Checkpoint Command Centre - User Guide

Advanced Topics

Author: Will Dickson, CCS
Editor: John Dickson, CCS
Version: 1.3.1
Date: 06 July 2007
<<Front Page <Introduction Advanced CPC Plus >

Installing modules and parcels

You can use CPCC to create tasks manually, and use Checkpoint Commander Plus (bundled with CPCC) to create CDBs the same way. However, there are various pre-packaged applications and value-added databases which are designed to use Checkpoint, and these are provided as Checkpoint modules which you install using CPCC. These modules contain all the task definitions and CDBs you need in order to use the application. Checkpoint modules come in files with a .cpm filename extension.

Alternatively, a package may come as a Checkpoint parcel. This in turn contains one or more Checkpoint modules. However, the modules in a parcel may be (and usually, are) encrypted. Before they can be installed, Checkpoint must obtain the decryption keys from a parcel key server. Generally the key server will require you to have paid for the parcel before it will release the decryption key.

Installing a module or parcel is a fairly simple procedure, as long as you follow the on-page instructions fairly carefully. CPCC asks you all necessary questions, and checks everything it can, before installing anything; at any point before you choose "Commit Install", you can cancel the procedure, and nothing will have changed.

Start the procedure from the front page by clicking the "This subsystem" hyperlink in the sidebar, then the "Install Module" link. At this point the sidebar goes blank: from here on, do all your navigating from the buttons in the main panel, or use the navigation bar at the top of the main panel. To avoid the display getting out of step with what's going on behind the scenes, don't use your browser's navigation facilities either.

[NOTE] In various places during the procedure, you will see a form which, inter alia, requires you to enter the path to a file or a folder on your machine. These provide a text box where you can type the path manually if you want, but also have a "choose" button. This will take you to a sequence of pages which allows you to navigate to the file or folder required; if you enter a path in the box before clicking choose, then the navigation will start from there. When you're done, you'll get taken back to the form.

Start by navigating to the folder containing the module file(s) (.cpm extension) of the application which you wish to install. This may be on the distribution media - or wherever you downloaded modules the modules to. Many applications come as more than one module. Checkpoint applications usually come with up to four. One contains the application code (program or programs), others contain any chrome (data used to generate the application's interface), application documentation, or skeleton CDBs which the application requires. (A skeleton CDB contains the correct structure, but no data; you will then use the application to populate the CDB with your data). By convention, Checkpoint code modules are called something like foobar-1.6.66.cpm, chrome modules something like foobar.chrome-1.8.05.cpm, documentation modules something like foobar.docs-1.2.12.cpm, and skeleton modules something like foobar.skel-1.1.0.cpm.

[NOTE] In any particular release of an application there is no requirement for the module version numbers to be the same as each other, or the same as the application version number. Indeed, they may all be different.

The individual modules of an application release may have dependencies on other modules. In particular the code module probably has dependencies on all the other modules in a release. So to install an application from scratch, or update the code, you should chooose the code module. You will then be shown a page with the tree of dependencies on, which will allow you to disable those dependencies you don't want to install. For example, if you're updating an application that's already installed, and don't want your data to be overwritten, disable the skeleton module. On the other hand, if you only want to update some other module of an installed application, such as changed chrome, say, then choose that module to install.

If a module you're installing (either the "root" module you chose at the start of the procedure, or any of its dependencies you've chosen to install) contains CDBs, you will be shown a page which displays the list of CDBs, describes whether they "clash" with any pre-existing CDB - and if so, lets you choose what to do about this - or, if not, allows you to choose where to put them.

Finally, as described above, CPCC won't actually change anything until (unless) you choose "Commit" on the "Commit Install" page, which follows all the questions. You can back out at any time before that, so don't worry too much if you make a mistake.

Where a module contains Java code, Checkpoint stores all this code in a central repository; this makes it easier to find. You must have the correct privilege to update this repository - see below. If you don't have the privilege, you can still install the module, provided that some other user who does has previously installed the same module in another subsystem; you can use the copy of the code which they installed.

Privileges

As well as access to tasks and / or CDBs granted by CPAC, users can be given certain "privileges" which apply in any subsystem. The set of privileges is fixed. These privileges are as follows, and are shown in roughly increasing order of potency.

Login enabled
This DN may be used to login (start a Checkpoint session). If it's a user ID or email address, this means it will need a password or token / password pair. Logins as an X.509 DN only occur when a user presents a TLS client certificate claiming that DN. No password is needed in this case, which is one of the major attractions of this mechanism.
May access CPCC
This DN may access CPCC. The Login enabled privilege is needed as well. If a DN has Login enabled but not may access CPCC, it may be allowed to access other applications instead.
May create subsystems
This DN may create new subsystems. Users without this privilege can only log into subsystems created by other users, who have given them permission to do so.
May install code and binaries
This DN can update Checkpoint's repository of Java code, and add or update files in the Checkpoint installation. Users who do not have this privilege can only use code installed by those who do.
May list existing subjects
This DN may read Checkpoint's list of known subjects, and their DNs. The may manage subjects privilege includes this as a subset.
May create new subjects
This DN may create new subjects and allocate DNs to them. However, this privilege does not allow it to modify subjects which exist already. The may manage subjects privilege includes this as a subset.
Owns global subsystem
This DN can act as an owner of the global subsystem, and can administer it. Unlike every other subsystem, the global subsystem can have more than one owner.
May manage global log
This DN may read and clear the global error log, which records all attempted access-control violations which did not take place in any particular subsystem. In general these are login failures. Typically most will be honest mistakes, but there may be evidence of attempted cracking activity as well! Attempted violations which occur while logged into a subsystem are reported in a subsystem-specific log, which is managed by the owner of that subsystem.
May manage subjects (except host owners)
This DN may create new subjects, may change the privileges granted to any DN (including their own), may change the password of any DN (but cannot determine their current password), and may destroy subjects entirely. Guard this one well! However, this privilege does not allow the DN to modify any subject who has the host owner privilege (qv.).
May manage host configuration
This DN may change various settings which apply to the entire Checkpoint installation. This is of little use to ordinary users, but is useful to attackers. Best left to the host owners.
Host owner
This DN, and the subject it names, cannot be modified by any DN which does not also have this privilege. This is intended to guard against a rogue subject manager attempting to lock everybody else out. This privilege includes the may manage subjects privilege as a subset. [This provision removes the "host owner gotcha" found in Checkpoint 5.]

CPAC: the advanced manual

General

This section describes some additional features of CPAC; these were left out of Access Control - Basics so as not to drown you in detail.

Error messages and logging

When a request is denied on access-control grounds (an "access-control violation") the error message which CPAC returns can be anything from an incomplete truth to an outright lie. This is necessary to avoid "side channels" of leaked information. For example, if you fail to log into a subsystem (although your user ID and password were OK), then Checkpoint will always say "subsystem does not exist", even if it does exist (but you're not allowed in). Otherwise, you'd be able to tell that it existed by the wording of the error message, and you're not entitled to know that.

All access-control violations are logged. The log entry will tell the truth.

Login tasks

Normally when you log into a subsystem you see the Front Desk page. However, it's also possible to set a login task. This task will be launched automatically as soon as the user logs in. Note that this is a convenience measure; if you need to limit access to tasks you should use the access-control system, since a knowledgable user (i.e. one who has read the troubleshooting section at the end of this manual) will be able to break round this and get back to the front page.

You can set up a subsystem-global login task (that will be executed for any user, by default) from the "This subsystem" link off the front page.

You can set alternative login tasks for individual users by setting subsystem ACL entries for those users. You can also set an ACL entry which asserts that there is no login task for that user (which means that they go to the front page).

Task types

Checkpoint supports five kinds of task.

  • Browse tasks allow you to browse in CDBs which contain a filesystem set and so look like the file system on a disk - files are contained within folders. Typically this is used when the CDB contains a web of HTML pages.
  • External tasks are standalone programs which have not been designed to work with Checkpoint. You can define external tasks for your own convenience (so that you can work with everything from the same place). However, Checkpoint does not provide any kind of real access-control to these - a knowledgeable user will probably be able to launch them in some other way.
  • Internal tasks are applications which run inside CPCC itself. Where the application fits the constraints which this imposes, this embedding makes the app easier to write and takes up fewer resources than running stand-alone beside Checkpoint.
  • Java tasks are applications written in Java and often (but not necessarily) designed to work within Checkpoint, which do not fit the constraints imposed on an internal task.
  • Protected tasks are a kind of high-security external task. A protected task defines a set of files which will be extracted from CDBs to fixed, user-defined locations on the hard disk filesystem before the application is launched. After the application shuts down, these files are copied back into their CDBs and the out-in-the-open copies are wiped. In this way you can secure your vital data, and even (key parts of) the application itself inside an encrypted CDB. Thus the application cannot easily be run outside the control of CPCC, and cannot be run at all against your secured data without your permission. This is ideal for confidential data held on your PC, such as financial records.

Destruction rolls downhill

When you destroy CPAC objects, there's a hierarchy which is followed, to keep everything in step.

  • Destroying a task or CDB deletes any ACL entries to it. In the case of a CDB, you have the option of whether to delete the file it points to; sometimes the same file is pointed to in several different CDB definitions.
  • Destroying a subsystem deletes all the tasks and CDBs in it, with knock-on effects as above.
  • Destroying a user deletes all the subsystems that user owns, the global subsystem excepted, with knock-on effects as above.

CPCC always provides one, and sometimes two, interlock boxes of various kinds which you must enable in order to destroy an object. (Exception: ACL entries, which are very easy to re-create). Where a CDB is involved, the interlock is usually a drop-down; the default selection is (interlock) , and you must change this to one of the other settings (which specifies how to deal with the corresponding disk file) before the destroy will work. Other objects are usually guarded by a checkbox.

If you click the "destroy" button without enabling the interlock(s), you will get an "access denied" message.

Your secrets

Checkpoint's two-factor authentication provides greatly better security than passwords alone. However, there are many third-party applications which still rely on passwords for security. In particular, X.509 client certificates, used for X.509-based login to Checkpoint Applications (among other things), are stored in your browser, and are only protected by a typed-in "master password" in most cases. Security is a chain, and this link is weak indeed.

To fix this, Checkpoint allows you to store secrets (passwords) inside the Checkpoint root database. This allows all these secrets to be secured by two-factor authentication. Also, since you no longer have to remember any of these passwords, they can be random, and hence much stronger than ordinary passwords which you have any chance of memorising. A mixed-case random password which is longish but not excessively so (around 22 characters) is equivalent to a 128-bit security level - very strong.

X.509

What is X.509?

X.509 is the mainstream Public Key Infrastructure or PKI. It's a huge, complicated beast, and a detailed description of it would be much longer than we can fit in here. However, it's a big part of Checkpoint 6, so we'll try to give you a reasonable precis.

Why do I need a PKI?

Suppose you need to communicate securely with some other entity across the Internet, eg. a Checkpoint service running on another machine. How might you go about it?

Well, if you could somehow arrange, in advance, a shared secret (a password) which you know, and the service knows, but nobody else does, then you could use conventional, symmetric cryptography (the kind which is used to encrypt CDBs) to secure the link. Unfortunately, that's not very practical.

Next we have asymmetric or public-key cryptography. For this, each party (yourself and the service, to continue the example) has two different keys. One key is public, the other private. However, these are related mathematically, and have two useful properties: firstly, you can use the public key to encrypt a message such that it can only be decrypted with the corresponding private key (and not with the public key); and secondly, you can't determine the private key even if you know the public one. Therefore, if you know the service's public key, you can send it a one-off shared secret [more-or-less - it's more complicated in practice, but the idea's the important thing here] and set up a secure link that way.

So far, so good. However, there's a problem: how do you get hold of the service's public key? Well, you could just ask. Unfortunately, there are various ways that an industrious attacker could subvert this process; we need cryptographic assurance that the public key belongs to the party we have been told it does, and not to some impersonator.

To solve this, we turn to another trick which asymmetric cryptography has up its sleeve, called digital signing. What this means is that one party can use their private key to create a digital signature for some piece of data, which any other party who knows the corresponding public key can verify. If the data is altered in any way, the verification process will fail.

This brings us to the idea of a digital certificate. This consists of:

  • A distinguished name;
  • A public key, for which the corresponding private key is controlled by the rightful owner of the DN;
  • copious amounts of housekeeping data and other red tape, which we don't need to care about here;
  • all bound together by a digital signature.

This, finally, is where the whole PKI comes in. A group of industry worthies have caused to be widely distributed a range of these certificates, each of which is signed by the (private key corresponding to) the public key on the certificate itself. These self-signed root certificates ship with browsers, the Java VM which Checkpoint runs in, etc. The idea is that if you want to get into this secure-communication business, you do the following:

  1. Generate a keypair (a public key and the private key which goes with it).
  2. Send the public key, the DN, and some evidence that you own same, to one of the said worthies.
  3. The worthy (Certificate Authority, or CA, as they like to be called) will generate a certificate and sign it (after your payment has cleared), thus attesting that this is, indeed, your public key.

[NOTE] Astute readers will probably have noticed several large holes in this scheme. We know. However, in practice it seems to work anyway.

How does it work?

The idea is that, when you contact a service, the service will present you with its certificate chain. This consists of its own certificate (which contains its DNS name), the certificate of the CA which signed same, and so on until the last certificate in the chain, which is a self-signed root certificate. However, you've already got the root certificate (it came with your browser) so you can verify the entire chain.

After you've gone through this part successfully, you know that the service is genuine. However, the service doesn't know anything about you; you still need to authenticate yourself to it.

Normally this is done via some conventional authentication process; eg. DN and password. However, if you're feeling keen (and / or can't be bothered with typing in passwords all the time) you can reply by presenting your own certificate chain to the service. It does the same thing, and in the end it knows who you are, just as you know who it is.

All of this requires that the service be using the standard TLS (also known as SSL) security layer. All major browsers support this. As well as the X.509 authentication described here, TLS also provides confidentiality (data on the wire is encrypted and can't be eavesdropped) and data authenticity (data can't be altered without this being noticed). Contrary to popular opinion, the latter is usually more important than the former.

How does Checkpoint help?

Checkpoint and CPCC provides the certificate lifecycle management tools which are needed to make use of X.509, in a clean and easy-to-use manner. All of these tools use the well-known, standard formats, and should be compatible with most third-party applications. These formats are usually called "PKCS#n" (where 'n' is a number), after the set of standards documents which define them. Don't worry unduly about which number is which.

Certificate generation
Generates a public / private keypair, and a self-signed certificate to keep the public key in. Checkpoint generates keys for the RSA algorithm; this is well-known, flexible and unencumbered by patents.
Certification request
The self-signed certificate won't be much good on its own unless you intend to become a CA in your own right; you need to get your certificate signed by a CA which is trusted by other parties. [In fact, the CA will issue a new certificate which includes your public key and DN; this replaces your temporary certificate en bloc.] This option generates the request which must be sent to the CA. The format is signed, so it's tamper-evident and does not need to be sent over a secure channel.
Certificate import / export
Export or import a certificate or certificate chain. If you've decided to be a CA, you'll need to export your self-signed certificate so that you can give it to all your clients.
Keypair import / export
Export both the certificate chain and the private key which goes with it. If you want to use a personal certificate to access remote Checkpoint services via your browser (the usual route) you'll need to export these from Checkpoint in order to import them into your browser. This file must be encrypted; options for setting the required password are provided.
Trusted CA import / selection
If this copy of Checkpoint is running services, and you want to allow users to login using X.509 certificates (recommended), then you will need to define the set of CA certificates you want to trust to vouch for those certificates. By default, browsers trust a wide range of CAs for the sake of maximising interoperability. However, we decided that it was more important to ensure that some thought goes into what is actually a fairly important question of security policy, so by default Checkpoint does not trust any. [This feature is located under Host configuration.]
TLS "glue"
Finally (and of more significance to developers than end-users), Checkpoint provides the required "glue code" to make it easy for Checkpoint Applications to use TLS for any kind of network traffic.

The one function which is not supplied by Checkpoint is the ability to act as your own CA: you can generate a CA certificate but the actual certificate-signing operation is not available as part of the Checkpoint Core. If you want to do this, you need Checkpoint COBRA, our addon product.

Application configurations

Many Checkpoint Applications, including CPCC, are "bimorphic". This means that they can either be used as "desktop replacement" applications, accessed via a web browser from the machine where the application is running (only), or equally as full-scale service applications available across the Internet.

The networking settings required to determine this, as well as various other pieces of information which are needed very early in the application startup process, are stored in a .conf file located in the conf subfolder of the Checkpoint installation. This is a plain text file, and can be edited with a text editor such as the Checkpoint Commander text-editor plugin. The exact settings vary a bit between applications. There are notes about each setting in the .conf files themselves.

All these applications are installed in desktop-replacement mode (access from local machine only). When you're ready to let the rest of the world in on an application (if ever), edit the appropriate .conf file accordingly and restart the application.

All applications which use a .conf file accept an optional command-line parameter,

-conf <confname>

If provided, the <confname> parameter gives the name of the .conf file (including the .conf extension) to use. This allows multiple configurations of the same application.

The application-default .conf files are overwritten when the application is upgraded. therefore, if you do want to customise the file, it's a good idea to work with a separate copy rather than the original, even if you don't want multiple configurations.

CPCC Hacking and Troubleshooting

General

This section covers various twinges you may encounter.

Browser effects

Some browser settings can cause problems.

  • Overenthusiastic caching. CPCC pages should never be cached by your browser (they're dynamic, and change unpredictably) and the HTTP headers (which aren't part of the page, but are supposed to be obeyed by the browser anyway) say "don't cache me" in several different dialects! Nevertheless, a few browsers may not obey this. If you think you're running into this, try to force your browser to reload; if this clears the problem, then either try to turn off the cache in whatever way your browser does this, or try a better browser.
  • Smart-alec MIME typing. The MIME type of a page tells the browser what to do with it - render it as a page, save it to disk, hand it off to a video player, etc. CPCC tells the browser what the right MIME type is, but some browsers may ignore this and try to guess instead. Since some of the pages don't have the normal extensions, this tends to go wrong. Typically this is what's happening if the browser brings up a "save as..." dialog rather than displaying the page you were expecting. If you get this, tell the browser not to do this; again, how you do this depends on what browser you're running.
  • Some browsers offer to remember your password for you. This is undoubtedly convenient, but be cautious - some implementations are horribly insecure. How is the browser's password cache guarded?

Chrome hacking

Once you've gotten the hang of CPCC, you may want to customise it - skins, psychedelic backgrounds, dancing 3D menus, whatever takes your fancy. If you understand XSLT, HTML and CSS, you can do this by using Checkpoint Commander to open the unencrypted CDBs called cpcc5.chrome.cdb and common.chrome.cdb, located in the filestore subfolder of the folder in which you installed Checkpoint.

Chrome hacking by end users is not supported by CCS; proceed at your own risk. Take a backup of the original CDBs before you start, in case you foul up. The folder structure inside the chrome CDBs is not officially documented (so we do have the option of changing it without telling you) but, strictly off the record, we don't expect it to change all that much.

common.chrome.cdb contains communal stylesheets and page "furniture" images, shared between many Checkpoint Applications, including CPCC. It also contains some XSLT transform sheets and HTML pages used by the Pasiphae engine which CPCC is built on. These provide shared services such as session initiation (login) and the FileMage. (The FileMage implements a browser-fronted version of the standard "file-open" dialog box; it's used for eg. the various Browse functions you get while installing a module.) NB. Be careful when hacking on these; since Pasiphae is used by several Checkpoint Applications, the effect may have a longer reach than you intended.

cpcc5.chrome.cdb contains XSLT transform sheets and HTML pages used by CPCC5 itself (and nobody else).

Straight HTML pages are not cached, so your changes should take immediately; just hit reload in your browser, and you ought to see the difference. (Note: some browsers need a bit of encouragement to register changes to CSS - if nothing seems to have happened, make some grotesque change and see if that takes; if not, try reloading again.) However, XSLT transform sheets are cached and precompiled for speed - slower machines have to spend significant amounts of time chewing on these to get them ready. This means you have to restart CPCC to test your changes, which is a nuisance.

To change this behaviour, shut down CPCC and open the file cpcc.boot with a simple text editor (e.g. the Checkpoint Commander text editor). This file is in the bin subfolder of the folder where you installed Checkpoint. You'll see some lines which start with -D. Immediately after these, add the following line, exactly as written: 

-Dccs.xml.noXSLCache

No extra spaces, case exactly as shown. Then restart CPCC and start hacking as before. CPCC may seem to run more slowly, but your XSLT changes should take as soon as you hit reload on your browser.

Malignant login tasks

Sometimes you set a login task, but the login task isn't working properly, and won't take you back to the front desk (so you can't disable it while you work out what went wrong). Here's how you get out of it:

  1. Look at the URL of whatever page your login task is giving you. The chances are it'll look something like: 
    http://localhost:33430/i13/42/dyn/foo/garble.html
  2. take out the first /i13 (the number after the 'i' will probably be different, and may well be 0).
  3. Keep the following '/' and the number that follows it (here, 42).
  4. Replace the rest with /dyn/front.html . Thus the URL shown above would be replaced with 
    http://localhost:33430/42/dyn/front.html

This URL should take you to the front desk.

If that doesn't work, you can set a special flag which disables login tasks for the subsystem owner. To do this, shut down CPCC and edit cpcc.boot as described in "Chrome hacking" above, but this time add the line: 

-Dccs.cpcc.noSubsysOwnerLoginTasks

exactly as written, instead.

Forgotten passwords

As a responsible host owner, it is incumbent upon you not to do something as pathetic as forgetting your own password - if anybody else does this, then another user who has the manage-users privilege can change it for them, but your account is protected, and so they can't (if, as is quite likely, there is only one host owner).

However, if you do manage this one - to be fair, most of us have done it once or twice! - here's how you recover.

  1. When you first installed Checkpoint, the ConfigureMage made you save a copy of the root database password. You need to find this. If you've changed the password since, the tool made you save a copy of the updated version; you'll need to find this instead. If you've lost it, you're out of luck.
  2. Shut down all Checkpoint applications, and the Checkpoint Daemon if it's running (it's called checkpoint.exe in Windows).
  3. Make sure you have a good backup of the Checkpoint installation. This procedure is potentially dangerous!
  4. Start the Checkpoint Daemon, but supply the following extra command-line parameters:

    -backdoor <rootPwdPath> <dn> <password>
    • <rootPwdPath> - the path to the root password file described in step 1.
    • <dn> - the DN to restore. This will receive all available permissions.
    • <password> - the password for the restored DN. This will not have a token.

If your installation does not allow tokenless logins, you will have to relax this restriction temporarily while you recover. You can do this as follows.

  1. Shut down any Checkpoint applications which are running, and the Checkpoint Daemon.
  2. Where necessary, become the Checkpoint system user. If you don't understand this, it probably doesn't apply to you.
  3. In the lib subfolder of the Checkpoint installation, rename the existing shadow.cdb to shadow.cdb.real or some other suitable name.
  4. Start CPCC. The ConfigureMage process will start.
  5. Perform the first step of the ConfigureMage process to create a null token. Then shut down CPCC and close the browser window. Don't perform the rest of the ConfigureMage process!
  6. Stop the Checkpoint Daemon again.
  7. Rename shadow.cdb.real back to shadow.cdb.
  8. Restart the Daemon (if you normally need to start the Daemon manually) and CPCC. You should now be able to login as normal using the new password.
 
<<Front Page <Introduction Advanced CPC Plus >
Authored in CXD using Checkpoint Information Engineering Workbench   Copyright © Caversham Computer Services Ltd.