Application notes for supporting third-party certificate in Avaya Aura System Manager Issue 0.1


Application notes for supporting third-party certificate in Avaya Aura System Manager 6.1 - Issue 0.1

Abstract

This application note lists the steps required for supporting third-party certificates in Avaya Aura System Manager Web interface. Since other systems, such as Avaya Aura Session Manager, communicate with System Manager on the same port, this note also covers provisioning of the third-party trusted certificate to such systems.

05/10/11 2011 Avaya Inc. All Rights Reserved. 1 of 13

Table of Contents

1. Introduction
2. Software validated
3. Configuring System Manager
4. Configuring Session Manager
5. Configuring Presence Services
6. Configuring CS1K
7. Configuring Internet Explorer 7.0
8. Configuring Firefox 3.5
9. Verification steps
10. Importing Subordinate CA Certificate in PKCS#12 Container
    10.1. Openssl command for creating the PKCS#12 file with identity certificate and subordinate CA certificate
    10.2. Verify the output certificate
    10.3. Import a root or subordinate CA certificate to an existing keystore
11. Conclusion
12. Additional References

1. Introduction

This application note lists the steps required for installing and using a third-party certificate in the Avaya Aura System Manager Web interface. Since other systems, such as Avaya Aura Session Manager, communicate with System Manager on the same port, this note also covers provisioning of the third-party trusted certificate to Session Manager, Presence, and CS1000.

Installing and using a third-party certificate for the System Manager Web interface requires the following high-level steps:

- You must replace the System Manager Web Server Certificate with the third-party certificate.
- You must update the internal services/clients/managed elements truststores with the third-party root and subordinate CA certificates.

2. Software validated

The following equipment and software is used for the verification:

Equipment / Software:

- Dell PowerEdge 2950
- Avaya Aura System Manager 6.1 Service Pack 1
- Avaya Aura System Platform: 6.0.3.0.1
- IBM x3650 ESX
- Avaya Aura Session Manager 6.1.1.0.611005
- Internet Explorer 7.0
- Firefox 3.5

3. Configuring System Manager

1. Prerequisites

   - A certificate is provisioned with the System Manager hostname as CN and signed by the third-party Certificate Authority (CA).
   - The third-party certificate is in a PKCS#12 container with the corresponding private key. This certificate and the corresponding private key will replace the System Manager Web SSL Certificate and Key. See Section 10.
   - In cases where a hierarchy of subordinate CA(s) is present, the PKCS#12 container also includes all the subordinate CA certificates. See Section 10.
   - The third-party root CA certificate is required. In cases where a hierarchy of subordinate CA(s) is present, subordinate CA certificates are required.
   - You have created a backup of the installed System Manager template. Store the backup on an external device. For more information on creating a backup of the installed System Manager data, see System Manager 6.1 GA Release Notes from the Avaya Support Web site.

2. Replace the System Manager Web Server identity certificate with the third-party certificate using the System Manager console.

   1. On the System Manager console, under Elements, click Application Management.
   2. Click System Manager in the left navigation pane.
   3. On the Manage Elements page, select System Manager and click More Actions > Configure Identity Certificates.
   4. On the Identity Certificate page, select Container TLS Service.
   5. On the Identity Certificate page, click Replace.
   6. On the Replace Identity Certificate page, click Import third party PCKS # 12 file and perform the following:
      a. Enter the file name in the Please select a file field.
      b. Enter the password in the Password field.
      c. Click Retrieve Certificate. The Certificate Details section displays the details of the certificate.
      d. Click Commit to replace the certificate with the imported third-party certificate.

   Figure 1: System Manager Identity Certificates

3. (i) Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to System Manager trusted certificate stores.

Note: System Manager manages different applications. These applications use different trusted certificate stores. You must perform 3(i) and 3(ii) to update the System Manager trusted certificate stores.

   Add certificate to System Manager trusted certificate store 1 using System Manager console.

   1. On the System Manager console, under Elements, click Application Management.
   2. Click System Manager in the left navigation pane.
   3. On the Manage Elements page, select System Manager and click More Actions > Configure Trusted Certificates.
   4. On the Trusted Certificate page, click Add.
   5. On Add Trusted Certificate page, select Select Store Type to add trusted certificate as All.
   6. On Add Trusted Certificate page, select Import from file.
   7. On Add Trusted Certificate page, browse to the third-party root CA certificate for Please select a file.
   8. On Add Trusted Certificate page, click Retrieve Certificate.
   9. On Add Trusted Certificate page, click Commit.

   Figure 2: System Manager Trusted Certificates

   Perform the nested steps for root CA certificate and for subordinate CA certificates in case a hierarchy of subordinate CA(s) is present.

3. (ii) Add certificate to System Manager trusted certificate store 2 through System Manager SSH using the root user.

Note: For details on how to log in to System Manager SSH, see System Manager 6.1 Security Guide from the Avaya Support Web site.

   1. Gain access to System Manager through SSH as a root user.
   2. Copy the root CA certificate and the subordinate CA certificate to a temporary folder or the $SPIRIT_HOME/security folder on the System Manager server.
   3. Run the following command:

          # cd $SPIRIT_HOME/security
          # keytool -import -file <RootCA-CRT-file-path> -keystore <spirit-trust.jks> -storepass <avaya123> -alias <alias-name>

   4. Repeat 3 for all subordinate CA certificates.

          # keytool -import -file <SubordinateCA-CRT-file-path> -keystore spirit-trust.jks -storepass avaya123 -alias <alias-name>

      Note: The alias name should be unique for all the CA certificates.

   5. Restart the Spirit Agent service by running the following command:

          # service spiritagent restart

   For more details on Keytool command, see Section 10.

   Perform above steps for root CA certificate and for subordinate CA certificates, in case a hierarchy of subordinate CA(s) is present.

4. Restart JBoss at System Manager server through SSH using the root user.

   1. Access System Manager through SSH as a root user and run the following command:

          # service jboss restart

4. Configuring Session Manager

You can perform the steps in this section based on the deployment environment. Perform the steps included in this section if the deployed environment contains Session Manager, Branch Session Manager, or Personal Profile Manager (PPM).

Note: You must perform the steps for each Session Manager server in the deployed environment.

1. Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to the Session Manager trusted certificate store using the System Manager console.

   1. On the System Manager console, under Elements, click Inventory.
   2. Click Manage Elements in the left navigation pane.
   3. On the Manage Elements page, select a Session Manager entity and click More Actions > Configure Trusted Certificates.
   4. On the Trusted Certificate page, click Add.
   5. On Add Trusted Certificate page, select Select Store Type to add trusted certificate as All.
   6. On Add Trusted Certificate page, select Import from file.
   7. On Add Trusted Certificate page, browse to the third-party root CA certificate for Please select a file.
   8. On Add Trusted Certificate page, click Retrieve Certificate.
   9. On Add Trusted Certificate page, click Commit.

2. Restart service at Session Manager Server.

   1. On the System Manager console, under Elements, click Session Manager.
   2. Click Session Manager > Dashboard > Shutdown System > Reboot.

5. Configuring Presence Services

You can perform the steps in this section based on the deployment environment. Perform the steps included in this section on Presence server if the deployed environment contains Presence server.

Note: You must perform the steps for each Presence server in the deployed environment.

1. Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to Presence server through SSH using root user.

   1. Access Presence SSH as a root user.
   2. Run the following command to add a certificate:

          # sh $PRES_HOME/presence/bin/prescert addtrusted pem <pem-filepath> [ alias <alias-name> ]

      The above command adds a trusted certificate to the JKS keystore and trust PEM file. You must perform the command for adding Root CA and Subordinate CA certificates.

   3. Add third-party root CA and subordinate CA certificate to the SAL Agent trust store at Presence server $SPIRIT_HOME/security/spirit-trust.jks. Run the keytool command to add a certificate:

          # keytool -import -alias <keyname> -file <ca-crt.pem> -keypass <password> -keystore <$SPIRIT_HOME/security/spirit-trust.jks> -storepass <avaya123>

      For more details on Keytool command, see Section 10.

   4. Restart Presence Services by running the following command:

          # sh $PRES_HOME/presence/bin/stop.sh
          # sh $PRES_HOME/presence/bin/start.sh

6. Configuring CS1K

You can perform the steps in this section based on the deployment environment. Perform the steps included in this section on CS1K server if the deployed environment contains CS1K server.

Note: You must perform the steps for each CS1K server in the deployed environment.

1. Add the third-party root CA certificate and the subordinate CA certificate(s), in case a hierarchy of subordinate CA(s) is present, to CS1K server through System Manager console.

   You need to push the root CA certificate to CS1K members registered with System Manager. Update the trust list for each member by choosing the members (Certificate endpoints) and perform the following steps.

   1. On the System Manager console, under Users, click Administrators.
   2. Click Security > Certificates in the left navigation pane.
   3. On the Certificate Management page, select Certificate Endpoints. Select the radio button associated with the CS1K endpoint.
   4. On the Certificate Management page, click Add under Certificate Authorities.
   5. On the Add a CA to the Service page, specify Friendly Name and the certificate content.
   6. On the Add a CA to the Service page, click Submit.

2. Restart the CS1K Server for the changes to take effect.

7. Configuring Internet Explorer 7.0

The section lists steps for installing root CA certificate as a trusted root CA in the browser.

1. Launch an Internet Explorer 7.0 browser.
2. On the Tools menu, click Internet Options, and then click the Content tab.

3. Click Certificates.
4. Click the Trusted Root Certification Authorities tab for the type of certificates you want to install. This tab lists only self-signed certificates in the root store. When the root certificate of a CA is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA.
5. To add other certificates to the list, click Import. Use the Certificate Manager Import Wizard to guide you through the process of adding a certificate.
6. To configure the Intended Purpose, select the filter for the types of certificates that you want to display in the list. Click Advanced.

Note: In cases where a hierarchy of subordinate CA(s) is present, add the subordinate CA certificates to the browser tab Intermediate Certification Authorities on the Certificates window.

8. Configuring Firefox 3.5

The section lists steps for installing root CA certificate as a trusted root CA in the browser.

1. Launch a Firefox 3.5 browser.
2. Click Options from the Tool menu.
3. Click the Advanced button.
4. Select the Encryption pane.
5. Click the View Certificates button.
6. Click the Authorities tab.
7. Click the Import button.
8. Navigate to the CA certificate and import the certificate.

Note: In cases where a hierarchy of subordinate CA(s) is present, add the subordinate CA certificate to the browser.

9. Verification steps

Validate that the certificate prompt on the System Manager console matches the third-party certificate by matching the fingerprint.

Firefox 3.5

1. On the Firefox 3.5 browser, open the System Manager URL.
2. Click the lock icon at the lower-right of the browser.
3. On the security information window, click the Security tab. Click View Certificate.
4. Match the SHA1 fingerprint with the certificate fingerprint.
5. To view the certificate fingerprint, log in to System Manager.

   1. On the System Manager console, click Elements > Application Management.
   2. On the Manage Elements page, select System Manager and click More Actions > Configure Identity Certificates.
   3. On the Identity Certificate page, select Container TLS Service.
   4. On the Identity Certificate page, click View.

Internet Explorer 7.0

1. On the Internet Explorer 7.0 browser, access System Manager URL.
2. A security alert prompt will be displayed.
3. On the security prompt window, click View Certificate.
4. Match the thumbprint with the certificate fingerprint.
5. To view the certificate fingerprint, log in to System Manager.
   1. On the System Manager console, click Elements > Application Management.
   2. On the Manage Elements page, select System Manager and click More Actions > Configure Identity Certificates.
   3. On the Identity Certificate page, select Container TLS Service.
   4. On the Identity Certificate page, click View.

10. Importing Subordinate CA Certificate in PKCS#12 Container

10.1. Openssl command for creating the PKCS#12 file with identity certificate and subordinate CA certificate.

For System Manager Web SSL Certificate and Key, the third-party certificate is required to be in a PKCS#12 container with the corresponding private key. If a hierarchy of subordinate CA(s) is present, then the PKCS#12 container should also include all the subordinate CA certificates.

Tool used: openssl - OpenSSL command line tool

    openssl pkcs12 [-export] [-in filename] [-inkey filename] [-certfile filename] [-out filename]

The pkcs12 command creates and parses the PKCS#12 files, also referred to as PFX files.

Option

    -export
        You can use this option to specify that a PKCS#12 file will be created rather than parsed.

    -out filename
        You can use this option to specify the file name to write the PKCS#12 file to. Standard output is used by default.

    -in filename
        You can use this option to specify the file name to read the certificates and the private keys from, standard input by default. They must all be in the PEM format. The order does not matter but one private key and its corresponding certificate should be present. If additional certificates are present, they are also included in the PKCS#12 file.

    -inkey filename
        You can use this option to specify the file to read the private key from. If not present, then a private key must be present in the input file.

    -certfile filename
        You can use this option to specify the file name to read the additional certificates from.

10.2. Verify the output certificate

You can verify that the generated PKCS#12 certificate contains the third-party certificate and the subordinate CA certificates.

    openssl pkcs12 [-in filename] [-info]

Option

    -in filename
        You can use this option to specify the file name of the PKCS#12 files to be parsed. Standard input is used by default.

    -info
        You can use this option to get additional information about the PKCS#12 file structure, algorithms used, and iteration counts.

10.3. Import a root or subordinate CA certificate to an existing keystore

    keytool -import {-trustcacerts} {-alias alias} {-file cert_file} [-keypass keypass] {-keystore keystore} [-storepass storepass]

Option

    -alias alias
        Every entry, be it a Key Entry or a Trusted Certificate, in a key store is uniquely identified by a user-defined ALIAS string. You can use this option to specify the ALIAS to use when referring to an entry in the key store. Unless specified otherwise, a default value of `mykey' shall be used when this option is omitted from the command line.

    -file cert_file
        You can use this option to designate a file to use with a command. When specified with this option, the value is expected to be the fully qualified path of a file accessible by the File System. Depending on the command, the file may be used as input or as output. When this option is omitted from the command line, `STDIN' is used as the source of input, and `STDOUT' is used as the output destination.

    -keypass keypass
        You can use this option to specify the password protecting the certificate file.

    -keystore keystore
        You can use this option to specify the location of the key store to use.

    -storepass storepass
        You can use this option to specify the password protecting the key store. If this option is omitted from the command line, you must provide a password.

Note: For a detailed reference of openssl pkcs12 commands, see http://www.openssl.org/docs/apps/pkcs12.html#. For most common Java Keytool Keystore commands, see http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

11. Conclusion

You should now be able to connect to the System Manager Web interface using the third-party certificate that was provisioned.

12. Additional References

See product documentation for Avaya products at http://support.avaya.com.

- Avaya Aura System Manager 6.1 Release Notes, November, 2010
- Avaya Aura System Manager 6.1 Security Guide, January, 2011
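The packaging step of Section 10.1, the container check of Section 10.2 and the fingerprint comparison of Section 9, carried through on a throwaway chain. This is an added example, not part of the Avaya application note; the CA names, `smgr.example.com`, the file names and the password are constructed for the demo, and it assumes the OpenSSL command-line tool is installed.

```sh
#!/bin/sh
# Added example on a CONSTRUCTED test PKI. The hostname, file names and
# password are assumptions for this demo, not values from the application note.
set -eu

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
P12_PASS='constructed-demo-pass'   # assumed PKCS#12 password (demo only)
SMGR_CN='smgr.example.com'         # hypothetical System Manager hostname (CN)

# CA certificates must assert CA:TRUE; the identity certificate must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SMGR_CN" > leaf.ext

# new_csr <stem> <CN>: create <stem>.key and <stem>.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# issue <stem> <issuer-stem> <extfile>: sign <stem>.csr with the issuer's key
issue() {
  openssl x509 -req -sha256 -days 30 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Root CA -> subordinate CA -> identity certificate for the hostname.
make_test_pki() {
  new_csr root 'Example Root CA'
  openssl x509 -req -sha256 -days 30 -in root.csr -signkey root.key \
    -extfile ca.ext -out root.pem 2>/dev/null
  new_csr sub 'Example Subordinate CA'
  issue sub root ca.ext
  new_csr smgr "$SMGR_CN"
  issue smgr sub leaf.ext
}

# Section 10.1: identity certificate, its private key and the subordinate CA
# certificate in one PKCS#12 container.
build_p12() {
  openssl pkcs12 -export -in smgr.pem -inkey smgr.key -certfile sub.pem \
    -out smgr.p12 -passout "pass:$P12_PASS"
}

# Section 10.2: count the certificates in the container without dumping the key.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# SHA1 fingerprint of a PEM certificate (the value compared in Section 9).
cert_sha1() { openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2; }

# Fingerprint of the identity certificate as stored inside the container.
p12_identity_sha1() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$P12_PASS" \
    2>/dev/null > id.pem
  cert_sha1 id.pem
}

# The identity certificate must chain through the subordinate CA to the root.
chain_ok() {
  openssl verify -CAfile root.pem -untrusted sub.pem smgr.pem >/dev/null 2>&1
}

make_test_pki
build_p12
echo "certificates in container: $(p12_cert_count smgr.p12)"
echo "identity SHA1 fingerprint: $(p12_identity_sha1 smgr.p12)"
chain_ok && echo "chain verifies against the root CA"
```

Passing the password as `pass:...` exposes it in the process list; on a real host use the interactive prompt or `-passout file:<path>` instead.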

© 2011 Avaya Inc. All Rights Reserved.

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, directly to the System Manager Support at imsmsupport@avaya.com.