How to Install Dragon Signed Certificate

Information
Title
How to Install Dragon Signed Certificate
Objective
Install Dragon Signed Certificate
Environment
  • Dragon 7.3.4
  • Dragon 7.4
  • Dragon 7.5
  • Dragon 8.x
Procedure
Although this procedure was originally written for Dragon 7.x, per engineering it is also valid for Dragon 8.x.

Dragon Signed Certificate Installation Procedure

Dragon 7.3.4, 7.4, 7.5 (09/20/2010)

Dragon uses X.509 certificates as follows:
  • To validate the authenticity of the EMS web services and as part of the process to acquire a key for the SSL-encrypted HTTP traffic on port 9443. This is primarily the Dragon Dashboard and Reporting applications.
  • As part of the process to acquire a key for the SSL-encrypted EJB/JMS traffic between the EMS client and server.
More recently, certificates are also used for the Dragon EMS High Availability feature and for syslog-ng. NetSight has also set up secure LDAP (s-ldap) authentication schemas using certificate authentication, but there has not yet been a request for this for Dragon.

This outline replaces the existing instructions in the Dragon IPS guide (which describe how to install a self-signed certificate) with instructions for installing a customer-provided signed certificate into the Dragon keystore. The IPS guide may contain additional details not specified here and may be consulted as a reference.

There are three main sections in this document after the references and prerequisites:
  • A brief description of the certificate options that the customer has in relation to Dragon.
  • The process of generating and installing a new dragon.keystore with a signed certificate.
  • A brief and generic outline of how to acquire a signed certificate. If the customer already has a signed certificate, that certificate can be used, but it will likely not resolve the web browser certificate warning issue (see the Common Name requirement in Section 1). The specific details of interfacing with the CA will vary from provider to provider.

References
  • Enterasys IPS Installation Guide, Chapter 7, Pages 7-2 and 7-3.
  • Netsight NAC Server Certificate Replacement Document
  • Netsight Certificate Chains Document

Prerequisites
  • Keytool – the keytool program ships as part of the Java VM on the EMS server installation. It is used to view and to create JKS-formatted keystores.
  • OpenSSL – because of limitations of the keytool program shipped with the Dragon EMS server, you will also need to install the OpenSSL tools. OpenSSL can be downloaded and built on the EMS server quickly and simply.

Section 1: Possible Certificate Options
There are three possible certificate options that can be utilized:

1. The Enterasys default self-signed certificate (ships with Dragon releases)
The EMS ships with an Enterasys-generated self-signed certificate that is used for the two purposes identified above and operates properly as installed.

2. The Dragon 7.3.4 and 7.4 documentation describes how to generate a simple self-signed certificate using keytool. This self-signed certificate can be installed on the EMS server, and a public version of the certificate can be generated and installed on the EMS client.

A few notes on the existing Dragon IPS installation guide documentation on this:
  • The existing documentation creates two certificates in a new dragon.keystore, one named dragon and one named rmi+ssl. It appears that only one certificate is needed, and it can be named 'dragon'.
  • Using the filename dragon.keystore and the default keystore password (drag0n1) is the easiest way to create these new keystores.
  • The directions on page 7-4 of the Dragon IPS installation guide describe how to generate a public certificate in a keystore to be copied to the Dragon EMS client.

3. Customer-provided signed certificate (provided by a signing authority)
The customer can provide their own signed certificate for use by Dragon. The certificate will be issued by a certificate authority that is not provided by Dragon. This could be a public provider such as VeriSign or GoDaddy, or the customer's own in-house CA.
In order to eliminate the web browser certificate warnings, you will need to provide a properly formatted Common Name attribute in the certificate before the certificate is signed/validated by the CA.
This CN format is described in the directions below on how to create a certificate signing request for submission to the CA. If this field is not set as described, the certificate will still provide encryption but will not resolve the browser warning issue.
Additionally, any root and intermediate certificates for the CA must be installed into the certificate store on the systems from which you plan to browse to port 9443. This document does not describe how to install these certificates.

Section 2: Generating and installing keystores for the EMS server and client with a signed certificate

1. Create a pkcs12 keystore file using the key and certificate supplied by your selected CA.

For a certificate signed by GoDaddy, the pkcs12 keystore creation would look like:

openssl pkcs12 -export -chain -CAfile bundle.crt -in server.crt -inkey server.key -out pkcs12.keystore -name dragon -passout pass:drag0n1

Where:
server.crt – the signed certificate returned from the CA
server.key – the private key associated with the certificate
bundle.crt – the root/intermediate certificates for the certificate file returned from the CA
pkcs12.keystore – the resulting pkcs12 keystore

For a certificate signed by a Microsoft Certificate Authority, the pkcs12 keystore creation would look like the following (you must retrieve the .p7b certificate file from the Microsoft CA, not the .cer file):

openssl pkcs7 -in certnew.p7b -out cacert.pem -inform DER -text -print_certs

Where:
certnew.p7b – retrieved from the Microsoft CA after the certificate request was satisfied.
cacert.pem – the resulting PEM-encoded version of the pkcs7 file, used in the next command.

openssl pkcs12 -export -in cacert.pem -inkey server.key -out pkcs12.keystore -name dragon -passout pass:drag0n1

Where:
cacert.pem – the PEM file from the CA, or created locally as in the previous openssl pkcs7 command
server.key – the private key associated with the certificate

Other certificate authorities may provide the certificates in a different format and these commands must be modified to support their specific methodology.
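Before packing the files into pkcs12.keystore, it is worth confirming that they actually belong together and that the Common Name meets the requirement described in Section 1. The following POSIX shell script is an added example, not part of the Enterasys article; it needs only the openssl CLI, and its function and file names are this example's own choices.

```shell
# Added example (not from the Enterasys article): pre-flight checks on
# server.key, server.crt and bundle.crt before Section 2, step 1.
# Function names and the demo fixture are this example's own choices.

# cn_matches <cert.pem> <expected-fqdn>
# Succeeds when the subject CN is exactly the EMS host name. A mismatch
# here is the browser certificate warning the article describes.
cn_matches() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# key_matches <server.key> <cert.pem> [key-pass-phrase]
# Succeeds when the private key's public half equals the certificate's
# public key; the pass phrase is needed for an encrypted PKCS#8 key.
key_matches() {
  if [ -n "${3:-}" ]; then
    keypub=$(openssl pkey -in "$1" -pubout -passin "pass:$3")
  else
    keypub=$(openssl pkey -in "$1" -pubout)
  fi
  certpub=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# chain_ok <bundle.crt> <cert.pem>
# Succeeds when the certificate verifies up to a root in the CA bundle;
# if this fails, 'openssl pkcs12 -export -chain -CAfile' fails as well.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pair <dir> <fqdn>
# Constructed offline fixture: a throwaway self-signed certificate stands
# in for the CA-issued server.crt and, being its own root, for bundle.crt.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
  cp "$1/server.crt" "$1/bundle.crt"
}

# Usage: sh check_certs.sh server.crt server.key bundle.crt EmsServer.mycompany.com
if [ $# -eq 4 ]; then
  cn_matches "$1" "$4"  && echo "CN ok"    || echo "CN mismatch: expect browser warnings"
  key_matches "$2" "$1" && echo "key ok"   || echo "private key does not match certificate"
  chain_ok "$3" "$1"    && echo "chain ok" || echo "certificate does not chain to bundle.crt"
fi
```

Run it against the real files before the openssl pkcs12 -export step; a failure in any of the three checks is cheaper to diagnose here than after the keystore has been installed on the EMS server.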

2. Create a JKS-formatted keystore file from the pkcs12-formatted file to install onto the EMS server.

keytool -v -importkeystore -srckeystore pkcs12.keystore -srcstoretype PKCS12 -srcstorepass drag0n1 -destkeystore dragon.keystore -deststoretype JKS -deststorepass drag0n1

Where:
pkcs12.keystore – the pkcs12 keystore file created in step 1 above.
dragon.keystore – the resulting keystore, to be installed on the EMS server in step 4 and to be used in step 3 to generate a keystore containing the public certificate to be installed on the EMS client.


3. Create the public certificate file to copy to the EMS client.

keytool -export -keystore dragon.keystore -alias dragon -file ./rmi.cert

keytool -import -alias dragon -keystore client.keystore -file ./rmi.cert

Where:
dragon.keystore – the keystore file created in step 2.
rmi.cert – a temporary certificate file used to copy the public certificate into the new keystore.
client.keystore – the resulting keystore, to be renamed and installed on the EMS client. See step 5.

You will be asked for the password for each keystore. Use 'drag0n1' as the password.

When asked if you trust this certificate, answer 'yes'.

4. The dragon.keystore file created in step 2 should be used to replace the dragon.keystore file on the EMS server, located in /opt/dragon/enterprise-manager/server/default/conf. The EMS must then be restarted using either dragon-stop and dragon-start, or scripts/dragon-jboss stop and scripts/dragon-jboss start.

5. The client.keystore file created in step 3 should be renamed to dragon.keystore and used to replace the dragon.keystore file on the EMS client. This file is located in the install directory of the EMS client.

In a standard client install, the dragon.keystore file to replace is located in the 'C:\Program Files\Enterasys\Dragon EMS Client' directory.

In a Web Start client install, this dragon.keystore file is located in 'C:\Documents and Settings\{user-name}\.dragon\client'.

The signed certificate should now be installed properly on the EMS server and EMS client. Validate that the EMS client connects and operates properly and that connecting to the Dragon web services now works as expected.

Section 3: Acquiring a signed certificate for use in Dragon
This section identifies how to acquire a signed certificate from a CA. If you already have a signed certificate that you wish to use, this section can be ignored.

This section is copied, and very slightly modified, from the following Enterasys NetSight document: Replacing the Server Certificate on the NAC Appliance Portal Web Server, NetSight Version 4.0, 8/12/2010.

Generating a Server Private Key and Server Certificate
If you have not been given a server private key and a server certificate to use, this section outlines creating and submitting a new private key and a certificate signing request (CSR).
You will need to:
  • Generate a server private key
  • Create a certificate signing request
  • Submit the request to a certificate authority

These steps apply whether you use a commercial certificate authority or an in-house certificate authority.

Generate a Server Private Key
Generate an unencrypted RSA private key pair. The key should be unencrypted so that user intervention is not required when starting the Apache server.

With OpenSSL, generate a password-encrypted PKCS#8-format server private key file named server.key as follows:
openssl genrsa 4096 | openssl pkcs8 -topk8 -out server.key

You will be prompted for a pass phrase; any later command that reads server.key, such as the openssl pkcs12 -export command in Section 2, will prompt for the same pass phrase. If the pass phrase is ever lost or forgotten, you will need to generate a new server private key and a new server certificate.

Create a Certificate Signing Request
Create a Certificate Signing Request (CSR) which can be submitted to a certificate authority (CA) in order to generate a server certificate.

With OpenSSL, generate a CSR file named server.csr as follows:
openssl req -new -key server.key -out server.csr

This command will prompt you for information that will appear in the certificate. When you are prompted for a Common Name, specify the fully qualified host name of the Dragon EMS server (the original NetSight text says NAC Appliance):
Common Name (eg, YOUR name) []:EmsServer.mycompany.com
 
Submit the Request to a Certificate Authority
The procedure to submit a CSR to a CA, and receive back a server certificate, varies with the service used. Usually, it is done through a website. You will provide information, including the contents of the CSR. You will receive back a PEM-encoded server certificate, which is then stored in a file.

The CA can be a commercial service, such as VeriSign, or an in-house CA, which generates certificates used internally by your enterprise.

Once you receive the signed certificate from the certificate authority, follow the instructions in Section 2 of this document to generate a dragon.keystore from the certificate and key files.