Trend Micro Incorporated reserves the right to make ...docs.trendmicro.com/all/ent/sc/v2.0/en-us/SC20_MSP_AG.pdf · • Ubuntu r e v r e S s w o ... 85MB to install SecureCloud Management

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme. This document and SecureCloud are released pursuant to NDA Only and is confidential.

Copyright © 1996 - 2012 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Document Part No. APEM25321/120118

Release Date: February, 2012

The user documentation for Trend Micro SecureCloud is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software.

To contact Trend Micro Support, please see Appendix C, Contact Information and Web-based Resources of this document.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

http://www.trendmicro.com/download/documentation/rating.asp

Contents

Preface

SecureCloud Documentation .........................................................................viii

Audience ............................................................................................................viii

Document Conventions ................................................................................... ix

Chapter 1: Introducing SecureCloud

System Requirements ..................................................................................... 1-2SecureCloud Management Server Requirements .................................. 1-2

Features and Benefits ..................................................................................... 1-3

New Features ................................................................................................... 1-7

How SecureCloud Works .............................................................................. 1-8SecureCloud Interaction with the vCloud API ................................... 1-10Basic Components of SecureCloud ...................................................... 1-12Using the SecureCloud Central Management Console ...................... 1-13

Logs ....................................................................................................... 1-14

Summary of Operations ............................................................................... 1-16

Chapter 2: Administration

Account Management for SecureCloud for Managed ServiceProviders .......................................................................................... 2-1

Adding an Account .................................................................................... 2-2Changing an Account ................................................................................ 2-2Enabling and Disabling Accounts ........................................................... 2-3

Managing Users in the Central Management Console .............................. 2-3Adding a New User to the Central Management Console .................. 2-3

iii

SecureCloud 2.0 Administrator’s Guide

Changing Central Management Console User Information ................2-4Deleting a Central Management Console User ......................................2-4

User Roles .........................................................................................................2-5About User Roles .......................................................................................2-5

Database Encryption Key Management ......................................................2-5Backing Up a Database Encryption Key ................................................2-6Importing an Encryption Key ..................................................................2-6

Managing Profile Information .......................................................................2-7Changing the Log In Password ................................................................2-7

Central Management Console Notifications ...............................................2-8Specifying SNMP and SMTP Settings ....................................................2-8Adding Central Management Console Notifications ............................2-9Changing an Existing Central Management Console Notification ...2-10Deleting a Central Management Console Notification ......................2-10

Authentication Methods in SecureCloud ..................................................2-10Using Local Authentication ....................................................................2-11Using TMSSO ...........................................................................................2-11Using an ID Provider ..............................................................................2-11

Specifying Proxy Server Settings .................................................................2-13

Product License .............................................................................................2-13Product License Activation Code ..........................................................2-14

Appendix A: Installing and Uninstalling SecureCloud for an On-Premise Deployment

Installation Summary .....................................................................................A-2

Creating a User with Minimal Rights ..........................................................A-3

Installing SecureCloud ...................................................................................A-3Launching the Installation Wizard ..........................................................A-4Performing a Typical Installation ............................................................A-5Performing a Custom Installation ...........................................................A-6

Installing the Database Server ............................................................A-6Installing the Application Server ........................................................A-7Installing the Web Server ....................................................................A-9

iv

Contents

Setting Up for Tenant Usage and Registering the Product ................... A-10

Uninstalling SecureCloud ........................................................................... A-12

Appendix B: Frequently Asked Questions

What Hypervisors are Supported? ...............................................................B-1

In Which Time Zones are the Logs Saved and Can I Change the Time Zones? ..............................................................................................B-1

How are All Communications Secure? ........................................................B-1

What Kind of Encryption Key Security Exists? ........................................B-2

How is SecureCloud Protected From Man-in-the-Middle Attacks? .......B-2

How do I Manually Modify Credential Information if I Changed the Account Password After Installing the On-Premise Management Server? ..............................................................................................B-2

Why the On-Premise Management Server Installation Will Fail on Windows 2008 Server? ..................................................................B-3

Why Does the Management Server Installation Fail? ...............................B-4

How do I Acquire the Installation Log File for InstallationDebugging? ......................................................................................B-4

How do I Start and Stop a Dependent Service ..........................................B-4

Appendix C: Contact Information and Web-based Resources

Knowledge Base ..............................................................................................C-2

TrendEdge .......................................................................................................C-2

Contacting Technical Support ......................................................................C-2General Contact Information ..................................................................C-3

TrendLabs ........................................................................................................C-4

Appendix D: Basic Troubleshooting Information

Network Configuration and vCloud ...........................................................D-1

v


Log Management ............................................................................................D-2How to Turn on the Debug Log on the Server Side ...........................D-2SSL Configuration and Troubleshooting ...............................................D-2

Appendix E: Managing SecureCloud Using RightScale

Glossary

Index

vi

Preface

Preface

Welcome to the Trend Micro™ SecureCloud™ Administrator’s Guide for the 2.0 release of SecureCloud for Managed Service Providers. This guide provides detailed information about configuring and using SecureCloud. Topics include how to add users, devices, and machine images and how to approve or deny a key request.

This preface describes the following:

• SecureCloud Documentation

• Audience

• Document Conventions

vii


SecureCloud DocumentationIn addition to the Trend Micro™ SecureCloud Administrator’s Guide, the documentation set includes the following:

• Quick Reference Guide—Provides overview information in a manner that allows for quick and easy access.

• Online Help—Provides “how to” information for the main product tasks, usage advice, and field-specific information such as valid parameter ranges and optimal values.

Online Help is accessible from the SecureCloud Central Management Console.

• Readme file—Provides late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, installation tips, known issues and, release history.

The latest versions of the Administrator’s Guide, Quick Reference Guide, and readme file are available in electronic form at:

http://www.trendmicro.com/download/

AudienceThe SecureCloud documentation is written for IT managers and administrators working in a medium or large enterprise environment. This guide was created based on the assumption that you have in-depth knowledge of networks schemas, including details related to the following:

• Amazon EC2

• Eucalyptus

• VMware vCloud

• vSphere

• Linux

• CentOS

• Red Hat Enterprise Linux (RHEL)

• Ubuntu

• Microsoft Windows Server

viii

Preface

• Hosted services

• Virtual machines

The documentation does not assume the reader has any knowledge of antivirus or malware technology.

Document ConventionsTo help you locate and interpret information easily, the SecureCloud documentation uses the following conventions.

TABLE P-1. Document Conventions

CONVENTION DESCRIPTION

LOCATION:

Example:LOCATION: WEB CONSOLE MAIN

MENU | POLICIES > POLICIES PAGE | ADD POLICY BUTTON > ADD POLICY PAGE

The path to the location where the action is being performed in SecureCloud. This includes screens and/or windows and any buttons and/or links that you need to click.

ALL CAPITALS Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold Menus and menu commands, command buttons, tabs, and options

Italics References to other documentation

Monospace Examples, sample command lines, program code, Web URL, file name, and program output

Note:Configuration notes

Tip: Recommendations

ix


WARNING!Reminders on actions or configurations that should be avoided

TABLE P-1. Document Conventions (Continued)

CONVENTION DESCRIPTION

x

Chapter 1

Introducing SecureCloud

Trend Micro™ SecureCloud provides security for virtualized environments and public and private cloud infrastructures. Data is encrypted on a virtual machine before being written to storage and decrypted when read back. The keys for the encryption are stored off site and delivered when required. A manual or automatic approval process takes place before SecureCloud releases the keys. SecureCloud's unique identity and integrity policy-based key management allows it—with a degree of confidence—to ensure encryption keys are released only into safe cloud environments. This is achieved through numerous rules that help SecureCloud assess the cloud environment’s identity and integrity.

Topics in this chapter include:

• System Requirements

• Features and Benefits

• New Features

• How SecureCloud Works

1-1


System RequirementsUse one of the following browsers to access the SecureCloud Web Console and Central Management Console:

• Microsoft® Internet Explorer 7.0 or 8.0

• Mozilla Firefox 3.x

Note: In order for the browser to work properly with SecureCloud, JavaScript must be enabled.

SecureCloud Management Server RequirementsThe system requirements for SecureCloud involves the operating system running the server and the type of database used by the Management Server.

SecureCloud supports Microsoft Active Directory. Using this feature, you can integrate user accounts with the Web Console and then utilize these domain-based accounts to access the Web Console. If you choose to use Active Directory, then specific operating system requirements are necessary.

Operating Systems Supported:

• Windows Server 2003 R2 SP2 32-bit

• Windows Server 2008 SP2 32-bit

• Windows Server 2008 R2 64-bit

• Windows Server 2003 Active Directory (used for Active Directory)

• Windows Server 2008 Active Directory (used for Active Directory)

Databases Supported:

• Microsoft SQL 2008 Server R2 Express with Advanced Services

• Microsoft SQL 2008 Server R2 Enterprise with Reporting Services

Hardware Requirements:

• CPU: One virtual-core processor

• Memory: 768MB

• Hard disk space: 85MB to install SecureCloud Management Server

1-2


Features and BenefitsThe following are the main features of SecureCloud and their benefits.

Standard Protocols and Advanced Techniques for Securing Information

• Uses industry-standard AES encryption (128, 192 or 256)

• Encrypts and decrypts data in real time, so data at rest and data traversing the cloud infrastructure is always protected

• Applies whole-volume encryption to secure all data, metadata and associated structures without impacting application functionality

Access and Authentication Controls

• Employs role-based management to help ensure proper separation of duties

• Optional Active Directory authentication is supported

Robust Auditing, Reporting and Alerting

• Performs audit logging for all agent, key, policy and user events

• Provides detailed reporting and alerting features for logged events

SecureCloud can issue several types of notifications in response to cloud security events. Administrator notifications are sent via email to the designated administrator contacts. User notifications are presented in the requesting client’s browser. Both administrator and user notifications can be customized.

Policy-driven Key Management

• Utilizes identity- and integrity-based policy enforcement to ensure that only authorized virtual machines receive keys or access secure volumes

• Automates key release and virtual machine authorization for rapid operations or requires manual approval for increased security

• Delivers keys using SSL encrypted internet channels with additional layers of encrypted communication

Active Directory Support

From the SecureCloud Central Management Console, you can integrate user accounts accessing the Management Server Console with the Active Directory directory service and utilize the domain-based accounts to access the Management Server Console.

1-3


System Monitoring

From the Central Management Console, you can set the thresholds for each monitored system attribute on the server:

• Disk size remaining

• Database size

• Database connection

• Encryption state

If one of these fails or reaches a specified threshold, an alert will be generated and either emailed to the administrator or sent to an SNMP server.

Scheduled Reporting

SecureCloud enables you to generate reports reoccurring for a specified span of time. Reports are saved to the Management Server so you can download a previously generated report (either one-time or reoccurring) from the Management Server Console.

Log Maintenance

SecureCloud offers log-maintenance-plan functionality and allow the appropriate account-user roles to delete system logs and manage the log maintenance.

Support for Cloud Service Provider Plug-ins

SecureCloud enables you to write an plug-in for a Cloud Service Provider (CSP) that is not supported "out of the box." The plug-in is a thin, translation layer which communicates with the API of the CSP and presents a uniform interface between CSPs. The CSP-specific implementation will handle all logic specific to the CSP such that the rest of the Runtime Agent is CSP agnostic.

Support for Virtual Machine and Bare Metal Plugins

You can use a bare-metal (native) plugin to encrypt storage devices in a physical, as well as a vSphere environment. Using a native plugin, SecureCloud can support IDE, NFS, SCSI and iSCSI storage devices.

1-4


Trend Micro Single Sign-on Support

Trend Micro Single Sign-On (TMSSO) provides a shared licensee account between the Trend Micro License Management Platform (TMLMP) console and SecureCloud, where the user only needs to sign on once to access both systems. With only one account to manage, there is little risk of duplicate account errors.

Note: Only the licensee user account is replicated to SecureCloud. All other user accounts within an organization are stored and managed locally by SecureCloud. The licensee account is the first user account of an organization that signs up for SecureCloud.

TMSSO is a more secure method of authentication than traditional SSO, which relies on cookies. TMSSO implements Security Assertion Markup Language (SAML), giving it the ability to integrate with other SSO solutions.

SecureCloud provides TMSSO for the SaaS, Hosted SecureCloud for Managed Service Providers, and SecureCloud for Managed Service Providers models. For the SecureCloud for Managed Service Providers model, managed-service providers can integrate SecureCloud into their system and use their own identity management solutions.

Trend Micro License Management Platform Support

SecureCloud works with TMLMP to manage product licensing for tenant customers. A tenant customer can acquire a TMLMP account and register the SecureCloud service by signing up for a user account on TMLMP by completing a trial registration form. The TMLMP user account is assigned the administrator role in the SecureCloud Web Console. The tenant customer is able to accesses the SecureCloud Web Console using TMSSO without the need to logon again.

Simplistic Data Storage Device Provisioning

The SecureCloud Runtime Agent provides the Configuration Tool that enables you to specify your Cloud Service Provider (CSP) or load a new cloud service provider plugin that you have created, and save the configuration file for later use. From the SecureCloud Web Console you can easily provision devices for encryption.

1-5


Deep Security Integration

Deep Security Manager (DSM) is a powerful, centralized web-based management system that allows security administrators to create and manage comprehensive security policies and track threats and preventive actions taken in response to them. DSM integrates with different aspects of the datacenter including: VMware vCenter, Microsoft Active Directory and has a Web services API for integration with SecureCloud.

DSM provides additional integrity checking of your environment, thus ensuring the integrity is safe to access sensitive, encrypted information. Should the environment integrity change based on a bad file being found, SecureCloud can revoke the encryption key, thus protecting the sensitive data.

KMIP Support

The Key Management Interoperability Protocol (KMIP) establishes a single, comprehensive protocol for the communication between key management systems, providing a compatible key management process between systems.

By implementing KMIP, SecureCloud key management is compatible with the other key management solutions allowing administrators to take advantage of their pre-existing key management solutions, while utilizing SecureCloud to validate the identity and integrity of the environment prior to releasing the encryption keys.

FIPS 140-2 Certified

SecureCloud utilizes the new Trend Micro Encryption Module—a FIPS 140-2 certified crypto engine, providing Full Disk Encryption (FDE) to your physical, virtual or cloud environment for SCSI, iSCSI, IDE and NFS storage devices.

IPv6 Support

SecureCloud supports IPv6, an Internet layer protocol for packet-switched internetworking. This protocol provides end-to-end datagram transmission across multiple IP networks.

1-6


New Features

Deep Security Integration

See Features and Benefits on page 1-3.

KMIP Support


FIPS 140-2 Certified


IPv6 Support


Device RAID Support

SecureCloud supports the Redundant Array of Inexpensive Disks (RAID) for the RAID 0 level. With this support, you can have multiple encrypted devices in a RAID, each controlled by a separate encryption key.

Amazon Credential Keys Rotation

In an effort to optimize security, Amazon allows you to create a new pair of credential keys (access key ID and secret access key). While Amazon does not enforce the use of this key pair, it does recommend that you replace your old key pair with a new one every 90 days. In doing so, SecureCloud provides additional security and clearly separates the duties between the Cloud Service Provider (CSP) administrator and your SecureCloud administrator.

RightScale Script Enhancements

The enhanced RightScale scripts give you the ability to separate the Runtime Agent installation and device provisioning operations. These no longer have to be done as one operation. The enhanced RightScale script will also automatically detect the guest operating system for Runtime Agent installation. Devices can be added and removed from your environment by replacing the device list. Only devices on the list will be part of your environment.

1-7


The enhanced RightScale scripts also support credential key rotation for Amazon.

More Guest OS Support

SecureCloud supports certain versions of the CentOS, Ubuntu, SUSE, and Windows Server guest operating systems to implement an extra layer of security. Runtime Agents running on these operating system can employ a crypto engine which encrypts endpoints with coverage that is FIPS 140-2 certified.

Runtime Proxy Server Support

SecureCloud supports the use of a proxy server with the Runtime Agent. The proxy server connection can either be authenticated or unauthenticated. SecureCloud also supports both the HTTP and HTTPS protocols for a proxy server.

How SecureCloud WorksSecureCloud provides a data encryption layer within a virtual machine image to decrypt customer data in real-time after the appropriate credentials have been validated. Likewise, SecureCloud encrypts customer data in real-time when putting the information back into data storage.

When the virtual machine image boots up, it uses the Runtime Agent to provide its credentials to SecureCloud and request an encryption and decryption key along with the appropriate information to connect to data storage. For example, a virtual machine image could provide such integrity information as pattern file version, and location of the instance to SecureCloud during the request. The integrity and credential information helps to ensure that the instance meets the policy criteria set by the administrator in order to run certain applications.

SecureCloud provides and maintains your encryption keys. The virtual machine image does not store encryption or decryption keys. SecureCloud also provides other management capabilities such as reporting and auditing functions.

SecureCloud for Managed Service Providers is installed in a Windows environment. The application consist of three components: Database Server, Application Server, and Web Server. All of these components can be installed on the same computer or each component can be installed on separate computers.

1-8


SecureCloud for Managed Service Providers is an On-Premise product where a Managed Service Provider (MSP) hosts the Database, Application, and Web Servers along with the Runtime Agent. From the hosting environment of the MSP, tenant customers subscribe to SecureCloud. SecureCloud has a multi-tenant environment where multiple organizations can be served.

Tenant accounts for SecureCloud are managed from the Trend Micro License Management Platform (TMLMP) Console and the default ID Provider (IdP) is Trend Micro Single Sign-on (TMSSO). If you choose not to use TMSSO, SecureCloud enables you to use a popular third-party (external) IdP. (The external IdP is configured by the SecureCloud Tenant Setup Tool.)

The MSP sets up and manages SecureCloud using the Central Management Console. This console is where you specify the settings necessary for tenant customers to use the core functions of SecureCloud, which is done through the Web Console. For instance, from the Central Management Console the MSP defines system settings like the database security and authentication. SecureCloud provides clear separation of duties whereby the MSP cannot define the criteria on which instances can receive encryption/decryption keys. Only the tenant customer is able to login to the SecureCloud Web Console to manage their encryption keys. The tenant customer can create a user account for the MSP to login to the SecureCloud Web Console. From within the SecureCloud Management Console, one is able to define policies. For example, criteria can include the location of the application, host name, the latest operating system patch, and/or the latest Trend Micro engine and pattern file. In addition, you can get report and audit information about your account. The tenant customers have no access to the Central Management Console.

1-9


FIGURE 1-1. How SecureCloud for Managed Service Providers functions

SecureCloud Interaction with the vCloud APIThe vCloud API is used by SecureCloud to determine the identity of a machine image in the vCloud environment. The Configuration Tool uses the vCloud API to learn what data storage devices in the vCloud environment are available for encryption.

The SecureCloud Runtime Agent uses the vCloud API to learn the identity and integrity of the vCloud machine image. This information is retrieved from the vCloud API and sent to the Management Server where the user can either grant or deny an encryption key to the requesting machine image, based on the identity and integrity credentials of the vCloud machine image.

1-10


FIGURE 1-2. How SecureCloud functions in the vCloud Environment

1-11


Basic Components of SecureCloud

Runtime Agent

The SecureCloud Runtime Agent is a component used by a tenant customer. It is the software module that is installed with their virtual machine image in their cloud service provider’s environment. The SecureCloud Runtime Agent provides integrity check functionality such as IP address and location, in addition to information from other Trend Micro products installed on the virtual machine image. The Runtime Agent is also responsible for mounting a configured data storage device. Finally, the Runtime Agent uses AES as the encryption and decryption standard.

Configuration Tool

The Configuration Tool is a component used by the tenant customer. It is part of the SecureCloud Runtime Agent. After product installation, the tenant customer can launch the Configuration Tool from the installation wizard. If the tenant customer declines to run the Configuration Tool at that time, they can launch it later.

The Configuration Tool configures the following:

• Cloud service provider and cloud service provider plugin

• Cloud service provider’s credentials (includes the rotation of credential keys for Amazon environment)

• SecureCloud account ID

• Web Service API URL

• Device information for the running machine instance

• Device encryption

The tenant customer can also achieve the Configuration Tool functions listed above by using the optional SecureCloud RightScripts for RightScale. See Appendix E, Managing SecureCloud Using RightScale and your RightScale documentation for complete details.

Management Server (Database Server, Application Server, Web Server)

The Management Server hosts the key approval process, log collection and reporting. The Management Server allows for multiple users, having varying user roles (see User Roles on page 2-5).

1-12


Trend Micro License Management Platform

This management application works with SecureCloud to complete product licensing and establish TMSSO.

Using the SecureCloud Central Management ConsoleAfter product install, you have the option to go directly in the Central Management Console and specify SecureCloud settings. Before you can use the product, you must specify certain settings and activate the software license. This process registers the SecureCloud On-Premise product. See Setting Up for Tenant Usage and Registering the Product on page A-10.

To access the Central Management Console, choose Start Menu > Trend Micro SecureCloud > Central Management Console.

The Central Management Console consists of a main menu with a viewing area to the right of this menu. The main menu items are described Table 1-2 along with any associated sub-menu items.

TABLE 1-2. Menu items in the Central Management Console

MENU ITEM DESCRIPTION USAGE

Administration

User Management Use to add new users, all of which have the System Administrator role.

• See Adding a New User to the Central Management Console on page 2-3

• See User Roles on page 2-5

DB Encryption Key Use to backup and restore the database encryption key which is used to secure informa-tion in the SecureCloud database.

See Backing Up a Database Encryption Key on page 2-6

1-13


LogsSecureCloud logs all the system events from the Management Server as part of the audit trail. And since the Central Management Console employs the Management Server to do notifications, licensing, and user management, SecureCloud also logs these events as part of the audit trail.

SecureCloud enables you to query logs based on the following configurable information:

• Date range

• Log event types

Notifications This menu item gives you access to the System Monitoring and Settings tabs. Use the System Monitoring tab to create a system event notifica-tion. Use the Settings tab to specify the SMTP (email) and SNMP (sys-tem monitoring) settings.

• See Specifying SNMP and SMTP Settings on page 2-8

• See Adding Central Management Console Notifications on page 2-9

Proxy Settings Use to specify proxy server settings if required by your corporate IT pol-icy for the SecureCloud Management Server to access the Internet (for tasks such as product registration).

See Specifying Proxy Server Settings on page 2-13

Change Password Use to change the cur-rent user's password, necessary to access the Central Management Console.

See Changing the Log In Pass-word on page 2-7

TABLE 1-2. Menu items in the Central Management Console (Continued)

MENU ITEM DESCRIPTION USAGE

1-14


As part of the audit trail, SecureCloud logs system events from the Management Server, events sent to the Management Server from the Runtime Agent, and events triggered in the Management Server by the Central Management Console.

System events from the Management Server:

• Date and time of the Management Server start-up

• Date and time of the Management Server shutdown

• Date and time of account creation

• Record of machine image group creation, removal, modification

• Record of successful user account login

• Record of failed user account login attempts

• User activity in the Management Server Web Console (date, time, and user)

• Policy creation/deletion/edits.

• Key actions (approval [Manual/auto]/deny/pending)

• Report actions (generate/configuration/deletion)

• Agent actions (register/delete instance)

• Device actions (register/delete/clone)

• System settings changed

System events sent to the Management Server from the Runtime Agent:

• Agent ID, volume ID, date & time of device key request and resulting action.

• Agent ID, date & time of Agent image boot-up and shutdown

• Date & time of virtual image's boot-up and shutdown

System events triggered in the Management Server by the Central Management Console:

• Notifications

• Licensing

• User management

Archived logs are stored in the CSV format.

1-15


Summary of OperationsThe following are the basic steps necessary to launch the SecureCloud Central Management Console.

Step 1. Install the SecureCloud Database, Application, and Web Servers.

For a typical installation, all three SecureCloud components are installed at the same time and on the same computer. For a custom installation, you install each component on a separate computer by running the Installation Wizard on each individual computer.

See Installing SecureCloud on page A-3.

Step 2. Setup your on-premise deployment for tenant usage.

Before you can logon and configure the SecureCloud Management Server, the tenant setup procedure needs to be done first in order to establish communication between SecureCloud and the Trend Micro License Management Platform (TMLMP). This procedure can be processed using the Tenant Setup Tool.

See Setting Up for Tenant Usage and Registering the Product on page A-10.

Step 3. Register your SecureCloud product with Trend Micro.

Product registration is done at log on. As an MSP, you are able to register multiple accounts on behalf of your tenant customers at this time.


1-16

Chapter 2

Administration

Topics in this chapter include the following:

• Adding a New User to the Central Management Console

• Changing Central Management Console User Information

• Deleting a Central Management Console User

• User Roles

• Database Encryption Key Management

• Central Management Console Notifications

• Specifying Proxy Server Settings

• Product License

Account Management for SecureCloud for Managed Service Providers

Tenant accounts for SecureCloud are managed from the Trend Micro License Management Platform (TMLMP) Console and the default ID Provider (IdP) is TMSSO. If you choose not to use TMSSO, SecureCloud enables you to use a popular third-party (external) IdP. (The external IdP is configured by the SecureCloud Tenant Setup Tool.) You can only configure one external IdP. Once you configure an external IdP, the Log

2-1


On page gives you the option to choose your configured IdP. If you choose not to use an external IdP, then the Log On page will only have the options for your SecureCloud password and TMSSO.

This section describes the following:

• Adding an Account on page 2-2

• Changing an Account on page 2-2

Adding an AccountTo add a new account to SecureCloud, create a tenant account from the TMLMP Console. Or the tenant can access the trial registration form the TMLMP Console and complete and submit this form. In either case, the TMLMP system creates and processes the tenant accounts. Finally, the TMLMP system replicates the tenant accounts to SecureCloud using internal API calls. The tenant accounts are TMSSO-based and are now listed in the Accounts page of the application. Being TMSSO-based, tenant users can sign in to SecureCloud and the TMLMP system.

Note: If you choose to use an ID Provider other than TMSSO, SecureCloud must determine whether the IdP is trustworthy. This process is based on certificates and is done when the user account logs into SecureCloud using TMSSO. At this time, TMSSO authenticates the logon request based on the certificate.

Procedure:

• See the TMLMP user documentation for complete details.

Changing an AccountThe MSP can change the tenant customer profile and license characters. The MSP can also change encryption key units, license expiration date, auto-renewal function, and expiration notification days.

Procedure:


2-2

Administration

Enabling and Disabling AccountsWhen a tenant account is disabled, the service for this customer is removed. The tenant customer also cannot login to TMLMP.

Note: You cannot delete a tenant account.

Procedure:


Managing Users in the Central Management Console

From the Central Management Console, the System Administrator can add another System Administrator. A System Administrator can create group accounts and assign Account Administrators to these accounts.

This section describes the following:

• Adding a New User to the Central Management Console on page 2-3

• Changing Central Management Console User Information on page 2-4

• Deleting a Central Management Console User on page 2-4

Adding a New User to the Central Management ConsoleThe System Administrator can only add another person as a System Administrator to the Central Management Console. The System Administrator can also create a group account and then assign an Account Administrator to manage the account. The Account Administrator can later add users to the group account from Web Console.

Procedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > USER MAN-AGEMENT> USER MANAGEMENT PAGE

1. Click Add User.

2. From the "Authentication Method" area, complete all the required fields.

2-3


Since the System Administrator is the only role that can operate the Central Management Console, there are no roles for you to choose. See User Roles on page 2-5 for a description of the System Administrator role.

3. Click Save.

The new user appears in the "Account Management" page.

Changing Central Management Console User InformationPrerequisite:

Create a Central Management Console user (see Adding a New User to the Central Management Console on page 2-3).

Procedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > ACCOUNT MANAGEMENT > ACCOUNT MANAGEMENT PAGE

1. Click the link of the desired user.

2. From the "Authentication Method" area, change the desired field(s).

Since the System Administrator is the only role that can operate the Central Management Console, there are no roles for you to choose. See User Roles on page 2-5 for a description of the System Administrator role.

3. Click Save.

The updated user appears in the "Account Management" page.

Deleting a Central Management Console UserSecureCloud enables you to remove a user you no long want accessing the Central Management Console and adding users to the Web Console.

Procedure:

LOCATION CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > USER MAN-AGEMENT > ACCOUNT MANAGEMENT PAGE

1. Click the check box of the desired user(s) to delete.

2. Click Delete.

2-4

Administration

User Roles

About User RolesThe assigned user role determines the level of funtionality a user has in SecureCloud.

User roles are used both in the Central Management Console and the Web Console. Since the Central Management Console is used to manage all the accounts within your enterprise, the System Administrator role—which offers unlimited functionality, is the only role offered in this console. The System Administrator can create a group account, and then assign an Account Administrator to the group account.

Note: The first user role created for a specific account is the user role that is replicated with the License Management Platform.

Database Encryption Key ManagementThe database encryption key encrypts the database where the device encryption key is stored. The database encryption key is initialized at the installation of the first instance of the Management Server. Once you specify a passphrase or accept a generated passphrase for the database encryption key, key back up is possible.

The passphrase is needed to import the backed up data encryption key. You would need to import the data encryption key backup in order to restore a corrupt database encryption key. You would also need to import the data encryption key backup to give any additional Management Servers access to the device encryption key database.

2-5


Backing Up a Database Encryption KeyProcedure:

LOCATION CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > DB ENCRYP-TION KEY > ENCRYPTION KEYS

1. In the "Database Encryption Key" area, specify the passphrase information.

If you choose the Automatically assign me a passphrase for backup file option, SecureCloud will display the passphrase in the Database Encryption Key page once you click Backup.

It is important to record the generated passphrase or the one you create and keep it in a safe place. If you forget your database encryption key password, you will not be able to import the database encryption key.

2. Click Backup.

The database encryption key data is located in a text file.

Importing an Encryption KeyIf the database encryption key becomes corrupt and you enabled the Send message if encryption state has any error notification, then you will receive an email notification regarding this situation (see Adding Central Management Console Notifications on page 2-9).

If you did not enable the Send message if encryption state has any error notification, then you will learn of the corrupt database encryption key in the Database Encryption Key page or the generated reports and logs pages in the Web Console. The Runtime Agent would also be unable to communicate with the Management Server.

Procedure:

LOCATION CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > DB ENCRYP-TION KEY > ENCRYPTION KEYS

1. In the "General Information" area, locate the database encryption key backup and then specify the passphrase for the key.

2. Click Import.

2-6

Administration

Managing Profile InformationThe account manager has the ability to specify the corporate time zone and the format for this time. This time in the format specified will be used by all other account members when generating reports and notifications, no matter what time zone in which they are working.

The Password option is for all account users. Using this option, you can change your login password.

Changing the Log In PasswordSecureCloud enables you to change your log-in password. The Web Console password was originally set during product registration.

The Central Management Console password was originally set during product installation. See Setting Up for Tenant Usage and Registering the Product on page A-10.

SecureCloud also enables you to change your Central Management Console log-in password. Since the user interface in the Central Management Console for changing your password is the same as in the Web Console, the two procedures are the same.

Procedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > CHANGE PASS-WORD > CHANGE PASSWORD PAGE

1. Specify the current password and the new password in the appropriate fields.

The password must be 8 to 32 characters, containing at least one of the following:

• Upper case character

• Lower case character

• Numeral

• Special character (~!@#$%^&*()_+)

2. Re-specify the new password in the Confirm new password field.

3. Click Save.

2-7


Central Management Console NotificationsSecureCloud can issue Central Management Console-based notifications for the following system attributes:

• Server disk space status

• Database size

• Database connection status

• Data storage device encryption status

SecureCloud can issue a notification when SecureCloud successfully provisions a data storage device or if the provisioning fails.

SecureCloud uses SNMP to monitor the system attributes and SMTP to issue email notifications.

Specifying SNMP and SMTP SettingsThe SNMP (system-attribute monitoring) and SMTP (email) protocol settings must be set before SecureCloud can issue Central Management Console-based notifications.

Procedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > NOTIFICATIONS > NOTIFICATIONS PAGE | SETTINGS TAB

1. In the "Simple Mail Transfer Protocol (SMTP) Settings" area, specify all the necessary information for your SMTP server.

The SMTP Server field, Port field, and Email sender address field are required.

If the SMTP server requires authentication, then specify a username and password.

For the SMTP Server field, specify either a hostname or IP address.

2. In the "Simple Network Management Protocol (SNMP) Settings" area, specify your SNMP information.

Select the Enable SNMP check box to receive real-time, consolidated SecureCloud alerts through your network management server.

Deselecting the Enable SNMP check box does not delete any information you may have typed in the SNMP server and Community fields.

The SNMP server field is required to be specified as an IP address.

2-8

Administration

Type in the Community field the group to which the devices and management stations running SNMP belong. The SNMP Community string functions like a password for network elements. This information is needed by SecureCloud to send system monitoring information. A SNMP device or agent may belong to more than one SNMP community. The device or agent will only respond to requests from management stations that belong to its same community. Write = private and Read = public are the SNMP default communities.

3. Click Save.

Adding Central Management Console NotificationsPrerequisite:

The SNMP and SMTP protocols must be set (see Specifying SNMP and SMTP Settings on page 2-8).

Procedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > NOTIFICATIONS > NOTIFICATIONS PAGE | SYSTEM MONITORING TAB

1. Click Add Notification.

2. In the "General Information" area, specify a group name and description.

3. The Name field is required.

4. In the "Email Message" area, specify the email address of the individual or individuals who are to receive the email notifications.

Use a semicolon (;) to separate multiple email addresses.

5. In the "Body Section" area, specify the email subject, header, contents, and footer.

In the "Content" section, specify the condition(s) to which you want to be notified.

If you are not satisfied with the default message for a notification event, type a new message in the text box.

To use a variable in the message, place the cursor in the desired position in the text, click Insert Variable, and then choose the appropriate variable.

Select the Include SNMP Alert check box to receive real-time, consolidated SecureCloud alerts through your network management server

6. In the "Notification Frequency" area, specify how often you want to send email notifications.

2-9


A consolidated notification is an email that contains all the issued notifications.

7. Click Save.

The new notification appears in the Notifications page.

Changing an Existing Central Management Console Notification

Procedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > NOTIFICATIONS > NOTIFICATIONS PAGE

1. From the "System Monitoring" tab, click the desired notification in the "Name" column.

2. In the "Notification Settings" page, make the appropriate changes and then click Save.

See Adding Central Management Console Notifications on page 2-9 starting with Step 2.

Deleting a Central Management Console NotificationProcedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > NOTIFICATIONS > NOTIFICATIONS PAGE

1. From the "System Monitoring" tab, click the check box(s) of the notification(s) you want to delete.

2. Click Delete.

Authentication Methods in SecureCloudSecureCloud enables to you to log on to the system using of the following means:

• Local (SecureCloud password)

• Trend Micro Single Sign-On (TMSSO)

• ID Provider (IdP)

2-10

Administration

Using Local AuthenticationThe SecureCloud log on password is the default method for logging on to SecureCloud. The password is establish at product registration (see Changing the Log In Password on page 2-7).

Using TMSSOTrend Micro Single Sign-On (TMSSO) provides a shared licensee account between TMLMP and SecureCloud, where the user only needs to sign on once to access both systems. With only one account to manage, there is little risk of duplicate account errors. Moreover, SecureCloud provides the ability to synchronize account information with TMLMP.

For complete details on setting up a TMLMP account, see your TMLMP documentation.

Using an ID ProviderThis is the authentication method provided by the Managed Service Provider. This method requires you to establish a connection with the Security Assertion Markup Language (SAML) IdP.

Procedure:

1. Use the IdP information below.

This includes the Single Sign-on service URL, Single Log-out service URL, and certificate (.crt). Below is an example from SimpleSAMLPhp.

$metadata['https://saml-idp.securecloud2.local'] = array (

'metadata-set' => 'saml20-idp-remote',

'entityid' => 'https://saml-idp.securecloud2.local',

'SingleSignOnService' => 'https://saml-idp.securecloud2.local/saml2/idp/SSOService.php',

'SingleLogoutService' => 'https://saml-idp.securecloud2.local/saml2/idp/SingleLogoutService.php',

2-11


2. Make sure you have the SecureCloud certificate (.crt) and private key (.pfx).

3. Add SAML SSO IdP.

tenantsetup.exe addidp -t Mkh3t

Mkh3t is an example of a Tenant ID.

Note: Tenantsetup.exe must be executed by the service user account that you use to install SecureCloud server.

4. Complete all necessary IdP information.

The Tenant Setup Tool outputs the SecureCloud Entity ID, Single Sign-on service URL, and Single Log-out service URL.

5. Add a trusted service provider in the external IdP.

Use the results from the Tenant Setup Tool. This method is IdP-dependent.

SP Entity ID : https://opwin2k8x86/MWWW?TenantID=Mkh3t

SP SSO URL : https://opwin2k8x86/Signin.mvc/SSO/Mkh3t

SP SLO URL : https://opwin2k8x86/Signin.mvc/SLO/Mkh3t

For example, below are simpleSAMLphp settings. Use the format as the following:

$metadata['https://opwin2k8x86/MWWW?TenantID=Mkh3t'] = array(

'AssertionConsumerService' => 'https://opwin2k8x86/Signin.mvc/SSO/Mkh3t',

'SingleLogoutService' => 'https://opwin2k8x86/Signin.mvc/SLO/Mkh3t',

'redirect.validate' => TRUE,

'certificate' => 'saml.crt',

'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:email',

'simplesaml.nameidattribute' => 'email',

//'simplesaml.attributes' => FALSE,

);

2-12

Administration

You will see the additional SP on the list in SAML IdP.

6. Check the correct IdP status using the Tenant Setup Tool.

tenantsetup swidp

Specifying Proxy Server SettingsIf your corporate IT policy requires you to use a proxy server to access the Internet, then you will have to set your proxy settings in SecureCloud in order to register the product.

Procedure:

LOCATION: CENTRAL MANAGEMENT CONSOLE MAIN MENU | ADMINISTRATION > PROXY SET-TINGS > PROXY SETTINGS PAGE

1. In the "Proxy Information" area, specify all the necessary information for your proxy server.

Select the Enable Proxy check box to implement the proxy settings for the proxy server.

Deselecting the Enable Proxy check box does not delete any information you typed in "Proxy Information" area.

Specify the username and password needed to access the proxy server.

2. Click Save.

Product License A license comes with an activation code that you use to activate the SecureCloud product. A license grants permission to a certain amount of keys used to encrypt and decrypt a data storage device.

SecureCloud warns you when the number of concurrent keys is approaching the maximum number of licensed keys.

The Trend Micro License Management Platform (TMLMP) automatically adds the activation code to your account.

2-13


Once you activate your account within TMLMP, the system adds the SecureCloud activation code to your account. Upon entering SecureCloud, the application automatically accepts the activation code from your account. No action is required from you. See the TMLMP documentation for complete details.

Product License Activation CodeThe activation code is necessary for the following scenarios:

• Renewing or updating your license with more or less seats

• Updating your license from a trial license

This is automated and managed by TMLMP.

2-14

Appendix A

Installing and Uninstalling SecureCloud for an On-Premise Deployment

Note: This appendix is only for Managed Service Providers (MSP’s) with on-premise installations. If Trend Micro is hosting your Management Sever, then this appendix does not apply to you.

The SecureCloud for Managed Service Providers is installed in a Windows environment. The application consists of three components: Database Server, Application Server, and Web Server. All these components can be installed on the same computer or each component can be installed on separate computers.

Using the Tenant Setup Tool, the MSP needs to register all tenant customers in the Trend Micro License Management Platform (TMLMP) and in the SecureCloud product. Once the API communication channel between TMLMP and SecureCloud has been established, the tenant customers created by the MSP are automatically synchronized.

A-1


Installation SummaryThe following are the basic steps required to install SecureCloud for Managed Service Providers:

Step 1. Determine if you want to do a typical or custom installation

All three components of SecureCloud have to be installed the same way—using either the typical or custom method. In a typical installation, you install all three components on the same computer at the same time. For a custom installation, you install each component on a separate computer by running the Installation Wizard on each individual computer.

Step 2. Creating a User with Minimal Rights

See Creating a User with Minimal Rights on page A-3.

Step 3. Perform the installation

Perform either a typical or custom installation.

• Perform a typical installation

See Performing a Typical Installation on page A-5.

• Perform a custom installation

See Performing a Custom Installation on page A-6.

a. Install the Database Server.

See Installing the Database Server on page A-6.

b. Install the Application Server.

See Installing the Application Server on page A-7.

c. Install the Web Server.

See Installing the Web Server on page A-9.

Step 4. Register SecureCloud for Managed Service Providers


A-2


Creating a User with Minimal RightsThe user credentials specified in the Installation Wizard are used to run the SecureCloud Management Server. For best practice, Trend Micro recommends that you create a dedicated service user with the minimal, necessary rights to increase the security of the deployed application.

Note: For the first three steps in the procedure, refer to the Microsoft SQL Server Reporting Service Report Manager documentation.

Procedure:

1. Create a new user (either local or domain-based, depending on your environment).

2. Create a secure password.

Disable password expiration, the ability to change the password, and optionally (for domain accounts) deny terminal service logon.

3. Using the Microsoft SQL Server Reporting Service Report Manager, configure the browser role and publisher role for the new user.

The publisher role is only required during installation. After installation, you can remove this role from the new user.

4. Continue with the product installation.

• For a typical installation, see Performing a Typical Installation on page A-5.

• For a custom installation, see Performing a Custom Installation on page A-6.

5. When prompted during the product installation, enter this user’s credentials.

Note: The product installation assigns the necessary rights to the user created in order for SecureCloud to function correctly. These rights include the following:- Add user to IIS_IUSRS- Add user to "log on as a service"

Installing SecureCloudPrerequisites:

The following prerequisites apply to either a typical or custom installation.

A-3


• It is recommended that you create a user with minimal rights (see Creating a User with Minimal Rights starting on page A-3)

• Add as role assignment in the SQL Server Reporting Service Report Manager

For a remote connection, a domain account must be setup as SecureCloud services account.

• Install the Microsoft .NET Framework 3.5 SP1

Windows installer 4.5 is required.

• Install the Internet Information Server (IIS) 6 or 7

If you are running on Windows 2008 Server, install the IIS 6 Metabase compatibility and WCF Activation features of IIS.

• Enable Microsoft ASP.NET 2.0 within the IIS Extensions

• Ensure the host name by which the Management Server is intended to be published can be resolved correctly.

• SQL Server 2008

Launching the Installation WizardThe Installation Wizard is used for both the typical and custom installation of SecureCloud. User this procedure to start the installation process.

Procedure:

1. Download the MSI file from the Trend Micro Download Center.http://downloadcenter.trendmicro.com/

2. Double click the MSI file to launch the Installation Wizard.

3. Click Next in the "Welcome" screen.

4. Read the license agreement and then accept it if you agree to the terms.

Proceed to either Performing a Typical Installation on page A-5 or Performing a Custom Installation on page A-6.

A-4


Performing a Typical InstallationIn a typical installation, you install the Database Server, Application Server, and Web Server on the same computer at the same time. The websites and Web services are created under <SystemDrive>\Inetpub\SecureCloud Management Server by default. Other files are created in <ProgramFilesFolder>\Trend Micro\SecureCloud Management Server by default.

Procedure:

1. Launch the Installation Wizard.

See Launching the Installation Wizard on page A-4.

2. From the "Choose Setup Type" screen, click Typical.

Click Custom to install the Database Server, Application Server, and Web Server on different computers (see Performing a Custom Installation starting on page A-6).

3. From the "Website Configurations" screen, specify the information for the SecureCloud consoles and Web service and then click Next.

The first four fields apply to the Web Console, Central Management Console, and Web Service.

Note: In order to secure the Web Service and Web Console connections, SecureCloud requires an HTTPS connection. The certificate trust must be able to be verified by the Runtime Agent and Configuration Tool.

4. Complete the fields in the "Service Account" screen and then click Next.

5. Complete the fields in the "Database Configuration" screen and then click Next.

Select the Use Windows Authentication to connect database in Application Server check box if you are using a Windows authentication and not the default SQL authentication.

Using the Initialize key encryption for DB and backup key to file option, you can specify a file path (for example, C:\dbkey.key) to store the database encryption key. The key is initialized during installation.

Specify a passphrase to encrypt the database encryption key.

A-5


Note: The SecureCloud services and websites run in the context of the credentials supplied. These credentials must also have browse and publish permissions to the SQL Server Reporting Services Web service in order to generate and manage SecureCloud reports.

6. Specify the Report Server Web Services URL in the "Reporting Configuration" screen and then click Next.

7. Specify in the "System Administration Configuration" screen the account information needed to login to the Central Management Console and then click Next.

8. Click Install in the next installation screen.

In order to receive system alerts in SecureCloud, you need to configure your SMTP server.


9. Install the public CA certificate for the Runtime Agent.

10. It is recommend that you now back up the database encryption key.

See Backing Up a Database Encryption Key starting on page 2-6.

Performing a Custom InstallationTo perform a custom installation, install the Database Server first, followed by the Application Server, and finally the Web Server.

Installing the Database ServerBefore installing the Application Server and Web Server, you must install and setup the Database Server. SecureCloud uses this database to store encryption keys and other sensitive information. This database must be a SQL Server 2008 instance available to the Management Server through the network (see SecureCloud Management Server Requirements on page 1-2).

SecureCloud for Managed Service Providers provides a one-time database encryption initialization at product installation.

A-6


Note: Unless specified in the Installation Wizard, the DB user name field expects a SQL Server local user, not a Windows user. However, Windows authentication is still supported.

Procedure:

1. From the desired computer, launch the Installation Wizard.


2. From the "Choose Setup Type" screen, click Custom.

3. Complete the fields in the "Database Configuration" screen and then click Next.

In the "Database Configuration" screen, the Installation Wizard asks whether to create a new SQL Local User (SQL Authentication) or to add a Windows User (Windows Authentication) to the newly created SecureCloud Database. If you use SQL Authentication, we recommend the tenant customer stores the new user name and password somewhere because this information is required during the Web Server and Application Server installation.


5. Click Finish in the final installation screen.

Continue with the "Custom Installation" for Installing the Application Server on page A-7.

Installing the Application Server1. From the desired computer, launch the Installation Wizard.



3. From the Custom Setup screen, choose Application Server.

An "X" next to a SecureCloud component indicates that this component is not selected.

4. From the "Website Configurations" screen, specify the information for the SecureCloud Central Management Console and then click Next.

A-7


Note: In order to secure the traffic between the Management Server and browser, SecureCloud requires an HTTPS connection.

5. From the "Web Service Configurations" screen, specify the information for the SecureCloud Web service and then click Next.

Note: In order to secure the Web Service and Web Console connections, SecureCloud requires an HTTPS connection.

6. From the "Service Account" screen, complete the fields and then click Next.

If you created a user with minimum rights, the information you specify here is for that user (see Creating a User with Minimal Rights on page A-3).

7. From the "Database Configuration" screen, specify the necessary information and then click Next.

Completing this screen is necessary in order for the Application Server to communicate with the Database Server.

Select the Use Windows Authentication to connect database in Application Server check box if you are using a Windows authentication and not the default SQL authentication.

Using the Initialize key encryption for DB and backup key to file option, you can specify a file path (for example, C:\dbkey.key) to store the database encryption key. The key is initialized during installation.

Specify a passphrase to encrypt the database encryption key.

8. From the "Reporting Configuration" screen, specify the Report Server Web Services URL then click Next.

9. From the "System Administration Configuration" screen, specify the information needed to login to the Central Management Console and Web Console, then click Next.

Note: The SecureCloud services and websites run in the context of the credentials supplied. These credentials must also have browse and publish permissions to the SQL Server Reporting Services (SSRS) Web service in order to generate and manage SecureCloud reports.

A-8


10. Click Finish in the next installation screen.

In order to receive system alerts in SecureCloud, you need to configure your SMTP server.


Installing the Web Server1. From the desired computer, launch the Installation Wizard.



3. From the "Custom Setup" screen, choose Web Server.

An "X" next to a SecureCloud component indicates that this component is not selected.

4. From the "Website Configurations" screen, specify the information for the SecureCloud Web Console and then click Next.

Note: In order to secure the traffic between the Management Server and browser, SecureCloud requires an HTTPS connection.

5. From the "Web Service Configurations" screen, specify the information for the SecureCloud Web service and then click Next.

Note: In order to secure the Web Service and Web Console connections, SecureCloud requires an HTTPS connection. The certificate trust must be able to be verified by the Runtime Agent and Configuration Tool.

6. From the "Application Server Configuration" screen, specify the application and Web Server port.

The Web Service port is used for the Web Server to connect to the Web Services. The service port is mandatory in this installation screen. If it is a HTTPS port, select the Use HTTPS check box; otherwise, leave the check box unchecked indicating the HTTP protocol is used.

7. From the "Service Account" screen, complete the fields and then click Next.

A-9


8. From the "Database Configuration" screen, specify all the necessary information and then click Next.

Completing this screen is necessary in order for the Web Server to communicate with the Database Server.

Usually the key initialization will be done in Application Server installation. After that, the key will be backed up to a database key file (for example: C:\dbkey.key). In the Web Server installation, the Use an existing key option should be used. (This is the recommended installation sequence.)

Note: The SecureCloud services and websites run in the context of the credentials supplied. These credentials must also have browse permissions to the SQL Server Reporting Services Web service in order to generate and manage SecureCloud reports.


10. It is recommended that you now back up the database encryption key.

See Backing Up a Database Encryption Key starting on page 2-6.

Setting Up for Tenant Usage and Registering the Product

Before you can logon to the Central Management Console to configure the SecureCloud Management Server, the tenant setup procedure needs to be done first in order to establish communication between SecureCloud and the Trend Micro License Management Platform (TMLMP). This procedure can be processed using the Tenant Setup Tool which is installed at C:\<Default SecureCloud Program installed path>\TenantSetup\

Use the Tenant Setup Tool to generate the corresponding configuration information of the SecureCloud kit. This kit must be given to the TMLMP team to exchange their TMLMP kit, in order to be used for completing the following procedure.

Procedure:

1. Execute cmd.exe using Run as the user.

2. Change a directory to the Tenant Setup Tool Directory.

A-10


3. Execute TenantSetup.exe ShowSCKitInfo.

4. Collect the output information (SecureCloud service URL, Profile Sync URL, License Sync URL,TMSSO SP Entity ID,TMSSO SP SSO URL and TMSSO SP SLO URL) as SecureCloud kit.

5. Exchange SecureCloud kit with TMLMP kit.

When you get the TMLMP kit, go back to SecureCloud Server and complete the tenant setup procedure. The information that you specify below comes from the TMLMP kit.

Procedure:

1. Execute cmd.exe using Run as the user.

2. Change directory to the Tenant Setup Tool Directory.

3. Execute TenantSetup.exe CreateTenant.

4. Enter the Tenant ID.

5. Enter the Tenant name.

6. Enter the Tenant description.

7. Enter TMSSO IdP certification file (.crt).

8. Single Sign-on (TMSSO) from TMSSO SP key pair.

9. Enter SecureCloud private key file (.pfx) for Trend Micro Single Sign-on (TMSSO) from TMSSO SP key pair.

10. Enter the corresponding passphrase for the private key file you specified in step 7.

11. Enter the Single Sign-on and SLO URL for TMSSO IdP.

12. Enter the TMLMP service name.

13. Enter SecureCloud certification file (.crt) for TMLMP from TMSSO SP key pair.

14. Enter SecureCloud private key file (.pfx) for TMLMP from TMSSO SP key pair.

15. Enter the corresponding passphrase for the private key file that you specified in step 12.

16. Notify TMLMP operation team to complete the setup at both sides.

See Specifying SNMP and SMTP Settings on page 2-8.

To specify your Internet proxy information, see Specifying Proxy Server Settings on page 2-13.

A-11


Uninstalling SecureCloudFor a custom installation, this uninstallation procedure should be launched on each server where a SecureCloud component has been installed. Therefore, if you installed on three servers, you have to run the uninstallation application on each of these servers in order to remove all the SecureCloud components.

For a typical installation, it is only necessary to run the uninstallation once on the server where all the SecureCloud components are installed.

Procedure:

• Choose Start menu > Trend Micro SecureCloud Agent > Uninstall.

You can also choose to uninstall the SecureCloud Servers from the system Control Panel using "Add or Remove Programs".

Note: The SecureCloud database is not removed when the SecureCloud Management Server is uninstalled from the system.

A-12

Appendix B

Frequently Asked Questions

This appendix describes questions that may arise when using SecureCloud.

What Hypervisors are Supported?SecureCloud is designed to be used within cloud environments. Integrating at the operating system level, it is not aware of the hypervisor. Therefore, as long as SecureCloud supports the cloud provider API and operating system it will work with any underlying hypervisor the cloud service provider is using.

In Which Time Zones are the Logs Saved and Can I Change the Time Zones?

SecureCloud saves the logs in the UTC time zone. It is not possible to change the time zone preference.

How are All Communications Secure?In addition to HTTPS, SecureCloud employs AES 256 encryption for all internal communication protocols.

B-1


What Kind of Encryption Key Security Exists?The encryption keys used to encrypt the volumes in the cloud are stored within an encrypted database. The encryption key for the database is securely stored off site. Controls and measures have been put in place to ensure the encryption keys are secure and protected; however in the event an encryption key and, or SecureCloud Runtime Agent is suspected to be compromised; customers can migrate data from the original volume to a newly encrypted volume using a different encryption key.

How is SecureCloud Protected From Man-in-the-Middle Attacks?

All transmissions of information are encrypted using AES 256 and takes place over SSL to provide an additional layer of protection.

How do I Manually Modify Credential Information if I Changed the Account Password After Installing the On-Premise Management Server?

If, after installing the Management Server, you change the account password for the service account, you will need to manually modify the credential information for the SecureCloud services so they can continue to run.

Procedure:

1. Configure the Service identity

a. From the start menu, select run and enter services.msc to launch the services control panel applet.

b. Locate SecureCloud Service in the service list.

c. Right click on SecureCloud Service and select Context menu > Properties.

d. Click the "Log On" tab.

e. In the Password and Confirm password fields, enter the new account password and then click OK.

B-2

Frequently Asked Questions

2. Configure the Application Pool identity.

a. From the Start menu, select Administrative Tools > Internet Information Services (IIS) Manager.

b. Expand the computer name and application pools branches in the left hand tree menu

c. For each of the application pools listed, repeat the following steps:

• SecureCloud API_Agent

• SecureCloud API_Broker

• SecureCloud API_Provisioning

• SecureCloud Console_AppPool

• SecureCloud Central Management Console_AppPool

i. Right click on the application pool name and select Context menu > Properties.

ii. Click the "Identity" tab.

iii. In the Password field, enter the new password and click OK.

iv. Confirm the password when prompted.

Additionally, you may need to restore your database encryption key (see Database Encryption Key Management on page 2-5).

Why the On-Premise Management Server Installation Will Fail on Windows 2008 Server?

One possible reason is that the Internet Information Server (IIS) 6 Metabase compatibility component is not installed for IIS 7. Another possible reason is that WCF Activation features of .Net Framework are not installed.

B-3


Why Does the Management Server Installation Fail?

The installation package will evaluate the requirements in the system. If some of the requirements are not installed, an error will occur. See the Prerequisites in Installing SecureCloud on page A-3.

How do I Acquire the Installation Log File for Installation Debugging?

In order to generate a debug log file during a manual installation of the Management Server, run the following command from the command prompt:

msiexec /i <msi path> /lv*x install.log

Note: Please substitute the <msi path> with the path of the SecureCloud MSI file.

How do I Start and Stop a Dependent ServiceTo ensure the smooth operation of a dependent service, it is a good practice to start your dependant service after the data storage device is mounted and then stop it before the device is dismounted.

To implement this functionality, you have to modify the config.xml file.

Procedure:

Update the config.xml file under the Runtime Agent folder by adding the following:

<userScripts mountComplete="" teardown=""/>

Also, set the correct script path for mountComplete and teardown.

B-4

Appendix C

Contact Information and Web-based Resources

This appendix provides information on getting further assistance with any technical support questions that you may have.

Topics in this appendix include:

• Knowledge Base

• TrendEdge

• Contacting Technical Support

• TrendLabs

C-1


Knowledge BaseThe Trend Micro Knowledge Base is a 24x7 online resource that contains thousands of do-it-yourself technical support procedures for Trend Micro products and services. Use Knowledge Base, for example, if you are getting an error message and want to find out what to do to. New solutions are added daily.

Also available in Knowledge Base are service FAQs, hot tips, preventive antivirus advice, and regional contact information for support and sales.

http://esupport.trendmicro.com/

And, in case if you cannot find an answer to a particular question, the Knowledge Base includes an additional service that allows you to submit your question in an email message. Response time is typically 24 hours or less.

Note: Because SecureCloud is a new product, the Knowledge Base does not yet contain much information on this product.

TrendEdgeA program for Trend Micro employees, partners, and other interested parties that provides information on unsupported, innovative techniques, tools, and best practices for Trend Micro products. The TrendEdge database contains numerous documents covering a wide range of topics.

http://trendedge.trendmicro.com

Note: Because SecureCloud is a new product, the TrendEdge database does not yet contain much information on this product.

Contacting Technical SupportIf you should encounter problems while using SecureCloud, please use the following email address to contact Trend Micro and report your problem:

http://esupport.trendmicro.com/SRFMain.aspx

C-2

Contact Information and Web-based Resources

General Contact InformationGeneral US phone and fax numbers follow:

Voice: +1 (408) 257-1500 (main)

Fax: +1 (408) 257-2003

Our US headquarters is located in the heart of Silicon Valley:

Trend Micro, Inc.10101 N. De Anza Blvd.Cupertino, CA 95014

For a list of the worldwide support offices, go to:

http://kb.trendmicro.com/solutions/includes2/ContactTechSupport.asp

C-3


TrendLabsTrendLabs is Trend Micro’s global infrastructure of antivirus research and technical support centers that provide customers with up-to-the minute security information.

The “virus doctors” at TrendLabs monitor potential security risks around the world, to ensure that Trend Micro products and services remain secure against emerging risks. The daily culmination of these efforts are shared with customers through frequent virus pattern file updates and scan engine refinements.

TrendLabs is staffed by a team of several hundred engineers and certified support personnel who provide technical support for a wide range of products and services. Dedicated service centers and rapid-response teams are located in Tokyo, Manila, Taipei, Munich, Paris, and Lake Forest, CA.

C-4

Appendix D

Basic Troubleshooting Information

This appendix provides trouble shooting information if you should encounter network configuration problems with vCloud or log management issues.

Topics in this appendix include:

• Network Configuration and vCloud

• Log Management

Network Configuration and vCloudEnsure that the network configuration of your cloud service provider’s environment enables communications between the virtual machine instances (vApps) running the SecureCloud agent or Configuration Tool are able to connect to the vCloud Director (vCD) Web services using HTTP and HTTPS. Failure to do so may result in errors when provisioning devices or starting the SecureCloud Runtime Agent in the vCloud environment. If your cloud environment is configured such that the vCD is firewalled from the vApps, enable a firewall rule to allow inbound traffic on TCP ports 80 and 443 from the vApp network to the vCD IP address.

D-1


Log Management

How to Turn on the Debug Log on the Server SideModify the Log Level setting from INFO to DEBUG in the C9Configuration table in the SecureCloud database. The log file is generated at C:\inetpub\SecureCloud Management Server\logs folder.

SSL Configuration and TroubleshootingSecureCloud utilizes SSL to establish a secure connection between the Management Server and the Runtime Agent and Configuration Tool. The validity of the SSL certificates installed on the Management Server are verified by the Runtime Agent and Configuration Tool prior to establishing a communications protocol. If you are experiencing SSL certificate validation issues, there are two methods to resolve this. These are described below.

1. Install the Issuer Certificate files on the Runtime Agent and Configuration Tool machine images.

The Runtime Agent and Configuration Tool provide a mechanism for users to upload their own certificate issuer files in order to establish a trust relationship with the Management Server. These certificates should be in PEM (base64 encoded DER) format and placed in the appropriate folder:

Runtime Agent:

/var/lib/securecloud/certs (Linux)

C:\Program Files\Trend Micro\SecureCloud\Agent\bin\certs\ (Windows)

2. Disable SSL certification validation in the Runtime Agent and Configuration Tool machine images

In the event of using a Self Signed certificate, or a certificate whose common name doesn't match the hostname which the Runtime Agent and Configuration Tool use to connect to the Management Server, SSL certificate validation can be disabled.

Edit the config.xml file and set the ignore_errors attribute to True on the openssl element:

<openssl certTimeout="60" ignore_errors='True'/>

D-2

Basic Troubleshooting Information

The config.xml file is located in the following location:

Runtime Agent:

/var/lib/securelcoud/config.xml (Linux)

C:\Program Files\Trend Micro\SecureCloud\Agent\bin\config.xml (Windows)

D-3


D-4

Appendix E

Managing SecureCloud Using RightScale

The Trend Micro right script takes AWS credentials and device configuration information as input and then performs provisioning.

This appendix describes how to locate and install the SecureCloud RightScripts in your RightScale account.

Procedure:

1. Create the multi-cloud image from the RightScale console

See your RightScale documentation.

2. Go to the "Scripts" tab and locate the SecureCloud script from the published scripts

3. Go to the "Inputs" tab and specify the following:

• AWS_ACCESS_ID — Amazon access ID

• AWS_SECRET_KEY — Amazon secret key

• DEVICES_CONF — Devices to be provisioned and their configurations• format: id={volumeid},mountpoint={mount

point},os={[linux, windows]},filesystem={[etx2,ext3,NTFS,fat32]},kmtype={[LUKS,none]},keysize={[128,192,256]};...

E-1


• KMS_API_URL — API URL received from SecureCloud

• PACKAGE_NAME — Agent package to be installed, depending on the operating system

• SC_ACCOUNT_ID — SecureCloud account ID received from SecureCloud UI

4. Complete the fields and start the instance.

5. View the monitor to see the status of the script.

6. At the end of the process, the new data storage device will be added to the SecureCloud inventory and appear with a status of "Encrypted" in the "Devices" page.

E-2

Glossary

Account nameA name that uniquely identifies you, or your organization's organization’s account in the Management Server.

BundlingThe process of creating a template image from a running instance in the cloud service provider environment.

Cloned deviceA data storage device that was created from another data storage device. The device clone is exactly the same as the originating device and therefore functions the same as the originating device. SecureCloud does not encrypt a device clone since it retains the encryption from the originating, cloned device.

Configuration ToolThis is a one-time-used, command-line tool that encrypts the data storage device you want to attach and mount in the Runtime Agent. The SecureCloud Configuration Tool also registers the device information with the SecureCloud Management Server for either an Amazon, Eucalyptus, or VMware vCloud environment, or for a private cloud provider.

Database encryption keyThe database encryption key encrypts the database where the device encryption key is stored. The database encryption key is initialized at the installation of the first instance of the Management Server. Once you specify a passphrase or accept a generated passphrase for the database encryption key, key back up is possible.

GL-1


Device encryption keyFor securing data on the encrypted data storage device, a 128-bit randomly generated key is used for devices that are encrypted and a 256-bit randomly generated key for all internal encryption.

HypervisorIn virtualization technology, hypervisor is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system. The hypervisor manages the system's processor, memory, and other resources to allocate what each operating system requires. Hypervisors are designed for a particular processor architecture.

ICMIntegrity Check Module (ICM) is a module running inside the Runtime Agent that checks the integrity of security products within a machine instance.

InstanceA running machine image in the cloud service provider environment.

IPv4IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the Transmission Control Protocol (TCP).

IPv6IPv6 is an Internet layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks. IPv6 simplifies aspects of address assignment (stateless address auto-configuration), network renumbering and router announcements when changing Internet connectivity providers. Network security is also integrated into the design of the IPv6 architecture, and the IPv6 specification mandates support for IPsec as a fundamental interoperability requirement.

GL-2

Glossary

KMIPThe Key Management Interoperability Protocol (KMIP) establishes a single, comprehensive protocol for the communication between SecureCloud and other third-party encryption key management systems. By using a consolidated protocol, organizations will be able to simplify key management and reduce operational cost significantly.

Machine imageA system virtual machine which provides a complete system platform that supports the execution of a complete operating system. SecureCloud supports the Amazon Machine Image (AMI), Eucalyptus Machine Image (EMI), and vCloud Machine Image. These machine images are a special type of virtual appliance which is used to instantiate (create) a virtual machine within the cloud service provider’s environment. The machine image serves as the basic unit of deployment for services delivered using the environment of the cloud service provider.

Management ServerThe server provides centralized management functionality around machine identity validation, key issue and management, access logs. This server is hosted as SaaS in a multi-tenant service.

Trend Micro License Management PlatformSecureCloud works with Trend Micro License Management Platform (TMLMP) to manage product licensing for tenant customers and establish Single Sign-on using Trend Micro Single Sign-on (TMSSO).

Private key and certificate filesAmazon credentials obtained when creating your Amazon account and required by SecureCloud to interact with the Amazon environment.

GL-3


Runtime AgentThis agent is installed inside the production virtual machines for runtime validation, key access and encrypt/decrypt functionality. It consists of the main three modules: 1) data encryption/decryption module, 2) integrity check module and 3) credential validation and key acquisition module.

SecureCloud Central Management ConsoleSecureCloud On-Premise is set up and maintained through the Central Management Console. This console is where you specify the settings necessary to use the main functionality of SecureCloud On-Premise, which is done through the Web Console.

See Also:

• How SecureCloud Works on page 1-8

• Using the SecureCloud Central Management Console on page 1-13

SecureCloud Web ConsoleThe Web-based user interface to the Management Server.

VendorAn organization or person that subscribes to SecureCloud for Managed Service Providers.

GL-4

IndexIndex

Aaccount ID 1-12

account name, definition of G-1

activation code 2-13Active Directory

authentication 1-3

Add or Remove Programs A-12

AES 256 B-2

AES 256 encryption B-1

AES encryption 1-3

AES-128 1-12

API B-1

Application Pool identity B-3

ASP.NET 2.0 A-4

Bbundling, definition of G-1

Ccheck boxes

Include SNMP Alert 2-9

Configuration Tool 1-12

Configuration Tool, definition of G-1contact

general information C-3

Control Panel A-12

crypto engine 1-6

CSV format 1-15

Ddecryption key 1-8

Deep Security Manager (DSM) 1-6

DSM 1-6

Eemail Technical Support C-2

encryption key 1-8

encryption key, definition of G-2

FFAQs C-2

FDE 1-6

FIPS 140-2 1-6

Firefox 1-2

Full Disk Encryption (FDE) 1-6

Hhot tips C-2

HTTP D-1

HTTPS B-1, D-1

hypervisor B-1

hypervisor, definition of G-2

IIIS A-4, B-3

Include SNMP Alert check box 2-9

Installation Wizard A-4–A-5, A-7, A-9

installation wizard 1-12

instance, definition of G-2

Internet Explorer 1-2

Internet Information Server (IIS) A-4, B-3

IPv6 1-6

IX-1


JJavaScript 1-2

KKey Management Interoperability Protocol (KMIP)

1-6keys

decryption 1-8

encryption 1-8

KMIP 1-6

Knowledge Base viii, C-2

Knowledge Base URL C-4

Mmachine image, definition of G-3

main menu 1-13

Management Server, definition of G-3

Microsoft .NET Framework A-4

MSI file B-4

MSP 1-16

Oonline help viii

Ppassword requirements 2-7

preventive antivirus advice C-2

private key and certificate files, definition of G-3

public CA certificate A-6

QQuick Reference Guide viii

Rreadme viii

role-based management 1-3

Runtime Agent 1-8, 1-12

Configuration Tool G-1

vCloud Director D-1

runtime agent, definition of G-4

SSAML 2-11

SAML IdP 2-11

scan engine refinements C-4

SecureCloud certification file A-11

SecureCloud private key file A-11

SecureCloud Web console, definition of G-4

Security Assertion Markup Language (SAML) 2-11

SQL Server Reporting Services A-8

SSL 1-3, B-2

SSRS A-8Support

contacting C-2

support by email C-2

TTCP ports D-1Technical Support

contacting C-2

Tenant Setup Tool 1-9, 1-16–2-1, A-1, A-10

TMLMP service name A-11

TMSSO IdP certification file A-11Trend Micro

contact information C-3

Trend Micro Download Center A-4

Trend Micro Encryption Module 1-6

TrendEdge C-2

TrendLabs C-4

UUTC time zone B-1

VvApps D-1

vCD D-1

vCD IP address D-1

vCenter 1-6

vCloud D-1

vCloud Director D-1Virus Doctor. See TrendLabs

IX-2

Index

virus pattern file updates C-4

WWeb Console password 2-7

Windows authentication A-5

worldwide support offices C-3

IX-3


IX-4

Documents

Trend Micro Incorporated reserves the right to make ...docs.trendmicro.com/all/ent/sc/v2.0/en-us/SC20_MSP_AG.pdf · • Ubuntu r e v r e S s w o ... 85MB to install SecureCloud Management