Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N 300-011-843 REV A01 January 14, 2011



Similar documents
Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION WITH CLIENTS

Setting Up a Unisphere Management Station for the VNX Series P/N Revision A01 January 5, 2010

Generating an Apple Push Notification Service Certificate

Installing and Configuring vcenter Multi-Hypervisor Manager

RSA Security Analytics

Scenarios for Setting Up SSL Certificates for View

SolarWinds Technical Reference

Replacing vcenter Server 4.0 Certificates VMware vsphere 4.0

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

LoadMaster SSL Certificate Quickstart Guide

Managing Multi-Hypervisor Environments with vcenter Server

Installing Management Applications on VNX for File

Secure IIS Web Server with SSL

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

CA NetQoS Performance Center

Setting Up SSL on IIS6 for MEGA Advisor

Obtaining SSL Certificates for VMware Horizon View Servers

CA Nimsoft Unified Management Portal

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION AND TROUBLESHOOTING

ESET SECURE AUTHENTICATION. API SSL Certificate Replacement

Browser-based Support Console

PROXY SETUP WITH IIS USING URL REWRITE, APPLICATION REQUEST ROUTING AND WEB FARM FRAMEWORK OR APACHE HTTP SERVER FOR EMC DOCUMENTUM EROOM

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

HTTPS Configuration for SAP Connector

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

Obtaining SSL Certificates for VMware View Servers

HTTP Server Setup for McAfee Endpoint Encryption (Formerly SafeBoot) Table of Contents

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Configuring Security Features of Session Recording

Exchange 2010 PKI Configuration Guide

Certificate Management for your ICE Server

EMC Data Protection Search

Microsoft Exchange 2010 and 2007

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

Installing and Configuring a Server Certificate for use by MailSite Fusion with TLS/SSL A guide for MailSite Administrators

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

MultiSite Manager. Using HTTPS and SSL Certificates

SQL Server 2008 and SSL Secure Connection

Wavecrest Certificate

HP Device Manager 4.7

Enable SSL for Apollo 2015

Technical Notes P/N Rev 01

Outlook Web Access Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

EMC ViPR Controller. Version 2.4. User Interface Virtual Data Center Configuration Guide REV 01 DRAFT

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Copyright 2013 EMC Corporation. All Rights Reserved.

Replacing Default vcenter Server 5.0 and ESXi Certificates

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

etoken Enterprise For: SSL SSL with etoken

Managing Web Server Certificates on idrac

CERTIFICATE-BASED SSO FOR MYDOCUMENTUM OUTLOOK WITH IBM TAM WEBSEAL

Symantec Managed PKI. Integration Guide for ActiveSync

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

RSA Security Analytics Netflow Collection Configuration Guide

RSA Security Analytics Netflow Collection Configuration Guide

Mobility Manager 9.0. Installation Guide

EMC ViPR Controller Add-in for Microsoft System Center Virtual Machine Manager

Connection and Printer Setup Guide

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Symantec AntiVirus Corporate Edition Patch Update

CERTIFICATE BASED SSO FOR MYDOCUMENTUM OUTLOOK WITH IBM TAM WEBSEAL

Certificate technology on Pulse Secure Access

Using Windows Administrative Tools on VNX

X.509 Certificate Generator User Manual

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

Certificate technology on Junos Pulse Secure Access

How to Install SSL Certificates on Microsoft Servers

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

Using Group Policy to Manage and Enforce ACL on VNX for File P/N REV A01 February 2011

Installation Guide. SafeNet Authentication Service

Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy

Enterprise Content Management System Monitor 5.1 Security Considerations Revision CENIT AG Brandner, Marc

Replacing VirtualCenter Server Certificates VMware Infrastructure 3

Docufide Client Installation Guide for Windows

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

HP Device Manager 4.6

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

Clearswift Information Governance

How to: Install an SSL certificate

Active Directory Adapter with 64-bit Support Installation and Configuration Guide

IBM WEBSPHERE LOAD BALANCING SUPPORT FOR EMC DOCUMENTUM WDK/WEBTOP IN A CLUSTERED ENVIRONMENT

Run Archive Server for MDaemon in HTTPS

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Web Remote Access. User Guide

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

PowerChute TM Network Shutdown Security Features & Deployment

WHITE PAPER Citrix Secure Gateway Startup Guide

Generating SSH Keys and SSL Certificates for ROS and ROX Using Windows AN22

Domino Certification Authority and SSL Certificates

Microsoft IIS Integration Guide

RSA envision Windows Eventing Collector Service Deployment Overview Guide

Implementing an SSL security on AppliDis Servers running under Windows 2008 Server R2

EMC Celerra Network Server

DIGIPASS CertiID. Getting Started 3.1.0

CLIENT CERTIFICATE (EAP-TLS USE)

INSTALLING YOUR SSL CERTIFICATE ON THE FILEHOLD SERVER ON WINDOWS 2008 X64 ON IIS 7

Transcription:

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N 300-011-843 REV A01 January 14, 2011 This document contains information on these topics: Introduction... 2 Terminology... 2 HTTPS Concepts... 3 Obtaining an Appropriate X.509 Certificate... 4 Configuring the ESRS HTTPS Listener Service to Use the Appropriate X.509 Certificate... 7 Configuring ConnectHome to Verify the Server Identity... 11 Troubleshooting... 12 1

Introduction Introduction Terminology This technical note presents a method for securing the HTTPS connection between the ConnectHome feature on a Control Station and the EMC Secure Remote Support (ESRS) HTTPS Listener Service installed on a host system that is running Microsoft Windows. After you have installed and configured the two components and the connection is shown to be working (by using the default HTTPS configuration), you should provide the ESRS HTTPS Listener Service with an X.509 certificate that is specific to the system that is hosting the service. This action allows any ConnectHome client to verify the server identity. ESRS HTTPS Listener (EHL) Service HTTPS A component of the ESRS IP Client that accepts the HTTPS event notifications from a ConnectEMC client application that is running on an EMC device. HTTP Secure, also known as HTTP over SSL X.509 Certificate (also commonly referred to as an SSL Certificate ) PKI A form of identification in which a subject s name is bound to a public key. The signer of the certificate is asserting that the entity using the certificate is who (or what) they say they are. Public Key Infrastructure Certificate Authority The entity that verifies that the identifying information in an X.509 certificate is legitimate. 2

HTTPS concepts HTTPS concepts HTTPS protects the HTTP exchanges between two systems. Typically, this protection uses encryption to protect the traffic over the network and enables the client, which is the system initiating the exchange, to verify the identity of the server. You can use HTTPS without verifying the server s identity, but this leaves the exchange open to man-in-themiddle attacks. In order for a client system to verify the identity of the server, the server will present to a client an X.509 certificate that identifies the server and is associated with a private key to which only the server system should have access. This allows the HTTPS handshake process to use a challenge and response protocol in which the client system can verify that the server has the private key associated with the certificate and, to the extent that the certificate is trusted, be assured that it is communicating with the right server. Logically, three systems are involved in establishing a valid HTTPS connection. These are: The client system that initiates a connection. For the purposes of this technical note, this is the Control Station which is initiating a ConnectHome call. The server system that receives the connection and may be expected to verify its identity. The Certificate Authority (CA), which verifies that the information in the X.509 certificate used by the server is correct (that is, the server is what or who it says it is). The CA can be either an external signing authority or the server system itself. In the latter case, this results in a self-signed certificate. The server is essentially stating that it is what it says it is. Before any clients can verify the server s identity, the server must obtain a suitable X.509 certificate. This certificate is signed by some entity to verify the information is correct, even if that entity is the server itself. Once this certificate is in place and the client initiates a connection to the server, the server presents the client with this certificate. The client verifies that the information in the certificate agrees with what it expected (typically, that either the hostname or IP address match what it used to connect to the server) and then must decide how trustworthy the certificate is (who signed it and whether to believe that signing 3

Obtaining an appropriate X.509 certificate authority). The following sections describe how to obtain and install a suitable certificate on the EHL hosting system and how to configure the Control Station to accept it. Obtaining an appropriate X.509 certificate The following sections describe different methods for obtaining or generating an X.509 certificate. Environments with an internal Certificate Authority If you are installing the EHL service and the ConnectHome feature in an environment that has a Certificate Authority (CA) in place, then an established process should exist for generating a Certificate Signing Request (CSR) for the system hosting the EHL service. Follow this process to install the resulting signed certificate on the EHL hosting system using the site s documented process. The process for enabling the Control Station to recognize this authority is described in the section Configuring ConnectHome to verify the server identity. Where there is an appropriate certificate already installed To verify if an appropriate X.509 certificate is installed already on the system hosting the EHL service: 1. On the Windows system hosting the EHL service, start the Microsoft Management Console (MMC). From Start menu select Run. Enter mmc as the command to run. 2. Add the Certificates snap-in for the Local Computer (See the Windows system s online help for more detailed instructions). 4

Obtaining an appropriate X.509 certificate 3. In the list on the left-hand side of the screen, select: Certificates (Local Computer) Personal Certificates 4. In the right-hand pane, find the certificate that identifies the system by IP address or hostname. Be sure that the certificate has a corresponding private key. In the case where a suitable certificate is already in place, determine the signing authority (either a Certificate Authority or self-signed) and locate the corresponding public certificate so that the Control Station can verify the server s identity (discussed in section Configuring ConnectHome to verify the server identity). Using the Control Station to generate a self-signed X.509 certificate If the environment does not have a preferred method or mechanism for generating an X.509 certificate and a suitable certificate is not installed already, use the Control Station to generate a suitable certificate. Follow these steps: 1. Record either the IP address or the fully qualified hostname of the system hosting the EHL service. Record the form of the host ID that you will use for configuring ConnectHome. This example uses the following IP address: IP Address: 10.245.52.25 2. Log in to the Control Station using SSH. Any valid user account is 5

Obtaining an appropriate X.509 certificate acceptable; you do not need to be the root user. 3. Generate a self-signed X.509 certificate with a corresponding private key with the command (all on one line): openssl req x509 newkey rsa:1024 out mycert.pem keyout mykey.pem days 365 outform PEM This command creates a self-signed certificate (the subject and issuer are the same) and a corresponding key (mycert.pem and mykey.pem, respectively). This certificate has a key length of 1024 bits and is valid for one year. To have a larger key size, change the -newkey argument to rsa:2048. To change the length of time for which the certificate is valid, change the argument to the -days option. NOTE: It is important to protect the private key (mykey.pem). If this is compromised, the security of the HTTPS connection is compromised. 4. Type the following command (all on one line) to bundle the resulting certificate (mycert.pem) and associated private key (mykey.pem) into a PKCS #12 bundle that can be imported on the Windows system that is hosting the EHL service: Openssl pkcs12 export out mypkg.p12 in mycert.pem inkey mykey.pem 5. Transfer the resulting PKCS #12 file (mypkg.p12) to the Windows system that is hosting the EHL service. When transferring this file, remember to indicate that it is a binary file. You can delete the private key file mykey.pem from the Control Station once the transfer is complete. Retain a copy of the public certificate, mycert.pem, for later use. 6

Configuring the ESRS HTTPS Listener Service to use the appropriate X.509 certificate Configuring the ESRS HTTPS Listener Service to use the appropriate X.509 certificate The two steps required to configure the ESRS HTTPS Listener Service to use the appropriate certificate are: 1. Importing the X.509 certificate into the certificate store (if it s not already there). 2. Configuring the EHL service to use the new certificate. Importing an X.509 certificate and corresponding private key Once you have transferred the PKCS #12 file to the system hosting the EHL service, use the following steps to import the X.509 certificate: 1. Start the Microsoft Management Console (MMC). 2. Add the Certificates snap-in for the local computer. (See the online help for more detailed instructions.) 3. In the list on the left-hand side of the screen, select: Certificates (Local Computer) Personal Certificates 4. Right-click the Certificates folder, select All Tasks Import, and follow the prompts to import the PKCS#12 certificate bundle from its location. 5. Once the import has completed, double click on the resulting certificate. A dialog box similar to the following should appear. 7

Configuring the ESRS HTTPS Listener Service to use the appropriate X.509 certificate Note that the Issued to: and Issued by: entries are the same value. This indicates the certificate is self-signed. Next note that the certificate store considers the certificate to be untrusted. You should make the certificate trusted for this system by importing the public certificate into the Trusted Root Certification Authorities store. Do this by importing the PKCS#12 bundle into the certificate store again but into a different folder. The process is the same as outlined above except that in step 3, select Certificates (Local Computer) Trusted Root Certification Authorities Certificates. Once you have done this, the original certificate similar to the following should appear: 8

Configuring the ESRS HTTPS Listener Service to use the appropriate X.509 certificate Configuring the EHL Service to use the installed certificate Once a suitable certificate is installed in the certificate store, you must configure the EHL to use it. The following steps describe how to configure the EHL service to use the appropriate X.509 certificate: 1. In the Certificates snap-in, double-click the certificate (see step 5 in the previous procedure). 2. Select the Details tab and find the Thumbprint value. This should be a SHA 1 hash of the certificate and should look similar to the following: 9

Configuring the ESRS HTTPS Listener Service to use the appropriate X.509 certificate 3. Make a note of the thumbprint value. 4. In a Windows shell, go to the location where the esrshttps.exe is installed; for example: C:\Program Files\EMC\ESRS IP Client\Gateway\ESRSHTTPS 5. Run the command esrshttps.exe config. 6. In the dialog box that appears, make sure the following values are set as shown: Scheme = https IP Address = The IP address for the system hosting the EHL service. This value should be the same in the X.509 certificate. Port = 443 Root Dir: As appropriate for the ESRS IP Client installation location. In the example above, it would be: C:\Program Files\EMC\ESRS IP Client 10

Configuring ConnectHome to verify the server identity SSLHASH = The SHA 1 thumbprint value recorded in step 3 above. Enter this value without spaces and with the letters (if any) in UPPERCASE o DACEB92817329422A3C8A7421874EF1E8AFF67A3 o NOT da ce b9 28 17 32 94 22 a3 c8 a7 42 18 74 ef 1e 8a ff 67 a3 Your dialog box will look similar to the following (with some values specific to the site): 7. Click Save. 8. Verify that the esrshttps.exe.config file includes the correct values. If any values differ from what is expected, you can edit the config file directly. 9. Start (or restart) the EHL service. 10. Verify in the log file that the service started correctly using the supplied certificate. The log file lists the supplied SSLHash value that is being used and verifies that it was found in the certificate store. Configuring ConnectHome to verify the server identity The ConnectHome feature can verify the server identity of the EHL service host if the public certificate of the signing authority has been copied to the Control Station. If the EHL host is using a self-signed certificate, this would be the public certificate that is presented. If an internal CA signed the, then this would be the public certificate of the CA. In either case, make sure that the certificate is in PEM form. To point the ConnectHome feature to the right certificate, use the command: nas_connecthome modify https_ca_file 11

Troubleshooting Troubleshooting /path/to/cert/mycert.pem To enable verification of the EHL system address, use the command: nas_connecthome https_verify_server yes Once you have completed these two commands, verify the connection with the command: nas_connecthome test https If the HTTPS connection from the ConnectHome client to the EHL service is not working, consider the following: Verify that the connection was working before any certificate changes were made. In some environments, you may need to change internal firewall settings. Verify the information in the X.509 certificate that the EHL service is using. o o Is the IP address correct? Does the system hosting the EHL service have a static IP address? Is the value that the certificate has for the host the same as the one that the ConnectHome client is using? They should both have either the IP address or the hostname. Do not mix and match and do not supply both values in the X.509 certificate. Verify that the esrshttps.exe.config file has the information you expect. Be sure to verify the thumbprint. Look at the esrshttps.log file in the EHL log directory. It may indicate the system cannot locate the certificate or that the HTTPS port (443) is already in use by another service. If it is the latter, use a different port or stop the competing service. For instructions on changing the port, go to the EMC Online Support website (at http://support.emc.com) and locate the EMC Secure Remote Support IP Solutions Guide. Verify that the appropriate Certificate Authority public X.509 certificate is on the Control Station and configured correctly for the ConnectHome client. 12

Troubleshooting Copyright 2011 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners. 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information