3.3 Configuring Secure Communication

This section provides information about the following:

3.3.1 Secure Email Communication

If you want to configure the email server with a secure connection, see step 11 in the Standard Installation section under Installing the Change Guardian Server of the Traditional Change Guardian Server Installation.

3.3.2 Using a Trusted Certificate Authority

This section provides the following information:

Using CA Signed Certificates

You can replace the self-signed certificate with a certificate signed by a well-known CA, such as VeriSign, Thawte, or Entrust. You can also replace the self-signed certificate with a certificate digitally signed by a less common CA, such as a CA within your company or organization.

NOTE: There are many well-known CAs, and which CAs are most commonly used varies by country.

This section provides information about the various certificates used in Change Guardian and instructions for configuring the TLS/SSL certificates so that they are digitally signed by a CA:

Web Server Certificate

The web server certificate is used for the following purposes:

  • Used by web browsers to connect to the Change Guardian Main interface.

  • Used to establish trust relationships for REST API calls between Change Guardian instances, for example, when configuring Data Federation.

Javos and Agent Manager

The Javos and Agent Manager certificates are used for the following purposes:

  • Javos certificates are used for accepting connections from Change Guardian Agents.

  • Agent Manager certificates are used for communication between Change Guardian agents and Agent Manager.

Configuring the TLS/SSL Certificates for Web Server

Configuring the TLS/SSL certificates involves the following steps:

Generating a Certificate Signing Request

To obtain a digitally signed certificate, you must first generate a certificate signing request (CSR), which is presented to the CA. To generate one or more CSRs, perform the following steps on the Change Guardian server:

  1. Log in to the Change Guardian server as the novell user.

  2. Create a certificate pair by using the following command:

    /opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity <days> \
      -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password \
      -keystore .webserverkeystore.jks \
      -dname "CN=<certificate_common_name>,OU=<organization_unit>,O=<organization>,L=<city or town>,ST=<state>,C=<country>" \
      -ext san=dns:<domain_name> && \
    /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr \
      -keystore .webserverkeystore.jks -storepass password -ext san=dns:<domain_name>

The above command creates the key pair and generates a CSR in PKCS#10 format, which is saved in the specified file (.webserverkeystore.csr).

Getting the CSR Signed by the CA

  1. Submit the CSRs to the CA for signature.

  2. Obtain the signed certificate files from the CA.

The details of how this is done depend on the CA. For more information, consult your CA.

Importing the Certificate Files

Copy the files that contain the digital certificates signed by the CA to the Change Guardian server. If the certificates are signed by an enterprise or organizational CA rather than a well-known CA, you must also copy the CA's self-signed root certificate to the Change Guardian server. You must import the intermediate, root, and signed certificates.

You can specify the desired alias names for the intermediate and root certificates. However, the signed certificate must be imported with the same alias that was used when creating the certificate pair, which is webserver. The default keystore password is password. If you have changed the keystore password, specify the changed password.

To import the certificate files to the Change Guardian server:

  1. Log in to the Change Guardian server as the novell user.

  2. Back up the default self-signed certificate:

    cp /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp

  3. Copy the CA signed certificate to the Sentinel server:

    cp <CA_signed_certificate> /etc/opt/novell/sentinel/config/.webserverkeystore.jks

  4. Import the intermediate certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias <alias_name> -file /opt/cert/intermediate.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  5. Import the root certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias <alias_name> -file /opt/cert/root.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  6. Import the signed certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/signedcert.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  7. (Optional) Verify that all the certificates were imported successfully:

    /opt/novell/sentinel/jdk/jre/bin/keytool -list -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks

  8. Restart Change Guardian:

    systemctl restart sentinel.service

    On Change Guardian 6.3.1 or earlier, use the following command instead:

    rcsentinel restart
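As an added check that is not part of the Change Guardian documentation, the following script inspects the keytool -list output from step 7 the way a practitioner would before restarting: the webserver alias must be a PrivateKeyEntry (the signed certificate replaced the chain of the existing key pair rather than landing as a separate trusted entry), and each CA alias must be a trustedCertEntry. The alias names intermediate and root in the usage comment are placeholders for whatever you chose in steps 4 and 5.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: check the
# "keytool -list" output of the web server keystore after the import steps.
# A common mistake is importing the signed certificate under a new alias,
# which creates a trustedCertEntry instead of replacing the chain of the
# "webserver" key pair; this check catches that.
KEYTOOL=/opt/novell/sentinel/jdk/jre/bin/keytool
KEYSTORE=/etc/opt/novell/sentinel/config/.webserverkeystore.jks

# entry_type ALIAS: print the entry type of ALIAS from a keytool listing read
# on stdin. keytool prints "alias, <date>, <type>, " per entry; the date may
# itself contain ", ", so the type is taken as the last field.
entry_type() {
    awk -v a="$1" '{
        line = $0; sub(/[, \t]+$/, "", line)
        n = split(line, f, ", ")
        if (n >= 3 && f[1] == a) print f[n]
    }'
}

# check_keystore_listing CA_ALIAS...: read the listing on stdin; return 0
# only if "webserver" is a PrivateKeyEntry and every CA alias given as an
# argument is a trustedCertEntry.
check_keystore_listing() {
    listing=$(cat)
    t=$(printf '%s\n' "$listing" | entry_type webserver)
    if [ "$t" != "PrivateKeyEntry" ]; then
        echo "FAIL: alias webserver is '${t:-missing}', expected PrivateKeyEntry" >&2
        return 1
    fi
    for ca in "$@"; do
        t=$(printf '%s\n' "$listing" | entry_type "$ca")
        if [ "$t" != "trustedCertEntry" ]; then
            echo "FAIL: alias $ca is '${t:-missing}', expected trustedCertEntry" >&2
            return 1
        fi
    done
    echo "OK: webserver is a PrivateKeyEntry; trusted CA aliases: $*"
}

# On the server (alias names are placeholders for the ones chosen in steps 4 and 5):
#   "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass <keystore_password> \
#       | check_keystore_listing intermediate root
```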

Configuring the TLS/SSL Certificates for Javos and Agent Manager

You can use CA-signed certificates in place of the self-signed certificates provided by Change Guardian.

To replace the self-signed certificates on the server:

  1. Log in to the Change Guardian server as root.

  2. Switch user to novell.

  3. Back up the existing certs folder, which is located at /opt/netiq/cgutils/certs.

  4. Create a new certs folder at /opt/netiq/cgutils/.

  5. Copy the CA-signed certificates to /opt/netiq/cgutils/certs.

  6. Change the permission of the certs folder:

    chmod 700 /opt/netiq/cgutils/certs

  7. Rename the CA-signed certificate files as follows:

    • cgca-cert.pem: Root CA certificate

    • cgca-pk.pem: Private key

    • cgca-pk.pem.pass: Private key password

  8. Change the ownership of the CA-signed files:

    chown novell:novell /opt/netiq/cgutils/certs/*

  9. Go to the /opt/netiq/cgutils/bin directory and run the following command:

    ./cg_cert_setup.sh

    The required certificates are created in the /opt/netiq/cgutils/certs/ directory.

  10. Verify that the issuer field of the new certificates contains the new CA name:

    • openssl x509 -in amsca-cert.pem -noout -text

    • openssl x509 -in javosca-cert.pem -noout -text

  11. Go to the /opt/netiq/ams/ams/bin directory, and run the following commands:

    ./ams_cert_setup.sh --setup --profile=ams_new_profile_name

    ./ams_cert_setup.sh --enable --profile=ams_new_profile_name

    NOTE: Do not change the default profile names; instead, create a profile with a new name.

  12. Confirm that the profile is enabled:

    ./ams_cert_setup.sh --show

  13. Go to the /opt/netiq/cg/javos/bin/ directory and run the following commands:

    ./javos_cert_setup.sh --setup --profile=javos_new_profile_name

    ./javos_cert_setup.sh --enable --profile=javos_new_profile_name

  14. Confirm that the profile is enabled:

    ./javos_cert_setup.sh --show

  15. (Conditional) If the Change Guardian server is in FIPS mode, run the following commands:

    /opt/netiq/ams/ams/bin/convert_to_fips.sh

    /opt/netiq/cg/javos/bin/convert_to_fips.sh

  16. (Optional) To test whether the certificates were replaced successfully, remotely deploy an agent and generate an event.
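As an added pre-flight check that is not part of the Change Guardian documentation, the following script verifies the certs directory layout that steps 3 to 8 above prepare for cg_cert_setup.sh: the directory is mode 700, the three renamed files exist, everything is owned by the expected user, and, when openssl is available and a CA name is given, the issuer of cgca-cert.pem contains that name (the step 10 check applied to the input certificate). The directory, owner and CA name are parameters so the check can be run against a staging copy.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: pre-flight check
# of the certs directory before running cg_cert_setup.sh.
# Usage: check_certs_dir DIR OWNER [EXPECTED_CA_NAME]
check_certs_dir() {
    dir=$1; owner=$2; ca_name=$3; rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2; return 1
    fi
    # "ls -ld" prints e.g. "drwx------ 2 novell novell ..."; a trailing
    # "+" or "@" (ACLs / extended attributes) is tolerated.
    perms=$(ls -ld "$dir" | awk '{print $1}')
    case "$perms" in
        drwx------*) ;;
        *) echo "FAIL: $dir is $perms, expected drwx------ (chmod 700)" >&2; rc=1 ;;
    esac
    for f in cgca-cert.pem cgca-pk.pem cgca-pk.pem.pass; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: missing $dir/$f (check the renaming step)" >&2; rc=1; continue
        fi
        u=$(ls -l "$dir/$f" | awk '{print $3}')
        if [ "$u" != "$owner" ]; then
            echo "FAIL: $dir/$f is owned by $u, expected $owner" >&2; rc=1
        fi
    done
    # Issuer check (optional): only meaningful once a real certificate is in place.
    if [ -n "$ca_name" ] && command -v openssl >/dev/null 2>&1 && [ -f "$dir/cgca-cert.pem" ]; then
        issuer=$(openssl x509 -in "$dir/cgca-cert.pem" -noout -issuer 2>/dev/null)
        case "$issuer" in
            *"$ca_name"*) ;;
            *) echo "FAIL: issuer '$issuer' does not contain '$ca_name'" >&2; rc=1 ;;
        esac
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir is ready for cg_cert_setup.sh"
    return $rc
}

# On the server, with the CA name as a placeholder for your own CA:
#   check_certs_dir /opt/netiq/cgutils/certs novell "<your CA name>"
```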