Securing SonicWALL Global Management System with SSL and Client Certificates
Overview
The default GMS installation configures the Tomcat Web server for HTTP operation. Authentication to the GMS console is protected by application-layer hashing of the password rather than by HTTPS (SSL); this keeps the password itself from being read on the wire, but the rest of the console session travels in the clear. For networks requiring the additional security of SSL, it is simple to enable HTTPS by modifying the Tomcat configuration file, server.xml, and by obtaining or generating an X.509 server certificate.

In environments with more stringent requirements, it is sometimes necessary to provide a layer of security beyond SSL-protected password authentication. To address the needs of such installations, this document describes how to configure GMS (versions 2.5 and higher) to require client certificates for two-factor console authentication. The client-certificate model requires that every user attempting to access the GMS console present a valid X.509 certificate issued by a Certificate Authority (CA) that the GMS server trusts. To achieve this trust, both the GMS server and all privileged users obtain their certificates from the same CA. Failure to present a valid, trusted client certificate results in an SSL handshake failure, so the console session is never established. Once a valid client certificate has been presented, the GMS login page becomes accessible over the SSL channel, and the user, already identified by the certificate, is prompted for their GMS username and password.

Requirements
• GMS version 2.5 or higher
• Internet Explorer version 6.0 or higher (required to support the ActiveX controls of Microsoft Certificate Server's Web interface)
• A valid client certificate installed on each workstation used to access the GMS console. A client certificate is stored in the protected user store on the local machine and is intended to be accessible only by the user who installed it, and only after that user has authenticated to the local machine.

This document assumes that your organization has an established Certificate Authority. Setup is illustrated using Microsoft's Certificate Server as an example, although other CAs can easily be substituted. For additional information on installing Microsoft Certificate Services, see the following Microsoft references:
Windows 2000 Server: http://support.microsoft.com/kb/231881/
Windows 2003 Stand-Alone: http://technet2.microsoft.com/WindowsServer/en/library/d6eab6a4a680-40b0-9fde-4978be14ebf41033.mspx?mfr=true
Windows 2003 Enterprise: http://technet2.microsoft.com/WindowsServer/en/library/d6eab6a4-a68040b0-9fde-4978be14ebf41033.mspx?mfr=true
Creating and Installing Certificates
To establish the trust described above, this document takes you through the following steps:
1. Import your CA certificate into the Java Trusted Store on your GMS console.
2. Generate a Private Key on your GMS Server.
3. Use the Private Key to generate a CSR (Certificate Signing Request).
4. Submit the CSR to your Certificate Authority.
5. Obtain the signed server certificate.
6. Install the certificate on your GMS console.
7. Modify your server.xml file to enable HTTPS, disable HTTP, and enable client certificates.
8. Restart GMS for the settings to take effect.
9. Request a client certificate for your user.
10. Install the certificate on your management workstation.
11. Log in to GMS over HTTPS by presenting the client certificate.
Import Your CA Certificate onto Your GMS Console
1. Begin by saving a local copy of your CA certificate for import into GMS. Browse and authenticate to your certificate server's Web interface, e.g. https://10.50.165.2/certsrv.
2. Select Download a CA certificate, certificate chain or CRL.
3. Select Base 64 as the encoding method, and click the Download CA certificate link.
4. Save the file to a locatable path, for example "D:\gms\SGMS4\etc\".
Import the CA Certificate into the Java Trusted Store
From the GMS console, open a command prompt and browse to the [path]\jre\bin directory of your GMS installation, for example "D:\gms\SGMS4\jre\bin".
Note: The default password for the Java Trusted Store (the JRE's cacerts file) is "changeit". This store is the default trust anchor set for every TLS connection the GMS Java runtime makes, so only import CAs you have verified, and consider changing the default password.
To import the CA certificate, use the keytool command as shown in the following example:
1. Enter the following keytool command at the prompt (the command must be entered as a single continuous line):
keytool -import -keystore D:\gms\sgms4\jre\lib\security\cacerts -file D:\gms\SGMS4\etc\AngstCA.crt -alias AngstCA
2. Enter the keystore password: changeit
3. The certificate contents are displayed:
Owner: CN=mooseVMCA, DC=moosifer, DC=com
Issuer: CN=mooseVMCA, DC=moosifer, DC=com
Serial number: 10b8140210fe928d431fac3d74d4a959
Valid from: Mon May 01 09:39:47 MDT 2006 until: Sun May 01 09:47:15 MDT 2016
Certificate fingerprints:
MD5: 7B:8E:97:D3:A4:78:39:3C:80:48:FE:CE:54:1D:D7:7A
SHA1: C0:69:84:3C:38:F4:72:FF:73:6A:B3:95:59:9C:81:50:24:E0:67:33
4. Before answering, compare the fingerprints shown with the values your CA administrator has published through a channel other than the Web page you downloaded the file from; a wrong root certificate accepted here will be trusted silently from now on. If they match, type yes to import the certificate:
Trust this certificate? [no]: yes
Certificate was added to keystore
The CA certificate is now in your Java Trusted Store.
Create the GMS Server Private Key
To create the private key for your GMS server, and to save it to (or to create) your server keystore, use the example below to enter your information at the prompts (the first line must be entered as a single continuous line):
1. At the prompt, enter the following command all on one line:
keytool -genkey -alias securegms -keyalg RSA -keysize 1024 -keystore D:\gms\SGMS4\etc\keystore -storetype JKS
Note: The 1024-bit key size shown reflects keytool defaults of the time; use -keysize 2048 or larger today, since shorter RSA keys are no longer considered adequate and many CAs refuse to sign them.
2. Enter keystore password: password (select a strong password to protect your store)
3. What is your first and last name? (enter your own information in the fields that follow)
[Unknown]: Sah Niqual
Note: This is the Common Name (CN) that will appear on your certificate. Despite the prompt, it must not be a person's name: to avoid browser security warnings, use the same name that will be used to access your GMS console, for example "mygmsserver.mydomain.com" or "10.50.165.26".
4. What is the name of your organizational unit?
[Unknown]: Engineering
5. What is the name of your organization?
[Unknown]: SonicWALL
6. What is the name of your City or Locality?
[Unknown]: Sunnyvale
7. What is the name of your State or Province?
[Unknown]: California
8. What is the two-letter country code for this unit?
[Unknown]: US
9. Is CN=Sah Niqual, OU=Engineering, O=SonicWALL, L=Sunnyvale, ST=California, C=US correct?
[no]: yes
10. Enter key password for <securegms>
(RETURN if same as keystore password):
Press RETURN here: Tomcat's SSL connector is configured with a single keystore password, so the key password must be the same as the keystore password.
Your private key is created and stored in your server keystore (D:\gms\SGMS4\etc\keystore). This file now holds the server's private key; restrict its file permissions to the account the GMS Web server runs as.
Generate the CSR
You will now use that private key to generate a certificate request. Use the following as an example when entering your information (the first line must be entered as a single continuous line):
1. At the prompt, enter the following command all on one line:
keytool -certreq -keyalg RSA -alias securegms -file D:\gms\SGMS4\etc\myCSR.csr -keystore D:\gms\SGMS4\etc\keystore
2. Enter keystore password: password (enter your previously chosen keystore password here)
3. This creates the file "D:\gms\SGMS4\etc\myCSR.csr". Open it with Notepad or another editor and copy its contents to your clipboard. The content of the CSR should look like this:
-----BEGIN NEW CERTIFICATE REQUEST----MIIBtTCCAR4CAQAwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT CVN1bm55dmFsZTESMBAGA1UEChMJU29uaWNXQUxMMRQwEgYDVQQLEwtFbmdpbmVlcmluZzETMBEG A1UEAxMKU2FoIE5pcXVhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhGbgx9IgMRzejmcY wH8TRhSib0uhcfDvhSZO/xLRb4OnITZT5Vnrgf6lnTX3wAs6B2qAwbUV4uqjlh2BDlj0D9AaGNL/ gJLKjQnuNZK3rHxsC3Gkf40kZUKE3puy0TrEVITWBbSCsliinYsy9/IfhCPzo3YkrhMCe1kYx2Ie FhECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAFcDrasPkG9Fwq7C7gqnZ95RsQF8cB/muMogsrB2 nwV054gYamUJPxXpoq+TAjI1hp6s94xmDLgZWPcE9sArwAn31L7to0SFRpuGbxxBk7BojAogem+V 7LSMMRMxVmoFJQIzPsDnA+OYDNoeBv/+Q4H7Md4olSRBQMFRV/ngZFOx -----END NEW CERTIFICATE REQUEST-----
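Before pasting the CSR into the CA's Web form it is worth confirming what the request actually says, because keytool's interactive prompts make it easy to end up with a person's name in the CN instead of the console's hostname. The following Python script is an added example and not part of the guide: it walks the DER of the request printed above (the guide's own CSR), reports the subject, key size and signature algorithm, and flags what a practitioner would not submit today. The expected console name "mygmsserver.mydomain.com" is the example name from the key-generation note; the 2048-bit minimum is an assumed policy value.

```python
"""Inspect a keytool certificate request before submitting it to the CA.
Added example, not part of the guide; GUIDE_CSR is the request printed in the guide."""
import base64
import re

GUIDE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtTCCAR4CAQAwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT
CVN1bm55dmFsZTESMBAGA1UEChMJU29uaWNXQUxMMRQwEgYDVQQLEwtFbmdpbmVlcmluZzETMBEG
A1UEAxMKU2FoIE5pcXVhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhGbgx9IgMRzejmcY
wH8TRhSib0uhcfDvhSZO/xLRb4OnITZT5Vnrgf6lnTX3wAs6B2qAwbUV4uqjlh2BDlj0D9AaGNL/
gJLKjQnuNZK3rHxsC3Gkf40kZUKE3puy0TrEVITWBbSCsliinYsy9/IfhCPzo3YkrhMCe1kYx2Ie
FhECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAFcDrasPkG9Fwq7C7gqnZ95RsQF8cB/muMogsrB2
nwV054gYamUJPxXpoq+TAjI1hp6s94xmDLgZWPcE9sArwAn31L7to0SFRpuGbxxBk7BojAogem+V
7LSMMRMxVmoFJQIzPsDnA+OYDNoeBv/+Q4H7Md4olSRBQMFRV/ngZFOx
-----END NEW CERTIFICATE REQUEST-----"""

OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out


def _oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_csr(pem):
    """Minimal walk of a PKCS#10 request: subject DN, key algorithm/size, signature algorithm."""
    der = base64.b64decode("".join(re.sub(r"-----[^-]*-----", "", pem).split()))
    _, request, _ = _tlv(der, 0)
    (_, info), (_, sig_alg), _ = _children(request)[:3]
    _version, (_, subject), (_, spki) = _children(info)[:3]
    dn = {}
    for _, rdn in _children(subject):                 # SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            dn[OID_NAMES.get(_oid(oid), _oid(oid))] = value.decode("latin-1")
    (_, key_alg), (_, key_bitstring) = _children(spki)
    key_oid = _oid(_children(key_alg)[0][1])
    bits = None
    if key_oid == "1.2.840.113549.1.1.1":
        # BIT STRING (first byte = unused-bit count) wraps SEQUENCE { modulus n, exponent e }
        rsa = _children(key_bitstring[1:])[0][1]
        bits = int.from_bytes(_children(rsa)[0][1], "big").bit_length()
    sig_oid = _oid(_children(sig_alg)[0][1])
    return {"subject": dn, "key_algorithm": OID_NAMES.get(key_oid, key_oid),
            "key_bits": bits, "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid)}


def check_csr(pem, console_name, min_bits=2048):
    """Policy checks to run before pasting the request into the CA. Returns (info, problems)."""
    info = parse_csr(pem)
    problems = []
    cn = info["subject"].get("CN")
    if cn != console_name:
        problems.append("CN %r is not the name used to reach the console (%r); browsers will warn"
                        % (cn, console_name))
    if info["key_bits"] is not None and info["key_bits"] < min_bits:
        problems.append("%d-bit %s key; regenerate with -keysize %d or larger"
                        % (info["key_bits"], info["key_algorithm"], min_bits))
    if info["signature_algorithm"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption"):
        problems.append("request signed with %s; pass -sigalg SHA256withRSA to keytool -certreq"
                        % info["signature_algorithm"])
    return info, problems


if __name__ == "__main__":
    details, issues = check_csr(GUIDE_CSR, "mygmsserver.mydomain.com")
    print(details)
    for issue in issues:
        print("WARNING:", issue)
```

Run against the guide's own request, the script reports CN "Sah Niqual", a 1024-bit RSA key and an MD5-signed request, all three consistent with 2006-era keytool defaults. Only the first two matter for what the CA issues (the CA chooses the signature algorithm of the certificate it signs, but it copies the subject and the public key), and neither can be fixed after the fact: regenerate the key with the right -dname and -keysize rather than submitting the request.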
Submit the CSR to Your CA
1. Browse and authenticate to your certificate server's Web interface, e.g. https://10.50.165.2/certsrv.
2. Click Request a certificate.
3. Click advanced certificate request.
4. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Paste the contents of your clipboard (the contents of the "D:\gms\SGMS4\etc\myCSR.csr" file, making sure there is no extra carriage return at the end) into the Saved Request text area.
6. For Certificate Template, select Web Server from the list.
7. Click Submit.
Download Base64 Encoded Certificate Chain
The certificate will be issued, and you will be prompted to download it.
1. Select Base 64 Encoded.
2. Click Download certificate chain.
3. Save the file to a locatable path, for example "D:\gms\SGMS4\etc\myGMSCert.p7b".

Import the Signed Certificate into Your Server Keystore
From the GMS console, return to a command prompt and navigate to the "D:\gms\SGMS4\jre\bin" directory. Enter your information according to the following example (the first line must be entered as a single continuous line):
1. At the prompt, enter the following command on a single line:
keytool -import -alias securegms -keystore D:\gms\SGMS4\etc\keystore -file D:\gms\SGMS4\etc\myGMSCert.p7b
2. Enter keystore password: password (enter your previously chosen keystore password here)
Top-level certificate in reply:
Owner: CN=mooseVMCA, DC=moosifer, DC=com
Issuer: CN=mooseVMCA, DC=moosifer, DC=com
Serial number: 10b8140210fe928d431fac3d74d4a959
Valid from: Mon May 01 09:39:47 MDT 2006 until: Sun May 01 09:47:15 MDT 2016
Certificate fingerprints:
MD5: 7B:8E:97:D3:A4:78:39:3C:80:48:FE:CE:54:1D:D7:7A
SHA1: C0:69:84:3C:38:F4:72:FF:73:6A:B3:95:59:9C:81:50:24:E0:67:33
... is not trusted. Install reply anyway? [no]: yes
Certificate reply was installed in keystore
Note: keytool reports the chain as "not trusted" because this command does not pass -trustcacerts, so the CA you imported earlier is not consulted. Confirm that the fingerprints shown are the same ones you verified when importing the CA certificate before answering yes. The alias must match the one used for -genkey (securegms); otherwise keytool creates a separate trusted-certificate entry instead of attaching the certificate to your private key.
The GMS server certificate is now in your server keystore.

Import the CA Certificate into Your Server Keystore
From the GMS console command prompt, in the "D:\gms\SGMS4\jre\bin" directory, enter the following (the first line must be entered as a single continuous line):
1. At the prompt, enter the following command on a single line:
keytool -import -alias AngstCA -keystore D:\gms\SGMS4\etc\keystore -trustcacerts -file D:\gms\SGMS4\etc\AngstCA.crt
2. Enter keystore password: password (enter your previously chosen keystore password here)
Certificate already exists in system-wide CA keystore under alias <AngstCA>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
The CA certificate is now in your server keystore, so the keystore can also serve as the trust store against which client certificates are validated.
Modify server.xml to Enable HTTPS Use the following example to make changes to your server.xml file to enable HTTPS: Before (text to be deleted appears in red)
After (text to be added/changed appears in green)
Note: You may also change the TCP listening port from 8443 to some other available value, such as the HTTPS default 443 by modifying the “Connector port=” value. Be sure no other listening service (such as IIS or Apache) occupies the port you select or one or more services will fail.
Modify server.xml to Disable HTTP
Use the following example to make changes to your server.xml file to disable HTTP:
Before
After (text to be added appears in green): the HTTP Connector element is enclosed in an XML comment (<!-- ... -->) so that Tomcat no longer listens on the plaintext port. Leaving HTTP enabled would let a user bypass both SSL and the client-certificate requirement.
Modify server.xml to Enable Client Certificates Use the following example to make changes to your server.xml file to enable client certificates: Before (text to be modified appears in red)
After (text to be added/changed appears in green)
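The three server.xml edits above (enable HTTPS, disable HTTP, require client certificates) all touch the Connector elements. The following is an added example, not the guide's own server.xml: a constructed before/after pair of Connector elements with the edits applied, and a small check that parses a server.xml and reports whether a plaintext connector is still active, whether the HTTPS connector has clientAuth="true", and where client certificates will be validated. Attribute names are those of the Tomcat 5.5 HTTP connector and are assumed to match the Tomcat bundled with GMS; the ports, paths and passwords are illustrative.

```python
"""Audit a Tomcat server.xml for the three changes the guide makes: HTTPS on,
plaintext HTTP off, client certificates required.  Added example; the two
server.xml fragments are constructed, not copied from a GMS installation."""
import xml.etree.ElementTree as ET

# Constructed "before": default-style server.xml with the plaintext connector
# active and the SSL connector still commented out.  Ports are illustrative.
BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" maxThreads="150" enableLookups="false" redirectPort="8443"/>
    <!--
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
    -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed "after": the HTTP connector is wrapped in an XML comment, the HTTPS
# connector is live, clientAuth="true" makes the handshake demand a client
# certificate, and keystore/truststore point at the file built with keytool
# (the guide imports both the server certificate and the CA into that keystore).
AFTER = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="80" maxThreads="150" enableLookups="false" redirectPort="8443"/>
    -->
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:/gms/SGMS4/etc/keystore" keystorePass="password"
               truststoreFile="D:/gms/SGMS4/etc/keystore" truststorePass="password"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def audit(server_xml):
    """Return (severity, message) pairs; a 'fail' means the guide's goal is not met."""
    findings = []
    https_seen = False
    # ElementTree's default parser drops XML comments, so a commented-out
    # Connector is invisible here, exactly as it is to Tomcat.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        port = a.get("port", "?")
        if "AJP" in a.get("protocol", "").upper():
            findings.append(("warn", "AJP connector on port %s is untouched by these edits" % port))
            continue
        if a.get("scheme", "http").lower() != "https" or a.get("secure") != "true":
            findings.append(("fail", "plaintext HTTP connector still listening on port %s" % port))
            continue
        https_seen = True
        client_auth = a.get("clientAuth", "false")
        if client_auth.lower() != "true":
            findings.append(("fail", "port %s: clientAuth=%s, a client certificate is not required"
                             % (port, client_auth)))
        if not a.get("keystoreFile"):
            findings.append(("fail", "port %s: no keystoreFile, server key and certificate not configured" % port))
        if a.get("sslProtocol", "TLS").upper() != "TLS":
            findings.append(("warn", "port %s: sslProtocol=%s" % (port, a["sslProtocol"])))
        if not a.get("truststoreFile"):
            findings.append(("info", "port %s: no truststoreFile, client certificates are validated "
                                     "against the JRE cacerts store" % port))
        if a.get("keystorePass") or a.get("truststorePass"):
            findings.append(("info", "port %s: store passwords are in server.xml; restrict the file's ACL" % port))
    if not https_seen:
        findings.append(("fail", "no active HTTPS connector"))
    return findings


def failures(server_xml):
    """Just the blocking findings, for a quick pass/fail."""
    return [msg for sev, msg in audit(server_xml) if sev == "fail"]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for sev, msg in audit(text):
            print("  [%s] %s" % (sev, msg))
```

The check can be pointed at the real file with audit(open(path).read()) after editing. Two things it reports are worth acting on even when the edits are correct: if truststoreFile is omitted, Tomcat validates client certificates against the JRE's cacerts, which is why the guide imports the CA there as well; and keystorePass and truststorePass sit in server.xml in clear text, so the file's ACL should be limited to the account the SGMS Web Server service runs as.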
Stop and Restart your GMS Web Server to Activate Changes
1. To stop your GMS Web server from a command prompt, type:
net stop "SGMS Web Server"
You will see the message:
The SGMS Web Server service was stopped successfully.
2. To restart your GMS Web server, type:
net start "SGMS Web Server"
You will see the messages:
The SGMS Web Server service is starting.
The SGMS Web Server service was started successfully.
Request a Client Certificate to Install on your Management Workstation
Note: Before proceeding to this step, ensure that you are logged on to the local workstation as the user to whom you wish to issue this client certificate.
1. Browse and authenticate to your certificate server's Web interface, e.g. https://10.50.165.2/certsrv.
2. Select Request a certificate.
3. Select User certificate.
4. Your identity will be automatically determined from your local credentials. Click Submit to process the request.
Install the Client Certificate After you submit the certificate, informational messages about the certificate installation process are displayed. Click Yes on both alerts.
The certificate is then installed into your local certificate store.
Log into Your GMS System Using HTTPS
1. Browse to https://your.server.ip.address:port (e.g. https://10.50.165.26:8443). You will be asked to present a client certificate. Select the client certificate that you just installed.
2. Click OK.
Accept Browser Warning If you do not access your GMS system with the same name that you assigned to your GMS server certificate, your browser may issue a warning about a name mismatch. For example, Microsoft Internet Explorer 7 will present the following page:
1. Click Continue to this Website (not recommended) to accept the warning and continue. This warning can be avoided by using the same name to access your GMS console as was assigned to the GMS server certificate. 2. You may be prompted to present a client certificate again.
Complete HTTPS Login to GMS 1. Log into your GMS system with your usual credentials.
2. Upon logging in, you might be presented with a Java security message. Click Yes to continue.
3. If presented with a Java hostname mismatch, click Run to continue. This warning can be avoided by using the same name to access your GMS console as was assigned to the GMS server certificate.
Begin Your GMS Session You may now commence with your secure GMS management session.
Document created: 8/7/06 Last updated: 9/19/07