Policy Manager offre une mani\u00e8re modulable de g\u00e9rer la s\u00e9curit\u00e9 de plusieurs applications sur diff\u00e9rents syst\u00e8mes d’exploitation, \u00e0 partir d’un emplacement central. Policy Manager offre les fonctionnalit\u00e9s de d\u00e9finition\/distribution des strat\u00e9gies de s\u00e9curit\u00e9, d’installation des applications et de surveillance des activit\u00e9s de tous les syst\u00e8mes dans l’entreprise afin d’assurer la conformit\u00e9 avec les strat\u00e9gies de l’entreprise et le contr\u00f4le centralis\u00e9.<\/p>\n
<\/p>\n
Proc\u00e9dure pour installer Policy Manager Server et Policy Manager Console sur le m\u00eame serveur en Debian 11 avec interface graphique. Le serveur fraichement install\u00e9 doit acc\u00e9der \u00e0 internet.<\/p>\n
Activer l’architecture i386 car f-secure a besoin libstdc++6:i386<\/p>\n
dpkg --add-architecture i386 && apt-get update && apt install libstdc++6:i386\n<\/code><\/pre>\n\n Pour supprimer l’architecture : dpkg –remove-architecture i386\n<\/p><\/blockquote>\n
R\u00e9cup\u00e9rer les sources debian chez f-secure.com<\/p>\n
# F-Secure Policy Manager Server\nwget https:\/\/download.f-secure.com\/corpro\/pm_linux\/pm_linux15.30\/fspms_15.30.96312_amd64.deb\n# F-Secure Policy Manager Console\nwget https:\/\/download.f-secure.com\/corpro\/pm_linux\/pm_linux15.30\/fspmc_15.30.96312_amd64.deb\n# F-Secure Policy Manager Proxy\nwget https:\/\/download.f-secure.com\/corpro\/pm_linux\/pm_linux15.30\/fspmP_15.30.96312_amd64.deb\n<\/code><\/pre>\nInstaller le serveur et la console f-secure-policy-manager<\/h2>\n
Il est possible d’installer la console s\u00e9parement, par exemple en t\u00e9l\u00e9chargeant le msi pour windows et en ne s\u00e9lectionnant<\/p>\n
Policy Manager Console<\/strong><\/h3>\n# dpkg -i fspmc_15.30.96312_amd64.deb\nSelecting previously unselected package f-secure-policy-manager-console.\n(Reading database ... 160644 files and directories currently installed.)\nPreparing to unpack fspmc_15.30.96312_amd64.deb ...\nUnpacking f-secure-policy-manager-console (15.30.96312) ...\nSetting up f-secure-policy-manager-console (15.30.96312) ...\n\/bin\/grep: \/usr\/bin\/sg: binary file matches\n********************************************************************************\n* F-Secure Policy Manager Console 15.30.96312 has been successfully installed.\n*\n* A new user group 'fspmc' was created. You should add users, who will use\n* the console, to this group.\n*\n* There is README file in \/opt\/f-secure\/fspmc\/ directory. The README contains\n* late-breaking news, usage tips and additional information. Please read the\n* Licence Agreement included in the README file. You must accept the agreement\n* to use F-Secure Policy Manager Console.\n*\n* Then, run \/opt\/f-secure\/fspmc\/fspmc to launch the program.\n********************************************************************************\n<\/code><\/pre>\nPolicy Manager Server<\/strong><\/h3>\n# dpkg -i fspms_15.30.96312_amd64.deb\n\nSelecting previously unselected package f-secure-policy-manager-server.\n(Reading database ... 159978 files and directories currently installed.)\nPreparing to unpack fspms_15.30.96312_amd64.deb ...\nUnpacking f-secure-policy-manager-server (15.30.96312) ...\nSetting up f-secure-policy-manager-server (15.30.96312) ...\n********************************************************************************\n* F-Secure Policy Manager Server 15.30.96312 has been successfully installed.\n*\n* Run \/opt\/f-secure\/fspms\/bin\/fspms-config to finish installation and\n* to start the server.\n********************************************************************************\n<\/code><\/pre>\nExecuter fspms-config<\/strong> pour initialiser les param\u00e8tres de votre serveur<\/p>\n\/opt\/f-secure\/fspms\/bin\/fspms-config\n<\/code><\/pre>\nF-Secure Policy Manager Server configuration utility.\nCopyright (c) 1997-2021 F-Secure Corporation. All Rights Reserved.\nYou will be asked a few questions regarding the product installation.\nThe default value will be shown in square brackets after the questions.\nTo accept the default value, just press Enter.\n[ ok ] Stopping fspms (via systemctl): fspms.service.\n\nConfigure the ports for the Policy Manager Server.\nHost interface HTTP port [80]: enter\nHost interface HTTPS port [443]: enter\nAdministrator interface port [8080]: enter\nRestrict access to administrator interface to local machine only [yes]: no\nEnable Web Reporting [yes]: enter\nWeb Reporting port [8081]: enter\nCreating administrator account.\nEnter password: *******\nConfirm password: *******\n[ ok ] Starting fspms (via systemctl): fspms.service.\n\nConfiguration is complete. You can manage the F-Secure Policy Manager Server\nmanually by typing '\/etc\/init.d\/fspms {start|stop|restart|status}'.\nThank you for using F-Secure product\n<\/code><\/pre>\nV\u00e9rifier l’\u00e9tat du service F-Secure Policy Manager Server<\/p>\n
# systemctl status fspms.service\n\u25cf fspms.service - LSB: F-Secure Policy Manager Server\n Loaded: loaded (\/etc\/init.d\/fspms; generated)\n Active: active (running) since Thu 2022-05-26 09:23:37 CEST; 1h 21min ago\n Docs: man:systemd-sysv-generator(8)\n Process: 469 ExecStart=\/etc\/init.d\/fspms start (code=exited, status=0\/SUCCESS)\n Tasks: 58 (limit: 2317)\n Memory: 11.3M\n CPU: 733ms\n CGroup: \/system.slice\/fspms.service\n \u251c\u2500768 \/usr\/bin\/perl \/opt\/f-secure\/fsaus\/bin\/fsaus -c \/etc\/opt\/f-secure\/fsaus\/conf\/server.cfg\n \u251c\u2500769 sh -c \/opt\/f-secure\/fsaus\/bin\/bwserver -c \/etc\/opt\/f-secure\/fsaus\/conf\/server.cfg >\/dev\/null 2>&1\n \u2514\u2500774 \/opt\/f-secure\/fsaus\/bin\/bwserver -c \/etc\/opt\/f-secure\/fsaus\/conf\/server.cfg\n<\/code><\/pre>\nPolicy Manager Proxy<\/strong><\/h2>\nLe proxy doit etre install\u00e9 sur une machine s\u00e9par\u00e9e typiquement en DMZ. Il faut au pr\u00e9alable r\u00e9cup\u00e9rer la cl\u00e9 publique du fspms pr\u00e9c\u00e9dement install\u00e9<\/p>\n
# wget https:\/\/fspms.interne.mondomaine.fr\/fsms\/fsmsh.dll?FSMSCommand=GetPublicKey -O admin.pub\n<\/code><\/pre>\nInstaller le paquet du proxy<\/p>\n
# dpkg -i fspmp_15.30.96312_amd64.deb\n(Reading database ... 30274 files and directories currently installed.)\nPreparing to unpack fspmp_15.30.96312_amd64.deb ...\nUnpacking f-secure-policy-manager-proxy (15.30.96312) ...\nSetting up f-secure-policy-manager-proxy (15.30.96312) ...\n********************************************************************************\n* F-Secure Policy Manager Proxy 15.30.96312 has been successfully installed.\n*\n* Run \/opt\/f-secure\/fspms\/bin\/fspms-config to finish installation and\n* to start the server.\n********************************************************************************\n<\/code><\/pre>\nExecuter fspms-config<\/strong> pour serveur proxy au serveur manager<\/p>\n\/opt\/f-secure\/fspms\/bin\/fspms-config\n\nF-Secure Policy Manager Proxy configuration utility.\nCopyright (c) 1997-2021 F-Secure Corporation. All Rights Reserved.\n\nYou will be asked a few questions regarding the product installation.\nThe default value will be shown in square brackets after the questions.\nTo accept the default value, just press Enter.\nStopping fspms (via systemctl): fspms.service.\nSpecify the details for communication with F-Secure Policy Manager. Enter the server\u2019s IP address or its DNS name.\nServer address []: fspms.interne.mondomaine.fr\nHTTPS port [443]:\nYou need to install the management public key to ensure secure communication with F-Secure Policy Manager.\nPath to the management public key []: .\/admin.pub\nConfigure the ports for the Policy Manager Proxy.\nHost interface HTTP port [80]:\nHost interface HTTPS port [443]:\nEnter the details for your Policy Manager administrator account to authorize TLS certificate enrollment.\nUser name []: login_du_serveur_fspms\nPassword: mdp_du_serveur_fspms\n\nStarting fspms (via systemctl): fspms.service.\nConfiguration is complete. You can manage the F-Secure Policy Manager Proxy\nmanually by typing '\/etc\/init.d\/fspms {start|stop|restart|status}'.\nThank you for using F-Secure product.\n<\/code><\/pre>\nSi vous rencontrez les erreurs suivantes, vous avez donc d\u00e9ja jou\u00e9 avec les certificats (il faut faire l’int\u00e9gration avec le certificat auto sign\u00e9 de f-secure)<\/p>\n
Error: CA certificate verification failed\n<\/code><\/pre>\nError: error creating bean with name 'com.fsecure.fspms.proxy.TrustAllUpstreamPmClient': Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.fsecure.fspms.proxy.TrustAllUpstreamPmClient]: Constructor threw exception; nested exception is java.lang.RuntimeException: Error during loading admin.pub\n<\/code><\/pre>\nRelancer un enrollment dans le fspms avec le certificat auto sign\u00e9 de f-secure<\/p>\n
\/opt\/f-secure\/fspms\/bin\/fspmp-enroll-tls-certificate\nEnter Policy Manager user to authorize certificate enrollment: admin\nEnter password:\nTLS certificate enrollment completed successfully.\n<\/code><\/pre>\nD\u00e9ploiement d’un certificat sign\u00e9 sectigo au serveur f-secure afin d’etre compatible client macOS<\/h2>\n\n Pr\u00e9requis obligatoire \u00eatre en possession d’un certificat sectigo avec sa cl\u00e9 priv\u00e9e, et avoir d\u00e9ja enrol\u00e9 le serveur f-secure proxy aupr\u00e8s du manager\n<\/p><\/blockquote>\n
Si dessous un exemple de script pour convertir le certificat sectigo au format pkcs12 et l’int\u00e9grer dans la magasin java de f-secure<\/p>\n
#!\/bin\/bash\n\n# Convertir, inclure les certificats, les autorit\u00e9s au format pkcs12\nopenssl pkcs12 -export -name fspms -in \/etc\/letsencrypt\/live\/mondomaine.fr\/fullchain.pem -inkey \/etc\/letsencrypt\/live\/mondomaine.fr\/privkey.pem -out \/tmp\/mondomaine.fr.p12 -password pass:srcpassword\n\n# Importer le pkcs12 dans un keystore java\nkeytool -importkeystore -destkeystore \/tmp\/fspms.jks -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore \/tmp\/mondomaine.fr.p12 -srcstoretype PKCS12 -srcstorepass srcpassword -srcalias fspms\n\n# V\u00e9rifier l'import\nkeytool -list -keystore \/tmp\/fspms.jks -storepass superPASSWORD\n\n# Sauvegarde, remplcement du certificat autosign\u00e9 par le notre\nmv \/var\/opt\/f-secure\/fspms\/data\/fspms.jks \/var\/opt\/f-secure\/fspms\/data\/fspms.jks.old\nmv \/tmp\/fspms.jks \/var\/opt\/f-secure\/fspms\/data\/fspms.jks\nchmod 660 \/var\/opt\/f-secure\/fspms\/data\/fspms.jks\nchown fspms:fspms \/var\/opt\/f-secure\/fspms\/data\/fspms.jks\nsystemctl restart fspms.service\n<\/code><\/pre>\nD\u00e9ploiement via ilaunchr<\/h2>\n
R\u00e9cup\u00e9rer ilaunchr.exe<\/strong> se trouvant dans \/opt\/f-secure\/fspmc\/bin\/ilaunchr.exe<\/em> du serveur f-secure et le fichier JAR pr\u00e9c\u00e9demment export\u00e9 sur la machine Windows \u00e0 d\u00e9ployer.<\/p>\nDurant l’installation du poste client, vous voyez appara\u00eetre une bo\u00eete de dialogue affichant la progression de l’installation. Si un red\u00e9marrage est n\u00e9cessaire apr\u00e8s l’installation, vous \u00eates invit\u00e9 \u00e0 red\u00e9marrer l’ordinateur comme d\u00e9fini lors de l’exportation du paquet d’installation. Si vous souhaitez que l’installation s’ex\u00e9cute en mode silencieux, entrez la commande au format : ilaunchr.exe .jar \/Q. Dans ce cas \u00e9galement, vous \u00eates invit\u00e9 \u00e0 red\u00e9marrer l’ordinateur apr\u00e8s l’installation. Si une erreur fatale se produit pendant l’installation, un message s’affiche.<\/p>\n
ilaunchr poss\u00e8de les param\u00e8tres de ligne de commande suivants :<\/p>\n
- \/U : Aucun message ne s'affiche, m\u00eame en cas d'erreur fatale\n- \/F : Installation forc\u00e9e, termine l'installation m\u00eame si l'agent de gestion est d\u00e9j\u00e0 install\u00e9.\n- \/user:domain\\username (variation: \/user:username) \u2014 compte utilisateur et le nom de domaine. Nom de domaine optionnel\n- \/password:secret (variation: \/password:\"secret with spaces\") \u2014 mot de passe du compte utilisateur\n<\/code><\/pre>\nExemple de commande pour d\u00e9ployer votre agent<\/p>\n
ilaunchr.exe <jar file> \/user:domain\\user_name \/password:secret_word\n<\/code><\/pre>\nVid\u00e9o de prise en main de la console f-secure avec g\u00e9n\u00e9ration d’un paquet \u00e0 d\u00e9ployer<\/h1>\n