
[2018-09-28 EDIT] : Since this post was written, new certificate management features have been added. Thus, this is of historical interest only. For new versions, please consult:

 

Appliance certificates - BMC Discovery 11.3 - BMC Documentation

 

===

 

In this post, I will cover a topic of interest for customers who want to increase the security of their appliance/proxy communications.

 

The communications between appliance and Windows proxy are secured by SSL certificates. A default installation ships with default self-signed certificates which provide encrypted communication and disallow casual snooping of data on the wire. However, these defaults are the same on all installed appliances, and so for the highest security and integrity customers may want to generate their own certificates.

 

We currently provide some documentation here: http://discovery.bmc.com/confluence/display/90/System+communications, but I recently ran through the steps on my test server, so the following illustrates the process I followed in that example and the reasons for those steps.

 

I'd be interested to hear your feedback - is it helpful (or confusing)? Do you view this as an important security configuration, or are you satisfied with the default configuration?

 

Thanks,

Nick

 

INITIAL

 

Stop tideway service on the appliance

Stop Proxy service(s)

 

Remove (backup) from the appliance: appliance_key_01.pem and ca_01.pem in /usr/tideway/etc

Remove (backup) from the proxy: slave_key_01.pem and ca_01.pem in C:\Program Files\BMC Software\ADDM Proxy\runtime\<Proxy type>\etc

 

APPLIANCE CERTIFICATE

 

Create a private key and Certificate Signing Request (CSR):

 

openssl req -newkey rsa:2048 -keyout appliance_key.pem -out appliance_req.pem -days 3650

 

You will be prompted for the information shown below; the values are from my example. Note the PEM pass phrase cannot be changed from that shown here. The certificate expiry time can be changed from the default; I used 10 years, but for production certificates 1 to 5 years is more typical. 2048-bit RSA is the minimum key length you should choose.

 

PEM pass phrase: Passw0rd

Country Name: UK

State or Province Name (full name) []:London

Locality Name (eg, city): London

Organization Name (eg, company): BMC Software Ltd

Organizational Unit Name (eg, section): ADDM Support

Common Name: ADDMAppliance.bmc.com

Email Address: support@bmc.com

A challenge password:

An optional company name: BMC Software Ltd

 

Send appliance_req.pem to a Certification Authority (CA) for signing. Your organisation may have an internal CA, which will verify and sign the request. [See the CA Authorisation note below.] If you want to create your own CA using OpenSSL, see here.

Receive the signed certificate back from the CA, say newcert.pem.

 

NOTE: if the CA returns a signed certificate in binary DER format, it must be converted to PEM format:

openssl x509 -inform DER -outform PEM -in newcert.der -out newcert.pem

 

omniORB requires the private key and certificate to be in the same file, with only the Base64-encoded data between the BEGIN/END markers. Thus, concatenate the data like this:

cat appliance_key.pem >> /usr/tideway/etc/appliance_key_01.pem

awk '/-----BEGIN CERTIFICATE-----/, $NF ~ /-----END CERTIFICATE-----/' newcert.pem >> /usr/tideway/etc/appliance_key_01.pem

 

Note the filesystem permissions on appliance_key_01.pem: it contains a private key, and thus sensitive data.

 

PROXY (AD example here)

 

Create a proxy key and CSR:

 

openssl req -newkey rsa:2048 -keyout slave_key.pem -out slave_req.pem -days 3650

PEM pass phrase: Passw0rd

Country Name: UK

State or Province Name (full name) []:London

Locality Name (eg, city): London

Organization Name (eg, company): BMC Software Ltd

Organizational Unit Name (eg, section): ADDM Support

Common Name: ADDMProxy.bmc.com

Email Address: support@bmc.com

A challenge password:

An optional company name: BMC Software Ltd

 

Send slave_req.pem to the CA for signing. Receive the signed certificate back from the CA, say newcert.pem.

 

omniORB requires the private key and cert to be in the same file, with only the Base64-encoded data between the BEGIN/END markers:

cat slave_key.pem >> slave_key_01.pem

awk '/-----BEGIN CERTIFICATE-----/, $NF ~ /-----END CERTIFICATE-----/' newcert.pem >> slave_key_01.pem
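The concatenation step above (and the identical one for the appliance key) is easy to get wrong when the CA hands back a file with a text preamble, as "openssl ca" does, or a DER file. The following is an added example, not code from the original post: it builds the combined file from the key and the CA's certificate, refuses to write anything if either block is missing, and creates the output owner-readable only. The file names are the post's; the checks and function names are mine, and the DER branch assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the combined
# key+certificate file that omniORB expects from (a) the private key file
# produced by "openssl req" and (b) the certificate returned by the CA, which
# may carry a text preamble (as "openssl ca" output does) or arrive as DER.

# Print only the first PEM block of the given label from stdin, dropping any
# text outside the BEGIN/END markers.  $1 = label, e.g. CERTIFICATE
pem_block() {
    awk -v label="$1" '
        $0 == ("-----BEGIN " label "-----") { on = 1 }
        on { print }
        $0 == ("-----END " label "-----")   { exit }
    '
}

# Emit the certificate as PEM; a file without a PEM marker is treated as DER
# and converted (this branch assumes openssl is on PATH).
ensure_pem_cert() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cat "$1"
    else
        openssl x509 -inform DER -outform PEM -in "$1"
    fi
}

# $1 = private key file, $2 = CA-returned certificate, $3 = output file
# (appliance_key_01.pem or slave_key_01.pem).  Fails, writing nothing, if
# either piece is missing; the output is created with mode 0600 because it
# holds the private key.
build_combined() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || {
        echo "no PEM private key in $1" >&2; return 1; }
    cert=$(ensure_pem_cert "$2" | pem_block CERTIFICATE)
    [ -n "$cert" ] || { echo "no certificate block in $2" >&2; return 1; }
    ( umask 077; { cat "$1"; printf '%s\n' "$cert"; } > "$3" )
}

# Number of PEM blocks in a file; the combined file must contain exactly 2
# (one key, one certificate).
count_blocks() {
    grep -c -- '^-----BEGIN ' "$1"
}
```

Call it as build_combined appliance_key.pem newcert.pem /usr/tideway/etc/appliance_key_01.pem (or with slave_key.pem and slave_key_01.pem for the proxy) and check that count_blocks reports 2 before starting the services.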

 

Move slave_key_01.pem to the proxy at C:\Program Files\BMC Software\ADDM Proxy\runtime\Active Directory\etc

It can also be copied to C:\Program Files\BMC Software\ADDM Proxy\etc, where it will be used for future proxies created from the Proxy Manager UI.

 

CA CERT

 

Obtain the CA public certificate in PEM format as ca_01.pem (eg for an OpenSSL CA, from /etc/pki/CA/cacert.pem)

 

Copy to Proxy under C:\Program Files\BMC Software\ADDM Proxy\runtime\Active Directory\etc\ca_01.pem

It can also be copied to C:\Program Files\BMC Software\ADDM Proxy\etc, where it will be used for future proxies that are created.

Copy to the appliance, as /usr/tideway/etc/ca_01.pem

 

FINAL

 

Start tideway service on the appliance

Start Proxy service

Sit back and have a nice cup of tea.

 

--

 

IMPORTANT NOTE: CA Authorisation

 

The proxies and appliances that talk to each other only check that the certificates they receive have been signed by the CA they trust. No validation is done on any information within the certificate, such as the CN. Thus, your only mechanism for securing the communications is to have a separate CA for each group of appliances/proxies you want to allow to communicate. Conversely, consider what happens if you were to use a corporate CA that signs any certificate submitted to it: that would allow anyone else in your organization with access to that CA process (or with an existing certificate granted for some other purpose) to stand up an appliance and communicate with your appliances/proxies.

 

Probably not what you want.
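Because signing by the trusted CA is the only check, the CA's issuance record is the thing to audit. As an added example (not from the original post), the script below reads the index.txt database of an OpenSSL CA such as the one under /etc/pki/CA and lists every still-valid certificate, then flags any whose CN does not match the naming pattern you expect for appliances and proxies. The index.txt column layout is OpenSSL's; the expected-CN pattern and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSL CA's index.txt
# so you can confirm the CA trusted by the appliance and proxies has only
# ever signed appliance/proxy certificates.
# index.txt columns are tab-separated: status (V valid / R revoked /
# E expired), expiry, revocation date, serial, file name, subject DN.

# Print "serial CN" for every still-valid (V) entry.  $1 = index.txt
valid_cns() {
    awk -F '\t' '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] ~ /^CN=/) print $4, substr(part[i], 4)
        }' "$1"
}

# Print the valid entries whose CN does not match the expected pattern
# (extended regex, e.g. "^ADDM").  Anything listed here can authenticate to
# your appliances/proxies although it was never meant to.
# $1 = index.txt, $2 = expected CN pattern
unexpected_cns() {
    valid_cns "$1" | awk -v pat="$2" '$2 !~ pat'
}
```

A non-empty result from unexpected_cns means the CA has signed something outside the appliance/proxy population, which is exactly the situation the note above warns about.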