Security

From Tranzman Documentation
Revision as of 08:27, 26 June 2026 by Lakshmi (talk | contribs)
Jump to: navigation, search



Tranzman Security Features

Tranzman is equipped with multiple security features to ensure data integrity and system protection across all migration scenarios.
Security is enforced at the operating system, network, authentication, and application levels.

Operating System Security

  • Tranzman Appliance (OVA/ISO deployment) is built on RHEL 8.6 sources.
  • CLISH access is restricted to:
    • admin / P@ssw0rd (initial network setup)
    • srladmin / SRLP@ssw0rd (support & troubleshooting)
  • SHELL access is exclusive to Stone Ram support.
  • System disk encryption prevents unauthorized access and modification.
  • Enhanced security enforcement blocks root disk access outside normal booting; tampering with the boot process causes startup failure.

Networking Security

  • Single NIC connects to both ORIGIN and DESTINATION servers.
  • Secure communication via SSL on port 55560; legacy (obfuscated FTP) uses ports 55501-55555.
  • Administration:
    • WebUI over HTTPS (443)
    • CLISH via SSH (22)
    • NTP sync (UDP 123, bidirectional)
    • DNS (UDP/TCP 53)
    • NFS/CIFS shares for cross-vendor/recovery (139, 445, 137, 138)

Authentication Security

  • Tranzman Agent (TZMTD): Uses client certificates for authentication, packaged within the agent installer. Operates under the Agent user role.
  • WebUI (HTTPS): Uses Admin user role with username/password authentication, secured by mangled MD5 password hashing.

Web Application Security

  • Broken Authentication: Agent/client authentication integrated into TLS; CA never leaves appliance. Trusted Agents only; GUI restricted to port 443.
  • Sensitive Data Exposure: Metadata (hostnames, policies, backup size, storage configs, encrypted credentials) stored securely. Encryption keys/credentials not accessible via web interface.
  • XML External Entities: Only REST API is used; XML content type rejected.
  • Broken Access Control: Agents validated via certificate CN; each agent accesses only its designated data.
  • Security Misconfiguration: Security measures are built-in, minimizing user misconfiguration risks.
  • Known Vulnerabilities: Periodic vulnerability scans using Qualys.
  • Cross-Site Request Forgery (CSRF): Not required for agent (uses CURL); GUI not publicly accessible and decommissioned after migration.

Authentication Flow

  • Agent / TZMTD – Tranzman Transfer Daemon:
    TZMCURL Agent → TLS connection (client certificate authorization) → CN authentication → access granted.
  • Web Browser User Interface / HTTPS:
    Browser → TLS connection → user/password authentication → Auth tokens issued (30 min) → requests sent with Auth header → access granted.
    Token expired → reissue token provided → new token issued (30 min) → requests sent with Auth header → access granted.

WebUI Certificate

    By default, Tranzman will use a self‑signed certificate for HTTPS traffic. If you need to have a trusted certificate authority, please follow the steps below to create and deploy your own certificate.

    Steps

    1. Select System > Certificates from the navigation menu.
    2. Fill in the Certificate Request information. (All fields are optional.)
    3. Press Generate to create a new Certificate Request.
    4. Copy the Certificate Request and send it to the Certificate Authority for signing.
    5. Copy and paste the signed Certificate into the right text field.
    6. Press Submit and wait for Tranzman to update the certificate and restart web services. 
      * This process can take a few minutes.

    Notes

    • The certificate request and signed certificate must be handled securely.
    • Restarting web services may temporarily interrupt access to the WebUI. 
   Prev icon.jpg Previous

   Next Next icon.jpg
Retrieved from "https://docs.stoneram.com/index.php?title=Security&oldid=3507"