Documentation

Retina CS: Using Strong Certificates

November 2012

www.beyondtrust.com
BeyondTrust, 2173 Salk Avenue, Carlsbad, California 92008
Phone: +1 818-575-4000
© 2012 BeyondTrust. All Rights Reserved.

Warranty
This document is supplied on an "as is" basis with no warranty and no support. This document contains information which is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of BeyondTrust.

Limitations of Liability
In no event shall BeyondTrust be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licenses are expressly or implicitly granted (herein) with this white paper. For the latest updates to this document, please visit: http://www.beyondtrust.com

Disclaimer
All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust is not associated with any other vendors or products mentioned in this document.

Using Strong Certificates 2 © 2012. BeyondTrust Software, Inc.
Table of Contents

Introduction ... 4
Requirements ... 4
Configure the Registry ... 4
Remove Existing Certificates ... 5
Generate a Strong Certificate ... 7
Generate new SSL certificate for IIS ... 8
Updating SSRS ... 9
Import the Certificates ... 9
About BeyondTrust Software ... 10
Introduction

To apply strong certificates in Retina CS (or REM), run through the procedures in this guide in the order listed:

1. Configure the Registry (Retina CS or REM host)
2. Remove Existing Certificates (Retina CS or REM host)
3. Generate a Strong Certificate (Retina CS or REM host)
4. Generate a new SSL Certificate for IIS
5. Import the Certificates (target computers)

Requirements

Ensure the following requirements are met before proceeding:

- Windows XP targets need Service Pack 3 installed.
- Windows Server 2003 targets need Microsoft hotfix KB938397 applied. If you are using REM 1505 appliances, ensure the KB is applied on them as well.

Configure the Registry

Configure the registry so that Retina CS generates certificates with 1024-bit or 2048-bit RSA keys. By default the certificates are generated with a 512-bit public key, which Windows clients that have Microsoft's minimum certificate key length update installed no longer accept.

1. Run the regedit tool.
2. Go to HKEY_LOCAL_MACHINE\Software\eEye\EMS on 32-bit systems, or HKEY_LOCAL_MACHINE\Software\Wow6432Node\eEye\EMS on 64-bit systems.
3. Create a DWORD (32-bit) value named UseStrongCerts.
4. Set UseStrongCerts to:
   1 for 1024-bit certificates
   2 for 2048-bit certificates
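The same registry change as steps 1 to 4, done from an elevated PowerShell prompt on the Retina CS or REM host and read back afterwards so a mistyped key path cannot silently leave 512-bit keys in use. This is an added example, not a script shipped by BeyondTrust; the key paths and the UseStrongCerts values are the ones given in the guide, and the bitness test assumes you run the default (64-bit) PowerShell on 64-bit Windows.

```powershell
# Added example (not part of the BeyondTrust guide): set UseStrongCerts so that newly
# generated Retina CS / REM certificates use a 2048-bit RSA key. Run elevated on the host.

$keySize = 2   # 1 = 1024-bit keys, 2 = 2048-bit keys (values from the guide)

# The Retina CS components are 32-bit, so on 64-bit Windows they read the Wow6432Node view.
# PROCESSOR_ARCHITEW6432 is only set inside a 32-bit process on a 64-bit OS.
$is64Bit = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
$regPath = if ($is64Bit) { 'HKLM:\SOFTWARE\Wow6432Node\eEye\EMS' } else { 'HKLM:\SOFTWARE\eEye\EMS' }

if (-not (Test-Path -Path $regPath)) {
    throw "Registry key $regPath not found: is Retina CS / REM installed on this host?"
}

# DWORD (32-bit) value, exactly as the guide specifies; -Force overwrites an existing value.
New-ItemProperty -Path $regPath -Name 'UseStrongCerts' -PropertyType DWord -Value $keySize -Force | Out-Null

# Verify: read the value back and fail loudly if it is not what we asked for.
$actual = (Get-ItemProperty -Path $regPath -Name 'UseStrongCerts').UseStrongCerts
if ($actual -ne $keySize) {
    throw "UseStrongCerts is $actual, expected $keySize"
}
Write-Host "UseStrongCerts=$actual set under $regPath"
```

Set $keySize to 1 if you need 1024-bit keys for compatibility; the remaining procedures in this guide are the same for either value.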
Remove Existing Certificates

Remove the old certificates (eeyeemsclient, eeyeemsserver, eeyeemsca) from the Local Computer certificate store.

1. Run the mmc tool.
2. Go to File->Add/Remove Snap-in.
3. Add the Certificates snap-in for the Computer account on the Local Computer.
4. Remove the client and server certificates (eeyeemsclient, eeyeemsserver) from the Personal store.
5. Remove the eeyeemsca certificate from Trusted Root Certification Authorities.
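The same removal as steps 1 to 5, scripted so it can be repeated on the host and later on each target, with a dry-run mode that lists what would be deleted before anything is touched. This is an added example, not a BeyondTrust tool; it assumes the three certificates carry the subject names listed in the guide as their CN, and it uses the .NET X509Store API rather than the Cert: drive so it also works on the PowerShell 2.0 hosts of this era.

```powershell
# Added example (not part of the BeyondTrust guide): remove the old eeyeemsclient and
# eeyeemsserver certificates from LocalMachine\My and eeyeemsca from LocalMachine\Root.
# Run elevated. Leave $dryRun = $true on the first pass to review the matches.

$dryRun = $true

# Store name -> subject CNs to remove (names as given in the guide; adjust if yours differ).
$storeMap = @{
    'My'   = @('eeyeemsclient', 'eeyeemsserver')
    'Root' = @('eeyeemsca')
}

foreach ($storeName in $storeMap.Keys) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Snapshot the matches first: removing from the live collection while enumerating it is unsafe.
        $found = @($store.Certificates | Where-Object {
            $cn = $_.Subject -replace '^.*?CN=([^,]+).*$', '$1'
            $storeMap[$storeName] -contains $cn      # -contains is case-insensitive
        })

        if ($found.Count -eq 0) {
            Write-Host "LocalMachine\${storeName}: nothing to remove"
        }
        foreach ($cert in $found) {
            Write-Host ("LocalMachine\{0}: {1}  thumbprint={2}  expires={3}" -f `
                $storeName, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
            if (-not $dryRun) {
                $store.Remove($cert)
                Write-Host "  removed"
            }
        }
    } finally {
        $store.Close()
    }
}
```

Matching on the CN rather than the thumbprint is deliberate: the old certificates were generated per installation, so their thumbprints differ from host to host while the subject names do not.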
Generate a Strong Certificate

1. Start the Retina CS Configuration Tool.
2. Click the Certificate Management link and generate a client certificate.
   Note: The password must be the same password that you use for Central Policy.
3. Click OK.
4. Confirm that the certificate was created, using the Certificates snap-in. The public key should show as RSA (2048 Bits) or RSA (1024 Bits), matching the UseStrongCerts value you configured.

Generate new SSL certificate for IIS

You can generate a new SSL certificate for IIS using the Retina CS Configuration Tool. Clients that have Microsoft's minimum certificate key length update (KB2661254, released August 2012) installed will not be able to view the Retina CS website if IIS is bound to an SSL certificate with a key length of less than 1024 bits.

Note: If the SSL certificate used by IIS was issued by a third-party CA (such as Thawte or VeriSign) and has a key length of less than 1024 bits, you must obtain a new certificate from that CA instead; the Configuration Tool cannot replace it.

1. Run the Retina CS Configuration Tool (Start Menu->eEye Digital Security->Retina CS).
2. Select Certificate Management.
3. Select SSL certificate from the list, and then click OK.
4. The client certificate then needs to be exported and imported again on each agent (see Import the Certificates below).
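A check that covers both the verification in step 4 of Generate a Strong Certificate and the IIS warning above: list the key length of every certificate in the Local Computer Personal store, then look up which of them are bound to HTTPS listeners (IIS, and SSRS if it is on the same host) and flag any binding whose key is shorter than 1024 bits, since patched clients will refuse that site. This is an added example, not part of the guide; it assumes RSA keys (the only kind Retina CS generates) and reads the bindings from `netsh http show sslcert`, which lists every SSL binding registered with HTTP.SYS.

```powershell
# Added example (not part of the BeyondTrust guide): audit key lengths in LocalMachine\My
# and warn about any HTTPS binding that uses a key shorter than $minBits.

$minBits = 1024   # threshold enforced by Microsoft's minimum key length update (from the guide)

# 1. Every certificate in the Local Computer Personal store with its RSA key length.
#    PublicKey.Key.KeySize is valid for RSA keys; Retina CS only generates RSA certificates.
$personal = @(Get-ChildItem -Path Cert:\LocalMachine\My)
foreach ($cert in $personal) {
    $bits = $cert.PublicKey.Key.KeySize
    $flag = if ($bits -lt $minBits) { 'WEAK' } else { 'ok  ' }
    Write-Host ("{0} {1,5}-bit  {2}  {3}" -f $flag, $bits, $cert.Thumbprint, $cert.Subject)
}

# 2. Which certificates are bound to HTTPS listeners? HTTP.SYS prints one
#    "Certificate Hash : <40 hex chars>" line per binding.
$boundHashes = netsh http show sslcert |
    Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() }

if (-not $boundHashes) {
    Write-Host 'No SSL bindings registered with HTTP.SYS on this host.'
}
foreach ($hash in $boundHashes) {
    $cert = $personal | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        Write-Warning "SSL binding references $hash but no such certificate is in LocalMachine\My"
        continue
    }
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -lt $minBits) {
        Write-Warning ("HTTPS binding uses a {0}-bit key ({1}); clients with the key length update will refuse it" -f $bits, $cert.Subject)
    } else {
        Write-Host ("HTTPS binding ok: {0}-bit key, {1}" -f $bits, $cert.Subject)
    }
}
```

Run it once before the procedure to confirm the 512-bit certificates are the ones in use, and again afterwards to confirm that every binding now points at a 1024-bit or 2048-bit key.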
Updating SSRS

Perform this procedure if SSRS runs on the same server as Retina CS and you are not using a custom SSL certificate. This applies to the UVM20 and UVM50 appliances.

1. Run the Reporting Services Configuration Manager.
2. Select Web Service URL.
3. In the Report Server Web Service Site identification section, change the SSL Certificate dropdown so that the SSL certificate matching your machine name is selected.
4. Click Apply.

Import the Certificates

Note: The client certificate is copied to the following directory on the Retina CS server:
C:\Program Files (x86)\Common Files\eEye Digital Security\Shared Services Host\Certificates

Run the following procedure on each target (client) computer.

1. Copy EmsClientCert.pfx from the server to the target computer.
2. Delete any existing certificates, as you did on the server (see Remove Existing Certificates).
3. Run the REM Client Configuration tool (Start Menu->eEye Digital Security->Tools).
4. Import the EmsClientCert.pfx certificate using the Client Configuration Tool. If events were configured previously, go to the Certificates tab; if not, run the wizard.

To verify that the certificate was imported correctly and that communication works, click the Test Connection button on the Receiver tab.

Alternatively, you can deploy the certificates to multiple targets remotely if you are running Blink (PowerBroker for Endpoint Protection Platform): run the script eeyescript-updaterem.vbs located in the <BlinkDir>\Scripts directory. See KB000945 - http://www.eeye.com/support/knowledge-base/article.aspx?id=kb000945.
About BeyondTrust Software

BeyondTrust is the global leader in securing the perimeter within to mitigate internal threat and the misuse of privileges. BeyondTrust offers consistent policy-driven, role-based access control, monitoring, logging, and reporting to protect internal assets from the inside out. The company's products empower IT governance to strengthen security, improve productivity, drive compliance, and reduce expense across physical, virtual, public, private, and hybrid cloud environments.

With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) solutions for heterogeneous IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world's 10 largest banks, seven of the world's 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held and headquartered in Carlsbad, California, with offices in the greater Los Angeles area, greater Boston area, and Washington DC, as well as EMEA offices in London, UK. For more information, visit beyondtrust.com.