Unisys Stealth(cloud) for Amazon Web
Services
Deployment Guide
Release 2.0
unisys
May 2016 8205 5658-002
NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information
described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to
purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the
products described in this document are set forth in such agreement. Unisys cannot accept any financial or other
responsibility that may be the result of your use of the information in this document or software material, including
direct, special, or consequential damages.
You should be very careful to ensure that the use of this information and/or software material complies with the laws,
rules, and regulations of the jurisdictions with respect to which it is used.
Unisys Stealth contains encryption features and is subject to, and certain information pertaining to Unisys Stealth may
be subject to, limitations imposed by the United States, the European Union and other governments on encryption
technology. Information about these U.S. government limitations may currently be found at http://www.bis.doc.gov.
For more information about your obligations, please see the agreement entered by your company and Unisys.
The information contained herein is subject to change without notice. Revisions may be issued to advise of such
changes and/or additions.
Notice to U.S. Government End Users: This software and any accompanying documentation are commercial items
which have been developed entirely at private expense. They are delivered and licensed as commercial computer
software and commercial computer software documentation within the meaning of the applicable acquisition
regulations. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys’ standard commercial
license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights
clauses.
Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries. All other trademarks referenced herein are the property of their respective owners.
Contents
Section 1. Introduction
1.1. Documentation Updates . . . . 1–1
1.2. What’s New? . . . . 1–1
1.3. Understanding Components of Stealth(cloud) for AWS . . . . 1–2
1.4. Understanding Default Stealth Configurations and User Roles . . . . 1–3
1.5. Understanding Default Filters . . . . 1–6
1.6. Prerequisites . . . . 1–7
1.7. Understanding Differences with Stealth Deployed in a Data Center . . . . 1–7
Section 2. Launching the Stealth(cloud) Management Server Instance
2.1. Optionally Configuring the Administration and Diagnostics System . . . . 2–1
2.2. Determining the Management Server Instance Size and License Capacity . . . . 2–3
2.3. Subscribing to Enterprise Manager . . . . 2–3
2.4. Selecting Parameters and Launching the Management Server Instance . . . . 2–4
Section 3. Launching Stealth Endpoint Instances
3.1. Before You Begin . . . . 3–1
3.2. Determining the Stealth User Role for the Endpoint Instance . . . . 3–1
3.3. Subscribing to Endpoint Instances . . . . 3–2
3.4. Selecting Parameters and Launching the Stealth Endpoint Instance . . . . 3–3
Section 4. Understanding Your Stealth(cloud) for AWS Environment
4.1. Accessing the Enterprise Manager Interface . . . . 4–1
4.2. Accessing Windows Endpoints and Viewing Stealth Status . . . . 4–2
4.3. Accessing Linux Endpoints and Viewing Stealth Status . . . . 4–4
4.4. Limitations When Accessing AWS Services . . . . 4–5
Section 5. Making Changes to Your Stealth(cloud) for AWS Environment
5.1. Updating the Initial Configuration . . . . 5–1
5.2. Optionally Updating the Management Server Instance Type . . . . 5–1
5.3. Optionally Updating Endpoint Instance Types . . . . 5–2
5.4. Launching Endpoint Instances Using Private AMIs . . . . 5–3
Section 6. Upgrading or Updating Management Server and Endpoint Instances
6.1. Subscribing to and Launching the Upgrade System . . . . 6–1
6.2. Connecting to the Upgrade System and Downloading Files . . . . 6–2
6.3. Upgrading or Updating the Management Server . . . . 6–4
6.4. Upgrading or Updating Windows Endpoint Instances . . . . 6–5
6.5. Upgrading or Updating Linux Endpoint Instances . . . . 6–5
6.6. Launching Upgraded Endpoint Instances in an Upgraded Environment . . . . 6–6
Section 7. Troubleshooting
7.1. Resolving Common Problems . . . . 7–1
7.2. Enterprise Manager Interface Requirements . . . . 7–2
7.3. Troubleshooting the Stealth Applet Connection to the Unisys Stealth Logon Service on Windows Endpoints . . . . 7–4
7.4. Enabling Active Scripting on the Management Server Instance . . . . 7–5
7.5. Troubleshooting Private AMIs . . . . 7–6
7.6. Obtaining Services and Support from Unisys . . . . 7–7
7.7. Collecting Diagnostics from the Management Server and Endpoint Instances . . . . 7–9
7.8. Deleting the Management Server or Endpoint Instances . . . . 7–11
Appendix A. Parameter Worksheets
A.1. Management Server Instance Planning . . . . A–1
A.2. Endpoint Instance Planning . . . . A–4
Figures
1–1. Default Segmented Configuration . . . . 1–4
1–2. Default Tiered Configuration . . . . 1–5
Tables
A–1. Management Server Instance Planning . . . . A–1
A–2. Endpoint Instance Planning . . . . A–4
Section 1. Introduction
Unisys Stealth(cloud) for Amazon Web Services (AWS) enables you to secure an AWS
virtual private cloud (VPC) environment using Unisys Stealth technology.
This document provides the information required to deploy Stealth(cloud) for AWS.
1.1. Documentation Updates
This document contains all the information that was available at the time of publication.
Changes identified after release of this document are included in problem list entry (PLE)
19123197. To obtain a copy of the PLE, access the following URL:
http://public.support.unisys.com/common/epa/macro.aspx?path0=all&path1=ple&path2=19123197
1.2. What’s New?
The following is new in this release:
• In the previous release, you could create up to three user roles in one configuration,
and those user roles were completely segmented by default (meaning that only
endpoints that shared the same user role could communicate). In this release, you can
create up to three additional user roles in a tiered configuration. See
1.4 Understanding Default Stealth Configurations and User Roles for more
information.
• The list of automatically generated filters for Amazon services has been updated: the
filters now have more descriptive names, and Enterprise Manager now polls the Amazon
service addresses regularly. This ensures that the filter list stays up to date if Amazon
changes the IP addresses of its services. See 1.5 Understanding Default Filters for more
information.
• In the previous release, you were required to manually create one Administration and
Diagnostics System to provide administrative access to the Management Server
instance and the endpoint instances. In this release, you can manually create up to
three systems to perform this function, or you can have an Administration and
Diagnostics System automatically generated for you. See 2.1 Optionally Configuring
the Administration and Diagnostics System for more information.
When you subscribe to and launch the Management Server instance, there are three
new fields under the Unisys Stealth Configuration category that are related to the
configuration of the Administration and Diagnostics Systems. See 2.4 Selecting
Parameters and Launching the Management Server Instance for more information.
• An update is available that applies fixes and updates to your Enterprise Manager and
Stealth endpoint software. See Section 6, Upgrading or Updating Management Server
and Endpoint Instances.
Note: This update does not make configuration changes to an existing environment.
For example, this update does not create the new tiered configuration in your existing
environment, and it does not change the name or design of any of your filters. This
protects the integrity of your customized configuration. If you want to use the new
tiered configuration, the new filter design, or any other changes available with this
release, you can deploy a new Management Server instance.
1.3. Understanding Components of Stealth(cloud) for AWS
Stealth(cloud) for AWS enables you to configure a Stealth-enabled virtual private cloud
(VPC) environment to host your secure workloads and applications.
A Stealth(cloud) for AWS environment includes the following components:
• Amazon Virtual Private Cloud (VPC) – This is a virtual network that hosts the
Stealth(cloud) components. You subscribe to and launch the Management Server
instance and its associated Stealth AWS endpoint instances into a VPC.
Note: A single Stealth-enabled VPC can support only one Management Server
instance. If your environment requires more than one Management Server instance
(because each Management Server can support only 500 endpoints), you must create
one VPC for each Management Server instance that you want to subscribe to.
A Management Server can only be used to manage the endpoints within its VPC.
• Administration and Diagnostics System – This is an Amazon Elastic Compute Cloud
(EC2) instance which is used to provide administrative access to the Management
Server instance and the endpoint instances and can be used to collect diagnostic
information as needed.
• Management Server instance – This is an Amazon EC2 Windows Server instance that
runs the Stealth Enterprise Manager software, which is used to authorize Stealth
AWS endpoint instances and to provide the user interface for managing your Stealth
environment.
The Management Server instance must be sized appropriately so that it can manage
all of the endpoint instances in your VPC, as described in 2.2 Determining the
Management Server Instance Size and License Capacity.
• Endpoint instances – These are Amazon EC2 instances running supported Windows
or Linux operating systems, which also run the Stealth endpoint software to provide a
secure working environment. These instances that run the Stealth endpoint software
are known as Stealth endpoints.
1.4. Understanding Default Stealth Configurations and User Roles
Each Management Server instance can be used to manage up to 500 endpoint instances,
and each endpoint participates in one of the user roles you define. Each user role is made
up of multiple Communities of Interest (COIs). Stealth endpoint instances that share a COI
can communicate with one another; endpoint instances that do not share a COI cannot
communicate. In addition, other non-Stealth-enabled components cannot communicate
with any Stealth endpoint instances, unless a filter is specifically created to enable that
communication.
When you launch the Management Server instance, you have the option to automatically
create user roles in two different configurations that you can use for secure
communications in your environment. In addition, a configuration is created for
administration. The three configurations are as follows:
• StealthAdmin configuration – This configuration is used for the Enterprise Manager
software running on the Management Server to authorize, license, and administer the
Stealth endpoints.
In Figure 1–1 and Figure 1–2, the COI used for communication between the
Management Server and the endpoints is the purple StealthAdminLicenseCOI. For
security, Stealth filters are applied to the StealthAdminLicenseCOI so that endpoint
instances can only use this COI to communicate with the Management Server
instance (and cannot use this COI to communicate between user roles).
• Segmented configuration – In this configuration, you can create up to three user roles.
These user roles are completely segmented, meaning that endpoints in different roles
cannot communicate with one another. (Only endpoints that share the same user role
can communicate.)
In Figure 1–1, you see three Segmented user roles, each of which includes one
SegmentCOI that enables communication with other endpoints in the same user role
and the StealthAdminLicenseCOI that enables communication with the Management
Server. (As stated previously, Stealth filters are applied to the
StealthAdminLicenseCOI so that endpoints can only use this COI to communicate
with the Management Server and never with other endpoints.) Finally, each
Segmented user role includes the ADSAccessClearTextFilter, which enables endpoint
communication with the Administration and Diagnostics System and with Amazon
services.
Figure 1–1. Default Segmented Configuration
• Tiered configuration – In this configuration, you can also create up to three user
roles. These user roles are tiered, meaning that endpoints in the Tier2 user role can
communicate with endpoints in the Tier1 user role and endpoints in the Tier3 user
role. For example, in a standard Web Server, Application Server, and Database
Server configuration, the Application Servers can communicate with the Web
Servers and Database Servers, but the Web Servers and Database Servers cannot
communicate with one another.
In Figure 1–2, you see three Tiered user roles, each of which includes one TierCOI
that enables communication with other endpoints in the same user role and the
StealthAdminLicenseCOI that enables communication with the Management Server.
(As stated previously, Stealth filters are applied to the StealthAdminLicenseCOI so
that endpoints can only use this COI to communicate with the Management Server
and never with other endpoints.)
In addition, a shared COI enables communication between endpoints assigned to
Tier1 and Tier2 (green colored Tier1+2COI) and a shared COI enables communication
between endpoints assigned to Tier2 and Tier3 (pink colored Tier2+3COI).
Finally, each Tiered user role includes the ADSAccessClearTextFilter, which enables
endpoint communication with the Administration and Diagnostics System and with
Amazon services.
Figure 1–2. Default Tiered Configuration
When you create the Management Server instance, you are prompted to name and create
these user roles. You can create as few as one user role (in either configuration) or as
many as six user roles (three in each configuration). Depending on your needs, you can
create user roles for the Segmented configuration, the Tiered configuration, or both.
You can name these user roles using a naming convention of your choice. For example,
you might want to give the Segmented user roles names that correspond to segmented
security levels in your environment (such as Classified, Secret, and TopSecret) or that
correspond to segmented departments (such as HR, Marketing, and Executive). In
contrast, you might want to give the Tiered user roles names that correspond to tiered
functions (such as WebServer, AppServer, and DBServer).
Based on the user role names you enter, a Certificate-Based Authorization (CBA)
certificate is created and added to each endpoint instance (for example, a certificate
named Classified is created for the Classified user role or a certificate named WebServer
is created for the WebServer user role). These certificates are used to authorize the
endpoint instances so that they can communicate with one another.
If your security needs are met by these user roles and configurations, you can simply
specify the names of up to six user roles (three in each configuration) when you launch the
Management Server instance, and then you can assign each endpoint instance to use one
of these three user roles when you launch the endpoint instances. No further action is
required for endpoint instances within the same user role to communicate with one
another securely.

The COI rules described in this topic can be checked with a small model. The following Python script is an added example written for this guide, not Unisys code: it builds the default Segmented and Tiered configurations from the role names entered at launch and decides whether two roles can communicate (shared COI, with StealthAdminLicenseCOI counting only when one side is the Management Server). The per-role COI names such as ClassifiedSegmentCOI are an assumption for illustration; the shared tier COI names Tier1+2COI and Tier2+3COI follow the guide.

```python
"""Model of the default Stealth COI authorization rules described in 1.4.

Added example; an assumption-based model, not Unisys code.
"""
from itertools import combinations

MGMT_SERVER = "ManagementServer"        # the Enterprise Manager host
ADMIN_COI = "StealthAdminLicenseCOI"    # COI every endpoint shares with it
MAX_ROLES_PER_CONFIG = 3                # the guide allows three roles per configuration


def default_cois(segmented_roles, tiered_roles):
    """Return {role: set_of_COIs} for the default configurations generated
    from the role names entered when the Management Server is launched.

    Per-role COI names (e.g. 'ClassifiedSegmentCOI') are assumed for
    illustration; the shared tier COIs are named as in the guide.
    """
    for roles in (segmented_roles, tiered_roles):
        if len(roles) > MAX_ROLES_PER_CONFIG:
            raise ValueError("at most three user roles per configuration")
    cois = {MGMT_SERVER: {ADMIN_COI}}
    for role in segmented_roles:
        # Segmented roles only ever share the admin COI with anyone else.
        cois[role] = {f"{role}SegmentCOI", ADMIN_COI}
    for tier, role in enumerate(tiered_roles, start=1):
        role_cois = {f"{role}TierCOI", ADMIN_COI}
        if tier > 1:
            role_cois.add(f"Tier{tier - 1}+{tier}COI")   # shared with the tier above
        if tier < len(tiered_roles):
            role_cois.add(f"Tier{tier}+{tier + 1}COI")   # shared with the tier below
        cois[role] = role_cois
    return cois


def can_communicate(cois, role_a, role_b):
    """True if an endpoint in role_a can reach an endpoint in role_b over Stealth.

    Endpoints must share a COI, and the filter on StealthAdminLicenseCOI means
    that COI only counts when one of the two parties is the Management Server.
    """
    shared = cois[role_a] & cois[role_b]         # new set, safe to modify
    if MGMT_SERVER not in (role_a, role_b):
        shared.discard(ADMIN_COI)
    return bool(shared)


def reachability(cois):
    """Return the set of unordered role pairs (alphabetical) that can communicate."""
    roles = sorted(cois)
    return {(a, b) for a, b in combinations(roles, 2) if can_communicate(cois, a, b)}


if __name__ == "__main__":
    config = default_cois(["Classified", "Secret", "TopSecret"],
                          ["WebServer", "AppServer", "DBServer"])
    for pair in sorted(reachability(config)):
        print(" <-> ".join(pair))
```
However, if required, you can create additional user roles and configurations, and then you
can manually update the user roles used by your endpoint instances. Once your
environment is configured, see the Unisys Stealth(cloud) for Amazon Web Services
Advanced Concepts and Operations Guide for more information on how to add additional
user roles and configurations using the Enterprise Manager interface.
The Advanced Concepts and Operations Guide is available on the Unisys Security website
at http://unisyssecurity.com/aws.
1.5. Understanding Default Filters
You use filters to control whether your endpoints can communicate with other
components and services.
By default, filters are predefined for your endpoint instances. These filters enable you to
communicate with all available Amazon services using clear text (non-Stealth-secured)
communication. For example, these include filters that enable you to communicate with
the Amazon S3 service for storage and the Amazon Route53 service for DNS. Because
Amazon periodically changes the IP addresses used for these services, Enterprise
Manager checks for updates to the Amazon service addresses every 24 hours and creates
new filters as necessary.
In addition, when you launch the Management Server instance, clear text filters are
automatically created to allow communication with the Administration and Diagnostics
Systems in your environment.
If your filtering needs are met by these default filters for Amazon services and the
Administration and Diagnostics System, no further action is required. However, if needed,
you can create additional filters once your environment is configured. See the Unisys
Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for
more information on how to update, add, and assign filters using the Enterprise Manager
interface.
In addition, note that the IP addresses in a subnet that are reserved by AWS have clear text
filters applied to them (so that they are never Stealth-enabled). See the AWS
documentation on VPCs and subnets
(http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#SubnetSize)
for more information on these reserved IP addresses.
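The two kinds of default clear-text filter described in this topic (AWS-reserved subnet addresses, and Amazon service prefixes refreshed by the 24-hour poll) can be generated as follows. This Python script is an added example, not Unisys code: the snapshots are constructed samples in the layout of Amazon's published ip-ranges.json, the prefixes and tokens in them are made up, and the filter naming scheme is an assumption.

```python
"""Default clear-text filter generation as described in 1.5 (added example)."""
import ipaddress
import json

# Constructed sample snapshots in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Prefixes and syncTokens are made up; documentation ranges (RFC 5737) are used.
PREVIOUS_SNAPSHOT = json.loads("""{
  "syncToken": "1000000001",
  "createDate": "2016-05-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "203.0.113.0/26",  "region": "GLOBAL",    "service": "ROUTE53"},
    {"ip_prefix": "203.0.113.64/26", "region": "us-east-1", "service": "EC2"}
  ]
}""")

CURRENT_SNAPSHOT = json.loads("""{
  "syncToken": "1000000002",
  "createDate": "2016-05-02-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",      "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "203.0.113.0/26",    "region": "GLOBAL",    "service": "ROUTE53"},
    {"ip_prefix": "203.0.113.64/26",   "region": "us-east-1", "service": "EC2"}
  ]
}""")

SERVICES = ("S3", "ROUTE53")
# Route 53 prefixes are published under the GLOBAL pseudo-region, not a VPC region.
REGIONS = ("us-east-1", "GLOBAL")


def reserved_subnet_addresses(cidr):
    """Return the five addresses AWS reserves in a VPC subnet: the first four
    (network, VPC router, DNS, future use) and the last (broadcast)."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects CIDRs with host bits set
    if net.version != 4 or net.prefixlen > 28:      # VPC subnets are IPv4, /16 to /28
        raise ValueError(f"{cidr} is not a valid VPC subnet CIDR")
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def service_prefixes(snapshot, regions=REGIONS, services=SERVICES):
    """(service, prefix) pairs in a snapshot for the regions and services of interest."""
    return {(p["service"], p["ip_prefix"]) for p in snapshot["prefixes"]
            if p["region"] in regions and p["service"] in services}


def filter_name(service, prefix):
    """Descriptive filter name; the naming scheme is an assumption of this example."""
    return f"AWS_{service}_{prefix.replace('/', '_')}_ClearText"


def poll_service_filters(previous, current, regions=REGIONS, services=SERVICES):
    """Compare two snapshots, as the 24-hour poll would, and return the filters to
    add and the existing filters that no longer match a published prefix."""
    if previous["syncToken"] == current["syncToken"]:
        return {"add": [], "stale": []}              # nothing changed since the last poll
    old = service_prefixes(previous, regions, services)
    new = service_prefixes(current, regions, services)
    return {"add": sorted(filter_name(s, p) for s, p in new - old),
            "stale": sorted(filter_name(s, p) for s, p in old - new)}


if __name__ == "__main__":
    print("reserved in 10.0.1.0/24:", reserved_subnet_addresses("10.0.1.0/24"))
    print(poll_service_filters(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT))
```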
1.6. Prerequisites
Before you begin to deploy Stealth(cloud) for AWS, you must meet the following
prerequisites.
Note: See the AWS documentation (http://aws.amazon.com/documentation) for more
information on meeting these prerequisites.
• You must have configured one or more virtual private clouds (VPCs) with access to
the AWS CloudFormation services.
You can use an existing VPC, or you can create a new VPC that is dedicated to your
Stealth(cloud) for AWS deployment.
The instances that you launch within the VPC must be able to access the AWS
CloudFormation services, which means that the instances within the VPC must either
have a public IP address or they must have the capability to use Network Address
Translation (NAT) to access these services.
For more information on configuring IP addressing for your VPC and instances, see
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Networking.html.
Note: Each Management Server instance in the AWS environment can support up to
500 endpoint instances, and each Management Server instance requires its own VPC.
Therefore, depending on the number of Stealth-enabled endpoints you plan to launch
in the AWS environment, you might need to configure multiple VPCs.
• You must have one or more Amazon EC2 key pairs. Key pairs are an Amazon
administrative requirement for all EC2 instances. You can use an existing key pair or
you can create a new key pair for your Stealth(cloud) for AWS deployment.
You must select a key pair name when you initially configure each instance.
1.7. Understanding Differences with Stealth Deployed in a Data Center
In addition to the Stealth(cloud) for AWS, the Stealth Solution can be purchased from
Unisys and deployed directly in your data center.
The following are the differences between the Stealth(cloud) for AWS and when Stealth is
deployed in a data center:
• Stealth(cloud) for AWS supports the following operating systems running on endpoint
instances:
- Windows Server 2008 R2
- Windows Server 2012 R2
- Red Hat Enterprise Linux 6.x and 7.x
- SUSE Linux Enterprise Server 11.x
- Ubuntu 14.04 LTS
When Stealth is deployed in a data center, the following additional operating systems
are supported:
- Windows 7
- Windows 8 and Windows 8.1
- Windows Server 2012
- Ubuntu 12.04 LTS
- IBM AIX V6.1 and V7.1
• Windows endpoint instances are configured to run with Stealth Always On.
Stealth Always On for Windows endpoints means that Stealth is always enabled on
running Windows endpoints (and cannot be disabled by users). In contrast, Windows
endpoints in the data center can run Stealth On Demand, which means that users can
enable and disable the Stealth service if they need to communicate with other
resources in the environment.
Note: Stealth can be enabled and disabled for Linux endpoints.
• Stealth deployed in a data center can provide redundant authorization through the use
of standalone Authorization Servers. This component is not supported in this release
of Stealth(cloud) for AWS.
• Stealth deployed in a data center supports IPv6 addressing. IPv6 addressing is not
supported in Stealth(cloud) for AWS, because IPv6 addressing is not supported by
AWS.
• Stealth deployed in a data center can support mobile users through a feature known
as Secure Remote Access. This feature is not supported in Stealth(cloud) for AWS.
• Stealth deployed in a data center can enable systems and servers running operating
systems that are not supported by Stealth to connect to the network and participate in
Stealth COIs through a feature known as Secure Virtual Gateway. This feature is not
supported in Stealth(cloud) for AWS.
If you want to use any of the features that are not supported in Stealth(cloud) for AWS,
contact Unisys at http://unisyssecurity.com/aws for more information about deploying
Stealth in your data center.
Section 2. Launching the Stealth(cloud) Management Server Instance
The Management Server instance is an Amazon EC2 instance that runs Windows Server
2012 R2 and the Stealth Enterprise Manager software, which is used to authenticate,
authorize, license, and administer Stealth AWS endpoint instances. The Management
Server instance also provides the user interface for managing your Stealth environment.
Before continuing, be sure that you met the prerequisites listed in 1.6 Prerequisites, and
then perform the procedures in this section.
2.1. Optionally Configuring the Administration and Diagnostics System
Stealth(cloud) for AWS requires an EC2 instance to act as the Administration and
Diagnostics System. This system provides administrative access to the Management
Server instance and the endpoint instances and can be used to collect diagnostic
information as needed.
You can launch up to three EC2 instances to use as Administration and Diagnostics
Systems by following the guidelines in this topic. When you deploy the Management
Server instance, you can specify these existing systems to use as Administration and
Diagnostics Systems. Alternatively, if you do not have an existing EC2 instance to use as
the Administration and Diagnostics System and you do not want to manually configure
one using the guidelines in this topic, the Management Server CloudFormation template
can automatically deploy a new t2.micro Windows 2012 R2 instance to be used for this
purpose. Skip this topic if you want the CloudFormation template to automatically deploy
an Administration and Diagnostics System.
If you want to manually deploy an Administration and Diagnostics System, it must meet
the following requirements:
• Because this system provides access to all Stealth-enabled instances in the VPC, you
should ensure that the system is secure and that access is controlled.
• It must be an Amazon EC2 instance in the same VPC as the Management Server
instance. If you have more than one Management Server instance, each running in a
separate VPC, then you must configure a separate Administration and Diagnostics
System in each VPC.
• The Administration and Diagnostics System can run any operating system; however, it
is recommended that you select the Windows Server 2012 R2 operating system,
which by default, includes the Remote Desktop software necessary for connecting to
the Management Server instance.
Note: If you plan to subscribe to and launch Linux endpoints, you should install an
SSH client (for example, PuTTY) that you can use to access Linux endpoint instances.
• The Administration and Diagnostics System must be able to use TCP port 80 to
download files.
Do the following if you want to manually configure an EC2 instance as the Administration
and Diagnostics System:
1. Launch an EC2 instance that meets the requirements listed earlier in this topic.
Note: The Administration and Diagnostics System can use any Amazon instance
type. (There are no minimum requirements for vCPU or memory.)
When you launch the EC2 instance, you must do the following:
• Configure a method to access the Administration and Diagnostics System.
For example, configure an AWS security group to allow inbound RDP access to
the Administration and Diagnostics System.
• Configure a method to use the Administration and Diagnostics System to access
the Management Server instance and the endpoint instances. By default, a
security group enables all outbound RDP and SSH access. If you have restrictions
on your security group, you must allow outbound access as follows:
- RDP access to connect to the Management Server instance and Stealth
Windows endpoints
- SSH access to connect to Linux endpoint instances
See the Amazon EC2 documentation at https://aws.amazon.com/documentation/ec2
for specific information for launching an EC2 instance, and see
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
for more information on configuring the required security groups.
2. Wait for the instance to be created (that is, wait until the status reads running).
3. Confirm that you can connect to the Administration and Diagnostics System.
4. Record the private IP address of the Administration and Diagnostics System. (To
locate the IP address, on the EC2 Management Console, select the instance, and then
locate the Private IP under the Description tab.)
When you configure the Management Server instance, you must specify the private
IP address of the Administration and Diagnostics System, and a clear text filter is
created to enable the Management Server instance and endpoint instances to
communicate with this system.
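Because the Administration and Diagnostics System reaches every Stealth-enabled instance in the VPC, its security group deserves a check against the requirements above: inbound RDP only from administrator addresses, and outbound RDP, SSH and TCP port 80. The following Python audit is an added example, not Unisys code; the two security groups are constructed samples in the shape the EC2 DescribeSecurityGroups API returns (group IDs and CIDRs are made up), and the administrator range is an assumption.

```python
"""Audit of the security group protecting an Administration and Diagnostics
System, against the requirements in 2.1 (added example)."""
import ipaddress

RDP, SSH, HTTP = 3389, 22, 80
EGRESS_REQUIREMENTS = (
    (RDP, "RDP to the Management Server and Windows endpoints"),
    (SSH, "SSH to Linux endpoint instances"),
    (HTTP, "TCP port 80 to download files"),
)


def permission_covers(perm, port):
    """True if an EC2 IpPermission entry allows TCP traffic on the given port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule has no port fields
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def within_admin_ranges(cidr, admin_cidrs):
    """True if cidr lies entirely inside one of the approved administrator ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in admin_cidrs
               if ipaddress.ip_network(a).version == net.version)


def audit_ads_security_group(group, admin_cidrs):
    """Return a list of findings; an empty list means the group meets the requirements."""
    findings = []
    inbound_rdp = [p for p in group.get("IpPermissions", []) if permission_covers(p, RDP)]
    if not inbound_rdp:
        findings.append("no inbound RDP rule; administrators cannot reach the system")
    for perm in inbound_rdp:
        for ip_range in perm.get("IpRanges", []):          # IPv4 sources only
            cidr = ip_range["CidrIp"]
            if not within_admin_ranges(cidr, admin_cidrs):
                findings.append(f"inbound RDP allowed from {cidr}, "
                                "which is outside the administrator ranges")
    egress = group.get("IpPermissionsEgress", [])
    for port, purpose in EGRESS_REQUIREMENTS:
        if not any(permission_covers(p, port) for p in egress):
            findings.append(f"no outbound rule for TCP {port} ({purpose})")
    return findings


# Constructed sample groups in the shape DescribeSecurityGroups returns (IDs made up).
OPEN_GROUP = {
    "GroupId": "sg-0example0",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": RDP, "ToPort": RDP,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    # the default egress rule: all traffic, anywhere
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
RESTRICTED_GROUP = {
    "GroupId": "sg-0example1",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": RDP, "ToPort": RDP,
                       "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": RDP, "ToPort": RDP, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": SSH, "ToPort": SSH, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": HTTP, "ToPort": HTTP, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
ADMIN_CIDRS = ("203.0.113.0/24",)   # assumed administrator range (constructed)

if __name__ == "__main__":
    for group in (OPEN_GROUP, RESTRICTED_GROUP):
        print(group["GroupId"], audit_ads_security_group(group, ADMIN_CIDRS) or ["OK"])
```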
2.2. Determining the Management Server Instance Size and License Capacity
Enterprise Manager provides licenses to Stealth endpoint instances from a pool of
licenses called AWS Marketplace licenses. The total number of available licenses is
determined by the Enterprise Manager instance size that you select when you configure
the Management Server instance.
When you subscribe to Stealth(cloud) Enterprise Manager and launch the Management
Server instance, you select one of the following sizes, depending on how many Stealth
endpoint instances you plan to subscribe to and launch in your VPC:
• Small – Launches an m4.large EC2 instance that supports up to 25 endpoint instances
• Medium – Launches an m4.large EC2 instance that supports up to 50 endpoint
instances
• Large – Launches an m4.xlarge EC2 instance that supports up to 250 endpoint
instances
• Extra Large – Launches an m4.2xlarge EC2 instance that supports up to 500 endpoint
instances
Notes:
• If you select the South America (São Paulo) region, m3 instance types are used.
• For more information on Amazon EC2 instance types, see https://aws.amazon.com/ec2/instance-types.
You must select a capacity that is sufficient for the number of Stealth endpoint instances
that you plan to subscribe to and launch. In addition, it is a best-practice to select a
capacity that will accommodate a slightly expanded configuration; however, you can
change the instance size as your needs change. If you change your instance type, the
maximum number of subscribed endpoints that can be authorized is automatically
updated. See 5.2 Optionally Updating the Management Server Instance Type for more
information on resizing the Management Server instance.
If you plan to include more than 500 Stealth endpoint instances in your Stealth(cloud) for
AWS deployment, you must create additional Management Server instances; only one
Management Server instance is supported in a single Amazon VPC. If you require more
than one Management Server instance, each must be launched in a separate VPC.
2.3. Subscribing to Enterprise Manager
To launch a Management Server instance from the AWS Marketplace, you must
subscribe to Unisys Stealth(cloud) Enterprise Manager. Do the following:
1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).
2. At the top of the page, click Sign in, and then sign in using your AWS account
credentials.
3. In the search box, enter Unisys Stealth.
4. On the results page, select Unisys Stealth(cloud) Enterprise Manager on
Windows.
5. On the Unisys Stealth(cloud) Enterprise Manager solutions page, do the following:
a. Under Pricing Details, under For region, use the default region or select a new
region.
b. Under Pricing Details, under Delivery Methods, select Stealth(cloud)
Enterprise Manager.
Note: A CloudFormation template is the required method to launch the
Management Server; therefore, you must select this option. (Do not select
Single AMI.)
6. Click Continue.
7. If you have previously subscribed to this product, skip to the next step.
If this is your first time subscribing to this product, you are prompted to accept the
terms; do the following:
a. On the Launch on EC2 page, click Accept Terms.
You see the Thank You page, which states that you will receive an email with
more details.
b. Review the email when it arrives, and then return to the Thank You page.
c. On the Thank You page, click Return to Product Page.
You see the Launch on EC2 page.
8. On the Launch on EC2 page, confirm that the region you want to use is selected, and
ensure that Stealth(cloud) Enterprise Manager is selected under Deployment
Options.
9. Click Launch with CloudFormation Console.
Note: If you do not see the Launch with CloudFormation Console button, change the
value under Deployment Options from Single AMI to Stealth(cloud) Enterprise
Manager.
The values you entered are processed, and the CloudFormation console launches with the
Management Server CloudFormation template selected.
Continue by performing the procedure in the following topic: 2.4 Selecting Parameters and
Launching the Management Server Instance.
2.4. Selecting Parameters and Launching the Management Server Instance
Note: For a printable worksheet that you can use to record the values you enter here,
see A.1 Management Server Instance Planning.
After you subscribe to Enterprise Manager, do the following to select parameters and
launch the Management Server instance:
1. On the CloudFormation console, on the Select Template page, click Next.
The Specify Details page appears and provides a set of parameters that you use to
configure the Management Server instance.
Note: The parameters you enter on this page are not verified until you create the
CloudFormation stack. Therefore, you should be very careful to enter these values
correctly. For example, you are prompted to enter and verify passwords multiple
times on this page, and you should ensure that these passwords match and that they
meet the specific requirements for each password; if they do not, the CloudFormation
stack creation will fail.
2. Enter a name for the stack in the Stack name box.
3. Under Amazon EC2 Configuration, enter the following:
a. For VPC, select the VPC where you want to launch the Management Server
instance.
Notes:
• A VPC can include only one Management Server instance.
• Stealth endpoint instances that will be managed by this Management Server
instance must also be launched in the same VPC.
b. For Subnet, select the subnet within the VPC that you want to use for the
Management Server instance. The subnet you select must exist in the VPC you
selected.
Note: The Management Server instance and Stealth endpoint instances can use
separate subnets within the same VPC.
c. For EC2 Key Name, select the name of an existing EC2 key pair that you want
to use to meet the Amazon administrative requirement to have a key pair for all
EC2 instances.
4. Under Unisys Stealth Configuration, enter the following:
a. For Capacity, select the Management Server capacity that corresponds to your
planned number of Stealth endpoint instances. See 2.2 Determining the
Management Server Instance Size and License Capacity for more information.
b. For Existing Administration and Diagnostics System IP Addresses,
enter up to three IP addresses (comma separated) if you have existing systems
that you want to use as Administration and Diagnostics Systems. (If you do not
have existing systems and want the CloudFormation template to create an
instance for this purpose, leave this value blank.)
Notes:
• You must enter a value for either this parameter or for the following
parameter.
• If you want to use this option, you must have configured the Administration
and Diagnostics System as described in 2.1 Optionally Configuring the
Administration and Diagnostics System.
c. For RDP Access IP Address (CIDR) for New Administration and
Diagnostics System, if you want CloudFormation to autogenerate a new
Administration and Diagnostics System, enter an IP address in CIDR notation that
you will use to access this system. (That is, enter the IP address of the local
system, from which you will launch RDP to access the new Administration and
Diagnostics System.)
A standard t2.micro instance running Windows Server 2012 R2 will be launched,
which will be accessible from this IP address range. For example, enter
192.0.2.0/32 for a single IP address or 192.0.2.0/24 for a range of IP addresses.
Note: You must enter a value for either this parameter or for the previous
parameter.
d. For Allowed Ports for the Administration and Diagnostics System,
optionally enter up to ten TCP ports for added security. Communication
between Stealth endpoints and the Administration and Diagnostics System is
then restricted to only those ports. Leave the default values 22 and 3389 to allow only
SSH and RDP communication, respectively. Delete these values to allow
communication over all ports and protocols.
5. Skip the Extended Data Center (XDC) Feature parameters. The XDC feature is used to
extend an existing Stealth data center environment into the AWS VPC. See the Unisys
Stealth Solution Information Center for more information on the XDC feature.
6. Under Unisys Stealth Micro-Segmented User Roles, enter the following values to
create up to three segmented user roles.
Notes:
• You must create at least one segmented user role or one tiered user role.
• You can create up to three segmented user roles and up to three tiered user roles.
If you do not want to create any segmented user roles, ensure that all of the
Segmented Username and Password boxes are blank.
• You must enter a unique user name for every user role that you create.
a. For Segment1 Username, enter a name for the Segment1 user role. You can
assign Stealth endpoint instances to this user role when you launch them, and
only endpoint instances that share a user role can communicate.
For example, you might want to give this user role a name that corresponds to
segmented security levels in your environment (such as Classified, Secret, or
TopSecret) or that corresponds to segmented departments (such as HR,
Marketing, or Executive). See 1.4 Understanding Default Stealth Configurations
and User Roles for more information on Stealth user roles.
Note: The user name must be between one and 15 characters, and it can only
include alphanumeric characters and hyphens.
b. For Segment1 Password, enter a password for the Segment1 user role.
Note: The password must be between six and 50 characters, and it must
include all of the following:
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one of the following special characters:
! @ # $ % ^ & * ( ) _ + =
c. For Segment1 Password Verify, verify the password for the Segment1 user
role.
d. For Segment2 Username, optionally enter a name for the Segment2 user role.
Like the Segment1 user role, you can assign Stealth endpoint instances to this
user role when you launch them, and you can name this user role according to
function, department, or any other method for your environment.
Note: The name must also meet the requirements for the Segment1 user role,
listed previously.
e. If you entered a name for the Segment2 user role, for Segment2 Password,
enter a password for the Segment2 user role.
Note: This password must also meet the requirements for the Segment1
password, listed previously.
f. If you entered a name for the Segment2 user role, for Segment2 Password
Verify, verify the password for this user role.
g. For Segment3 Username, optionally enter a name for the Segment3 user role.
Like the Segment1 user role, you can assign Stealth endpoint instances to this
user role when you launch them, and you can name this user role according to
function, department, or any other method for your environment.
Note: The user name must also meet the requirements for the Segment1 user
role, listed previously.
h. If you entered a name for the Segment3 user role, for Segment3 Password,
enter a password for this user role.
Note: This password must also meet the requirements for the Segment1
password, listed previously.
i. If you entered a name for the Segment3 user role, for Segment3 Password
Verify, verify the password for this user role.
7. Under Unisys Stealth Tiered User Roles, enter the following values to create up to
three tiered user roles.
Note: You can create up to three segmented user roles and up to three tiered user
roles. If you do not want to create any tiered user roles, skip to the next step.
a. For Tier1 Username, enter a name for the Tier1 user role. You can assign
Stealth endpoint instances to this user role when you launch them. In this
configuration, endpoints in Tier2 can communicate with endpoints in Tier1 and
Tier3. For example, in a standard Web Server, Application Server, and Database
Server configuration, the Application Servers can communicate with the Web
Servers and Database Servers, but the Web Servers and Database Servers cannot
communicate with one another.
For example, you might want to give this user role a name that corresponds to
tiered functions (such as WebServer, AppServer, or DBServer). See
1.4 Understanding Default Stealth Configurations and User Roles for more
information on Stealth user roles.
Note: The user name must be between one and 15 characters, and it can only
include alphanumeric characters and hyphens.
b. For Tier1 Password, enter a password for the Tier1 user role.
Note: The password must be between six and 50 characters, and it must
include all of the following:
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one of the following special characters:
! @ # $ % ^ & * ( ) _ + =
c. For Tier1 Password Verify, verify the password for the Tier1 user role.
d. For Tier2 Username, optionally enter a name for the Tier2 user role.
Like the Tier1 user role, you can assign Stealth endpoint instances to this user role
when you launch them, and you can name this user role according to function,
department, or any other method for your environment.
Note: The name must also meet the requirements for the Tier1 user role, listed
previously.
e. If you entered a name for the Tier2 user role, for Tier2 Password, enter a
password for the Tier2 user role.
Note: This password must also meet the requirements for the Tier1 password,
listed previously.
f. If you entered a name for the Tier2 user role, for Tier2 Password Verify, verify
the password for this user role.
g. For Tier3 Username, optionally enter a name for the Tier3 user role.
Like the Tier1 user role, you can assign Stealth endpoint instances to this user role
when you launch them, and you can name this user role according to function,
department, or any other method for your environment.
Note: The user name must also meet the requirements for the Tier1 user role,
listed previously.
h. If you entered a name for the Tier3 user role, for Tier3 Password, enter a
password for this user role.
Note: This password must also meet the requirements for the Tier1 password,
listed previously.
i. If you entered a name for the Tier3 user role, for Tier3 Password Verify, verify
the password for this user role.
8. Under Unisys Stealth Administrator Passwords, enter the following:
a. For Enterprise Manager Administrator Password, enter a password for
the Enterprise Manager Administrator account. EMAdmin is the account that you
use to log on to the Management Server instance and that you use to run the
Stealth services on that instance.
Note: This password must be between six and 50 characters long, and it must
include all of the following:
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one of the following special characters:
! @ # $ % ^ & * ( ) _ + =
In addition, the user name cannot be included as part of the password.
b. For Enterprise Manager Administrator Password Verify, verify the
password for the Enterprise Manager Administrator account, EMAdmin.
c. For MySQL Root Password, enter a password for the MySQL Root account
(root) for the MySQL database running on the Management Server instance.
Note: This password must be between eight and 50 characters long, and it must
include all of the following:
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one of the following special characters:
! @ # $ % ^ & * ( ) _ + =
d. For MySQL Root Password Verify, verify the password for the MySQL Root
account.
e. For Interface Administrator Password, enter a password for the Enterprise
Manager interface administrator account, portaladmin.
Note: This password must be between six and 50 characters, and it must
include all of the following:
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one of the following special characters:
! @ # $ % ^ & * ( ) _ + =
f. For Interface Administrator Password Verify, verify the password for the
Enterprise Manager interface administrator account, portaladmin.
g. For Tomcat User Password, enter a password for the user associated with the
Tomcat service (TomcatUser) that runs on the Management Server instance.
Note: This password must be between six and 50 characters long, and it must
include all of the following:
• At least one uppercase letter
• At least one lowercase letter
• At least one number
• At least one of the following special characters:
! @ # $ % ^ & * ( ) _ + =
In addition, the user name cannot be included as part of the password.
h. For Tomcat User Password Verify, verify the password for the Tomcat
service user.
9. When you have finished specifying the configuration parameters, click Next.
10. On the Options page, optionally enter one or more key-value pairs to tag the
Management Server instance. Tags are used to help identify resources in the AWS
console.
11. Optionally set any additional advanced options for the new instance.
Note: Do not change the value for the Rollback on failure option (the default
value is Yes).
12. Click Next.
13. On the Review page, verify that the parameters and options that you specified appear
correctly, select the check box to acknowledge the I acknowledge that this
template might cause AWS CloudFormation to create IAM resources
notice, and then click Create.
14. Wait until the Management Server instance is created (that is, wait until the status
reads CREATE_COMPLETE).
The Windows Server 2012 R2 instance that forms the basis for the Management
Server instance can take approximately 30 to 45 minutes to launch from AWS. In
addition, the CloudFormation template requires an additional 10-20 minutes to be
completed. If the AWS geographic region you are using is experiencing a heavy traffic
load, this process might require additional time. Therefore, you should allow at least
90 minutes for the Management Server instance status to read CREATE_COMPLETE.
Note: If the instance reads CREATE_COMPLETE in only a few minutes, this is
usually an indicator that the Management Server instance has failed to launch
correctly. This is most commonly a result of parameters being entered incorrectly; for
example, entering different passwords for the same user name or entering a
password that does not meet the specific requirements. In that case, select the
instance, and then select the Outputs tab to review the provided error message.
If the instance reads CREATE_FAILED or ROLLBACK_FAILED, the CloudFormation
logs and Stealth diagnostics are collected and uploaded to the Amazon S3 bucket,
which is created during the CloudFormation process, in the EnterpriseManager\log
subfolder.
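Because the CloudFormation console does not check these parameters until the stack is created, and a single mismatched or non-compliant password costs a failed stack plus the full wait described in step 14, it is worth checking the worksheet values before clicking Create. The following Python script is an added example and is not Unisys code: it encodes the rules stated in the parameter notes above (role name length and character set, the password rules for user roles and for the EMAdmin, root, portaladmin and TomcatUser accounts, the A&D-system IP or CIDR requirement, the ten-port limit) in a local pre-flight check. The dictionary layout (keys such as "roles", "admin" and "verify") and all sample values are this example's own constructions.

```python
"""Pre-flight checks for the Management Server CloudFormation parameters.

Added example, not Unisys code. CloudFormation only validates these values
when the stack is created, so checking the worksheet values locally first
avoids a failed stack and a rollback. The rules are the ones stated in the
parameter notes of 2.4; the dict layout is this example's own.
"""
import ipaddress
import re

SPECIALS = set("!@#$%^&*()_+=")                # the special characters the guide lists
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # 1-15 alphanumerics or hyphens


def check_password(pw, min_len=6, username=None):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not (min_len <= len(pw) <= 50):
        problems.append(f"length must be {min_len}-50 characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs one of ! @ # $ % ^ & * ( ) _ + =")
    if username and username.lower() in pw.lower():
        problems.append("must not contain the user name")
    return problems


def check_cidr(value):
    """True for an IPv4 address or range in CIDR notation, e.g. 192.0.2.0/32 or 192.0.2.0/24."""
    try:
        ipaddress.IPv4Network(value, strict=False)
        return True
    except ValueError:
        return False


def validate_params(p):
    """Validate a worksheet dict for 2.4 and return the list of problems found."""
    errs = []
    # Steps 4b/4c: either existing A&D system IPs (up to three) or an RDP CIDR for a new one.
    existing = [ip.strip() for ip in p.get("existing_ad_ips", "").split(",") if ip.strip()]
    if not existing and not p.get("rdp_cidr"):
        errs.append("enter existing A&D system IP addresses or an RDP access CIDR")
    if len(existing) > 3:
        errs.append("at most three existing A&D system IP addresses")
    for ip in existing:
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errs.append(f"bad A&D IP address: {ip}")
    if p.get("rdp_cidr") and not check_cidr(p["rdp_cidr"]):
        errs.append(f"bad RDP access CIDR: {p['rdp_cidr']}")
    # Step 4d: at most ten TCP ports; an empty list means all ports and protocols.
    ports = p.get("allowed_ports", [22, 3389])
    if len(ports) > 10 or not all(1 <= n <= 65535 for n in ports):
        errs.append("allowed ports: at most ten TCP ports between 1 and 65535")
    # Steps 6 and 7: every entered role needs a valid, unique name and a verified password.
    roles = p.get("roles", {})
    names = [r["name"] for r in roles.values() if r.get("name")]
    if not names:
        errs.append("create at least one segmented or tiered user role")
    if len(set(names)) != len(names):
        errs.append("user role names must be unique")
    for slot, r in roles.items():
        if not r.get("name"):
            continue
        if not NAME_RE.match(r["name"]):
            errs.append(f"{slot}: name must be 1-15 alphanumeric characters or hyphens")
        if r.get("password") != r.get("verify"):
            errs.append(f"{slot}: password and verify do not match")
        errs += [f"{slot}: {m}" for m in check_password(r.get("password", ""))]
    # Step 8: EMAdmin and TomcatUser must not contain the user name; MySQL root needs 8+ characters.
    admins = {"EMAdmin": (6, "EMAdmin"), "root": (8, None),
              "portaladmin": (6, None), "TomcatUser": (6, "TomcatUser")}
    for acct, (min_len, uname) in admins.items():
        a = p.get("admin", {}).get(acct, {})
        if a.get("password") != a.get("verify"):
            errs.append(f"{acct}: password and verify do not match")
        errs += [f"{acct}: {m}" for m in check_password(a.get("password", ""), min_len, uname)]
    return errs


SAMPLE = {  # constructed worksheet values; three of them are deliberately wrong
    "existing_ad_ips": "",
    "rdp_cidr": "192.0.2.0/32",
    "allowed_ports": [22, 3389],
    "roles": {
        "Segment1": {"name": "HR", "password": "Hr-Pass1!", "verify": "Hr-Pass1!"},
        "Tier1": {"name": "WebServer", "password": "Web-Pass1!", "verify": "Web-Pass1!"},
        "Tier2": {"name": "AppServer", "password": "App-Pass1!", "verify": "App-Pass1"},  # mismatch
    },
    "admin": {
        "EMAdmin": {"password": "EMAdmin-Pass1!", "verify": "EMAdmin-Pass1!"},  # contains user name
        "root": {"password": "Root1!", "verify": "Root1!"},                    # too short for MySQL
        "portaladmin": {"password": "Portal-Pass1!", "verify": "Portal-Pass1!"},
        "TomcatUser": {"password": "Tomcat-Pass1!", "verify": "Tomcat-Pass1!"},
    },
}
```

Running validate_params(SAMPLE) reports exactly the three planted mistakes (the Tier2 mismatch, the EMAdmin password containing its user name, and the six-character MySQL root password), which are the kinds of error that otherwise surface only as a stack that "completes" in a few minutes with a message on the Outputs tab.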
Section 3 Launching Stealth Endpoint Instances
This section provides information about launching Stealth endpoint instances, which are
Amazon EC2 instances secured with Stealth endpoint software. The Stealth endpoint
software and Stealth user roles enable you to secure communication between the Stealth
endpoint instances in your environment.
3.1. Before You Begin
Before you begin to configure and launch Stealth endpoint instances in your VPC, ensure
that you have launched a Management Server instance with the appropriate capacity to
manage the number of endpoint instances you plan to launch. See Section 2, Launching
the Stealth(cloud) Management Server Instance, for more information.
In addition, you must record the StealthSecurityGroup and StealthBucket keys from the
Management Server instance that you want to use to manage this new endpoint instance.
Do the following:
1. Access the CloudFormation console.
2. Select the Stack that corresponds to the Management Server instance.
3. On the Outputs tab, record the following key values:
• StealthSecurityGroup
• StealthBucket
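The two keys above can also be read from the AWS CLI rather than the console, and the same data answers the step 14 question from 2.4 (did the Management Server stack really finish, or did it "complete" in a few minutes because a parameter was wrong). The following Python script is an added example and is not Unisys tooling: it parses the JSON produced by `aws cloudformation describe-stacks` and `describe-stack-events`, measures how long the stack took to reach CREATE_COMPLETE, and extracts StealthSecurityGroup and StealthBucket for use in 3.4. The two embedded documents are constructed to look like CLI output; the stack names, security group ID and bucket name are placeholders, and the ten-minute "too fast" cut-off is this example's own assumption.

```python
"""Read a Management Server stack's status, Outputs and creation time from
the AWS CLI JSON for describe-stacks and describe-stack-events.

Added example, not Unisys tooling. The two documents below are constructed
to look like the CLI output; stack names, the security group ID and the
bucket name are placeholders. In a real account the input comes from:
    aws cloudformation describe-stacks --stack-name <stack> > stacks.json
    aws cloudformation describe-stack-events --stack-name <stack> > events.json
"""
import json
from datetime import datetime

# A CREATE_COMPLETE reached faster than this is suspicious: the guide expects
# the better part of an hour and treats "only a few minutes" as a failed
# launch. The 10-minute cut-off is this example's own assumption.
SUSPICIOUSLY_FAST_SECONDS = 10 * 60
ENDPOINT_KEYS = ("StealthSecurityGroup", "StealthBucket")  # needed again in 3.4


def load(path):
    """Load a JSON document saved from the AWS CLI."""
    with open(path) as fh:
        return json.load(fh)


def find_stack(stacks_doc, stack_name):
    for stack in stacks_doc["Stacks"]:
        if stack["StackName"] == stack_name:
            return stack
    raise KeyError(f"stack {stack_name!r} not in describe-stacks output")


def stack_outputs(stacks_doc, stack_name):
    """Return {OutputKey: OutputValue} for the stack (the Outputs tab in the console)."""
    return {o["OutputKey"]: o["OutputValue"]
            for o in find_stack(stacks_doc, stack_name).get("Outputs", [])}


def creation_seconds(events_doc, stack_name):
    """Seconds from the stack's first CREATE_IN_PROGRESS to its CREATE_COMPLETE, or None."""
    start = end = None
    for ev in events_doc["StackEvents"]:
        if (ev["ResourceType"] != "AWS::CloudFormation::Stack"
                or ev["LogicalResourceId"] != stack_name):
            continue  # events for the resources inside the stack are ignored
        ts = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00"))
        if ev["ResourceStatus"] == "CREATE_IN_PROGRESS":
            start = ts if start is None else min(start, ts)
        elif ev["ResourceStatus"] == "CREATE_COMPLETE":
            end = ts
    if start is None or end is None:
        return None
    return (end - start).total_seconds()


def assess(stacks_doc, events_doc, stack_name):
    """Apply the step 14 notes of 2.4 and say what to do next."""
    status = find_stack(stacks_doc, stack_name)["StackStatus"]
    if status in ("CREATE_FAILED", "ROLLBACK_FAILED"):
        return {"status": status,
                "action": "collect EnterpriseManager\\log from the stack's S3 bucket"}
    if status != "CREATE_COMPLETE":
        return {"status": status, "action": "wait"}
    secs = creation_seconds(events_doc, stack_name)
    if secs is not None and secs < SUSPICIOUSLY_FAST_SECONDS:
        return {"status": status, "seconds": secs,
                "action": "completed too quickly: read the error on the Outputs tab"}
    outputs = stack_outputs(stacks_doc, stack_name)
    missing = [k for k in ENDPOINT_KEYS if k not in outputs]
    if missing:
        return {"status": status, "action": f"Outputs missing {missing}"}
    return {"status": status, "action": "ready",
            "endpoint_inputs": {k: outputs[k] for k in ENDPOINT_KEYS}}


# Constructed CLI output: one healthy stack (55 minutes) and one that "completed" in 3 minutes.
# The logical resource name "ManagementServer" is a placeholder, not the template's own.
STACKS = {"Stacks": [
    {"StackName": "stealth-mgmt", "StackStatus": "CREATE_COMPLETE", "Outputs": [
        {"OutputKey": "StealthSecurityGroup", "OutputValue": "sg-0000EXAMPLE"},
        {"OutputKey": "StealthBucket", "OutputValue": "stealth-example-bucket"}]},
    {"StackName": "stealth-mgmt-fast", "StackStatus": "CREATE_COMPLETE", "Outputs": []},
]}
EVENTS = {"StackEvents": [
    {"LogicalResourceId": "stealth-mgmt", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "CREATE_COMPLETE", "Timestamp": "2016-05-01T10:55:00Z"},
    {"LogicalResourceId": "ManagementServer", "ResourceType": "AWS::EC2::Instance",
     "ResourceStatus": "CREATE_COMPLETE", "Timestamp": "2016-05-01T10:50:00Z"},
    {"LogicalResourceId": "stealth-mgmt", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "CREATE_IN_PROGRESS", "Timestamp": "2016-05-01T10:00:00Z"},
    {"LogicalResourceId": "stealth-mgmt-fast", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "CREATE_COMPLETE", "Timestamp": "2016-05-01T11:03:00Z"},
    {"LogicalResourceId": "stealth-mgmt-fast", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "CREATE_IN_PROGRESS", "Timestamp": "2016-05-01T11:00:00Z"},
]}
```

With the real files, `assess(load("stacks.json"), load("events.json"), "<stack>")` returns either the two values to enter in 3.4 or the next diagnostic step; the healthy constructed stack yields "ready" with both keys, while the three-minute one is flagged before its empty Outputs are even consulted.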
3.2. Determining the Stealth User Role for the Endpoint Instance
When you launch an endpoint instance, you select a Stealth user role to assign to the
instance.
You assign user roles to enable secure communication in your environment. Endpoint
instances that share a COI can communicate with one another; endpoint instances that do
not share a COI cannot communicate.
In addition, other non-Stealth-enabled components cannot communicate with any Stealth
endpoint instance. To enable Stealth endpoint instances to communicate with non-
Stealth-enabled components, you must create filters to allow clear text communication
with those components.
You created up to three Segmented user roles and up to three Tiered user roles when you
launched the Management Server instance in 2.4 Selecting Parameters and Launching the
Management Server Instance. For example, you might have given these user roles names
that correspond to segmented security levels in your environment (such as Classified,
Secret, and TopSecret) or that correspond to segmented departments (such as HR,
Marketing, and Executive). In contrast, you might have given the Tiered user roles names
that correspond to tiered functions (such as WebServer, AppServer, and DBServer).
Ensure that you understand which Stealth user role (associated with which
configuration—Segmented or Tiered) you want to assign before you launch an endpoint
instance.
Note: Changing the user role after an endpoint instance is launched is a manual process.
See the Unisys Stealth(cloud) for Amazon Web Services Advanced Concepts and
Operations Guide for more information on adding and changing user roles.
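Before assigning roles it helps to see the resulting reachability written down. The following Python model is an added example and is not Unisys code: it encodes the rules stated in 2.4 step 7a and in this topic (endpoints sharing a user role communicate; in the tiered configuration Tier2 also reaches Tier1 and Tier3, while Tier1 and Tier3 cannot reach each other; a non-Stealth component reaches a Stealth endpoint only through a clear-text filter) and computes which host pairs in a planned deployment can talk. The role names, host names and the slot-based representation are this example's own constructions.

```python
"""Model of which endpoints can communicate under the Stealth user roles.

Added example, not Unisys code. It encodes the rules the guide states in
2.4 step 7a and 3.2: endpoints that share a user role (COI) communicate;
in the tiered configuration Tier2 also communicates with Tier1 and Tier3,
while Tier1 and Tier3 cannot reach each other; a non-Stealth component
reaches a Stealth endpoint only if a clear-text filter allows it. Role and
host names are constructed placeholders; the slot and filter handling is
this example's own representation.
"""
from itertools import combinations

# Role name -> the CloudFormation slot it was entered in (2.4 steps 6 and 7).
ROLE_SLOTS = {
    "HR": "Segment1", "Marketing": "Segment2",
    "WebServer": "Tier1", "AppServer": "Tier2", "DBServer": "Tier3",
}


def can_communicate(role_a, role_b, slots=ROLE_SLOTS):
    """True if two Stealth endpoints with these user roles may exchange traffic."""
    if role_a == role_b:
        return True                      # same COI
    slot_a, slot_b = slots[role_a], slots[role_b]
    if slot_a.startswith("Tier") and slot_b.startswith("Tier"):
        # Tier2 is the middle tier: it reaches Tier1 and Tier3;
        # Tier1 and Tier3 do not reach each other.
        return "Tier2" in (slot_a, slot_b)
    return False                         # different segments, or segment vs tier


def allowed_pairs(endpoints, filters=(), slots=ROLE_SLOTS):
    """Set of unordered host pairs that can talk.

    endpoints: {host: role or None}; None marks a non-Stealth component.
    filters: (non_stealth_host, stealth_host) pairs that have a clear-text filter.
    """
    allowed = set()
    clear = {frozenset(f) for f in filters}
    for (h1, r1), (h2, r2) in combinations(endpoints.items(), 2):
        if r1 is None and r2 is None:
            continue                     # neither side is a Stealth endpoint
        pair = frozenset((h1, h2))
        if r1 is None or r2 is None:
            if pair in clear:
                allowed.add(pair)        # non-Stealth side needs an explicit filter
        elif can_communicate(r1, r2, slots):
            allowed.add(pair)
    return allowed


# Constructed deployment: a three-tier application, two segmented departments
# and one non-Stealth monitoring host that has a clear-text filter to web1 only.
ENDPOINTS = {"web1": "WebServer", "app1": "AppServer", "db1": "DBServer",
             "hr1": "HR", "hr2": "HR", "mkt1": "Marketing", "monitor": None}
FILTERS = [("monitor", "web1")]
```

For ENDPOINTS the model yields four reachable pairs: web1/app1, app1/db1, hr1/hr2 and monitor/web1. In particular web1 cannot reach db1 even though both carry tiered roles, and the monitoring host reaches nothing but the one endpoint its filter names; that is the isolation the role choice buys, and why the guide asks you to settle the role before launching.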
3.3. Subscribing to Endpoint Instances
Stealth(cloud) for AWS supports the following operating systems running on endpoint
instances:
• Windows Server 2008 R2
• Windows Server 2012 R2
• Red Hat Enterprise Linux 6.x and 7.x
• SUSE Linux Enterprise Server 11.x
• Ubuntu Linux 14.04
Do the following to subscribe to one or more Stealth(cloud) endpoint instances:
1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).
2. At the top of the page, click Sign in, and then sign in using your AWS account
credentials.
3. In the search box, enter Unisys Stealth.
4. On the results page, select one of the following types of Stealth endpoints:
• Unisys Stealth(cloud) on Windows Server 2008 R2
• Unisys Stealth(cloud) on Windows Server 2012 R2
• Unisys Stealth(cloud) on Red Hat Enterprise Linux 6
• Unisys Stealth(cloud) on Red Hat Enterprise Linux 7
• Unisys Stealth(cloud) on SUSE Linux Enterprise Server 11
• Unisys Stealth(cloud) on Ubuntu Linux 14.04
Launching Stealth Endpoint Instances
3–2 8205 5658-002
5. On the solutions page for the Stealth endpoint type you selected, do the following:
a. Under Pricing Details, under For region, use the default region or select a new
region.
b. Under Pricing Details, under Delivery Methods, select Stealth(cloud) on
<operating system>.
Note: A CloudFormation template is the required method to launch the Stealth
endpoint; therefore, you must select this option. (Do not select Single AMI.)
6. Click Continue.
7. If you have previously subscribed to this product, skip to the next step.
If this is your first time subscribing to this product, you are prompted to accept the
terms; do the following:
a. On the Launch on EC2 page, click Accept Terms.
You see the Thank You page, which states that you will receive an email with
more details.
b. Review the email when it arrives, and then return to the Thank You page.
c. On the Thank You page, click Return to Product Page.
You see the Launch on EC2 page.
8. On the Launch on EC2 page, confirm that the region you want to use is selected, and
ensure that Stealth(cloud) on <operating system> is selected under
Deployment Options.
9. Click Launch with CloudFormation Console.
Note: If you do not see the Launch with CloudFormation Console button, change the
value under Deployment Options from Single AMI to Unisys Stealth(cloud) on
<operating system>.
The values you entered are processed, and the CloudFormation console launches with the
endpoint CloudFormation template selected.
Continue by performing the procedure in the following topic: 3.4 Selecting Parameters and
Launching the Stealth Endpoint Instance.
Note: After you complete the procedure in 3.4 Selecting Parameters and Launching the
Stealth Endpoint Instance, you can return to this procedure and perform these steps again
to launch as many endpoint instances as are required in your environment.
3.4. Selecting Parameters and Launching the Stealth Endpoint Instance
Note: For a printable worksheet that you can use to record the values you enter, see
A.2 Endpoint Instance Planning.
After you subscribe to the endpoint type, do the following to select parameters and launch
the endpoint instance:
1. On the CloudFormation console, on the Select Template page, click Next.
The Specify Details page appears and provides a set of parameters that you use to
configure the endpoint instance.
Note: The parameters you enter on this page are not verified until you create the
CloudFormation stack. Therefore, you should be very careful to enter these values
correctly. For example, you are prompted to enter and verify the user role password on
this page, and you should ensure that these passwords match; if they do not, the
CloudFormation stack creation will fail.
2. Enter a name for the stack in the Stack name box.
3. Under Amazon EC2 Configuration, enter the following:
a. For VPC, select the VPC where you launched the Management Server instance.
b. For Subnet, select the subnet within the VPC that you want to use for this
endpoint instance.
Note: The Management Server instance and Stealth endpoint instances can use
separate subnets within the same VPC.
c. For Stealth Security Group, select the security group created by the
Management Server instance, which you were directed to record earlier in this
topic.
d. For EC2 Key Name, select the name of an existing EC2 key pair that you want
to use to meet the Amazon administrative requirement to have a key pair for all
EC2 instances.
e. For EC2 Instance Type, select the EC2 instance type you want to use for the
new instance.
The default is m4.large, but you can use any available instance type in the list.
Note: If you select the South America (São Paulo) region, you must change the
default value. m4 instance types are not supported in this region.
f. For IAM Instance Profile, optionally specify an existing Identity and Access
Management (IAM) instance profile, if you do not want to use the instance profile
created by the CloudFormation template. (An instance profile is a container for an
IAM role that you can use to pass role information to an EC2 instance when the
instance starts.)
Note: If you specify an existing IAM instance profile, that profile must have
access to the bucket that you select in the following step.
4. Under Unisys Stealth Configuration, enter the following:
a. For Stealth S3 Bucket, enter the S3 bucket ID that corresponds to the
Management Server instance, which you were directed to record earlier in this
topic.
b. For Stealth Username, select the name of the Stealth user role that you want
to assign to this instance.
You specified up to six user roles (three Segmented user roles and three Tiered
user roles) when you configured the Management Server instance in
2.4 Selecting Parameters and Launching the Management Server Instance.
c. For Stealth Username Password, enter the password for the user role that
you specified for the StealthUsername parameter. You entered this password
when you configured the Management Server instance in 2.4 Selecting
Parameters and Launching the Management Server Instance.
Note: Be very careful to enter the correct password. This password is not
verified against the Management Server CloudFormation template when the
endpoint instance is launched. If you enter an incorrect password, the
CloudFormation stack creation will fail.
d. For Stealth Username Password Verify, verify the password that you
entered.
5. When you have finished specifying the configuration parameters, click Next.
6. On the Options page, optionally enter one or more key-value pairs to tag the instance.
Tags are used to help identify resources in the AWS console.
7. Optionally set any additional advanced options for the new instance.
Note: Do not change the value for the Rollback on failure option (the default
value is Yes).
8. Click Next.
9. On the Review page, verify that the parameters and options that you specified appear
correctly, select the check box to acknowledge the I acknowledge that this
template might cause AWS CloudFormation to create IAM resources
notice, and then click Create.
10. Wait until the endpoint instance is created (that is, wait until the status reads
CREATE_COMPLETE).
Windows operating system instances can take approximately 30 minutes to launch
from AWS, while Linux operating system instances can take approximately 15
minutes to launch from AWS. The CloudFormation template requires an additional five
minutes to be completed. If the AWS geographic region you are using is experiencing
a heavy traffic load, this process might require additional time. Therefore, you should
allow at least 45 minutes for a Windows endpoint instance or 20 minutes for a Linux
endpoint instance status to read CREATE_COMPLETE.
Notes:
• If the instance reads CREATE_COMPLETE in only a few minutes, this is usually an
indicator that the endpoint instance has failed to launch correctly. This is most
commonly a result of parameters being entered incorrectly; for example, entering
different passwords for the same user role. In that case, select the instance, and
then select the Outputs tab to review the provided error message.
• If the instance reads CREATE_FAILED or ROLLBACK_FAILED, the
CloudFormation logs and Stealth diagnostics are collected and uploaded to the
Amazon S3 bucket, which is created during the Management Server
CloudFormation process, in the <user role>\log subfolder (where <user role> is
the user role name you specified earlier in this procedure).
• If you select an endpoint instance type that is not available in your region, you see
an error on the CloudFormation page, Events tab, which reads “The requested
configuration is currently not supported. Please check the documentation for
supported configurations.”
Section 4 Understanding Your Stealth(cloud) for AWS Environment
After you configure the Management Server instance and at least two endpoints in the
same user role, your endpoints can use secure Stealth tunnels to communicate.
This section provides an overview on how to access the Management Server instance and
view the Enterprise Manager interface, as well as how to view the endpoint instances and
the current Stealth status.
4.1. Accessing the Enterprise Manager Interface
You use the Enterprise Manager interface, running on the Management Server instance,
to manage your Stealth configuration.
To log on to the Management Server instance and access the Enterprise Manager
interface, perform the following procedure:
1. From the AWS Management Console, select EC2 under Compute.
2. On the EC2 Dashboard, select Instances in the left pane (under Instances).
3. Right-click the Administration and Diagnostics System instance, and select Connect.
4. If your Administration and Diagnostics System was automatically generated by the
Management Server CloudFormation template, do the following to obtain the
Administrator user account password to log on to the Administration and Diagnostics
System:
a. On the Connect to Your Instance dialog box click Get Password.
b. Click Browse, and then select the EC2 key pair that you selected when you
initially configured the Management Server instance.
c. Click Decrypt Password to obtain the Administrator user account password for
the Administration and Diagnostics System. Make a note of this password or copy
it to the clipboard.
5. On the Connect to Your Instance dialog box, if required, download and open the
Remote Desktop File.
6. Log on to the Administration and Diagnostics System using the user name and
password.
7. On the Administration and Diagnostics System, use Remote Desktop Connection
(RDP) or other connection software (if you selected a Linux operating system for
your Administration and Diagnostics System), and connect to the Management Server
instance using its private IP address.
8. If you receive a warning that the identity of the remote computer cannot be verified,
click Yes to continue.
9. Log on to the Management Server instance using the EMAdmin user name and the
password that you set for the EMAdminPassword in 2.4 Selecting Parameters and
Launching the Management Server Instance.
10. On the Management Server instance desktop, double-click the Unisys Enterprise
Manager Portal icon.
Note: Alternatively, you can enter https://<Management Server private IP
address>:29080/ in a browser window.
11. If you see a warning that there is a problem with the website security certificate, click
Continue to this website (not recommended).
12. Log on to the Enterprise Manager interface using the portaladmin user name and
the password that you set for the Interface Administrator Password in 2.4 Selecting
Parameters and Launching the Management Server Instance.
The Enterprise Manager interface displays the Stealth Network Dashboard, which
provides an overview of your configuration.
Caution
Be very careful when deleting or reassigning any components in the Enterprise
Manager interface. If you delete any configurations, roles, users, or
certificates, or if you reassign components to different roles or configurations,
you could disrupt all Stealth communications in your environment.
For information on how to change your configuration, closely follow the
procedures in the Unisys Stealth(cloud) for Amazon Web Services Advanced
Concepts and Operations Guide.
For more information on using the Enterprise Manager interface, select Help from the
menu bar to launch the Unisys Stealth Solution Enterprise Manager Interface Help. To
access context-sensitive help information for a specific interface element, click the
question mark (?) help icon for that element.
4.2. Accessing Windows Endpoints and Viewing Stealth Status
Stealth endpoint instances running the Windows operating system include the Stealth
Applet (USS-Applet). You use the Stealth Applet to view the status of the Stealth service
on the endpoint instance.
Note: You should wait until the status reads CREATE_COMPLETE before connecting to
the endpoint instance. If you connect to the endpoint instance before the CloudFormation
process is complete, the Stealth Applet might not start.
Do the following:
1. Obtain the password for the endpoint by doing the following:
a. From the system that includes the EC2 keypair, access the EC2 Dashboard and
browse to the endpoint instance.
b. Right-click the endpoint instance and select Connect.
c. On the Connect to Your Instance dialog box, click Get Password.
d. Click Browse, and then select the EC2 key pair that you selected when you
initially configured the endpoint instance.
e. Click Decrypt Password to obtain the Administrator user account password for
the endpoint instance. Make a note of this password or copy it to the clipboard.
f. Close the Connect To Your Instance dialog box.
2. Log on to an endpoint instance by doing the following:
a. Log on to the Administration and Diagnostics System using the user name and
password.
Note: You should have already obtained the Administration and Diagnostics
System password and downloaded the Remote Desktop File, as described in
4.1 Accessing the Enterprise Manager Interface.
b. On the Administration and Diagnostics System, use Remote Desktop Connection
(RDP) or another connection software (if you selected a Linux operating system
for your Administration and Diagnostics System), and connect to the endpoint
instance using its private IP address.
c. If you receive a warning that the identity of the remote computer cannot be
verified, click Yes to continue.
d. Log on to the endpoint instance using the Administrator user account and the
password that you copied when you decrypted the password earlier in this
procedure.
3. On the endpoint instance, to access the Stealth Applet, click the Show hidden
icons (arrow) button in the taskbar, and then click the Stealth Shield icon.
Note: If the Applet does not appear in the taskbar, you can access it from the Start
menu by typing USS-Applet in the Search box.
4. Optionally, do the following to display the Stealth Shield icon in the taskbar:
a. Click the Show hidden icons (arrow) button in the taskbar, and then click
Customize.
b. On the Select which icons and notifications appear on the taskbar
window, for the Unisys Stealth Solution shield icon, select Show icon and
notifications from the Behaviors list, and then click OK.
The Stealth Applet shows the status of your Stealth communications on the endpoint. For
more information on using the Stealth Applet, click Help in the left menu on the Applet.
4.3. Accessing Linux Endpoints and Viewing Stealth Status
Stealth endpoint instances running the Linux operating systems use a command to view
the status of the Stealth service on the endpoint instance.
Notes:
• You should wait until the status reads CREATE_COMPLETE before connecting to the
endpoint instance.
• To access a Linux endpoint from a Windows-based Administration and Diagnostics
System, you must install an SSH client (for example, PuTTY).
Do the following to access the endpoint and view the status of the Stealth service on the
endpoint instance:
1. Log on to an endpoint instance by doing the following:
a. Log on to the Administration and Diagnostics System using the user name and
password.
Note: You should have already obtained the Administration and Diagnostics
System password and downloaded the Remote Desktop File, as described in
4.1 Accessing the Enterprise Manager Interface.
b. On the Administration and Diagnostics System, use SSH to connect to the
endpoint instance using the endpoint private IP address and the EC2 key pair that
you selected when you initially configured the endpoint instance.
There are several methods you can use to connect to a Linux endpoint and log on.
For more information, see the “Connect to Your Instance” topic in the Amazon
Elastic Compute Cloud User Guide for Linux Instances,
(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-connect-to-
instance-linux.html).
Note: Although the Amazon “Connect to Your Instance” procedure instructs you
to use the public DNS name to connect to your Linux endpoint, because you are
connecting to the endpoint from a private location (from the Administration and
Diagnostics System), you must use the private IP address. For example, if you are
using PuTTY, Amazon instructs you to enter user_name@public_dns_name.
However, you must enter user_name@private_IP_address to successfully access
the Linux endpoint instance.
2. Enter the following command as root:
stconfig -S
The stconfig -S command shows the status of your Stealth communications on the
endpoint.
4.4. Limitations When Accessing AWS Services
As described in 1.5 Understanding Default Filters, external AWS services (outside of the
VPC) are automatically white-listed for clear text communication.
Internal AWS services (inside of the VPC)—including elastic load balancing (ELB) and
auto-scale groups—should be deployed on known subnets so that you can easily create
filters to enable clear-text communications. For more information on adding filters to
access non-Stealth-enabled components and other services, see the Unisys Stealth(cloud)
for Amazon Web Services Advanced Concepts and Operations Guide.
Section 5. Making Changes to Your Stealth(cloud) for AWS Environment
This section includes information about updating the initial configuration for your
Stealth(cloud) environment and updating your AWS instance types.
5.1. Updating the Initial Configuration
After you initially configure and deploy your environment, you can manually update the
initial configuration.
See Section 2, “Modifying the Stealth(cloud) AWS Environment” in the Unisys
Stealth(cloud) for Amazon Web Services Advanced Concepts and Operations Guide for
detailed information on the following:
• Creating new filters and applying them to user roles
• Updating existing user roles
• Creating new user roles and updating endpoint instances
5.2. Optionally Updating the Management Server Instance Type
You selected an instance type and associated license capacity when you initially
configured the Management Server instance in 2.2 Determining the Management Server
Instance Size and License Capacity.
However, if you need to change the instance type and maximum license capacity (for
example, if you subscribed to more Stealth AWS endpoint instances than Enterprise
Manager is licensed to authorize concurrently), you can optionally resize the Management
Server instance.
You can resize your instance to use any of the following Amazon instance types:
• Small – m4.large EC2 instance that supports up to 25 endpoint instances
• Medium – m4.large EC2 instance that supports up to 50 endpoint instances
• Large – m4.xlarge EC2 instance that supports up to 250 endpoint instances
• Extra Large – m4.2xlarge EC2 instance that supports up to 500 endpoint instances
Note: If you select the South America (São Paulo) region, m3 instance types are used.
When you resize your instance, the maximum number of subscribed endpoint instances
that can be authorized is automatically updated to match the new size.
Caution
You should not select any instance type besides m4.large, m4.xlarge, or
m4.2xlarge (or the corresponding m3 instance types if you select the South
America (São Paulo) region). These instance types have been specifically
selected to meet the vCPU, memory, and configuration requirements of the
Enterprise Manager software.
If you select another instance type, your Management Server instance might
not be able to start or run.
See the following:
• For more information on Amazon EC2 instance types, see https://aws.amazon.com/
ec2/instance-types.
• For directions on how to resize the Management Server instance, see http://
docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html.
5.3. Optionally Updating Endpoint Instance Types
You selected an instance type when you initially configured endpoint instances in
3.4 Selecting Parameters and Launching the Stealth Endpoint Instance.
If you need to change the instance type, you can do so at any time. You can change your
endpoint instance to use any current generation AWS instance type that supports AWS
hardware virtual machine (HVM) virtualization.
You should not use instance types that support only paravirtual (PV) virtualization, because
this could negatively impact the performance of your endpoint instances.
See the following:
• For more information on Amazon EC2 instance types, see https://aws.amazon.com/
ec2/instance-types.
• For more information on HVM and PV virtualization, see
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html.
• For directions on how to resize an endpoint instance, see http://
docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html.
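The two resize procedures above (5.2 for the Management Server, 5.3 for endpoints) as one script, added here as an example and not taken from the guide or from Unisys. It only allows the Management Server to move to the instance types the Caution in 5.2 permits (with the m3 equivalents in sa-east-1, the South America (São Paulo) region), and it refuses to resize an endpoint that is not an HVM instance. Instance IDs, the region argument and an AWS CLI profile on the Administration and Diagnostics System are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): resize Stealth(cloud) instances with the
# guide's constraints enforced before any AWS call is made.
# Assumptions: the AWS CLI is configured; instance IDs below are hypothetical.
set -eu

# Map the guide's Management Server sizes to EC2 types. In sa-east-1 the m3
# equivalents are used, as the guide notes.
mgmt_type_for_size() {  # usage: mgmt_type_for_size <small|medium|large|xlarge> <region>
    local size=$1 region=$2 family=m4
    [ "$region" = "sa-east-1" ] && family=m3
    case "$size" in
        small|medium) echo "${family}.large" ;;
        large)        echo "${family}.xlarge" ;;
        xlarge)       echo "${family}.2xlarge" ;;
        *) return 1 ;;
    esac
}

# Maximum number of endpoint instances the guide lists for each size.
mgmt_capacity_for_size() {  # usage: mgmt_capacity_for_size <size>
    case "$1" in
        small) echo 25 ;; medium) echo 50 ;; large) echo 250 ;; xlarge) echo 500 ;;
        *) return 1 ;;
    esac
}

# True only for the types the guide's Caution allows for the Management Server.
mgmt_type_allowed() {  # usage: mgmt_type_allowed <instance-type>
    case "$1" in
        m4.large|m4.xlarge|m4.2xlarge|m3.large|m3.xlarge|m3.2xlarge) return 0 ;;
        *) return 1 ;;
    esac
}

# Endpoints may use any current-generation HVM type; PV instances are refused.
endpoint_virt_ok() {  # usage: endpoint_virt_ok <hvm|paravirtual>
    [ "$1" = "hvm" ]
}

# Stop, change the type, and start again (the sequence the AWS resize page describes).
resize_instance() {  # usage: resize_instance <instance-id> <new-type> <region>
    local id=$1 type=$2 region=$3
    aws ec2 stop-instances --instance-ids "$id" --region "$region" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$id" --region "$region"
    aws ec2 modify-instance-attribute --instance-id "$id" --region "$region" \
        --instance-type "{\"Value\": \"$type\"}"
    aws ec2 start-instances --instance-ids "$id" --region "$region" >/dev/null
    aws ec2 wait instance-running --instance-ids "$id" --region "$region"
}

resize_management_server() {  # usage: resize_management_server <instance-id> <size> <region>
    local id=$1 size=$2 region=$3 type
    type=$(mgmt_type_for_size "$size" "$region") || { echo "unknown size: $size" >&2; return 1; }
    mgmt_type_allowed "$type" || { echo "refusing unsupported type $type" >&2; return 1; }
    echo "resizing $id to $type (license capacity: $(mgmt_capacity_for_size "$size") endpoints)"
    resize_instance "$id" "$type" "$region"
}

resize_endpoint() {  # usage: resize_endpoint <instance-id> <new-type> <region>
    local id=$1 type=$2 region=$3 virt
    virt=$(aws ec2 describe-instances --instance-ids "$id" --region "$region" \
        --query 'Reservations[0].Instances[0].VirtualizationType' --output text)
    endpoint_virt_ok "$virt" || { echo "$id is $virt; only HVM endpoints are supported" >&2; return 1; }
    resize_instance "$id" "$type" "$region"
}

# Example calls with hypothetical instance IDs (remove the leading # to run):
# resize_management_server i-0123456789abcdef0 large us-east-1
# resize_endpoint i-0fedcba9876543210 m4.large us-east-1
```

The license capacity is printed only for the operator's information; as the guide says, Enterprise Manager updates the authorized endpoint count itself when the size changes.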
5.4. Launching Endpoint Instances Using Private AMIs
After you use the CloudFormation templates to deploy Stealth-enabled endpoint
instances, you can deploy duplicate endpoint instances using private AMIs. You might
want to duplicate an endpoint instance to deploy multiple, identical workload servers that
run the same customized software. Performing this procedure eliminates the need to
reinstall customized software on multiple workload server instances.
Note: To perform this procedure successfully, you must use an AWS account that has
already subscribed to the Unisys Stealth(cloud) for AWS endpoint instance type.
Launching Windows Endpoint Instances from a Private AMI
Do the following to create a private AMI based on a Windows endpoint and deploy
endpoint instances using the private AMI:
1. Create a new private AMI based on the endpoint instance.
See the Amazon documentation at http://docs.aws.amazon.com/AWSEC2/latest/
WindowsGuide/ami-create-standard.html for more detailed information.
When you create a new private AMI, you use the EC2Config service to run Sysprep to
configure the new AMI.
Consider the following best practices for configuring the private AMI:
• You can use the default EC2Config service answer file (C:\Program
Files\Amazon\Ec2ConfigService\sysprep2008.xml) without modification, or you
can review the file and make changes as appropriate for your environment.
• When specifying the Administrator password, it is recommended that you select
Random and then click Shutdown with Sysprep. You then retrieve the Administrator
password of each instance launched from the AMI with Get Password and the EC2
key pair, as described in 4.2 Accessing Windows Endpoints and Viewing Stealth Status.
2. On the EC2 Console, launch one or more endpoint instances using the private AMI
that you created.
When you launch the new endpoint instances, you must do the following:
• Deploy the endpoint instances in the same VPC as the Management Server
instance.
• Select the StealthSecurityGroup that was created when you deployed the
Management Server instance.
3. After you launch an endpoint instance, log on to the instance.
4. On the endpoint instance, access the Stealth Applet by clicking the Show hidden
icons (arrow) button in the taskbar, and then clicking the Stealth Shield icon.
Note: If the Applet does not appear in the taskbar, you can access it from the Start
menu by typing USS-Applet in the Search box.
5. Do one of the following, depending on the color of the Stealth Applet:
• Blue – Stealth is enabled and the endpoint is secured. No further action is
required.
• Yellow – Do the following to enable the Stealth Applet to monitor and report the
status of Stealth services:
a. Run PowerShell as an administrator.
b. Enter the following command to change to the Stealth Solution folder:
cd "C:\ProgramData\Unisys\Stealth Solution"
c. Enter the following command:
.\Restore-Java-Keystore.ps1
The Stealth Applet running on the endpoint instance restarts. When the blue
Stealth Shield icon appears in the task bar, Stealth is enabled and the
endpoint is secured.
• Red – Stealth is disabled. Verify that the endpoint instance is using the
StealthSecurityGroup that was created when you deployed the Management
Server instance, as instructed in the previous step. If required, update the
StealthSecurityGroup.
If this does not resolve the problem, see Section 7, Troubleshooting.
For more information on verifying the Stealth status, see 4.2 Accessing Windows
Endpoints and Viewing Stealth Status.
Launching Linux Endpoint Instances from a Private AMI
Do the following to create a private AMI based on a Linux endpoint and deploy endpoint
instances using the AMI:
1. On the EC2 Console, ensure that the endpoint instance that you want to use to create
the private AMI is stopped.
2. Create a new private AMI based on the endpoint instance.
See the Amazon documentation at http://docs.aws.amazon.com/AWSEC2/latest/
UserGuide/creating-an-ami-ebs.html for more detailed information.
3. On the EC2 Console, launch one or more endpoint instances using the private AMI
that you created.
When you launch the new endpoint instances, you must do the following:
• Deploy the endpoint instances in the same VPC as the Management Server
instance.
• Select the StealthSecurityGroup that was created when you deployed the
Management Server instance.
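The launch requirements shared by the Windows and Linux procedures above (same VPC as the Management Server, StealthSecurityGroup attached) as a script, added here as an example and not taken from the guide or from Unisys. It looks up the Management Server's VPC and the StealthSecurityGroup ID in that VPC, refuses a subnet outside that VPC, launches from the private AMI, and then performs the check the Red case in step 5 asks for: whether the new instance actually carries the group. The AMI, instance, subnet and key-pair identifiers are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): launch Stealth endpoints from a private AMI
# in the Management Server's VPC with StealthSecurityGroup, then verify the group
# is attached. All identifiers in the usage line are hypothetical.
set -eu

SG_NAME=StealthSecurityGroup   # the group name the guide says to select

# Returns 0 if the whitespace-separated list of group names contains the Stealth
# group. This is the check to make when the Stealth Applet shows red.
has_stealth_sg() {  # usage: has_stealth_sg "<name> <name> ..."
    for name in $1; do
        [ "$name" = "$SG_NAME" ] && return 0
    done
    return 1
}

# VPC of the Management Server; new endpoints must be launched in it.
vpc_of_instance() {  # usage: vpc_of_instance <instance-id>
    aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].VpcId' --output text
}

# Group ID of StealthSecurityGroup inside one VPC (group names are only unique per VPC).
stealth_sg_id() {  # usage: stealth_sg_id <vpc-id>
    aws ec2 describe-security-groups \
        --filters "Name=vpc-id,Values=$1" "Name=group-name,Values=$SG_NAME" \
        --query 'SecurityGroups[0].GroupId' --output text
}

# Group names attached to an instance, tab-separated on one line.
sg_names_of_instance() {  # usage: sg_names_of_instance <instance-id>
    aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].SecurityGroups[].GroupName' --output text
}

launch_from_private_ami() {  # usage: launch_from_private_ami <ami-id> <mgmt-instance-id> <subnet-id> <key-name> <type> <count>
    local ami=$1 mgmt=$2 subnet=$3 key=$4 type=$5 count=$6 vpc subnet_vpc sg ids id
    vpc=$(vpc_of_instance "$mgmt")
    subnet_vpc=$(aws ec2 describe-subnets --subnet-ids "$subnet" --query 'Subnets[0].VpcId' --output text)
    [ "$subnet_vpc" = "$vpc" ] || { echo "subnet $subnet is not in Management Server VPC $vpc" >&2; return 1; }
    sg=$(stealth_sg_id "$vpc")
    [ "$sg" != "None" ] || { echo "$SG_NAME not found in $vpc" >&2; return 1; }
    ids=$(aws ec2 run-instances --image-id "$ami" --instance-type "$type" \
        --subnet-id "$subnet" --security-group-ids "$sg" --key-name "$key" \
        --count "$count" --query 'Instances[].InstanceId' --output text)
    for id in $ids; do
        aws ec2 wait instance-running --instance-ids "$id"
        if has_stealth_sg "$(sg_names_of_instance "$id")"; then
            echo "$id: launched with $SG_NAME; now check the Stealth Applet or stconfig -S"
        else
            echo "$id: $SG_NAME is not attached; attach it before expecting Stealth to enable" >&2
        fi
    done
}

# Example call with hypothetical identifiers (remove the leading # to run):
# launch_from_private_ami ami-0123456789abcdef0 i-0123456789abcdef0 subnet-0123456789abcdef0 my-keypair m4.large 2
```

Because the Marketplace subscription requirement in the Note above is enforced by AWS at launch time, a run-instances call from an unsubscribed account fails with an error rather than producing an unprotected endpoint.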
Managing the Instance Used to Create Private AMIs
After you finish creating private AMIs, you can do any of the following to the instance that
you used to create these AMIs:
• Stop the endpoint instance (if it is not already stopped) and leave it in a stopped state.
• Delete the instance, and delete the CloudFormation stack associated with the
instance.
• Power on the instance and use it as a Stealth endpoint.
Troubleshooting
For information on troubleshooting issues with private AMIs, see 7.5 Troubleshooting
Private AMIs.
Section 6. Upgrading or Updating Management Server and Endpoint Instances
This section describes the process for upgrading or updating your subscribed
Management Server and endpoint instances. When you upgrade, you install a new
software level. When you update, you install a new version of your existing software
level.
When upgrades or updates become available, you receive an email from Amazon. For your
convenience and for security, Unisys provides the upgrade or update files on an Upgrade
System that you can subscribe to and launch within your VPC. This enables you to
securely update your Management Server and endpoint instances without having to
transfer files over a potentially unsecure Internet connection.
Also for security, the Upgrade System does not include a public IP address by default,
which ensures that it can only communicate with other components in the VPC. In
addition, its Security Group allows inbound HTTP traffic on port 80 only. Because the
files are served over plain HTTP, this protection depends on the Upgrade System staying
reachable only from inside the VPC.
After you launch the Upgrade System in your VPC, you can connect to its web server from
your Administration and Diagnostics System and download the appropriate upgrade or
update files. You can then transfer those files from the Administration and Diagnostics
System to your Management Server and endpoint instances, and then deploy the files.
See the following procedures for additional details.
Note: Before you begin, it is a best practice to back up any instances that you plan to
upgrade. See the Amazon documentation at
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EBSSnapshots.html for
more detailed information.
6.1. Subscribing to and Launching the Upgrade System
Do the following to subscribe to and launch the Upgrade System:
1. Navigate to the AWS Marketplace webpage (https://aws.amazon.com/marketplace).
2. At the top of the page, click Sign in, and then sign in using your AWS account
credentials.
3. In the search box, enter Unisys Stealth.
4. On the results page, select Unisys Stealth(cloud) Upgrade System.
5. On the Unisys Stealth(cloud) Upgrade System solutions page, click Continue.
6. On the Launch on EC2 page, do the following:
a. Under Version, ensure that the latest software version is selected.
b. Under Region, ensure that the correct region is selected, or expand Region and
select a new region from the list.
c. Expand VPC Settings, and select the VPC where you launched the
Management Server instance.
Note: You can select any subnet within the VPC that supports t2.micro
instances.
d. Under Security Group, review the default settings. It is a best practice to retain
the default settings.
e. Expand Key Pair, and select the name of an existing EC2 key pair that you want
to use to meet the Amazon administrative requirement to have a key pair for all
EC2 instances.
f. Click Launch with 1-Click.
7. Review the information in the window that states that an instance of the software is
now deploying, and then close that window.
8. After the Upgrade System launch process is complete and the instance is running,
click the Manage in AWS Console link next to the Unisys Stealth(cloud) Upgrade
System.
9. Make a note of the Upgrade System private IP address (which is listed on the
Description tab for the instance).
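A check, added here as an example and not taken from the guide or from Unisys, that a launched Upgrade System matches the posture described at the start of this section: no public IP address, and a Security Group that admits only TCP port 80. It runs from any system with the AWS CLI and a POSIX shell; the instance ID and region are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): verify the Upgrade System has no public IP
# and that every security group on it admits only TCP 80. The instance ID in the
# usage line is hypothetical.
set -eu

# Reads one inbound rule per line as "<proto> <from-port> <to-port>" (the shape the
# describe-security-groups query below produces) and returns 0 only if there is at
# least one rule and every rule is TCP 80-80. An all-traffic rule shows up as
# "-1 None None" and is rejected.
rules_only_http() {  # usage: <rules> | rules_only_http
    local proto from to n=0
    while read -r proto from to; do
        [ -n "$proto" ] || continue
        n=$((n+1))
        [ "$proto" = "tcp" ] && [ "$from" = "80" ] && [ "$to" = "80" ] || return 1
    done
    [ "$n" -gt 0 ]
}

# "None" is what the CLI prints for an instance without a public address.
no_public_ip() {  # usage: no_public_ip "<PublicIpAddress value>"
    [ "$1" = "None" ] || [ -z "$1" ]
}

public_ip_of() {  # usage: public_ip_of <instance-id> <region>
    aws ec2 describe-instances --instance-ids "$1" --region "$2" \
        --query 'Reservations[0].Instances[0].PublicIpAddress' --output text
}

check_upgrade_system() {  # usage: check_upgrade_system <instance-id> <region>
    local id=$1 region=$2 ok=0 sg
    if no_public_ip "$(public_ip_of "$id" "$region")"; then
        echo "ok: $id has no public IP address"
    else
        echo "WARNING: $id has a public IP address" >&2; ok=1
    fi
    for sg in $(aws ec2 describe-instances --instance-ids "$id" --region "$region" \
            --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' --output text); do
        if aws ec2 describe-security-groups --group-ids "$sg" --region "$region" \
             --query 'SecurityGroups[0].IpPermissions[].[IpProtocol,FromPort,ToPort]' --output text \
           | rules_only_http; then
            echo "ok: $sg admits only TCP 80"
        else
            echo "WARNING: $sg admits more than TCP 80" >&2; ok=1
        fi
    done
    return $ok
}

# check_upgrade_system i-0123456789abcdef0 us-east-1   # hypothetical instance ID
```

A non-zero exit means the instance differs from the default posture; if you changed the Security Group at launch (step 6d), this is where that change becomes visible.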
6.2. Connecting to the Upgrade System and Downloading Files
After the Upgrade System has been launched, do the following to connect to its web
server, and then download the upgrade and update files:
1. Log on to the Administration and Diagnostics System running in your VPC.
2. Open a browser window, and connect to the web server address of the Upgrade
System, which is
http://<Upgrade System private IP address>
3. Select the files that you want to download (upgrade or update files for the
Management Server and endpoints), as follows:
Stealth(cloud) Component                                    File Name
Stealth(cloud) Enterprise Manager (Management Server)       EMInstaller-3.1.xxx.zip and
                                                            UnisysStealthSolutionAMIx64-3.1.xxx.msi
Stealth(cloud) for Windows endpoints (Windows Server        UnisysStealthSolutionAMIx64-3.1.xxx.msi
2008 and Windows Server 2012)
Stealth(cloud) for Linux endpoints (Red Hat Enterprise      UnisysStealthSolution-Linux-3.1.xxx.sh
Linux 6 and 7, SUSE Linux Enterprise Server 11, and
Ubuntu Linux 14.04)
Note: If you use Internet Explorer to download files from the Upgrade System, the
Enhanced Security Configuration (ESC) feature automatically disables downloads
from websites that are not included in the Trusted sites list. When you select the first
file, you see one of the following errors, which must be resolved:
• If you see an error that reads “You are attempting to download a file from a site that is
not part of your Trusted Sites,” you must manually add the web server address
to the Trusted sites list (by selecting Internet options on the Tools menu and
then adding a new Trusted site on the Security tab).
After you add the web server address to Trusted sites, refresh your browser, and
then download the file. You might still see an error that reads: “The signature of
<file name> is corrupt or invalid,” but you should be able to download the file.
• If you are asked whether you want to add the web server address to the Trusted sites list,
click Yes. However, if you immediately try to download the file that was just
blocked, a corrupted version of this file will be saved to the Administration and
Diagnostics System. You must either refresh your browser window after adding
this site to the Trusted sites list, or you must download the file twice (to overwrite
the corrupted version of the file). Subsequent downloads are not corrupted.
If you are unable to download the files using Internet Explorer, either disable the ESC
feature or use a different browser.
The files you select are automatically downloaded to the Administration and
Diagnostics System. The directory in which the files are saved depends on your
browser settings, but they are usually saved in the Downloads folder.
4. Using the standard method for distributing software in your AWS environment, copy
the files as follows:
• Copy EMInstaller-3.1.xxx.zip and UnisysStealthSolutionAMIx64-3.1.xxx.msi to the
Management Server instance
• Copy UnisysStealthSolutionAMIx64-3.1.xxx.msi to the Windows endpoint
instances
• Copy UnisysStealthSolution-Linux-3.1.xxx.sh to the Linux endpoint instances
6.3. Upgrading or Updating the Management Server
To upgrade or update the Management Server, you must install the files in EMInstaller-
3.1.xxx.zip as well as UnisysStealthSolutionAMIx64-3.1.xxx.msi.
Note: During the installation of the new Enterprise Manager software, the associated
Stealth endpoint instances will be rekeyed, meaning that the Stealth tunnels used by the
endpoints will be closed and then reopened. Therefore, you should perform this procedure
during a period when your environment can tolerate a disruption in Stealth
communications.
Do the following:
1. Log on to the Management Server instance using the EMAdmin user name and the
password that you set for the EMAdminPassword in 2.4 Selecting Parameters and
Launching the Management Server Instance.
2. Using Windows Explorer, navigate to EMInstaller-3.1.xxx.zip, and unzip the file.
3. On the Start menu, search for PowerShell, and then right-click PowerShell and
select Run as administrator.
4. In the Administrator: Windows PowerShell window, change to the directory where
you unzipped the file.
5. Enter the following command:
.\Upgrade.ps1
6. When prompted, enter the Enterprise Manager Administrator (EMAdmin) password.
7. When prompted, confirm the Enterprise Manager Administrator (EMAdmin)
password.
8. When prompted, enter the Tomcat user password.
9. When prompted, confirm the Tomcat user password.
10. Wait while the Enterprise Manager software is installed. This can take between 10
and 20 minutes to complete.
11. After the Enterprise Manager software is installed, perform the procedure in
6.4 Upgrading or Updating Windows Endpoint Instances to install the
UnisysStealthSolutionAMIx64-3.1.xxx.msi on the Management Server.
Note: Because the Management Server also runs the endpoint software, you must
install this software on the Management Server as well as on all Windows endpoints.
6.4. Upgrading or Updating Windows Endpoint Instances
Note: During the installation of the new software, there is a brief network interruption
when the Stealth services are restarted.
To upgrade or update Windows endpoint instances using a silent installation process, do
the following:
1. Open a command prompt using the Run as administrator option.
2. Enter the following command:
msiexec /qn /i <file path>\UnisysStealthSolutionAMIx64-3.1.xxx.msi
For example, enter msiexec /qn /i C:\Temp\UnisysStealthSolutionAMIx64-3.1.157.msi.
To keep an installation log for troubleshooting, append /l*v <log file path> to the
command.
The new version of Stealth software is installed.
6.5. Upgrading or Updating Linux Endpoint Instances
Note: During the installation of the new software, Stealth is briefly disabled and then
reenabled.
To upgrade or update files on Linux endpoint instances using a silent installation process,
do the following:
1. On the Linux endpoint, open a terminal window, and change to the directory where
you saved the UnisysStealthSolution-Linux-3.1.xxx.sh file.
2. On the Linux endpoint, enter the following command to change the mode:
chmod +x UnisysStealthSolution-Linux-3.1.xxx.sh
For example, enter chmod +x UnisysStealthSolution-Linux-3.1.157.sh.
3. Enter the following command to install the software:
sudo ./UnisysStealthSolution-Linux-3.1.xxx.sh
For example, enter sudo ./UnisysStealthSolution-Linux-3.1.157.sh.
The software is installed. When the installation is complete, you see a message that
reads “Stealth configured.”
4. Enter the following command to restart the Stealth software:
service stealthd restart
Caution
If you do not enter this command to restart the Stealth software after you
install the new software version, your endpoint will be unprotected by Stealth
and will be unable to communicate with other Stealth endpoints that it shares
a COI with.
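The Linux endpoint update as one script, added here as an example and not taken from the guide or from Unisys. It covers the copy step in 6.2 (step 4) as well as the procedure in 6.5: the files cross the VPC over plain HTTP and are then copied to every endpoint, so the script records the SHA-256 of the installer on the Administration and Diagnostics System and refuses to run a copy on the endpoint whose digest differs. It then runs the installer, restarts stealthd as the Caution requires, and prints the resulting status with stconfig -S. The build number 3.1.157 is the one the guide uses in its own example; the digest and file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): verified install of the Linux endpoint
# update. sha256_of is run on the Administration and Diagnostics System when the
# file is downloaded; update_linux_endpoint is run on each Linux endpoint.
set -eu

# Print the SHA-256 of a file (sha256sum on Linux; shasum where it is absent).
sha256_of() {  # usage: sha256_of <file>
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only when the file's digest equals the expected one (hex, case-insensitive).
sha256_matches() {  # usage: sha256_matches <file> <expected-hex>
    local actual expected
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Accept only the installer name the guide uses, with any 3.1.xxx build number.
installer_name_ok() {  # usage: installer_name_ok <file>
    case "$(basename "$1")" in
        UnisysStealthSolution-Linux-3.1.*.sh) return 0 ;;
        *) return 1 ;;
    esac
}

update_linux_endpoint() {  # usage: update_linux_endpoint <installer.sh> <expected-sha256>
    local installer=$1 expected=$2
    installer_name_ok "$installer" || { echo "unexpected installer name: $installer" >&2; return 1; }
    sha256_matches "$installer" "$expected" || { echo "SHA-256 mismatch for $installer; not installing" >&2; return 1; }
    case "$installer" in */*) ;; *) installer=./$installer ;; esac   # never search PATH for it
    chmod +x "$installer"
    sudo "$installer"                 # prints "Stealth configured." when it completes
    # Without this restart the endpoint is left unprotected (guide, 6.5 Caution).
    sudo service stealthd restart
    sudo stconfig -S                  # show the Stealth status after the restart
}

# Usage (hypothetical paths; the digest value comes from the Admin system):
#   sha256_of ~/Downloads/UnisysStealthSolution-Linux-3.1.157.sh        # on the Admin system
#   update_linux_endpoint /tmp/UnisysStealthSolution-Linux-3.1.157.sh <digest>   # on the endpoint
```

The same digest comparison applies to the Windows .msi and EMInstaller .zip copies; there, compare the value from the Admin system against Get-FileHash output on the Management Server and Windows endpoints before running msiexec or Upgrade.ps1.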
6.6. Launching Upgraded Endpoint Instances in an Upgraded Environment
If you created a Stealth(cloud) for AWS 1.0 environment, the CloudFormation templates let
you select both release 1.0 and release 2.0 endpoint instances; however, only release 1.0
endpoint instances launch successfully until you perform this procedure. Therefore, if you
upgraded your Management Server to release 2.0 and you want to launch new release 2.0
endpoint instances, you must perform this procedure.
Note: If you perform this procedure, you will no longer be able to launch release 1.0
endpoints successfully. If you want to continue to launch release 1.0 endpoints, do not
perform this procedure.
If you choose to continue to launch release 1.0 endpoints (and do not perform the steps in
this procedure), you can upgrade those release 1.0 endpoints at any time, using the
procedure in 6.4 Upgrading or Updating Windows Endpoint Instances or 6.5 Upgrading or
Updating Linux Endpoint Instances.
Do the following:
1. On the Amazon Web Services console, under Storage & Content Delivery,
select S3.
2. Select the Stealth S3 Bucket that corresponds to the Management Server
CloudFormation stack for your environment.
Within the Stealth S3 Bucket, you see folders that correspond to each Stealth user
role that you created when you used the CloudFormation templates to launch the
Management Server using release 1.0. For example, if you created user roles for a
three-tier environment, you might see a WebServer folder, an AppServer folder, and a
DBServer folder.
3. Do the following to update the user role folder:
a. Select one of the folders in the Stealth S3 Bucket (for example, select the
WebServer folder).
b. Select the Configuration subfolder, and then select the Packages subfolder.
The folder path should appear like the following:
<Stealth S3 Bucket name>/<User role folder name>/Configuration/Packages
Upgrading or Updating Management Server and Endpoint Instances
6–6 8205 5658-002
c. Within the Packages folder, locate the following two files:
• SegmentationWinPackage.exe
• SegmentationLinuxPackage.sh
d. Rename these two files, and change the word Segmentation to Segmented.
e. Verify that the files are now named as follows:
• SegmentedWinPackage.exe
• SegmentedLinuxPackage.sh
4. Repeat the previous step to change the file names for the other folders in your S3
Bucket (for example, repeat this step for the AppServer folder and the DBServer
folder).
You can now use the Stealth(cloud) for AWS CloudFormation templates to successfully
launch release 2.0 endpoint instances.
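The rename in steps 3 and 4 as a script, added here as an example and not taken from the guide or from Unisys. It enumerates the user-role folders at the top of the Stealth S3 Bucket, renames the two package files in each role's Configuration/Packages folder, skips roles where the files are already renamed or absent, and supports the AWS CLI's --dryrun flag so the moves can be previewed first. Remember that, as the Note above says, once the files are renamed release 1.0 endpoints no longer launch. The bucket name is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): rename Segmentation* package files to
# Segmented* in every user-role folder of the Stealth S3 Bucket.
set -eu

# Map a package key to its release 2.0 name. Keys that do not need renaming are
# returned unchanged, so the function is safe to apply to any key in the folder.
renamed_key() {  # usage: renamed_key <object-key>
    local key=$1 dir base
    dir=${key%/*}; base=${key##*/}
    [ "$dir" = "$key" ] && dir=""          # key had no folder component
    case "$base" in
        SegmentationWinPackage.exe)  base=SegmentedWinPackage.exe ;;
        SegmentationLinuxPackage.sh) base=SegmentedLinuxPackage.sh ;;
    esac
    [ -n "$dir" ] && printf '%s/%s\n' "$dir" "$base" || printf '%s\n' "$base"
}

# User-role folders are the top-level prefixes of the bucket (WebServer/, AppServer/, ...).
role_folders() {  # usage: role_folders <bucket>
    aws s3api list-objects-v2 --bucket "$1" --delimiter / \
        --query 'CommonPrefixes[].Prefix' --output text
}

rename_packages() {  # usage: rename_packages <bucket> [--dryrun]
    local bucket=$1 dry=${2:-} role key new
    for role in $(role_folders "$bucket"); do
        for key in "${role}Configuration/Packages/SegmentationWinPackage.exe" \
                   "${role}Configuration/Packages/SegmentationLinuxPackage.sh"; do
            # Skip roles where the file is already renamed or was never there.
            aws s3api head-object --bucket "$bucket" --key "$key" >/dev/null 2>&1 || continue
            new=$(renamed_key "$key")
            aws s3 mv $dry "s3://$bucket/$key" "s3://$bucket/$new"
        done
    done
}

# Preview, then apply (hypothetical bucket name; remove the leading # to run):
# rename_packages stealth-bucket-example --dryrun
# rename_packages stealth-bucket-example
```

Run the dry run first and compare its output against the role folders you expect (for example WebServer, AppServer and DBServer); a role folder that is missing from the output either has no Packages folder or has already been renamed.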
Section 7. Troubleshooting
This section provides troubleshooting information for your Stealth for AWS environment.
Review this section for information on diagnosing and resolving problems in your
environment.
7.1. Resolving Common Problems
If you are having trouble launching or connecting to your instances, or problems
authorizing or communicating with Stealth-enabled endpoints, do the following:
• Ensure that instances launched from your VPC are able to access the AWS
CloudFormation services.
In order to launch your Management Server instance and endpoint instances, these
instances must be able to access the CloudFormation services using either a public IP
address or NAT. If your instances do not have a method to access the CloudFormation
services, they will fail to launch after about an hour.
For general information on configuring IP addressing for your VPC and instances, see
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Networking.html.
For specific information about modifying the IP addressing for your instances, see
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-
addressing.html#subnet-public-ip.
• Ensure that you created an Administration and Diagnostics System, and ensure that
you can connect to it.
• Ensure that you created a Management Server instance.
• Ensure that the endpoint instances that you want to communicate include the same
COI. See 1.4 Understanding Default Stealth Configurations and User Roles for
information about user roles and their communication based on the configuration
(Segmented or Tiered).
• Ensure that your Management Server instances and your endpoint instances are
running. If your instances are not running and cannot be started, contact Amazon AWS
support.
• If you have problems using the Enterprise Manager interface on the Management
Server instance, ensure that you meet all of the requirements in 7.2 Enterprise
Manager Interface Requirements.
• Depending on your operating system, review the Windows application and system
event logs or the Linux Syslog for warning and informational messages that can
provide guidance and suggestions.
• For Windows endpoints, view the status of the Stealth connection using the Stealth
Applet. For Linux endpoints, view the status of the Stealth connection using the
stconfig -S command. See 4.2 Accessing Windows Endpoints and Viewing Stealth
Status and 4.3 Accessing Linux Endpoints and Viewing Stealth Status for more
information.
• Verify that there are no firewalls blocking communication. For more information about
configuring firewall settings to enable communications for Windows endpoint
instances, see the Unisys Stealth Solution Advanced Concepts and Operations Guide.
• Web proxy servers (HTTP proxy servers) can interfere with Stealth authorization;
ensure that there are no web proxy servers between Stealth endpoints and the
Management Server instance.
• Verify the status of the Stealth services. If any of the Stealth services are not in a
Running state, do the following:
- For Windows: Verify that the Unisys Stealth Logon Service, Unisys Stealth
PreLogon Service, and Unisys Stealth Protocol Service are running.
If any service status is paused, restart the Unisys Stealth Protocol Service, which
automatically restarts the other two services.
- For Linux: Log on with root privileges, and enter the following to see the state of
the stealthd daemon:
service stealthd status
If the services are in the process of connecting, wait a few minutes, then try to
verify the status of the services again.
• Verify that your environment includes enough licenses for your endpoints (and verify
that there are no license errors in your log files).
• Reboot the Management Server instance.
7.2. Enterprise Manager Interface Requirements
If you have any problems viewing the Enterprise Manager interface, ensure that you meet
the following requirements.
Resolution and Browser Requirements
The Enterprise Manager interface was tested using a resolution in the following range,
and you should configure a screen resolution in this range:
• Minimum resolution: 1152 × 864
• Maximum resolution: 1440 × 900
You must run one of the following browsers:
• Internet Explorer 11.x
• Firefox 35 or later
Note: Stealth Enterprise Manager was qualified using Internet Explorer 11.x and Firefox
35. Because Mozilla regularly releases new versions of Firefox, if you experience any
problems with a later version of Firefox, it is recommended that you use Internet Explorer
11.x.
In addition, configure the following browser settings:
• Ensure that the pop-up blocker is disabled.
• Set the browser zoom level to 100%.
• If you are using Internet Explorer 11.x, do the following:
- Ensure that Active Scripting is enabled
Do the following:
1. Open Internet Explorer and select Internet options.
2. On the Internet Options dialog box, select the Security tab, and then select
Custom Level.
3. Under Scripting, ensure that Active scripting is enabled.
- Ensure that the Document Mode is set to Edge
Do the following:
1. Open Internet Explorer, and press F12.
2. On the menu that appears at the bottom of the screen, select the icon on the
far right (the Document Mode icon), and then select Edge.
• If you are using Firefox, do the following:
- Set the browser cache to 15 MB or higher.
Do the following:
1. Open Firefox, and enter about:config into the address bar.
2. If you see a warning, click I’ll be careful, I promise.
3. In the Search box, enter browser.cache.disk.capacity.
4. Ensure that the value is at least 15360.
If the value is less than 15360, double-click browser.cache.disk.capacity, and
enter a new value that is at least 15360.
- Ensure that JavaScript is enabled.
Do the following:
1. In the Firefox about:config Search box, enter javascript.enabled.
2. Verify that javascript.enabled is set to true.
If it is set to false, right-click it, and click Toggle.
3. Close the Firefox window.
TLS 1.2 Requirement
The Management Server is required to use TLS 1.2.
If you use Firefox, do the following:
1. Open Firefox.
2. Enter about:config into the address bar, and press Enter.
3. If a warning appears, click I’ll be careful, I promise!
4. In the Search box above the list, enter TLS, and wait while the list is filtered.
5. Double-click security.tls.version.min, enter 1, and then click OK.
6. Double-click security.tls.version.max, enter 3, and then click OK.
7. Close Firefox.
If you use Internet Explorer, do the following:
1. Open Internet Explorer.
2. On the Tools menu, select Internet options.
3. On the Internet Options dialog box, select the Advanced tab.
4. Under Security, verify that Use TLS 1.2 is selected, and verify that all other Use
SSL and Use TLS check boxes are cleared.
5. Click OK to close the Internet Options dialog box.
7.3. Troubleshooting the Stealth Applet Connection to the Unisys Stealth Logon Service on Windows Endpoints
If a user is logged on to a Windows endpoint (including the Management Server), and
closes the Remote Desktop window without logging off of the endpoint, the Stealth
Applet running in that session does not terminate the connection to the Unisys Stealth
Logon Service. If another user logs on to the endpoint, the Stealth Applet in the new
session cannot open a new connection to the Unisys Stealth Logon Service. In this case,
the Stealth Applet enters an Error state (indicated by a yellow Stealth Shield icon in the
taskbar), and you receive a message that states that the Unisys Stealth Logon Service is
not available.
If the Stealth Applet cannot connect to the Unisys Stealth Logon Service, do the following
to log off a user that disconnected from the endpoint without logging off:
1. On the endpoint, access Windows Task Manager and select the Users tab.
2. Select the user that you want to log off of the endpoint, and then click Logoff or
Sign out (depending on the version of Windows running on the endpoint).
The user is logged off of the endpoint, and the associated connection is terminated.
3. Verify that the Stealth Applet is successfully connected to the Unisys Stealth Logon
Service (indicated by a blue Stealth Shield icon in the taskbar).
If the Stealth Applet remains in an Error state, do the following to reboot the endpoint and
verify that it can connect to the Unisys Stealth Logon Service:
1. Reboot the endpoint and wait several minutes for the endpoint to restart.
2. Log on to the endpoint.
3. Verify that the Stealth Applet is successfully connected to the Unisys Stealth Logon
Service (indicated by a blue Stealth Shield icon in the taskbar).
7.4. Enabling Active Scripting on the Management Server Instance
Active scripting must be manually enabled on the Management Server instance for the
Enterprise Manager software to operate. If you are accessing the Enterprise Manager
interface using Internet Explorer, you might see an error that reads: “JavaScript must be
enabled to use Stealth Enterprise Manager. Please enable JavaScript in your browser and
refresh the page.” This means that Active Scripting has been disabled. Do the
following to re-enable Active Scripting:
1. From the AWS Management Console, select EC2 under Compute.
2. On the EC2 Dashboard, select Instances in the left pane (under Instances).
3. Right-click the Administration and Diagnostics System instance, and then select
Connect.
4. If you have not already done so, get the password for the Administration and
Diagnostics System instance.
5. If required, download and open the Remote Desktop File.
6. Log on to the Administration and Diagnostics System using the user name and
password.
7. On the Administration and Diagnostics System, use Remote Desktop Connection
(RDP) or another connection software (if you selected a Linux operating system for
your Administration and Diagnostics System), and connect to the Management Server
instance using its private IP address.
8. Log on to the Management Server instance using the EMAdmin user name and the
password that you set for the EMAdminPassword in 2.4 Selecting Parameters and
Launching the Management Server Instance.
Note: Do not use the default Administrator user name and password.
9. If you receive a warning that the identity of the remote computer cannot be verified,
click Yes to continue.
10. Ensure that there are no open browser windows.
11. From the Start menu, enter gpedit.msc in the Search box, and then press Enter.
12. In the Local Group Policy Editor window, in the left pane under Computer
Configuration, expand Administrative Templates, expand Windows
Components, expand Internet Explorer, expand Internet Control Panel,
expand Security Page, and then click Internet Zone.
13. Double-click Allow active scripting.
14. On the Allow active scripting dialog box, select the Enabled option, and then ensure
that Enable appears in the Allow active scripting list (under Options).
15. Click OK to close the Allow active scripting dialog box.
16. In the left pane of the Local Group Policy Editor window, select Intranet Zone
(under Security Page).
17. Double-click Allow active scripting.
18. On the Allow active scripting dialog box, select the Enabled option, and then ensure
that Enable appears in the Allow active scripting list (under Options).
19. Click OK to close the Allow active scripting dialog box.
20. Close the Local Group Policy Editor window.
If you want to create endpoint instances, you can minimize or close the Management
Server desktop and perform the procedures in Section 3, Launching Stealth Endpoint
Instances.
If you want to review the current configuration of your Management Server using the
Enterprise Manager interface, perform the procedure in 4.1 Accessing the Enterprise
Manager Interface.
7.5. Troubleshooting Private AMIs
If you performed the procedure in 5.4 Launching Endpoint Instances Using Private AMIs
and if you experience problems with the duplicate endpoint instances using private AMIs,
verify the following:
• You used an AWS account that was already subscribed to the Unisys Stealth(cloud) for
AWS endpoint instance type.
If you use an account that has not subscribed to the Unisys Stealth(cloud) for AWS
endpoint instance type, you must redeploy the private AMIs using a subscribed
account.
• The private AMI has an appropriate validation code.
Do one of the following, depending on the endpoint operating system:
- For Windows endpoints, check the Windows Application Event log to see if the
following error exists:
Event ID: 103
Source: USSL_Logon
Log Name: Application
Level: Error
Message: Function USSL_Logon: C Thread::Logon_ThreadProc: Failed AWSMarketplace instance validation. Wait 30 seconds; then try again. Returned error 183. Description: Cannot create a file when that file already exists.
Explanation
If you see these errors, the product code validation has failed. Contact Unisys for
support. See 7.6 Obtaining Services and Support from Unisys.
- For Linux operating systems, open the log files under /var/log in an editor and
search for the following errors:
Validating AWSMarketplace license type
Validating AWSMarketplace product code
AWS meta-data query failed. Response code: 404
Validating AWSMarketplace owner-id
AWSMarketplace owner-id validation failed
AWSMarketplace license type validation failed
If you see these errors, the product code validation has failed. Contact Unisys for
support. See 7.6 Obtaining Services and Support from Unisys.
If you used a subscribed account and you do not see these product code validation
errors, search the Windows Application Event log or the Linux logs under /var/log for
more information on errors that could be interfering with the private AMI deployment.
7.6. Obtaining Services and Support from Unisys
Unisys provides support and optional services for your Stealth(cloud) for AWS
environment.
Obtaining Support
To obtain support, do the following, depending on whether you have a technical question
or non-technical question:
• For technical questions about your Stealth(cloud) for AWS environment—including
installation and configuration questions—or if you need to report a Stealth product
issue, call one of the following numbers:
- 1-800-417-1393 (toll-free)
- +1 385-355-2969 (charges apply)
When you call the Unisys User Support Desk, you will be asked to provide your valid
AWS Account ID, a description of your issue, and any diagnostics you have collected.
A ticket will be created for your reference, and then you will be transferred to a Unisys
Stealth(cloud) for AWS Support Analyst.
The Support Analyst will work with you to answer your questions and verify that you
have met all of the requirements for deploying the Stealth(cloud) for AWS
environment. If your instances cannot be launched, or if your properly configured
endpoints cannot communicate with other endpoints in the same user role or with
other components for which they have filters configured, Unisys will help to diagnose
and resolve your issues.
• For non-technical questions—including questions about Test Drive experiences,
licensing options, and professional services—call one of the following numbers,
depending on the time:
- During the hours of 9:00 a.m. to 9:00 p.m. Eastern Standard Time, call +1 310-793-3100.
- During the hours of 9:00 p.m. to 9:00 a.m. Eastern Standard Time, call 1-800-417-1393 (toll-free) or +1 385-355-2969 (charges apply).
We make the best possible effort to respond to calls within the same business day.
Calls received on weekends and Unisys holidays will be returned the next business
day.
Be sure to review our documentation, which is available at
http://unisyssecurity.com/aws. This page includes informational articles, product
alerts, and answers to frequently asked questions.
Optional Professional Services
Unisys offers the following professional services—which are available for an additional
fee—to help you optimize your Stealth(cloud) for AWS environment. We can assist you
with creating a detailed Stealth architecture that meets your needs, including setting up
additional user roles and filters to further segment your endpoints and manage detailed
control over communications in your environment. Our services include the following:
1. Discovery Service: The Discovery Service is a hosted, four-hour, participant-driven
activity that introduces you to Stealth solutions and the uses of Stealth(cloud) for
Amazon Web Services.
2. Design Service: With the Design Service, Unisys works with you to identify changes
you might want to make in your AWS environment, such as adding or modifying
existing roles, filters, Communities of Interest (COIs) or endpoints within your Stealth-
enabled Virtual Private Cloud (VPC). If desired, Unisys can work with you to define the
parameters for integrating your network elements to connect the Stealth-enabled
AWS VPC using a defined AWS gateway.
3. Integration Service: The Integration Service is based on the outcome of the Design
Service. Unisys assists you in making the changes you have defined, which could
include the expansion of the existing Stealth-enabled VPC (roles, filters, or adding
COIs) or integrating your network elements to connect the Stealth-enabled AWS VPC
using a defined AWS gateway. In addition to aiding in the network configuration,
Unisys can update your Stealth-enabled VPC with the necessary security filters or
changes as defined as part of the Design Service.
Note: Although Unisys supports client creation of new filters and user roles, in complex
environments, you might find it necessary to leverage Unisys expertise in security and
micro-segmentation to ensure that your environment is properly configured and secured.
If you create, change, or delete multiple roles and filters using the Enterprise Manager
interface but your environment is not performing as you intended, Unisys consultants can
provide the services you need to implement your design.
7.7. Collecting Diagnostics from the Management Server and Endpoint Instances
If you are directed to collect diagnostics by Unisys Support personnel, perform the
procedures in this topic.
Collecting Diagnostics from the Management Server
The Management Server software includes the Collect Diagnostics utility. To use the
Collect Diagnostics utility on the Management Server instance, do the following:
1. From the Start menu, enter Collect Diagnostics in the Search box.
2. Double-click Collect Diagnostics.
The Collect Diagnostics utility collects diagnostic information for your configuration,
and stores the information in the C:\Stealth directory on the Management Server, in
the following subfolders:
• The Management Server endpoint software diagnostics are collected in the folder
C:\Stealth\Diag-<Computer Name>-<Date>, where <Computer Name> is the
computer name of the Management Server, and <Date> is the date when the
diagnostics were collected.
• The Enterprise Manager diagnostics are collected in the subfolder
DiagEM-<Computer Name>-<Date>, where <Computer Name> is the computer name of
the Management Server, and <Date> is the date when the diagnostics were collected.
Collecting Diagnostics from Windows Endpoints
You can collect the diagnostic information from a Windows Stealth endpoint by running
the collectdiags.cmd script, which is provided with the Stealth endpoint software. You can
run this script on any Windows endpoint.
To run this script, do the following:
1. From the Start menu, enter Collect Diagnostics in the Search box.
2. Right-click Collect Diagnostics and select Run as administrator.
The diagnostic output files are collected in the C:\Stealth\<day MMDDYYYY> directory on
the Stealth endpoint. (For example, the folder is named C:\Stealth\Fri 12312015.)
Note: If you run this script multiple times in one day, all diagnostic files collected on the
same day are stored in the same folder.
The diagnostic files include:
• Probes@<date-time>.prb – Stealth driver diagnostics file
• Diag_<date-time>-xxx.txt – Network and Stealth query output and log files
• Diag_<date-time>-xxx.log – Stealth installation log files
• Diag_<date-time>-xxx.evtx – Windows system and application event log files
• Diag_cfg-msinfo32.txt – Windows system information
• Diag_cfg-xxx.reg – Selected Windows registry exports
Note: The Diag_cfg files are not time-stamped and are collected only once each
day. To collect the latest data, delete the old files first.
Collecting Diagnostics from Linux Endpoints
You can collect diagnostic information from a Linux Stealth endpoint by executing the
collectdiags.sh script, which is installed as part of the Stealth endpoint software. This
script file is located in the /etc/stealth/admin-scripts directory. You can run this script on
any Linux endpoint.
Execute the collectdiags.sh script by entering the following commands as root:
cd /etc/stealth/admin-scripts
./collectdiags.sh
The collectdiags.sh script collects several log and configuration files and archives the files
in a single file with a name in the format stealth-diags<MMDDYYYY-HHMM>.tar.gz. All
diagnostic archive files are stored in the /var/tmp/stealth directory. (An example file is
/var/tmp/stealth/stealth-diags05062015-1305.tar.gz.)
From a remote session, you must establish a secure method to transfer the file. (You can
use any method for copying secure files that is allowed in your environment.) For example,
if your server includes the appropriate software packages, you could use SSH and enter
the following SCP command:
scp <source_file_name> <username>@<destination_host>:<destination_folder>
Note: Before attempting to transfer this file remotely, you must ensure that the Linux
endpoint and the destination server share a COI, or that the Linux endpoint has an
appropriate filter to communicate with the destination server.
You might find it useful to increase the logging level when diagnosing an issue. Do the
following.
Note: The logging level you set determines the level of diagnostics that are collected by
the collectdiags.sh script.
1. Open the /etc/stealth/system.ini file using an editor such as vi.
2. Locate the [global] section, and make the following changes:
• Ensure that the verbose line appears (and is uncommented) and set the value to
1.
This line should appear like the following:
verbose=1
• Ensure that the trace_flags line appears (and is uncommented) and set the value
to all.
This line should appear like the following:
trace_flags=all
3. Save and close the system.ini file.
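The two [global] edits above, done idempotently by a script, as an added example that is not part of the Unisys endpoint software: an existing verbose or trace_flags line is rewritten (and uncommented if it was commented out with ';' or '#'), a missing one is appended to [global], and every other line of system.ini is left as it was. Case-insensitive keys and those two comment markers are assumptions made for the example.

```python
# Added example (not Unisys code): raise the stealthd logging level by editing
# the [global] section of /etc/stealth/system.ini in place.  Existing
# verbose / trace_flags lines are rewritten (and uncommented if they were
# commented out with ';' or '#'); missing ones are appended to [global].
# Assumptions: keys are case-insensitive and only [global] is touched.
import re
import shutil
import sys

WANTED = {"verbose": "1", "trace_flags": "all"}

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# key=value, optionally commented out; the key must be followed directly by '='
KEY_RE = re.compile(r"^\s*[;#]?\s*([A-Za-z_]+)\s*=")


def raise_logging_level(text, wanted=WANTED):
    """Return the edited contents of system.ini as a string."""
    out = []
    section = None
    seen = set()
    global_end = None  # position in `out` just past the last [global] line

    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            if section == "global":
                global_end = len(out)
            section = sec.group(1).strip().lower()
            out.append(line)
            continue
        if section == "global":
            km = KEY_RE.match(line)
            key = km.group(1).lower() if km else None
            if key in wanted:
                if key in seen:
                    continue  # drop a duplicate so the active value is unambiguous
                seen.add(key)
                out.append(f"{key}={wanted[key]}")
                continue
        out.append(line)

    if section == "global":
        global_end = len(out)

    missing = [f"{k}={v}" for k, v in wanted.items() if k not in seen]
    if missing:
        if global_end is None:
            out.append("[global]")  # the file had no [global] section at all
            out.extend(missing)
        else:
            # insert before any blank lines that separate [global] from the next section
            while global_end > 0 and out[global_end - 1].strip() == "":
                global_end -= 1
            out[global_end:global_end] = missing
    return "\n".join(out) + "\n"


def main(path):
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    shutil.copy2(path, path + ".bak")  # keep a copy before rewriting
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(raise_logging_level(original))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/etc/stealth/system.ini")
```

Run it as root with the path of system.ini; the original is kept beside it as system.ini.bak.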
7.8. Deleting the Management Server or Endpoint Instances
If you want to delete the Management Server instance, you must first empty the
associated S3 bucket. You can delete the files in the bucket, or you can copy these files to
another location.
Note: Before deleting any files in the S3 bucket, you should ensure that you do not want
to retain this data, because it is not backed up in any other location.
After the bucket is empty, you can use the standard Amazon method of deleting stacks to
delete the associated Management Server stack.
If you want to delete an endpoint instance, use the standard Amazon method of deleting
stacks to delete the associated endpoint stack.
Appendix A
Parameter Worksheets
If you choose, you can print a copy of the following worksheets to record the values you
enter for the Management Server instance and endpoint instances.
A.1. Management Server Instance Planning
Use the following table to plan and record values for the Management Server instance.
Table A–1. Management Server Instance Planning
Category | Parameter | Value
Stack name | Stack name |
Amazon EC2 Configuration | VPC |
Amazon EC2 Configuration | Subnet |
Amazon EC2 Configuration | EC2 Key Name |
Unisys Stealth Configuration | Capacity (instance type and size) |
  • Small – m4.large (25 endpoints)
  • Medium – m4.large (50 endpoints)
  • Large – m4.xlarge (250 endpoints)
  • Extra Large – m4.2xlarge (500 endpoints)
  Note: If you select the South America (São Paulo) region, m3 instance types are used.
Unisys Stealth Configuration | Existing Administration and Diagnostics System IP Addresses |
Unisys Stealth Configuration | RDP Access IP Address (CIDR) for New Administration and Diagnostics System |
Unisys Stealth Configuration | Allowed Ports for the Administration and Diagnostics System |
  Note: Stealth User Role passwords must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
Unisys Stealth Micro-Segmented User Roles | Segment1 Username |
Unisys Stealth Micro-Segmented User Roles | Segment1 Password |
Unisys Stealth Micro-Segmented User Roles | Segment2 Username |
Unisys Stealth Micro-Segmented User Roles | Segment2 Password |
Unisys Stealth Micro-Segmented User Roles | Segment3 Username |
Unisys Stealth Micro-Segmented User Roles | Segment3 Password |
  Note: Stealth User Role passwords must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
Unisys Stealth Tiered User Roles | Tier1 Username |
Unisys Stealth Tiered User Roles | Tier1 Password |
Unisys Stealth Tiered User Roles | Tier2 Username |
Unisys Stealth Tiered User Roles | Tier2 Password |
Unisys Stealth Tiered User Roles | Tier3 Username |
Unisys Stealth Tiered User Roles | Tier3 Password |
  Note: The Enterprise Manager Administrator password must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
  In addition, the user name cannot be included as part of the password.
Unisys Stealth Administrator Passwords | Enterprise Manager Administrator | User name: EMAdmin; Password:
  Note: The MySQL Root password must be between eight and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
Unisys Stealth Administrator Passwords | MySQL Root | User name: root; Password:
  Note: The Enterprise Manager portal administrator password must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
Unisys Stealth Administrator Passwords | Interface Administrator | User name: portaladmin; Password:
  Note: The Tomcat user password must be between six and 50 characters long and must include at least one uppercase letter, at least one lowercase letter, at least one number, and at least one of the following special characters: ! @ # $ % ^ & * ( ) _ + =
  In addition, the user name cannot be included as part of the password.
Unisys Stealth Administrator Passwords | Tomcat User | User name: TomcatUser; Password:
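A checker for the password rules in the worksheet notes above, added here as an example and not part of the Unisys worksheet or product: it reports which rule a candidate value breaks before you type it into a stack parameter and have the launch rejected. The policy names, the ASCII-only letter and digit test, and the case-insensitive user-name comparison are assumptions made for the example.

```python
# Added example (not Unisys code): check candidate passwords against the
# complexity rules quoted in the Table A-1 notes before you type them into the
# CloudFormation parameters.  Policy names are invented for this example.

# The special characters the notes allow.
SPECIAL_CHARS = set("!@#$%^&*()_+=")

# (minimum length, maximum length, whether the user name may not appear in
# the password), taken from the four notes in the worksheet.
POLICIES = {
    "stealth_user_role": (6, 50, False),
    "em_administrator": (6, 50, True),
    "mysql_root": (8, 50, False),
    "portal_admin": (6, 50, False),
    "tomcat_user": (6, 50, True),
}


def check_password(password, policy, username=None):
    """Return the list of rules the password breaks (empty means it passes).

    Letters and digits are tested as ASCII only, and the user-name test is
    case-insensitive; the notes do not say either way, so both are assumptions.
    """
    min_len, max_len, exclude_username = POLICIES[policy]
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("needs at least one uppercase letter")
    if not any("a" <= c <= "z" for c in password):
        problems.append("needs at least one lowercase letter")
    if not any("0" <= c <= "9" for c in password):
        problems.append("needs at least one number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("needs one of " + " ".join(sorted(SPECIAL_CHARS)))
    if exclude_username and username and username.lower() in password.lower():
        problems.append("must not contain the user name")
    return problems


def check_worksheet(entries):
    """Check several (policy, username, password) rows; return {username: problems}."""
    return {user: check_password(pw, policy, user) for policy, user, pw in entries}


if __name__ == "__main__":
    # Constructed sample rows for the demonstration, not real credentials.
    sample = [
        ("em_administrator", "EMAdmin", "Launch#2016"),
        ("mysql_root", "root", "Db7$pass"),
        ("tomcat_user", "TomcatUser", "TomcatUser1!"),
    ]
    for user, problems in check_worksheet(sample).items():
        print(user, "OK" if not problems else "; ".join(problems))
```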
A.2. Endpoint Instance Planning
Use the following table to plan and record values for the endpoint instances.
Table A–2. Endpoint Instance Planning
Parameter | Value
Endpoint 1
  Stack name |
  VPC |
  Subnet |
  Stealth Security Group |
  EC2 Key Name |
  EC2 Instance Type |
  IAM Instance Profile |
  Stealth S3 Bucket |
  Stealth Username |
Endpoint 2
  Stack name |
  VPC |
  Subnet |
  Stealth Security Group |
  EC2 Key Name |
  EC2 Instance Type |
  IAM Instance Profile |
  Stealth S3 Bucket |
  Stealth Username |
Endpoint 3
  Stack name |
  VPC |
  Subnet |
  Stealth Security Group |
  EC2 Key Name |
  EC2 Instance Type |
  IAM Instance Profile |
  Stealth S3 Bucket |
  Stealth Username |
Endpoint 4
  Stack name |
  VPC |
  Subnet |
  Stealth Security Group |
  EC2 Key Name |
  EC2 Instance Type |
  IAM Instance Profile |
  Stealth S3 Bucket |
  Stealth Username |
Endpoint 5
  Stack name |
  VPC |
  Subnet |
  Stealth Security Group |
  EC2 Key Name |
  EC2 Instance Type |
  IAM Instance Profile |
  Stealth S3 Bucket |
  Stealth Username |
Endpoint 6
  Stack name |
  VPC |
  Subnet |
  Stealth Security Group |
  EC2 Key Name |
  EC2 Instance Type |
  IAM Instance Profile |
  Stealth S3 Bucket |
  Stealth Username |
Copyright © 2016 Unisys Corporation.
All rights reserved.