Hello all, my name is Nadeem Ahmad Nazeer. Over the past year and a half I have been leading the development efforts for the Novell Data Synchronizer Mobility Pack.
Today I am going to cover information regarding SSL Certificate management in the Mobility Pack. I will also discuss SSL protocol and Cipher configuration.
The Mobility Pack is bundled with five services: 1) WebAdmin 2) Config Engine 3) Sync Engine 4) GroupWise Connector 5) Mobility Connector. These services run as separate processes and communicate with each other over a secure connection; internal self-signed certificates are generated and installed for the communication between the datasync services and connectors. There are two certificates you should know about: 1) WebAdmin 2) Mobility Connector. The WebAdmin certificate is presented when you connect to the admin interface via a web browser (as a user or as the admin), and the Mobility Connector certificate is presented when a user connects to the mobility server from a device. Those two are the certificates that external clients actually see, so they are the ones worth replacing.
Replacing the WebAdmin certificate:
Because of security concerns, many companies prefer a certificate signed by a trusted authority, and this is the recommended practice. The WebAdmin certificate is stored in the /var/lib/datasync/webadmin directory:
server.pem
Replace the above file with the certificate from a trusted authority. Make sure the certificate file is in PEM format. If it is in DER (binary) format, you can convert it with the following openssl command:
openssl x509 -inform DER -outform PEM -in certificate.crt -out server.pem
Replacing the Mobility Certificate:
If you picked the self-signed certificate option during the install, the mobility installer will create two certificate files in the /var/lib/datasync/device directory:
mobility.pem
mobility.cer
In our internal deployment we found that some devices have issues with self-signed certificates. The issues ranged from devices giving warnings to devices not being able to accept the certificate at all. The self-signed certificate is issued to "DataSync MobilityPack" rather than to the specific hostname, and some devices require that a self-signed certificate be associated with a specific hostname.
In any case, it is highly recommended to get a certificate signed by a trusted authority. When you request your certificate, ask for it in PEM format. Note that the CA only returns the certificate (and any intermediate certificates); the private key is the one you generated locally when you created the certificate request, and the combined mobility.pem needs both. If either file is in DER (binary) format, you can convert it to PEM using the following openssl commands. For the certificate:
openssl x509 -inform DER -outform PEM -in certificate.crt -out certificate.pem
For a DER-encoded private key, tell openssl the input format explicitly (without -inform DER it expects PEM and will fail to read the key):
openssl rsa -inform DER -outform PEM -in key.key -out key.pem
Once you have both the certificate and the key file in PEM format, combine them into one mobility.pem file with the private key first. It should look like this:
-----BEGIN RSA PRIVATE KEY-----
(private key contents)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(certificate contents)
-----END CERTIFICATE-----
If you are using a certificate chain, make sure all of the certificates are in the mobility.pem file, ordered from your own (primary) certificate up to the root. The format of the file should look like this:
-----BEGIN RSA PRIVATE KEY-----
(private key contents)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary certificate contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate contents)
-----END CERTIFICATE-----
A file that is still DER-encoded, has the key after the certificates, or is missing the key entirely is the usual cause of the connector failing to start or of devices rejecting the certificate, so check the layout before restarting the service.
http://wiki.novell.com/index.php/Data_Synchronizer_Mobility_Connector_Devices
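The layout rules above (one private key block first, then the certificate chain, everything PEM-encoded) are easy to get wrong when hand-assembling mobility.pem. The following script is an added example, not code from the Mobility Pack or from the author; it assembles a combined file from its parts and checks a file against those rules before you drop it into /var/lib/datasync/device. The PEM bodies it embeds are constructed placeholders (base64 of short strings), not real keys or certificates, and the function names are my own.

```python
"""Assemble and sanity-check a combined mobility.pem (private key + chain).

Added example; not part of the Mobility Pack. The PEM blocks built below
are constructed placeholders, not real key or certificate material.
"""
import base64
import re

# One PEM block: captures the label ("RSA PRIVATE KEY", "CERTIFICATE", ...)
# and the base64 body between the BEGIN/END markers.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels that mark a private key. The article shows the PKCS#1 "RSA PRIVATE
# KEY" form; newer openssl versions emit the PKCS#8 "PRIVATE KEY" form.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return the (label, base64 body) tuples found in text, in file order."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def assemble_mobility_pem(key_pem, cert_pems):
    """Concatenate the key, then the certificates in the order given
    (primary -> intermediate -> root), the layout the article describes."""
    parts = [key_pem.strip()] + [c.strip() for c in cert_pems]
    return "\n".join(parts) + "\n"


def check_mobility_pem(text):
    """Return a list of problems; an empty list means the file has exactly
    one private key block, first, followed by at least one certificate."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found (is the file still in DER/binary form?)"]
    problems = []
    labels = [label for label, _ in blocks]
    if labels[0] not in KEY_LABELS:
        problems.append("first block must be the private key, found %r" % labels[0])
    if sum(1 for l in labels if l in KEY_LABELS) != 1:
        problems.append("expected exactly one private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block present")
    if any(l in KEY_LABELS for l in labels[1:]):
        problems.append("private key must come before the certificates")
    for label, body in blocks:
        try:
            # PEM bodies are base64; a truncated paste or a stray character
            # shows up here before the connector refuses the file.
            base64.b64decode("".join(body.split()), validate=True)
        except Exception:
            problems.append("block %r has a corrupt base64 body" % label)
    return problems


def _fake_block(label, payload):
    """Build a syntactically valid PEM block from constructed bytes."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)


# Constructed sample material (placeholders, not usable keys or certs).
KEY = _fake_block("RSA PRIVATE KEY", b"constructed placeholder key")
LEAF = _fake_block("CERTIFICATE", b"constructed primary certificate")
INTER = _fake_block("CERTIFICATE", b"constructed intermediate certificate")
ROOT = _fake_block("CERTIFICATE", b"constructed root certificate")

GOOD = assemble_mobility_pem(KEY, [LEAF, INTER, ROOT])
WRONG_ORDER = "\n".join([LEAF, KEY, INTER]) + "\n"   # key pasted after the leaf
CERT_ONLY = "\n".join([LEAF, INTER]) + "\n"          # forgot the key entirely

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("wrong order", WRONG_ORDER), ("cert only", CERT_ONLY)):
        print(name, "->", check_mobility_pem(text) or "OK")
```

To check a real file, read /var/lib/datasync/device/mobility.pem and pass its contents to check_mobility_pem; the script only validates layout and encoding, so still confirm with openssl that the key matches the certificate before restarting the connector.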
Configuring the SSL version and Ciphers for Mobility Connector:
If you are concerned about SSLv2 and the weak ciphers that are enabled by default, you can turn them off by editing the connector configuration through the WebAdmin interface (go to the home page, click on the Mobility Connector, then choose Edit XML Source). The default settings for the Mobility Connector accept all SSL versions and all ciphers. To customize them, add the following tags between the <custom> beginning tag and the </custom> end tag:
<sslMethod>value</sslMethod>
<sslCiphers>list</sslCiphers>
The values for sslMethod are 1 (SSLv2), 2 (SSLv3), 3 (all protocols) and 4 (TLSv1). In the current release only a single value is supported, so you cannot list several; 4 is the only choice that refuses both SSLv2 and SSLv3.
Obtain the list of ciphers your openssl build supports for a given protocol by running the openssl ciphers command (the -v flag prints protocol, key exchange and MAC for each suite), for example:
openssl ciphers -v -tls1
You can enter any number of ciphers from this list, separated by colons. Here is a sample configuration:
<sslCiphers>DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA</sslCiphers>
<sslMethod>4</sslMethod>
The above configuration restricts the connector to the TLSv1 protocol and to the listed ciphers only. Note, however, that the tail of the sample list still contains RC4 (RC4-SHA, RC4-MD5), single DES (EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA) and export-grade suites (EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA), all of which count as weak today; if your devices negotiate the AES and 3DES suites at the front of the list, drop those trailing entries. A client can only be forced onto a strong suite if the weak ones are absent from the list, so verify what your devices actually negotiate before trimming.
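To see which entries in a configuration like the sample above are the weak ones, and to produce a trimmed list, here is an added example (my own code, not part of the Mobility Pack or the WebAdmin tooling). It parses a constructed <custom> fragment with the sslMethod and sslCiphers tags described above, flags suites whose OpenSSL names mark them as export-grade, RC4, single DES, MD5-MAC, NULL or anonymous, and emits a hardened fragment without them. The marker substrings and function names are my own assumptions about OpenSSL naming conventions, not anything the connector documents.

```python
"""Audit a Mobility Connector <custom> SSL fragment and strip weak suites.

Added example; not part of the Mobility Pack. The XML fragments below are
constructed from the article's sample values.
"""
import xml.etree.ElementTree as ET

SSL_METHOD_NAMES = {"1": "SSLv2", "2": "SSLv3", "3": "all protocols", "4": "TLSv1"}

# Substrings in OpenSSL suite names that identify weak suites (assumption,
# based on conventional naming): export grade, RC4, single DES (but not
# "DES-CBC3"), MD5 MAC, NULL cipher/MAC, and anonymous key exchange.
WEAK_MARKERS = ("EXP-", "RC4", "DES-CBC-", "-MD5", "NULL", "ADH-", "AECDH-")


def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)


def weak_ciphers(cipher_string):
    """Return the weak suites from a colon-separated OpenSSL cipher string."""
    return [c for c in cipher_string.split(":") if c and is_weak(c)]


def harden(cipher_string):
    """Return the cipher string with every weak suite removed, order preserved."""
    return ":".join(c for c in cipher_string.split(":") if c and not is_weak(c))


def audit_custom(xml_text):
    """Parse a <custom> fragment and return (protocol name, weak suites, notes).

    An empty notes list means: a single protocol that excludes SSLv2 and
    SSLv3, an explicit cipher list, and no weak suite in it."""
    root = ET.fromstring(xml_text)
    method = root.findtext("sslMethod")
    ciphers = root.findtext("sslCiphers") or ""
    notes = []
    if method is None:
        notes.append("sslMethod absent: connector default accepts every SSL version")
    elif method in ("1", "3"):
        notes.append("sslMethod %s (%s) still permits SSLv2" % (method, SSL_METHOD_NAMES[method]))
    elif method == "2":
        notes.append("sslMethod 2 (SSLv3) is obsolete; prefer 4 (TLSv1)")
    if not ciphers:
        notes.append("sslCiphers absent: connector default accepts every cipher")
    weak = weak_ciphers(ciphers)
    if weak:
        notes.append("weak suites present: " + ", ".join(weak))
    return SSL_METHOD_NAMES.get(method, "unknown"), weak, notes


def custom_fragment(method, cipher_string):
    """Render the two tags the article says to place inside <custom>."""
    return ("<custom><sslMethod>%s</sslMethod><sslCiphers>%s</sslCiphers></custom>"
            % (method, cipher_string))


# The article's sample list, verbatim (constructed fragment around it).
ARTICLE_CIPHERS = (
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:"
    "DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"
    "DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:"
    "EDH-DSS-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA")
ARTICLE_SAMPLE = custom_fragment("4", ARTICLE_CIPHERS)
HARDENED_SAMPLE = custom_fragment("4", harden(ARTICLE_CIPHERS))
DEFAULT_LIKE = "<custom></custom>"   # no tags at all: the connector's default

if __name__ == "__main__":
    for label, frag in (("article sample", ARTICLE_SAMPLE),
                        ("hardened", HARDENED_SAMPLE),
                        ("default", DEFAULT_LIKE)):
        proto, weak, notes = audit_custom(frag)
        print(label, "->", proto, "| notes:", notes or "none")
    print(HARDENED_SAMPLE)
```

Paste the output of custom_fragment between the <custom> tags in the connector's XML source; the audit is a name-based filter, so a suite the page's openssl build does not know would pass through unchanged and should still be checked against openssl ciphers -v.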
Back to Dean:
Thanks Nadeem for all of the great information. Let the team know if you have questions about how to best secure your mobility server and devices.
Dean
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.