your configuration and re-run until each of the above operations is successful.
  5. Reboot the appliance using TUI menu option 3.

This completes all the configurations needed to set up SSMC to adhere to security standards.
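
A pre-flight check that can be run on the edited file from step 3 before the commands in step 4: it flags values still holding a `< >` placeholder, remote-logging settings that differ from the TLS values above, and certificate paths that are not readable. This is an added example, not HPE code; the function names `prop_value` and `check_ssmc_conf` are hypothetical, the sample file, addresses (192.0.2.0/24 documentation range) and host name are constructed, and it assumes property values contain no `#` character.

```shell
# Added example (not HPE code): pre-flight check of security_config.properties
# prop_value FILE KEY: print KEY's value, with any trailing "#comment" removed
prop_value() {
    awk -v k="$2" '{ sub(/[ \t]*#.*$/, ""); sub(/^[ \t]+/, ""); i = index($0, "=")
        if (i && substr($0, 1, i - 1) == k) v = substr($0, i + 1) }
        END { print v }' "$1"
}

# check_ssmc_conf FILE: print one line per problem; return 0 only if none
check_ssmc_conf() {
    f=$1; bad=0
    # Values the procedure leaves for the administrator to fill in
    for k in ssmc.ntp.DnsOrIP ssmc.inbound.hosts.allow ssmc.outbound.hosts.allow \
             ssmc.rsyslog.server.host ssmc.rsyslog.server.port \
             ssmc.rsyslog.server.permittedPeers; do
        v=$(prop_value "$f" "$k")
        case $v in
            '')          echo "MISSING     $k"; bad=1 ;;
            *'<'*|*'>'*) echo "PLACEHOLDER $k=$v"; bad=1 ;;
        esac
    done
    # Fixed values the procedure gives for TLS-protected remote logging
    for kv in ssmc.rsyslog.server.protocol=tcp ssmc.rsyslog.server.tls-enabled=1; do
        [ "$(prop_value "$f" "${kv%%=*}")" = "${kv#*=}" ] || { echo "EXPECTED    $kv"; bad=1; }
    done
    # CA root, client certificate and client key must exist and be readable
    for k in caroot clientcert clientkey; do
        p=$(prop_value "$f" "ssmc.rsyslog.cert.$k")
        [ -r "$p" ] || { echo "UNREADABLE  ssmc.rsyslog.cert.$k=$p"; bad=1; }
    done
    return "$bad"
}

# Constructed sample: inbound allow-list still holds the template placeholder
demo=$(mktemp -d); touch "$demo/ca.pem" "$demo/client.pem" "$demo/client.key"
cat > "$demo/security_config.properties" <<EOF
ssmc.ntp.DnsOrIP=192.0.2.10
ssmc.inbound.hosts.allow=<IPs of inbound whitelisted hosts>
ssmc.outbound.hosts.allow=192.0.2.20
ssmc.rsyslog.server.host=192.0.2.30
ssmc.rsyslog.server.port=6514 #6514
ssmc.rsyslog.server.protocol=tcp
ssmc.rsyslog.server.tls-enabled=1
ssmc.rsyslog.cert.caroot=$demo/ca.pem
ssmc.rsyslog.cert.clientcert=$demo/client.pem
ssmc.rsyslog.cert.clientkey=$demo/client.key
ssmc.rsyslog.server.permittedPeers="loghost.example.test"
EOF
check_ssmc_conf "$demo/security_config.properties" || echo "Fix the above, then run step 4"
```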