Application notes for supporting third-party certificate in Avaya Aura System Manager 6.1 - Issue 0.1

Abstract

This application note lists the steps required for supporting third-party certificates in the Avaya Aura System Manager Web interface. Since other systems, such as Avaya Aura Session Manager, communicate with System Manager on the same port, this note also covers provisioning of the third-party trusted certificate to such systems.

05/10/11 2011 Avaya Inc. All Rights Reserved. 1 of 13
Table of Contents

1. INTRODUCTION ... 3
2. SOFTWARE VALIDATED ... 3
3. CONFIGURING SYSTEM MANAGER ... 3
4. CONFIGURING SESSION MANAGER ... 6
5. CONFIGURING PRESENCE SERVICES ... 7
6. CONFIGURING CS1K ... 8
7. CONFIGURING INTERNET EXPLORER 7.0 ... 8
8. CONFIGURING FIREFOX 3.5 ... 9
9. VERIFICATION STEPS ... 9
10. IMPORTING SUBORDINATE CA CERTIFICATE IN PKCS#12 CONTAINER ... 10
10.1. OPENSSL COMMAND FOR CREATING THE PKCS#12 FILE WITH IDENTITY CERTIFICATE AND SUBORDINATE CA CERTIFICATE ... 10
10.2. VERIFY THE OUTPUT CERTIFICATE ... 11
10.3. IMPORT A ROOT OR SUBORDINATE CA CERTIFICATE TO AN EXISTING KEYSTORE ... 11
11. CONCLUSION ... 12
12. ADDITIONAL REFERENCES ... 12
1. Introduction

This application note lists the steps required for installing and using a third-party certificate in the Avaya Aura System Manager Web interface. Since other systems, such as Avaya Aura Session Manager, communicate with System Manager on the same port, this note also covers provisioning of the third-party trusted certificate to Session Manager, Presence, and CS1000.

The following high-level steps are required to install and use a third-party certificate for the System Manager Web interface:

- You must replace the System Manager Web Server certificate with the third-party certificate.
- You must update the truststores of internal services, clients, and managed elements with the third-party root and subordinate CA certificates.

2. Software validated

The following equipment and software was used for the verification:

Equipment               Software
Dell PowerEdge 2950     Avaya Aura System Manager 6.1 Service Pack 1
                        Avaya Aura System Platform: 6.0.3.0.1
IBM x3650 ESX           Avaya Aura Session Manager 6.1.1.0.611005
                        Internet Explorer 7.0
                        Firefox 3.5

3. Configuring System Manager

1. Prerequisites

- A certificate is provisioned with the System Manager hostname as CN and signed by the third-party Certificate Authority (CA).
- The third-party certificate is in a PKCS#12 container together with the corresponding private key. This certificate and the corresponding private key will replace the System Manager Web SSL certificate and key. See Section 10.
- In cases where a hierarchy of subordinate CA(s) is present, the PKCS#12 container also includes all the subordinate CA certificates. See Section 10.
- The third-party root CA certificate is required. In cases where a hierarchy of subordinate CA(s) is present, the subordinate CA certificates are also required.
- You have created a backup of the installed System Manager template. Store the backup on an external device. For more information on creating a backup of the installed System Manager data, see the System Manager 6.1 GA Release Notes on the Avaya Support Web site.
2. Replace the System Manager Web Server identity certificate with the third-party certificate using the System Manager console.

   1. On the System Manager console, under Elements, click Application Management.
   2. Click System Manager in the left navigation pane.
   3. On the Manage Elements page, select System Manager and click More Actions > Configure Identity Certificates.
   4. On the Identity Certificate page, select Container TLS Service.
   5. On the Identity Certificate page, click Replace.
   6. On the Replace Identity Certificate page, click Import third party PKCS#12 file and perform the following:
      a. Enter the file name in the Please select a file field.
      b. Enter the password in the Password field.
      c. Click Retrieve Certificate. The Certificate Details section displays the details of the certificate.
      d. Click Commit to replace the certificate with the imported third-party certificate.

Figure 1: System Manager Identity Certificates

3. (i) Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to the System Manager trusted certificate stores.
Note: System Manager manages different applications. These applications use different trusted certificate stores. You must perform both 3(i) and 3(ii) to update all System Manager trusted certificate stores.

Add the certificate to System Manager trusted certificate store 1 using the System Manager console.

   1. On the System Manager console, under Elements, click Application Management.
   2. Click System Manager in the left navigation pane.
   3. On the Manage Elements page, select System Manager and click More Actions > Configure Trusted Certificates.
   4. On the Trusted Certificate page, click Add.
   5. On the Add Trusted Certificate page, set Select Store Type to add trusted certificate to All.
   6. On the Add Trusted Certificate page, select Import from file.
   7. On the Add Trusted Certificate page, browse to the third-party root CA certificate for Please select a file.
   8. On the Add Trusted Certificate page, click Retrieve Certificate.
   9. On the Add Trusted Certificate page, click Commit.

Figure 2: System Manager Trusted Certificates

Perform the nested steps for the root CA certificate and for each subordinate CA certificate, in case a hierarchy of subordinate CA(s) is present.

3. (ii) Add the certificate to System Manager trusted certificate store 2 through System Manager SSH using the root user.
Note: For details on how to log in to System Manager through SSH, see the System Manager 6.1 Security Guide on the Avaya Support Web site.

   1. Gain access to System Manager through SSH as the root user.
   2. Copy the root CA certificate and the subordinate CA certificate(s) to a temporary folder or to the $SPIRIT_HOME/security folder on the System Manager server.
   3. Run the following commands:

      # cd $SPIRIT_HOME/security
      # keytool -import -file <RootCA-CRT-file-path> -keystore spirit-trust.jks -storepass avaya123 -alias <alias-name>

   4. Repeat step 3 for all subordinate CA certificates:

      # keytool -import -file <SubordinateCA-CRT-file-path> -keystore spirit-trust.jks -storepass avaya123 -alias <alias-name>

      Note: The alias name must be unique for each CA certificate.

   5. Restart the Spirit Agent service by running the following command:

      # service spiritagent restart

For more details on the keytool command, see Section 10. Perform the above steps for the root CA certificate and for the subordinate CA certificates, in case a hierarchy of subordinate CA(s) is present.

4. Restart JBoss on the System Manager server through SSH using the root user.

   1. Access System Manager through SSH as the root user and run the following command:

      # service jboss restart

4. Configuring Session Manager

Whether you perform the steps in this section depends on the deployment environment. Perform the steps included in this section if the deployed environment contains Session Manager, Branch Session Manager, or Personal Profile Manager (PPM).

Note: You must perform the steps for each Session Manager server in the deployed environment.

1. Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to the Session Manager trusted certificate store using the System Manager console.
   1. On the System Manager console, under Elements, click Inventory.
   2. Click Manage Elements in the left navigation pane.
   3. On the Manage Elements page, select a Session Manager entity and click More Actions > Configure Trusted Certificates.
   4. On the Trusted Certificate page, click Add.
   5. On the Add Trusted Certificate page, set Select Store Type to add trusted certificate to All.
   6. On the Add Trusted Certificate page, select Import from file.
   7. On the Add Trusted Certificate page, browse to the third-party root CA certificate for Please select a file.
   8. On the Add Trusted Certificate page, click Retrieve Certificate.
   9. On the Add Trusted Certificate page, click Commit.

2. Restart the service on the Session Manager server.

   1. On the System Manager console, under Elements, click Session Manager.
   2. Click Session Manager > Dashboard > Shutdown System > Reboot.

5. Configuring Presence Services

Whether you perform the steps in this section depends on the deployment environment. Perform the steps included in this section on the Presence server if the deployed environment contains a Presence server.

Note: You must perform the steps for each Presence server in the deployed environment.

1. Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to the Presence server through SSH using the root user.

   1. Access the Presence server through SSH as the root user.
   2. Run the following command to add a certificate:

      # sh $PRES_HOME/presence/bin/prescert addtrusted pem <pem-filepath> [ alias <alias-name> ]

      The above command adds a trusted certificate to the JKS keystore and to the trust PEM file. You must run the command for the root CA certificate and for each subordinate CA certificate.

   3. Add the third-party root CA and subordinate CA certificates to the SAL Agent trust store on the Presence server, $SPIRIT_HOME/security/spirit-trust.jks. Run the keytool command to add a certificate:
      # keytool -import -alias <keyname> -file <ca-crt.pem> -keypass <password> -keystore $SPIRIT_HOME/security/spirit-trust.jks -storepass avaya123

      For more details on the keytool command, see Section 10.

   4. Restart Presence Services by running the following commands:

      # sh $PRES_HOME/presence/bin/stop.sh
      # sh $PRES_HOME/presence/bin/start.sh

6. Configuring CS1K

Whether you perform the steps in this section depends on the deployment environment. Perform the steps included in this section on the CS1K server if the deployed environment contains a CS1K server.

Note: You must perform the steps for each CS1K server in the deployed environment.

1. Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to the CS1K server through the System Manager console. You need to push the root CA certificate to the CS1K members registered with System Manager. Update the trust list for each member by choosing the members (certificate endpoints) and performing the following steps.

   1. On the System Manager console, under Users, click Administrators.
   2. Click Security > Certificates in the left navigation pane.
   3. On the Certificate Management page, select Certificate Endpoints. Select the radio button associated with the CS1K endpoint.
   4. On the Certificate Management page, click Add under Certificate Authorities.
   5. On the Add a CA to the Service page, specify the Friendly Name and the certificate content.
   6. On the Add a CA to the Service page, click Submit.

2. Restart the CS1K server for the changes to take effect.

7. Configuring Internet Explorer 7.0

This section lists the steps for installing the root CA certificate as a trusted root CA in the browser.

   1. Launch an Internet Explorer 7.0 browser.
   2. On the Tools menu, click Internet Options, and then click the Content tab.
   3. Click Certificates.
   4. Click the Trusted Root Certification Authorities tab for the type of certificates you want to install. This tab lists only self-signed certificates in the root store. When the root certificate of a CA is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by that CA.
   5. To add other certificates to the list, click Import. Use the Certificate Manager Import Wizard to guide you through the process of adding a certificate.
   6. To configure the Intended Purpose, select the filter for the types of certificates that you want to display in the list. Click Advanced.

Note: In cases where a hierarchy of subordinate CA(s) is present, add the subordinate CA certificates under the Intermediate Certification Authorities tab of the Certificates window.

8. Configuring Firefox 3.5

This section lists the steps for installing the root CA certificate as a trusted root CA in the browser.

   1. Launch a Firefox 3.5 browser.
   2. Click Options on the Tools menu.
   3. Click the Advanced button.
   4. Select the Encryption pane.
   5. Click the View Certificates button.
   6. Click the Authorities tab.
   7. Click the Import button.
   8. Navigate to the CA certificate and import the certificate.

Note: In cases where a hierarchy of subordinate CA(s) is present, also add the subordinate CA certificate(s) to the browser.

9. Verification steps

Validate that the certificate presented by the System Manager console matches the third-party certificate by comparing the fingerprints.

Firefox 3.5

   1. On the Firefox 3.5 browser, open the System Manager URL.
   2. Click the lock icon at the lower-right of the browser.
   3. On the security information window, click the Security tab. Click View Certificate.
   4. Match the SHA1 fingerprint with the certificate fingerprint.
   5. To view the certificate fingerprint, log in to System Manager.
      1. On the System Manager console, click Elements > Application Management.
      2. On the Manage Elements page, select System Manager and click More Actions > Configure Identity Certificates.
      3. On the Identity Certificate page, select Container TLS Service.
      4. On the Identity Certificate page, click View.

Internet Explorer 7.0

   1. On the Internet Explorer 7.0 browser, access the System Manager URL.
   2. A security alert prompt is displayed.
   3. On the security prompt window, click View Certificate.
   4. Match the thumbprint with the certificate fingerprint.
   5. To view the certificate fingerprint, log in to System Manager.
      1. On the System Manager console, click Elements > Application Management.
      2. On the Manage Elements page, select System Manager and click More Actions > Configure Identity Certificates.
      3. On the Identity Certificate page, select Container TLS Service.
      4. On the Identity Certificate page, click View.

10. Importing Subordinate CA Certificate in PKCS#12 Container

10.1. Openssl command for creating the PKCS#12 file with identity certificate and subordinate CA certificate

For the System Manager Web SSL certificate and key, the third-party certificate must be in a PKCS#12 container together with the corresponding private key. If a hierarchy of subordinate CA(s) is present, the PKCS#12 container must also include all the subordinate CA certificates.

Tool used: openssl - OpenSSL command line tool

   openssl pkcs12 [-export] [-in filename] [-inkey filename] [-certfile filename] [-out filename]

The pkcs12 command creates and parses PKCS#12 files, also referred to as PFX files.

Options:

-export             You can use this option to specify that a PKCS#12 file will be created rather than parsed.
-out filename       You can use this option to specify the file name to write the PKCS#12 file to. Standard output is used by default.
-in filename        You can use this option to specify the file name to read the certificates and the private keys from, standard input by default. They must all be in PEM format. The order does not matter, but one private key and its corresponding certificate should be present. If additional certificates are present, they are also included in the PKCS#12 file.
-inkey filename     You can use this option to specify the file to read the private key from. If not present, a private key must be present in the input file.
-certfile filename  You can use this option to specify the file name to read the additional certificates from.

10.2. Verify the output certificate

You can verify that the generated PKCS#12 file contains the third-party certificate and the subordinate CA certificates.

   openssl pkcs12 [-in filename] [-info]

Options:

-in filename        You can use this option to specify the file name of the PKCS#12 file to be parsed. Standard input is used by default.
-info               You can use this option to get additional information about the PKCS#12 file structure, algorithms used, and iteration counts.

10.3. Import a root or subordinate CA certificate to an existing keystore

   keytool -import {-trustcacerts} {-alias alias} {-file cert_file} [-keypass keypass] {-keystore keystore} [-storepass storepass]

Options:

-alias alias          Every entry, be it a key entry or a trusted certificate, in a key store is uniquely identified by a user-defined ALIAS string. You can use this option to specify the ALIAS to use when referring to an entry in the key store. Unless specified otherwise, a default value of `mykey' is used when this option is omitted from the command line.
-file cert_file       You can use this option to designate a file to use with a command. When specified with this option, the value is expected to be the fully qualified path of a file accessible by the file system. Depending on the command, the file may be used as input or as output. When this option is omitted from the command line, `STDIN' is used as the source of input, and `STDOUT' is used as the output destination.
-keypass keypass      You can use this option to specify the password protecting the certificate file.
-keystore keystore    You can use this option to specify the location of the key store to use.
-storepass storepass  You can use this option to specify the password protecting the key store. If this option is omitted from the command line, you must provide a password.

Note: For a detailed reference of the openssl pkcs12 command, see http://www.openssl.org/docs/apps/pkcs12.html#. For the most common Java keytool keystore commands, see http://www.sslshopper.com/articlemost-common-java-keytool-keystore-commands.html

11. Conclusion

You should now be able to connect to the System Manager Web interface using the third-party certificate that was provisioned.

12. Additional References

See the product documentation for Avaya products at http://support.avaya.com.

Avaya Aura System Manager 6.1 Release Notes, November 2010
Avaya Aura System Manager 6.1 Security Guide, January 2011
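The command-line parts of this note can be exercised end to end against a throw-away test PKI before touching a production System Manager: building the PKCS#12 container from Section 10.1, inspecting it as in Section 10.2, comparing SHA1 fingerprints as in Section 9, and importing root and subordinate CA certificates into a JKS truststore with unique aliases as in Sections 3(ii) and 10.3. The POSIX shell script below is an added example and is not part of the Avaya application note or of any Avaya product. It assumes openssl 1.1.1 or later on the PATH and, optionally, the Java keytool (the truststore step is skipped with status 77 when keytool is absent); the host name smgr.example.com, the CA names, the alias names, the file demo-trust.jks and both passwords are constructed for the demo and are not product defaults.

```shell
#!/bin/sh
# Added example, not part of the Avaya application note. Builds a throw-away
# two-tier test PKI, bundles the identity certificate into a PKCS#12 container
# (Section 10.1), inspects it (Section 10.2), compares SHA1 fingerprints
# (Section 9) and imports the CA certificates into a JKS truststore with one
# unique alias each (Sections 3(ii) and 10.3). All names and passwords are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="demo-p12-pass"        # constructed; the password typed on the Replace page
STORE_PASS="demo-store-pass"    # constructed; stands in for the truststore password

# Root CA -> subordinate CA -> identity certificate for smgr.example.com (constructed CN).
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:smgr.example.com\n' > "$WORK/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Sub CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/sub.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=smgr.example.com" \
        -keyout "$WORK/smgr.key" -out "$WORK/smgr.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/smgr.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/smgr.crt" 2>/dev/null
}

# Section 10.1: identity certificate, its private key and the subordinate CA in one container.
bundle_pkcs12() {
    openssl pkcs12 -export -in "$WORK/smgr.crt" -inkey "$WORK/smgr.key" -certfile "$WORK/sub.crt" \
        -name smgr-tls -passout "pass:$P12_PASS" -out "$WORK/smgr.p12"
}

# Section 10.2: -info reports structure, algorithms and iteration counts (on stderr).
inspect_pkcs12() {
    openssl pkcs12 -in "$WORK/smgr.p12" -info -noout -passin "pass:$P12_PASS" 2>&1
}

# Certificates held by the container; identity + subordinate CA must give 2.
count_p12_certs() {
    openssl pkcs12 -in "$WORK/smgr.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Split the container into leaf (-clcerts) and CA (-cacerts) parts and check that the
# leaf chains to the root certificate the truststores will hold.
verify_chain_from_p12() {
    openssl pkcs12 -in "$WORK/smgr.p12" -nokeys -clcerts -passin "pass:$P12_PASS" \
        -out "$WORK/leaf-from-p12.crt" 2>/dev/null
    openssl pkcs12 -in "$WORK/smgr.p12" -nokeys -cacerts -passin "pass:$P12_PASS" \
        -out "$WORK/chain-from-p12.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain-from-p12.crt" "$WORK/leaf-from-p12.crt"
}

# Section 9: the fingerprint the browser shows must equal that of the imported certificate.
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}
fingerprints_match() {
    [ "$(sha1_fingerprint "$1")" = "$(sha1_fingerprint "$2")" ]
}

# Sections 3(ii) and 10.3: one unique alias per CA certificate. Returns 77 if keytool is absent.
import_cas_into_truststore() {
    command -v keytool >/dev/null 2>&1 || return 77
    ks="$WORK/demo-trust.jks"; rm -f "$ks"
    # -importcert is the current spelling of the -import command shown in the note.
    keytool -importcert -noprompt -trustcacerts -file "$WORK/root.crt" -alias demo-root-ca \
        -keystore "$ks" -storetype JKS -storepass "$STORE_PASS" >/dev/null 2>&1
    keytool -importcert -noprompt -file "$WORK/sub.crt" -alias demo-sub-ca \
        -keystore "$ks" -storetype JKS -storepass "$STORE_PASS" >/dev/null 2>&1
    # Re-using an alias is refused ("alias already exists"), hence one alias per CA.
    if keytool -importcert -noprompt -file "$WORK/sub.crt" -alias demo-root-ca \
        -keystore "$ks" -storetype JKS -storepass "$STORE_PASS" >/dev/null 2>&1; then
        echo "unexpected: duplicate alias accepted" >&2; return 1
    fi
    keytool -list -keystore "$ks" -storetype JKS -storepass "$STORE_PASS" 2>/dev/null | grep -c trustedCertEntry
}

main() {
    make_test_pki
    bundle_pkcs12
    inspect_pkcs12
    echo "certificates in container: $(count_p12_certs)"
    verify_chain_from_p12
    echo "SHA1 fingerprint: $(sha1_fingerprint "$WORK/smgr.crt")"
    rc=0; n=$(import_cas_into_truststore) || rc=$?
    case $rc in
        0)  echo "trusted entries in demo-trust.jks: $n" ;;
        77) echo "keytool not on PATH; truststore import skipped" ;;
        *)  return "$rc" ;;
    esac
}
main
```

Run it with `sh demo.sh`; the chain verification passes only because the subordinate CA certificate travelled inside the container, which is exactly what Section 10.1 requires for a hierarchy of subordinate CAs. Two caveats carry over to real deployments: OpenSSL 3 writes PKCS#12 files with AES and SHA-256 by default, and importers built on older Java or OpenSSL releases may reject them, in which case the `-legacy` flag of `openssl pkcs12` produces the older encoding; and passing `-storepass` or `pass:` on the command line, as the note's own examples do, leaves the password visible in process listings and shell history, so clear the history afterwards or use the interactive prompt on shared hosts.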
2011 Avaya Inc. All Rights Reserved.

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes, along with the full title name and filename, directly to System Manager Support at imsmsupport@avaya.com.