CRD Portal Manual for Third Party Employees (CRD User) Version: 3.4.9 Date: 06.11.2018 State: provided


  • CRD Portal

    Manual for Third Party Employees (CRD User)

    Version: 3.4.9

    Date: 06.11.2018

    State: provided

  • Copyright © 2018 by T-Com,

    All rights reserved, including the rights of reprinting in extracts, photomechanical reproduction (including microcopy) and evaluation by databases or similar facilities.

    Manual_CRDUser.docm Page ii

    Credits

    Publisher

    Production, Computing Services & Solutions (CSS) GCU MPHS, Security Consulting & Engineering Holzhauser-Straße 4-8 13509 Berlin

    Version Date State

    3.4.9 06.11.2018 provided

    Contact persons Telephone E-mail

    Sketch

    This document explains how third party employees can access target systems via a CRD Portal.


    Table of Contents

    1 Introduction and Boundary
    2 Overview
        2.1 Task of CRD
        2.2 Functionality
        2.3 Connection Establishment
        2.4 Software Requirements
        2.5 License
    3 Working with CRD Console
        3.1 Providing the Access Information
        3.2 Installation and Settings before Starting
        3.3 Conversion of Existing Sessions
            3.3.1 Since Console version 3.0
            3.3.2 Since Console version 3.4.6
        3.4 Overview
        3.5 Session Management
        3.6 Import Sessions
            3.6.1 Main Menu
            3.6.2 Import Ticket
            3.6.3 Drag & Drop
        3.7 Protocols per netelement
        3.8 Key Handling
            3.8.1 Generate a RSA Key
            3.8.2 Show/Delete RSA Keys
            3.8.3 Changing Passphrase of RSA Keys
        3.9 Settings
            3.9.1 First application launch
            3.9.2 Language
            3.9.3 Log level
            3.9.4 Proxy
            3.9.5 Change default Path
            3.9.6 Terminal
        3.10 Establishing Connections
            3.10.1 Portal configuration
            3.10.2 Connecting to a netelement
        3.11 Starting CRD Console with Command Line Arguments
    4 Error Handling
    5 Technical Support
    6 Glossary


    Table of Images

    Figure 2-1: Functionality of Connection Establishment
    Figure 3-1: Switch to German
    Figure 3-2: Convert Existing Session Files
    Figure 3-3: "sessions" Folder before Conversion
    Figure 3-4: "sessions" Folder after Conversion
    Figure 3-5 conversion dialog
    Figure 3-6: CRD Console Main Window
    Figure 3-7: Menu “CRD Console”
    Figure 3-8: Import Ticket
    Figure 3-9: Import per drag & drop
    Figure 3-10: Menu “RSA/DSA key”
    Figure 3-11: Key Generation
    Figure 3-12: Public Key
    Figure 3-13: Show and Delete Keys
    Figure 3-14: Settings Menu
    Figure 3-15: Wizard page 1 language selection
    Figure 3-16 Wizard page 2 selecting RSA-key option
    Figure 3-17 Wizard page 3 selecting the private RSA-key
    Figure 3-18 Wizard page 3 generating a RSA-keypair
    Figure 3-19: Proxy Settings
    Figure 3-20: Change default Path
    Figure 3-21: Dialog Change color
    Figure 3-22: Dialog Color selection
    Figure 3-23: Dialog Lines of scroll back
    Figure 3-24: Tab "CRD gateway"
    Figure 3-25: Tab "Net element"
    Figure 3-26: Remote Host Authentication
    Figure 3-27: Passphrase Dialog for SSH/Telnet
    Figure 3-28: SSH Terminal Emulator
    Figure 3-29: Select and Copy & Paste
    Figure 3-31: Contextmenu VNC-Viewer
    Figure 3-31: Tab “VNC settings” for RDP
    Figure 3-32: Passphrase Dialog for RDP/NX
    Figure 3-33: RDP Session
    Figure 3-34: Tab “VNC settings” for NX
    Figure 3-35: NX authentication
    Figure 3-36: NX Session with desktop
    Figure 3-37: Active NX Sessions
    Figure 3-38: X2GO login screen
    Figure 3-39: SCP Protocol Selection
    Figure 3-40: SCP for Uploading
    Figure 3-41: SCP Connections Window
    Figure 3-42: SCP for Downloading


    1 Introduction and Boundary

    This document explains how third party employees (CRD users) can connect to internal target systems of Deutsche Telekom AG via a CRD Portal for the purpose of diagnosis and maintenance.

    Chapters:

    Chapter 2: Overview of functionality of CRD

    Chapter 3: Working with the CRD Console, establishment of CRD connections

    Chapter 4: Overview of error handling

    Chapter 5: Information about technical support contact


    2 Overview

    2.1 Task of CRD

    Due to different requirements, Deutsche Telekom AG as a service provider is in charge of the operation of its networks and IT systems. However, if administrative work cannot be accomplished by its own employees, third party companies are hired for diagnosis and maintenance. In such cases all connections to internal systems have to be recorded and supervised.

    To meet the requirements of risk management efficiently, the operator of IT systems has to install appropriate monitoring systems to be able to supervise, record and analyze connections of external administrators or third party companies.

    The CRD Portal is such a monitoring system. It allows for granting, recording and supervising access to internal target systems of Deutsche Telekom AG for the purpose of diagnosis and maintenance.

    2.2 Functionality

    To grant access rights to target systems for third party employees (CRD users) via a CRD Portal, the operator has to issue a so-called CRD session ticket. This ticket explicitly determines which employees may connect to which target systems, at what time, using which protocols. In this manner a CRD Portal works like a firewall. After this information has been provided, third party employees are able to access the specified target systems under the specified limitations.

    When a connection is established, the connection parameters are checked by the CRD Portal. If they are valid and comply with a CRD session ticket, the CRD session is activated. A CRD session is a time slot in which CRD users are able to connect to target systems as specified in the CRD session ticket.

    Within the limitations of the associated CRD session ticket, the CRD user may establish connections within a CRD session arbitrarily. However, the number of concurrent connections is limited by the CRD session ticket. A CRD session is terminated if it reaches the end of the time slot (as specified in the ticket) or if an operator explicitly terminates it. This causes all open connections to terminate.

    CRD Portal operators are always able to monitor or terminate single connections or terminate an entire session.


    2.3 Connection Establishment

    Figure 2-1 gives a high-level overview of the connection establishment from a CRD user terminal over a CRD Portal to target systems.

    Figure 2-1: Functionality of Connection Establishment

    A CRD user starts an SSH connection from his terminal (extTerminal) to the CRD Portal. The SSH server is a modified OpenSSH server which is able to parse CRD-specific parameters (such as desired protocol, ticket ID, target system). CRD users are therefore able to request connections. Currently, the following protocols are supported: SSH (for remote controlling UNIX systems via command line), SCP (for downloading or uploading files to UNIX systems), telnet (for remote controlling routers and switches), RDP (for remote controlling Windows systems via GUI) and NX or X2Go (for remote controlling UNIX systems via GUI).

    The OpenSSH server, in collaboration with the CRD SessionManagement component, analyzes the provided parameters and checks whether they comply with active CRD session tickets. If the check fails, the SSH connection is refused and a corresponding error code is returned. Otherwise, if the check result is positive, additional server processes are started so that client programs (e.g. VNC viewer) can connect to the CRD Portal through the established SSH tunnel. The CRD Portal then connects to the requested target system.


    The client program CRD Console allows for convenient input of all parameters and automatically starts the corresponding client programs (depending on the protocol). As a Java program it can be run on many operating systems.

    Hint 1: A connection can only be established as long as there are at least 10 minutes left to the defined session end.

    2.4 Software Requirements

    When using the CRD Console, only the following software package is required:

    • Java Runtime Environment version 1.7.

    The CRD Console program is provided as a Java archive and can therefore be run on different operating platforms (tested on Windows XP, Windows 7 and CentOS).

    2.5 License

    The program contains the following open source components:

    • Jsch (JCraft, T-Systems): OpenSSH java implementation

    • Log4j (Apache): logging library by Apache

    • SecureVncViewer (Tightvnc, T-Systems): VNC viewer with SSH support

    • GSI-SSHTerm (SSHTools): SSH-Terminal-Emulator

    • Xerces (Apache): Java-XML-Handling

    CRD Console is published under GNU General Public License (v2).


    3 Working with CRD Console

    3.1 Providing the Access Information

    To enable third party employees to establish connections to target systems, the CRD Portal operator has to issue a CRD session ticket and provide the required information to the CRD user.

    The following information has to be provided to the CRD user:

    • Begin and end of the CRD session.

    • Maximum number of concurrent connections.

    • Name of the CRD users who are authorized to activate the CRD session. That name corresponds with a public key on the CRD Portal.

    • Ticket ID: 16-digit number (hexadecimal).

    • Allowed protocols: RDP, Telnet, SSH, SCP, X2Go or NX.

    • Allowed target systems: IP addresses or names of the allowed target systems.

    • Login credentials: credentials to log in with on specific target systems if no automatic login is configured.

    • CRD Portal address: public IP address or name of the CRD Portals.

    • Company name: this name is used for connecting to the CRD Portal with SSH.

    • SSH port of the CRD Portals: default is 3022.

    Using these parameters, CRD users are able to establish SSH connections to the CRD Portal. The authentication method is always the CRD user’s private key.

    Hint 2: To allow communication with the CRD Portal over SSH, the CRD user’s public key has to be transmitted to the CRD Portal operator in order to enable SSH authentication.
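    The checks that sections 2.2 and 3.1 attribute to a session ticket, together with Hint 1, can be written down as a small model. This is an added example, not code from the CRD Portal or CRD Console; the class names, field names, reason strings and the sample ticket are hypothetical and constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

TICKET_ID_RE = re.compile(r"[0-9A-Fa-f]{16}")   # "16-digit number (hexadecimal)"
MIN_REMAINING = timedelta(minutes=10)           # Hint 1


@dataclass(frozen=True)
class Ticket:                # hypothetical model of a CRD session ticket
    ticket_id: str
    begin: datetime
    end: datetime
    users: frozenset         # CRD users allowed to activate the session
    targets: frozenset       # allowed IP addresses or host names
    protocols: frozenset     # upper-case protocol names
    max_connections: int


@dataclass(frozen=True)
class Request:               # hypothetical model of a connection request
    ticket_id: str
    user: str
    target: str
    protocol: str


def normalize_target(value):
    """Canonical form so equivalent spellings of a target compare equal."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.rstrip(".").lower()   # host name, not an IP address


def check_request(ticket, request, now, open_connections):
    """Return (allowed, reason); every rule must pass (default deny)."""
    if not TICKET_ID_RE.fullmatch(request.ticket_id):
        return False, "malformed ticket ID"
    if request.ticket_id.lower() != ticket.ticket_id.lower():
        return False, "unknown ticket ID"
    if request.user not in ticket.users:
        return False, "user not authorized for this ticket"
    if now < ticket.begin:
        return False, "session has not started"
    if now >= ticket.end:
        return False, "session has ended"
    if ticket.end - now < MIN_REMAINING:
        return False, "less than 10 minutes left in session"
    if request.protocol.upper() not in ticket.protocols:
        return False, "protocol not allowed"
    allowed_targets = {normalize_target(t) for t in ticket.targets}
    if normalize_target(request.target) not in allowed_targets:
        return False, "target system not allowed"
    if open_connections >= ticket.max_connections:
        return False, "concurrent connection limit reached"
    return True, "ok"


# Constructed sample ticket (documentation address range, invented ID).
SAMPLE_TICKET = Ticket(
    ticket_id="00A1B2C3D4E5F607",
    begin=datetime(2018, 11, 6, 8, 0),
    end=datetime(2018, 11, 6, 12, 0),
    users=frozenset({"erwin"}),
    targets=frozenset({"192.0.2.10", "ne1.example.net"}),
    protocols=frozenset({"SSH", "SCP"}),
    max_connections=2,
)

if __name__ == "__main__":
    req = Request("00a1b2c3d4e5f607", "erwin", "192.0.2.10", "ssh")
    for hour, minute in ((9, 0), (11, 50), (11, 51), (12, 0)):
        when = datetime(2018, 11, 6, hour, minute)
        print(when.time(), check_request(SAMPLE_TICKET, req, when, 0))
```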

    3.2 Installation and Settings before Starting

    The following program file is needed to run CRD Console:

    • CRDConsole-.jar

    CRD Console needs a working directory for saving session configurations and settings. This directory is created automatically in the home directory of the current user and has the name “.CRDconsole”. For example, for a Windows user “erwin” it would look like this:

    C:\Documents and Settings\erwin\.CRDconsole

    For a Windows 7 user “erwin”, for instance:

    C:\Users\erwin\.CRDconsole

    For a Linux user “erwin”, for instance:

    ~erwin/.CRDconsole

    This working directory also contains the log file and the known_hosts file.

    The file CRDConsole-.jar is a standalone program and can be moved to any directory on the computer. Double clicking starts CRD Console if the extension jar is associated with Java. Alternatively, the command “java -jar CRDConsole-.jar” can be used.

    By default CRD Console starts in English. The menu “Settings” → “Language” provides a language switch.

    Figure 3-1: Switch to German

    To be able to open this manual from the help menu in the CRD Console, copy this manual as a PDF named “Console.pdf” into the working directory.


    3.3 Conversion of Existing Sessions

    3.3.1 Since Console version 3.0

    This chapter describes the conversion of session files from a CRD Console older than version 3.0. If this is your first use of CRD Console, if a conversion has already been performed or if there are no session files to convert, this chapter can be skipped.

    On starting CRD Console version 3.0 or higher, session files from older versions (cfg format) can automatically be converted to a new format (xml). The following dialog appears:

    Figure 3-2: Convert Existing Session Files

    Confirming with “Yes” automatically converts the existing session files and starts CRD Console. As usual, all sessions appear in the session list. Conversion makes no changes to the session content and is strongly recommended, because otherwise the saved sessions cannot be used anymore. For backup purposes the old session files are not deleted but moved to a folder “old”. The following two figures illustrate the conversion of session files, which are contained in the “sessions” folder:

    Figure 3-3: "sessions" Folder before Conversion

    Figure 3-4: "sessions" Folder after Conversion

    Declining with “No” skips the conversion, and hence no sessions appear in the session list. The conversion dialog appears again the next time CRD Console is started.

    3.3.2 Since Console version 3.4.6

    This chapter describes the conversion of session files from a CRD Console older than version 3.4.6. If this is your first use of CRD Console, if a conversion has already been performed or if there are no session files to convert, this chapter can be skipped.

    On loading a session file that has been saved with an older Console (before 3.4.6 but not before 3.0) the following dialog appears:

    Figure 3-5 conversion dialog

    If you confirm this dialog by clicking “yes”, the session file is converted and loaded into the console. The conversion has no effect on the session information and should be performed in order to keep working with the saved session file. For safety reasons a backup of the older session file is created in the folder “sessions_backup”.

    If you reject the conversion by clicking “no”, the session file is not converted and not loaded into the console.

    3.4 Overview

    The following figure explains the CRD Console user interface after starting:

    Figure 3-6: CRD Console Main Window

    Elements labelled in the figure:

    • Import session files, Exit program

    • Connection parameters to the CRD portal

    • Clear text fields of the current tab

    • Language, Loglevel, Clear all text fields, Default path, Proxy settings, Terminal settings

    • Save current connection parameters under a specified name

    • Load connection parameters from a previously saved and now selected session

    • Delete the selected session

    • Release and license information, Manual

    • Name of the current session

    • List of saved sessions

    • File browser for key selection

    • Key management, SCP downloads/uploads list, Active connections list

    • Establish connection

    • Connection parameters to the target system

    • Indicator for accessibility of the gateway

    • Import ticket data from clipboard


    3.5 Session Management

    For your convenience, frequently used connection parameters can be saved (as you might know from PuTTY). Set a name in the text field “Name of session” and click “Save”. The name then appears in the list of saved sessions. Double clicking or “Load” loads the saved parameters again and fills the text fields accordingly.

    Saving connection parameters can be used for creating templates. For example, a template may contain connection parameters to a CRD Portal, leaving the target system text fields clear. This template can then be used for different target systems, with the tab “CRD gateway” already filled out.

    Saving can also be applied to complete connection settings so that on loading this session the connection can be opened immediately.

    The “Delete” button deletes the selected session from the list (and deletes the file as well).

    To change a session file, first load your session (click the “Load” button or double click the session in the session list), then apply changes and save again. Saving under the same name overwrites the existing session file. Saving under a new name creates a new session file.

    Saved session files are stored in the default path (see 3.9.5). If this is your first start of CRD Console, the “sessions” folder in the working directory is set as default path. Session files are named according to the session name, with the file extension ‘xml’.

    Please note chapter 3.3 Conversion of Existing Sessions.


    3.6 Import Sessions

    3.6.1 Main Menu

    Since version 3.1, CRD Console allows for importing session files. This option is included in the main menu “CRD Console”.

    Figure 3-7: Menu “CRD Console”

    The menu item “Load connection data from file” opens a file browser to choose an xml file. If this file is a valid CRD Console session file, all text fields are filled accordingly. The temporary session name is the file path. This way a CRD Portal operator can send xml files that already contain all required information and can simply be loaded into the CRD Console.

    This function can also be used for sharing session files among CRD users.

    After a session file has been imported, the session is not yet saved to the user's own list of sessions. By typing a valid name in place of the file path, the imported session can be saved and added to the list of sessions.

    Please note chapter 3.3 Conversion of Existing Sessions.


    3.6.2 Import Ticket

    The button “Import Ticket” imports session data from the clipboard. This data may be the path to a session file or an encoded text which represents the ticket data in an encrypted format. Usually you will find this text within the email notification for new tickets. If the clipboard is empty, a file dialog is opened for selecting a session file as described in chapter 3.6.1 Main Menu. The list of existing session files has a context menu called "Paste". This menu has the same function as the "Import Ticket" button.

    If the contents of the clipboard cannot be read, a corresponding error message is displayed.

    Figure 3-8: Import Ticket

    3.6.3 Drag & Drop

    You may also import a session file by dragging it with your mouse from a file browser or an email client (e.g. Outlook) into the session list of the CRD Console. On releasing the mouse button the session file is imported as described in chapter 3.6.1 Main Menu.

    Figure 3-9: Import per drag & drop

    3.7 Protocols per netelement

    To increase usability, since version 2.4.16 of the CRD portal session files additionally contain information about allowed protocols on netelements. Those session files can only be loaded since version 3.4.6 of the CRD console. The protocol selection list is restricted for each netelement according to the protocol definition in the session file.

    If you manually change the IP address of the portal, the IP address of a netelement or the ticket number, the protocol selection list is reset so that all available protocols are selectable. The CRD portal rejects connection requests for protocols that are not allowed for the particular netelement.

    3.8 Key Handling

    3.8.1 Generate a RSA Key

    For communicating with a CRD Portal, a key pair has to be generated. Authentication on the CRD Portal is always based on a challenge-response procedure with asymmetric keys. The public key has to be transmitted to the CRD Portal operator, while the private key always stays with the CRD user.

    The CRD Console menu item “Extras” → “RSA key” → “Generate RSA key” allows for the generation of key pairs.

    Figure 3-10: Menu “RSA/DSA key”

    The following dialog appears:

    Figure 3-11: Key Generation

    Choose a valid file path (including file name) for the private key and enter this path in the form field “Key name”. The button “…” opens a file browser.

    Hint 3: Always keep the private key protected and prevent others from reading it. Choose a private directory and never a publicly available area!

    The comment should be an unambiguous description of the key that contains the owner and function of the key. This eases assignment.

    Always protect the key with a passphrase! CRD Console displays a warning in case of insecure passphrases. The passphrase should be no shorter than 8 characters and contain characters from at least two of the following groups:

    • capital letters

    • small letters

    • numbers

    • special characters

    After the successful generation the following dialog appears:

    Figure 3-12: Public Key

    Besides the private key file, a file with the public key (extension “.pub”) has been created. The content of this file is the same as in the text area. This public key and the displayed fingerprint should be transmitted to the CRD Portal operator. To ensure that the correct public key gets imported (protection of integrity), it is necessary to use a secure channel (e.g. encrypted email) for transmission. The fingerprint helps to detect whether or not the public key was manipulated.

    To increase security and prevent others from manipulating both public key and fingerprint, the fingerprint must be transmitted using a separate way of communication (e.g. fax, letter, telephone).
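    How the receiving side can use the separately transmitted fingerprint to check a public key before importing it is shown below. This is an added example, not code from the CRD Console or the CRD Portal. It assumes the “.pub” file is in the OpenSSH one-line format and that the fingerprint is an OpenSSH-style MD5 (colon-separated hex) or SHA256 (base64) value; the manual does not state which format the CRD Console displays. The sample key is constructed and is not a usable RSA key.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Length-prefixed byte string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line):
    """Split '<type> <base64> [comment]' and sanity-check the key blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # ValueError on bad base64
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The key type is repeated inside the blob; both copies must agree.
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type in text does not match key type in blob")
    return key_type, blob, comment


def fingerprints(blob):
    """OpenSSH-style fingerprints, computed over the decoded key blob."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2))
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {"md5": md5, "sha256": "SHA256:" + sha256.rstrip("=")}


def verify_received_key(pub_line, reported_fingerprint):
    """True only if the key that arrived matches the fingerprint that was
    reported over the separate channel (fax, letter, telephone)."""
    _, blob, _ = parse_public_key_line(pub_line)
    computed = fingerprints(blob)
    reported = reported_fingerprint.strip()
    if reported.upper().startswith("SHA256:"):
        return "SHA256:" + reported[7:].rstrip("=") == computed["sha256"]
    if reported.upper().startswith("MD5:"):
        reported = reported[4:]
    return reported.lower() == computed["md5"]


# Constructed sample: structurally valid ssh-rsa blob, dummy modulus.
SAMPLE_BLOB = (
    ssh_string(b"ssh-rsa")
    + ssh_string(b"\x01\x00\x01")                      # exponent 65537
    + ssh_string(b"\x00" + bytes(range(1, 256)) + b"\xff")
)
SAMPLE_LINE = ("ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " erwin CRD access (constructed sample)")

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_BLOB)
    print(fp["md5"])
    print(fp["sha256"])
    print(verify_received_key(SAMPLE_LINE, fp["sha256"]))
```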

    3.8.2 Show/Delete RSA Keys

    The menu item “Extras” → “RSA key” → “Show or delete RSA key” allows for viewing or deleting generated keys. Fingerprint and public key are calculated again.

    Figure 3-13: Show and Delete Keys

    Hint 4: If your private key was compromised (read, copied or manipulated by others), immediately notify the CRD Portal operator! Delete your private key and redo the key generation procedure.

    3.8.3 Changing Passphrase of RSA Keys

    The menu item “Extras” → “RSA key” → “Change RSA passphrase” allows for changing the passphrase of a private key. This has no effect on the key information itself and the public key remains unchanged.

    Hint 5: For security reasons passphrases should be changed frequently.

    3.9 Settings

    The menu “Settings” provides different CRD Console settings.

    Figure 3-14: Settings Menu

    Settings are saved in conf/settings.xml in the CRD Console working directory. The next time CRD Console is started, the saved settings are loaded and applied automatically.


    3.9.1 First application launch

    The first time the application is launched, a wizard will be displayed to assist the user in

    setting the global configurations language and private RSA-key. The first page displays

    the language selection, where the language is preconfigured with the system-locale. The

    language can be switched between German and English. Cancel will quit the wizard and

    start the CRD Console application.

    Figure 3-15: Wizard page 1 language selection

    At the second wizard-page a selection between an available RSA-keypair (yes) or

    generating a new RSA-keypair (no) can be made.

  • CRD Portal - Manual for Third Party Employees (CRD User)

    Manual_CRDUser.docm Page 18

    Figure 3-16 Wizard page 2 selecting RSA-key option

    When an RSA key pair is available, the location of the key file can be selected on wizard page 3 by using the “…” button.


    Figure 3-17 Wizard page 3 selecting the private RSA-key

    When the generation of a new RSA key pair is selected on page 2, the wizard page from Figure 3-18 is displayed to configure the generation settings. Pressing Generate generates the key pair and saves it under the configured key name.


    Figure 3-18 Wizard page 3 generating a RSA-keypair

    When the wizard is closed with Save, the entered configuration data (language and RSA key pair) is applied to the application and the CRD Console is launched.

    3.9.2 Language

    Choose between German and English.

    3.9.3 Log level

    Errors, warnings, info messages and debugging messages are appended to the log file CRDConsole.log in the working directory. To prevent large file sizes, the log file is deleted every time CRD Console starts.

    If CRD Console was started from the command line (“java -jar”), log messages appear on the command line as well.

    The menu item “Log Level” provides levels between ‘ALL’ and ‘FATAL’. These levels determine the rate and level of detail of the log messages (decreasing from ‘ALL’ to ‘FATAL’).

    ‘ALL’ writes all messages. This mode can be helpful when searching for the reason for a certain behavior of the CRD Console. In normal operation, however, this many messages are not of interest and may slow things down a bit.

    Default log level is ‘INFO’.


    3.9.4 Proxy

    CRD Console provides the possibility of establishing connections via a SOCKS proxy. The

    menu item “Proxy…” opens the proxy settings dialog.

    Figure 3-19: Proxy Settings

    Provide host (DNS name or IP address), port (default is 1080) and SOCKS version. When using SOCKS version 5, the proxy server also requires authentication with a username and a password. Confirming with “OK” makes the CRD Console send all future connection requests to the proxy server. Before applying this setting, the CRD Console tries to establish a TCP socket connection to the host and port to check whether they are reachable. This may take a while.

    Clearing the host text field removes all proxy settings.

    3.9.5 Change default Path

    The default paths for accessing templates and key files are set in a special dialog.

    Figure 3-20: Change default Path

    Selecting the button „…“ opens a selection dialog. All settings are saved by pushing the „OK“ button. If the „Cancel“ button or the “X” button on the right edge of the dialog window is pushed, no settings are saved.


    3.9.6 Terminal

    This menu item offers two dialogs for changing terminal settings: "Change color" and "Lines of scroll back".

    3.9.6.1 Change color

    This dialog allows users to set the background color and/or the font color of the terminal. The font color is also called the foreground color.

    Figure 3-21: Dialog Change color

    The default font color is white and the default background color is black. The text fields only display the selected color. The button to the right of the text field opens the dialog "Color selection". Changed colors are used in the terminal immediately.

    Figure 3-22: Dialog Color selection


    The OK button in the "Change Color" dialog saves the changed values to the local configuration file on the user's PC and closes the dialog.

    Cancel closes the dialog without changing or saving values in the local configuration file. If you select identical font and background colors and start a new terminal connection, the default colors (black background, white font) are restored in the terminal.

    3.9.6.2 Lines of scroll back

    With this dialog, the number of lines available in the terminal via scrollback can be changed. The minimum value is 1, the maximum value is 99.999. The minimum number of lines displayed in the terminal depends on the window size. For example, if the terminal window is large enough for ten lines, 10 lines are still displayed in the terminal even with a value of 1.

    A changed number of scrollback lines is used in the terminal instantly.

    Figure 3-23: Dialog Lines of scroll back

    The default number of scrollback lines is 1000. “OK” saves the changed value to the local configuration file and closes the dialog. The Cancel button closes the dialog without saving.


    3.10 Establishing Connections

    3.10.1 Portal configuration

    Make sure all required fields in the tab “CRD gateway” are filled. Choose either IP address

    or DNS name of the CRD Portal. Use the button “…” to browse for the private key file.

    Default port is 3022.

    Under CRD gateway accessibleness, the accessibility of the gateway is represented by traffic light colors:

    • red – gateway is not available

    • yellow – checking connection to gateway

    • green – connection to the gateway has been established

    The following figure shows an example:

    Figure 3-24: Tab "CRD gateway"

    3.10.2 Connecting to a netelement

    Please note chapter 3.7 Protocols per netelement.

    3.10.2.1 Establish a SSH Connection

    The tab “Net element” contains all information on the target system of Deutsche Telekom

    AG. Choose between IP address or logical name (internal identifier) and provide the ticket

    ID that was given to you by a CRD operator. Choose “ssh” as protocol.

    The ticket ID is a 16 character hexadecimal number. Avoid typos (e.g. space at the end).

    The following figure shows an example:


    Figure 3-25: Tab "Net element"

    After all parameters are inserted they can be saved for a quick reuse. Enter a name in the

    text field “Name of session” and click “Save”. This name will now appear in the list of

    saved sessions. Double clicking or selecting and “Load” will load the parameters again.

    To start the connection click “Open Connection”. If this is the first connection to this CRD Portal, the following dialog appears:

    Figure 3-26: Remote Host Authentication

    Ask the CRD operator for the SSH server host key fingerprint. It lets you check that you are talking to the “right” CRD Portal and prevents man-in-the-middle attacks.

    Click “Always” if you trust this fingerprint and want it to be added to the CRD_known_hosts file (in the working directory). This dialog will then not come up again.

    Click “Yes” if you trust the fingerprint temporarily. This opens the connection but does not add the fingerprint to the known hosts list, so this dialog will come up again next time.

    Click “No” if you distrust this fingerprint. This cancels the connection, and the dialog will come up again next time. Choose this option if the fingerprint differs from the one the CRD operator has published. A difference might indicate a man-in-the-middle attack.

    See the glossary for more information on the known_hosts file.
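
    One way to re-check a stored host key against the fingerprint published by the CRD operator, as an added example that is not part of this manual or of the CRD Console. It assumes that CRD_known_hosts uses the OpenSSH known_hosts line format and that the operator publishes an MD5 (colon-hex) or SHA256 (base64) fingerprint; the manual states neither, and the host name and key below are constructed samples.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a well-formed "ssh-rsa" blob with a made-up modulus.
# It is not the host key of any real CRD Portal; the host name is made up too.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00\xc3" + bytes(range(1, 256))))
SAMPLE_LINE = ("[crd-portal.example]:3022 ssh-rsa "
               + base64.b64encode(SAMPLE_BLOB).decode())


def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, key_blob) for one known_hosts entry."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    hosts, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob repeats its key type; a mismatch means a damaged or edited line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match the line")
    return hosts.split(","), key_type, blob


def fingerprints(blob: bytes) -> dict:
    """Both common fingerprint notations of a public key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def matches_published(blob: bytes, published: str) -> bool:
    """Compare the key with the fingerprint obtained from the CRD operator."""
    fp = fingerprints(blob)
    text = "".join(published.split())  # drop blanks/newlines from copy & paste
    if text.upper().startswith("SHA256:"):
        candidate = "SHA256:" + text[7:].rstrip("=")  # base64 is case-sensitive
        expected = fp["sha256"]
    else:
        if text.upper().startswith("MD5:"):
            text = text[4:]
        candidate = text.lower().replace(":", "")
        expected = fp["md5"].replace(":", "")
    return hmac.compare_digest(candidate.encode(), expected.encode())


def check_host(known_hosts_text: str, host: str, port: int, published: str) -> str:
    """Return 'match', 'MISMATCH' or 'unknown' for the given host and port."""
    wanted = {host, f"[{host}]:{port}"}  # bare and [host]:port notation
    for line in known_hosts_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        hosts, _key_type, blob = parse_known_hosts_line(line)
        if wanted & set(hosts):
            return "match" if matches_published(blob, published) else "MISMATCH"
    return "unknown"


if __name__ == "__main__":
    _, _, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(fingerprints(blob))
    print(check_host(SAMPLE_LINE, "crd-portal.example", 3022,
                     fingerprints(blob)["sha256"]))
```

    A “MISMATCH” result is the case for which the manual says to click “No”.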

    The next dialog requests the private key passphrase.


    Figure 3-27: Passphrase Dialog for SSH/Telnet

    If all data you entered are valid and comply with a CRD session ticket, an SSH terminal emulator opens. This terminal (GSI-SSHTerm) already displays the SSH connection to the target system. The emulator software is included in the CRD Console but runs as a separate Java process.

    Sometimes the emulator program might hang. This is a known bug. The window remains black and does not react to clicks or keys. Such windows can be closed via the menu item “Extras” → “Show active connections”, where all active connections are listed and can be killed separately. You can also kill the process manually by its PID.

    There are different types of logins on the target system. The type of login is specified in

    the CRD session ticket by the CRD operator.

    • UserID / password:

    The CRD operator must provide the login credentials to the CRD user who logs in

    himself.

    • Automated login:

    The CRD Portal is in charge of automatically logging the CRD user in. So on

    opening connections the CRD user is already logged in and does not need to know

    any credentials.


    The following figure gives an overview of the terminal emulator:

    Figure 3-28: SSH Terminal Emulator

    Labelled elements in Figure 3-28: protocol used (SSH/Telnet); ticket ID used; target system (of Deutsche Telekom AG) connected to; CRD Portal connected to; own company name; connection state; SSH inputs / outputs.


    The emulator program allows selecting text blocks with the left mouse button and copy & paste via the context menu (right mouse button):

    Figure 3-29: Select and Copy & Paste

    “Clear” clears all outputs. “Refresh” refreshes the display.

    The window can be resized arbitrarily. Contents (e.g. man pages, vi editor …) should

    adapt automatically.

    Hint 6: Keep in mind that all activities are being recorded and CRD operators can

    monitor live connections at any time.

    To terminate the connection, type “exit”. The state will switch to “disconnected” and the

    window can be closed.

    There can be multiple connections (to the same or to different target systems)

    concurrently open. Click “Open Connection” again to start another SSH connection.

    However the maximum number of concurrently open connections is limited by the CRD

    session ticket.

    See the chapter “Error Handling” if errors occur.

    3.10.2.2 Establish a Telnet Connection

    Telnet connections are very similar to SSH connections (see above). Choose “telnet” in

    the tab “Net element”.

    The same terminal emulator as for SSH is used also for Telnet.

    See the chapter “Error handling” if errors occur.


    3.10.2.3 Establishing a graphical connection

    For remote desktop connections with a graphical user interface, the console uses “Virtual Network Computing” (VNC) connections. For this type of connection the TurboVNC implementation is used. TurboVNC can compress 3D and video workloads significantly better than standard VNC implementations. TurboVNC connections can be established to netelements with the protocols RDP, NX and X2Go. The documentation of TurboVNC is not part of this manual. Only CRD-specific differences to the standard implementation are described. Pressing the F8 key displays a context menu in the viewer.

    Figure 3-30: Contextmenu VNC-Viewer


    3.10.2.4 Establish a RDP Connection

    Fill in all data as described for SSH connections. Choose “rdp” as protocol. This will open

    a new tab “VNC settings”.

    Figure 3-31: Tab “VNC settings” for RDP

    In “VNC settings” the preferred window size can be chosen from a set of window sizes.

    This gives the opportunity to adapt the window size to your screen size. Clicking “Clear

    input” for this tab restores the default window size (1280x1024) again. The window size

    can be any listed entry and does not get checked by the CRD Portal.

    On “Open Connection” the next dialog requests the private key passphrase.

    Figure 3-32: Passphrase Dialog for RDP/NX

    Hit Enter to confirm or hit ESC to cancel.

    If all data you entered are valid and comply with a CRD session ticket, a VNC viewer opens. The display already shows your RDP session on the target system. The VNC viewer software is included in the CRD Console but runs as a separate Java process.

    There are different types of logins on the target system. The type of login is specified in

    the CRD session ticket by the CRD operator.

    • UserID / password:

    The CRD operator must provide the login credentials to the CRD user who logs in

    himself.

    • Automated login:


    The CRD Portal is in charge of automatically logging the CRD user in. So on

    opening connections the CRD user is already logged in and does not need to know

    any credentials.

    The following figure gives an overview of the VNC viewer:

    Figure 3-33: RDP Session

    Hint 7: The entire RDP session is being recorded by the CRD Portal and CRD

    operators can monitor live connections at any time.

    Hint 8: On changing to full screen mode all other windows and task bars on this screen will be hidden. The window frame and button panel of the VNC viewer disappear, too. The key combination Ctrl+Alt+Shift+F or the context menu (F8) entry Fullscreen switches between full screen and windowed mode. Pressing the Windows key on the keyboard brings up the Windows desktop, where other windows can be accessed again. Logging off from the target system automatically closes the VNC viewer (and full screen mode with it).

    Terminating RDP sessions should always be done by logging off from the target system. If terminating is done by closing the window or clicking “Disconnect”, the Windows login on the target system remains active. That means that all programs of the RDP user keep running (Windows session is locked). It depends on the Windows system and its configuration whether RDP users always get a new session or are able to resume sessions. A locked session can also mean that other users cannot log on.

    Labelled elements in Figure 3-33: Fullscreen; Display refresh; Protocol, resolution, IP netelement and ticket-id; Send ctrl/alt to the remote desktop; Send Ctrl-Alt-Del to the remote desktop; Remote windows desktop of the target system; Force disconnect; Send the windows key to the remote desktop.

    In general multiple RDP sessions can be open at the same time (if the session ticket

    allows that).

    Hint 9: For standard Windows systems (other than Terminal Servers) only one RDP session can be performed at a time. The moment another user tries to log on with the same credentials, he takes over the active RDP session while the original user gets disconnected.

    See the chapter “Error handling” if errors occur.

    3.10.2.5 Establish a NX Connection

    NX connections are very similar to RDP connections (see above). Choose “nx” in the tab

    “Net element”.

    In the tab “VNC settings” you can change the window size and select a desktop

    environment. You can choose between "Gnome" and "KDE". The default selection is

    "Gnome".

    Figure 3-34: Tab “VNC settings” for NX

    The same VNC viewer as for RDP is used for NX.

    The following figure gives an overview of the VNC viewer with a NX connection:


    Figure 3-35: NX authentication

    As specified in the session ticket, login can be performed by the CRD user or

    automatically by the CRD Portal. Figure 3-35 shows the login window in case the CRD

    user has to log in with credentials.

    If login is successful the graphical desktop environment (e.g. Gnome or KDE) of the target

    system appears. The following figure gives an impression.


    Figure 3-36: NX Session with desktop

    In case there are already active NX connections to this target system, after the login a list

    of active connections is displayed. The following figure shows the screen that occurs in

    case there is already one active NX connection.


    Figure 3-37: Active NX Sessions

    That table lists active NX connections by session name (NX internal ID), type (e.g. Gnome

    or KDE), geometry, state and more. The following actions can be performed:

    • Refresh: Refresh this list.

    • Resume: Resume the selected NX connection. In case another CRD user is

    connected with this session, he gets disconnected. Programs and windows on the

    target system keep running.

    • Terminate: Terminate the selected NX connection. In case another CRD user is

    connected with this session, he gets disconnected and all programs and windows

    get closed.

    • New: Start a new NX session. Active connections remain unchanged. Depending

    on the NX server the number of maximum connections may be limited.

    • Cancel: Cancel your current connection. Active connections remain unchanged.

    See the chapter “Error handling” if errors occur.

    3.10.2.6 Establish a X2GO Connection

    X2GO connections are established very similarly to NX connections (see chapter

    3.10.2.5). In the tab “Net element” you have to choose “x2go”.


    In the tab “VNC settings” you can change the window size and select a desktop

    environment. You can choose between “Mate”, "Gnome" and "KDE". The default selection

    is "Mate".

    If your private RSA/DSA key is encrypted with a passphrase you will be asked to enter it

    when the connection is being opened. (see chapter 3.10.2.3)

    Figure 3-38 shows the login screen for X2GO connections. If you can see this screen the

    connection has already been established successfully.

    Figure 3-38: X2GO login screen


    3.10.2.7 Establish a SCP Connection for Uploading Files

    SCP supports uploading of files from a local computer to a remote UNIX system.

    Fill in all data as explained before and choose „scp (local => remote)“ as protocol. This

    opens a new tab “SCP settings”.

    Figure 3-39: SCP Protocol Selection

    This new tab allows for providing source and destination of the file transfer.

    Figure 3-40: SCP for Uploading

    Click the button „…“ to open a file browser for choosing the source file.

    Hint 10: Folders cannot be copied. Pack a folder to an archive in order to copy it.

    Hint 11: Only one single file can be copied at a time. Pack multiple files to

    archives in order to copy them together.


    Hint 12: If the file size changes while the file is being copied (e.g. log files), copying is performed for the size the file had at the beginning of copying and ends with an error. This is because the CRD Console wants to copy the whole file, but the CRD Portal only awaits the number of bytes that was transmitted at the beginning of copying.

    The second text field allows for specifying the destination directory. Please, note the

    following:

    • Provide an existing directory in UNIX notation. Non existing directories will not be

    created.

    • Do not include a file name at the end. Copying and renaming is not possible.

    • Base directory is the home directory of the UNIX user associated with the private

    key. Paths can be given relative to the base directory.

    • Use slashes (/) instead of backslashes (\).

    • Do not finish with a slash at the end (e.g. not: „folder1/folder2/“).

    • Maximum path length is 200 characters.

    • You might not have the rights to write files to directories other than your home

    directory (e.g. „/etc“).

    • Existing files with the same name will be overwritten without questioning!

    You might be familiar with the SCP syntax (“scp localfile target:destination”)

    where destination is what is expected in this second text field.

    Some examples:

    • To copy a file to the home directory, type the following:

    . (alternatively the absolute path can be used: „/home/erwin“)

    • To copy a file into a folder in the home directory, type the following:

    ./folder (alternatively „folder“ or „/home/erwin/folder“ works, too)

    For renaming, copying, moving or execution of the copied file on the target system use a

    SSH connection in addition.
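
    A pre-flight check for the rules and hints above, as an added example that is not part of the CRD Console: it checks a ticket ID and a remote path against the rules stated in this manual (the same path rules apply to the download field in 3.10.2.8) and stages the source as one file of fixed size, packing folders into an archive (Hints 10 to 12). All function names and sample files are constructed for illustration.

```python
import hashlib
import re
import shutil
import tarfile
import tempfile
from pathlib import Path

TICKET_RE = re.compile(r"[0-9A-Fa-f]{16}")  # 16 character hexadecimal number
MAX_PATH_LEN = 200                          # maximum path length per the manual


def check_ticket_id(ticket: str) -> list:
    """Return the problems found in a ticket ID (empty list = looks fine)."""
    problems = []
    if ticket != ticket.strip():
        problems.append("leading or trailing whitespace")
    if not TICKET_RE.fullmatch(ticket.strip()):
        problems.append("not a 16 character hexadecimal number")
    return problems


def check_remote_path(path: str) -> list:
    """Check the syntax rules for the remote path field of the SCP settings."""
    problems = []
    if not path:
        problems.append("empty path")
    if "\\" in path:
        problems.append("backslash used; use slashes (/)")
    if len(path) > 1 and path.endswith("/"):
        problems.append("ends with a slash")
    if len(path) > MAX_PATH_LEN:
        problems.append("longer than 200 characters")
    return problems


def stage_upload(source, staging) -> dict:
    """Turn `source` into one file whose size can no longer change."""
    source, staging = Path(source), Path(staging)
    if source.is_dir():
        # Folders cannot be copied: pack them into a single archive.
        staged = staging / (source.name + ".tar.gz")
        with tarfile.open(staged, "w:gz") as tar:
            tar.add(source, arcname=source.name)
    elif source.is_file():
        # Snapshot the file so a growing log cannot change size mid-transfer.
        staged = staging / source.name
        shutil.copyfile(source, staged)
    else:
        raise FileNotFoundError(str(source))
    digest = hashlib.sha256(staged.read_bytes()).hexdigest()
    return {"file": staged, "size": staged.stat().st_size, "sha256": digest}


def demo() -> dict:
    """Constructed sample: a folder with a log file that keeps growing."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        (work / "logs").mkdir()
        log = work / "logs" / "app.log"
        log.write_bytes(b"line 1\n")
        staging = work / "staging"
        staging.mkdir()
        archive = stage_upload(work / "logs", staging)
        snapshot = stage_upload(log, staging)
        with open(log, "ab") as fh:  # the source grows after staging
            fh.write(b"line 2\n")
        return {"archive_name": archive["file"].name,
                "snapshot_size": snapshot["size"],
                "snapshot_size_after_append": snapshot["file"].stat().st_size,
                "source_size": log.stat().st_size}


if __name__ == "__main__":
    print(check_ticket_id("0123456789abcdef "))
    print(check_remote_path("folder1/folder2/"))
    print(demo())
```

    The recorded SHA-256 can be compared with the copied file over an SSH connection to the target system.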

    Clicking “Open Connection” starts copying (as for the other protocols, the private key passphrase has to be provided). This opens the window “SCP connections”, which can also be opened via “Extras” → “Show scp connections”. It contains a list of all active and finished SCP connections with various pieces of information.


    Figure 3-41: SCP Connections Window

    Hint 13: All file transfers are being recorded by the CRD Portal.

    See the chapter “Error handling” if errors occur.

    Labelled elements in Figure 3-41: file size; upload or download (this: upload); state; time stamp of starting copying; cancel copying (only possible for active connections); source file name on the local computer; remove all entries (does not change connections).


    3.10.2.8 Establish a SCP Connection for Downloading Files

    SCP allows for downloading of remote files from the target system to the local computer.

    Choose „scp (remote => local)“ as protocol. This opens the new tab “SCP settings”:

    Figure 3-42: SCP for Downloading

    Type the path of the file to download from the target system in the first text field. Please,

    note the following:

    • Provide an existing file in UNIX notation.

    • Copying of remote directories is not possible. To copy a directory pack it to an

    archive (access via CRD SSH connection) or copy each file separately.

    • Base directory is the home directory of the UNIX user associated with the private

    key. Paths can be given relative to the base directory.

    • Use slashes (/) instead of backslashes (\).

    • Do not finish with a slash at the end (e.g. not: „folder1/folder2/“).

    • Maximum path length is 200 characters.

    • You might not have the rights to read certain system files.

    You might be familiar with the SCP syntax (“scp target:remotefile

    destination”) where remotefile is what is expected in this first text field.

    Some examples:

    • To download the „.bash_history“ file of the remote user on the target system,

    type the following:

    ./.bash_history (or „.bash_history“ or „/home/erwin/.bash_history“)


    • To copy the file „authorized_keys“ from the „.ssh“ folder of the home

    directory, type the following:

    ./.ssh/authorized_keys (or „.ssh/authorized_keys“ or …)

    For the second text field click the button “…” to open a file browser for choosing a local

    destination directory. If a file with the same name already exists there, a question dialog

    appears.

    See the chapter “Error handling” if errors occur.

    3.11 Starting CRD Console with Command Line Arguments

    Starting CRD Console from a command line (“java -jar CRDConsole-.jar”) allows adding arguments to start CRD Console with a certain setting. Supported arguments are listed with the argument --help (call: “java -jar CRDConsole-.jar --help”).

    The argument --notab changes the layout from tab layout to the original default layout (one box below the other).

    The argument --session makes the CRD Console automatically open a specific connection when starting. Pass the name of the session to start. This session name must exist in the list of saved sessions. For example, Figure 3-6 shows a session with the name “ssh-session-jumpserver”. To open this connection when starting CRD Console, call “java -jar CRDConsole-.jar --session ssh-session-jumpserver”.

    The arguments --notab and --session can be combined.


    4 Error Handling

    The following table contains possible errors that may occur when using CRD Console, together with countermeasures:

    Error: CRD Console does not start.

    Measure: Call “java -jar CRDConsole-.jar” from the command line and analyze the outputs. Make sure java (version 1.7) is installed and available.

    Check for the correct IP address (or DNS name) in the

    tab “CRD gateway”. Check network connectivity. Try to

    ping the address. Try a telnet to the port (default 3022).

    If ping and telnet are successful and the error occurs

    again, SSH authentication at the CRD Portal probably

    fails. Check for the correct private key file. Contact the

    CRD operator.


    The connection was not permitted from portal.

    The end date of the ticket was exceeded.

    The ticket was actively terminated by the administrator

    on the portal.

    The ticket is not yet active.


    The selected protocol is wrong or is not

    supported by the target system or the target system is

    not available.

    The target system is not valid for this ticket. Check the

    entered data in tab “Net element”.

    The protocol is not valid for this ticket. Check

    the entered value on tab “Net element”.

    The target system is not responding or the protocol is

    wrong. Please check the ip address and the protocol on

    the tab "Net element".


    The count of connections permitted to the target system

    was exceeded.

    The used user is not included in the ticket.


    The path of your private RSA-key file, stored in the global configuration, is wrong or the file does not exist. Choose a location for your private RSA-key file! In the tab “CRD-gateway”, check the entry in the field private RSA-Key or check the private RSA-key.


    Authentication at CRD Portal is successful but the portal

    refuses the connection to the target system.

    Check for correct data in the tab “Net element” and

    make sure it complies with the ticket information given

    to you by the CRD operator.

    Please note: CRD operators may terminate sessions or

    deactivate tickets at any time. Contact the CRD

    operator.

    Error: Saved sessions are not available (empty list).

    Measure: Make sure CRD Console has access to the working directory. Read chapters 3.2 and 3.3. If necessary, copy session files manually into the “sessions” folder and restart CRD Console.

    Make sure the “conf” folder in the working directory (“.CRDconsole”) contains the file “sessions.xsd”. This file should be copied automatically on starting CRD Console and is included in the archive CRDConsole-.jar.

    Restart CRD Console.

    The selected session cannot be loaded. Open the xml

    file and check if the file has been edited by others (or

    other programs). Compare with session files which

    work.

    If the file cannot be fixed, delete this session and try to insert all data manually. Try saving the parameters as a new session.

    In case CRD Console is started via command line (or with a script), make sure the “java -jar” command does not refer to other directories.

    Instead of “java -jar folder/CRDConsole-.jar” call “cd folder; java -jar CRDConsole-.jar”.

    Contact the CRD operator if this error occurs again.

    Try again. Check network connectivity. Check if other

    protocols (e.g. SSH) work instead.

    Especially check the UNIX file path (in SCP settings) for

    syntax errors. Read chapters 3.10.2.6 and 3.10.2.8.

    Consider your limited read/write permissions on the

    target system.

    Please note: CRD operators may terminate sessions or

    deactivate tickets at any time. Contact the CRD

    operator.

    Authentication at CRD Portal is successful but the portal

    refuses the connection to the target system.

    Check for correct data in the tab “Net element” and

    make sure it complies with the information given to you

    by the CRD operator.

    Please note: CRD operators may terminate sessions or

    deactivate tickets at any time. Contact the CRD


    operator.

    Error: The terminal emulator (GSI-SSHTerm) hangs and does not react anymore.

    Measure: Close the window and try again. If the window cannot be closed, close it via “Extras” → “Show active connections” with the “cancel” button.

    Alternatively kill the related java process or just ignore the window.

    First terminate all active connections before closing CRD Console. “Extras” → “Show active connections” gives a list of all active connections. They can be terminated there, too.

    Alternatively java processes can be killed by their PID.

    Hint 14: The menu “Settings” → “Log level” allows increasing the log level. Apply “ALL” to miss no message. Analyzing the log can be helpful for finding the reason for a CRD Console related problem. The log file CRDconsole.log is located inside the working directory (“.CRDconsole”) of CRD Console. This file is removed on every start of the CRD Console.


    5 Technical Support

    For technical issues, please contact the following hotline:

    +49 421 5155 8103

    STTS SM keyword: CRD-Portal, 3rd-Party Hotline.


    6 Glossary

    Term Description

    Working directory Directory where CRD Console saves settings, sessions, known_hosts file and log file.

    The directory is named .CRDConsole and gets created on the first start

    of CRD Console in the user’s home directory.

    Example Windows XP: C:\Dokuments and Settings\erwin\.CRDconsole

    Example Windows 7: C:\Users\erwin\.CRDconsole

    Example Linux: /home/erwin/.CRDconsole

    CRD Controlled Remote Diagnosis. Firewall-like client-server architecture for managing, authorizing, supervising and recording maintenance connections from external companies.

    CRD Portal Also: CRD gateway. CRD server that checks incoming connection requests for validity and compliance with a session ticket. Performs the actual connection to the target system and records all connections. Provides live monitoring for CRD operators.

    CRD session Time slot in which third party employees (CRD users) can access internal target systems.

    CRD session ticket Also: session ticket. Basis for a CRD session; defines the limitations of access. Has an unambiguous identifier (ticket ID).

    CRD operator Also: CRD admin. Person (or institution) that is in charge of the internal target systems of Deutsche Telekom AG and runs the CRD Portal for providing access to third parties for maintenance purposes.

    CRD user Also: third party employee. Employee of an external company who maintains internal target systems of Deutsche Telekom AG. User of the CRD Console.

    DNS name Domain Name System. Name associated with an IP address.

    extTerminal Computer of the CRD user.

    known_hosts file File that contains all known SSH servers. Each server is identified by its public SSH host key, which the server presents to the client at the beginning of every SSH connection. When an SSH client connects to a server for the first time, the user can decide whether or not to permanently trust this server (the host key is then added to known_hosts).

    If a presented host key suddenly differs from the one in known_hosts, this might indicate a Man-in-the-middle attack!

    The CRD Console’s known_hosts file is in the working directory and named “CRD_known_hosts”.

    Target system Also: net element. Computer of Deutsche Telekom AG which is subject to maintenance by third party companies and therefore protected by a CRD Portal. This system can also be a jump server that allows further jumps to actual target systems. However, in terms of CRD it is the system the CRD user requests access for.

    NX Graphical client-server application for remote controlling UNIX systems (with graphical desktops like Gnome or KDE). Developed by NoMachine. Based on SSH.

    OpenSSH BSD licensed open source implementation of SSH.

    RDP Remote Desktop Protocol. Windows specific protocol for remote controlling Windows computers. Developed by Microsoft.

    SCP Secure Copy. Protocol and client program for copying files over a network, using SSH tunnels.

    SOCKS Internet protocol that routes network packets between a client and server through a proxy server. Short for “SOCKet Secure”.

    SSH Secure Shell. Protocol and client program for remote controlling UNIX systems on command line over a secure channel.

    SSH tunnel Encrypted data stream between SSH client and server that can be used to securely transfer other data streams (e.g. files, unencrypted protocols, …).

    Telnet TCP based network protocol for remote controlling UNIX systems (especially routers and switches) over an unencrypted channel.

    Ticket ID 16 character hexadecimal number that identifies a CRD session ticket.

    TightVNC VNC client-server program which provides a highly efficient compression of the graphical data stream.

    VNC Virtual Network Computing. Client-server program for remote controlling computers with a graphical user interface. Used for graphical protocols between CRD user and CRD Portal.
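
    The host key comparison described in the known_hosts glossary entry, as an added example that is not part of this manual or of CRD Console. It assumes that CRD_known_hosts uses the OpenSSH known_hosts line format (the manual does not confirm this); the host names, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match a plain (comma-separated) or hashed (|1|salt|hmac) host field."""
    if pattern.startswith("|1|"):
        _, _, salt, mac = pattern.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    # Non-default ports are stored as "[host]:port"; pass the host in that form.
    return host in pattern.split(",")

def check_host_key(known_hosts_text, host, key_type, presented_b64):
    """Return 'match', 'mismatch' (possible man-in-the-middle) or 'unknown'."""
    seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blank lines, comments and @marker lines (simplification).
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        pattern, ktype, key = fields[:3]
        if ktype != key_type or not host_matches(pattern, host):
            continue
        if fingerprint(key) == fingerprint(presented_b64):
            return "match"
        seen = True  # host is known, but under a different key
    return "mismatch" if seen else "unknown"

# Constructed sample data: placeholder blobs, not real host keys.
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
SAMPLE = (
    "# constructed CRD_known_hosts content\n"
    f"portal.example.net,192.0.2.10 ssh-rsa {KEY_A}\n"
)

if __name__ == "__main__":
    for key in (KEY_A, KEY_B):
        result = check_host_key(SAMPLE, "portal.example.net", "ssh-rsa", key)
        print(fingerprint(key), result)
```

    A “mismatch” result is the case the glossary warns about: do not accept the new key, and verify the fingerprint with the CRD operator first.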
