RDS Directory Synchronization. SSL Guide




RDS Directory Synchronization SSL Guide
Software Version 3.1.1
For Windows, Linux and UNIX operating systems
August 4, 2009
RepliWeb, Inc., 6441 Lyons Road, Coconut Creek, FL 33073
Tel: (954) 946-2274, Fax: (954) 337-6424
E-mail: info@repliweb.com, Support: http://support.repliweb.com

Copyright 2009 RepliWeb Inc., All Rights Reserved
The information in this manual has been compiled with care, but RepliWeb, Inc. makes no warranties as to its accuracy or completeness. The software described herein may be changed or enhanced from time to time. This information does not constitute a commitment or representation by RepliWeb and is subject to change without notice. The software described in this document is furnished under license and may be used and/or copied only in accordance with the terms of this license and the End User License Agreement. No part of this manual may be reproduced or transmitted, in any form, by any means (electronic, photocopying, recording or otherwise) without the express written consent of RepliWeb, Inc.
Windows and Windows XP are trademarks of Microsoft Corporation in the US and/or other countries. UNIX is a registered trademark of Bell Laboratories licensed to X/OPEN. Any other product or company names referred to in this document may be the trademarks of their respective owners.
Please direct correspondence or inquiries to:
RepliWeb, Inc.
6441 Lyons Road
Coconut Creek, Florida 33073
USA
Telephone: (954) 946-2274
Fax: (954) 337-6424
Sales & General Information: info@repliweb.com
Documentation: docs@repliweb.com
Technical Support: http://support.repliweb.com
Website: http://www.repliweb.com

Table of Contents
1. Security
2. Overview
3. SSL Introduction
   Confidentiality
   Integrity
   Authentication
4. SSL Terminology
   Public Key Cryptography
   Digital Certificates
   Certificate Authority
   SSL Handshake
5. SSL 3.1.1 in RDS
   GUI
   CLI
   Using RDS Defaults
6. Common SSL Configurations
   Controller Authenticating Console
      Console authentication
   Mutual Controller-Satellite Authentication
      Controller Settings (Client)
      Satellite Settings (Server)
   Controller Authenticating Consoles & Satellites
      Console-Controller Communication
      Controller-Satellite Communication
7. Multiple Trusted Certificate Authorities
   Using Multiple Approved CA Files
   Using a Multiple Approved CA Path

1. Security
RDS security mechanisms allow using the Internet and Internet-based VPNs and WANs as an efficient replication channel, without the concerns of data loss, pilferage or malicious impersonation. RDS uses SSL end-to-end, making integration with other systems seamless. RDS allows authenticated and encrypted data transfer of valuable digital assets between hosts. All access is denied by default, unless specifically permitted, and is granular to the file level. Trusted IP addresses, subnets, users and schedules are supported, as well as the total anonymity of user/password/directory information from one host to another, thus allowing for secure transport between untrusted networks. This authentication proxy mechanism adds a layer of autonomy to B2B content replication, enabling hosts that do not trust each other to synchronize massive content stores without having to divulge anything beyond the machine name or IP address, virtual user and virtual password.

2. Overview
RDS offers the following SSL features:
- Three certificate authentication levels: Certificate level / Common Name / None
- A choice of strong encryption ciphers
- Private key-phrase protection
NOTE: SSL is enabled for jobs using the WAN or LFA transport engines. When using SSL, all traffic in the job, such as snapshot generation and files transfer, is encrypted.
SSL communication is supported both for Console-Controller communication and Controller-Satellite communication. In a typical SSL session, the Server presents its digital certificate to the Client and the Client, in turn, presents the Server with its own digital certificate. To successfully negotiate an SSL connection, the Client and the Server must authenticate each other. This type of authentication is referred to as mutual authentication. Both the Client and the Server are required to have digital certificates from trusted certificate authorities. When using mutual authentication, both the Server and the Client need private keys and digital certificates that represent their identity. This type of authentication restricts access to trusted clients only.
Figure 1: SSL Topology
Using RDS for Console-Controller communication with SSL, the Console is the Client and the Controller is the Server. For Controller-Satellite SSL communication (during a replication process), the Controller is the Client and the Satellite is the Server.
NOTE: When using an SSL connection for both Console-Controller and Controller-Satellite communication, the Controller needs to be configured twice: once as an SSL Server and once as an SSL Client.

3. SSL Introduction
The SSL 3.1.1 protocol protects your data against tampering and provides the following security features:
- Confidentiality
- Integrity
- Authentication
Confidentiality
Confidentiality is the ability to keep communications secret from parties other than the intended recipient. It is achieved by encrypting data with strong algorithms. The SSL protocol provides a secure mechanism that enables two communicating parties to negotiate the strongest algorithm they both support and to agree on the key with which to encrypt the data.
Integrity
Integrity is a guarantee that the data being transferred has not been modified in transit. The same handshake mechanism, which allows the two parties to agree on algorithms and keys, also allows the two ends of an SSL connection to establish shared data integrity secrets, which are used to ensure that any modifications are detected when data is received.
Authentication
Authentication is the ability to ascertain with whom you are speaking. By using digital certificates and public key security, RDS client and server applications can each be authenticated to the other. This allows the two parties to be certain they are communicating with someone they trust.
The SSL protocol provides secure connections by allowing two applications connecting over a network connection to authenticate each other's identity and by encrypting the data exchanged between the applications. When using the SSL protocol, the target always authenticates itself to the initiator. Encryption makes data transmitted over the network intelligible only to the intended recipient. An SSL connection begins with a handshake during which the applications exchange digital certificates, agree on the encryption algorithms to use, and generate encryption keys used for the remainder of the session. The SSL protocol uses public key encryption for authentication.

4. SSL Terminology
Public Key Cryptography
Public-key cryptography, also known as asymmetric cryptography, uses a pair of keys that work together to fulfill one or both of the following functions:
- Encrypt and decrypt information
- Sign and verify digital signatures
One key is freely distributed (the public key) while the other key (the private key) is kept secret. The sender uses the public key to encrypt messages to the recipient. The recipient uses his or her private key to decrypt messages from the sender. Similarly, the sender may use his or her private key to sign a digital signature. The recipient uses the sender's public key to verify the authenticity of the sender's signature. The private key will only work with its corresponding public key.
Digital Certificates
Digital certificates are electronic documents used to uniquely identify entities over networks such as the Internet. A digital certificate securely binds the client/server identity, as verified by a trusted third party known as a certificate authority (CA), to a particular public key. The combination of the public key and the private key provides a unique identity to the owner of the digital certificate. Digital certificates provide confirmation that a specific public key does in fact belong to the sender. A recipient of a digital certificate can use the public key contained in the digital certificate to verify that a digital signature was created with the corresponding private key. If the verification is successful, the recipient can be certain that the corresponding private key belongs to the subject named in the digital certificate, and that the digital signature was created by that particular subject.
A digital certificate typically includes a variety of information, such as:
- The name of the subject (holder, owner) and other identification information required to uniquely identify the subject, such as the hostname of the node using the digital certificate (in the Common Name field), or an individual's email address.
- The subject's public key.
- The name of the certificate authority that issued the digital certificate.
- A serial number.
- The validity period (or lifetime) of the digital certificate (defined by a start date and an end date).

Certificate Authority
Digital certificates are issued by a Certificate Authority (CA). Any trusted third-party organization or company that is willing to vouch for the identities of those to whom it issues digital certificates and public keys can be a certificate authority. When a certificate authority creates a digital certificate, the certificate authority signs it with its private key, to ensure the detection of tampering. The certificate authority then returns the signed digital certificate to the requesting subject. The subject can verify the digital signature of the issuing certificate authority by using the public key of the certificate authority. The certificate authority makes its public key available by providing a digital certificate issued from a higher-level certificate authority attesting to the validity of the public key of the lower-level certificate authority. Thus, digital signatures establish the identities of communicating entities, but a digital signature can be trusted only to the extent that the public key for verifying the digital signature can be trusted.
SSL Handshake
The SSL handshake establishes the encrypted connection. This is accomplished in part by mutual authentication, whereby the client authenticates itself to the server and the server authenticates itself to the client. Authentication involves digital certificates, which employ public-key encryption techniques. During the SSL handshake, the server and client exchange a symmetric session key. The session key itself is encrypted using public-key techniques, so only the intended recipient can decrypt it.

5. SSL 3.1.1 in RDS
RDS uses OpenSSL to enable Encryption and Authentication for:
- Console-Controller communication, effective for RDS Console-Controller, RTM Console-RTM Organizer and RTM Console-RTM Host.
- Controller-Satellite communication, effective for WAN transfer replication jobs.
SSL sessions can be configured using the RTM GUI and the Manage / Controller or Manage / Console SSL Settings options on the Console GUI user interfaces.
NOTE: For maximal data-security, although the key-phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on each of the Controllers and Satellites, and not over the network.

GUI
NOTE: Only users with Administrative Group Privileges on the Controller may configure SSL settings. Connecting to a UNIX Controller, use root or root-like users (UID and GID 0); connecting to a Windows Controller, use a member of the Administrator group on the Controller.
Figure 2: SSL Configuration
NOTE: Use the default certificate and key provided with RDS to configure and test SSL communication. However, for a production environment, it is recommended to use certificates provided by a Certificate Authority (CA).
Internal Tabs
Select one of the 4 end-points to configure:
- Console (Client): Configure the Client in a Console-Controller communication.
- Controller / RTM Organizer / RTM Host (Server): Configure the Server in a Console-Controller communication.
- Controller (Client): Configure the Client in a Controller-Satellite replication process communication.
- Satellite (Server): Configure the Server in a Controller-Satellite replication process communication.
Local Certificate
Specify how the machine being configured introduces itself in the Authentication stage.
Use Files: Specify the Certificate and Key file names to be used. If unchecked, the default certificate, private key and private key phrase will be used. If checked, the following will be used:
- Certificate: Specify the full path to the CA Certificate file.
- Private Key: Specify the full path to the private key file.
- Private Key Phrase: Specify the password to read the private key file. The key phrase is kept encrypted and hidden.
NOTE: The Private Key Phrase is kept encrypted for each Windows Login user separately.
Other Side Authentication
Specify how the machine being configured verifies the other side in the Authentication stage.
Authenticate Using: Select the authentication type that will take place:
- Certificate: Authenticate the other end using a certificate.
- Certificate + Name: Authenticate the other end by using a certificate and the Common Name written in the certificate.
- Server / Client Common Name: When using authentication by name, this name will be expected in the other end's certificate.
- None: Do not authenticate the other end. The SSL session will use encryption but not authentication. This option is only available in Console-Controller communication.
NOTE: When authenticating the other side using Certificate or Certificate + Name, the other side has to have the Local Certificate / Use Files option checked.
Use Approved CA: If unchecked, the default certificate, private key and private key phrase will be used. If checked, the following will be used:
- CA File: Specify the full path to a file containing trusted certificate authorities info.
- CA Dir: Specify the full path to a directory containing trusted certificate authorities files.
Encryption
Select the encryption type to use during the SSL session. Options are:
- DES: DES (Data Encryption Standard) applies a 56-bit key to each 64-bit block of data.
- 3DES: Triple DES.
- RC2: RC2 (Rivest's Cipher 2) is a variable key-size block cipher.
- RC4: RC4 is a variable key-size block cipher with a key size range of 40 to 128 bits. It is faster than DES and is exportable with a key size of 40 bits.
- Use Server Defaults: The encryption type is selected by the server automatically.
NOTE: Encryption can be set on the Client side only.
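The Local Certificate, Other Side Authentication and Use Approved CA groups above map onto an ordinary OpenSSL client or server context. The following is an added example, not RepliWeb code, showing how the three Authenticate Using levels and the Common Name comparison behave in Python's OpenSSL-based ssl module; AuthLevel, SslEndpointSettings, build_context, common_name and authenticate_peer are names assumed for the illustration, and the peer certificate dictionary in the demo is constructed.

```python
"""Added example (not RepliWeb code): RDS-style 'Authenticate Using' levels
(None / Certificate / Certificate + Name) on top of Python's ssl module.
All class and function names here are assumptions for the illustration."""
import ssl
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AuthLevel(Enum):
    """The three 'Authenticate Using' levels of the RDS SSL tab."""
    NONE = "None"                            # encrypt only, never verify the peer
    CERTIFICATE = "Certificate"              # peer cert must chain to an approved CA
    CERTIFICATE_NAME = "Certificate + Name"  # ...and its Common Name must match


@dataclass
class SslEndpointSettings:
    """One end-point's settings, named after the GUI fields (assumed mapping)."""
    is_server: bool                             # Satellite / Controller (Server) vs. Console / Controller (Client)
    cert_file: Optional[str] = None             # Local Certificate -> Use Files -> Certificate
    key_file: Optional[str] = None              # Local Certificate -> Use Files -> Private Key
    key_phrase: Optional[str] = None            # password that unlocks the private key file
    auth_level: AuthLevel = AuthLevel.NONE      # Other Side Authentication -> Authenticate Using
    expected_common_name: Optional[str] = None  # Server / Client Common Name
    ca_file: Optional[str] = None               # Use Approved CA -> CA File
    ca_dir: Optional[str] = None                # Use Approved CA -> CA Dir (OpenSSL hashed-link directory)


def build_context(s: SslEndpointSettings) -> ssl.SSLContext:
    """Turn the settings into an SSLContext, rejecting inconsistent
    combinations before any socket is opened."""
    if s.auth_level is not AuthLevel.NONE and not (s.ca_file or s.ca_dir):
        raise ValueError("Certificate-based authentication needs an approved CA file or directory")
    if s.auth_level is AuthLevel.CERTIFICATE_NAME and not s.expected_common_name:
        raise ValueError("Certificate + Name needs the expected Common Name")

    # PROTOCOL_TLS_SERVER / PROTOCOL_TLS_CLIENT do not pull in the system CA
    # store, so only the approved CA configured below is trusted.
    proto = ssl.PROTOCOL_TLS_SERVER if s.is_server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    # RDS compares the peer's Common Name itself (see authenticate_peer), so
    # the hostname check is disabled; it must be off before CERT_NONE is set.
    ctx.check_hostname = False
    if s.cert_file:  # 'Use Files' checked: present this certificate to the peer
        ctx.load_cert_chain(s.cert_file, s.key_file, password=s.key_phrase)
    if s.auth_level is AuthLevel.NONE:
        ctx.verify_mode = ssl.CERT_NONE      # encryption without authentication
    else:
        # The peer must present a certificate signed by an approved CA; this is
        # why the guide says the other side must have 'Use Files' checked.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=s.ca_file, capath=s.ca_dir)
    return ctx


def common_name(peer_cert: Optional[dict]) -> Optional[str]:
    """Extract the subject Common Name from an SSLSocket.getpeercert() dict."""
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def authenticate_peer(peer_cert: Optional[dict], level: AuthLevel,
                      expected_common_name: Optional[str] = None) -> bool:
    """Apply the chosen level to the peer certificate. getpeercert() returns
    an empty dict when no certificate was presented or it was not verified."""
    if level is AuthLevel.NONE:
        return True
    if not peer_cert:
        return False                         # chain verification did not happen
    if level is AuthLevel.CERTIFICATE:
        return True
    # Certificate + Name: exact match, since the guide notes Common Names are case sensitive.
    return common_name(peer_cert) == expected_common_name


if __name__ == "__main__":
    # Constructed peer certificate dict in the shape getpeercert() returns.
    satellite = {"subject": ((("organizationName", "RepliWeb"),), (("commonName", "RDSServer"),))}
    print(authenticate_peer(satellite, AuthLevel.CERTIFICATE_NAME, "RDSServer"))   # True
    print(authenticate_peer(satellite, AuthLevel.CERTIFICATE_NAME, "rdsserver"))   # False
```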

CLI
Using the CLI, use the appropriate qualifier to specify SSL usage:
- Console-Controller communication: -controller_ssl / -nocontroller_ssl. Specifies to RDS that all communication to the Controller will be over SSL.
- Controller-Satellite communication, effective for WAN transfer replication and replication jobs: the -ssl / -nossl qualifier in the submit command. Specifies to RDS that all communication with the Satellites will be over SSL.
NOTE: The CLI cannot be used to set SSL properties. This can only be performed using the GUI.

Using RDS Defaults
Sample key files and certificates are located in the following default directories:
Windows: ~\RepliWeb\RDS\Config\SSL
UNIX: ~/repliweb/rds/config/ssl/
The files are:
- Client certificate: rds_client_cert.pem
- Client private key file: rds_client_key.pem
- Server certificate: rds_server_cert.pem
- Server private key file: rds_server_key.pem
- Trusted CA (RepliWeb) certificate: trusted_ca_cert.pem
Key Phrases for the default private keys are:
- Client private key phrase: rdsclient
- Server private key phrase: rdsserver
Common Names:
- Client Common Name: RDSClient
- Server Common Name: RDSServer
The default Certificates directory is located in:
Windows: ~\RepliWeb\RDS\Config\SSL\Cert
UNIX: ~/repliweb/rds/config/ssl/cert
These directories may be used for the Multiple Approved CA Path option. They contain the files (Windows) and links (UNIX) required for this option.
NOTE: Key Phrases and Common Names are case sensitive.

6. Common SSL Configurations
This chapter explains in detail what properties need to be set for common SSL configurations.
Controller Authenticating Console
In this configuration the Controller authenticates all Consoles connecting to it.
Figure 3: Controller Authenticating Console
The configuration settings steps are as follows:
1. Set Console and Controller SSL for Console Authentication.
2. Test the Console connection using SSL by opening the Console GUI and connecting to the Controller.
Console authentication
Set Console and Controller SSL for Console Authentication, and then verify the settings by connecting to the Controller using the Console GUI.
Console Settings (Client)
1. On the Console machine create a directory which would include the following files:
   - Certificate file identifying the Console (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, select the menu option Manage / Console SSL Settings. This option can be performed while the Console is not connected to any Controller (offline).
3. If connected to a Controller, using the Console GUI, select the Manage / Controller / SSL tab menu option:
   a. To configure the machine the Console is currently running on, connect to localhost.
   b. To configure a remote Console, connect to the remote Controller on that machine.
   Local Certificate: the Console (Client) will be authenticated using the following:
   - Check Use Files.
   - Browse to the client Certificate and Private Key files copied earlier.
   - Enter Private Key Phrase. Using the default RDS files, the key phrase is: rdsclient
   Other Side Authentication: The Console is not authenticating the Controller, hence the fields are left blank.
   - Authenticate Using: None
   - Leave Use Approved CA unchecked.
   - Encryption: Select any value.
4. Click Save.
Controller Settings (Server)
NOTE: For maximal data-security, although the key-phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Controller, and not over the network.
1. On the Controller machine create a directory which would include the following file:
   - Trusted Certificate Authority file.
2. Using the Console GUI, connect to the Controller, and select the menu option Manage / Controller / SSL Tab.
3. Select the Controller (Server) sub-tab.
   Local Certificate: The Controller is not being authenticated, hence the Controller Authentication fields are left blank.
   - Leave Use Files unchecked.
   Other Side Authentication: the Console (Client) will be authenticated using the following:
   - Authenticate Using: Certificate + Name
   - Enter Client Common Name. Using the default RDS files, the Client Common Name is: RDSClient
   - Check Use Approved CA.
   - Browse to the Trusted CA file.
4. Click Save.

Testing Console-Controller Communication
Test the SSL settings defined so far. Using the Console GUI, connect to the Controller using SSL.
Figure 4: Connecting using SSL
When the connection is approved and the main Console window is opened, the SSL lock is displayed in the Controller Status bar at the bottom of the screen.
Figure 5: Console Connected with SSL

Mutual Controller-Satellite Authentication
In this configuration the Controller and Satellite authenticate each other during Replication jobs.
Figure 6: Mutual Authentication
The configuration settings steps are as follows:
1. Set Controller SSL for Satellite Authentication.
2. Set Satellite SSL for Controller Authentication.
3. Test Controller-Satellite communication using SSL by running an RDS job.
Controller Settings (Client)
NOTE: For maximal data-security, although the key-phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Controllers, and not over the network.
1. On the Controller machine create a directory which would include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Controller (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, connect to the Controller, and select the menu option Manage / Controller / SSL Tab.
3. Select the Controller (Client) sub-tab.
   Local Certificate: the Controller (Client) will be authenticated using the following:
   - Check Use Files.
   - Browse to the client Certificate and Private Key files copied earlier.
   - Enter Private Key Phrase. Using the default RDS files, the key phrase is: rdsclient
   Other Side Authentication: The Satellite (Server) will be authenticated using the following:
   - Authenticate Using: Certificate + Name
   - Enter Client Common Name. Using the default RDS files, the Client Common Name is: RDSServer
   - Check Use Approved CA.
   - Browse to the Trusted CA file.
   - Encryption: Select any value.
4. Click Save.
Satellite Settings (Server)
NOTE: On a Satellite-only machine, only the RTM Console can be used to manage SSL settings for that Satellite. If the Satellite machine also has the Controller component installed, then SSL settings for that Satellite can be performed through the RDS Console GUI connected to the Controller.
NOTE: For maximal data-security, although the key-phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console GUI on the Satellite, and not over the network, using the RTM Console.
1. On the Satellite machine create a directory which would include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Satellite (Server).
   - Private Key file that matches the Certificate file.
2. Using the RTM Console, select the Satellite and click on the Manage menu option.
3. Select the Satellite (Server) sub-tab.
   Local Certificate: the Satellite (Server) will be authenticated using the following:
   - Check Use Files.
   - Browse to the server Certificate and Private Key files copied earlier.
   - Enter Private Key Phrase. Using the default RDS files, the key phrase is: rdsserver
   Other Side Authentication: The Controller (Client) will be authenticated using the following:
   - Authenticate Using: Certificate + Name
   - Enter Client Common Name. Using the default RDS files, the Client Common Name is: RDSClient
   - Check Use Approved CA.
   - Browse to the Trusted CA file.
4. Click Save.

Testing Controller-Satellite Communication
Test the SSL settings defined so far.
1. Using the Console GUI, connect to the Controller.
2. Define an Upload job from the Controller to the Satellite.
3. In the Performance Tab, select to use the WAN or LFA transport engine and check the Use SSL option. Make sure the job actually transfers data.
NOTE: SSL is not available when using the LAN transport engine.
Figure 7: Job Definition with SSL
The General Report should indicate that SSL was used during the transfer stage:
12:27:18 Starting files transfer to target
Using WAN Transfer Engine
Using SSL authentication and encryption

Controller Authenticating Consoles & Satellites
In this configuration the Controller authenticates all Consoles and all Satellites connecting to it, and the Consoles and Satellites authenticate the Controller. The Controller plays a dual role here, once as a Server (in a Console-Controller communication), and once as a Client (in a Controller-Satellite communication).
Figure 8: Controller Authenticating Console & Satellites; Console & Satellites Authenticating the Controller
The configuration settings steps are as follows:
1. Set Console and Controller SSL for Console-Controller Communication.
2. Test the Console connection using SSL by opening the Console GUI and connecting to the Controller.
3. Set Controller and Satellite SSL for Controller-Satellite Communication.
4. Test Satellite communication using SSL by running an RDS job using the WAN transfer engine.

Console-Controller Communication
Set Console and Controller SSL properties, and then verify the settings by connecting to the Controller using the Console GUI.
Console Settings (Client)
1. On the Console machine create a directory which would include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Console (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, select the menu option Manage / Console SSL Settings. This option can be performed while the Console is not connected to any Controller (offline).
3. If connected to a Controller, using the Console GUI, select the menu option Manage / Controller / SSL tab:
   a. To configure the machine the Console is currently running on, connect to localhost.
   b. To configure a remote Console, connect to the remote Controller on that machine.
   Local Certificate: the Console (Client) will be authenticated using the following:
   - Check Use Files.
   - Browse to the client Certificate and Private Key files copied earlier.
   - Enter Private Key Phrase. Using the default RDS files, the key phrase is: rdsclient
   Other Side Authentication: The Console is not authenticating the Controller, hence the fields are left blank.
   - Authenticate Using: Certificate + Name
   - Enter Server Common Name. Using the default RDS files, the Client Common Name is: RDSServer
   - Check Use Approved CA.
   - Browse to the Trusted CA file.
   - Encryption: Select any value.
4. Click Save.
Controller Settings (Server)
NOTE: For maximal data-security, although the key-phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Controller, and not over the network.
1. On the Controller machine create a directory which would include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Controller (Server).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, connect to the Controller, and select the menu option Manage / Controller / SSL Tab.
3. Select the Controller (Server) sub-tab.
   Local Certificate: The Controller is not being authenticated, hence the Controller Authentication fields are left blank.
   - Leave Use Files unchecked.
   Other Side Authentication: the Console (Client) will be authenticated using the following:
   - Authenticate Using: Certificate + Name
   - Enter Client Common Name. Using the default RDS files, the Client Common Name is: RDSClient
   - Check Use Approved CA.
   - Browse to the Trusted CA file.
4. Click Save.

Testing Console-Controller Communication
Test the SSL settings defined so far. Using the Console GUI, connect to the Controller using SSL.
Figure 9: Connecting using SSL
When the connection is approved and the main Console window is opened, the SSL lock is displayed in the Controller Status bar at the bottom of the screen.
Figure 10: Console Connected with SSL

Controller-Satellite Communication
Set Controller and Satellite SSL properties, and then verify the settings by running a replication job from the Controller to the Satellite using the WAN Transfer Engine with SSL.
Controller Settings (Client)
NOTE: For maximal data-security, although the key-phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Controllers, and not over the network.
1. On the Controller machine create a directory which would include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Controller (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, connect to the Controller, and select the menu option Manage / Controller / SSL Tab.
3. Select the Controller (Client) sub-tab.
   Local Certificate: The Satellite is not authenticating the Controller, hence the Controller Authentication fields are left blank.
   - Leave Use Files unchecked.
   Other Side Authentication: The Satellite (Server) will be authenticated using the following:
   - Authenticate Using: Certificate + Name
   - Enter Client Common Name. Using the default RDS files, the Client Common Name is: RDSServer
   - Check Use Approved CA.
   - Browse to the Trusted CA file.
   - Encryption: Select any value.
4. Click Save.

Satellite Settings (Server)

NOTE: On a Satellite-only machine, only the RTM Console can be used to manage the SSL settings of that Satellite. If the Satellite machine also has the Controller component installed, the SSL settings of that Satellite can be set through the RDS Console GUI connected to the Controller.

NOTE: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using a local RTM Console on the Satellite, and not over the network.

1. On the Console machine, create a directory containing the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Satellite (Server).
   - Private Key file that matches the Certificate file.
2. Using the RTM Console, select the Satellite and click the Manage menu option.
   Local Certificate: the Satellite (Server) is authenticated using the following:
   - Check Use Files and browse to the server Certificate and Private Key files copied earlier.
   - Enter the Private Key phrase. With the default RDS files the key phrase is: rdsserver
   Other Side Authentication: the Satellite is not authenticating the Controller, so these fields are left blank. They are used only if the Controller (Client) sub-tab presents a certificate (Use Files checked there); in that case set Authenticate Using: Certificate + Name, enter the Controller's Common Name (RDSClient with the default RDS files), check Use Approved CA and browse to the Trusted CA file.
3. Click Save.

NOTE: The default RDS certificate, private key and key phrase are identical in every installation and are published in this guide, so they are not secret. They are adequate for verifying that the SSL configuration works, not for protecting production replication traffic: issue your own certificates from a CA you control and point the Trusted CA file at that CA before relying on the Use Approved CA check.
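Each of the three procedures above asks for the same inputs: a Trusted CA file, a certificate, the private key that matches it (protected by a key phrase), and the Common Name the other side is configured to expect. A mismatch in any of them only shows up as a failed connection in the GUI. The script below is an added example, not code from the RDS guide or from RepliWeb: it runs those checks with the openssl command-line tool before the files are pointed at in the SSL tab. The file names, the throwaway CAs and the client key phrase rdsclient are constructed for the demo; only the names RDSServer, RDSClient and the server key phrase rdsserver come from the guide.

```shell
#!/bin/sh
# Added example (not part of the RDS guide): pre-flight checks for the
# Trusted CA file, certificate, private key and expected Common Name used
# in the RDS SSL tabs. Requires only the openssl command line.
#
# check_rds_ssl_files CERT KEY TRUSTED_CA EXPECTED_CN [KEY_PHRASE]
# Prints one line per failed check; returns 0 only when every check passes.
check_rds_ssl_files() {
  cert="$1"; key="$2"; ca="$3"; want_cn="$4"; phrase="${5:-}"
  status=0

  # (a) The private key must belong to the certificate. Comparing the
  #     public keys (rather than RSA moduli) works for RSA and EC keys.
  #     A wrong key phrase shows up here as an unreadable key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$phrase" -pubout 2>/dev/null)
  if [ -z "$key_pub" ]; then
    echo "FAIL: cannot read private key $key (wrong key phrase?)"; status=1
  elif [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key $key does not match certificate $cert"; status=1
  fi

  # (b) 'Use Approved CA': the certificate must chain to the Trusted CA file.
  if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "FAIL: $cert is not issued by a CA listed in $ca"; status=1
  fi

  # (c) 'Certificate + Name': the CN must equal the name the peer expects.
  got_cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
           | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$got_cn" != "$want_cn" ]; then
    echo "FAIL: $cert has CN '$got_cn', the peer is configured for '$want_cn'"; status=1
  fi
  return $status
}

# issue_demo_cert DIR NAME CN KEY_PHRASE SERIAL: constructed demo material,
# a key encrypted with KEY_PHRASE and a certificate signed by the demo CA.
issue_demo_cert() {
  openssl req -new -newkey rsa:2048 -subj "/CN=$3" -passout "pass:$4" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/trusted_ca.pem" \
    -CAkey "$1/trusted_ca.key" -set_serial "$5" -out "$1/$2.pem" 2>/dev/null
}

# make_demo_material DIR: a throwaway CA (plays the Trusted CA file), an
# unrelated second CA, and a server/client pair with the guide's default
# Common Names. The client key phrase 'rdsclient' is an assumption.
make_demo_material() {
  mdir="$1"
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo RDS CA" \
    -keyout "$mdir/trusted_ca.key" -out "$mdir/trusted_ca.pem" 2>/dev/null
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Other CA" \
    -keyout "$mdir/other_ca.key" -out "$mdir/other_ca.pem" 2>/dev/null
  issue_demo_cert "$mdir" rdsserver RDSServer rdsserver 1
  issue_demo_cert "$mdir" rdsclient RDSClient rdsclient 2
}

# Stand-alone run: sh check_rds_ssl.sh demo
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d)
  make_demo_material "$tmp"
  echo "Satellite (Server) files, peer configured for RDSServer:"
  check_rds_ssl_files "$tmp/rdsserver.pem" "$tmp/rdsserver.key" \
    "$tmp/trusted_ca.pem" RDSServer rdsserver && echo "  all checks passed"
  echo "Same files against the wrong CA file and the wrong name:"
  check_rds_ssl_files "$tmp/rdsserver.pem" "$tmp/rdsserver.key" \
    "$tmp/other_ca.pem" RDSClient rdsserver
  rm -rf "$tmp"
fi
```

Run it against the real files with the Common Name the other side's sub-tab will hold (RDSServer when checking the Satellite's files, RDSClient when checking the Console's). The three checks map one-to-one onto the GUI fields: (a) Use Files plus the key phrase, (b) Use Approved CA, (c) the Common Name entered under Certificate + Name.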

Testing Controller - Satellite Communication

Test the SSL settings defined so far.
1. Using the Console GUI, connect to the Controller.
2. Define an Upload job from the Controller to the Satellite.
3. In the Performance tab, select the WAN or LFA transport engine and check the Use SSL option. Make sure the job actually transfers data: a job with nothing to transfer never reaches the transfer stage and therefore says nothing about SSL.

NOTE: SSL is not available when using the LAN transport engine.

Figure 11: Job Definition with SSL

The General Report should indicate that SSL was used during the transfer stage:

   12:27:18 Starting files transfer to target
            Using WAN Transfer Engine
            Using SSL authentication and encryption

7. Multiple Trusted Certificate Authorities

Installing a trusted CA (Certificate Authority) certificate on a system means that the system now completely trusts that CA for authentication: any certificate issued by that CA satisfies the Use Approved CA check. If there are multiple authorities to trust, all their certificates should be stored in one place, in one of two layouts: either all authority certificates concatenated into a single file, or one authority certificate per file with all files in a single directory. OpenSSL searches these certificates to verify that the authority that issued the presented certificate is present, and can therefore be trusted.

A typical certificate looks like this (base64 body abbreviated):

-----BEGIN CERTIFICATE-----
MIICgTCCAe...
...
-----END CERTIFICATE-----

Using Multiple Approved CA Files

You can store multiple approved CA certificates in a single file.
1. Using a text editor, append all certificates into one file. Make sure that each certificate is copied in full, including the lines:
   -----BEGIN CERTIFICATE-----
   -----END CERTIFICATE-----
2. Using the RDS Console, in the Manage / SSL Tab of the configured component:
   - Check Use Approved CA.
   - Select the File option.
   - Browse to the file containing all certificates.
3. Click Save.

NOTE: Whenever a CA certificate changes (is replaced), the trusted CA file has to be updated.

Using a Multiple Approved CA Path

Multiple certificates can be stored in a single directory. In this case OpenSSL looks certificates up by the hash value of their subject name, not by file name, so each certificate must be reachable under a file name of the form <hash>.0. The hash algorithm changed in OpenSSL 1.0.0, so names generated with one OpenSSL generation are not found by the other; compare the names you generate with those in the default RDS Cert directory described below.

NOTE: To use this option, a UNIX machine with OpenSSL installed must be used. The certificates can be stored on a Windows machine at the end of the process, but the hashing utility (c_rehash) can be run on UNIX only.

1. Copy all Approved CA files to a single folder, /cert_dir, on the UNIX machine.
2. Run the c_rehash utility to create hash links for all approved CA certificate files in cert_dir (if c_rehash does not pick up the current directory, pass it explicitly: c_rehash /cert_dir):

   > cd /cert_dir
   > ls -l
   -rwxr-xr-x 1 root root  928 Jul 26 09:21 trusted_ca_cert.pem
   --wxrw--wt 1 root root 1314 Jul 29 06:31 trusted_ca_cert_sl.pem
   > c_rehash

3. Verify that a link was created for each of the CA files. Link names are in hexadecimal format:

   > ls -l
   lrwxrwxrwx 1 root root   22 Jul 29 08:53 50d59a91.0 -> trusted_ca_cert_sl.pem
   lrwxrwxrwx 1 root root   19 Jul 29 08:53 58c1d707.0 -> trusted_ca_cert.pem
   -rwxr-xr-x 1 root root  928 Jul 26 09:21 trusted_ca_cert.pem
   --wxrw--wt 1 root root 1314 Jul 29 06:31 trusted_ca_cert_sl.pem

4. This folder is now ready to be used. If the CA files are required on a Windows machine, perform the following steps:
   i. Create a directory with the CA files stored in it.
   ii. Copy each CA file (in the same directory) and name the copy with the corresponding hash value from the UNIX machine.
   iii. In this example the directory now holds 4 files:
        50d59a91.0  identical to trusted_ca_cert_sl.pem
        58c1d707.0  identical to trusted_ca_cert.pem
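Both layouts above have a failure mode that the GUI does not report: a certificate pasted into the combined file with a line missing, or a hashed directory whose names were computed by a different OpenSSL generation than the one doing the lookup. The script below is an added example, not code from the RDS guide or from RepliWeb, serving both the Approved CA File and the Approved CA Path procedures. It checks that every certificate in a concatenated file is complete and parseable, and builds a hashed directory the way c_rehash does, using only openssl x509 (which is available on every OpenSSL build, Windows included, so the UNIX-only restriction on c_rehash does not apply to it). It goes slightly beyond the guide's example by handling two different certificates that share a subject hash, which is what a CA rollover with an unchanged subject name looks like: they get .0 and .1. Directory and file names and the throwaway CAs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the RDS guide): checks for an Approved CA file
# and a c_rehash-style builder for an Approved CA path, using openssl only.

# check_ca_bundle FILE: every certificate in the concatenated file must have
# matching BEGIN/END lines and parse as a certificate. Returns 0 on success.
check_ca_bundle() {
  bundle="$1"
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle")
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$bundle")
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "FAIL: $bundle has $begins BEGIN and $ends END lines"; return 1
  fi
  # Load all certificates in one go and count how many OpenSSL could parse.
  parsed=$(openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null \
           | openssl pkcs7 -print_certs -noout 2>/dev/null | grep -c '^subject')
  if [ "$parsed" -ne "$begins" ]; then
    echo "FAIL: only $parsed of $begins certificates in $bundle parse"; return 1
  fi
  echo "OK: $bundle holds $parsed complete certificate(s)"
  return 0
}

# rehash_ca_dir DIR: for every *.pem in DIR create <subject_hash>.<n>, with
# n = 0, 1, ... for distinct certificates that share a subject hash. Copies
# are used instead of symlinks so the directory works unchanged on Windows.
# Re-running is safe: a certificate already installed is skipped.
rehash_ca_dir() {
  dir="$1"
  for pem in "$dir"/*.pem; do
    [ -f "$pem" ] || continue
    hash=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) || {
      echo "skip: $pem is not a certificate"; continue; }
    n=0
    while [ -e "$dir/$hash.$n" ]; do
      if cmp -s "$pem" "$dir/$hash.$n"; then n=""; break; fi   # already there
      n=$((n + 1))
    done
    if [ -n "$n" ]; then
      cp "$pem" "$dir/$hash.$n"
      old=$(openssl x509 -in "$pem" -noout -subject_hash_old 2>/dev/null)
      echo "$hash.$n -> $(basename "$pem")  (an OpenSSL older than 1.0.0 would look for $old.N)"
    fi
  done
  return 0
}

# new_demo_ca DIR NAME CN: constructed self-signed test CA for the demo.
new_demo_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Stand-alone run: sh ca_dir_check.sh demo
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d); mkdir "$tmp/cert_dir"
  new_demo_ca "$tmp/cert_dir" ca_one "CA One"
  new_demo_ca "$tmp/cert_dir" ca_two "CA Two"
  new_demo_ca "$tmp/cert_dir" ca_one_new "CA One"   # rollover: same subject, new key
  cat "$tmp/cert_dir/ca_one.pem" "$tmp/cert_dir/ca_two.pem" > "$tmp/trusted_ca.pem"
  check_ca_bundle "$tmp/trusted_ca.pem"
  sed '$d' "$tmp/trusted_ca.pem" > "$tmp/truncated.pem"   # END line lost in paste
  check_ca_bundle "$tmp/truncated.pem"
  rehash_ca_dir "$tmp/cert_dir"
  rm -rf "$tmp"
fi
```

The printed "older than 1.0.0" value is the check to make against the default RDS Cert directory: if the names there match the second form, RDS is linked against a pre-1.0.0 OpenSSL and the directory must be built with those hashes (openssl x509 -subject_hash_old) instead.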

5. Using the RDS Console, in the Manage / SSL Tab of the configured component:
   - Check Use Approved CA.
   - Select the Path option.
   - Browse to the folder containing all certificates.
6. Click Save.

NOTE: RDS is installed with a default certificates directory, located in:
   Windows: ~\RepliWeb\RDS\Config\SSL\Cert
   UNIX:    ~/repliweb/rds/config/ssl/cert
These directories may be used with the Multiple Approved CA Path option. They contain the files (Windows) and links (UNIX) required for this option.

For additional information, contact us at support.repliweb.com