Satyr Manual

The information in this documentation is subject to change without notice and describes only the product defined in the introduction of this documentation. This documentation is intended for the use of BalaBit's customers only for the purposes of the agreement under which the documentation is submitted, and no part of it may be reproduced or transmitted in any form or means without the prior written permission of BalaBit. The documentation has been prepared to be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. BalaBit welcomes customer comments as part of the process of continuous development and improvement of the documentation.

The information or statements given in this documentation concerning the suitability, capacity, or performance of the mentioned hardware or software products cannot be considered binding but shall be defined in the agreement made between BalaBit and the customer. However, BalaBit has made all reasonable efforts to ensure that the instructions contained in the documentation are adequate and free of material errors and omissions. BalaBit will, if necessary, explain issues which may not be covered by the documentation.

BalaBit's liability for any errors in the documentation is limited to the documentary correction of errors. BALABIT WILL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCIDENTAL OR CONSEQUENTIAL (INCLUDING MONETARY LOSSES), that might arise from the use of this documentation or the information in it.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaBit.

The BalaBit Shell Control Box™ name and the BalaBit Shell Control Box™ logo are registered trademarks of BalaBit.

The Syslog-NG™ name and the Syslog-NG™ logo are registered trademarks of BalaBit.

The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit.

Linux™ is a registered trademark of Linus Torvalds.

Debian™ is a registered trademark of Software in the Public Interest Inc.

Windows™ 95, 98, ME, 2000, XP are registered trademarks of Microsoft Corporation.

CryptoCARD™ is a registered trademark of CryptoCARD Corporation.

ClamAV™ and Clam AntiVirus™ are registered trademarks of Tomasz Kojm (http://clamav.net).

VirusBuster™ is a registered trademark of VirusBuster Ltd. (http://vbuster.hu).

Nod32™ is a registered trademark of ESET, LLC (http://www.eset.com).

All other product names mentioned herein are the trademarks of their respective owners.

All rights reserved.

DISCLAIMER

BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

March 13, 2011

Revision History

Abstract

Developed by BalaBit, Zorp Authentication Agent (Satyr) is an authentication client, capable of cooperating with the Zorp firewall and the Zorp Authentication Server (ZAS) to identify the users initiating network connections. Zorp Authentication Agent enables the complete network traffic to be audited on the user level. This document has two main sections:

The first part introduces the use of the authentication agent to the users.

The second part is intended for the system administrators and describes the concepts of communication between Zorp and the authentication agent, as well as the installation and configuration of the software on Microsoft Windows and Debian GNU/Linux platforms.


Table of Contents

1. Using the Zorp Authentication Agent (Satyr)
1.1. Program settings (Windows)
2. Authentication and Zorp
2.1. Authentication on the network
2.2. Outband authentication with Zorp
3. Installing the Zorp Authentication Agent (Satyr)
3.1. Installation on Microsoft Windows platforms
3.2. Installation on Debian GNU/Linux platforms
4. Configuring Zorp Authentication Agent (Satyr)
4.1. Configuring on Microsoft Windows platforms
4.2. Configuration on Debian GNU/Linux platforms

1. Using the Zorp Authentication Agent (Satyr)

When the user launches an application that requires authentication (e.g.: a web browser, e-mail client, etc.), the Zorp firewall automatically displays the authentication client on the user's screen.

  1. The Zorp Authentication Agent

    Figure 1. The Zorp Authentication Agent


    The displayed window shows the name of the service requiring authentication (intra_http in the above example), and — provided that the administrator enabled it — further details of the connection (e.g.: destination IP address). By selecting the Save session if done checkbox (see Section 1.1, Program settings (Windows)) the authentication client stores the username and the password, so that these fields are filled in automatically for later authentications.

  2. Enter your username and click Next.

  3. Selecting authentication method

    Figure 2. Selecting authentication method


    Select the authentication method to use from the Select authentication method combobox. The list displays only the methods enabled for the particular user.

    • If you have a username and a password, select Password authentication.

    • If you use Kerberos authentication, select GSSAPI authentication.

      [Note] Note

      When using Kerberos authentication the authentication client is not displayed if the automatic authentication feature is enabled. See Section 1.1, Program settings (Windows) for details.

    • To authenticate with an X.509 certificate, select X.509 certificate.

  4. Entering the password

    Figure 3. Entering the password


    As a last step, you have to provide the information required for the selected authentication method. For password authentication enter your password.

Clicking Abort at any step stops the authentication.

After successful authentication (e.g.: if the password entered was correct) the window of the authentication client is closed and the connection to the target server is established. An error message is displayed if the authentication fails.

1.1. Program settings (Windows)

The authentication agent starts automatically after Windows boots, as indicated by its icon on the system tray. Right-clicking on the icon displays a popup menu containing the following items:

  • Clicking the Preferences menu item displays the following dialog window:

    Preferences

    Figure 4. Preferences


    1. Automatic Kerberos authentication: This option only has an effect if Kerberos authentication is used. If this option is enabled, the authentication client will not appear, and the username provided during Windows login will be used.

    2. Forget password: The authentication client can store the provided password for the provided period (in minutes). That way an unauthorized person cannot initiate network connections from unattended machines.

    3. Forget password now: Immediately remove the stored password.

  • The About menu item displays information about the Zorp Authentication Agent, including its version number.

  • Clicking Exit quits the authentication agent; it can be restarted from the Start menu (Start menu / Satyr Client / Satyr Client).

2. Authentication and Zorp

Zorp Authentication Agent (Satyr) is an authentication client, capable of cooperating with the Zorp firewall and the Zorp Authentication Server (ZAS) to identify the users initiating network connections. The authentication process and the related communication between the components is summarized below. See Chapter 18, Connection authentication and authorization of the Zorp Administrator's Guide for details on this topic.

Authentication aims to determine the identity of the user. During the authentication process the user initiating the connection shares a secret (e.g.: a password) with the other party, who verifies the user's identity.

Several procedures (so called authentication methods) exist for verifying the identity of the user:

  1. The user knows a secret, e.g.: a password, PIN code, the response to a challenge, etc.

  2. The user owns a device, e.g.: a hardware key, chipcard, SecurID token, etc.

Naturally, the above methods can be combined to implement strong two-factor authentication in sensitive environments.

2.1. Authentication on the network

The aim of network authentication is to authenticate the connections initiated by the users in order to ensure that only the proper users can access the services. Basically there are two types of authentication:

  1. Inband: Authentication is performed by the application level protocol — the data traffic required for the authentication is part of the protocol. Inband authentication is used for example in the HTTP, FTP, or SSH protocols. The protocols usually support different authentication methods — these are usually described in the specifications of the protocol.

  2. Outband: Authentication is performed in a separate data channel completely independent from the protocol of the accessed service. Outband authentication is realized by the combination of the Zorp Authentication Agent (Satyr), ZAS, and Zorp software. The advantage of outband authentication is that it can be used to authenticate any protocol, regardless of the authentication methods supported by the original protocol. That way strong authentication methods (e.g.: chipcards) can be used to authenticate protocols supporting only the weak username/password method (e.g.: HTTP).

2.2. Outband authentication with Zorp

Zorp implements outband authentication according to the following figure:

Outband authentication with Zorp

Figure 5. Outband authentication with Zorp


The procedure is as follows:

  1. The client initiates a connection towards the server.

  2. Zorp determines the service to be accessed based on the IP address of the client and the server. If authentication is required for the connection (an authentication policy is assigned to the service), Zorp initiates a connection towards the client using the Satyr protocol.

  3. Depending on the authentication methods available (e.g.: for password based authentication), the dialog of the authentication agent is displayed on the client machine. The user enters his/her username that the authentication agent forwards to Zorp.

  4. The Zorp firewall connects to ZAS (the Zorp Authentication Server) and retrieves the list of authentication methods enabled for the particular user. Multiple authentication methods can be enabled for a single user (e.g.: x509, kerberos, password, etc.). The authorization of the user is also performed in this step, e.g.: the verification of the LDAP group membership.

  5. Zorp returns the list of available methods to the client. The user selects a method and provides the information (e.g.: the password) required for the method.

  6. The authentication agent sends the data (e.g.: the password) to Zorp, who forwards it to ZAS.

  7. ZAS performs the authentication and notifies Zorp of the result (success/failure).

  8. Zorp returns the result to the client and, if the authentication was successful, builds a connection towards the server. In case of a failed authentication it terminates the connection to the client.
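The eight steps above, as an added toy model written for this manual; it is not the code or wire protocol of Satyr, Zorp or ZAS. The user database, the LDAP-style group policy, the service map and the message names are all constructed for the example. What the model shows is who talks to whom at each step, that authorization (group membership) happens before any method list is returned, that the secret itself crosses the agent-Zorp-ZAS path only once (which is why that hop needs SSL), and that every failure ends with the client connection being closed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data (hypothetical users, groups and services); in a real
# deployment this information lives in ZAS and its LDAP backend.
USER_DB = {
    "alice": {"methods": {"password", "x509"}, "groups": {"staff"}, "password": "correct horse"},
    "bob": {"methods": {"password"}, "groups": {"guests"}, "password": "hunter2"},
}
SERVICE_MAP = {("10.0.0.5", "192.0.2.10"): "intra_http", ("10.0.0.5", "192.0.2.53"): "intra_dns"}
AUTH_POLICY = {"intra_http": "staff"}  # service -> required LDAP group; no entry = no authentication


class ZAS:
    """Zorp Authentication Server: the only component that checks secrets."""

    def methods_for(self, user: str, service: str) -> list:
        # Step 4: enabled methods, after the authorization (group) check.
        rec = USER_DB.get(user)
        if rec is None or AUTH_POLICY[service] not in rec["groups"]:
            return []
        return sorted(rec["methods"])

    def verify(self, user: str, method: str, credential: str) -> bool:
        # Step 7: only password verification is modelled here.
        rec = USER_DB.get(user)
        if rec is None or method not in rec["methods"] or method != "password":
            return False
        return credential == rec["password"]


class Agent:
    """Satyr agent on the client workstation: returns what the user typed."""

    def __init__(self, username: str, choose: Callable[[list], tuple]):
        self.username = username
        self.choose = choose  # called with the method list, returns (method, credential)

    def ask_username(self) -> str:  # step 3
        return self.username

    def ask_credential(self, methods: list) -> tuple:  # step 5
        return self.choose(methods)


@dataclass
class Zorp:
    zas: ZAS
    trace: list = field(default_factory=list)

    def handle(self, client_ip: str, server_ip: str, agent: Agent) -> str:
        """Return 'connected' or 'terminated' for one client connection (step 1)."""
        service = SERVICE_MAP.get((client_ip, server_ip))  # step 2
        if service is None:
            return "terminated"
        if service not in AUTH_POLICY:
            self.trace.append(f"{service}: no authentication policy")
            return "connected"
        user = agent.ask_username()  # steps 2-3: Zorp contacts the agent
        self.trace.append(f"agent -> zorp: username={user}")
        methods = self.zas.methods_for(user, service)  # step 4
        self.trace.append(f"zas -> zorp: methods={methods}")
        if not methods:
            self.trace.append("zorp -> agent: failed; client connection closed")
            return "terminated"
        method, credential = agent.ask_credential(methods)  # step 5
        # Step 6: the secret passes through Zorp to ZAS. This is the hop that
        # must be SSL-protected, so the model never writes it to the trace.
        self.trace.append(f"agent -> zorp -> zas: method={method}, credential=<redacted>")
        if self.zas.verify(user, method, credential):  # step 7
            self.trace.append(f"zorp -> server: connection built for {user}")  # step 8
            return "connected"
        self.trace.append("zorp -> agent: failed; client connection closed")
        return "terminated"
```

Running `Zorp(ZAS()).handle("10.0.0.5", "192.0.2.10", Agent("alice", lambda m: ("password", "correct horse")))` returns "connected"; the same call for bob returns "terminated" at step 4, because he is not in the staff group, so he never even sees a method list.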

3. Installing the Zorp Authentication Agent (Satyr)

This section describes the installation and configuration of the authentication agent on Microsoft Windows and Debian GNU/Linux platforms. The authentication agent has to be installed on every computer having access to authenticated services. The agent has two components:

  1. Satyr Multiplexer: A daemon running in the background, accepting the connections coming from Zorp and verifying the SSL certificates of Zorp (if the communication is encrypted). In multi-user environments the Multiplexer displays the dialog of the Satyr Client on the desktop of the user initiating a connection requiring authentication.

  2. Satyr Client: This application collects the information required for the authentication, e.g.: the username, authentication method, password, etc.

The installers automatically install both components. The components require approximately 5 MB of free hard disk space.

3.1. Installation on Microsoft Windows platforms

Zorp Authentication Agent (Satyr) supports the Windows 2000 and Windows XP operating systems. The installer is located in the \windows\satyr\ folder of the Zorp CD-ROM, its latest version is also available from the BalaBit website (http://www.balabit.hu).

  1. Place the Zorp CD-ROM into the CD drive and start the satyr-setup.exe file located in the \windows\satyr\ folder.

    [Warning] Warning

    Administrator privileges are required to install the application.

  2. Select the language of the installer (English / Hungarian).

  3. Accepting the EULA

    Figure 6. Accepting the EULA


    After the installer starts, the End-User License Agreement is displayed, which can be accepted by clicking I agree. The installation can be aborted at any time during the process by clicking Cancel.

  4. Selecting the destination folder

    Figure 7. Selecting the destination folder


    Select the destination folder for the application and click Install. The default folder suggested by the installer is C:\Program Files\Satyr Client.

  5. Copying the files

    Figure 8. Copying the files


    The installer copies the required files and registers a service called Satyr Multiplexer, which is started after the registration. Details about the copied files can be displayed by clicking Show details.

  6. Importing the CA certificate

    Figure 9. Importing the CA certificate


    Optional step: If the authentication agent and Zorp communicate via an SSL-encrypted channel (recommended), the certificate of the Certificate Authority (CA) signing the certificates of the Zorp firewalls can be imported to the authentication agent. Click Browse, select the CA certificate to import, then click Close.

    [Note] Note

    The CA certificate has to be in DER format. It is not necessary to import the certificate during the installation, it can also be done later. For details about encrypting the agent-Zorp authentication see Section 4.1.3, Configuring SSL connections (Windows).

  7. After the installer has completed the above steps, click Close.

  8. The Zorp Authentication Agent (Satyr) logo is displayed on the system tray, indicating that the application is running. It is also started automatically after each Windows startup.

3.2. Installation on Debian GNU/Linux platforms

This section describes the installation of the Zorp Authentication Agent on Debian GNU/Linux operating systems.

3.2.1. Procedure – Upgrading apt

  1. As a first step, the apt package manager has to be upgraded to support HTTPS connections.

    1. On Debian Sarge distribution add the following line to the /etc/apt/sources.list file:


      deb http://apt.balabit.com/zorp-gpl-os debian-sarge/apt-sarge sarge-backport

      On Debian Woody distribution add the following line to the /etc/apt/sources.list file:


      deb http://apt.balabit.com/zorp-gpl-os debian-woody/apt-woody woody-backport

    2. Issue the following commands as root:


      apt-get update
      apt-get install apt

    3. Download the CA certificate of the apt.balabit.com server from the following address:

      http://www.netlock.hu/index.cgi?ca=uzleti&lang=HU&tem=ANONYMOUS/kulcsjegyzok/adatok.tem

    4. Select Save into file from the combobox located next to the button labeled Certificate Authority certificate, then click on the button. Save the index.cgi file (e.g.: into /tmp/index.cgi), rename it to balabit.crt and copy it into the /etc/ssl/certs directory. To accomplish this, issue the following command as root:


      cp /tmp/index.cgi /etc/ssl/certs/balabit.crt

      [Note] Note

      If this directory does not exist, install the openssl package by issuing the apt-get install openssl command as root.

    5. Create a symlink called /etc/ssl/certs/5a5372fc.0 pointing to the /etc/ssl/certs/balabit.crt file:


      ln -s /etc/ssl/certs/balabit.crt /etc/ssl/certs/5a5372fc.0

    6. Completing the above step concludes the updating of apt.

  2. Install the authentication agent.

    1. On Debian Sarge distribution add the following line to the /etc/apt/sources.list file:


      deb https://username:password@apt.balabit.com/zorp-os debian-sarge/3.0 common common-gpl satyr common sarge-backport

      On Debian Woody distribution add the following line to the /etc/apt/sources.list file:


      deb https://username:password@apt.balabit.com/zorp-os debian-woody/3.0 common common-gpl satyr common

      [Note] Note

      Replace username and password with your username and password received from BalaBit IT Security.

    2. Issue the following commands as root:


      apt-get update
      apt-get install satyr

      The above commands install the satyr (Satyr client) and the satyr-mpxd (Satyr Multiplexer) packages.

    3. The Multiplexer is automatically started after the installation. It can be stopped or started by issuing the /etc/init.d/satyr-mpxd command with the stop or start parameters, respectively.

    4. The client is launched when X11 is started; if it is not running, it has to be started manually by running satyr-gtk.

4. Configuring Zorp Authentication Agent (Satyr)

4.1. Configuring on Microsoft Windows platforms

4.1.1. Registry entries

Some settings of Zorp Authentication Agent (Satyr) can be modified via the Windows Registry. Launch the registry editor by issuing the regedit command (either from a command prompt or via the Start menu / Run application menu item).

The parameters of the Zorp Authentication Agent are located under HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\Satyr.

The component listed with each parameter is the component the parameter belongs to. This component has to be restarted if a value is modified (i.e. the Satyr Multiplexer service for Multiplexer, the Satyr Client application for Client).

To restart the Multiplexer right click on the Satyr Multiplexer element of the Start menu / Settings / Control panel / Administrative Tools / Services list and select Restart.

The following settings are available from the registry:

Each entry gives the name of the setting, followed in parentheses by the component it belongs to and its default value, and then its description.

aliasfile (Multiplexer; default value: 1)

The name and path (e.g.: C:\tmp\aliases) of a text file. Using the information contained in this file, the Satyr Multiplexer can redirect the authentication of certain users to a different user in multiuser environments. E.g.: to redirect the connection authentication of the Administrator user to MainUser enter the following line: Administrator: MainUser.

Automatic (Client; default value: 1)

Enables the automatic Kerberos authentication if set to 1.

Can Remember (Client; default value: 1)

The user can set the client to remember his/her password if set to 1. This option is disabled if the value of this parameter is 0.

Details (Client; default value: 0)

The authentication agent displays the details of the connection in the popup dialog if this parameter is set to 1. The following information is displayed: name of the application initiating the connection, IP address and port of the destination server, name of the Zorp service started, and the type of the connection (TCP/UDP). If the details are disabled, only the name of the service is displayed.

Has Preferences (Client; default value: 1)

Enables the Preferences menu item in the local menu of the authentication agent (right click on the tray icon). The Preferences menu item is displayed only if this parameter is set to 1.

Forget Password Interval (Client; default value: 1)

Instructs the authentication agent to forget the stored password after the set period (in minutes). That way no unauthorized connections can be initiated from an unattended machine.

Forget Password (Client; default value: 1)

The authentication agent can store the set password indefinitely if this parameter is set to False. Practically this sets the Forget Password Interval to infinite.

LOG_CLIENT (Client; default value: 0)

The verbosity level of the authentication client, ranging from 0 (lowest) to 9. Setting it to higher than 3 can result in very large log files, thus should be used only if needed (e.g.: for debugging purposes). The log files are stored in the %SystemRoot%\Debug folder (e.g.: C:\Winnt\Debug).

LOG (Multiplexer; default value: 0)

The verbosity level of the Multiplexer, ranging from 0 (lowest) to 9. Setting it to higher than 3 can result in very large log files, thus should be used only if needed (e.g.: for debugging purposes). The log files are stored in the %SystemRoot%\Debug folder (e.g.: C:\Winnt\Debug).

SSL (Multiplexer; default value: 1)

The Multiplexer accepts only SSL-encrypted connections if this parameter is set to 1.
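An administrator auditing many workstations will want to check these values without opening regedit on each one. The following added example (not BalaBit's code) parses the text that a registry export of HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\Satyr produces (the "Windows Registry Editor Version 5.00" format) and flags the settings this section warns about: SSL disabled, a remembered password that never expires, and log levels above 3. The manual does not state the registry value types, so the example assumes dword for the numeric switches and string for aliasfile and Forget Password; the sample export is constructed, with deliberately weak values so the audit has something to report.

```python
import re

SATYR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\Satyr"

# Constructed sample export (what `reg export HKLM\SOFTWARE\BalaBit\Satyr satyr.reg`
# would produce on a machine with these settings). Value types are assumed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\Satyr]
"aliasfile"="C:\\tmp\\aliases"
"Automatic"=dword:00000001
"Can Remember"=dword:00000001
"Forget Password"="False"
"Forget Password Interval"=dword:0000001e
"LOG_CLIENT"=dword:00000007
"SSL"=dword:00000000
"""

# "Name"=value or @=value (the key's default value)
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)+)"|(?P<default>@))=(?P<raw>.+)$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: value}}.

    dword values become int, quoted strings are unescaped (\\\\ and \\");
    other types (hex:, hex(2): ...) are kept as their raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsable .reg line: {line!r}")
        raw = m.group("raw")
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = raw
        keys[current][m.group("name") or "@"] = value
    return keys


def audit_satyr(values: dict) -> list:
    """Return one finding per setting that weakens the agent, per the manual."""
    findings = []
    if values.get("SSL", 1) != 1:
        findings.append("SSL=0: the Multiplexer accepts unencrypted connections, so anyone on "
                        "the network can connect to it and obtain authentication information")
    if values.get("Can Remember", 1) == 1 and str(values.get("Forget Password", "")).lower() == "false":
        findings.append("Forget Password=False: a remembered password never expires, so an "
                        "unattended machine can still initiate authenticated connections")
    for name in ("LOG", "LOG_CLIENT"):
        level = values.get(name, 0)
        if isinstance(level, int) and level > 3:
            findings.append(f"{name}={level}: above 3 produces very large log files in %SystemRoot%\\Debug")
    return findings
```

`audit_satyr(parse_reg(SAMPLE_REG)[SATYR_KEY])` yields three findings for the sample above; an export with SSL=1, Forget Password set to a period, and log levels at 3 or below yields none. Missing values are treated as the defaults listed in this section.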

4.1.2. Command line parameters (Windows)

The version number of the client can be displayed from the command line via the satyr-client.exe --version command. The Satyr Multiplexer (satyr-mpxd.exe) has the following command-line options:

--install_service

Register the Satyr Multiplexer service.

--remove_service

Remove the Satyr Multiplexer service.

--start_service

Start the Satyr Multiplexer service.

--stop_service

Stop the Satyr Multiplexer service.

4.1.3. Configuring SSL connections (Windows)

Satyr Multiplexer and Zorp can communicate via an SSL-encrypted channel. For this, a certificate has to be available on the Zorp firewall that Zorp uses to authenticate the connection to the Multiplexer. The Multiplexer verifies this certificate using the certificate of the CA issuing Zorp's certificate, therefore the certificate of the CA has to be imported to the machine running the Zorp Authentication Agent.

[Note] Note

It is highly recommended to encrypt the communication between Zorp and the authentication agent, since without it anyone can connect to the Satyr Multiplexer, which allows unauthorized people to obtain the authentication information. It is essential to use encryption when password authentication is used.

To enable encryption between Zorp and the authentication agent complete the following steps. See Chapter 14, Key and certificate management in Zorp in the Zorp Administrator's Guide for the steps to be completed from ZMC.

4.1.3.1. Procedure – Encrypting the communication between Zorp and the authentication agent (Windows)

  1. Create a CA (e.g.: Satyr_CA) using the Zorp Management Console (ZMC). This CA will be used to sign the certificates shown by the Zorp firewalls to the authentication agents.

  2. Export the CA certificate into DER format.

  3. Generate certificate request(s) for the Zorp firewall(s) and sign it with the CA created in Step 1.

    [Note] Note

    Every firewall should have its own certificate. Do not forget to set the firewall as the Owner host of the certificate.

  4. Distribute the certificates to the firewalls.

  5. Install the Zorp Authentication Agent (Satyr) application to the workstations and import to each machine the CA certificate exported in Step 2.

    There are three ways to import the CA certificate:

    1. Using the installer of the Zorp Authentication Agent.

    2. Manually using the addcert and getcert programs (see Section Using the addcert and getcert programs).

    3. Using the Microsoft Management Console (see Section Importing the CA certificate using Microsoft Management Console (MMC)).

  6. Create the appropriate outband authentication policies in ZMC and reference them in the services of Zorp. See Chapter 18, Connection authentication and authorization in the Zorp Administrator's Guide for details.

Using the addcert and getcert programs

To import the certificate of the CA complete the following steps.

Procedure – Importing the CA certificate manually

  1. The certificate can be imported using the addcert.exe program located in the installation folder of the Satyr client (C:\Program Files\Satyr client by default). The program can be started from a command prompt or via the Run application item of the Start menu. Supply the name and path of the DER-format certificate as an input parameter. E.g.:


    "C:\Program Files\Satyr client\addcert" C:\temp\Satyr_CA.crt

    [Note] Note

    Running addcert.exe requires administrator privileges.

  2. Verify that the certificate has been successfully imported by running getcert.exe. Running getcert.exe lists the Subject of all imported certificates.

  3. Restart the Satyr Multiplexer service.

Importing the CA certificate using Microsoft Management Console (MMC)

To import the certificate of the CA complete the following steps.

Procedure – Importing the CA certificate using MMC

  1. Start Microsoft Management Console by executing mmc.exe (Start menu / Run application item).

    [Note] Note

    Running mmc.exe requires administrator privileges.

  2. Adding a snap-in

    Figure 10. Adding a snap-in


    Click on the Add/Remove snap-in item of the File menu.

  3. Adding certificates

    Figure 11. Adding certificates


    Click Add, select the Certificates module, and click Add.

  4. Selecting the service account

    Figure 12. Selecting the service account


    Select Service account in the displayed window and click Next.

  5. Selecting the managed computer

    Figure 13. Selecting the managed computer


    Select Local menu and click Next.

  6. Selecting the service

    Figure 14. Selecting the service


    Select the Satyr Multiplexer service from the displayed list and click Finish.

    With the above steps a snap-in module has been configured that enables to conveniently manage the certificates related to the Satyr Multiplexer.

  7. Importing the CA certificate

    Figure 15. Importing the CA certificate


    Navigate to Certificates - Service (Satyr Multiplexer) \ satyr-mpxd \ Personal \ Certificates, and click Add.

  8. Right-click on the Certificates folder and from the appearing menu select All tasks / Import. The Certificate Import Wizard will be displayed. Click Next.

  9. Selecting the certificate to import

    Figure 16. Selecting the certificate to import


    Select the certificate to import (e.g.: C:/tmp/Satyr_CA.crt) and click Next.

  10. Selecting the certificate store

    Figure 17. Selecting the certificate store


    Windows offers a suitable certificate store by default, so click Next.

  11. Summary

    Figure 18. Summary


    Click Finish on the summary window and OK on the window that marks the successful importing of the certificate. The main window of MMC is displayed with the imported certificate.

    The imported certificate

    Figure 19. The imported certificate


  12. Restarting the Satyr Multiplexer

    Figure 20. Restarting the Satyr Multiplexer


    Restart the Satyr Multiplexer service. Navigate to Start menu / Settings / Control panel / Administrative Tools / Services and right-click on the Satyr Multiplexer element of the list. Select the Restart option.

4.1.4. Configuring X.509 certificate based authentication (Windows)

For authentication based on X.509 certificates the certificate and the private key of the user have to be deployed onto the workstation. Import the certificate of the user into his/her personal certificate store. This can be accomplished most easily via Internet Explorer:

  1. Start Internet Explorer from the Start menu or from a command prompt by running iexplore.exe.

  2. From the Tools menu select Internet Options.

  3. The certificates of the user

    Figure 21. The certificates of the user


    On the Contents tab click on Certificates.

  4. The certificates of the user

    Figure 22. The certificates of the user


    The certificates of the user are displayed on the Personal tab. Click Import.

    [Note] Note

    Hardware keys and tokens (e.g.: Aladdin) having a suitable driver for Windows are also displayed in this store and can be used from the Zorp Authentication Agent.

  5. Import the certificate using the Certificate Import Wizard.

4.2. Configuration on Debian GNU/Linux platforms

4.2.1. Command line parameters (Linux)

The graphical client (satyr-gtk) has the following command line parameters:

--help or -?

Display a brief help message.

--version or -V

Display version number and compilation information.

--automatic or -a

Enables automatic Kerberos authentication.

--no-syslog or -l

Send log messages to the standard output instead of syslog.

--verbose <verbosity> or -v <verbosity>

Set verbosity level to <verbosity>. The default verbosity level is 3; possible values are 0-10.

--logtags or -T

Prepend log category and log level to each message.

Satyr Multiplexer (satyr-mpxd) has the following command line parameters:

--help or -?

Display a brief help message.

--version or -V

Display the version number of satyr-mpxd.

--no-syslog or -l

Send log messages to the standard output instead of syslog.

--verbose <verbosity> or -v <verbosity>

Set verbosity level to <verbosity>. The default verbosity level is 3; possible values are 0-10.

--logtags or -T

Prepend log category and log level to each message.

--aliasfile or -a

The name (including full path) of a text file (e.g.: /tmp/aliases) used by Satyr Multiplexer to redirect the authentication requests of certain users to a different user in multiuser environments. E.g.: to redirect all authentication requests of the root user to MainUser add the following line to the file: root: MainUser.

--log-spec or -s

Set verbosity mask on a per category basis. Each log message has an assigned multi-level category, where levels are separated by a dot. For example, HTTP requests are logged under http.request. <spec> is a comma separated list of log specifications. A single log specification consists of a wildcard matching log category, a colon, and a number specifying the verbosity level of that given category. Categories match from left to right. E.g.: --log-spec 'http.*:5,core:3'. The last matching entry will be used as the verbosity of the given category. If no match is found the default verbosity specified with --verbose is used.

--no-require-ssl or -S

Disable the SSL encryption of the communication between Zorp and the Multiplexer.

--bind-address or -b, and --bind-port or -p

The IP address and the port the Multiplexer is accepting connections on.

--crt-dir or -t

Path of the directory containing the certificate of the CA that issued the certificate of the Zorp firewall.

--crl-dir or -r

Path of the directory containing the Certificate Revocation List (CRL) related to the above CA.
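The --log-spec rules above (comma-separated wildcard:level entries, last match wins, --verbose as the fallback) are easy to get wrong when tuning a noisy Multiplexer, so here is an added example that resolves them; it is not satyr-mpxd's own implementation. It assumes the wildcard is matched shell-style (fnmatch) against the whole category name, so a specification without a wildcard such as core:3 matches only the category core.

```python
from fnmatch import fnmatchcase


def parse_log_spec(spec: str) -> list:
    """'http.*:5,core:3' -> [('http.*', 5), ('core', 3)].

    Raises ValueError on a malformed entry instead of silently ignoring it,
    which is how a typo would otherwise leave a category at the default level.
    """
    items = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        pattern, sep, level = part.rpartition(":")
        if not sep or not pattern or not level.isdigit():
            raise ValueError(f"bad log specification: {part!r}")
        items.append((pattern, int(level)))
    return items


def verbosity_for(category: str, spec: str, default: int = 3) -> int:
    """Verbosity of one category: the last matching entry wins, else the
    --verbose default (3 unless given otherwise)."""
    level = default
    for pattern, lvl in parse_log_spec(spec):
        if fnmatchcase(category, pattern):
            level = lvl
    return level


def should_log(category: str, msg_level: int, spec: str, default: int = 3) -> bool:
    """A message is emitted when its level is at or below its category's verbosity."""
    return msg_level <= verbosity_for(category, spec, default)
```

With the manual's own example, `verbosity_for("http.request", "http.*:5,core:3")` is 5, `core` is 3, and a category no entry matches falls back to whatever --verbose set. Because the last match wins, a more specific entry must come after the general one: 'http.*:5,http.request:7' raises http.request to 7, whereas the reverse order would leave it at 5.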

4.2.2. Configuring SSL-encrypted connections (Linux)

To enable encryption between Zorp and the authentication agent complete the following steps. See Chapter 14, Key and certificate management in Zorp in the Zorp Administrator's Guide for the steps to be completed from ZMC.

4.2.2.1. Procedure – Encrypting the communication between Zorp and the authentication agent (Linux)

  1. Create a CA (e.g.: Satyr_CA) using the Zorp Management Console (ZMC). This CA will be used to sign the certificates shown by the Zorp firewalls to the authentication agents.

  2. Export the CA certificate into PEM format.

  3. Generate certificate request(s) for the Zorp firewall(s) and sign it with the CA created in Step 1.

    [Note] Note

    Every firewall should have its own certificate. Do not forget to set the firewall as the Owner host of the certificate.

  4. Distribute the certificates to the firewalls.

  5. Install the Zorp Authentication Agent (Satyr) application to the workstations and import to each machine the CA certificate exported in Step 2.

    To import the CA certificate complete the following steps:

    1. Create the /etc/satyr/ca directory:

      mkdir /etc/satyr/ca

    2. Copy the certificate exported into PEM format in Step 2 into the /etc/satyr/ca directory.

    3. Verify the hash of the CA certificate:

      openssl x509 -in /etc/satyr/ca/cacert.pem -hash -noout

    4. Create a symlink to the certificate file using the hash received in the above step. Add the .0 suffix (or the next free suffix if .0 is already taken) to the file as an extension, e.g.:

      ln -s /etc/satyr/ca/cacert.pem /etc/satyr/ca/6d2962a8.0

    5. Restart the Satyr Multiplexer daemon:

      /etc/init.d/satyr-mpxd restart

      The authentication client is now ready to accept encrypted connections from Zorp.

  6. Create the appropriate outband authentication policies in ZMC and reference them in the services of Zorp. See Chapter 18, Connection authentication and authorization in the Zorp Administrator`s Guide for details.
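Steps 3 and 4 of the procedure above, and step 5 of the apt procedure in Section 3.2.1, both install a CA certificate under a hash-named symlink, and step 4 adds the detail that matters in practice: use the next free suffix if <hash>.0 is already taken, because a second CA whose subject hashes to the same value would otherwise overwrite the trusted one. The following added example (not part of the Satyr packages) automates that. It runs the same openssl x509 -hash -noout command the manual uses, copies the certificate into /etc/satyr/ca (the manual's --crt-dir), reuses an existing link that already points at the same file, and otherwise picks the first free suffix. Everything apart from the directory name and the openssl command is this example's own choice.

```python
import os
import shutil
import subprocess
from pathlib import Path

CA_DIR = "/etc/satyr/ca"  # directory the manual tells satyr-mpxd to use (--crt-dir)


def subject_hash(cert_path) -> str:
    """The 8-hex-digit subject name hash, via the same command the manual runs."""
    result = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-hash", "-noout"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def next_free_link(directory, hash_hex: str, exists=None) -> Path:
    """First <hash>.N in directory that is not taken yet (N = 0, 1, 2, ...).

    `exists` is injectable for testing; by default it checks the filesystem and
    counts dangling symlinks as taken, since OpenSSL stops at the first gap.
    """
    directory = Path(directory)
    if exists is None:
        exists = lambda p: p.exists() or p.is_symlink()
    n = 0
    while exists(directory / f"{hash_hex}.{n}"):
        n += 1
    return directory / f"{hash_hex}.{n}"


def install_ca(cert_path, directory=CA_DIR) -> Path:
    """Copy a PEM CA certificate into directory and add its hash symlink.

    Returns the symlink path. A link that already points at this file is
    reused; a different CA with the same hash gets the next free suffix
    instead of overwriting .0.
    """
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    dest = directory / Path(cert_path).name
    if Path(cert_path).resolve() != dest.resolve():
        shutil.copy2(cert_path, dest)
    h = subject_hash(dest)
    for existing in directory.glob(f"{h}.*"):
        if existing.is_symlink() and os.readlink(existing) == str(dest):
            return existing  # already installed under this hash
    link = next_free_link(directory, h)
    os.symlink(str(dest), link)  # absolute target, as in the manual's ln -s
    return link


if __name__ == "__main__":
    import sys
    print(install_ca(sys.argv[1]))  # e.g. install_ca("/tmp/cacert.pem"), then restart satyr-mpxd
```

`python3 install_ca.py /tmp/cacert.pem` as root prints the link it created, e.g. /etc/satyr/ca/6d2962a8.0 for the certificate in the manual's example; restart the Multiplexer afterwards as step 5 says. The same function installs the apt.balabit.com CA into /etc/ssl/certs if that directory is passed instead.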

4.2.3. Configuring X.509 certificate based authentication (Linux)

For authentication based on X.509 certificates the certificate and the private key of the user have to be deployed onto the workstation. Create a directory called .satyr in the home folder of the user and copy the certificate and private key of the user in PEM format into this directory. Use the cert.pem and key.pem filenames, or create symlinks with these names pointing to the certificate and the key file. The authentication agent will automatically use the certificate found in this directory.


© 2007-2011 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com