5.1 Securing the Connection with Novell Audit

Novell Audit utilizes SSL certificates to ensure that communications between a logging application and the Secure Logging Server are secure. By default, the Secure Logging Server utilizes an embedded root certificate generated by an internal Novell® Audit Certificate Authority (CA). Likewise, by default, the Identity Manager Instrumentation utilizes a public certificate that is signed by the Secure Logging Server root certificate. You can, however, configure Novell Audit to use certificates generated by an external CA.

The following sections review how to use custom certificates to secure the connection between Identity Manager and Novell Audit:

5.1.1 Updating the Novell Audit Certificate Infrastructure

You can substitute the internal Novell Audit CA and embedded product certificates with certificates signed by your enterprise CA so you can integrate Novell Audit with your enterprise security infrastructure.

WARNING:Although the process of using certificates signed by external CAs is relatively simple, the consequences of failing to change all required components are serious. Logging applications might fail to communicate with your Secure Logging Server, so events will not be recorded.

To update your Novell Audit certificate infrastructure with a custom certificate:

  1. Identify all Secure Logging Servers and Identity Manager servers where certificates are located.

  2. Use AudCGen to generate a CSR for the Secure Logging Server.

    For information on generating a CSR with AudCGen, see Creating Logging Application Certificates.

  3. Have the CSR signed by your enterprise CA.

    If necessary, convert the returned certificate to a Base64-encoded .pem file.

  4. Shut down all Secure Logging Servers and Identity Manager servers.

  5. Delete and purge all application cache (lcache) files.

  6. In iManager, update the Secure Logging Certificate File and Secure Logging Privatekey File properties in the Secure Logging Server configuration to point to the new, signed root certificate key pair. For more information on the Secure Logging Server configuration, see Logging Server Object Attributes in the Novell Audit 2.0 Administration Guide.

  7. Use AudCGen to generate a new public certificate for Identity Manager.

    IMPORTANT:The certificate signed by your enterprise CA must be used as the authoritative root certificate.

    For information on generating a certificate for Identity Manager, see Creating Logging Application Certificates.

  8. Update the Identity Manager instrumentation so it uses the public certificate signed by the Secure Logging Server’s root certificate key pair. For more information, see Enabling the Identity Manager Instrumentation to Use a Custom Certificate.

  9. Restart eDirectory™ or the Remote Loader.

After you update your Novell Audit certificate infrastructure with a custom certificate, the only routine maintenance is to renew the certificates before they expire. Because AudCGen does not check the enterprise CA's signature on the Secure Logging Server certificate (see Validating Certificates), track that certificate's expiry date yourself, and regenerate every logging application certificate whenever the Secure Logging Server root key pair changes.

5.1.2 The Novell Audit AudCGen Utility

IMPORTANT:There are many versions of the AudCGen utility. This section documents the most recent version of AudCGen available with Novell Audit 2.0.2 FP2. If you are using a different version of AudCGen, refer to the help file for that version.

The AudCGen utility must be used to create and sign Novell Audit certificates. The following table describes the AudCGen command parameters:

Table 5-1 AudCGen Command Parameters

Parameter

Description

app

Generates a certificate key pair for instrumented applications.

It creates the /app_cert.pem and /app_pkey.pem files.

–appcert:filename

The output path and filename for the logging application’s certificate.

The default filename is app_cert.pem. The default path is platform-specific and can be changed using the –base parameter.

–apppkey:filename

The output path and filename for the logging application’s private key.

The default filename is app_pkey.pem. The default path is platform-specific and can be changed using the –base parameter.

–base

The base path used when reading from or writing to files.

The default path is platform-specific.

–bits:RSA_key_size

The number of encryption bits used during certificate creation.

Values of 384-4096 are accepted. The default value is 1024. Note that 512-bit RSA keys (as used in the examples in this section) can be factored with modest resources and 1024-bit keys are no longer considered adequate; use -bits:2048 or larger for any key pair you deploy.

–cacert:filename

The path and filename to the public certificate used by the Novell Audit Secure Logging Server. The Secure Logging Server’s certificate key pair must be provided when generating a certificate key pair for a logging application.

The default filename is ca_cert.pem. The default path is platform-specific and can be changed using the –base parameter.

–capkey:filename

The path and filename to the private key used by the Novell Audit Secure Logging Server (SLS). The SLS certificate key pair must be provided when generating a certificate key pair for a logging application.

The default filename is ca_pkey.pem. The default path is platform-specific and can be changed using the –base parameter.

csr:filename

Generates a Certificate Signing Request (CSR) for the Novell Audit Secure Logging Server that can be signed by a third-party CA. It also generates the certificate private key.

The default CSR filename is ca_csr.pem. The default private key filename is ca_pkey.pem. The default path is platform-specific and can be changed using the –base parameter.

–csrfile:filename

The filename of the CSR for the Novell Audit Secure Logging Server.

The default CSR filename is ca_csr.pem.

–csrpkey:filename

The filename of the private key used with the signed CSR for the Novell Audit Secure Logging Server.

The default private key filename is ca_pkey.pem

–f

Force overwrite.

AudCGen overwrites any existing certificates or private keys of the same name (for example, app_cert.pem or app_pkey.pem) in the output directory.

This parameter is optional.

If you do not use the -f parameter and there is an existing file, AudCGen aborts creation of the certificate.

–h|?

Provides the AudCGen help screen.

–name:application_identifier

IMPORTANT:This parameter is required when creating certificates for logging applications like Identity Manager.

The logging application’s application identifier.

The application identifier is the application name that appears in the first line of the application's corresponding .lsc file.

NOTE:This value matches the Application Identifier stored in Identity Manager’s Application object.

For example, the first line of the LSC file for Identity Manager is

#^Identity Manager^0003^DirXML^EN

The application identifier is the name after the third caret (^) in this line.

The application identifier for Identity Manager is DirXML.

–sn:number

This parameter creates a serial number for the generated certificate. This can be useful in maintaining and tracking your system’s certificates.

This parameter is optional.

ss

Generates a self-signed root certificate key pair for the Novell Audit Secure Logging Server. This option uses the internal Novell Audit CA.

NOTE:Do not use this option if you want to use a certificate signed by a third-party CA.

–valid:number

Specifies the number of days for which the generated public certificate is valid.

The default value is 10 years.

–verbose

Displays the contents of the certificates.

verify

Verifies that a logging application certificate (for example, the Identity Manager certificate) was signed by the root certificate used by the Secure Logging Server.

NOTE:This option performs only partial verification when verifying third-party certificates. For additional information, see Validating Certificates.

5.1.3 Creating a Root Certificate for the Secure Logging Server

The certificate key pair used by the Secure Logging Server is the logging system's Certificate Authority (CA); that is, it is the trusted root certificate that is used to validate all other Novell Audit logging application certificates. By default, this certificate is self-signed. However, you can use a certificate signed by a third-party CA.

The following sections review the process required to generate a self-signed root certificate and how to use a third-party root certificate for the Secure Logging Server.

Creating a Self-Signed Root Certificate for the Secure Logging Server

To generate a self-signed root certificate for the Secure Logging Server using the internal Novell Audit CA, use the following AudCGen command:

audcgen ss [-cacert:filename] [-capkey:filename] [-bits:number] [-f]

For example:

audcgen ss -cacert:slscert.pem -capkey:slspkey.pem -bits:512 -f

The ss option creates a self-signed root certificate that can then be used to generate the certificate key pair for each logging application. The 512-bit key in the example is far too small for production use; specify -bits:2048 or larger. For more information on this procedure, see Creating Logging Application Certificates.

Using a Third-Party Root Certificate for the Secure Logging Server

To use a certificate signed by a third-party CA, you must do the following:

  1. Use AudCGen to generate a CSR that can be signed by a third-party CA:

    The command syntax is as follows:

    audcgen csr [-csrfile:filename] [-csrpkey:filename] [-bits:RSA_key_size]

    For example:

    audcgen csr -bits:512 -csrfile:slscsr.pem -csrpkey:slspkey.pem
  2. Take the slscsr.pem file and submit it to a third-party CA for signature or sign it using your internal certificate server.

    IMPORTANT:The Novell Audit Secure Logging Server requires two Base64-encoded .pem files; one for the public certificate and one for the private key. Some CAs might generate files that require additional conversion steps.

  3. Configure the Secure Logging Certificate File and Secure PrivateKey File attributes on the Logging Server object to enable the Secure Logging Server to use the third-party certificate and private key.

    For more information, see Logging Server Object Attributes in the Novell Audit 2.0 Administration Guide.

  4. Use the Secure Logging Server’s third-party certificate to generate the certificate key pair for each logging application.

    For more information on this procedure, see Creating Logging Application Certificates.

    IMPORTANT:If you use a third-party certificate, your logging applications will no longer be able to communicate with the Secure Logging Server using their default certificates. You must create a new certificate key pair for each logging application using AudCGen and the new root certificate key pair.

5.1.4 Creating Logging Application Certificates

IMPORTANT:In Novell Audit, all logging application certificates must be signed by the Secure Logging Server root certificate and they must contain an Application Identifier.

The following command generates a public certificate and private key for your logging application:

audcgen app [-cacert:filename] [-capkey:filename] [-appcert:filename] 
[-apppkey:filename] -name:application_identifier 
[-bits:RSA_key_size] [-sn:number] [-valid:number] [-f]

NOTE:This command is used to generate logging application certificates using either the internal Novell Audit CA or one signed by a third-party CA. Use the -cacert and -capkey parameters to specify the root certificate used by your Secure Logging Server.

The following sample command creates a logging application certificate for Identity Manager:

audcgen app -cacert:slscert.pem -capkey:slspkey.pem 
-appcert:IDMcert.pem -apppkey:IDMpkey.pem -name:DirXML -bits:512 
-sn:123

Enabling the Identity Manager Instrumentation to Use a Custom Certificate

To enable the Identity Manager Instrumentation to use a custom certificate key pair, the path and filename for the certificate and private key files must be as follows:

Table 5-2 Identity Manager Certificate and Key Paths and Filenames

Platform             Certificate path and filename      Private key path and filename

NetWare®             sys:\system\dxicert.pem            sys:\system\dxipkey.pem

Windows              \windows_directory\dxicert.pem     \windows_directory\dxipkey.pem

Linux and Solaris    /etc/dxicert.pem                   /etc/dxipkey.pem

NOTE:If you are using the pure Java Remote Loader (dirxml_jremote), the locations listed above also apply. However, if dirxml_jremote is running on a non-UNIX-like platform, you must add the following to the Java invocation line in the dirxml_jremote script:

-Dnovell.dirxml.remoteloader.audit_key_directory=<directory_name> 

5.1.5 Validating Certificates

In Novell Audit, all logging application certificates must be signed by the Secure Logging Server root certificate and they must contain an application identifier.

Use the following command to determine whether a certificate is valid:

audcgen -cacert:filename -capkey:filename -verify -appcert:filename

When you use the -verify command, AudCGen checks the integrity of the target certificate. It determines if the target certificate is derived from the Secure Logging Server root certificate (trusted) and returns the logging application’s application identifier.

The following sample command verifies the certificate for the Identity Manager Instrumentation:

audcgen -cacert:cacert.pem -capkey:capkey.pem -verify 
-appcert:c:\windows\dxicert.pem

NOTE:Novell Audit 2.0.2 verifies only the signature relationship between the Secure Logging Server certificate and the logging application certificate. It does not verify the rest of the chain: it does not check that the Secure Logging Server certificate is still validly signed by the third-party CA, that it has not expired, or that it has not been revoked. Consequently, if the third-party CA's certificate expires, or the CA revokes the Secure Logging Server certificate, AudCGen does not report the problem and continues to trust the Secure Logging Server root certificate and every logging application certificate signed by it. Check the Secure Logging Server certificate against your enterprise CA by other means (for example, with your CA's own tooling) as part of certificate maintenance.
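The following script is an added example; it is not part of the original documentation and it is not AudCGen. It uses OpenSSL (assumed to be in the PATH) to stand in for the enterprise CA and for the csr and app steps in Creating a Root Certificate for the Secure Logging Server and Creating Logging Application Certificates, building an enterprise CA, a Secure Logging Server (SLS) certificate signed by it, and a DirXML application certificate signed by the SLS key pair. It then contrasts the two verification modes that matter here: trusting the SLS certificate by itself (openssl verify -partial_chain, the equivalent of the partial check described in the NOTE above) and a full-chain check anchored at the enterprise CA, plus the expiry check that AudCGen does not perform. The subject names, file names and the rogue server are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the Novell documentation): a stand-in PKI built with
# OpenSSL to show full-chain versus SLS-only verification of Novell Audit style
# certificates. Subjects, file names and the rogue server are constructed.
set -eu

# Issue a leaf certificate for the DirXML application, signed by the given key pair.
# Usage: issue_app_cert SIGNER_CERT SIGNER_KEY OUT_CERT OUT_KEY
issue_app_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$4" -out "$3.csr" \
        -subj "/CN=DirXML" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
        -out "$3" -days 365 2>/dev/null
}

# Build enterprise CA -> SLS certificate -> application certificate in DIR.
# The SLS certificate must carry CA:TRUE because it signs application certificates.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/sls_ext.cnf"
    # Enterprise CA (self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca_pkey.pem" \
        -out "$dir/ca_cert.pem" -subj "/CN=Enterprise CA" -days 3650 2>/dev/null
    # SLS CSR plus private key (the "audcgen csr" step), signed by the enterprise CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/sls_pkey.pem" \
        -out "$dir/sls_csr.pem" -subj "/CN=Secure Logging Server" 2>/dev/null
    openssl x509 -req -in "$dir/sls_csr.pem" -CA "$dir/ca_cert.pem" \
        -CAkey "$dir/ca_pkey.pem" -CAcreateserial -out "$dir/sls_cert.pem" \
        -days 365 -extfile "$dir/sls_ext.cnf" 2>/dev/null
    # Application certificate signed by the SLS key pair (the "audcgen app" step).
    issue_app_cert "$dir/sls_cert.pem" "$dir/sls_pkey.pem" \
        "$dir/app_cert.pem" "$dir/app_pkey.pem"
}

# A rogue "SLS": self-signed, same subject name, different key. The enterprise CA
# never signed it, but anything checked against it alone still verifies.
build_rogue_sls() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/rogue_pkey.pem" \
        -out "$dir/rogue_cert.pem" -subj "/CN=Secure Logging Server" -days 365 2>/dev/null
    issue_app_cert "$dir/rogue_cert.pem" "$dir/rogue_pkey.pem" \
        "$dir/rogue_app_cert.pem" "$dir/rogue_app_pkey.pem"
}

# SLS-only check: the SLS certificate itself is the trust anchor and nothing above
# it is examined. This is what the partial verification in the NOTE amounts to.
verify_against_sls_only() {    # $1 = SLS cert, $2 = application cert
    openssl verify -CAfile "$1" -partial_chain "$2" >/dev/null 2>&1
}

# Full-chain check: only the enterprise CA is trusted; the SLS certificate is an
# untrusted intermediate that must chain to it.
verify_full_chain() {          # $1 = CA cert, $2 = SLS cert, $3 = application cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Expiry check: fails if the certificate expires within $2 days.
check_not_expiring() {         # $1 = cert, $2 = days
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    build_pki "$work"
    build_rogue_sls "$work"
    verify_full_chain "$work/ca_cert.pem" "$work/sls_cert.pem" "$work/app_cert.pem" \
        && echo "genuine app cert: full chain OK"
    check_not_expiring "$work/sls_cert.pem" 30 \
        && echo "SLS cert: valid for at least 30 more days"
    if verify_against_sls_only "$work/rogue_cert.pem" "$work/rogue_app_cert.pem"; then
        echo "rogue app cert: ACCEPTED when the SLS cert alone is the anchor"
    fi
    if ! verify_full_chain "$work/ca_cert.pem" "$work/rogue_cert.pem" "$work/rogue_app_cert.pem"; then
        echo "rogue app cert: rejected by full-chain verification against the enterprise CA"
    fi
    rm -rf "$work"
}

demo
```

The point of the rogue case is the one the NOTE makes: a check whose trust anchor is the Secure Logging Server certificate cannot tell a genuine enterprise-signed SLS certificate from a self-signed look-alike, nor notice that the genuine one has expired or been revoked. Run the full-chain and -checkend checks against the real slscert.pem file whenever you rotate or audit certificates.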

5.1.6 Securing Custom Certificates

If you generate a custom certificate and private key for the Identity Manager Instrumentation, protect them: the location and name of the files are hardcoded (see Table 5-2), so anyone who can read the private key knows exactly where to find it, and with it can present the Identity Manager certificate to the Secure Logging Server and submit events as Identity Manager. The certificate and key files should be readable only by the Identity Manager Instrumentation, which loads locally on the server.

The following sections review the steps to protect custom certificates on each Novell Audit server platform.

NetWare

On NetWare, the custom certificates and private key files can be protected with file system trustees and inherited rights filters. The Identity Manager instrumentation uses sys:\system\dxipkey.pem as the private key.

To limit access to the private key files:

  1. Grant the auditor user Object rights to the key files.

  2. Using iManager, or any other management tool, implement an inherited rights filter on the key file.

It is not possible to filter the Supervisor right on files in a file system. Users with Supervisor rights to sys:\system can still access the key files. Therefore, grant Supervisor access to objects and volumes sparingly.

Windows

On Windows, the custom certificate and private key files are protected with NTFS permissions. The Identity Manager Instrumentation files to protect are \windows_directory\dxicert.pem and \windows_directory\dxipkey.pem; the private key is the sensitive one.

To limit access to the private key file:

  1. Grant the auditor user Full Control on the key file.

  2. Grant the SYSTEM account Read access to the key file, so that the instrumentation, which loads locally on the server, can still read it.

  3. Disable permission inheritance on the key file so that entries inherited from the Windows directory (which is readable by all local users by default) are not applied to it.

NOTE:The owner of a file can always change the rights. System administrators can take ownership of a file. Do not grant excessive numbers of users Administrator rights to the server.

Linux and Solaris

On Linux and Solaris, the private key is stored in /etc/dxipkey.pem.

To limit access to the private key file:

  1. Grant the root user rights to the file.

    You can also grant rights to the auditor and the root group. Do not grant read rights to other users of the system.

  2. Assign mode 0400 to the file; verify that the owner of the file is root.

    If you have granted rights to the auditor and the root group, assign mode 0440 to the file.
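The following script is an added example, not part of the original documentation. It applies the Linux and Solaris steps above (root ownership, mode 0400, or 0440 when a read-only group is allowed) and then audits the result by parsing the POSIX ls -l output, so the same check runs on both platforms. The "auditor" group name used in the usage note is an assumption. Note that POSIX ACLs (setfacl) can widen access beyond the mode bits and are not inspected here.

```sh
#!/bin/sh
# Added example (not from the Novell documentation): lock down and audit the
# Identity Manager Instrumentation private key on Linux/Solaris as section
# 5.1.6 describes. The group name is the caller's choice ("auditor" is an
# assumption in the usage note below).
set -eu

# Apply the documented ownership and mode.
# Usage: harden_key FILE OWNER [GROUP]
#   no GROUP  -> owner-only, mode 0400
#   GROUP     -> owner plus read-only group, mode 0440
harden_key() {
    key=$1; owner=$2; group=${3:-}
    if [ -n "$group" ]; then
        chown "$owner:$group" "$key"
        chmod 0440 "$key"
    else
        chown "$owner" "$key"
        chmod 0400 "$key"
    fi
}

# Audit a key file. Returns 0 only if it is a regular file owned by OWNER whose
# mode is exactly r-------- (or r--r----- when GROUP_OK is "yes"). Anything
# readable by "other", or writable/executable by anyone, is rejected.
# Usage: check_key FILE OWNER [GROUP_OK]
check_key() {
    key=$1; owner=$2; group_ok=${3:-no}
    [ -f "$key" ] || { echo "$key: missing or not a regular file" >&2; return 1; }
    listing=$(ls -ld "$key")
    mode=$(printf '%s' "$listing" | cut -c1-10)      # e.g. -r--------
    actual_owner=$(printf '%s' "$listing" | awk '{print $3}')
    if [ "$actual_owner" != "$owner" ]; then
        echo "$key: owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    case "$mode" in
        -r--------) return 0 ;;
        -r--r-----) [ "$group_ok" = yes ] && return 0 ;;
    esac
    echo "$key: mode $mode is too permissive" >&2
    return 1
}

# Usage on a real server (run as root):
#   harden_key /etc/dxipkey.pem root            && check_key /etc/dxipkey.pem root
#   harden_key /etc/dxipkey.pem root auditor    && check_key /etc/dxipkey.pem root yes
# Run with --demo to exercise the functions on a throwaway file instead.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); chmod 0644 "$f"
    check_key "$f" "$(id -un)" || echo "before hardening: rejected (expected)"
    harden_key "$f" "$(id -un)"
    check_key "$f" "$(id -un)" && echo "after hardening: accepted"
    rm -f "$f"
fi
```

Run check_key from a periodic job or your configuration management so that a later chmod, a restore from backup, or a package upgrade that resets permissions is noticed rather than silently leaving the key world-readable.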