TOP SECRET

Communications System How To Guide

The communications system (Comms) is the primary means that XKS systems use to communicate among servers in the same cluster as well as with the outside world. The hub for the communications system is xks_comms_server. Nearly all communications operate via the Comms system. Separate "service" processes within the system perform specialized tasks such as query execution, statistics gathering, and dictionary updates. Comms makes it easy to configure and to write new services. More important, however, Comms is much more scalable than the SQL-based infrastructure. For example, a single "supermaster" communications server should be able to handle the throughput of all communications for an entire site, including those with multiple deep dives. The Comms system is identified in the xks proc file as "xks_comms_server" or "xcs." It can be found in versions 1.5.8 and higher.

Firewall Holes

It is important to note that the Comms system needs a port visible to its "next hop" towards xks-central (xks-control). By default, the Comms system uses port 2412 to communicate with "peers." A peer is a communications server residing on a different cluster, proxy, or viewer. Connection paths among peers and xks-central can go in any direction (central -> proxy -> site, central <- proxy <- site, site -> proxy <- central, etc.), but an installation can only listen on one port. So if you chose port 2412 for central, then anyone's connection TO central will need to connect on 2412.

Note: The system does support a mode where the Comms system can "share" a port with Apache (443, which is typically already open).

Classified By: pdkronm
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320901

Set-Up

Setup and configuration of the XKS Comms system take just a few steps:

Step 1: Log on as the user oper.

Step 2: At the command prompt, type cd followed by the path of the Comms directory and press Enter to get to the Comms directory.
Step 3: From the Comms directory, type vi comms.config and then press Enter. The comms.config file will open.

The Comms system uses comms.config to handle all configurations for "talking" among the site's overlord, masters and slaves. The default values for most configurations (see the Communications Configuration Table below) should NOT be altered unless absolutely necessary. For every connection between two peers, there are only a few rules that MUST be configured manually:

- a peer rule on one end of the connection;
- a reciprocal allow rule on the other end of the connection;
- a bandwidth_rule on each end of the connection.

The name of the rule on each end does not matter, and bandwidth caps can be different in each direction if the connection speed is different. These rules are described in Steps 4 through 6.

Step 4: Change the peer configuration.
Example: port=2412, bandwidth=to_central, network=external

A peer is a communications server residing on a different cluster, proxy, or viewer. Peer connections are initiated when the xks_comms_server starts. In an XKS cluster, peer connections are made only by the cluster master or cluster overlord. There are four settings:

a. The IP address or hostname of the peer.

b. port= (default: 2412): The port that is open for connections on the given hostname/IP address.

c. bandwidth=bandwidth_rule: The maximum amount of bandwidth the Comms system will use for all communications between the local server and this peer. You can configure this with a rule name that is defined in Step 6, or you might choose to enter a specific value (in bits) instead. Note: To assist in selecting a good bandwidth setting, a bandwidth tester script is provided with the installation.

d. network={internal|external}: The Comms system uses this parameter to establish an "inside" and an "outside" when configuring proxies and making routing decisions.
For example, a site connecting to a particular proxy would have a peer rule of external TO the proxy, and the proxy would have an allow rule of internal FROM the site (Step 5). Similarly, anything flowing from the proxy toward xks-central would have a peer rule of external. If not specified, the default is "external". Less common is an internal peer rule, such as on a country-level proxy. For example, in a USA/GBR proxy, everything on the USA side is internal. Everything else is external.

Step 5: Change the allow configuration.
Example: bandwidth={some bandwidth}

The Comms system will only accept connections from address ranges it has been specifically configured to allow. If a proxy/viewer is going to receive incoming connections from a peer, then an allow rule for each connection must be entered in comms.config. There are three settings:

a. subnet=value: This can be a hostname, IP address, or a subnet in CIDR notation. The default setting is [illegible in the source].

b. bandwidth=bandwidth_rule: As with the peer configuration, this is the maximum amount of bandwidth the Comms system will use for all communications between the local server and the peer. You can configure this with a rule name that is defined in Step 6, or you might choose to enter a specific value in bits. Note: To assist in selecting a good bandwidth setting, a bandwidth tester script is provided with the installation.

c. network= (default: internal): The Comms system uses this parameter to establish an "inside" and an "outside" when configuring proxies and making routing decisions. For example, a site connecting to a particular proxy would have a peer rule of external TO the proxy, and the proxy would have an allow rule of internal FROM the site. Refer to Step 4d for more information about the network rule.

Step 6: Change the bandwidth_rule configuration.
Example: bandwidth_rule[to_central]

The Comms system fairly balances bandwidth among all its services.
This prevents one service using up all the bandwidth and effectively "blocking" another service. To ensure that all services will work, it is very important to tell the Comms system how much bandwidth is available. Identifying a value that accurately reflects the amount of bandwidth available on the connection is paramount in making the system work efficiently and correctly.

Note: Each physical connection should have its own bandwidth rule. Any "virtual" connections that use that physical connection should also share the same rule name, which causes them to share the same pool.

Each bandwidth rule has two components:

rulename: The unique name assigned to the bandwidth_rule. This is the name that is referred to in the bandwidth part of the peer and allow configurations.

unit size/measure: The bandwidth size. Bandwidths are measured in k (kbps) or M (Mbps). A unit is required for all bandwidth values. Note: the unit size is always in bits per second, never bytes.

In the example, to_central is the rule name and the value that follows it (in kilobits, k) is the maximum bandwidth that can be allocated to all services on the entire connection. Typically, if the physical connection between two nodes is symmetrical, then a peer rule and its corresponding allow rule will share the same numeric bandwidth limit. If you do not want the nodes to share the named pool (e.g., to_central), then you can always use different names. Alternatively, you do not have to use names at all. Instead, you might put the bandwidth size limit in the bandwidth= part of the peer/client definition.

Note: On rare occasions, the connection between two nodes is asymmetrical, where the bandwidth for "upload" is different from the bandwidth for "download". On these occasions, each side of the connection will have a different numerical bandwidth. Typically a site has one limited pipe it uses to talk to the world, so there should be one bandwidth rule (perhaps named to_central) and all peer and allow rules should use that rule.
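The three-rule pairing of Steps 4 through 6 (a peer rule on one end, a reciprocal allow rule on the other, a bandwidth_rule on each end, and external-to-internal network sides) can be checked mechanically before a link is brought up. The following is an added Python example written for this guide's description; it is not code from the original page or from the xks_comms_server software. The dictionary layout, the 10.x addresses, the rule names and the k/M unit parsing are assumptions, not the real comms.config syntax.

```python
"""Consistency check for the peer / allow / bandwidth_rule pairing (Steps 4-6).

Added illustrative example: the dictionaries below are a plain Python model
of the settings the guide describes, not the real comms.config syntax and
not xks_comms_server code.  Addresses and rule names are constructed.
"""
import ipaddress
import re

# Assumption: bandwidth values are "<number><unit>" with unit k (kbit/s) or
# M (Mbit/s); the guide says a unit is required and it is always bits, never bytes.
_BW_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([kM])\s*$")
_MULT = {"k": 1_000, "M": 1_000_000}


def parse_bandwidth(text):
    """Return bits per second for a unit-suffixed value; reject unit-less values."""
    m = _BW_RE.match(text)
    if not m:
        raise ValueError(f"bandwidth {text!r} needs a number and a k/M unit")
    return int(float(m.group(1)) * _MULT[m.group(2)])


def resolve_bandwidth(node, value):
    """bandwidth= is either the name of a bandwidth_rule on this node or a literal size."""
    rule = node["bandwidth_rules"].get(value)
    return parse_bandwidth(rule if rule is not None else value)


def subnet_covers(subnet, host):
    """allow subnet= may be a hostname, an address, or a CIDR block."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return subnet == host  # hostname form: exact match only


def check_link(initiator, peer_rule, acceptor):
    """Check one connection and return a list of findings (empty means consistent).

    initiator: node holding the peer rule (Step 4); acceptor: node that must hold
    the reciprocal allow rule (Step 5); both need a resolvable bandwidth (Step 6).
    """
    findings = []
    allows = [a for a in acceptor["allows"] if subnet_covers(a["subnet"], initiator["address"])]
    if not allows:
        findings.append(f"{acceptor['name']}: no allow rule covers {initiator['address']}")

    # An installation listens on one port, so the peer port must be the acceptor's listen port.
    port = peer_rule.get("port", 2412)
    if port != acceptor.get("listen_port", 2412):
        findings.append(f"{initiator['name']}: peer port {port} is not {acceptor['name']}'s listen port")

    for node, rule in [(initiator, peer_rule)] + [(acceptor, a) for a in allows]:
        try:
            resolve_bandwidth(node, rule["bandwidth"])
        except (KeyError, ValueError) as exc:
            findings.append(f"{node['name']}: unusable bandwidth setting ({exc})")

    # A peer rule of external towards a proxy pairs with an allow rule of internal from the site.
    if peer_rule.get("network", "external") == "external":
        for a in allows:
            if a.get("network", "internal") != "internal":
                findings.append(f"{acceptor['name']}: allow for {initiator['address']} should be network=internal")
    return findings


# Constructed sample: a site initiating towards a proxy on port 2412.
SITE = {"name": "site-a", "address": "10.1.2.3",
        "bandwidth_rules": {"to_central": "150k"}, "allows": []}
SITE_PEER = {"port": 2412, "bandwidth": "to_central", "network": "external"}
PROXY_OK = {"name": "proxy-1", "listen_port": 2412,
            "bandwidth_rules": {"from_site_a": "150k"},
            "allows": [{"subnet": "10.1.2.0/24", "bandwidth": "from_site_a", "network": "internal"}]}
# Two defects: a unit-less bandwidth literal and the wrong network side.
PROXY_BAD = {"name": "proxy-2", "listen_port": 2412, "bandwidth_rules": {},
             "allows": [{"subnet": "10.1.2.0/24", "bandwidth": "150", "network": "external"}]}

if __name__ == "__main__":
    for proxy in (PROXY_OK, PROXY_BAD):
        print(proxy["name"], check_link(SITE, SITE_PEER, proxy) or "consistent")
```

Run against the two constructed proxies, the first reports no findings and the second reports the missing unit and the external allow side; the bandwidth cap is the same number on both ends only because the sample link is symmetrical, as the note on asymmetrical connections above explains.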
If multiple peer and allow rules use the same bandwidth rule, they will also share the same cap.

Step 7: Change any other configurations as presented in the Communications Configuration Table only as advised by your Network Administrator.

Step 8: Type :wq and press Enter to save and exit comms.config.

Communications Configuration Table

Setting                     | Default | Description
(name illegible in source)  | 2412    | Sets the port for the communications server to listen for connections from other communications servers (peers).
(name illegible in source)  | 2411    | Sets the port for the communications server to listen for connections from other clients.
is_xks_site                 | true    | Instructs the communications server to behave like an XKS site and to pull some configurations from xks.config.

Proxy/Viewer Instance Names

Similar to DNS in an IP network, proxies and viewers need to specify a "name" that they will be known as to the rest of the world. This can be any name, but it is best to come up with a name that "makes sense" (e.g., xks-central or nsa-central). Proxies/viewers can have more than one name, but it is best to pick just one or two to avoid confusion later.

(name illegible in source): Sets a human-readable name for a proxy/viewer. If this rule is left empty, it will default to the SIGAD for an XKS site and to the hostname for all other installations. At load time, these names will be replaced automatically with the correct instance name.

Important: Instance names are shared with all peers that are directly connected to this server. Therefore, DO NOT directly connect peers to which the CLASSIFICATION and INSTANCE NAMES of THIS server are not releasable.

Proxy/Viewer Classification

There are two types of proxies:

- "transparent" proxies, which are basically just a hop towards a site and don't do filtering;
- country-level proxies, which do filtering and sanitization.

Every proxy and server has a classification. A Comms server's "clearances" reflect the country that owns the server and the classification of messages that are allowed to pass through the node.
When is_xks_site is true and all classification and marking fields (below) are empty, their values will be taken from xks.config. If is_xks_site is false, there is no default and these values must be supplied in the comms.config file.

clearances: Sets the clearances tag list of the current server. Note that the CTRL tag indicates the country that owns the server. The CTRL tag is what gets checked against the REL tags on a piece of data. Note: There can be many owners for a piece of data, but only one CTRL tag for a piece of hardware.

internal_clearances (default: clearance tag value): Sets the clearance tag of the "internal" network on proxies. It is not necessary to set internal values on non-proxy servers.

external_clearances (default: clearance tag value): Sets the clearance tag of the "external" network on proxies. It is not necessary to set external values on non-proxy servers.

default_marking: Sets the default classification of data produced by the server. The value is formatted as an XKS classification tag. For example: TS, SI

routing_classification (default: default_marking): Sets the classification of routing messages produced by this server.

MAILORDER

MAILORDER is also configured as a peer but with no address specification and a direction= of in or out. Additional options and their defaults:

(directory option, name illegible in source): Depending on the direction of the flow of data, this is the location where files are read from or written to. If not specified for input, this uses the comms_mailorder_input_directory entry in the xks.config file; if not there, it defaults to [illegible in source]. If not specified for output, this uses the mailorder_output_directory entry in xks.config; if not there, it defaults to /export/data/keyscore/output/mailorder_working.

(destination option, name illegible in source): Specifies the destination of Comms messages that this flow receives. This is required for output.
(name illegible in source): Specifies the maximum amount of time (in seconds) the output file is kept open. This is required for output.

(name illegible in source): Specifies the maximum size of the output file. The file will be closed once the file size is met or exceeded. This is required for output.

(name illegible in source): Specifies the collection source of Comms messages. If not specified, this uses the corresponding entry in xks.config. If not found there, it defaults to [illegible in source]. This is required for output.

comms_dest_trigraph= (default: empty): Specifies the destination the Comms message will be routed to. If not specified, this uses the comms_dest_trigraph entry in xks.config. If not found there, it defaults to XXJ. This is required for output.

mailorder_priority= (default: empty): Sets the priority of all Comms messages being transported using MAILORDER. The highest priority is 1 on a scale of 1 to 5. If not specified, this uses the mailorder_priority entry in xks.config. If not found there, it defaults to 2. This is required for output.

source_digraph= (default: empty): Sets the source location of the Comms messages. If not specified, this uses the source_digraph entry in xks.config. If not found there, it defaults to XX. This is required for output.

Routing Mode

routing_mode=proxy: This is used for "security" proxies. No routing is possible through this node. Communications through this node are in both directions.

routing_mode=endpoint: This is the default for XKS site installations. Routing is possible among the node's internal interfaces and between the node's internal and external interfaces. It is NOT possible among the node's external connections.

routing_mode=midpoint: Routing is possible among any/all peers connected to this node.

Communications Proxy

Connections to the communications server that do not use the communications protocol can be proxied to a different IP:Port instead of being closed.
This is useful if you want to use the communications server on a port usually used by another service, such as HTTP, and want to forward normal connections to the new port used by that service. Note that this only works for protocols in which the client sends the first message. This works for HTTP, but not for SSH.

unknown_proxy_ip: Defines the proxy IP address.

unknown_proxy_port (default: 444): Defines the proxy port.

Key Terms

Cluster: A single Master and its Slaves. A system may have front-end and/or back-end clusters. Front-end clusters perform raw packet collection and back-end clusters perform protocol processing.

Master: A single machine that runs the XKS software and distributes the configuration to all Slaves in its cluster. At a site with multiple systems and an Overlord, the Master receives its configuration from its Overlord.

Overlord: A single machine that runs the XKS software and controls the clusters in a complex system. It passes configuration files to the individual Masters.

Site: A single SIGINT Activity Designator (SIGAD). A site may contain one or more systems.

Slave: A single machine running the XKS software that receives its configuration from its cluster Master.

System: One or more clusters and/or one Overlord.
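The routing_mode rules (proxy, endpoint, midpoint) and the CTRL-against-REL clearance check from the Routing Mode and Proxy/Viewer Classification sections above decide together whether a node may forward a message from one peer to another. The following is an added Python model of that decision, written for this guide; it is not code from the original page or from the Comms system. The dictionary layout, the interface names, the plain country-string tags and the sample messages are assumptions, since the page does not show the tag format.

```python
"""Forwarding decision model for routing_mode and the CTRL/REL clearance check.

Added illustrative example: a plain Python reading of the Routing Mode and
Proxy/Viewer Classification sections of the guide, not xks_comms_server code.
Interface names, country tags and messages below are constructed sample data.
"""

ROUTING_MODES = ("proxy", "endpoint", "midpoint")


def routing_permitted(mode, src_network, dst_network):
    """May traffic arriving on a src_network interface leave via a dst_network one?

    proxy:    no routing through the node at all
    endpoint: internal<->internal and internal<->external, never external<->external
    midpoint: between any/all connected peers
    """
    if mode not in ROUTING_MODES:
        raise ValueError(f"unknown routing_mode {mode!r}")
    if mode == "proxy":
        return False
    if mode == "midpoint":
        return True
    return "internal" in (src_network, dst_network)


def releasable(ctrl, rel_tags):
    """A node's single CTRL tag (owning country) must appear in the data's REL list.
    Assumption: tags are plain country strings, compared case-insensitively."""
    return ctrl.upper() in {tag.upper() for tag in rel_tags}


def forward_decision(node, inbound, outbound, message):
    """Return (allowed, reason) for forwarding `message` from interface `inbound` to `outbound`."""
    src = node["interfaces"][inbound]
    dst = node["interfaces"][outbound]
    if not routing_permitted(node["routing_mode"], src, dst):
        return False, f"routing_mode={node['routing_mode']} forbids {src}->{dst}"
    if not releasable(node["ctrl"], message["rel"]):
        return False, f"REL {sorted(message['rel'])} does not include CTRL {node['ctrl']}"
    return True, "forward"


# Constructed sample: a proxy owned by USA with two internal site links and two external peers.
SAMPLE_NODE = {
    "ctrl": "USA",
    "routing_mode": "endpoint",
    "interfaces": {"site-a": "internal", "site-b": "internal",
                   "central": "external", "other-proxy": "external"},
}
OK_MSG = {"rel": ["USA", "GBR"]}     # owner's country is on the REL list
NOREL_MSG = {"rel": ["GBR"]}         # not releasable to this node's owner

if __name__ == "__main__":
    for src, dst, msg in (("site-a", "central", OK_MSG),
                          ("central", "other-proxy", OK_MSG),
                          ("site-a", "central", NOREL_MSG)):
        print(f"{src} -> {dst}: {forward_decision(SAMPLE_NODE, src, dst, msg)}")
```

The endpoint default blocks the external-to-external hop that would let a site relay traffic between two upstream peers, and the clearance test is applied after the routing test so that a message never leaves the node towards a peer when the owner's CTRL tag is absent from its REL list, which is the check the classification section describes.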