Managing the Security Console

Although the default Security Console settings should work for a broad range of network environments, you can change settings to meet specific scanning requirements.

Click Administer next to Console on the Administration page to launch the Security Console Configuration panel.

Viewing general configuration settings

On the General page, you can view the version and serial numbers for the instance of the Security Console that you are using.

Changing the Security Console Web server default settings

The Security Console runs its own Web server, which delivers the user interface.

To change the Security Console web server default settings:

  1. On the Administration page, click Console > Web Server.
  2. Enter a new number for the access port.
  3. Enter a new session time-out. This value is the allowed number of seconds of user inactivity after which the Security Console times out, requiring a new logon.
  4. Enter new numbers for initial request and maximum request handler threads, if necessary. It is recommended that you consult Technical Support first. In this context, threads refer to the number of simultaneous connections that the Security Console will allow. Typically a single browser session accounts for one thread. If simultaneous user demand is high, you can raise the thread counts to improve performance. The Security Console will increase the thread count dynamically if required, so manual increases may be unnecessary.
  5. Enter a new number for failed logon threshold if desired. This is the number of failed logon attempts that the Security Console permits before locking out the would-be user.
  6. Click Save.

Use the restart command to apply your changes

To apply the changes, restart the Security Console. You can use the 'restart' command with the Command Console.

Managing the HTTPS certificate

The application provides a self-signed X.509 certificate, which is created during installation. It is recommended that you replace it with a certificate that is signed by a trusted certifying authority (CA).

The signed certificate must be based on an application-generated CSR. The application does not allow you to import an arbitrary key pair or certificate that you generated.

To manage certificates and generate a new certificate signing request (CSR):

  1. On the Administration page, click Console > Web Server.
  2. Click Manage Certificate. The Security Console displays a box titled Manage Certificate.
  3. Click Create New Certificate.
  4. Enter the information and click Create.
  5. Click Create CSR now. You can click Later to come back to this step and continue the process at another time.
  6. Copy the generated CSR and send it to your CA.
  7. Click Import Certificate on the Manage Certificate dialog after it is signed by your CA.
  8. Paste it in the text box and click Import.
  9. Click Save to save the new Security Console information. The new certificate name appears on the Web Server page.

Setting the Subject Alternative Name field

IMPORTANT

Consoles using externally signed certificates (CA or non-CA) must have a SAN field. If the certificate is self-signed, it does not require a SAN field.

This process can be completed with the following steps:

  1. In your installation directory, check the keystores folder for a file called nscweb.ks:

<install-dir>/nsc/keystores/nscweb.ks

If the file does not exist, browse to the "Manage Certificate" window, located in the Administration tab > "Global and Console Settings" window > Administer > Web Server tab > Manage Certificate button. Select Create New Certificate.

  2. Enter the SAN information and click Create. Another dialogue box will appear.

  3. Click Create CSR Now.

NOTE

In order to complete the next step successfully, make sure you have execute permission on /opt/rapid7/Nexpose/_jvm1.8.0_232/bin/keytool, and verify with your network administrator that assigning execute permissions for this binary is acceptable.

This can be done by running as administrator on Windows or issuing a chmod +x command on the Linux file from the command line.

  4. Select your operating system.

To set the subject alternative name field in Linux operating systems, follow these steps:

  1. Open a command prompt as an administrator on the host machine and change to the keytool directory:

cd [install_dir]/rapid7/nexpose/_jvm1.8.0_232/bin

  2. Log in via SSH into the Security Console server and run the following as root:

./keytool -certreq -alias nscweb -sigalg sha512WithRSA -keystore /opt/rapid7/nexpose/nsc/keystores/nscweb.ks -storepass 'r@p1d7k3y$t0r3' -ext san='dns:samplehostname.com,ip:127.0.0.1' -file filename.csr

The console.csr file can be sent to a CA to be signed.

This directory requires superuser elevation:

<install-dir>/_jvm1.8.0_232/bin/keytool -certreq \

To set the subject alternative name field in Windows operating systems, follow these steps:

  1. Open a PowerShell window as an administrator on the host machine and navigate to the following directory:

Set-Location "C:\Program Files\Rapid7\Nexpose\_jvm1.8.0_232\bin"

Review the directory

You may have to edit the directory if you did not use the standard install directory. Also, ensure the directory that you've selected is correct as some installations have a different version of the JVM than 1.8.0_232.

  2. Run the following as administrator:

.\keytool.exe -certreq -alias nscweb -sigalg sha512WithRSA -keystore "c:\Program Files\rapid7\nexpose\nsc\keystores\nscweb.ks" -storepass 'r@p1d7k3y$t0r3' -ext san="dns:samplehostname.com,ip:127.0.0.1" -file filename.csr

  3. You must change the DNS name and IP address in the command (san="dns:samplehostname.com,ip:127.0.0.1") to the appropriate DNS name and IP address for your console.

Review the directory

You may have to edit the directory in the command if you did not use the standard install directory.

  5. Once the filename.csr is generated, send it to the Certificate Authority (CA) to be signed, then load it into InsightVM.

NOTE

The CA should take the SAN data in your CSR and add it to the certificate when signed. This is not automatically added through the CSR, so it is recommended to verify this ahead of time in order to make sure the CA added the SAN data during the signing process.

  6. Check the signed certificate returned by your CA to make sure the SAN is present:

openssl x509 -text -noout -in SignedCert.crt

The details should contain something similar to the following:

X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:samplehostname.com, IP Address:127.0.0.1
  7. Import the signed certificate (a PEM file) into the InsightVM UI:
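The SAN check in the preceding steps, as an added example that is not part of the Rapid7 documentation: a small Python script that parses the text output of openssl x509 -text -noout, extracts the SAN entries, and confirms that both the console's DNS name and its IP address are present. The two sample outputs are constructed; the second shows the failure mode the note above warns about, a CA that dropped the SAN data from the CSR.

```python
import ipaddress

# Constructed sample of `openssl x509 -text -noout` output, trimmed to the
# extension block; the SAN values mirror the ones used in the page's example.
SAMPLE_WITH_SAN = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:samplehostname.com, IP Address:127.0.0.1
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Constructed sample where the CA silently dropped the SAN from the CSR.
SAMPLE_WITHOUT_SAN = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

def parse_san(openssl_text):
    """Return SAN entries as (kind, value) tuples, e.g.
    [("DNS", "samplehostname.com"), ("IP Address", "127.0.0.1")].
    Returns [] when the certificate carries no SAN extension."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        # openssl may append " critical" to the header, so match the prefix.
        if line.strip().startswith("X509v3 Subject Alternative Name:"):
            indent = len(line) - len(line.lstrip())
            entries = []
            # Entries sit on the following line(s), indented deeper than the header.
            for body in lines[i + 1:]:
                if len(body) - len(body.lstrip()) <= indent:
                    break  # next extension header (or end of block) reached
                for item in body.strip().split(", "):
                    kind, _, value = item.partition(":")  # IPv6 values contain ':'
                    entries.append((kind, value))
            return entries
    return []

def san_covers(openssl_text, hostname, ip):
    """True only if both the console's DNS name and its IP appear in the SAN."""
    dns_ok = ip_ok = False
    for kind, value in parse_san(openssl_text):
        if kind == "DNS" and value.lower() == hostname.lower():
            dns_ok = True
        elif kind == "IP Address" and ipaddress.ip_address(value) == ipaddress.ip_address(ip):
            ip_ok = True
    return dns_ok and ip_ok
```

Run it against the real output of the openssl command on SignedCert.crt before importing the certificate; an empty result from parse_san means the CA did not carry the SAN over and the CSR has to be re-signed.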

Changing default Scan Engine settings

The Security Console communicates with distributed Scan Engines over a network to initiate scans and retrieve scan results. If you want to obtain scan status information more quickly or reduce bandwidth or resource consumption required for Security Console to Scan Engine communication, you can tune various settings on the Scan Engines page of the Security Console Configuration panel.

Configuring Security Console connections with distributed Scan Engines

The Security Console establishes connections with distributed Scan Engines to launch scans and retrieve scan results. This communication can be disrupted by low network bandwidth, high latency, or situations in which Scan Engines are performing high numbers of simultaneous scans. If any of these conditions exist in your environment, you may want to consider increasing connection settings on the Scan Engines configuration page:

It is recommended that you consult with Technical Support before tuning these settings.

  • The Connection timeout setting controls how long the Security Console waits for the creation of a connection with a distributed Scan Engine.
  • The Response timeout setting controls how long the Security Console waits for a response from a Scan Engine that it has contacted.

To configure these settings, take the following steps:

  1. Go to the Scan Engines page in the Security Console Configuration panel.
  2. Click the Administration tab.
  3. On the Administration page, click manage for the Security Console.
  4. Click Scan Engines in the Security Console Configuration panel.
  5. Adjust the Connections settings.
  6. Edit the value in the Connection timeout field to change the number of milliseconds that elapse before a connection timeout occurs.
  7. Edit the value in the Response timeout field to change the number of milliseconds that elapse before the Security Console stops waiting for a response from a Scan Engine.
  8. Click Save in the top bar of the panel to save the changes.
  9. Restart the Security Console so that the configuration changes can take effect.

Because millisecond values can be difficult to read, a time value that is easier to read appears to the right of each value field. As you change either timeout value, note how the equivalent value changes.

Allocating threads for monitoring scans

The Security Console allocates a thread pool for retrieving scan status information. You can adjust the number of threads, which corresponds to the number of scan status messages that the Security Console can retrieve simultaneously. For example, if you increase the number of distributed Scan Engines and the number of scans running simultaneously, you can increase the threads in the pool so that the Security Console can retrieve more status messages at the same time.

It is recommended that you consult with Technical Support before tuning these settings.

Keep in mind that retrieval time is subject to network conditions such as bandwidth and latency. Whenever the number of active threads in use exceeds the overall number of threads in the pool, the Security Console removes unused scan status threads after a specific time interval. If you notice an overall decrease in the frequency of scan status messages, you may want to consider increasing the timeout value.

  1. Click the Administration tab and click Scans > Engine Pools.
  2. Click Scan Engines in the Security Console Configuration panel.
  3. Adjust the Scan Status settings.
  4. Edit the value in the Thread idle timeout field to change the number of milliseconds that elapse before the Security Console removes unused scan threads.
  5. Edit the value in the Thread pool size field to change the number of threads in the pool for monitoring scan status.
  6. Click Save in the top bar of the panel to save the changes.
  7. Restart the Security Console so that the configuration changes can take effect.

Because millisecond values can be difficult to read, a time value that is easier to read appears to the right of each value field. As you change either timeout value, note how the equivalent value changes.

Retrieving incremental scan results from distributed Scan Engines

The Security Console communicates with Scan Engines over a network to retrieve scan results. By default, the Security Console retrieves scan results from distributed Scan Engines incrementally, displaying results in the Web interface as it integrates the data, rather than retrieving the full set of results after each scan completes. This allows you to view scan results as they become available while a scan is in progress.

Incremental retrieval modulates bandwidth usage throughout the scan. It also makes it unnecessary for the Security Console to retrieve all the data at the end of the scan, which could cause a significant, temporary increase in bandwidth usage, especially with large sets of data.

The Scan Engines page of the Security Console Configuration panel displays a check box for incremental retrieval of scan results. It is selected by default. Do not disable this option unless directed to do so by Technical Support.

Running in maintenance mode

Only global administrators are permitted to run the application in maintenance mode.

Maintenance mode is a startup mode in which the application performs general maintenance tasks and recovers from critical failures of one or more of its subsystems. During maintenance mode, you cannot run scans or reports. Available functions include logging, the database, and the Security Console Web interface.

The application automatically runs in maintenance mode when a critical internal error occurs.

When the application is running in maintenance mode, you see the page /admin/maintenance/index.html upon logging on. This page shows all available maintenance tasks and indicates the current status of the task that is being performed. You cannot select a new task until the current task is completed. Afterward, you can switch tasks or click Restart to return to normal operating mode.

To work in Maintenance mode:

  1. Click the Administration tab.
  2. On the Administration page, click Database > Maintenance.

The Security Console displays the Maintenance Mode page.