Distribution Security Using Signed Certificates and Digests
Policy and Distribution Services uses signed certificates to validate whether Distributions are from a trusted source, or have been tampered with. This security is automatically used by Policy and Distribution Services for all Distributions. However, there are actions you might need to take to get Policy and Distribution Services to create and process the certificates.
Policy and Distribution Services also provides optional Distribution security with digests. A digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
There are two features of TED that deal with security:
Certificates: Security certificates (required) are issued by each Distributor to all Subscribers receiving its Distributions. In order for a Subscriber to accept its first Distribution from a Distributor, it must have a certificate in its security directory from that Distributor. After receiving its first Distribution from the Distributor, the certificate is then stored in the .KEYSTORE file. The content of the .KEYSTORE file can be viewed in iManager.
For information on security certificates for encrypted Distributions, see Distribution Security Using Encryption.
Digests: Digests (optional) can be created for each Distribution at the time it is built. The digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
The following sections provide more information on understanding, creating, and using certificates and digests:
- Understanding Digests
- Understanding Certificate Usage in Policy and Distribution Services
- Important Points about Certificates
- ConsoleOne User Rights and Certificate Copying
- Certificate File Locations
- Resolving Certificates
- Handling Invalid Certificates
- Certificate and Private Key Directories
- Creating Security Certificates for Non-Encrypted Distributions
- Manually Copying Certificates for Non-Encrypted Distributions
Understanding Digests
Important points about digests:
- Digests can be created for each Distribution at the time it is built. The digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
- The Digest option is available for all Distribution types. The Digest check box is displayed on the General tab of the Distribution object's properties.
- A digest will add about 30% to the build time. Factors that can affect build time using digests are CPU and hard drive speeds, amount of RAM, server workload, and so on.
Understanding Certificate Usage in Policy and Distribution Services
A certificate is a security mechanism used by Policy and Distribution Services to ensure that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution. Because configuration information can also be sent to the Subscriber, it ensures that the configuration information has been sent from a known Distributor and that the data has not changed.
All Subscribers must receive a valid security certificate from each Distributor that sends Distributions to them. Without a matching certificate, a Subscriber cannot receive Distributions from the Distributor.
The following illustrates the process of using certificates with Distributions:
Before a Distribution should be sent, certificates must be resolved. This ensures that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution.
For information on resolving certificates, see Resolving Certificates.
After certificates have been resolved, the following illustrates how the Subscriber uses the certificate to ensure it is receiving a valid Distribution:
Important Points about Certificates
- Certificates are issued by each Distributor to all Subscribers receiving Distributions from that Distributor. In order for a Subscriber to accept Distributions from a Distributor, it must have received a certificate from that Distributor.
- For security, certificate key pairs are created by the Distributor.
- The public key is written to the Distributor server's file system, which self-signs a certificate and stores it in Novell eDirectoryTM.
- The Subscriber software does not need to be running on the Subscriber server to have certificates copied to the server.
- The association of Distributions (owned by a Distributor) and Subscribers to a Channel determine which Subscribers should receive certificates from which Distributors.
- A Distributor will send certificates to all Subscribers that subscribe to Channels where the Distributor has Distributions.
- A Subscriber will request certificates from all Distributors that have Distributions in Channels to which it subscribes.
- A certificate can be passed from a Distributor to a Subscriber under the following circumstances:
- When a Subscriber is initially subscribed to a Channel and you click OK to apply the changes.
- When you right-click a Subscriber Object and select Resolve Certificates. The Subscriber will then request certificates from all Distributors that it will receive distributions from.
- When a Distribution is listed in a Channel and you click OK to apply the changes.
- When you right-click a Distributor Object and select Resolve Certificates. The Distributor will send certificates to all Subscribers that it sends distributions to.
For information on resolving certificates, see Resolving Certificates.
- When you add a Distribution and/or a Subscriber to a Channel. When clicking okay, the Resolve Certificates? dialog will be displayed. If you answer Yes, certificates will be sent by all Distributors who have Distributions associated with that Channel to all Subscribers subscribed to that channel.
- Manually copying a certificate file to a transfer medium (such as a diskette or local drive), then to the ZENWORKS\PDS\TED\SECURITY directory on a server.
Basically, any time the relationship changes between the Subscribers, Channels, or Distributions, a certificate can be passed.
- If a Distributor object is deleted and re-created to point to the same server, all certificates on the subordinate Subscribers become invalid. Certificates must be deleted from the Subscriber's security subdirectory. Then the Distributor must send the new certificates to those Subscribers.
- ConsoleOne copies the certificate files to Subscriber servers. Therefore, the client software on the workstation running ConsoleOne must have access to the Subscriber servers' file systems. For Windows Subscriber servers, the Domain and Workgroup rights on the workstation must be set up to facilitate automatic certificate copying. Otherwise, a 1204a error will be given.
ConsoleOne User Rights and Certificate Copying
The administrator using ConsoleOne® must have sufficient rights to the Subscriber server in order for a certificate to be copied to that server when the administrator resolves certificates in ConsoleOne. This is because when you use ConsoleOne to configure a Subscriber object to receive the Distributions from a particular Channel, the Distributors owning the Distributions in that Channel must send certificates to the Subscriber's server.
For NetWare® Subscribers, the ConsoleOne user automatically has sufficient rights by virtue of being able to configure the Subscriber object.
For Windows Subscribers, administrator rights for the ConsoleOne user must be set up in Windows:
Certificate File Locations
Certificates are stored in the ZENWORKS\PDS\TED\SECURITY directory on each Subscriber's server.
WARNING: Make sure the ZENWORKS\PDS\TED\SECURITY directory is a non-public directory. This directory should not be read by anyone other than an administrator. The .KEYSTORE file is in the ZENWORKS\PDS\TED\SECURITY\PRIVATE directory and is by default hidden from non-administrative users.
Certificates are usually named after the fully qualified DNS name of the Distributor server, such as Distributor_Server001.novell.com.cer or Distributor_Server001.novell.com.csr. The TCP/IP address of the server would be used for .CSR files if a DNS name could not be resolved. The certificate would then be named using its IP address, such as 155.55.155.55.csr.
Resolving Certificates
IMPORTANT: ConsoleOne copies the certificate files to Subscriber servers. Therefore, the client software on the workstation running ConsoleOne must have access to the Subscriber servers' file systems. For Windows Subscriber servers, the Domain and Workgroup rights on the workstation must be set up to facilitate automatic certificate copying. Otherwise, a 1204a error will be given.
When you are automatically presented with the option in ConsoleOne to resolve certificates, determine the following to know whether to click Yes or No:
- If the Distributor currently has Distributions associated with this Channel, and all Subscribers currently subscribed to the Channel have previously received a certificate from this Distributor, click No.
- If this is the first Distribution added to this Channel by the Distributor, or a Subscriber has been newly added to the Channel, click Yes (to resolve certificates).
This will copy the security certificates from the Distributor to the Subscribers that are subscribed to the Channel.
A prompt to copy a certificate is usually displayed when you have added:
- A Channel to a Distribution
- A Distribution to a Channel
- A Subscriber to a Channel
- A Channel to a Subscriber
To manually initiate resolving certificates:
-
In ConsoleOne, right-click the Distributor object > click Resolve Certificates.
-
Make sure the Copy Certificates Automatically to Subscribers radio button is checked > click OK.
This will copy the new certificate to each Subscriber so that it can receive Distributions from this Distributor, as long as the workstation where you are running ConsoleOne can contact all of the Subscriber servers. If you are prompted for a location to copy the certificates, you must have a drive mapped to the destination server.
Handling Invalid Certificates
A Subscriber cannot receive Distributions from a Distributor when the Distributor's certificate has become invalid. A Subscriber cannot receive encrypted Distributions when the Subscriber's encryption certificate has become invalid. For information on encryption certificates, see Distribution Security Using Encryption.
A Distributor's certificate can become invalid when the DNS name or IP address of the Distributor has been changed. However, if your Distributor is configured to use DNS (the recommended addressing method), IP address changes on the Distributor will not invalidate its certificate. Also, if DNS addressing is being used, changes in a Subscriber's DNS name or IP address will not prevent the Subscriber from receiving Distributions.
However, a Subscriber's encryption certificate can become invalid when the DNS name or IP address of the Subscriber is changed, in which case a new encryption certificate needs to be created.
The following applies for DNS name changes where DNS is your installed addressing method, or for IP address changes where IP address is your installed addressing method:
Distributor DNS Name or IP Address Is Changed
Because the Distributor identifies itself to Subscribers by it's server's DNS name or IP address, if you change the identifier being used on the Distributor server, Subscribers will not recognize the Distributor as a valid source for Distributions.
Changing the DNS name or IP address of a Distributor causes the certificate created by the Distributor to be invalid for all Subscribers that have received the certificate from this Distributor. Therefore, the Distributor must send new certificates to all Subscribers receiving Distributions from that Distributor.
To re-create and resolve the Distributor's certificate, do the following in order:
Modify the Distributor Server's Identification Attributes
You must first modify the Network Address attribute on the Other tab in the Distributor and Subscriber objects' properties.
If the server is using the DNS Name attribute to identify itself, do the following:
-
In ConsoleOne, right-click the Distributor object > click Properties > click the Other tab.
-
Click the + symbol to the left of the NetWork Address.
-
Click the icon to the left of the field you want to modify.
A Browse button will be displayed to the right.
-
Click the Browse button.
-
If you are modifying the DNS Name field, click the drop-down list at the top of the box where Type 13 is displayed.
-
Change the value from Type 13 to IP > then change IP back to Type 13.
This resets the value to now recognize the new DNS name.
-
Click the Browse button to the right of the NetAddress field in the lower portion of the box.
-
Click Servers DNS Name (on the right side of the box) > change it to the new name.
-
Click OK to return to the Other tab.
-
Click OK to finish.
If the server is using the IP Address attribute to identify itself, do the following:
-
In ConsoleOne, right-click the Distributor object > click Properties > click the Other tab.
-
Click the + symbol to the left of the NetWork Address.
-
Click the icon to the left of the field you want to modify.
A Browse button will be displayed to the right.
-
Click the Browse button.
The IP address will be displayed in the lower portion of the dialog box.
-
Change the IP address to the new one.
-
Click OK to return to the Other tab.
-
Click OK to finish.
Continue with Create and Send New Certificates.
Create and Send New Certificates
-
On the Distributor server, shut down the Distributor Agent:
NetWare: At the ZfS console prompt, enter EXITALL.
Windows: In the Services dialog, select to stop each of the ZfS services.
For information on stopping and starting agents, see "Starting the Policy and Distribution Services Agents" in "Installing on NetWare and Windows Servers" in "Installing Policy and Distribution Services on NetWare and Windows Servers" in the Installation guide; or, see "Starting the Policy and Distribution Agents on Linux or Solaris" and "Stopping the Policy and Distribution Services Agents on Linux or Solaris" in "Installing Policy and Distribution Services on Linux or Solaris Servers" in the Installation guide.
-
In the ZENWORKS\PDS\TED\SECURITY\PRIVATE directory on the Distributor server, delete the .KEYSTORE file.
This file contains the Distributor's certificate.
-
In the ZENWORKS\PDS\TED\SECURITY\CSR directory on the Distributor server, delete the .CSR file that has a name that matches either the old DNS name or the old IP address.
-
Restart the Distributor Agent.
A new certificate and .KEYSTORE file will be automatically created for the Distributor.
-
To send new certificates to all Subscriber that receive Distributions from the Distributor selected in Step 1:
-
To resolve certificates, in ConsoleOne, right-click the Distributor object > click Resolve Certificates.
IMPORTANT: ConsoleOne copies the certificate files to Subscriber servers. Therefore, the client software on the workstation running ConsoleOne must have access to the Subscriber servers' file systems. For Windows Subscriber servers, the Domain and Workgroup rights on the workstation must be set up to facilitate automatic certificate copying. Otherwise, a 1204a error will be given.
-
Make sure the Copy Certificates Automatically to Subscribers radio button is checked > click OK.
This will copy the new certificate to each Subscriber so that it can receive Distributions from this Distributor, as long as the workstation where you are running ConsoleOne can contact all of the Subscriber servers. If you are prompted for a location to copy the certificates, you must have a drive mapped to the destination server.
-
Subscriber DNS Name or IP Address Is Changed
Because the Distributor obtains the address of a Subscribers from the Subscriber's object in eDirectory, this information must be updated in the Subscriber object so that it can receive its Distributions.
Changing the DNS name or IP address of a Subscriber causes all encryption certificates contained on the Subscriber to be invalid. Subscribers can have one encryption certificate from each Distributor that sends it encrypted Distributions.
Subscribers can continue to receive non-encrypted Distributions, even if the DNS name or IP address is changed.
The following sections outline the steps to resolve DNS name or IP address changes:
Modify the Subscriber Server's Identification Attributes
You must first modify the Network Address attribute on the Other tab in the Distributor and Subscriber objects' properties. To accomplish this, do the following as applicable.
If the server is using the DNS Name attribute to identify itself, do the following:
-
In ConsoleOne, right-click the Subscriber object > click Properties > click the Other tab.
-
Click the + symbol to the left of the NetWork Address.
-
Click the icon to the left of the field you want to modify.
A Browse button will be displayed to the right.
-
Click the Browse button.
-
If you are modifying the DNS Name field, click the drop-down list at the top of the box where Type 13 is displayed.
-
Change the value from Type 13 to IP > then change IP back to Type 13.
This resets the value to now recognize the new DNS name.
-
Click the Browse button to the right of the NetAddress field in the lower portion of the box.
-
Click Servers DNS Name (on the right side of the box) > change it to the new name.
-
Click OK to return to the Other tab.
-
Click OK to finish.
If the server is using the IP Address attribute to identify itself, do the following:
-
In ConsoleOne, right-click the Subscriber object > click Properties > click the Other tab.
-
Click the + symbol to the left of the NetWork Address.
-
Click the icon to the left of the field you want to modify.
A Browse button will be displayed to the right.
-
Click the Browse button.
The IP address will be displayed in the lower portion of the dialog box.
-
Change the IP address to the new one.
-
Click OK to return to the Other tab.
-
Click OK to finish.
Resolve the New Certificates
To reproduce valid encryption certificates for the Subscriber, follow the instructions under Distribution Security Using Encryption.
Certificate and Private Key Directories
Certificates and private keys for Policy and Distribution Services are stored in the following locations in the .KEYSTORE file:
- For the Distributor's private key on a NetWare Distributor server:
SYS:\ZENWORKS\PDS\TED\SECURITY\PRIVATE
- For the Distributor's private key on a Windows Subscriber server:
C:\ZENWORKS\PDS\TED\SECURITY\PRIVATE
- For certificates received from Distributors on a NetWare Subscriber server:
SYS:\ZENWORKS\PDS\TED\SECURITY
After the Distribution has been sent, the certificate is moved into the .KEYSTORE file.
Creating Security Certificates for Non-Encrypted Distributions
To create a certificate on a Distributor and copy it to its associated Subscribers:
-
On the server where a Distributor is installed, make sure its Distributor Agent is running (use TED.NCF on a NetWare server, restart the Novell ZfS Distribution service on a Windows server, or enter /etc/init.d/zfs start on a UNIX server).
This Java process will create the certificate and write it into eDirectory.
-
Copy the certificate to each Subscriber using one of the following methods:
- If your Channels and Distributions are set up, in ConsoleOne, right-click the Distributor object > click Resolve Certificates > click OK. Make sure the Copy Certificates Automatically to Subscribers radio button is checked before clicking OK. This will copy the new certificate to each Subscriber so that it can receive Distributions from this Distributor.
For information on resolving certificates, see Resolving Certificates.
- If necessary, associate Subscribers with a Channel > create a Distribution for the Distributor > associate the Distribution with a Channel. When you click OK you will be prompted to resolve the certificate. Respond to the query with Yes to resolve certificates for all Subscribers. The certificates are copied to all of the associated Subscribers. The Subscriber Java process does not need to be running on the Subscriber server; the server only needs to be up.
- Manually copy the Distributor's certificate to each Subscriber server's installation_path\ZENWORKS\PDS\TED\SECURITY directory (on UNIX, usr/ZENworks/PDS/TED/Security).
- Right-click a Subscriber object > click Resolve Certificates (repeat for each Subscriber object). This option might only be available if you answered No when prompted to copy security certificates.
Note that the first two options are the easiest when there are many Subscribers receiving Distributions from one Distributor.
- If your Channels and Distributions are set up, in ConsoleOne, right-click the Distributor object > click Resolve Certificates > click OK. Make sure the Copy Certificates Automatically to Subscribers radio button is checked before clicking OK. This will copy the new certificate to each Subscriber so that it can receive Distributions from this Distributor.
-
Because each Distributor creates its own security certificate, repeat Step 1 and Step 2 for each Distributor object in the tree.
Manually Copying Certificates for Non-Encrypted Distributions
To manually copy certificates to Subscribers using ConsoleOne, do the following:
-
Right-click a Distributor, Subscriber, or External Subscriber object > click Resolve Certificates.
or
Click File > Resolve Certificates.
-
Click the Save Certificates to Disk radio button.
-
Enter a path for where to copy the certificate file > click OK.
The certificate file that is copied to this path will be named using the following syntax:
DNS_Name.CER
-
Copy the DNS_name.CER file from the path you gave to the Subscriber server's ZENWORKS\PDS\TED\SECURITY directory (on UNIX, usr/ZENworks/PDS/TED/Security).