Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Configuring OneSign® Active Directory Domains for SSL

advertisement 
Configuring the OneSign® Enterprise for SSL
Communication
Document Version:
Status:
Authors:
Date:
1.5
Live
Andrew Harrison and Anthony Dibble
10 Feb 2012
Imprivata, Inc.
Suite 16, Building 6
Croxley Green Business Park
Hatters Lane, Watford
England, UK
Phone: +44 (0)1923 226 759
www.imprivata.com
Configuring the OneSign® Enterprise for SSL Communication
Contents
Introduction .................................................................................................................................................. 3
Purpose of this document ......................................................................................................................... 3
Overview ................................................................................................................................................... 3
Appliance to Endpoint Communication ................................................................................................ 3
Appliance to LDAP Server Communication ........................................................................................... 3
Appliance-to-Endpoint Communication ....................................................................................................... 4
Context ...................................................................................................................................................... 4
Trusting the Self-Signed certificate ........................................................................................................... 4
Using the New User Welcome MSI ....................................................................................................... 4
Using Active Directory Group Policy ..................................................................................................... 4
Signing the OneSign® Certificate by a Trusted CA .................................................................................... 6
Windows Server .................................................................................................................................... 6
Windows Server Core............................................................................................................................ 8
Appliance-to-Directory Communication ..................................................................................................... 10
Context .................................................................................................................................................... 10
Purpose ................................................................................................................................................... 10
Default Behaviour Method ..................................................................................................................... 10
Preferred Method ................................................................................................................................... 11
To retrieve a copy of the root CA certificate ...................................................................................... 12
Importing the CA Certificate into OneSign ......................................................................................... 14
10 Feb 2012
Version 1.5
Page 2
Configuring the OneSign® Enterprise for SSL Communication
Introduction
Purpose of this document
This document outlines several means of optimising SSL communication with the OneSign appliance.
Whilst some of the detailed procedural descriptions are based around the use of Microsoft Certification
Authorities, the document is still highly relevant to customers using any kind of CA.
Overview
Appliance to Endpoint Communication
By default, OneSign uses a self-signed certificate to secure with SSL all browser based communications
to any of the OneSign user interfaces, and all agent-to appliance communications.
To avoid security warnings and improve responsiveness from the user interfaces and the OneSign agents
there are two options.
The first option is to ensure the self-signed certificate is trusted by the end users’ machines. To trust this
certificate it is necessary to place a copy in the local certificate store of all end users. A number of
methods for distributing this certificate are described herein.
Alternatively, many Enterprise environments now have their own certificate authorities (CAs), thus
providing the second option, which is to replace the self-signed certificate with a version signed by a
certificate authority already trusted by end users’ computers. This is a far more efficient mechanism,
making use of the chain of trust, or certification path, on which a Public Key Infrastructure (PKI) is based.
This saves having to install the appliance certificate locally at the user’s computer.
Completing the steps below will ensure that users who attempt to access the Appliance Admin, OneSign
Admin or SSPW enrolment/lookup user interfaces, do not receive an error regarding a non-trusted root
certificate in the browser window.
Appliance to LDAP Server Communication
When OneSign is configured to communicate to an LDAP server via SSL, a certificate must be uploaded
to OneSign’s trusted certificate store in order that OneSign is able to verify the authenticity of the LDAP
server.
Again, two options are available.
The first is to upload the certificates of every LDAP server with which OneSign might communicate.
The alternative – preferred – option is to upload the certificate of a Certification Authority responsible
for signing all of the LDAP servers’ certificates.
10 Feb 2012
Version 1.5
Page 3
Configuring the OneSign® Enterprise for SSL Communication
Appliance-to-Endpoint Communication
Context
This relates to the communication between
1. The appliance and a web browser – e.g. when connecting via one of the management User
Interfaces.
2. The appliance and any OneSign agent.
Trusting the Self-Signed certificate
This option must be used by customers without access to a certificate authority. The self-signed
certificate is trusted by adding it to the local ‘Trusted Root Certificate Authority’ certificate store. There
are various methods such as manually sending it and having end-users install & import the certificate,
installing the MSI provided under the New User Welcome OneSign screen or using Active Directory
Group Policy to deploy the certificate automatically.
The self-signed certificate appears as issued to “SSO Primary Appliance”.
Using the New User Welcome MSI
The New User Welcome screen is accessed by clicking “Install OneSign Agent” on the OneSign
Administrator UI Home tab. The agent MSI that can be downloaded by clicking “Click to begin the
OneSign Agent install process” is a simplified installer with no options and will install a standard
workstation agent. During installation, the self-signed certificate is added automatically to the Trusted
Root Certificate Authority store.
Using Active Directory Group Policy
You can use Group Policy to push out the self-signed certificate to any machine that requires it. Create
an OU or modify an existing OU where the machines in question reside and follow the steps below:
1. Open Group Policy Management Console.
2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is
associated with the domain, site, or organizational unit whose users you want affected by the policy.
3. Right-click the GPO, and then select Edit. Group Policy Object Editor opens, and displays the current
contents of the policy object.
4. In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public
Key Policies\Trusted Root Certification Authorities.
10 Feb 2012
Version 1.5
Page 4
Configuring the OneSign® Enterprise for SSL Communication
Figure 1: Group Policy Management Editor
5. Click the Action menu, and then click Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the relevant certificate.
7. Repeat steps 1 to 6 for each appliance in the OneSign Enterprise to ensure each client workstation
trusts the certificates from each appliance.
10 Feb 2012
Version 1.5
Page 5
Configuring the OneSign® Enterprise for SSL Communication
Signing the OneSign® Certificate by a Trusted CA
The preferred means for trusting the OneSign web SSL certificate is to generate a new certificate signed
by the customer’s own CA. This mechanism can be utilised by those customers with access to a trusted
Enterprise Certificate Authority. This CA can be internal – e.g. an Active Directory domain controller
running Certificate Services, or external – e.g. VeriSign. The key requirement is that the CA certificate is
trusted – i.e. already contained within one of the trusted CA certificate stores on the end user machines.
In high level terms, the process involves generating a Certificate Signing Request (CSR) on the OneSign
appliance, submitting this CSR to a CA, which creates and signs the requested certificate, then importing
this new certificate into the OneSign appliance. The detailed steps using a Microsoft CA depend on
whether a standard installation of Windows Server is used, or Windows Server Core.
Windows Server
NB. Domain Admin privileges will be necessary to carry out this procedure.
1. Log into OneSign® Appliance administrator and click the ‘Security’ tab.
Figure 2: OneSign Appliance Administrator Security Page
2. Click ‘View CSR’ and copy the entire text as stated. Be sure to include:
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
10 Feb 2012
Version 1.5
Page 6
Configuring the OneSign® Enterprise for SSL Communication
Figure 3: View CSR
3. Access your Microsoft Enterprise Root Certificate Authority website (http://<ca-name>/certsrv).
Click on “Request a certificate” and hit “next”.
Figure 4: Microsoft Root Certification Authority Website
10 Feb 2012
Version 1.5
Page 7
Configuring the OneSign® Enterprise for SSL Communication
4. Click ‘submit an advanced certificate request.’
5. Click ‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit
a renewal request by using a base-64-encoded PKCS #7 file’
6. Paste the Certificate Request into the Saved Request box and select ‘Web Server’ from the
Certificate Template Dropdown menu. Remove spurious spaces after “-----BEGIN CERTIFICATE
REQUEST----- “, then click Submit.
NB: The ‘Web Server’ template will NOT be available in the Dropdown menu unless either: a)
you have domain administrative privileges or b) the security on the Web Server template has
been modified, within the Certificate Templates console, to allow the Enroll permission for the
specific type of user making the request.
7. Depending on how you have the authorisation setup you may need to manually approve it or it
may be auto-approved depending on the configuration. Once you are at the ‘Certificate Issued’
page change the format to ‘Base64 encoded’ and click on ‘Download CA cert’
8. Locate the ‘certnew.cer’ file, right click and open with WordPad or notepad. Copy ALL of the
characters.
9. Log back into OneSign® Appliance Administrator. Click on Security->SSL->Import Cert button
and paste the content obtained in the previous step and click “import”.
10. Reboot the appliance.
11. Upon reboot login to Appliance administrator, click on Security->SSL and review the ‘Issuer CA’
section and make sure the name corresponds with the CA that had signed the OneSign®
appliance CSR. When our certificate is self-signed, the issuer would read as “SSO Primary
Appliance”.
12. Repeat steps 1 to 11 for each appliance in the OneSign Enterprise to ensure each appliance
has a trusted certificate issued by the Trusted Root Certification Authority.
Windows Server Core
Windows Server Core is a new minimal server installation option for computers running on the Windows
Server 2008 operating system or later. Certificate Web Services are unavailable on Windows Server 2008
R2 Core, thus certificates must be request manually via the command line instead of via the Web
Services interface. An example procedure is as follows:
1. Copy the CSR from the OneSign appliance as per the first few steps of the “Windows Server”
instructions.
2. Paste this CSR into a .txt file – e.g. <appliancename>.txt
3. Copy the .txt file to the Microsoft Enterprise Root Certificate Authority server
4. Initiate a certificate request using the following command line, which submits the OneSign CSR
and requests a certificate using the Web Server template:
10 Feb 2012
Version 1.5
Page 8
Configuring the OneSign® Enterprise for SSL Communication

certreq –submit –attrib “CertificateTemplate:WebServer” <appliancename>.txt
<appliancename>.cer
5. Pick the required certificate server from the list – this should be the root CA.
6. The .cer file can then be opened with notepad or wordpad, and the characters copied and
pasted into the OneSign appliance as per the final few steps of the “Windows Server”
instructions.
7. The above procedure should be repeated for each OneSign appliance in the enterprise, so each
appliance has its own certificate.
10 Feb 2012
Version 1.5
Page 9
Configuring the OneSign® Enterprise for SSL Communication
Appliance-to-Directory Communication
Context
This relates to the communication between the appliance and a directory – specifically, when enabling
the “Use Secure Connection (SSL)?” setting within the OneSign User Interface screen, shown below.
Figure 5: Appliance-to-Directory SSL Communication
If OneSign is configured to communicate with more than one directory, the steps described must be
applied to each of the directory connections.
Purpose
This setting must be enabled in order for the Self Service Password Management feature to work.
This setting is also highly recommended as it prevents clear-text transmission of usernames, passwords
and synchronisation data between the OneSign appliance and the directory.
Default Behaviour Method
By default, when the “Use Secure Connection (SSL)?” setting is checked and then the settings saved,
OneSign retrieves the certificate of the LDAP server with which is configured to synchronise, and
displays this certificate as per the example in Figure 6.
10 Feb 2012
Version 1.5
Page 10
Configuring the OneSign® Enterprise for SSL Communication
Figure 6: Choosing to Trust an LDAP Server Certificate
Selecting “Yes” in answer to the question “Do you want to trust this certificate” adds the certificate to
the OneSign appliance’s trusted certificate store. When communicating with the specific LDAP server in
future, the certificate is verified, thus preventing impersonation of that specific LDAP server.
The disadvantage of using this method is that, in order to cater for the eventuality of an LDAP server
failing and OneSign needing to communicate with an alternative LDAP server, the certificates for every
LDAP server in the domain will need to be added, by sequentially changing the Host Name/Server field
and clicking Save, then answering Yes when the relevant certificate is presented.
To avoid this, use the preferred method.
Preferred Method
Figure 5 shows that next to the Directory Server Certificate Field are a Browse and an Upload button.
These can be used so that instead of OneSign automatically retrieving an LDAP server’s certificate when
Save is selected, a specific certificate can be uploaded.
10 Feb 2012
Version 1.5
Page 11
Configuring the OneSign® Enterprise for SSL Communication
Best practice is therefore to upload a copy of the root Certificate Authority’s certificate. Each LDAP
server’s certificate will have a chain of trust back to this CA certificate, therefore if the CA certificate is
trusted, all of the LDAP server certificates will be automatically trusted.
To retrieve a copy of the root CA certificate
1. Start the Certificate Authority management tool from the Start menu by typing certsrv.msc in
the Run dialog.
Figure 7: Starting the CA Management tool
2. The CA Management tool will appear as shown in the figure below.
Figure 8: The CA Management tool
10 Feb 2012
Version 1.5
Page 12
Configuring the OneSign® Enterprise for SSL Communication
3. Right click on the CA (in this example, on demo-AD-CA) and select Properties. The CA Properties
window will appear.
Figure 9: The CA Properties window
4. Click on View Certificate, and then select the Details tab
Figure 10: Certificate Details
10 Feb 2012
Version 1.5
Page 13
Configuring the OneSign® Enterprise for SSL Communication
5. Click the Copy to File button to start the Certificate Export Wizard, click Next, then select the
Base-64 encoded X.509 option.
Figure 11: The Certificate Export Wizard
6. Click Next again, and you will be prompted to choose a location to save the file. Select a location
and save the file.
Figure 12: Saving the file
7. Make a note of the location and name of the file.
Importing the CA Certificate into OneSign
1. In the OneSign Administrator UI, select the OneSign domains tab, as shown in Figure 5.
2. Browse to the location of the file containing a copy of your CA certificate, and click Upload.
3. You will be prompted whether you wish to trust this certificate, as shown in Figure 6. Select Yes.
4. OneSign now trusts your CA certificate, and therefore automatically trusts any subordinate
certificates.
10 Feb 2012
Version 1.5
Page 14
Related documents
Child Protection study day 12th June 2007
Child Protection study day 12th June 2007
Application for Land Value Tax Rate Applicable to Land Used for
Application for Land Value Tax Rate Applicable to Land Used for
PAFCPIC "We Care Abuloy"
PAFCPIC "We Care Abuloy"
Application for Land Value Tax Rate Applicable to Land Used for
Application for Land Value Tax Rate Applicable to Land Used for
Distance Education Program Application
Distance Education Program Application
Application For Issue Of A Certified Statement / Academic
Application For Issue Of A Certified Statement / Academic
Download
advertisement