Unisys Stealth(cloud) for Amazon Web Services Deployment Guide, Release 2.0. Unisys, May 2016. Document 8205 5658-002.


Page 1: Unisys Stealth(cloud) for Amazon Web Services Deployment Guide · Unisys Stealth(cloud) for Amazon Web Services (AWS) enables you to secure an AWS virtual private cloud (VPC) environment



NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages.

You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used.

Unisys Stealth contains encryption features and is subject to, and certain information pertaining to Unisys Stealth may be subject to, limitations imposed by the United States, the European Union and other governments on encryption technology. Information about these U.S. government limitations may currently be found at http://www.bis.doc.gov. For more information about your obligations, please see the agreement entered by your company and Unisys.

The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions.

Notice to U.S. Government End Users: This software and any accompanying documentation are commercial items which have been developed entirely at private expense. They are delivered and licensed as commercial computer software and commercial computer software documentation within the meaning of the applicable acquisition regulations. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys’ standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses.

Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries. All other trademarks referenced herein are the property of their respective owners.


Contents

Section 1. Introduction
1.1. Documentation Updates (1–1)
1.2. What’s New? (1–1)
1.3. Understanding Components of Stealth(cloud) for AWS (1–2)
1.4. Understanding Default Stealth Configurations and User Roles (1–3)
1.5. Understanding Default Filters (1–6)
1.6. Prerequisites (1–7)
1.7. Understanding Differences with Stealth Deployed in a Data Center (1–7)

Section 2. Launching the Stealth(cloud) Management Server Instance
2.1. Optionally Configuring the Administration and Diagnostics System (2–1)
2.2. Determining the Management Server Instance Size and License Capacity (2–3)
2.3. Subscribing to Enterprise Manager (2–3)
2.4. Selecting Parameters and Launching the Management Server Instance (2–4)

Section 3. Launching Stealth Endpoint Instances
3.1. Before You Begin (3–1)
3.2. Determining the Stealth User Role for the Endpoint Instance (3–1)
3.3. Subscribing to Endpoint Instances (3–2)
3.4. Selecting Parameters and Launching the Stealth Endpoint Instance (3–3)

Section 4. Understanding Your Stealth(cloud) for AWS Environment
4.1. Accessing the Enterprise Manager Interface (4–1)
4.2. Accessing Windows Endpoints and Viewing Stealth Status (4–2)
4.3. Accessing Linux Endpoints and Viewing Stealth Status (4–4)
4.4. Limitations When Accessing AWS Services (4–5)

Section 5. Making Changes to Your Stealth(cloud) for AWS Environment
5.1. Updating the Initial Configuration (5–1)
5.2. Optionally Updating the Management Server Instance Type (5–1)
5.3. Optionally Updating Endpoint Instance Types (5–2)
5.4. Launching Endpoint Instances Using Private AMIs (5–3)

Section 6. Upgrading or Updating Management Server and Endpoint Instances
6.1. Subscribing to and Launching the Upgrade System (6–1)
6.2. Connecting to the Upgrade System and Downloading Files (6–2)
6.3. Upgrading or Updating the Management Server (6–4)
6.4. Upgrading or Updating Windows Endpoint Instances (6–5)
6.5. Upgrading or Updating Linux Endpoint Instances (6–5)
6.6. Launching Upgraded Endpoint Instances in an Upgraded Environment (6–6)

Section 7. Troubleshooting
7.1. Resolving Common Problems (7–1)
7.2. Enterprise Manager Interface Requirements (7–2)
7.3. Troubleshooting the Stealth Applet Connection to the Unisys Stealth Logon Service on Windows Endpoints (7–4)
7.4. Enabling Active Scripting on the Management Server Instance (7–5)
7.5. Troubleshooting Private AMIs (7–6)
7.6. Obtaining Services and Support from Unisys (7–7)
7.7. Collecting Diagnostics from the Management Server and Endpoint Instances (7–9)
7.8. Deleting the Management Server or Endpoint Instances (7–11)

Appendix A. Parameter Worksheets
A.1. Management Server Instance Planning (A–1)
A.2. Endpoint Instance Planning (A–4)

Figures
1–1. Default Segmented Configuration (1–4)
1–2. Default Tiered Configuration (1–5)

Tables
A–1. Management Server Instance Planning (A–1)
A–2. Endpoint Instance Planning (A–4)


Section 1. Introduction

Unisys Stealth(cloud) for Amazon Web Services (AWS) enables you to secure an AWS virtual private cloud (VPC) environment using Unisys Stealth technology.

This document provides the information required to deploy Stealth(cloud) for AWS.

1.1. Documentation Updates

This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) 19123197. To obtain a copy of the PLE, access the following URL:

http://public.support.unisys.com/common/epa/macro.aspx?path0=all&path1=ple&path2=19123197

1.2. What’s New?

The following is new in this release:

• In the previous release, you could create up to three user roles in one configuration, and those user roles were completely segmented by default (meaning that only endpoints that shared the same user role could communicate). In this release, you can create up to three additional user roles in a tiered configuration. See 1.4 Understanding Default Stealth Configurations and User Roles for more information.

• The automatically generated filters for Amazon services now have more descriptive names, and Enterprise Manager now polls Amazon for address changes at regular intervals, so the filter list stays current if Amazon changes the IP addresses of its services. See 1.5 Understanding Default Filters for more information.

• In the previous release, you were required to manually create one Administration and Diagnostics System to provide administrative access to the Management Server instance and the endpoint instances. In this release, you can manually create up to three systems to perform this function, or you can have an Administration and Diagnostics System automatically generated for you. See 2.1 Optionally Configuring the Administration and Diagnostics System for more information.

When you subscribe to and launch the Management Server instance, there are three new fields under the Unisys Stealth Configuration category that are related to the configuration of the Administration and Diagnostics Systems. See 2.4 Selecting Parameters and Launching the Management Server Instance for more information.

• An update is available that applies fixes and updates to your Enterprise Manager and Stealth endpoint software. See Section 6, Upgrading or Updating Management Server and Endpoint Instances.

Note: This update does not make configuration changes to an existing environment. For example, this update does not create the new tiered configuration in your existing environment, and it does not change the name or design of any of your filters. This protects the integrity of your customized configuration. If you want to use the new tiered configuration, the new filter design, or any other changes available with this release, you can deploy a new Management Server instance.

1.3. Understanding Components of Stealth(cloud) for AWS

Stealth(cloud) for AWS enables you to configure a Stealth-enabled virtual private cloud (VPC) environment to host your secure workloads and applications.

A Stealth(cloud) for AWS environment includes the following components:

• Amazon Virtual Private Cloud (VPC) – This is a virtual network that hosts the Stealth(cloud) components. You subscribe to and launch the Management Server instance and its associated Stealth AWS endpoint instances into a VPC.

Note: A single Stealth-enabled VPC can support only one Management Server instance. If your environment requires more than one Management Server instance (because each Management Server can support only 500 endpoints), you must create one VPC for each Management Server instance that you want to subscribe to. A Management Server can only be used to manage the endpoints within its VPC.

• Administration and Diagnostics System – This is an Amazon Elastic Compute Cloud (EC2) instance which is used to provide administrative access to the Management Server instance and the endpoint instances and can be used to collect diagnostic information as needed.

• Management Server instance – This is an Amazon EC2 Windows Server instance that runs the Stealth Enterprise Manager software, which is used to authorize Stealth AWS endpoint instances and to provide the user interface for managing your Stealth environment.

The Management Server instance must be sized appropriately so that it can manage all of the endpoint instances in your VPC, as described in 2.2 Determining the Management Server Instance Size and License Capacity.

• Endpoint instances – These are Amazon EC2 instances running supported Windows or Linux operating systems, which also run the Stealth endpoint software to provide a secure working environment. These instances that run the Stealth endpoint software are known as Stealth endpoints.

1.4. Understanding Default Stealth Configurations and User Roles

Each Management Server instance can be used to manage up to 500 endpoint instances, and each endpoint participates in one of the user roles you define. Each user role is made up of multiple Communities of Interest (COIs). Stealth endpoint instances that share a COI can communicate with one another; endpoint instances that do not share a COI cannot communicate. In addition, other non-Stealth-enabled components cannot communicate with any Stealth endpoint instances, unless a filter is specifically created to enable that communication.

When you launch the Management Server instance, you have the option to automatically create user roles in two different configurations that you can use for secure communications in your environment. In addition, a configuration is created for administration. The three configurations are as follows:

• StealthAdmin configuration – This configuration is used for the Enterprise Manager software running on the Management Server to authorize, license, and administer the Stealth endpoints.

In Figure 1–1 and Figure 1–2, the COI used for communication between the Management Server and the endpoints is the purple StealthAdminLicenseCOI. For security, Stealth filters are applied to the StealthAdminLicenseCOI so that endpoint instances can only use this COI to communicate with the Management Server instance (and cannot use this COI to communicate between user roles).

• Segmented configuration – In this configuration, you can create up to three user roles. These user roles are completely segmented, meaning that endpoints in different roles cannot communicate with one another. (Only endpoints that share the same user role can communicate.)

In Figure 1–1, you see three Segmented user roles, each of which includes one SegmentCOI that enables communication with other endpoints in the same user role and the StealthAdminLicenseCOI that enables communication with the Management Server. (As stated previously, Stealth filters are applied to the StealthAdminLicenseCOI so that endpoints can only use this COI to communicate with the Management Server and never with other endpoints.) Finally, each Segmented user role includes the ADSAccessClearTextFilter, which enables endpoint communication with the Administration and Diagnostics System and with Amazon services.

Figure 1–1. Default Segmented Configuration

• Tiered configuration – In this configuration, you can also create up to three user roles. These user roles are tiered, meaning that endpoints in the Tier2 user role can communicate with endpoints in the Tier1 user role and endpoints in the Tier3 user role, while Tier1 and Tier3 endpoints cannot communicate with each other. For example, in a standard Web Server, Application Server, and Database Server configuration, the Application Servers can communicate with the Web Servers and Database Servers, but the Web Servers and Database Servers cannot communicate with one another.

In Figure 1–2, you see three Tiered user roles, each of which includes one TierCOI that enables communication with other endpoints in the same user role and the StealthAdminLicenseCOI that enables communication with the Management Server. (As stated previously, Stealth filters are applied to the StealthAdminLicenseCOI so that endpoints can only use this COI to communicate with the Management Server and never with other endpoints.)

In addition, a shared COI enables communication between endpoints assigned to Tier1 and Tier2 (green colored Tier1+2COI) and a shared COI enables communication between endpoints assigned to Tier2 and Tier3 (pink colored Tier2+3COI).

Finally, each Tiered user role includes the ADSAccessClearTextFilter, which enables endpoint communication with the Administration and Diagnostics System and with Amazon services.

Figure 1–2. Default Tiered Configuration

When you create the Management Server instance, you are prompted to name and create these user roles. You can create as few as one user role (in either configuration) or as many as six user roles (three in each configuration). Depending on your needs, you can create user roles for the Segmented configuration, the Tiered configuration, or both.

You can name these user roles using a naming convention of your choice. For example, you might want to give the Segmented user roles names that correspond to segmented security levels in your environment (such as Classified, Secret, and TopSecret) or that correspond to segmented departments (such as HR, Marketing, and Executive). In contrast, you might want to give the Tiered user roles names that correspond to tiered functions (such as WebServer, AppServer, and DBServer).

Based on the user role names you enter, a Certificate-Based Authorization (CBA) certificate is created and added to each endpoint instance (for example, a certificate named Classified is created for the Classified user role or a certificate named WebServer is created for the WebServer user role). These certificates are used to authorize the endpoint instances so that they can communicate with one another. Because the certificate is what places an endpoint in a user role, an endpoint that is launched with the wrong role name joins the wrong COIs; verify the role when you launch each endpoint.

If your security needs are met by these user roles and configurations, you can simply specify the names of up to six user roles (three in each configuration) when you launch the Management Server instance, and then you can assign each endpoint instance to one of those user roles when you launch the endpoint instances. No further action is required for endpoint instances within the same user role to communicate with one another securely.

However, if required, you can create additional user roles and configurations, and then you can manually update the user roles used by your endpoint instances. Once your environment is configured, see the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on how to add additional user roles and configurations using the Enterprise Manager interface.

The Advanced Concepts and Operations Guide is available on the Unisys Security website at http://unisyssecurity.com/aws.
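The COI rules above can be checked mechanically before you rely on them. The following Python model is an added example for this guide; it is not Unisys code and does not talk to Enterprise Manager. It encodes the default Segmented and Tiered configurations as sets of COIs per user role (role and COI names follow the guide's examples; the per-segment COI names are assumed), models the filter on StealthAdminLicenseCOI as "this COI only counts when one side is the Management Server", and reports which roles can reach each other. The isolation_violations check is the test to run after editing COI membership in Enterprise Manager, because one extra COI on one role silently bridges two segments.

```python
"""Reachability model for the default Stealth configurations in 1.4.

Added example for this guide; not Unisys code. Role and COI names follow the
guide's examples (segment COI names are assumed). The Management Server is
modeled as one endpoint holding only StealthAdminLicenseCOI.
"""

from itertools import combinations

MGMT = "ManagementServer"
ADMIN_COI = "StealthAdminLicenseCOI"

# Default Tiered configuration (Figure 1-2): one TierCOI per role plus a COI
# shared with the adjacent tier. Tier1 and Tier3 share nothing usable.
TIERED = {
    "WebServer": {"Tier1COI", "Tier1+2COI", ADMIN_COI},
    "AppServer": {"Tier2COI", "Tier1+2COI", "Tier2+3COI", ADMIN_COI},
    "DBServer": {"Tier3COI", "Tier2+3COI", ADMIN_COI},
}

# Default Segmented configuration (Figure 1-1): one SegmentCOI per role.
SEGMENTED = {
    "HR": {"HRSegmentCOI", ADMIN_COI},
    "Marketing": {"MarketingSegmentCOI", ADMIN_COI},
    "Executive": {"ExecutiveSegmentCOI", ADMIN_COI},
}


def can_communicate(a, cois_a, b, cois_b):
    """Two endpoints talk iff they share a COI, except that the filtered
    StealthAdminLicenseCOI only counts when one side is the Management Server."""
    shared = set(cois_a) & set(cois_b)
    if MGMT not in (a, b):
        shared.discard(ADMIN_COI)
    return bool(shared)


def allowed(roles, a, b):
    """Reachability between two roles (or a role and MGMT) in a configuration."""
    members = {**roles, MGMT: {ADMIN_COI}}
    return can_communicate(a, members[a], b, members[b])


def reachability(roles):
    """Every unordered pair in the configuration, including the Management Server."""
    members = {**roles, MGMT: {ADMIN_COI}}
    return {
        (a, b): can_communicate(a, members[a], b, members[b])
        for a, b in combinations(sorted(members), 2)
    }


def isolation_violations(roles):
    """Pairs of user roles that can reach each other. For a Segmented
    configuration this must be empty; for Tiered it must be exactly the
    adjacent-tier pairs."""
    return sorted(
        (a, b) for (a, b), ok in reachability(roles).items()
        if ok and MGMT not in (a, b)
    )


if __name__ == "__main__":
    for name, cfg in (("Segmented", SEGMENTED), ("Tiered", TIERED)):
        print(name)
        for (a, b), ok in reachability(cfg).items():
            print(f"  {a:16} <-> {b:16} {'allowed' if ok else 'blocked'}")
        print("  cross-role pairs:", isolation_violations(cfg) or "none")
```

Run it as a script to print the full matrix for both default configurations; after adding a COI to a role in Enterprise Manager, update the role's set here and confirm isolation_violations still returns only the pairs you intended.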

1.5. Understanding Default Filters

You use filters to control whether your endpoints can communicate with other components and services.

By default, filters are predefined for your endpoint instances. These filters enable you to communicate with all available Amazon services using clear text (non-Stealth-secured) communication; clear text here means that the traffic is not protected by Stealth, and any transport security the Amazon service itself provides (for example, HTTPS to S3) still applies. For example, these include filters that enable you to communicate with the Amazon S3 service for storage and the Amazon Route53 service for DNS. Because Amazon periodically changes the IP addresses used for these services, Enterprise Manager checks for updates to the Amazon service addresses every 24 hours and creates new filters as necessary.

In addition, when you launch the Management Server instance, clear text filters are automatically created to allow communication with the Administration and Diagnostics Systems in your environment.

If your filtering needs are met by these default filters for Amazon services and the Administration and Diagnostics System, no further action is required. However, if needed, you can create additional filters once your environment is configured. See the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on how to update, add, and assign filters using the Enterprise Manager interface.

In addition, note that the IP addresses in a subnet that are reserved by AWS have clear text filters applied to them (so that they are never Stealth-enabled). See the AWS documentation on VPCs and subnets (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#SubnetSize) for more information on these reserved IP addresses.
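Enterprise Manager performs the 24-hour refresh of the Amazon service filters for you; the Python below is an added example for this guide (not Unisys code) that shows how to verify that refresh independently. It reads Amazon's published ip-ranges.json layout (the embedded sample is constructed and uses RFC 5737 documentation prefixes, not real AWS addresses), computes the prefixes the clear text filters should cover for the chosen services and regions, diffs them against a constructed set of currently applied filters, and lists the addresses AWS reserves in each subnet. Route 53 is published under region GLOBAL, so that region has to be included alongside the VPC's own region.

```python
"""Clear text filter maintenance for the defaults described in 1.5.

Added example for this guide, not Unisys code. The JSON sample is constructed
in the layout of Amazon's ip-ranges.json and uses documentation prefixes.
"""

import ipaddress
import json

SAMPLE_IP_RANGES_JSON = """{
  "syncToken": "0",
  "createDate": "2016-05-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "192.0.2.128/25", "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "ROUTE53"}
  ]
}"""

# Constructed: what this environment's clear text filters currently cover.
# 203.0.113.128/25 is a stale entry that Amazon no longer publishes.
CURRENT_FILTERS = {"198.51.100.0/24", "203.0.113.128/25"}


def load_ip_ranges(text):
    """Parse an ip-ranges.json document (here, the constructed sample)."""
    return json.loads(text)


def service_prefixes(ip_ranges, services, regions):
    """IPv4 prefixes published for the given services in the given regions."""
    return {
        p["ip_prefix"]
        for p in ip_ranges["prefixes"]
        if p["service"] in services and p["region"] in regions
    }


def filter_drift(current, ip_ranges, services, regions):
    """(prefixes to add, prefixes to remove) to bring the filter set up to date."""
    wanted = service_prefixes(ip_ranges, services, regions)
    return sorted(wanted - current), sorted(current - wanted)


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every VPC subnet: network address,
    VPC router (+1), DNS (+2), reserved for future use (+3), and broadcast."""
    net = ipaddress.ip_network(subnet_cidr)
    return [str(net[i]) for i in (0, 1, 2, 3)] + [str(net[-1])]


def is_reserved(address, subnet_cidr):
    """True if the address is one AWS reserves (and Stealth leaves in clear text)."""
    return address in reserved_addresses(subnet_cidr)


if __name__ == "__main__":
    ranges = load_ip_ranges(SAMPLE_IP_RANGES_JSON)
    add, remove = filter_drift(
        CURRENT_FILTERS, ranges, {"S3", "ROUTE53"}, {"us-east-1", "GLOBAL"}
    )
    print("filters to add:   ", add)
    print("filters to remove:", remove)
    print("reserved in 10.0.1.0/24:", reserved_addresses("10.0.1.0/24"))
```

To use this against the live list, fetch https://ip-ranges.amazonaws.com/ip-ranges.json, pass its text to load_ip_ranges, and replace CURRENT_FILTERS with the prefixes exported from your Enterprise Manager filter list; a non-empty "remove" list is a filter that still admits clear text traffic to an address Amazon no longer owns.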

1.6. Prerequisites

Before you begin to deploy Stealth(cloud) for AWS, you must meet the following prerequisites.

Note: See the AWS documentation (http://aws.amazon.com/documentation) for more information on meeting these prerequisites.

• You must have configured one or more virtual private clouds (VPCs) with access to the AWS CloudFormation services.

You can use an existing VPC, or you can create a new VPC that is dedicated to your Stealth(cloud) for AWS deployment.

The instances that you launch within the VPC must be able to access the AWS CloudFormation services, which means that the instances within the VPC must either have a public IP address or they must have the capability to use Network Address Translation (NAT) to access these services.

For more information on configuring IP addressing for your VPC and instances, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Networking.html.

Note: Each Management Server instance in the AWS environment can support up to 500 endpoint instances, and each Management Server instance requires its own VPC. Therefore, depending on the number of Stealth-enabled endpoints you plan to launch in the AWS environment, you might need to configure multiple VPCs.

• You must have one or more Amazon EC2 key pairs. Key pairs are an Amazon administrative requirement for all EC2 instances. You can use an existing key pair or you can create a new key pair for your Stealth(cloud) for AWS deployment.

You must select a key pair name when you initially configure each instance.

1.7. Understanding Differences with Stealth Deployed in a Data Center

In addition to Stealth(cloud) for AWS, the Stealth Solution can be purchased from Unisys and deployed directly in your data center.

The following are the differences between Stealth(cloud) for AWS and Stealth deployed in a data center:

• Stealth(cloud) for AWS supports the following operating systems running on endpoint instances:

- Windows Server 2008 R2
- Windows Server 2012 R2
- Red Hat Enterprise Linux 6.x and 7.x
- SUSE Linux Enterprise Server 11.x
- Ubuntu 14.04 LTS

When Stealth is deployed in a data center, the following additional operating systems are supported:

- Windows 7
- Windows 8 and Windows 8.1
- Windows Server 2012
- Ubuntu 12.04 LTS
- IBM AIX V6.1 and V7.1

• Windows endpoint instances are configured to run with Stealth Always On. Stealth Always On for Windows endpoints means that Stealth is always enabled on running Windows endpoints (and cannot be disabled by users). In contrast, Windows endpoints in the data center can run Stealth On Demand, which means that users can enable and disable the Stealth service if they need to communicate with other resources in the environment.

Note: Stealth can be enabled and disabled for Linux endpoints.

• Stealth deployed in a data center can provide redundant authorization through the use of standalone Authorization Servers. This component is not supported in this release of Stealth(cloud) for AWS.

• Stealth deployed in a data center supports IPv6 addressing. IPv6 addressing is not supported in Stealth(cloud) for AWS, because AWS VPCs did not support IPv6 addressing at the time of this release.

• Stealth deployed in a data center can support mobile users through a feature known as Secure Remote Access. This feature is not supported in Stealth(cloud) for AWS.

• Stealth deployed in a data center can enable systems and servers running operating systems that are not supported by Stealth to connect to the network and participate in Stealth COIs through a feature known as Secure Virtual Gateway. This feature is not supported in Stealth(cloud) for AWS.

If you want to use any of the features that are not supported in Stealth(cloud) for AWS, contact Unisys at http://unisyssecurity.com/aws for more information about deploying Stealth in your data center.


Section 2. Launching the Stealth(cloud) Management Server Instance

The Management Server instance is an Amazon EC2 instance that runs Windows Server 2012 R2 and the Stealth Enterprise Manager software, which is used to authenticate, authorize, license, and administer Stealth AWS endpoint instances. The Management Server instance also provides the user interface for managing your Stealth environment.

Before continuing, be sure that you met the prerequisites listed in 1.6 Prerequisites, and then perform the procedures in this section.

2.1. Optionally Configuring the Administration and Diagnostics System

Stealth(cloud) for AWS requires an EC2 instance to act as the Administration and Diagnostics System. This system provides administrative access to the Management Server instance and the endpoint instances and can be used to collect diagnostic information as needed.

You can launch up to three EC2 instances to use as Administration and Diagnostics Systems by following the guidelines in this topic. When you deploy the Management Server instance, you can specify these existing systems to use as Administration and Diagnostics Systems. Alternatively, if you do not have an existing EC2 instance to use as the Administration and Diagnostics System and you do not want to manually configure one using the guidelines in this topic, the Management Server CloudFormation template can automatically deploy a new t2.micro Windows Server 2012 R2 instance to be used for this purpose. Skip this topic if you want the CloudFormation template to automatically deploy an Administration and Diagnostics System.

If you want to manually deploy an Administration and Diagnostics System, it must meet the following requirements:

• Because this system provides access to all Stealth-enabled instances in the VPC (its traffic is admitted by clear text filters rather than protected by Stealth), you should ensure that the system is hardened and that access to it is controlled. For example, restrict inbound RDP and SSH in its security group to known administrator source addresses, and limit who can log on to it.

• It must be an Amazon EC2 instance in the same VPC as the Management Server instance. If you have more than one Management Server instance, each running in a separate VPC, then you must configure a separate Administration and Diagnostics System in each VPC.

• The Administration and Diagnostics System can run any operating system; however, it is recommended that you select the Windows Server 2012 R2 operating system, which, by default, includes the Remote Desktop software necessary for connecting to the Management Server instance.

Note: If you plan to subscribe to and launch Linux endpoints, you should install an SSH client (for example, PuTTY) that you can use to access Linux endpoint instances.

• The Administration and Diagnostics System must be able to use TCP port 80 to download files.

Do the following if you want to manually configure an EC2 instance as the Administration and Diagnostics System:

1. Launch an EC2 instance that meets the requirements listed earlier in this topic.

Note: The Administration and Diagnostics System can use any Amazon instance type. (There are no minimum requirements for vCPU or memory.)

When you launch the EC2 instance, you must do the following:

• Configure a method to access the Administration and Diagnostics System. For example, configure an AWS security group to allow inbound RDP access to the Administration and Diagnostics System.

• Configure a method to use the Administration and Diagnostics System to access the Management Server instance and the endpoint instances. By default, a security group enables all outbound RDP and SSH access. If you have restrictions on your security group, you must allow outbound access as follows:

- RDP access to connect to the Management Server instance and Stealth Windows endpoints

- SSH access to connect to Linux endpoint instances

See the Amazon EC2 documentation at https://aws.amazon.com/documentation/ec2 for specific information on launching an EC2 instance, and see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html for more information on configuring the required security groups.

2. Wait for the instance to be created (that is, wait until the status reads running).

3. Confirm that you can connect to the Administration and Diagnostics System.

4. Record the private IP address of the Administration and Diagnostics System. (To locate the IP address, on the EC2 Management Console, select the instance, and then locate the Private IP under the Description tab.)

When you configure the Management Server instance, you must specify the private IP address of the Administration and Diagnostics System, and a clear text filter is created to enable the Management Server instance and endpoint instances to communicate with this system.
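The security group described in step 1 is easy to get wrong in the two directions that matter: inbound RDP opened to 0.0.0.0/0 instead of the administrator's own address range, or outbound RDP/SSH removed by a restrictive egress policy so the system can no longer reach the Management Server or the endpoints. The following check is an added example (not Unisys code) that evaluates a security group in the shape that `aws ec2 describe-security-groups` returns; the group and its rules below are a constructed sample, and the ID is a placeholder.

```python
"""Review the security group in front of the Administration and Diagnostics
System: inbound RDP (TCP 3389) only from the administrator's range, and
outbound RDP (3389) and SSH (22) allowed. Added example, not Unisys code.
Only IPv4 ranges (IpRanges) are examined; Ipv6Ranges are ignored here.
"""
import ipaddress

RDP, SSH = 3389, 22


def _rule_covers(rule, port):
    """True when one IpPermissions entry allows TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def inbound_rdp_sources(group):
    """CIDR ranges from which inbound RDP is allowed."""
    cidrs = []
    for rule in group.get("IpPermissions", []):
        if _rule_covers(rule, RDP):
            cidrs.extend(r["CidrIp"] for r in rule.get("IpRanges", []))
    return cidrs


def outbound_allows(group, port):
    """True when some egress rule permits TCP `port` to at least one range."""
    return any(_rule_covers(rule, port) and rule.get("IpRanges")
               for rule in group.get("IpPermissionsEgress", []))


def check_admin_group(group, admin_cidr):
    """Findings against the guide's requirements; [] means the group is fine."""
    findings = []
    admin_net = ipaddress.ip_network(admin_cidr, strict=False)
    sources = inbound_rdp_sources(group)
    if not sources:
        findings.append("inbound RDP (3389) is not allowed at all")
    for cidr in sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"inbound RDP open to the world: {cidr}")
        elif not admin_net.subnet_of(net):
            findings.append(f"inbound RDP allowed from unexpected range {cidr}")
    for name, port in (("RDP", RDP), ("SSH", SSH)):
        if not outbound_allows(group, port):
            findings.append(f"outbound {name} ({port}) is blocked")
    return findings


SAMPLE_GROUP = {  # constructed sample; the group ID is a placeholder
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # the mistake to catch
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},    # RDP only, SSH missing
    ],
}

if __name__ == "__main__":
    for finding in check_admin_group(SAMPLE_GROUP, "192.0.2.10/32"):
        print("FINDING:", finding)
```

Feed it the `SecurityGroups[0]` element of the CLI output for the group you attached to the instance; a group left with the default egress rule (protocol -1 to 0.0.0.0/0) passes the outbound checks, which matches the guide's statement that outbound RDP and SSH are open by default.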

Launching the Stealth(cloud) Management Server Instance

2–2 8205 5658-002


2.2. Determining the Management Server Instance Size and License Capacity

Enterprise Manager provides licenses to Stealth endpoint instances from a pool of licenses called AWS Marketplace licenses. The total number of available licenses is determined by the Enterprise Manager instance size that you select when you configure the Management Server instance.

When you subscribe to Stealth(cloud) Enterprise Manager and launch the Management Server instance, you select one of the following sizes, depending on how many Stealth endpoint instances you plan to subscribe to and launch in your VPC:

• Small – Launches an m4.large EC2 instance that supports up to 25 endpoint instances

• Medium – Launches an m4.large EC2 instance that supports up to 50 endpoint instances

• Large – Launches an m4.xlarge EC2 instance that supports up to 250 endpoint instances

• Extra Large – Launches an m4.2xlarge EC2 instance that supports up to 500 endpoint instances

Notes:

• If you select the South America (São Paulo) region, m3 instance types are used.

• For more information on Amazon EC2 instance types, see https://aws.amazon.com/ec2/instance-types.

You must select a capacity that is sufficient for the number of Stealth endpoint instances that you plan to subscribe to and launch. In addition, it is a best practice to select a capacity that will accommodate a slightly expanded configuration; however, you can change the instance size as your needs change. If you change your instance type, the maximum number of subscribed endpoints that can be authorized is automatically updated. See 5.2 Optionally Updating the Management Server Instance Type for more information on resizing the Management Server instance.

If you plan to include more than 500 Stealth endpoint instances in your Stealth(cloud) for AWS deployment, you must create additional Management Server instances; only one Management Server instance is supported in a single Amazon VPC. If you require more than one Management Server instance, each must be launched in a separate VPC.

2.3. Subscribing to Enterprise Manager

To launch a Management Server instance from the AWS Marketplace, you must subscribe to Unisys Stealth(cloud) Enterprise Manager. Do the following:

1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).

2. At the top of the page, click Sign in, and then sign in using your AWS account credentials.

3. In the search box, enter Unisys Stealth.


4. On the results page, select Unisys Stealth(cloud) Enterprise Manager on Windows.

5. On the Unisys Stealth(cloud) Enterprise Manager solutions page, do the following:

a. Under Pricing Details, under For region, use the default region or select a new region.

b. Under Pricing Details, under Delivery Methods, select Stealth(cloud) Enterprise Manager.

Note: A CloudFormation template is the required method to launch the Management Server; therefore, you must select this option. (Do not select Single AMI.)

6. Click Continue.

7. If you have previously subscribed to this product, skip to the next step.

If this is your first time subscribing to this product, you are prompted to accept the terms; do the following:

a. On the Launch on EC2 page, click Accept Terms.

You see the Thank You page, which states that you will receive an email with more details.

b. Review the email when it arrives, and then return to the Thank You page.

c. On the Thank You page, click Return to Product Page.

You see the Launch on EC2 page.

8. On the Launch on EC2 page, confirm that the region you want to use is selected, and ensure that Stealth(cloud) Enterprise Manager is selected under Deployment Options.

9. Click Launch with CloudFormation Console.

Note: If you do not see the Launch with CloudFormation Console button, change the value under Deployment Options from Single AMI to Stealth(cloud) Enterprise Manager.

The values you entered are processed, and the CloudFormation console launches with the Management Server CloudFormation template selected.

Continue by performing the procedure in the following topic: 2.4 Selecting Parameters and Launching the Management Server Instance.

2.4. Selecting Parameters and Launching the Management Server Instance

Note: For a printable worksheet that you can use to record the values you enter here, see A.1 Management Server Instance Planning.


After you subscribe to Enterprise Manager, do the following to select parameters and launch the Management Server instance:

1. On the CloudFormation console, on the Select Template page, click Next.

The Specify Details page appears and provides a set of parameters that you use to configure the Management Server instance.

Note: The parameters you enter on this page are not verified until you create the CloudFormation stack. Therefore, you should be very careful to enter these values correctly. For example, you are prompted to enter and verify passwords multiple times on this page, and you should ensure that these passwords match and that they meet the specific requirements for each password; if they do not, the CloudFormation stack creation will fail.

2. Enter a name for the stack in the Stack name box.

3. Under Amazon EC2 Configuration, enter the following:

a. For VPC, select the VPC where you want to launch the Management Server instance.

Notes:

• A VPC can include only one Management Server instance.

• Stealth endpoint instances that will be managed by this Management Server instance must also be launched in the same VPC.

b. For Subnet, select the subnet within the VPC that you want to use for the Management Server instance. The subnet you select must exist in the VPC you selected.

Note: The Management Server instance and Stealth endpoint instances can use separate subnets within the same VPC.

c. For EC2 Key Name, select the name of an existing EC2 key pair that you want to use to meet the Amazon administrative requirement to have a key pair for all EC2 instances.

4. Under Unisys Stealth Configuration, enter the following:

a. For Capacity, select the Management Server capacity that corresponds to your planned number of Stealth endpoint instances. See 2.2 Determining the Management Server Instance Size and License Capacity for more information.

b. For Existing Administration and Diagnostics System IP Addresses, enter up to three IP addresses (comma separated) if you have existing systems that you want to use as Administration and Diagnostics Systems. (If you do not have existing systems and want the CloudFormation template to create an instance for this purpose, leave this value blank.)

Notes:

• You must enter a value for either this parameter or for the following parameter.

• If you want to use this option, you must have configured the Administration and Diagnostics System as described in 2.1 Optionally Configuring the Administration and Diagnostics System.


c. For RDP Access IP Address (CIDR) for New Administration and Diagnostics System, if you want CloudFormation to autogenerate a new Administration and Diagnostics System, enter an IP address in CIDR notation that you will use to access this system. (That is, enter the IP address of the local system from which you will launch RDP to access the new Administration and Diagnostics System.)

A standard t2.micro instance running Windows Server 2012 R2 will be launched, which will be accessible from this IP address range. For example, enter 192.0.2.0/32 for a single IP address or 192.0.2.0/24 for a range of IP addresses.

Note: You must enter a value for either this parameter or for the previous parameter.

d. For Allowed Ports for the Administration and Diagnostics System, optionally, for added security, enter up to ten TCP ports. Allowed communication between Stealth endpoints and the Administration and Diagnostics System is restricted to only those ports. Leave the default values 22 and 3389 to allow only SSH and RDP communication, respectively. Delete these values to allow communication over all ports and protocols.

5. Skip the Extended Data Center (XDC) Feature parameters. The XDC feature is used to extend an existing Stealth data center environment into the AWS VPC. See the Unisys Stealth Solution Information Center for more information on the XDC feature.

6. Under Unisys Stealth Micro-Segmented User Roles, enter the following values to create up to three segmented user roles.

Notes:

• You must create at least one segmented user role or one tiered user role.

• You can create up to three segmented user roles and up to three tiered user roles. If you do not want to create any segmented user roles, ensure that all of the Segmented Username and Password boxes are blank.

• You must enter a unique user name for every user role that you create.

a. For Segment1 Username, enter a name for the Segment1 user role. You can assign Stealth endpoint instances to this user role when you launch them, and only endpoint instances that share a user role can communicate.

For example, you might want to give this user role a name that corresponds to segmented security levels in your environment (such as Classified, Secret, or TopSecret) or that corresponds to segmented departments (such as HR, Marketing, or Executive). See 1.4 Understanding Default Stealth Configurations and User Roles for more information on Stealth user roles.

Note: The user name must be between one and 15 characters, and it can only include alphanumeric characters and hyphens.

b. For Segment1 Password, enter a password for the Segment1 user role.

Note: The password must be between six and 50 characters, and it must include all of the following:

• At least one uppercase letter

• At least one lowercase letter

• At least one number

• At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

c. For Segment1 Password Verify, verify the password for the Segment1 user role.

d. For Segment2 Username, optionally enter a name for the Segment2 user role. Like the Segment1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

Note: The name must also meet the requirements for the Segment1 user role, listed previously.

e. If you entered a name for the Segment2 user role, for Segment2 Password, enter a password for the Segment2 user role.

Note: This password must also meet the requirements for the Segment1 password, listed previously.

f. If you entered a name for the Segment2 user role, for Segment2 Password Verify, verify the password for this user role.

g. For Segment3 Username, optionally enter a name for the Segment3 user role. Like the Segment1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

Note: The user name must also meet the requirements for the Segment1 user role, listed previously.

h. If you entered a name for the Segment3 user role, for Segment3 Password, enter a password for this user role.

Note: This password must also meet the requirements for the Segment1 password, listed previously.

i. If you entered a name for the Segment3 user role, for Segment3 Password Verify, verify the password for this user role.

7. Under Unisys Stealth Tiered User Roles, enter the following values to create up to three tiered user roles.

Note: You can create up to three segmented user roles and up to three tiered user roles. If you do not want to create any tiered user roles, skip to the next step.


a. For Tier1 Username, enter a name for the Tier1 user role. You can assign Stealth endpoint instances to this user role when you launch them. In this configuration, endpoints in Tier2 can communicate with endpoints in Tier1 and Tier3. For example, in a standard Web Server, Application Server, and Database Server configuration, the Application Servers can communicate with the Web Servers and Database Servers, but the Web Servers and Database Servers cannot communicate with one another.

For example, you might want to give this user role a name that corresponds to tiered functions (such as WebServer, AppServer, or DBServer). See 1.4 Understanding Default Stealth Configurations and User Roles for more information on Stealth user roles.

Note: The user name must be between one and 15 characters, and it can only include alphanumeric characters and hyphens.

b. For Tier1 Password, enter a password for the Tier1 user role.

Note: The password must be between six and 50 characters, and it must include all of the following:

• At least one uppercase letter

• At least one lowercase letter

• At least one number

• At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

c. For Tier1 Password Verify, verify the password for the Tier1 user role.

d. For Tier2 Username, optionally enter a name for the Tier2 user role. Like the Tier1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

Note: The name must also meet the requirements for the Tier1 user role, listed previously.

e. If you entered a name for the Tier2 user role, for Tier2 Password, enter a password for the Tier2 user role.

Note: This password must also meet the requirements for the Tier1 password, listed previously.

f. If you entered a name for the Tier2 user role, for Tier2 Password Verify, verify the password for this user role.

g. For Tier3 Username, optionally enter a name for the Tier3 user role. Like the Tier1 user role, you can assign Stealth endpoint instances to this user role when you launch them, and you can name this user role according to function, department, or any other method for your environment.

Note: The user name must also meet the requirements for the Tier1 user role, listed previously.


h. If you entered a name for the Tier3 user role, for Tier3 Password, enter a password for this user role.

Note: This password must also meet the requirements for the Tier1 password, listed previously.

i. If you entered a name for the Tier3 user role, for Tier3 Password Verify, verify the password for this user role.

8. Under Unisys Stealth Administrator Passwords, enter the following:

a. For Enterprise Manager Administrator Password, enter a password for the Enterprise Manager Administrator account. EMAdmin is the account that you use to log on to the Management Server instance and that you use to run the Stealth services on that instance.

Note: This password must be between six and 50 characters long, and it must include all of the following:

• At least one uppercase letter

• At least one lowercase letter

• At least one number

• At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

In addition, the user name cannot be included as part of the password.

b. For Enterprise Manager Administrator Password Verify, verify the password for the Enterprise Manager Administrator account, EMAdmin.

c. For MySQL Root Password, enter a password for the MySQL Root account (root) for the MySQL database running on the Management Server instance.

Note: This password must be between eight and 50 characters long, and it must include all of the following:

• At least one uppercase letter

• At least one lowercase letter

• At least one number

• At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

d. For MySQL Root Password Verify, verify the password for the MySQL Root account.

e. For Interface Administrator Password, enter a password for the Enterprise Manager interface administrator account, portaladmin.

Note: This password must be between six and 50 characters, and it must include all of the following:

• At least one uppercase letter

• At least one lowercase letter

• At least one number

• At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

f. For Interface Administrator Password Verify, verify the password for the Enterprise Manager interface administrator account, portaladmin.

g. For Tomcat User Password, enter a password for the user associated with the Tomcat service (TomcatUser) that runs on the Management Server instance.

Note: This password must be between six and 50 characters long, and it must include all of the following:

• At least one uppercase letter

• At least one lowercase letter

• At least one number

• At least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

In addition, the user name cannot be included as part of the password.

h. For Tomcat User Password Verify, verify the password for the Tomcat service user.

9. When you have finished specifying the configuration parameters, click Next.

10. On the Options page, optionally enter one or more key-value pairs to tag the Management Server instance. Tags are used to help identify resources in the AWS console.

11. Optionally set any additional advanced options for the new instance.

Note: Do not change the value for the Rollback on failure option (the default value is Yes).

12. Click Next.

13. On the Review page, verify that the parameters and options that you specified appear correctly, select the check box to acknowledge the I acknowledge that this template might cause AWS CloudFormation to create IAM resources notice, and then click Create.

14. Wait until the Management Server instance is created (that is, wait until the status reads CREATE_COMPLETE).

The Windows Server 2012 R2 instance that forms the basis for the Management Server instance can take approximately 30 to 45 minutes to launch from AWS. In addition, the CloudFormation template requires an additional 10-20 minutes to be completed. If the AWS geographic region you are using is experiencing a heavy traffic load, this process might require additional time. Therefore, you should allow at least 90 minutes for the Management Server instance status to read CREATE_COMPLETE.

Note: If the instance reads CREATE_COMPLETE in only a few minutes, this is usually an indicator that the Management Server instance has failed to launch correctly. This is most commonly a result of parameters being entered incorrectly; for example, entering different passwords for the same user name or entering a password that does not meet the specific requirements. In that case, select the instance, and then select the Outputs tab to review the provided error message.

If the instance reads CREATE_FAILED or ROLLBACK_FAILED, the CloudFormation logs and Stealth diagnostics are collected and uploaded to the Amazon S3 bucket, which is created during the CloudFormation process, in the EnterpriseManager\log subfolder.
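Because the Specify Details page checks nothing until the stack is created, and a failed stack costs the better part of an hour before it rolls back, it pays to apply the rules from steps 4 to 8 to the planned values first. The script below is an added example (not Unisys code or part of the template) that does exactly that: it checks the user-name and password rules the guide states, that each verify box matches, that at least one segmented or tiered role exists with unique names, that either existing Administration and Diagnostics System addresses (at most three) or an RDP access CIDR is given, and that at most ten port numbers are listed. Keying a dict by the guide's parameter labels is an assumption made here; the sample values are constructed, and the passwords are illustrative only.

```python
"""Pre-flight check of Management Server CloudFormation parameters.
Added example, not Unisys code; dict keys mirror the guide's parameter labels.
"""
import ipaddress
import re

SPECIALS = set("!@#$%^&*()_+=")                    # special characters the guide lists
USERNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # 1-15 alphanumerics or hyphens
AD_EXISTING = "Existing Administration and Diagnostics System IP Addresses"
AD_CIDR = "RDP Access IP Address (CIDR) for New Administration and Diagnostics System"
AD_PORTS = "Allowed Ports for the Administration and Diagnostics System"


def password_errors(pw, min_len=6, owner=None):
    """Rule violations for one password; [] when it is compliant.
    `owner` is the account name that may not appear in it (EMAdmin, TomcatUser)."""
    checks = [(min_len <= len(pw) <= 50, f"length must be {min_len}-50 characters"),
              (any(c.isupper() for c in pw), "needs an uppercase letter"),
              (any(c.islower() for c in pw), "needs a lowercase letter"),
              (any(c.isdigit() for c in pw), "needs a number"),
              (any(c in SPECIALS for c in pw), "needs one of " + "".join(sorted(SPECIALS))),
              (not (owner and owner.lower() in pw.lower()), f"must not contain {owner}")]
    return [msg for ok, msg in checks if not ok]


def validate_parameters(p):
    """Return {parameter label: [problems]}; an empty dict means the values pass."""
    problems = {}

    def flag(name, msgs):
        if msgs:
            problems.setdefault(name, []).extend(msgs)

    # User roles: up to three segmented and three tiered, at least one overall,
    # unique names, and each verify box must match its password.
    names = []
    for kind in ("Segment", "Tier"):
        for i in (1, 2, 3):
            user = p.get(f"{kind}{i} Username", "")
            pw, verify = p.get(f"{kind}{i} Password", ""), p.get(f"{kind}{i} Password Verify", "")
            if not user:
                if pw or verify:
                    flag(f"{kind}{i} Password", ["password set for an empty user name"])
                continue
            if not USERNAME_RE.match(user):
                flag(f"{kind}{i} Username", ["1-15 alphanumeric characters or hyphens"])
            if user in names:
                flag(f"{kind}{i} Username", [f"user name {user} is not unique"])
            names.append(user)
            flag(f"{kind}{i} Password", password_errors(pw))
            if pw != verify:
                flag(f"{kind}{i} Password Verify", ["does not match the password"])
    if not names:
        flag("User Roles", ["create at least one segmented or tiered user role"])

    # Administrator passwords; MySQL root has the longer minimum length.
    for name, min_len, owner in (("Enterprise Manager Administrator Password", 6, "EMAdmin"),
                                 ("MySQL Root Password", 8, None),
                                 ("Interface Administrator Password", 6, None),
                                 ("Tomcat User Password", 6, "TomcatUser")):
        pw = p.get(name, "")
        flag(name, password_errors(pw, min_len, owner))
        if pw != p.get(name + " Verify", ""):
            flag(name + " Verify", ["does not match the password"])

    # Administration and Diagnostics System: existing addresses (max three) or a CIDR.
    existing = [s.strip() for s in p.get(AD_EXISTING, "").split(",") if s.strip()]
    cidr = p.get(AD_CIDR, "").strip()
    if not existing and not cidr:
        flag(AD_EXISTING, ["enter existing IP addresses here or a CIDR for a new system"])
    if len(existing) > 3:
        flag(AD_EXISTING, ["at most three addresses"])
    for ip in existing:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            flag(AD_EXISTING, [f"{ip} is not an IP address"])
    if cidr:
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            flag(AD_CIDR, [f"{cidr} is not CIDR notation"])

    # Allowed ports: optional, at most ten TCP port numbers.
    ports = [s.strip() for s in p.get(AD_PORTS, "").split(",") if s.strip()]
    if len(ports) > 10:
        flag(AD_PORTS, ["at most ten ports"])
    for port in ports:
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            flag(AD_PORTS, [f"{port} is not a TCP port number"])
    return problems


SAMPLE = {  # constructed sample; passwords are illustrative only
    "Segment1 Username": "HR", "Segment1 Password": "Payroll#2016",
    "Segment1 Password Verify": "Payroll#2016",
    "Tier1 Username": "WebServer", "Tier1 Password": "Front$end1",
    "Tier1 Password Verify": "Front$end1",
    "Tier2 Username": "AppServer", "Tier2 Password": "Middle%tier2",
    "Tier2 Password Verify": "Middle%Tier2",                       # mistyped verify box
    "Enterprise Manager Administrator Password": "EMAdmin@2016",  # contains EMAdmin
    "Enterprise Manager Administrator Password Verify": "EMAdmin@2016",
    "MySQL Root Password": "Db!root1", "MySQL Root Password Verify": "Db!root1",
    "Interface Administrator Password": "Portal^9x",
    "Interface Administrator Password Verify": "Portal^9x",
    "Tomcat User Password": "Servlet(7)", "Tomcat User Password Verify": "Servlet(7)",
    AD_CIDR: "192.0.2.0/32", AD_PORTS: "22,3389",
}
```

Run `validate_parameters(SAMPLE)` and the two planted mistakes are reported (the Tier2 verify box and the EMAdmin password that contains the account name), which is exactly the class of error the note under step 14 says shows up as a suspiciously fast CREATE_COMPLETE or a rollback.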


Section 3 Launching Stealth Endpoint Instances

This section provides information about launching Stealth endpoint instances, which are Amazon EC2 instances secured with Stealth endpoint software. The Stealth endpoint software and Stealth user roles enable you to secure communication between the Stealth endpoint instances in your environment.

3.1. Before You Begin

Before you begin to configure and launch Stealth endpoint instances in your VPC, ensure that you have launched a Management Server instance with the appropriate capacity to manage the number of endpoint instances you plan to launch. See Section 2, Launching the Stealth(cloud) Management Server Instance, for more information.

In addition, you must record the StealthSecurityGroup and StealthBucket keys from the Management Server instance that you want to use to manage this new endpoint instance. Do the following:

1. Access the CloudFormation console.

2. Select the Stack that corresponds to the Management Server instance.

3. On the Outputs tab, record the following key values:

• StealthSecurityGroup

• StealthBucket
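The same two output keys can be read from the CLI instead of the console, which also lets you confirm the stack really reached CREATE_COMPLETE before you copy values out of it (a stack in CREATE_FAILED or ROLLBACK_FAILED has its logs in the EnterpriseManager\log subfolder of the S3 bucket, as the previous section notes). The helper below is an added example, not Unisys code; it parses the JSON printed by `aws cloudformation describe-stacks --stack-name <name>`, and the embedded document is a constructed sample in that shape with placeholder identifiers.

```python
"""Extract StealthSecurityGroup and StealthBucket from describe-stacks output.
Added example, not Unisys code; the sample JSON uses placeholder identifiers.
"""
import json
import re
import sys

REQUIRED = ("StealthSecurityGroup", "StealthBucket")

SAMPLE_DESCRIBE_STACKS = json.dumps({"Stacks": [{
    "StackName": "stealth-management-server",           # placeholder stack name
    "StackStatus": "CREATE_COMPLETE",
    "Outputs": [
        {"OutputKey": "StealthSecurityGroup", "OutputValue": "sg-0123456789abcdef0"},
        {"OutputKey": "StealthBucket", "OutputValue": "stealth-bucket-placeholder"},
    ],
}]})


def management_server_outputs(describe_stacks_json, stack_name):
    """Return {'StealthSecurityGroup': ..., 'StealthBucket': ...} for a finished stack.

    Raises if the stack is missing, not yet (or no longer) CREATE_COMPLETE,
    or lacks the two keys the endpoint template needs.
    """
    stacks = json.loads(describe_stacks_json).get("Stacks", [])
    stack = next((s for s in stacks if s.get("StackName") == stack_name), None)
    if stack is None:
        raise LookupError(f"no stack named {stack_name}")
    status = stack.get("StackStatus")
    if status in ("CREATE_FAILED", "ROLLBACK_FAILED"):
        raise RuntimeError(f"{stack_name} is {status}; logs and diagnostics are in the "
                           "EnterpriseManager\\log subfolder of the stack's S3 bucket")
    if status != "CREATE_COMPLETE":
        raise RuntimeError(f"{stack_name} is {status}; wait for CREATE_COMPLETE")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    missing = [k for k in REQUIRED if k not in outputs]
    if missing:
        raise KeyError(f"stack outputs lack {', '.join(missing)}")
    if not re.fullmatch(r"sg-[0-9a-f]+", outputs["StealthSecurityGroup"]):
        raise ValueError("StealthSecurityGroup is not a security group ID")
    return {k: outputs[k] for k in REQUIRED}


if __name__ == "__main__":
    # Usage: aws cloudformation describe-stacks --stack-name NAME | python this_script.py NAME
    name = sys.argv[1] if len(sys.argv) > 1 else "stealth-management-server"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_STACKS
    for key, value in management_server_outputs(text, name).items():
        print(f"{key}={value}")
```

The two values it prints are the ones you enter for Stealth Security Group and Stealth S3 Bucket in 3.4.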

3.2. Determining the Stealth User Role for the Endpoint Instance

When you launch an endpoint instance, you select a Stealth user role to assign to the instance.

You assign user roles to enable secure communication in your environment. Endpoint instances that share a COI can communicate with one another; endpoint instances that do not share a COI cannot communicate.

In addition, other non-Stealth-enabled components cannot communicate with any Stealth endpoint instance. To enable Stealth endpoint instances to communicate with non-Stealth-enabled components, you must create filters to allow clear text communication with those components.


You created up to three Segmented user roles and up to three Tiered user roles when you launched the Management Server instance in 2.4 Selecting Parameters and Launching the Management Server Instance. For example, you might have given these user roles names that correspond to segmented security levels in your environment (such as Classified, Secret, and TopSecret) or that correspond to segmented departments (such as HR, Marketing, and Executive). In contrast, you might have given the Tiered user roles names that correspond to tiered functions (such as WebServer, AppServer, and DBServer).

Ensure that you understand which Stealth user role (associated with which configuration—Segmented or Tiered) you want to assign before you launch an endpoint instance.

Note: Changing the user role after an endpoint instance is launched is a manual process. See the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for more information on adding and changing user roles.
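Since the role you pick here is hard to change later, it helps to write the communication rules down and check the intended topology against them before launching. The model below is an added example, not Unisys code or a description of the Stealth protocol: it encodes only what this guide states (segmented endpoints talk solely to endpoints with the same role; in the tiered configuration Tier2 talks to Tier1 and Tier3 while Tier1 and Tier3 cannot reach each other; a host without Stealth endpoint software is unreachable unless a clear-text filter covers it). The role names are constructed samples, and two points the guide does not spell out are assumptions made here: endpoints in the same tier share a COI, and a segmented role never shares a COI with a tiered one.

```python
"""Model of which peers can communicate under the user-role rules in the guide.
Added example, not Unisys code; see the lead-in for the assumptions it makes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

SEGMENTED = {"HR", "Marketing", "Executive"}      # sample Segment1..3 role names
TIERED = ["WebServer", "AppServer", "DBServer"]   # sample Tier1, Tier2, Tier3 in order


@dataclass(frozen=True)
class Peer:
    ip: str
    role: Optional[str] = None   # None: no Stealth endpoint software on this host


def share_coi(role_a: str, role_b: str) -> bool:
    """Whether two Stealth user roles share a community of interest."""
    if role_a in SEGMENTED or role_b in SEGMENTED:
        return role_a == role_b                    # segmented: the same role only
    if role_a in TIERED and role_b in TIERED:
        gap = abs(TIERED.index(role_a) - TIERED.index(role_b))
        return gap <= 1                            # same tier (assumed) or adjacent tier
    return False                                   # unknown role: no COI


def can_communicate(a: Peer, b: Peer, clear_text_filters: Sequence[str] = ()) -> bool:
    """True if Stealth lets traffic flow between a and b.

    clear_text_filters lists CIDR ranges of non-Stealth hosts that endpoints may
    reach in clear text (the guide creates one for the Administration and
    Diagnostics System address).
    """
    if a.role is None and b.role is None:
        return True                                # Stealth is not in the path at all
    if a.role is not None and b.role is not None:
        return share_coi(a.role, b.role)
    plain = a if a.role is None else b             # exactly one side is unprotected
    addr = ipaddress.ip_address(plain.ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in clear_text_filters)


def reachable_from(source: Peer, peers: Sequence[Peer], filters: Sequence[str] = ()) -> list:
    """IPs of the peers that `source` can reach; useful for a quick policy review."""
    return [p.ip for p in peers if p is not source and can_communicate(source, p, filters)]


if __name__ == "__main__":
    web, app, db = Peer("10.0.2.10", "WebServer"), Peer("10.0.2.20", "AppServer"), Peer("10.0.2.30", "DBServer")
    admin = Peer("10.0.0.5")                       # Administration and Diagnostics System
    print("AppServer reaches:", reachable_from(app, [web, db, admin], ["10.0.0.5/32"]))
    print("WebServer reaches:", reachable_from(web, [app, db, admin], ["10.0.0.5/32"]))
```

Running it shows the three-tier picture from 2.4 step 7: the application tier reaches both the web and database tiers, whereas the web tier reaches only the application tier (plus the administration host, because of the clear-text filter).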

3.3. Subscribing to Endpoint Instances

Stealth(cloud) for AWS supports the following operating systems running on endpoint instances:

• Windows Server 2008 R2

• Windows Server 2012 R2

• Red Hat Enterprise Linux 6.x and 7.x

• SUSE Linux Enterprise Server 11.x

• Ubuntu Linux 14.04

Do the following to subscribe to one or more Stealth(cloud) endpoint instances:

1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).

2. At the top of the page, click Sign in, and then sign in using your AWS account credentials.

3. In the search box, enter Unisys Stealth.

4. On the results page, select one of the following types of Stealth endpoints:

• Unisys Stealth(cloud) on Windows Server 2008 R2

• Unisys Stealth(cloud) on Windows Server 2012 R2

• Unisys Stealth(cloud) on Red Hat Enterprise Linux 6

• Unisys Stealth(cloud) on Red Hat Enterprise Linux 7

• Unisys Stealth(cloud) on SUSE Linux Enterprise Server 11

• Unisys Stealth(cloud) on Ubuntu Linux 14.04

Launching Stealth Endpoint Instances

3–2 8205 5658-002


5. On the solutions page for the Stealth endpoint type you selected, do the following:

a. Under Pricing Details, under For region, use the default region or select a new region.

b. Under Pricing Details, under Delivery Methods, select Stealth(cloud) on <operating system>.

Note: A CloudFormation template is the required method to launch the Stealth endpoint; therefore, you must select this option. (Do not select Single AMI.)

6. Click Continue.

7. If you have previously subscribed to this product, skip to the next step.

If this is your first time subscribing to this product, you are prompted to accept the terms; do the following:

a. On the Launch on EC2 page, click Accept Terms.

You see the Thank You page, which states that you will receive an email with more details.

b. Review the email when it arrives, and then return to the Thank You page.

c. On the Thank You page, click Return to Product Page.

You see the Launch on EC2 page.

8. On the Launch on EC2 page, confirm that the region you want to use is selected, and ensure that Stealth(cloud) on <operating system> is selected under Deployment Options.

9. Click Launch with CloudFormation Console.

Note: If you do not see the Launch with CloudFormation Console button, change the value under Deployment Options from Single AMI to Unisys Stealth(cloud) on <operating system>.

The values you entered are processed, and the CloudFormation console launches with the endpoint CloudFormation template selected.

Continue by performing the procedure in the following topic: 3.4 Selecting Parameters and Launching the Stealth Endpoint Instance.

Note: After you complete the procedure in 3.4 Selecting Parameters and Launching the Stealth Endpoint Instance, you can return to this procedure and perform these steps again to launch as many endpoint instances as are required in your environment.

3.4. Selecting Parameters and Launching the Stealth Endpoint Instance

Note: For a printable worksheet that you can use to record the values you enter, see A.2 Endpoint Instance Planning.


After you subscribe to the endpoint type, do the following to select parameters and launch the endpoint instance:

1. On the CloudFormation console, on the Select Template page, click Next.

The Specify Details page appears and provides a set of parameters that you use to configure the endpoint instance.

Note: The parameters you enter on this page are not verified until you create the CloudFormation stack. Therefore, you should be very careful to enter these values correctly. For example, you are prompted to enter and verify the user role password on this page, and you should ensure that these passwords match; if they do not, the CloudFormation stack creation will fail.

2. Enter a name for the stack in the Stack name box.

3. Under Amazon EC2 Configuration, enter the following:

a. For VPC, select the VPC where you launched the Management Server instance.

b. For Subnet, select the subnet within the VPC that you want to use for this endpoint instance.

Note: The Management Server instance and Stealth endpoint instances can use separate subnets within the same VPC.

c. For Stealth Security Group, select the security group created by the Management Server instance, which you were directed to record earlier in this topic.

d. For EC2 Key Name, select the name of an existing EC2 key pair that you want to use to meet the Amazon administrative requirement to have a key pair for all EC2 instances.

e. For EC2 Instance Type, select the EC2 instance type you want to use for the new instance.

The default is m4.large, but you can use any available instance type in the list.

Note: If you select the South America (São Paulo) region, you must change the default value. m4 instance types are not supported in this region.

f. For IAM Instance Profile, optionally specify an existing Identity and Access Management (IAM) instance profile, if you do not want to use the instance profile created by the CloudFormation template. (An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.)

Note: If you specify an existing IAM instance profile, that profile must have access to the bucket that you select in the following step.

4. Under Unisys Stealth Configuration, enter the following:

a. For Stealth S3 Bucket, enter the S3 bucket ID that corresponds to the Management Server instance, which you were directed to record earlier in this topic.

b. For Stealth Username, select the name of the Stealth user role that you want to assign to this instance.


You specified up to six user roles (three Segmented user roles and three Tiered user roles) when you configured the Management Server instance in 2.4 Selecting Parameters and Launching the Management Server Instance.

c. For Stealth Username Password, enter the password for the user role that you specified for the StealthUsername parameter. You entered this password when you configured the Management Server instance in 2.4 Selecting Parameters and Launching the Management Server Instance.

Note: Be very careful to enter the correct password. This password is not verified against the Management Server CloudFormation template when the endpoint instance is launched. If you enter an incorrect password, the CloudFormation stack creation will fail.

d. For Stealth Username Password Verify, verify the password that you entered.

5. When you have finished specifying the configuration parameters, click Next.

6. On the Options page, optionally enter one or more key-value pairs to tag the instance. Tags are used to help identify resources in the AWS console.

7. Optionally set any additional advanced options for the new instance.

Note: Do not change the value for the Rollback on failure option (the default value is Yes).

8. Click Next.

9. On the Review page, verify that the parameters and options that you specified appear correctly, select the check box for the “I acknowledge that this template might cause AWS CloudFormation to create IAM resources” notice, and then click Create.

10. Wait until the endpoint instance is created (that is, wait until the status reads CREATE_COMPLETE).

Windows operating system instances can take approximately 30 minutes to launch from AWS, while Linux operating system instances can take approximately 15 minutes to launch from AWS. The CloudFormation template requires an additional five minutes to be completed. If the AWS geographic region you are using is experiencing a heavy traffic load, this process might require additional time. Therefore, you should allow at least 45 minutes for a Windows endpoint instance or 20 minutes for a Linux endpoint instance status to read CREATE_COMPLETE.


Notes:

• If the instance reads CREATE_COMPLETE in only a few minutes, this is usually an indicator that the endpoint instance has failed to launch correctly. This is most commonly a result of parameters being entered incorrectly; for example, entering different passwords for the same user role. In that case, select the instance, and then select the Outputs tab to review the provided error message.

• If the instance reads CREATE_FAILED or ROLLBACK_FAILED, the CloudFormation logs and Stealth diagnostics are collected and uploaded to the Amazon S3 bucket, which is created during the Management Server CloudFormation process, in the <user role>\log subfolder (where <user role> is the user role name you specified earlier in this procedure).

• If you select an endpoint instance type that is not available in your region, you see an error on the CloudFormation page, Events tab, which reads “The requested configuration is currently not supported. Please check the documentation for supported configurations.”
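The checks in these notes can be applied to the stack's event list rather than by eye. The following is an added example, not part of this guide or of Unisys's software: it classifies a Stealth endpoint stack from events in the shape the CloudFormation DescribeStackEvents API returns, using the launch times and failure indicators the guide gives above. The function name, the 10-minute "few minutes" threshold, and the sample stacks, bucket name and user role are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

STACK_TYPE = "AWS::CloudFormation::Stack"
# Events-tab message the guide quotes for an instance type unavailable in the region
UNSUPPORTED_MSG = "The requested configuration is currently not supported"
# Waits the guide says to allow before expecting CREATE_COMPLETE
EXPECTED_WAIT = {"windows": timedelta(minutes=45), "linux": timedelta(minutes=20)}
# What counts as "CREATE_COMPLETE in only a few minutes" (assumed threshold)
QUICK_COMPLETE = timedelta(minutes=10)


def classify_endpoint_stack(events, os_type, bucket, user_role, now=None):
    """Classify a Stealth endpoint stack from DescribeStackEvents-shaped events.

    Returns a dict with the stack status, minutes elapsed, a verdict
    (healthy / suspicious / failed / rolled_back / in_progress / other) and the
    check the guide prescribes for that case.
    """
    stack_events = sorted((e for e in events if e["ResourceType"] == STACK_TYPE),
                          key=lambda e: e["Timestamp"])
    if not stack_events:
        raise ValueError("no stack-level events: is this the right stack?")
    started = stack_events[0]["Timestamp"]
    status = stack_events[-1]["ResourceStatus"]
    now = now or datetime.now(timezone.utc)
    elapsed = stack_events[-1]["Timestamp"] - started
    result = {"status": status, "elapsed_min": int(elapsed.total_seconds() // 60)}

    if status == "CREATE_COMPLETE" and elapsed < QUICK_COMPLETE:
        result["verdict"] = "suspicious"
        result["action"] = ("CREATE_COMPLETE after only a few minutes usually means the "
                            "endpoint did not launch correctly (for example, mismatched "
                            "passwords for the user role); review the Outputs tab.")
    elif status == "CREATE_COMPLETE":
        result["verdict"] = "healthy"
        result["action"] = "Connect to the endpoint and check the Stealth status."
    elif status in ("CREATE_FAILED", "ROLLBACK_FAILED"):
        result["verdict"] = "failed"
        result["action"] = (f"Read the CloudFormation logs and Stealth diagnostics in "
                            f"bucket {bucket}, subfolder {user_role}\\log.")
    elif status.startswith("ROLLBACK"):
        result["verdict"] = "rolled_back"
        result["action"] = "Creation failed and Rollback on failure ran; review the Events tab."
    elif status == "CREATE_IN_PROGRESS":
        remaining = EXPECTED_WAIT[os_type] - (now - started)
        result["verdict"] = "in_progress"
        result["remaining_min"] = max(0, int(remaining.total_seconds() // 60))
        result["action"] = f"Keep waiting; allow about {result['remaining_min']} more minutes."
    else:
        result["verdict"] = "other"
        result["action"] = "Review the Events tab."

    # The instance-type error is reported on the failing resource, not on the stack
    if any(UNSUPPORTED_MSG in e.get("ResourceStatusReason", "") for e in events):
        result["unsupported_instance_type"] = True
        result["action"] += " The selected instance type is not available in this region."
    return result


def _ev(minutes, rtype, status, reason=""):
    """Build a constructed event `minutes` after a fixed start time."""
    ts = datetime(2016, 5, 10, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)
    return {"Timestamp": ts, "ResourceType": rtype, "ResourceStatus": status,
            "ResourceStatusReason": reason}


INSTANCE = "AWS::EC2::Instance"
# Constructed sample stacks (not real AWS output)
LINUX_OK = [_ev(0, STACK_TYPE, "CREATE_IN_PROGRESS"), _ev(1, INSTANCE, "CREATE_IN_PROGRESS"),
            _ev(13, INSTANCE, "CREATE_COMPLETE"), _ev(18, STACK_TYPE, "CREATE_COMPLETE")]
WINDOWS_QUICK = [_ev(0, STACK_TYPE, "CREATE_IN_PROGRESS"), _ev(4, STACK_TYPE, "CREATE_COMPLETE")]
BAD_TYPE = [_ev(0, STACK_TYPE, "CREATE_IN_PROGRESS"),
            _ev(2, INSTANCE, "CREATE_FAILED", UNSUPPORTED_MSG + ". Please check the "
                "documentation for supported configurations."),
            _ev(2, STACK_TYPE, "ROLLBACK_IN_PROGRESS"), _ev(5, STACK_TYPE, "ROLLBACK_FAILED")]

if __name__ == "__main__":
    for name, events, os_type in (("linux-ok", LINUX_OK, "linux"),
                                  ("windows-quick", WINDOWS_QUICK, "windows"),
                                  ("bad-type", BAD_TYPE, "linux")):
        r = classify_endpoint_stack(events, os_type, "stealth-bucket-example", "Segmented1")
        print(f"{name}: {r['verdict']} ({r['status']}, {r['elapsed_min']} min) - {r['action']}")
```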


Section 4 Understanding Your Stealth(cloud) for AWS Environment

After you configure the Management Server instance and at least two endpoints in the same user role, your endpoints can use secure Stealth tunnels to communicate.

This section provides an overview of how to access the Management Server instance and view the Enterprise Manager interface, as well as how to view the endpoint instances and the current Stealth status.

4.1. Accessing the Enterprise Manager Interface

You use the Enterprise Manager interface, running on the Management Server instance, to manage your Stealth configuration.

To log on to the Management Server instance and access the Enterprise Manager interface, perform the following procedure:

1. From the AWS Management Console, select EC2 under Compute.

2. On the EC2 Dashboard, select Instances in the left pane (under Instances).

3. Right-click the Administration and Diagnostics System instance, and select Connect.

4. If your Administration and Diagnostics System was automatically generated by the Management Server CloudFormation template, do the following to obtain the Administrator user account password to log on to the Administration and Diagnostics System:

a. On the Connect to Your Instance dialog box, click Get Password.

b. Click Browse, and then select the EC2 key pair that you selected when you initially configured the Management Server instance.

c. Click Decrypt Password to obtain the Administrator user account password for the Administration and Diagnostics System. Make a note of this password or copy it to the clipboard.

5. On the Connect to Your Instance dialog box, if required, download and open the Remote Desktop File.

6. Log on to the Administration and Diagnostics System using the user name and password.

7. On the Administration and Diagnostics System, use Remote Desktop Connection (RDP) or other connection software (if you selected a Linux operating system for your Administration and Diagnostics System), and connect to the Management Server instance using its private IP address.

8. If you receive a warning that the identity of the remote computer cannot be verified, click Yes to continue.

9. Log on to the Management Server instance using the EMAdmin user name and the password that you set for the EMAdminPassword in 2.4 Selecting Parameters and Launching the Management Server Instance.

10. On the Management Server instance desktop, double-click the Unisys Enterprise Manager Portal icon.

Note: Alternatively, you can enter https://<Management Server private IP address>:29080/ in a browser window.

11. If you see a warning that there is a problem with the website security certificate, click Continue to this website (not recommended).

12. Log on to the Enterprise Manager interface using the portaladmin user name and the password that you set for the Interface Administrator Password in 2.4 Selecting Parameters and Launching the Management Server Instance.

The Enterprise Manager interface displays the Stealth Network Dashboard, which provides an overview of your configuration.

Caution

Be very careful when deleting or reassigning any components in the Enterprise Manager interface. If you delete any configurations, roles, users, or certificates, or if you reassign components to different roles or configurations, you could disrupt all Stealth communications in your environment.

For information on how to change your configuration, closely follow the procedures in the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide.

For more information on using the Enterprise Manager interface, select Help from the menu bar to launch the Unisys Stealth Solution Enterprise Manager Interface Help. To access context-sensitive help information for a specific interface element, click the question mark (?) help icon for that element.

4.2. Accessing Windows Endpoints and Viewing Stealth Status

Stealth endpoint instances running the Windows operating system include the Stealth Applet (USS-Applet). You use the Stealth Applet to view the status of the Stealth service on the endpoint instance.


Note: You should wait until the status reads CREATE_COMPLETE before connecting to the endpoint instance. If you connect to the endpoint instance before the CloudFormation process is complete, the Stealth Applet might not start.

Do the following:

1. Obtain the password for the endpoint by doing the following:

a. From the system that includes the EC2 key pair, access the EC2 Dashboard and browse to the endpoint instance.

b. Right-click the endpoint instance and select Connect.

c. On the Connect to Your Instance dialog box, click Get Password.

d. Click Browse, and then select the EC2 key pair that you selected when you initially configured the endpoint instance.

e. Click Decrypt Password to obtain the Administrator user account password for the endpoint instance. Make a note of this password or copy it to the clipboard.

f. Close the Connect To Your Instance dialog box.

2. Log on to an endpoint instance by doing the following:

a. Log on to the Administration and Diagnostics System using the user name and password.

Note: You should have already obtained the Administration and Diagnostics System password and downloaded the Remote Desktop File, as described in 4.1 Accessing the Enterprise Manager Interface.

b. On the Administration and Diagnostics System, use Remote Desktop Connection (RDP) or other connection software (if you selected a Linux operating system for your Administration and Diagnostics System), and connect to the endpoint instance using its private IP address.

c. If you receive a warning that the identity of the remote computer cannot be verified, click Yes to continue.

d. Log on to the endpoint instance using the Administrator user account and the password that you copied when you decrypted the password earlier in this procedure.

3. On the endpoint instance, to access the Stealth Applet, click the Show hidden icons (arrow) button in the taskbar, and then click the Stealth Shield icon.

Note: If the Applet does not appear in the taskbar, you can access it from the Start menu by typing USS-Applet in the Search box.

4. Optionally, do the following to display the Stealth Shield icon in the taskbar:

a. Click the Show hidden icons (arrow) button in the taskbar, and then click Customize.

b. On the Select which icons and notifications appear on the taskbar window, for the Unisys Stealth Solution shield icon, select Show icon and notifications from the Behaviors list, and then click OK.


The Stealth Applet shows the status of your Stealth communications on the endpoint. For more information on using the Stealth Applet, click Help in the left menu on the Applet.

4.3. Accessing Linux Endpoints and Viewing Stealth Status

Stealth endpoint instances running the Linux operating system use a command to view the status of the Stealth service on the endpoint instance.

Notes:

• You should wait until the status reads CREATE_COMPLETE before connecting to the endpoint instance.

• To access a Linux endpoint from a Windows-based Administration and Diagnostics System, you must install an SSH client (for example, PuTTY).

Do the following to access the endpoint and view the status of the Stealth service on the endpoint instance:

1. Log on to an endpoint instance by doing the following:

a. Log on to the Administration and Diagnostics System using the user name and password.

Note: You should have already obtained the Administration and Diagnostics System password and downloaded the Remote Desktop File, as described in 4.1 Accessing the Enterprise Manager Interface.

b. On the Administration and Diagnostics System, use SSH to connect to the endpoint instance using the endpoint private IP address and the EC2 key pair that you selected when you initially configured the endpoint instance.

There are several methods you can use to connect to a Linux endpoint and log on. For more information, see the “Connect to Your Instance” topic in the Amazon Elastic Compute Cloud User Guide for Linux Instances (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-connect-to-instance-linux.html).

Note: Although the Amazon “Connect to Your Instance” procedure instructs you to use the public DNS name to connect to your Linux endpoint, because you are connecting to the endpoint from a private location (from the Administration and Diagnostics System), you must use the private IP address. For example, if you are using PuTTY, Amazon instructs you to enter user_name@public_dns_name. However, you must enter user_name@private_IP_address to successfully access the Linux endpoint instance.

2. Enter the following command as root:

stconfig -S

The stconfig -S command shows the status of your Stealth communications on the endpoint.


4.4. Limitations When Accessing AWS Services

As described in 1.5 Understanding Default Filters, external AWS services (outside of the VPC) are automatically white-listed for clear-text communication.

Internal AWS services (inside of the VPC), including elastic load balancing (ELB) and auto-scale groups, should be deployed on known subnets so that you can easily create filters to enable clear-text communications. For more information on adding filters to access non-Stealth-enabled components and other services, see the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide.


Section 5 Making Changes to Your Stealth(cloud) for AWS Environment

This section includes information about updating the initial configuration for your Stealth(cloud) environment and updating your AWS instance types.

5.1. Updating the Initial Configuration

After you initially configure and deploy your environment, you can manually update the initial configuration.

See Section 2, “Modifying the Stealth(cloud) AWS Environment” in the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for detailed information on the following:

• Creating new filters and applying them to user roles

• Updating existing user roles

• Creating new user roles and updating endpoint instances

5.2. Optionally Updating the Management Server Instance Type

You selected an instance type and associated license capacity when you initially configured the Management Server instance in 2.2 Determining the Management Server Instance Size and License Capacity.

However, if you need to change the instance type and maximum license capacity (for example, if you subscribed to more Stealth AWS endpoint instances than Enterprise Manager is licensed to authorize concurrently), you can optionally resize the Management Server instance.

You can resize your instance to use any of the following Amazon instance types:

• Small – m4.large EC2 instance that supports up to 25 endpoint instances

• Medium – m4.large EC2 instance that supports up to 50 endpoint instances

• Large – m4.xlarge EC2 instance that supports up to 250 endpoint instances

• Extra Large – m4.2xlarge EC2 instance that supports up to 500 endpoint instances


Note: If you select the South America (São Paulo) region, m3 instance types are used.

When you resize your instance, the maximum number of subscribed endpoint instances that can be authorized is automatically updated to match the new size.

Caution

You should not select any instance type besides m4.large, m4.xlarge, or m4.2xlarge (or the corresponding m3 instance types if you select the South America (São Paulo) region). These instance types have been specifically selected to meet the vCPU, memory, and configuration requirements of the Enterprise Manager software.

If you select another instance type, your Management Server instance might not be able to start or run.

See the following:

• For more information on Amazon EC2 instance types, see https://aws.amazon.com/ec2/instance-types.

• For directions on how to resize the Management Server instance, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html.

5.3. Optionally Updating Endpoint Instance Types

You selected an instance type when you initially configured endpoint instances in 3.4 Selecting Parameters and Launching the Stealth Endpoint Instance.

If you need to change the instance type, you can do so at any time. You can change your endpoint instance to use any current-generation AWS instance type that supports AWS hardware virtual machine (HVM) virtualization.

You should not use instance types that support only paravirtual (PV) virtualization, because this could negatively impact the performance of your endpoint instances.

See the following:

• For more information on Amazon EC2 instance types, see https://aws.amazon.com/ec2/instance-types.

• For more information on HVM and PV virtualization, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html.

• For directions on how to resize an endpoint instance, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html.


5.4. Launching Endpoint Instances Using Private AMIs

After you use the CloudFormation templates to deploy Stealth-enabled endpoint instances, you can deploy duplicate endpoint instances using private AMIs. You might want to duplicate an endpoint instance to deploy multiple, identical workload servers that run the same customized software. Performing this procedure eliminates the need to reinstall customized software on multiple workload server instances.

Note: To perform this procedure successfully, you must use an AWS account that has already subscribed to the Unisys Stealth(cloud) for AWS endpoint instance type.

Launching Windows Endpoint Instances from a Private AMI

Do the following to create a private AMI based on a Windows endpoint and deploy endpoint instances using the private AMI:

1. Create a new private AMI based on the endpoint instance.

See the Amazon documentation at http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html for more detailed information.

When you create a new private AMI, you use the EC2Config service to run Sysprep to configure the new AMI.

Consider the following best practices for configuring the private AMI:

• You can use the default EC2Config service answer file (C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml) without modification, or you can review the file and make changes as appropriate for your environment.

• When specifying the Administrator password, it is recommended that you select Random and then click Shutdown with Sysprep.

2. On the EC2 Console, launch one or more endpoint instances using the private AMI that you created.

When you launch the new endpoint instances, you must do the following:

• Deploy the endpoint instances in the same VPC as the Management Server instance.

• Select the StealthSecurityGroup that was created when you deployed the Management Server instance.

3. After you launch an endpoint instance, log on to the instance.

4. On the endpoint instance, access the Stealth Applet by clicking the Show hidden icons (arrow) button in the taskbar, and then clicking the Stealth Shield icon.

Note: If the Applet does not appear in the taskbar, you can access it from the Start menu by typing USS-Applet in the Search box.


5. Do one of the following, depending on the color of the Stealth Applet:

• Blue – Stealth is enabled and the endpoint is secured. No further action is required.

• Yellow – Do the following to enable the Stealth Applet to monitor and report the status of Stealth services:

a. Run PowerShell as an administrator.

b. Enter the following command to change to the Stealth Solution folder:

cd "C:\ProgramData\Unisys\Stealth Solution"

c. Enter the following command:

.\Restore-Java-Keystore.ps1

The Stealth Applet running on the endpoint instance restarts. When the blue Stealth Shield icon appears in the taskbar, Stealth is enabled and the endpoint is secured.

• Red – Stealth is disabled. Verify that the endpoint instance is using the StealthSecurityGroup that was created when you deployed the Management Server instance, as instructed in the previous step. If required, update the StealthSecurityGroup.

If this does not resolve the problem, see Section 7, Troubleshooting.

For more information on verifying the Stealth status, see 4.2 Accessing Windows Endpoints and Viewing Stealth Status.

Launching Linux Endpoint Instances from a Private AMI

Do the following to create a private AMI based on a Linux endpoint and deploy endpoint instances using the AMI:

1. On the EC2 Console, ensure that the endpoint instance that you want to use to create the private AMI is stopped.

2. Create a new private AMI based on the endpoint instance.

See the Amazon documentation at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html for more detailed information.

3. On the EC2 Console, launch one or more endpoint instances using the private AMI that you created.

When you launch the new endpoint instances, you must do the following:

• Deploy the endpoint instances in the same VPC as the Management Server instance.

• Select the StealthSecurityGroup that was created when you deployed the Management Server instance.


Managing the Instance Used to Create Private AMIs

After you finish creating private AMIs, you can do any of the following to the instance that you used to create these AMIs:

• Stop the endpoint instance (if it is not already stopped) and leave it in a stopped state.

• Delete the instance, and delete the CloudFormation stack associated with the instance.

• Power on the instance and use it as a Stealth endpoint.

Troubleshooting

For information on troubleshooting issues with private AMIs, see 7.5 Troubleshooting Private AMIs.


Section 6 Upgrading or Updating Management Server and Endpoint Instances

This section describes the process for upgrading or updating your subscribed Management Server and endpoint instances. When you upgrade, you install a new software level. When you update, you install a new version of your existing software level.

When upgrades or updates become available, you receive an email from Amazon. For your convenience and for security, Unisys provides the upgrade or update files on an Upgrade System that you can subscribe to and launch within your VPC. This enables you to securely update your Management Server and endpoint instances without having to transfer files over a potentially insecure Internet connection.

Also for security, the Upgrade System does not include a public IP address by default, which ensures that it can only communicate with other components in the VPC. In addition, the Security Group is restricted to enable only HTTP traffic using port 80.
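As an added example (not code from this guide or from Unisys), the following audit checks an Upgrade System instance for the posture described above: no public IP address, the same VPC as the Management Server, and attached security groups that admit only TCP port 80. It assumes instance and security group data in the shape returned by the EC2 DescribeInstances and DescribeSecurityGroups APIs; the sample records, IDs and addresses are constructed placeholders.

```python
# Ingress the guide allows for the Upgrade System: HTTP on port 80 only
EXPECTED_INGRESS = ("tcp", 80)


def _describe_perm(perm):
    """Render one IpPermission entry as 'proto lo-hi' for a finding."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all protocols/ports"
    return f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_upgrade_system(instance, security_groups, management_vpc_id):
    """Return findings where the instance deviates from the guide's Upgrade System posture.

    instance:          one Instance dict (DescribeInstances shape)
    security_groups:   SecurityGroup dicts (DescribeSecurityGroups shape) for the
                       groups attached to the instance
    management_vpc_id: VPC of the Management Server, which the Upgrade System must share
    An empty list means: private only, same VPC, ingress limited to tcp/80.
    """
    findings = []
    public_ips = [instance.get("PublicIpAddress")] + [
        ni.get("Association", {}).get("PublicIp")
        for ni in instance.get("NetworkInterfaces", [])]
    if any(public_ips):
        findings.append("instance has a public IP address; the Upgrade System should be "
                        "reachable only from inside the VPC")
    if instance.get("VpcId") != management_vpc_id:
        findings.append(f"instance is in {instance.get('VpcId')}, not the Management "
                        f"Server VPC {management_vpc_id}")
    by_id = {g["GroupId"]: g for g in security_groups}
    for ref in instance.get("SecurityGroups", []):
        group = by_id.get(ref["GroupId"])
        if group is None:
            findings.append(f"{ref['GroupId']} is attached but was not supplied for review")
            continue
        for perm in group.get("IpPermissions", []):
            if (perm.get("IpProtocol"), perm.get("FromPort")) != EXPECTED_INGRESS \
                    or perm.get("ToPort") != EXPECTED_INGRESS[1]:
                findings.append(f"{ref['GroupId']} allows ingress {_describe_perm(perm)}; "
                                f"only tcp 80-80 is expected")
    return findings


# Constructed sample data (not real AWS output); IDs and addresses are placeholders
MGMT_VPC = "vpc-0example0"
BASELINE_SG = {"GroupId": "sg-0upgrade00", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
UPGRADE_OK = {"InstanceId": "i-0upgrade000", "VpcId": MGMT_VPC,
              "PrivateIpAddress": "10.0.1.25",
              "SecurityGroups": [{"GroupId": "sg-0upgrade00", "GroupName": "upgrade-system"}],
              "NetworkInterfaces": [{"PrivateIpAddress": "10.0.1.25"}]}
# Drifted copy: an Elastic IP was attached and RDP was opened in the group
DRIFTED_SG = {"GroupId": "sg-0upgrade00", "IpPermissions": BASELINE_SG["IpPermissions"] + [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
UPGRADE_DRIFTED = dict(UPGRADE_OK, PublicIpAddress="203.0.113.10",
                       NetworkInterfaces=[{"PrivateIpAddress": "10.0.1.25",
                                           "Association": {"PublicIp": "203.0.113.10"}}])

if __name__ == "__main__":
    for label, inst, groups in (("baseline", UPGRADE_OK, [BASELINE_SG]),
                                ("drifted", UPGRADE_DRIFTED, [DRIFTED_SG])):
        found = audit_upgrade_system(inst, groups, MGMT_VPC)
        print(f"{label}: {'OK' if not found else ''}")
        for f in found:
            print("  -", f)
```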

After you launch the Upgrade System in your VPC, you can connect to its web server from your Administration and Diagnostics System and download the appropriate upgrade or update files. You can then transfer those files from the Administration and Diagnostics System to your Management Server and endpoint instances, and then deploy the files.

See the following procedures for additional details.

Note: Before you begin, it is a best practice to back up any instances that you plan to upgrade. See the Amazon documentation at http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EBSSnapshots.html for more detailed information.

6.1. Subscribing to and Launching the Upgrade System

Do the following to subscribe to and launch the Upgrade System:

1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).

2. At the top of the page, click Sign in, and then sign in using your AWS account credentials.


3. In the search box, enter Unisys Stealth.

4. On the results page, select Unisys Stealth(cloud) Upgrade System.

5. On the Unisys Stealth(cloud) Upgrade System solutions page, click Continue.

6. On the Launch on EC2 page, do the following:

a. Under Version, ensure that the latest software version is selected.

b. Under Region, ensure that the correct region is selected, or expand Region and select a new region from the list.

c. Expand VPC Settings, and select the VPC where you launched the Management Server instance.

Note: You can select any subnet within the VPC that supports t2.micro instances.

d. Under Security Group, review the default settings. It is a best practice to retain the default settings.

e. Expand Key Pair, and select the name of an existing EC2 key pair that you want to use to meet the Amazon administrative requirement to have a key pair for all EC2 instances.

f. Click Launch with 1-Click.

7. Review the information in the window that states that an instance of the software is now deploying, and then close that window.

8. After the instance is running, click the Manage in AWS Console link next to the Unisys Stealth(cloud) Upgrade System.

9. After the Upgrade System launch process is complete, click the Manage in AWS Console link next to the Stealth(cloud) Upgrade System.

10. Make a note of the Upgrade System private IP address (which is listed on the Description tab for the instance).

6.2. Connecting to the Upgrade System and Downloading Files

After the Upgrade System has been launched, do the following to connect to its web server, and then download the upgrade and update files:

1. Log on to the Administration and Diagnostics System running in your VPC.

2. Open a browser window, and connect to the web server address of the Upgrade System, which is

http://<Upgrade System private IP address>


3. Select the files that you want to download (upgrade or update files for the Management Server and endpoints), as follows:

Stealth(cloud) Component                                  File Name
--------------------------------------------------------  -----------------------------------------
Stealth(cloud) Enterprise Manager (Management Server)     EMInstaller-3.1.xxx.zip
                                                          UnisysStealthSolutionAMIx64-3.1.xxx.msi
Stealth(cloud) for Windows endpoints, including:          UnisysStealthSolutionAMIx64-3.1.xxx.msi
  • Stealth(cloud) for Windows Server 2008
  • Stealth(cloud) for Windows Server 2012
Stealth(cloud) for Linux endpoints, including:            UnisysStealthSolution-Linux-3.1.xxx.sh
  • Stealth(cloud) for Red Hat Enterprise Linux 6
  • Stealth(cloud) for Red Hat Enterprise Linux 7
  • Stealth(cloud) for SUSE Linux Enterprise Server 11
  • Stealth(cloud) for Ubuntu Linux 14.04

Note: If you use Internet Explorer to download files from the Upgrade System, the Enhanced Security Configuration (ESC) feature automatically disables downloads from websites that are not included in the Trusted sites list. When you select the first file, you see one of the following errors, which must be resolved:

• If you see an error that reads: “You are attempting to download a file from a site that is not part of your Trusted Sites,” you must manually add the web server address to the Trusted sites list (by selecting Internet options on the Tools menu and then adding a new Trusted site on the Security tab).

After you add the web server address to Trusted sites, refresh your browser, and then download the file. You might still see an error that reads: “The signature of <file name> is corrupt or invalid,” but you should be able to download the file.

• If you are asked if you want to add the web server address to the Trusted sites list, click Yes. However, if you immediately try to download the file that was just blocked, a corrupted version of this file will be saved to the Administration and Diagnostics System. You must either refresh your browser window after adding this site to the Trusted sites list, or you must download the file twice (to overwrite the corrupted version of the file). Subsequent downloads are not corrupted.

If you are unable to download the files using Internet Explorer, either disable the ESC feature or use a different browser.


The files you select are automatically downloaded to the Administration and

Diagnostics System. The directory in which the files are saved depends on your

browser settings, but they are usually saved in the Downloads folder.

4. Using the standard method for distributing software in your AWS environment, copy

the files as follows:

• Copy EMInstaller-3.1.xxx.zip and UnisysStealthSolutionAMIx64-3.1.xxx.msi to the

Management Server instance

• Copy UnisysStealthSolutionAMIx64-3.1.xxx.msi to the Windows endpoint

instances

• Copy UnisysStealthSolution-Linux-3.1.xxx.sh to the Linux endpoint instances

6.3. Upgrading or Updating the Management Server

To upgrade or update the Management Server, you must install the files in

EMInstaller-3.1.xxx.zip as well as UnisysStealthSolutionAMIx64-3.1.xxx.msi.

Note: During the installation of the new Enterprise Manager software, the associated

Stealth endpoint instances will be rekeyed, meaning that the Stealth tunnels used by the

endpoints will be closed and then reopened. Therefore, you should perform this procedure

during a period when your environment can tolerate a disruption in Stealth

communications.

Do the following:

1. Log on to the Management Server instance using the EMAdmin user name and the

password that you set for the EMAdminPassword in 2.4 Selecting Parameters and

Launching the Management Server Instance.

2. Using Windows Explorer, navigate to EMInstaller-3.1.xxx.zip, and unzip the file.

3. On the Start menu, search for PowerShell, and then right-click PowerShell and

select Run as administrator.

4. In the Administrator: Windows PowerShell window, change to the directory where

you unzipped the file.

5. Enter the following command:

.\Upgrade.ps1

6. When prompted, enter the Enterprise Manager Administrator (EMAdmin) password.

7. When prompted, confirm the Enterprise Manager Administrator (EMAdmin)

password.

8. When prompted, enter the Tomcat user password.

9. When prompted, confirm the Tomcat user password.

10. Wait while the Enterprise Manager software is installed. This can take between 10

and 20 minutes to complete.

11. After the Enterprise Manager software is installed, perform the procedure in

6.4 Upgrading or Updating Windows Endpoint Instances to install the

UnisysStealthSolutionAMIx64-3.1.xxx.msi on the Management Server.

Note: Because the Management Server also runs the endpoint software, you must

install this software on the Management Server as well as on all Windows endpoints.

6.4. Upgrading or Updating Windows Endpoint Instances

Note: During the installation of the new software, there is a brief network interruption

when the Stealth services are restarted.

To upgrade or update Windows endpoint instances using a silent installation process, do

the following:

1. Open a command prompt using the Run as administrator option.

2. Enter the following command:

msiexec /qn /i <file path>\UnisysStealthSolutionAMIx64-3.1.xxx.msi

For example, enter msiexec /qn /i C:\Temp\UnisysStealthSolutionAMIx64-3.1.157.msi.

The new version of Stealth software is installed.

6.5. Upgrading or Updating Linux Endpoint Instances

Note: During the installation of the new software, Stealth is briefly disabled and then

reenabled.

To upgrade or update files on Linux endpoint instances using a silent installation process,

do the following:

1. On the Linux endpoint, open a terminal window, and change to the directory where

you saved the UnisysStealthSolution-Linux-3.1.xxx.sh file.

2. On the Linux endpoint, enter the following command to change the mode:

chmod +x UnisysStealthSolution-Linux-3.1.xxx.sh

For example, enter chmod +x UnisysStealthSolution-Linux-3.1.157.sh.

3. Enter the following command to install the software:

sudo ./UnisysStealthSolution-Linux-3.1.xxx.sh

For example, enter sudo ./UnisysStealthSolution-Linux-3.1.157.sh. (On Linux the path

separator is a forward slash; a backslash would be treated as an escape character.)

The software is installed. When the installation is complete, you see a message that

reads “Stealth configured.”

4. Enter the following command to restart the Stealth software.


Caution

If you do not enter this command to restart the Stealth software after you

install the new software version, your endpoint will be unprotected by Stealth

and will be unable to communicate with other Stealth endpoints that it shares

a COI with.

service stealthd restart

6.6. Launching Upgraded Endpoint Instances in an Upgraded Environment

If you created a Stealth(cloud) for AWS 1.0 environment, you can launch both release 1.0

and 2.0 endpoint instances; however, only release 1.0 endpoint instances will launch

successfully. Therefore, if you upgraded your Management Server to release 2.0 and you

want to launch new release 2.0 endpoint instances, you must perform this procedure.

Note: If you perform this procedure, you will no longer be able to launch release 1.0

endpoints successfully. If you want to continue to launch release 1.0 endpoints, do not

perform this procedure.

If you choose to continue to launch release 1.0 endpoints (and do not perform the steps in

this procedure), you can upgrade those release 1.0 endpoints at any time, using the

procedure in 6.4 Upgrading or Updating Windows Endpoint Instances or 6.5 Upgrading or

Updating Linux Endpoint Instances.

Do the following:

1. On the Amazon Web Services console, under Storage & Content Delivery,

select S3.

2. Select the Stealth S3 Bucket that corresponds to the Management Server

CloudFormation stack for your environment.

Within the Stealth S3 Bucket, you see folders that correspond to each Stealth user

role that you created when you used the CloudFormation templates to launch the

Management Server using release 1.0. For example, if you created user roles for a

three-tier environment, you might see a WebServer folder, an AppServer folder, and a

DBServer folder.

3. Do the following to update the user role folder:

a. Select one of the folders in the Stealth S3 Bucket (for example, select the

WebServer folder).

b. Select the Configuration subfolder, and then select the Packages subfolder.

The folder path should appear like the following:

<Stealth S3 Bucket name>/<User role folder name>/Configuration/Packages


c. Within the Packages folder, locate the following two files:

• SegmentationWinPackage.exe

• SegmentationLinuxPackage.sh

d. Rename these two files, and change the word Segmentation to Segmented.

e. Verify that the files are now named as follows:

• SegmentedWinPackage.exe

• SegmentedLinuxPackage.sh

4. Repeat the previous step to change the file names for the other folders in your S3

Bucket (for example, repeat this step for the AppServer folder and the DBServer

folder).

You can now use the Stealth(cloud) for AWS CloudFormation templates to successfully

launch release 2.0 endpoint instances.
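One way to carry out steps 3 and 4 across every role folder at once and to verify the result (an added example, not part of the guide or the Unisys product; it assumes the bucket layout shown above, a constructed sample key list, and, for the optional S3 step, boto3 with credentials for the account that owns the Management Server stack):

```python
"""Rename Segmentation* packages to Segmented* in every role folder of a Stealth S3 bucket.

Added example, not Unisys code. It assumes the bucket layout from the guide:
<role>/Configuration/Packages/SegmentationWinPackage.exe and ...LinuxPackage.sh.
The sample key list below is constructed for illustration.
"""
from typing import Dict, Iterable, List, Optional, Tuple

OLD_FILES = ("SegmentationWinPackage.exe", "SegmentationLinuxPackage.sh")
NEW_FILES = ("SegmentedWinPackage.exe", "SegmentedLinuxPackage.sh")


def _packages_entry(key: str) -> Optional[Tuple[str, str]]:
    """Return (role, file name) if key is <role>/Configuration/Packages/<file>, else None."""
    parts = key.split("/")
    if len(parts) == 4 and parts[1:3] == ["Configuration", "Packages"]:
        return parts[0], parts[3]
    return None


def plan_renames(keys: Iterable[str]) -> Dict[str, str]:
    """Map each Segmentation* package key to its Segmented* key; other keys are ignored."""
    plan: Dict[str, str] = {}
    for key in keys:
        entry = _packages_entry(key)
        if entry is None or entry[1] not in OLD_FILES:
            continue
        role, name = entry
        new_name = name.replace("Segmentation", "Segmented", 1)
        plan[key] = f"{role}/Configuration/Packages/{new_name}"
    return plan


def apply_plan_locally(keys: Iterable[str], plan: Dict[str, str]) -> List[str]:
    """Key list as it would look after the plan is applied (check this before touching S3)."""
    return [plan.get(key, key) for key in keys]


def missing_renamed_files(keys: Iterable[str]) -> Dict[str, List[str]]:
    """Step e of the procedure: roles whose Packages folder still lacks a Segmented* file."""
    seen: Dict[str, set] = {}
    for key in keys:
        entry = _packages_entry(key)
        if entry is not None:
            seen.setdefault(entry[0], set()).add(entry[1])
    return {role: sorted(set(NEW_FILES) - files)
            for role, files in seen.items() if set(NEW_FILES) - files}


def apply_plan_to_bucket(bucket: str, plan: Dict[str, str]) -> None:
    """Perform the renames in S3 as copy-then-delete (S3 has no rename operation).
    Needs boto3 and credentials; this part is an assumption, not from the guide."""
    import boto3  # imported here so the planning functions work without boto3 installed

    s3 = boto3.client("s3")
    for old_key, new_key in plan.items():
        s3.copy_object(Bucket=bucket, CopySource={"Bucket": bucket, "Key": old_key}, Key=new_key)
        s3.delete_object(Bucket=bucket, Key=old_key)


# Constructed sample listing: two roles not yet renamed, one half-renamed, plus unrelated keys.
SAMPLE_KEYS = [
    "WebServer/Configuration/Packages/SegmentationWinPackage.exe",
    "WebServer/Configuration/Packages/SegmentationLinuxPackage.sh",
    "WebServer/Configuration/readme.txt",
    "AppServer/Configuration/Packages/SegmentationWinPackage.exe",
    "AppServer/Configuration/Packages/SegmentationLinuxPackage.sh",
    "DBServer/Configuration/Packages/SegmentedWinPackage.exe",
    "DBServer/Configuration/Packages/SegmentationLinuxPackage.sh",
    "logs/2016-05/SegmentationWinPackage.exe",
]

if __name__ == "__main__":
    plan = plan_renames(SAMPLE_KEYS)
    for old_key, new_key in plan.items():
        print(f"{old_key} -> {new_key}")
    print("still missing after rename:", missing_renamed_files(apply_plan_locally(SAMPLE_KEYS, plan)))
```

Run the planning and verification functions against a real listing (for example the keys returned by `list_objects_v2`) before calling `apply_plan_to_bucket`.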


Section 7 Troubleshooting

This section provides troubleshooting information for your Stealth for AWS environment.

Review this section for information on diagnosing and resolving problems in your

environment.

7.1. Resolving Common Problems

If you are having trouble launching or connecting to your instances, or problems

authorizing or communicating with Stealth-enabled endpoints, do the following:

• Ensure that instances launched from your VPC are able to access the AWS

CloudFormation services.

In order to launch your Management Server instance and endpoint instances, these

instances must be able to access the CloudFormation services using either a public IP

address or NAT. If your instances do not have a method to access the CloudFormation

services, they will fail to launch after about an hour.

For general information on configuring IP addressing for your VPC and instances, see

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Networking.html.

For specific information about modifying the IP addressing for your instances, see

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html#subnet-public-ip.

• Ensure that you created an Administrative and Diagnostics System, and ensure that

you can connect to it.

• Ensure that you created a Management Server instance.

• Ensure that the endpoint instances that you want to communicate include the same

COI. See 1.4 Understanding Default Stealth Configurations and User Roles for

information about user roles and their communication based on the configuration

(Segmented or Tiered).

• Ensure that your Management Server instances and your endpoint instances are

running. If your instances are not running and cannot be started, contact Amazon AWS

support.

• If you have problems using the Enterprise Manager interface on the Management

Server instance, ensure that you meet all of the requirements in 7.2 Enterprise

Manager Interface Requirements.

• Depending on your operating system, review the Windows application and system

event logs or the Linux Syslog for warning and informational messages that can

provide guidance and suggestions.


• For Windows endpoints, view the status of the Stealth connection using the Stealth

Applet. For Linux endpoints, view the status of the Stealth connection using the

stconfig -S command. See 4.2 Accessing Windows Endpoints and Viewing Stealth

Status and 4.3 Accessing Linux Endpoints and Viewing Stealth Status for more

information.

• Verify that there are no firewalls blocking communication. For more information about

configuring firewall settings to enable communications for Windows endpoint

instances, see the Unisys Stealth Solution Advanced Concepts and Operations Guide.

• Web proxy servers (HTTP proxy servers) can interfere with Stealth authorization;

ensure that there are no web proxy servers between Stealth endpoints and the

Management Server instance.

• Verify the status of the Stealth services. If any of the Stealth services are not in a

Running state, do the following:

- For Windows: Verify that the Unisys Stealth Logon Service, Unisys Stealth

PreLogon Service, and Unisys Stealth Protocol Service are running.

If any service status is paused, restart the Unisys Stealth Protocol Service, which

automatically restarts the other two services.

- For Linux: Log on with root privileges, and enter the following to see the state of

the stealthd daemon:

service stealthd status

If the services are in the process of connecting, wait a few minutes, then try to

verify the status of the services again.

• Verify that your environment includes enough licenses for your endpoints (and verify

that there are no license errors in your log files).

• Reboot the Management Server instance.

7.2. Enterprise Manager Interface Requirements

If you have any problems viewing the Enterprise Manager interface, ensure that you meet

the following requirements.

Resolution and Browser Requirements

The Enterprise Manager interface was tested using a resolution in the following range,

and you should configure a screen resolution in this range:

• Minimum resolution: 1152 × 864

• Maximum resolution: 1440 × 900

You must run one of the following browsers:

• Internet Explorer 11.x

• Firefox 35 or later


Note: Stealth Enterprise Manager was qualified using Internet Explorer 11.x and Firefox

35. Because Mozilla regularly releases new versions of Firefox, if you experience any

problems with a later version of Firefox, it is recommended that you use Internet Explorer

11.x.

In addition, configure the following browser settings:

• Ensure that the pop-up blocker is disabled.

• Set the browser zoom level to 100%.

• If you are using Internet Explorer 11.x, do the following:

- Ensure that Active Scripting is enabled

Do the following:

1. Open Internet Explorer and select Internet options.

2. On the Internet Options dialog box, select the Security tab, and then select

Custom Level.

3. Under Scripting, ensure that Active scripting is enabled.

- Ensure that the Document Mode is set to Edge

Do the following:

1. Open Internet Explorer, and press F12.

2. On the menu that appears at the bottom of the screen, select the icon on the

far right (the Document Mode icon), and then select Edge.

• If you are using Firefox, do the following:

- Set the browser cache to 15 MB or higher.

Do the following:

1. Open Firefox, and enter about:config into the address bar.

2. If you see a warning, click I’ll be careful, I promise.

3. In the Search box, enter browser.cache.disk.capacity.

4. Ensure that the value is at least 15360.

If the value is less than 15360, double-click browser.cache.disk.capacity, and

enter a new value that is at least 15360.

- Ensure that JavaScript is enabled.

Do the following:

1. In the Firefox about:config Search box, enter javascript.enabled.

2. Verify that javascript.enabled is set to true.

If it is set to false, right-click it, and click Toggle.

3. Close the Firefox window.


TLS 1.2 Requirement

The Management Server is required to use TLS 1.2.

If you use Firefox, do the following:

1. Open Firefox.

2. Enter about:config into the address bar, and press Enter.

3. If a warning appears, click I’ll be careful, I promise!

4. In the Search box above the list, enter TLS, and wait while the list is filtered.

5. Double-click security.tls.version.min, enter 1, and then click OK.

6. Double-click security.tls.version.max, enter 3, and then click OK.

7. Close Firefox.

If you use Internet Explorer, do the following:

1. Open Internet Explorer.

2. On the Tools menu, select Internet options.

3. On the Internet Options dialog box, select the Advanced tab.

4. Under Security, verify that Use TLS 1.2 is selected. Verify that all other Use

SSL and Use TLS checkboxes are cleared.

5. Click OK to close the Internet Options dialog box.

7.3. Troubleshooting the Stealth Applet Connection to the Unisys Stealth Logon Service on Windows Endpoints

If a user is logged on to a Windows endpoint (including the Management Server), and

closes the Remote Desktop window without logging off of the endpoint, the Stealth

Applet running in that session does not terminate the connection to the Unisys Stealth

Logon Service. If another user logs on to the endpoint, the Stealth Applet in the new

session cannot open a new connection to the Unisys Stealth Logon Service. In this case,

the Stealth Applet enters an Error state (indicated by a yellow Stealth Shield icon in the

taskbar), and you receive a message that states that the Unisys Stealth Logon Service is

not available.


If the Stealth Applet cannot connect to the Unisys Stealth Logon Service, do the following

to log off a user that disconnected from the endpoint without logging off:

1. On the endpoint, access Windows Task Manager and select the Users tab.

2. Select the user that you want to log off of the endpoint, and then click Logoff or

Sign out (depending on the version of Windows running on the endpoint).

The user is logged off of the endpoint, and the associated connection is terminated.

3. Verify that the Stealth Applet is successfully connected to the Unisys Stealth Logon

Service (indicated by a blue Stealth Shield icon in the taskbar).

If the Stealth Applet remains in an Error state, do the following to reboot the endpoint and

verify that it can connect to the Unisys Stealth Logon Service:

1. Reboot the endpoint and wait several minutes for the endpoint to restart.

2. Log on to the endpoint.

3. Verify that the Stealth Applet is successfully connected to the Unisys Stealth Logon

Service (indicated by a blue Stealth Shield icon in the taskbar).

7.4. Enabling Active Scripting on the Management Server Instance

Active scripting must be manually enabled on the Management Server instance for the

Enterprise Manager software to operate. If you are accessing the Enterprise Manager

interface using Internet Explorer, you might see an error that reads: “JavaScript must be

enabled to use Stealth Enterprise Manager. Please enable JavaScript in your browser and

refresh the page.” This means that Active Scripting has been disabled. Do the

following to reenable Active Scripting:

1. From the AWS Management Console, select EC2 under Compute.

2. On the EC2 Dashboard, select Instances in the left pane (under Instances).

3. Right-click the Administration and Diagnostics System instance, and then select

Connect.

4. If you have not already done so, get the password for the Administration and

Diagnostics System instance.

5. If required, download and open the Remote Desktop File.

6. Log on to the Administration and Diagnostics System using the user name and

password.

7. On the Administration and Diagnostics System, use Remote Desktop Connection

(RDP) or another connection software (if you selected a Linux operating system for

your Administration and Diagnostics System), and connect to the Management Server

instance using its private IP address.

8. Log on to the Management Server instance using the EMAdmin user name and the

password that you set for the EMAdminPassword in 2.4 Selecting Parameters and

Launching the Management Server Instance.

Note: Do not use the default Administrator user name and password.


9. If you receive a warning that the identity of the remote computer cannot be verified,

click Yes to continue.

10. Ensure that there are no open browser windows.

11. From the Start menu, enter gpedit.msc in the Search box, and then press Enter.

12. In the Local Group Policy Editor window, in the left pane under Computer

Configuration, expand Administrative Templates, expand Windows

Components, expand Internet Explorer, expand Internet Control Panel,

expand Security Page, and then click Internet Zone.

13. Double-click Allow active scripting.

14. On the Allow active scripting dialog box, select the Enabled option, and then ensure

that Enable appears in the Allow active scripting list (under Options).

15. Click OK to close the Allow active scripting dialog box.

16. In the left pane of the Local Group Policy Editor window, select Intranet Zone

(under Security Page).

17. Double-click Allow active scripting.

18. On the Allow active scripting dialog box, select the Enabled option, and then ensure

that Enable appears in the Allow active scripting list (under Options).

19. Click OK to close the Allow active scripting dialog box.

20. Close the Local Group Policy Editor window.

If you want to create endpoint instances, you can minimize or close the Management

Server desktop and perform the procedures in Section 3, Launching Stealth Endpoint

Instances.

If you want to review the current configuration of your Management Server using the

Enterprise Manager interface, perform the procedure in 4.1 Accessing the Enterprise

Manager Interface.

7.5. Troubleshooting Private AMIs

If you performed the procedure in 5.4 Launching Endpoint Instances Using Private AMIs

and if you experience problems with the duplicate endpoint instances using private AMIs,

verify the following:

• You used an AWS account that was already subscribed to the Unisys Stealth(cloud) for

AWS endpoint instance type.

If you use an account that has not subscribed to the Unisys Stealth(cloud) for AWS

endpoint instance type, you must redeploy the private AMIs using a subscribed

account.

• The private AMI has an appropriate validation code.


Do one of the following, depending on the endpoint operating system:

- For Windows endpoints, check the Windows Application Event log to see if the

following error exists:

Event ID: 103

Source: USSL_Logon

Log Name: Application

Level: Error

Message: Function USSL_Logon: C Thread::Logon_ThreadProc: Failed

AWSMarketplace instance validation. Wait 30 seconds; then try

again. Returned error 183. Description: Cannot create a file

when that file already exists.

Explanation

If you see these errors, the product code validation has failed. Contact Unisys for

support. See 7.6 Obtaining Services and Support from Unisys.

- For Linux operating systems, use an editor and open /var/log, and search for the

following errors:

Validating AWSMarketplace license type

Validating AWSMarketplace product code

AWS meta-data query failed. Response code: 404

Validating AWSMarketplace owner-id

AWSMarketplace owner-id validation failed

AWSMarketplace license type validation failed

If you see these errors, the product code validation has failed. Contact Unisys for

support. See 7.6 Obtaining Services and Support from Unisys.

If you used a subscribed account and if you do not see these product code validation

errors, search the Windows Application Event log or the Linux /var/log file for more

information on errors that could be interfering with the private AMI deployment.
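The checks above as detection logic over log data (an added example, not part of the guide or the Unisys product): it scans Linux log lines for the messages listed in this section and checks one Windows Application event given as a dictionary with the property names Get-WinEvent uses; the log lines, host name and process prefix are constructed, the messages are the ones quoted above.

```python
"""Detect the private-AMI product code validation failures described in 7.5.

Added example, not Unisys code. It scans Linux log lines for the messages the
guide lists and checks one Windows Application event supplied as a dict with the
property names Get-WinEvent uses (Id, ProviderName, LevelDisplayName, Message).
Sample inputs are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Linux log messages quoted in the guide that indicate the validation failed.
LINUX_FAILURE_MARKERS = (
    "AWS meta-data query failed",
    "AWSMarketplace owner-id validation failed",
    "AWSMarketplace license type validation failed",
)
# Windows Application event fields quoted in the guide.
WINDOWS_EVENT_ID = 103
WINDOWS_SOURCE = "USSL_Logon"
WINDOWS_MARKER = "Failed AWSMarketplace instance validation"

_RESPONSE_CODE_RE = re.compile(r"Response code:\s*(\d+)")


def scan_linux_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, text) for every line that carries a failure marker."""
    hits = []
    for number, line in enumerate(lines, start=1):
        text = line.rstrip("\n")
        if any(marker in text for marker in LINUX_FAILURE_MARKERS):
            hits.append((number, text))
    return hits


def metadata_response_code(line: str) -> Optional[int]:
    """HTTP status from an 'AWS meta-data query failed' line (404 in the guide), if present."""
    match = _RESPONSE_CODE_RE.search(line)
    return int(match.group(1)) if match else None


def is_windows_validation_failure(event: Dict[str, object]) -> bool:
    """True when the event is ID 103 from USSL_Logon at level Error with the quoted message."""
    try:
        return (int(event.get("Id", 0)) == WINDOWS_EVENT_ID
                and str(event.get("ProviderName", "")) == WINDOWS_SOURCE
                and str(event.get("LevelDisplayName", "")).lower() == "error"
                and WINDOWS_MARKER in str(event.get("Message", "")))
    except (TypeError, ValueError):
        return False


def diagnose(linux_hits: List[Tuple[int, str]], windows_failure: bool) -> str:
    """Next step per the guide once the logs have been checked."""
    if linux_hits or windows_failure:
        return ("product code validation failed: redeploy the private AMI from a "
                "subscribed account or contact Unisys support (7.6)")
    return ("no product code validation errors: search the Windows Application log "
            "or Linux /var/log for other errors affecting the deployment")


# Constructed syslog-style lines; host name and "stealthd[1234]:" prefix are assumptions,
# the message texts are the ones the guide quotes.
SAMPLE_LINUX_LOG = [
    "May  6 13:05:01 ip-10-0-1-23 stealthd[1234]: Validating AWSMarketplace license type",
    "May  6 13:05:01 ip-10-0-1-23 stealthd[1234]: Validating AWSMarketplace product code",
    "May  6 13:05:02 ip-10-0-1-23 stealthd[1234]: AWS meta-data query failed. Response code: 404",
    "May  6 13:05:02 ip-10-0-1-23 stealthd[1234]: Validating AWSMarketplace owner-id",
    "May  6 13:05:02 ip-10-0-1-23 stealthd[1234]: AWSMarketplace owner-id validation failed",
    "May  6 13:05:02 ip-10-0-1-23 stealthd[1234]: AWSMarketplace license type validation failed",
    "May  6 13:05:03 ip-10-0-1-23 stealthd[1234]: Stealth configured",
]

# Constructed event record shaped like Get-WinEvent output; the message text is from the guide.
SAMPLE_WINDOWS_EVENT = {
    "Id": 103,
    "ProviderName": "USSL_Logon",
    "LogName": "Application",
    "LevelDisplayName": "Error",
    "Message": ("Function USSL_Logon: C Thread::Logon_ThreadProc: Failed AWSMarketplace instance "
                "validation. Wait 30 seconds; then try again. Returned error 183. Description: "
                "Cannot create a file when that file already exists."),
}

if __name__ == "__main__":
    hits = scan_linux_log(SAMPLE_LINUX_LOG)
    for number, text in hits:
        print(f"line {number}: {text}")
    print(diagnose(hits, is_windows_validation_failure(SAMPLE_WINDOWS_EVENT)))
```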

7.6. Obtaining Services and Support from Unisys

Unisys provides support and optional services for your Stealth(cloud) for AWS

environment.


Obtaining Support

To obtain support, do the following, depending on whether you have a technical question

or non-technical question:

• For technical questions about your Stealth(cloud) for AWS environment—including

installation and configuration questions—or if you need to report a Stealth product

issue, call one of the following numbers:

- 1-800-417-1393 (toll-free)

- +1 385-355-2969 (charges apply)

When you call the Unisys User Support Desk, you will be asked to provide your valid

AWS Account ID, a description of your issue, and any diagnostics you have collected.

A ticket will be created for your reference, and then you will be transferred to a Unisys

Stealth(cloud) for AWS Support Analyst.

The Support Analyst will work with you to answer your questions and verify that you

have met all of the requirements for deploying the Stealth(cloud) for AWS

environment. If your instances cannot be launched, or if your properly configured

endpoints cannot communicate with other endpoints in the same user role or with

other components for which they have filters configured, Unisys will help to diagnose

and resolve your issues.

• For non-technical questions—including questions about Test Drive experiences,

licensing options, and professional services—call one of the following numbers,

depending on the time:

- During the hours of 9:00 a.m. to 9:00 p.m. Eastern Standard Time, call +1 310-793-3100.

- During the hours of 9:00 p.m. to 9:00 a.m. Eastern Standard Time, call 1-800-417-1393

(toll-free) or +1 385-355-2969 (charges apply).

We make the best possible effort to respond to calls within the same business day.

Calls received on weekends and Unisys holidays will be returned the next business

day.

Be sure to review our documentation, which is available at

http://unisyssecurity.com/aws. This page includes informational articles, product

alerts, and answers to frequently asked questions.


Optional Professional Services

Unisys offers the following professional services—which are available for an additional

fee—to help you optimize your Stealth(cloud) for AWS environment. We can assist you

with creating a detailed Stealth architecture that meets your needs, including setting up

additional user roles and filters to further segment your endpoints and manage detailed

control over communications in your environment. Our services include the following:

1. Discovery Service: The Discovery Service is a hosted, four-hour participant-driven

activity that introduces you to Stealth solutions and the uses of Stealth(cloud) for

Amazon Web Services.

2. Design Service: With the Design Service, Unisys works with you to identify changes

you might want to make in your AWS environment, such as adding or modifying

existing roles, filters, Communities of Interest (COIs) or endpoints within your Stealth-enabled

Virtual Private Cloud (VPC). If desired, Unisys can work with you to define the

parameters for integrating your network elements to connect the Stealth-enabled

AWS VPC using a defined AWS gateway.

3. Integration Service: The Integration Service is based on the outcome of the Design

Service. Unisys assists you in making the changes you have defined, which could

include the expansion of the existing Stealth-enabled VPC (roles, filters, or adding

COIs) or integrating your network elements to connect the Stealth-enabled AWS VPC

using a defined AWS gateway. In addition to aiding in the network configuration,

Unisys can update your Stealth-enabled VPC with the necessary security filters or

changes as defined as part of the Design Service.

Note: Although Unisys supports client creation of new filters and user roles, in complex

environments, you might find it necessary to leverage Unisys expertise in security and

micro-segmentation to ensure that your environment is properly configured and secured.

If you create, change, or delete multiple roles and filters using the Enterprise Manager

interface but your environment is not performing as you intended, Unisys consultants can

provide the services you need to implement your design.

7.7. Collecting Diagnostics from the Management Server and Endpoint Instances

If you are directed to collect diagnostics by Unisys Support personnel, perform the

procedures in this topic.

Collecting Diagnostics from the Management Server

The Management Server software includes the Collect Diagnostics utility. To use the

Collect Diagnostics utility on the Management Server instance, do the following:

1. From the Start menu, enter Collect Diagnostics in the Search box.

2. Double-click Collect Diagnostics.


The Collect Diagnostics utility collects diagnostic information for your configuration,

and stores the information in the C:\Stealth directory on the Management Server, in

the following subfolders:

• The Management Server endpoint software diagnostics are collected in the folder

C:\Stealth\Diag-<Computer Name>-<Date>, where <Computer Name> is the

computer name of the Management Server, and <Date> is the date when the

diagnostics were collected.

• The Enterprise Manager diagnostics are collected in the subfolder

DiagEM-<Computer Name>-<Date>, where <Computer Name> is the computer name of

the Management Server, and <Date> is the date when the diagnostics were

collected.

Collecting Diagnostics from Windows Endpoints

You can collect the diagnostic information from a Windows Stealth endpoint by running

the collectdiags.cmd script, which is provided with the Stealth endpoint software. You can

run this script on any Windows endpoint.

To run this script, do the following:

1. From the Start menu, enter Collect Diagnostics in the Search box.

2. Right-click Collect Diagnostics and select Run as administrator.

The diagnostic output files are collected in the C:\Stealth\<day MMDDYYYY> directory on

the Stealth endpoint. (For example, the folder is named C:\Stealth\Fri 12312015.)

Note: If you run this script multiple times in one day, all diagnostic files collected on the

same day are stored in the same folder.

The diagnostic files include:

• Probes@<date-time>.prb – Stealth driver diagnostics file

• Diag_<date-time>-xxx.txt – Network and Stealth query output and log files

• Diag_<date-time>-xxx.log – Stealth installation log files

• Diag_<date-time>-xxx.evtx – Windows system and application event log files

• Diag_cfg-msinfo32.txt – Windows system information

• Diag_cfg-xxx.reg – Selected Windows registry exports

Note: The Diag_cfg files are not time-stamped and are collected only once each

day. To collect the latest data, delete the old files first.

Collecting Diagnostics from Linux Endpoints

You can collect diagnostic information from a Linux Stealth endpoint by executing the

collectdiags.sh script, which is installed as part of the Stealth endpoint software. This

script file is located in the /etc/stealth/admin-scripts directory. You can run this script on

any Linux endpoint.


Execute the collectdiags.sh script by entering the following commands as root:

cd /etc/stealth/admin-scripts

./collectdiags.sh

The collectdiags.sh script collects several log and configuration files and archives the files

in a single file with a name in the format stealth-diags<MMDDYYYY-HHMM>.tar.gz. All

diagnostic archive files are stored in the /var/tmp/stealth directory. (An example file is

/var/tmp/stealth/stealth-diags05062015-1305.tar.gz.)

From a remote session, you must establish a secure method to transfer the file. (You can

use any method for copying secure files that is allowed in your environment.) For example,

if your server includes the appropriate software packages, you could use SSH and enter

the following SCP command:

scp <source_file_name> <username>@<destination_host>:<destination_folder>

Note: Before attempting to transfer this file remotely, you must ensure that the Linux endpoint and the destination server share a COI, or that the Linux endpoint has an appropriate filter to communicate with the destination server.

You might find it useful to increase the logging level when diagnosing an issue. Do the following.

Note: The logging level you set determines the level of diagnostics that are collected by the collectdiags.sh script.

1. Open the /etc/stealth/system.ini file using an editor such as vi.

2. Locate the [global] section, and make the following changes:

• Ensure that the verbose line appears (and is uncommented) and set the value to 1. This line should appear like the following:

verbose=1

• Ensure that the trace_flags line appears (and is uncommented) and set the value to all. This line should appear like the following:

trace_flags=all

3. Save and close the system.ini file.
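The edit described in steps 1 through 3 can be scripted so that it is repeatable across many endpoints. The following is an added example, not a script shipped with Stealth or taken from this guide: it rewrites only the [global] section of a system.ini-style file, replacing an existing verbose or trace_flags line (commented out or not) and appending the line if the section lacks it, then reads the values back to confirm. It assumes the layout the guide describes (a [global] header followed by key=value lines, possibly commented with # or ;) and runs here against a constructed sample file rather than /etc/stealth/system.ini.

```shell
#!/bin/sh
# Added example (not part of the Unisys guide): raise the Stealth endpoint
# logging level by editing the [global] section of system.ini in place, then
# read the values back to confirm the edit took effect.
# Assumed layout (as the guide describes it): a "[global]" header followed by
# "key=value" lines, which may be commented out with "#" or ";".

# set_global_key FILE KEY VALUE
# Sets KEY=VALUE inside the [global] section of FILE. An existing KEY line,
# commented out or not, is replaced in place; if the section has no such line,
# one is appended at the end of the section. Other sections are left untouched.
set_global_key() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        /^[[:space:]]*\[/ {                      # a section header
            if (in_global && !done) { print key "=" value; done = 1 }
            in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            print; next
        }
        in_global && !done {
            line = $0
            sub(/^[[:space:]]*[#;][[:space:]]*/, "", line)   # drop a comment marker
            if (line ~ ("^" key "[[:space:]]*=")) {          # same key, active or commented
                print key "=" value; done = 1; next
            }
        }
        { print }
        END { if (in_global && !done) print key "=" value }  # [global] was the last section
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# global_value FILE KEY
# Prints the active (uncommented) value of KEY from the [global] section.
global_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        in_global && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# enable_diag_logging FILE
# Applies the two settings from step 2 of the guide: verbose=1 and trace_flags=all.
enable_diag_logging() {
    set_global_key "$1" verbose 1 &&
    set_global_key "$1" trace_flags all
}

# make_sample_ini FILE
# Writes a constructed sample system.ini (not a real Stealth file) so the
# example runs anywhere. On an endpoint you would instead run, as root:
#   enable_diag_logging /etc/stealth/system.ini
make_sample_ini() {
    cat > "$1" <<'EOF'
[global]
# verbose=0
;trace_flags=none
other=keep

[endpoint]
verbose=0
EOF
}

sample=$(mktemp)
make_sample_ini "$sample"
enable_diag_logging "$sample"
echo "verbose=$(global_value "$sample" verbose) trace_flags=$(global_value "$sample" trace_flags)"
rm -f "$sample"
```

Because only the [global] section is rewritten, a verbose line in another section keeps its old value, which matches the guide's instruction to edit the [global] section specifically. Remember that the higher level also increases what collectdiags.sh gathers, so restore the previous values once the diagnostics have been collected.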

7.8. Deleting the Management Server or Endpoint Instances

If you want to delete the Management Server instance, you must first empty the associated S3 bucket. You can delete the files in the bucket, or you can copy these files to another location.


Note: Before deleting any files in the S3 bucket, you should ensure that you do not want to retain this data, because it is not backed up in any other location.

After the bucket is empty, you can use the standard Amazon method of deleting stacks to delete the associated Management Server stack.

If you want to delete an endpoint instance, use the standard Amazon method of deleting stacks to delete the associated endpoint stack.


Appendix A. Parameter Worksheets

If you choose, you can print a copy of the following worksheets to record the values you enter for the Management Server instance and endpoint instances.

A.1. Management Server Instance Planning

Use the following table to plan and record values for the Management Server instance.

Table A–1. Management Server Instance Planning

Category                          Parameter                                          Value
--------------------------------  -------------------------------------------------  -----
Stack name                        Stack name
Amazon EC2 Configuration          VPC
                                  Subnet
                                  EC2 Key Name
Unisys Stealth Configuration      Capacity (instance type and size):
                                    • Small – m4.large (25 endpoints)
                                    • Medium – m4.large (50 endpoints)
                                    • Large – m4.xlarge (250 endpoints)
                                    • Extra Large – m4.2xlarge (500 endpoints)
                                  Note: If you select the South America (São Paulo)
                                  region, m3 instance types are used.
                                  Existing Administration and Diagnostics System
                                  IP Addresses
                                  RDP Access IP Address (CIDR) for New
                                  Administration and Diagnostics System
                                  Allowed Ports for the Administration and
                                  Diagnostics System
Unisys Stealth Micro-Segmented    Segment1 Username
User Roles                        Segment1 Password
                                  Segment2 Username
                                  Segment2 Password
                                  Segment3 Username
                                  Segment3 Password
Unisys Stealth Tiered User Roles  Tier1 Username
                                  Tier1 Password
                                  Tier2 Username
                                  Tier2 Password
                                  Tier3 Username
                                  Tier3 Password
Unisys Stealth Administrator      Enterprise Manager Administrator
Passwords                           User name: EMAdmin
                                    Password:
                                  MySQL Root
                                    User name: root
                                    Password:
                                  Interface Administrator
                                    User name: portaladmin
                                    Password:
                                  Tomcat User
                                    User name: TomcatUser
                                    Password:

Notes on Table A–1:

• Stealth User Role passwords (Micro-Segmented and Tiered User Roles) must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

• The Enterprise Manager Administrator password must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + = In addition, the user name cannot be included as part of the password.

• The MySQL Root password must be between eight and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

• The Enterprise Manager portal administrator password must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =

• The Tomcat user password must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + = In addition, the user name cannot be included as part of the password.
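A stack creation that fails on a password parameter is slow to diagnose, so it is worth checking candidate passwords against the rules in Table A–1 before entering them. The following is an added example, not part of this guide or of the Stealth software: a POSIX shell function that applies the length, character-class and special-character rules from the table and, when a user name is supplied, the "user name cannot be included" rule. Two assumptions: the user-name check is done case-insensitively (the guide does not say), and the minimum length defaults to six, with eight passed explicitly for the MySQL root password.

```shell
#!/bin/sh
# Added example (not part of the Unisys guide): check a candidate password
# against the rules quoted in Table A-1 before typing it into the stack
# parameters. Assumptions: the "user name cannot be included" rule is checked
# case-insensitively (the guide does not say), and MINLEN defaults to 6, with
# 8 passed for the MySQL root password.

# check_stealth_password PASSWORD [USERNAME] [MINLEN]
# Exit status 0 when PASSWORD is MINLEN..50 characters long and contains at
# least one uppercase letter, one lowercase letter, one digit and one of
# ! @ # $ % ^ & * ( ) _ + = ; when USERNAME is given, it must not appear
# inside PASSWORD. Any other status means the password would be rejected.
check_stealth_password() {
    pw=$1; user=${2:-}; minlen=${3:-6}
    len=${#pw}
    [ "$len" -ge "$minlen" ] && [ "$len" -le 50 ] || return 1
    printf '%s' "$pw" | grep -q '[[:upper:]]'      || return 1
    printf '%s' "$pw" | grep -q '[[:lower:]]'      || return 1
    printf '%s' "$pw" | grep -q '[[:digit:]]'      || return 1
    printf '%s' "$pw" | grep -q '[!@#$%^&*()_+=]'  || return 1   # the allowed special set
    if [ -n "$user" ]; then
        # case-insensitive containment check (assumption, see above)
        lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
        luser=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
        case "$lpw" in *"$luser"*) return 1 ;; esac
    fi
    return 0
}

# Constructed sample candidates for the EMAdmin account (not real credentials).
for candidate in 'Stealth#2016' 'stealth#2016' 'MyEMAdmin#1'; do
    if check_stealth_password "$candidate" EMAdmin; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```

Run the function with the user name that the table lists for each account (EMAdmin, root, portaladmin, TomcatUser) and with 8 as the third argument for the MySQL root password; a non-zero exit status means the value would not be accepted at stack creation time.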


A.2. Endpoint Instance Planning

Use the following table to plan and record values for the endpoint instances.

Table A–2. Endpoint Instance Planning

Endpoint    Parameter                 Value
----------  ------------------------  -----
Endpoint 1  Stack name
            VPC
            Subnet
            Stealth Security Group
            EC2 Key Name
            EC2 Instance Type
            IAM Instance Profile
            Stealth S3 Bucket
            Stealth Username
Endpoint 2  Stack name
            VPC
            Subnet
            Stealth Security Group
            EC2 Key Name
            EC2 Instance Type
            IAM Instance Profile
            Stealth S3 Bucket
            Stealth Username
Endpoint 3  Stack name
            VPC
            Subnet
            Stealth Security Group
            EC2 Key Name
            EC2 Instance Type
            IAM Instance Profile
            Stealth S3 Bucket
            Stealth Username
Endpoint 4  Stack name
            VPC
            Subnet
            Stealth Security Group
            EC2 Key Name
            EC2 Instance Type
            IAM Instance Profile
            Stealth S3 Bucket
            Stealth Username
Endpoint 5  Stack name
            VPC
            Subnet
            Stealth Security Group
            EC2 Key Name
            EC2 Instance Type
            IAM Instance Profile
            Stealth S3 Bucket
            Stealth Username
Endpoint 6  Stack name
            VPC
            Subnet
            Stealth Security Group
            EC2 Key Name
            EC2 Instance Type
            IAM Instance Profile
            Stealth S3 Bucket
            Stealth Username


Copyright © 2016 Unisys Corporation. All rights reserved.