Configuring Cenergy with SSL
Applies to:
- Cenergy
Issue:
By default, Cenergy client agents communicate with the Command Server over plain HTTP on the standard port 80, so requests and responses travel in cleartext and the agent has no way to verify which server it is talking to. In some situations additional security may be desired to authenticate the communicating systems and to protect the data transmitted from server to client and vice versa.
Resolution:
Without any loss in functionality, Cenergy servers can be configured to support Secure Sockets Layer (SSL), the industry standard for protecting web communications. SSL encrypts the connection, protecting the confidentiality and integrity of the data in transit, and authenticates the endpoints by certificate. The procedure below issues a certificate to each server so that agents can authenticate the servers they connect to; it does not issue certificates to the agents themselves.
Enabling SSL for your Cenergy installation involves the following:
- Obtaining SSL certificates
- Installing SSL certificates on your Cenergy servers
- Enabling Cenergy servers to use SSL
- Configuring Cenergy agents to use SSL
Obtaining SSL Certificates
Prior to enabling SSL on a Cenergy server, you need to obtain a certificate issued by an SSL Certificate Authority such as Verisign. If you have multiple Cenergy servers (Command and Relay), you should obtain a certificate for, and enable SSL on, every server the agents will connect to. Otherwise, you'll need to ensure that agents configured to use SSL communicate only with SSL-enabled servers.
To obtain a certificate you must first generate a key pair (private and public) and a Certificate Signing Request (CSR). The server you are requesting the certificate for must have a stable DNS name: it becomes the certificate's Common Name and is the name the agents will be configured to connect to. If you have agents connecting through the Internet, it is strongly suggested that you register valid Internet DNS names for your servers.
To generate a CSR, follow the instructions from your server software. If you are running Microsoft IIS, follow these steps:
- From the Windows Control Panel, select Administrative Tools.
- Select Internet Information Services
- Open the Properties window for the web site you are generating the CSR for. You can do this by right-clicking on the name of the web site (Default Web Site) and selecting Properties from the menu.
- On the Directory Security tab, click the Server Certificate button to launch the Web Server Certificate Wizard.
- Select "Create a new certificate" and click on Next.
- Select "Prepare the request now but send later" and click on Next.
- On the Name and Security Settings screen,
- Enter a name for the certificate. This name is for your records and should be easily identifiable, especially if you are working with multiple domains.
- Select a bit length for the keys. The choices depend on the cipher strength of your server: 128-bit servers can generate keys up to 1024 bits, while 40-bit servers can generate only up to 512 bits. Choose the largest length the wizard offers. Note that public Certificate Authorities now require RSA keys of at least 2048 bits and will reject a 1024-bit CSR; if the wizard cannot produce a 2048-bit key, generate the request with another tool such as certreq.exe instead.
- Click Next.
- Enter the legal name of your organization. (Note: You will need to provide Proof of Organization to the Certificate Authority, therefore, it is important to use the legal name under which your organization is registered.) Use the Organizational Unit field to differentiate between divisions within your organization. Click Next.
- On the Your Site's Common Name screen, enter the fully qualified domain name (the valid Internet DNS name) of the server. (Note: Do NOT include http:// or https:// in the name, and do NOT use an IP address or NetBIOS name; the agents will later have to be configured with exactly this name.) Click Next.
- Enter your Country, State/Province, and City/Locality.
- On the Certificate Request File Name Screen, enter a filename and path to save your CSR.
- Verify that the information is correct on the Request File Summary screen. If you need to change something, click Back to the appropriate screen, otherwise click Next and Finish.
Once you have generated a CSR you can obtain a certificate from an SSL Certificate Authority. There are several ways to do this, but one of the easiest is to apply online. (Visit www.verisign.com to apply online with Verisign.)
Installing SSL Certificates on your Cenergy Servers
After you obtain a certificate you need to install it on the appropriate Cenergy server. If you are running Microsoft IIS, do the following:
- Repeat steps 1 to 4 above to launch the Web Server Certificate Wizard.
- Select "Process the pending request and install the certificate" and click on Next.
- Enter the path and filename of your certificate and click on Next.
- Verify the information is correct and click Next to confirm your Certificate has been installed.
- Restart the Cenergy server to complete your Certificate installation.
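The two wizard procedures above (generating the key pair and CSR, then processing the pending request) can also be done from the command line. The following is an added example, not part of the original article or of Cenergy: it drives certreq.exe, which ships with Windows, from PowerShell, using the same subject fields the wizard asks for. The organisation details, the working directory C:\CenergySSL and the host name cenergy-cmd.example.com are placeholders, and the key length defaults to 2048 bits because public CAs no longer sign shorter RSA keys.

```powershell
# Added example (not from the original Novell TID): key pair + CSR via certreq.exe, then
# installation of the CA-issued certificate. All names, paths and organisation details are placeholders.

function New-CenergyCsr {
    param(
        [Parameter(Mandatory)][string]$CommonName,   # FQDN the agents will connect to (no scheme, no IP, no NetBIOS name)
        [Parameter(Mandatory)][string]$Organization, # legal name registered with the CA
        [string]$OrgUnit  = 'IT',
        [string]$City     = 'Provo',
        [string]$State    = 'Utah',
        [string]$Country  = 'US',
        [int]$KeyLength   = 2048,                    # public CAs reject RSA keys shorter than 2048 bits
        [string]$WorkDir  = 'C:\CenergySSL'          # placeholder working directory
    )
    # The same rules the wizard's Common Name screen states: a bare DNS name, fully qualified.
    if ($CommonName -match '^https?://' -or ($CommonName -as [ipaddress])) {
        throw "CommonName must be a bare DNS name, not a URL or IP address: $CommonName"
    }
    if ($CommonName -notmatch '\.') {
        throw "CommonName '$CommonName' has no domain part; agents must use this exact name, so use the FQDN"
    }
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $infPath = Join-Path $WorkDir "$CommonName.inf"
    $csrPath = Join-Path $WorkDir "$CommonName.csr"

    # certreq request file; each field maps onto one of the wizard's screens.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, OU=$OrgUnit, O=$Organization, L=$City, S=$State, C=$Country"
FriendlyName = "Cenergy $CommonName"
KeyLength = $KeyLength
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$CommonName&"
"@
    Set-Content -Path $infPath -Value $inf -Encoding ASCII

    # Creates the private key in the Local Machine store as a pending request and writes the CSR to send to the CA.
    & certreq.exe -new $infPath $csrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $csrPath
}

function Install-CenergyCertificate {
    param([Parameter(Mandatory)][string]$CerPath)   # the certificate file (.cer) returned by the CA
    # Pairs the issued certificate with the pending private key and places it in LocalMachine\My.
    & certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $installed -or -not $installed.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) is not in LocalMachine\My with its private key"
    }
    return $installed.Thumbprint
}

# Usage (placeholder values):
# New-CenergyCsr -CommonName 'cenergy-cmd.example.com' -Organization 'Example Corp'
# ... submit C:\CenergySSL\cenergy-cmd.example.com.csr to the CA and save its reply as a .cer file ...
# Install-CenergyCertificate -CerPath 'C:\CenergySSL\cenergy-cmd.example.com.cer'
```

A request created this way is pending in the machine's certificate store rather than inside IIS, so after certreq -accept the IIS wizard will not find it under "Process the pending request": assign the installed certificate to the web site with the wizard's "Assign an existing certificate" option (or through the site's bindings on newer IIS versions), then restart the server as in the last step above.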
Enabling Cenergy Servers to use SSL
- Go to the Web site properties and ensure the SSL port contains the number 443 (it should default to this number automatically).
Note: You may change the port number if desired; however, you'll need to configure your client agents to use the same port and verify that any firewalls and routers between the agents and the server allow SSL traffic on a port other than 443.
- Verify that you can reach the Cenergy Download Center at both https://<server DNS name>/ma2000 and http://<server DNS name>/ma2000, using the DNS name that was entered as the certificate's Common Name. The browser must not report a certificate warning on the https URL.
- From your Cenergy Console, follow these steps to make sure any Relay Rules are advertising the DNS names and not the NetBIOS names or IP addresses of your Relay Servers:
- From the Tools menu, select Options and go to the Server tab.
- Select the Advertise Server Addresses in DNS format and click OK.
- Switch to the Architecture view.
- For each server, right-click it, select Properties, and enter the DNS name in the Name field.
- Once you have finished updating all of the server names, ensure that the Relay Rules in the View window are showing the new names.
- At this point your system should be fully configured to support both SSL and non-SSL agents. Double-check that your agents are still functioning properly before moving on to the next step.
Configuring Cenergy Agents to use SSL
Once everything is configured on the server-side, you are ready to create an agent configuration package to enable SSL on your remote clients. To do this, create a new PC Task Package and follow the steps outlined below:
- Select the Agent Configuration command to open the Agent Settings window.
- In the Primary Command Server dialog, enter the DNS name in the Server Name field and click on the Advanced button.
- Select Connect using the Secure Sockets Layer (SSL) option. Ensure the port (default is 443) is the same as the port on your server and click OK.
- Click OK to exit the Agent Settings window.
- Add the Unload Agent command to the end of the package. Be sure to select the "Restart agent after unloading" option for this command.
Your package is now complete and is ready to send to your first test system. Once the Agent Configuration task package completes, send other packages to the client and fully test your environment.
Important:
Testing your system before sending the new Agent Configuration task package to all clients is critical. If your system isn't properly configured, your agents will lose their connectivity with the Command and Relay Servers, and there is no way to recover from this remotely. Your agents must be configured to connect to the same server name that was used as the certificate's Common Name, on the same port the server's web site uses for SSL; otherwise they will not be able to connect via SSL.
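As an added example (not part of the original article or of Cenergy), the following PowerShell script performs, from a test workstation, the pre-rollout checks that the "Enabling Cenergy Servers to use SSL" section and the note above call for: that the name the agents will be given is a fully qualified DNS name rather than an IP or NetBIOS name, that the Download Center answers over both HTTP and HTTPS, that the server's certificate chains to a trusted CA, and that the certificate was issued for exactly that name (including the one-label wildcard case). The server name cenergy-cmd.example.com, port 443 and the /ma2000 path are placeholders; only .NET classes and cmdlets available in Windows PowerShell 3.0 and later are used.

```powershell
# Added example (not from the original Novell TID): pre-rollout check of an SSL-enabled Cenergy server.
# Run it with exactly the Server Name and port you intend to put in the Agent Configuration package.

function Test-NameMatchesCertificate {
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }                   # -eq compares case-insensitively
        if ($c.StartsWith('*.')) {                            # a wildcard covers exactly one leftmost label
            $suffix = $c.Substring(1)                         # "*.example.com" -> ".example.com"
            $prefixLen = $Name.Length - $suffix.Length
            if ($prefixLen -gt 0 -and
                $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $Name.Substring(0, $prefixLen) -notmatch '\.') { return $true }
        }
    }
    return $false
}

function Get-HttpStatus([string]$Uri) {
    # Uses normal certificate validation, as the agent will; an untrusted chain or a name mismatch surfaces here.
    try { return [int](Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15).StatusCode }
    catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return $_.Exception.Message                           # no HTTP response at all
    }
}

function Test-CenergySslServer {
    param(
        [Parameter(Mandatory)][string]$ServerName,            # exactly the agent's Server Name value
        [int]$Port = 443,                                     # must equal the SSL port on the web site
        [string]$DownloadCenterPath = '/ma2000'
    )
    $r = [ordered]@{
        ServerName = $ServerName; Port = $Port; NameIsFqdn = $false; Reachable = $false
        Protocol = $null; Subject = $null; NotAfter = $null; CertificateNames = @()
        NameMatchesCertificate = $false; ChainTrusted = $false; ChainStatus = $null; Error = $null
    }
    # An IP address or NetBIOS name can never match a certificate issued for the DNS name.
    $r.NameIsFqdn = ($ServerName -match '\.') -and -not ($ServerName -as [ipaddress])

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ServerName, $Port)
        $r.Reachable = $true
        # Accept any certificate at this point so it can be inspected; the checks below do the real validation.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Protocol = $ssl.SslProtocol
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter

        # Names the certificate was issued for: the CN plus any DNS entries in Subject Alternative Name.
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
        }
        $r.CertificateNames = @($names | Select-Object -Unique)
        $r.NameMatchesCertificate = Test-NameMatchesCertificate -Name $ServerName -CertNames $r.CertificateNames

        # Chain check against this machine's trust store: the issuing CA must be trusted on the agents too.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainTrusted = $chain.Build($cert)
        $r.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }

    $r.HttpsDownloadCenter = Get-HttpStatus "https://$($ServerName):$Port$DownloadCenterPath"
    $r.HttpDownloadCenter  = Get-HttpStatus "http://$ServerName$DownloadCenterPath"
    $r.ReadyForAgents = [bool]($r.NameIsFqdn -and $r.Reachable -and $r.ChainTrusted -and $r.NameMatchesCertificate)
    return [pscustomobject]$r
}

# Usage (placeholder name): review every field before building the agent package.
# Test-CenergySslServer -ServerName 'cenergy-cmd.example.com' -Port 443 | Format-List
```

ReadyForAgents is only true when all four conditions hold; a false NameMatchesCertificate with a true Reachable is the exact situation the note above warns about, an agent that can reach the server but can never complete the SSL connection.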
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.