Set up SSL in Deployment Solution 7.5

Table of Contents
Installing certificates
    Manually installing certificates
Notification Server/Site Servers
    Import Certificate into IIS
    Set https bindings
    Configure SSL Settings
Console Settings
    Targeted Agent Settings
    Package codebase Publishing
    Extract SSL Certificates Policies
SSL Certificate Installation
    Notification Server
    Task Server
    Package Server
    Manual Installation
    Server type-specific install paths
Preboot Configurations
    WinPE
    LinuxPE
    Recreate Preboot Configurations
    PXE
    Automation Folder
Notification Server Alias
SSL-Related Registry Keys
Troubleshooting Resources
    General Deployment Solution Logging
    SSL Certificate Extraction
    Preboot Configurations
Installing certificates

Certificates will need to be installed on all computers that will be communicating over SSL in production. (It is very possible that the customer has done this already with their own purchased certificate.) The preferred method of installing the certificate throughout the environment is to use a Group Policy. The following is a step-by-step procedure to install on a single machine.

Manually installing certificates

1. Obtain/locate the customer's SSL Certificate Personal Information Exchange (.pfx) file. This certificate will either have been purchased or generated by the customer for their servers and/or environment.
2. Right-click on the .pfx file and choose Install PFX. This will bring up the Certificate Import Wizard.
3. Input the path and password as necessary.
4. When prompted for Certificate Store, choose Place all certificates in the following store and click Browse.
5. Check Show physical stores, expand Trusted Root Certification Authorities and select Local Computer, then click OK.
6. Click Next, then Finish. The wizard will notify you whether the installation was successful.
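The same result as the wizard steps above, scripted for a single machine. This is an added example and not part of the original guide; the .pfx path is an assumed placeholder, and the script must run from an elevated PowerShell session with the PKI module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original guide): install the customer's .pfx into the
# Local Computer "Trusted Root Certification Authorities" store, as the wizard steps do.
# $PfxPath is an assumed placeholder; run from an elevated PowerShell session.
$PfxPath = 'C:\Temp\customer-ssl.pfx'
$PfxPass = Read-Host -AsSecureString 'PFX password'

if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX file not found: $PfxPath"
}

# Cert:\LocalMachine\Root is the Local Computer physical store under
# Trusted Root Certification Authorities.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\Root' `
                              -Password $PfxPass

# Verify the certificate is now present in the store by thumbprint.
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($installed) {
    Write-Host "Installed: $($installed.Subject) (expires $($installed.NotAfter))"
} else {
    throw 'Certificate was not found in the Trusted Root store after import.'
}
```

Only the IIS servers need the private key. For the client computers, exporting the public part with Export-Certificate (a .cer file) and installing that into the same Root store gives them the trust they need without distributing the .pfx; on older hosts without the PKI module, certutil -addstore Root <file.cer> does the same thing.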
Notification Server/Site Servers

Several things will need to be configured on the Notification Server and Site Servers, mostly in IIS, in order to set up the servers to use SSL communication.

Import Certificate into IIS

1. Open IIS Manager and select the root Server Name in the left tree menu.
2. In the center content window, open Server Certificates. The server's certificate should be listed there.
3. If it is not, import it: on the right sidebar, click Import, browse to the .pfx file, and enter the appropriate password.
4. The newly imported certificate should now be listed on the Server Certificates pane.
If a .pfx certificate is not readily available, a self-signed certificate can be created on that server:

1. On the right sidebar, click Create Self-Signed Certificate.
2. Input a friendly name for the certificate on this server.
3. The newly created self-signed certificate will be listed under Server Certificates.

*Note: On the Site Servers, the name on the certificate must match the name of the server in order to allow correct communication between clients and that server.*

Set https bindings

1. Open IIS Manager and select Default Web Site.
2. On the right sidebar, select Bindings.
3. In the Site Bindings dialog box, choose Add.
4. Select https from the drop-down menu.
5. Verify the port is set to 443.
6. Under SSL certificate, select the appropriate certificate.
7. Click OK, then click Close.

*Complete the Targeted Agent Settings section before making the following changes to the SSL Settings on the NS, to prevent blocking agent communication.*

Configure SSL Settings

1. Back on the Default Web Site page in IIS Manager, open SSL Settings.
2. Check the Require SSL box, then click Apply in the right sidebar.
3. It will notify you that the changes have been successfully saved.
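The three IIS Manager procedures above (import or create the server certificate, add the https binding, require SSL) as one script. This is an added example, not from the original guide; it assumes the WebAdministration module that ships with IIS, an elevated session, and a placeholder .pfx path (set it to $null to fall back to a self-signed certificate as the guide describes).

```powershell
# Added example (not from the original guide): IIS certificate, https binding and
# Require SSL, run in an elevated PowerShell on the Notification Server or a Site Server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$PfxPath  = 'C:\Temp\customer-ssl.pfx'   # assumed placeholder; $null => self-signed fallback
$PfxPass  = if ($PfxPath) { Read-Host -AsSecureString 'PFX password' }
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Put the server certificate where IIS looks for it (Local Computer "Personal" store).
if ($PfxPath -and (Test-Path -LiteralPath $PfxPath)) {
    $cert = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass
} else {
    # Self-signed fallback from the guide; the name must match the server name.
    $cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'
}

# Site Server caveat from the guide: warn if the certificate is not issued to this host.
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($cert.Subject -notmatch [regex]::Escape($fqdn) -and $dnsNames -notcontains $fqdn) {
    Write-Warning "Certificate '$($cert.Subject)' does not name this host ($fqdn)."
}

# 2. Add the https binding on port 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# 3. Attach the certificate to the binding (IIS:\SslBindings maps IP!port to a cert).
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
$cert | New-Item $sslBinding | Out-Null

# 4. Require SSL on the site. As the guide warns, do this on the NS only after the
#    Targeted Agent Settings already point agents at https.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Show the resulting bindings for a quick visual check.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
```

Step 4 is what turns away plain-http agents, so keeping it last mirrors the ordering the guide insists on: switch the agents to https first, then require it on the server.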
Console Settings

In the Management Console, the following settings need to be changed to get clients to correctly use SSL in their communications. These changes will only take effect on the clients after they receive an updated configuration.

Targeted Agent Settings

1. Open Targeted Agent Settings in the Management Console.
2. With a group selected on the left, open the Advanced tab.
3. Check the Specify an alternate URL box, and change the Server Web: field to https.
4. Click Save changes.
5. Repeat the process for all affected/relevant groups.

*Note: Deployment Pre-Boot Environment must be changed to allow WinPE/LinuxPE to communicate with the NS.*
Package codebase Publishing

1. Open Site Server Settings in the Management Console.
2. In the left tree menu, open Site Management >> Settings >> Package Settings >> Package Services Settings.
3. Under Published Codebase Types, check the Publish IIS hosted codebases box and select the Publish HTTPS codebases radio button.
4. Click Save changes.

Extract SSL Certificates Policies

1. Open All Settings in the Management Console.
2. In the left tree menu, open Settings >> Agents/Plug-ins >> Deployment and Migration >> Windows (x64) >> Extract SSL Certificate (x64) Install and enable it (set to On).
3. Click Save changes.
4. Repeat this with Windows (x86) >> Extract SSL Certificate (x86) Install.
SSL Certificate Installation

The Extract SSL Certificate policy configured in the console will run on the Notification Server, Task Servers, and Package Servers in the environment. File names and locations differ depending on the type of server to which they are installed. This installation should execute without any intervention. Below are instructions to verify it has run successfully, and to run it manually if it has not.

Notification Server

On the Notification Server, the .pfx and .xml files should be located in the <Program Files>\Altiris\Notification Server\NSCap\bin\Deployment\Certificates directory.

Task Server

On a Task Server, the .pfx and .xml files should be located in the <Program Files>\Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates directory.

Package Server

On a Package Server, the .pfx and .xml files should be located in the <Program Files>\Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates directory.

*Note: If a server has multiple roles, it will populate only one of these locations/sets of files, in the priority order of NS, then TS, then PS. For example, if a server is both a Task Server and a Package Server, it will only have the Task Server-specific files installed to the Task Server-specific location.*
Manual Installation

Should the correct files not be present/installed on the server, a manual installation can be done using the following steps.

1. On the server in question, check the Management Agent's Software Delivery tab for the Extract SSL Certificate policy. If it is present, double-click it and open the Download History tab. Click to open one of the listed source locations.
2. If the Extract SSL Certificate policy is not present, or the policy has no source locations, follow the next step; otherwise, skip it.
3. If the Extract SSL Certificate policy was not present, or the policy has no source locations, open \\<servername>\nscap\bin\deployment\installs\certificate\<x64 or x86> in Windows Explorer.
4. Take the two files in the directory (from either of the steps above) and copy them to a local, non-package-share location on the server.
5. In an Administrator: Command Prompt, run the executable file with the switch exportcert to install the appropriate certificate. Additional command windows may appear during the execution of this application.
6. Verify that the certificate files were installed to the correct directory for the roles of that server. The paths are listed again below.

Server type-specific install paths

Notification Server: <Program Files>\Altiris\Notification Server\NSCap\bin\Deployment\Certificates
Task Server: <Program Files>\Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates
Package Server: <Program Files>\Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates
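A check for the verification step above, walking the three role-specific paths in the NS > TS > PS priority order the guide describes. This is an added example and not part of the original guide; it assumes the components are installed under the standard Program Files location (adjust $rolePaths if not).

```powershell
# Added example (not from the original guide): report which role-specific Certificates
# directory holds the .pfx/.xml pair. Paths follow the guide; install root is assumed.
$pf = ${env:ProgramFiles}
$rolePaths = [ordered]@{
    'Notification Server' = Join-Path $pf 'Altiris\Notification Server\NSCap\bin\Deployment\Certificates'
    'Task Server'         = Join-Path $pf 'Altiris\Altiris Agent\Client Task Server\ServerWeb\Deployment\Certificates'
    'Package Server'      = Join-Path $pf 'Altiris\Altiris Agent\Package Server Agent\Deployment_Cert\Certificates'
}

function Test-DsCertificateFiles {
    param([System.Collections.IDictionary]$Paths)
    # One result object per role directory that exists on this server.
    foreach ($role in $Paths.Keys) {
        $dir = $Paths[$role]
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $pfx = Get-ChildItem -LiteralPath $dir -Filter *.pfx -ErrorAction SilentlyContinue
        $xml = Get-ChildItem -LiteralPath $dir -Filter *.xml -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role    = $role
            Path    = $dir
            PfxFile = ($pfx | Select-Object -First 1 -ExpandProperty Name)
            XmlFile = ($xml | Select-Object -First 1 -ExpandProperty Name)
            Ok      = [bool]($pfx -and $xml)
        }
    }
}

$results = @(Test-DsCertificateFiles -Paths $rolePaths)
$results | Format-Table -AutoSize

# Only one location is populated per server (the highest-priority role wins), so the
# first directory with both files is the expected one. Nothing found means the policy
# has not run here and the manual exportcert steps above apply.
$populated = $results | Where-Object { $_.Ok } | Select-Object -First 1
if ($populated) {
    "Certificate files present for role: $($populated.Role)"
} else {
    Write-Warning 'No role directory contains the .pfx/.xml pair; run the manual installation.'
}
```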
Preboot Configurations

Configuration files within the preboot environments also need to be set to direct Agent communication to use SSL protocols and ports when connecting to the server(s). These should be changed automatically when SSL is enabled on the server and the appropriate SSL policies are enabled in the console. These configuration files should be changed without user intervention, but below are the locations where this can be verified, as well as instructions to change them if needed.

*Note: All the file locations listed below are on the Notification Server. These are the Package Sources, and will be replicated to Site Servers as part of the normal Package Replication process. This can be expedited by forcing a Package update on all Site Servers.*

WinPE

Open the PECTAgent.ini configuration file at <Program Files>\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\<x86 or x64>\base\program Files\Symantec\Deployment to check settings. Confirm the SMPPort value is set to 443 and the SMPProtocol value is set to https. If these are not set, change the values as needed.

*Note: Be sure to change the files in both the x86 and x64 directories so that the WinPE files are changed for both architectures.*
LinuxPE

Using Notepad or a simple text editor, open the .aex-agent-install-config configuration file at <Program Files>\Altiris\Deployment\BDC\bootwiz\oem\DS\Linux\x86\Base\tmp to check settings. Confirm the NSPort value is set to 443 and the NSProtocol value is set to https. If these are not set, change the values as needed.

Recreate Preboot Configurations

These newly changed files will be built into all preboot configurations created going forward. If there are existing preboot configurations, they will need to be recreated in order for the changed files to be included.

1. In the Management Console, open Settings >> Deployment >> Create Preboot Configurations.
2. Select the preboot configuration to recreate, then click Recreate Preboot Configuration.
3. A pop-up will confirm that a recreation has been initiated.

PXE

Once each Site Server has rebuilt the configuration on its server, it will be available for clients to PXE boot into.

Automation Folder

Once the automation folder has been recreated on the Notification Server, the newly built folder will need to be installed on the affected client machine(s). This can be done via policy, by uninstalling and then reinstalling on the client machines, or via task, by pushing the installer package.
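A check for the WinPE and LinuxPE settings described above, run on the Notification Server before recreating the preboot configurations. This is an added example and not part of the original guide; it assumes both configuration files carry simple key=value lines for the keys the guide names, and that BDC is installed under the standard Program Files location.

```powershell
# Added example (not from the original guide): verify SMPPort/SMPProtocol in both WinPE
# PECTAgent.ini files and NSPort/NSProtocol in the LinuxPE .aex-agent-install-config.
# Paths follow the guide; the install root and the key=value file layout are assumptions.
$bootwiz = Join-Path ${env:ProgramFiles} 'Altiris\Deployment\BDC\bootwiz\oem\DS'

$checks = @(
    foreach ($arch in 'x86', 'x64') {
        [pscustomobject]@{
            Name     = "WinPE $arch"
            File     = Join-Path $bootwiz "winpe\$arch\base\program Files\Symantec\Deployment\PECTAgent.ini"
            Expected = @{ SMPPort = '443'; SMPProtocol = 'https' }
        }
    }
    [pscustomobject]@{
        Name     = 'LinuxPE x86'
        File     = Join-Path $bootwiz 'Linux\x86\Base\tmp\.aex-agent-install-config'
        Expected = @{ NSPort = '443'; NSProtocol = 'https' }
    }
)

function Get-KeyValueSettings {
    param([string]$Path)
    # Parse key=value lines into a case-insensitive hashtable; skip [sections],
    # comment lines (; or #) and blank lines.
    $map = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([^;#\[=][^=]*?)\s*=\s*(.*?)\s*$') {
            $map[$matches[1]] = $matches[2]
        }
    }
    $map
}

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.File)) {
        Write-Warning "$($c.Name): file not found: $($c.File)"
        continue
    }
    $actual = Get-KeyValueSettings -Path $c.File
    foreach ($key in $c.Expected.Keys) {
        $status = if ($actual[$key] -eq $c.Expected[$key]) { 'OK' } else { 'MISMATCH' }
        '{0,-12} {1,-12} expected={2,-6} actual={3,-6} {4}' -f `
            $c.Name, $key, $c.Expected[$key], $actual[$key], $status
    }
}
```

A MISMATCH on any row means the preboot sources still point agents at plain http; fix the file, then recreate the preboot configurations so the corrected files are built in and replicated to the Site Servers.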
Notification Server Alias

In some cases, the Notification Server will use an aliased name. This alias will be the name on the certificate, and DNS should be set up to resolve the aliased name correctly. As of the release of Deployment Solution 7.5 HF2, there is a known issue regarding this type of setup. For the most current information, please reference Knowledge Base Article TECH214199.

SSL-Related Registry Keys

Though these are related to Notification Server functionality in general and have probably been changed already, the values should be confirmed for correct functionality. Verify that the following keys are set to the correct values:

HKLM\SOFTWARE\Altiris\AIM\Configuration\NsConfiguration\NsWebSitePort = 443
HKLM\SOFTWARE\Altiris\AIM\Configuration\NsConfiguration\NsWebSiteSSL = True
Troubleshooting Resources

In the event that files/installations/changes are not occurring correctly, the following are log files and file locations which may be useful in troubleshooting.

General Deployment Solution Logging

This log file tracks general Deployment Solution tasks and activity on a server with Deployment components installed. It is created in <Program Files>\Altiris\Altiris Agent\Agents\Deployment\Logs by default.
DSTasks.txt

SSL Certificate Extraction

These log files are created when the Extract SSL Certificate policy attempts to execute on the Notification Server, Task Server, and Package Server. They are created in C:\ by default.
DSPluginInstall.log
IISCertDeployVBS.txt

Preboot Configurations

When creating/recreating preboot configurations, Boot Disk Creator generates a log file. It is created in <Program Files>\Altiris\Deployment\Logs by default.
Bootwiz.log
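A single report that covers the registry check from the SSL-Related Registry Keys section and the log files listed under Troubleshooting Resources. This is an added example and not part of the original guide; the log paths are the guide's defaults under the standard Program Files location, and the keyword filter on the log tails is an assumption about what is worth surfacing.

```powershell
# Added example (not from the original guide): confirm the two SSL registry values and
# summarise the troubleshooting logs named in the guide. Install root is assumed.
$regPath  = 'HKLM:\SOFTWARE\Altiris\AIM\Configuration\NsConfiguration'
# NsWebSiteSSL may be stored as the string "True" or a DWORD 1; accept either.
$expected = [ordered]@{ NsWebSitePort = @('443'); NsWebSiteSSL = @('True', '1') }

"== Registry ($regPath) =="
$props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = if ($props) { $props.$name } else { $null }
    $ok     = "$actual" -in $expected[$name]
    '{0,-15} expected={1,-6} actual={2,-6} {3}' -f `
        $name, ($expected[$name] -join '/'), $actual, $(if ($ok) { 'OK' } else { 'CHECK' })
}

"`n== Log files =="
$logs = @(
    (Join-Path ${env:ProgramFiles} 'Altiris\Altiris Agent\Agents\Deployment\Logs\DSTasks.txt'),
    'C:\DSPluginInstall.log',
    'C:\IISCertDeployVBS.txt',
    (Join-Path ${env:ProgramFiles} 'Altiris\Deployment\Logs\Bootwiz.log')
)
foreach ($log in $logs) {
    if (-not (Test-Path -LiteralPath $log)) {
        "$log  (not present)"
        continue
    }
    $f = Get-Item -LiteralPath $log
    '{0}  ({1:N0} bytes, modified {2})' -f $log, $f.Length, $f.LastWriteTime
    # Surface recent lines mentioning errors or SSL/certificate activity (assumed filter).
    Get-Content -LiteralPath $log -Tail 200 |
        Where-Object { $_ -match 'error|fail|ssl|https|cert' } |
        Select-Object -Last 10 |
        ForEach-Object { "    $_" }
}
```

A missing DSPluginInstall.log or IISCertDeployVBS.txt on a Task or Package Server usually means the Extract SSL Certificate policy never ran there, which points back to the Manual Installation section rather than to IIS.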