Policy and Distribution Services provides the option to encrypt a Distribution to prevent unauthorized access to its contents when the Distribution is sent outside your secured network. There is usually no need to encrypt Distributions that are sent within your secured network.
Encrypting Distributions is basically a two-step process:
IMPORTANT: For security, you should use a physical medium, such as a diskette, to transfer the certificate between network servers.
Thereafter, the Distribution will be sent as an encrypted Distribution.
To understand Distribution encryption, review the following:
RSA PKIs provide the security process used for encrypted TED Distributions.
Encryption certificates are created from Certificate Signing Request (.CSR) files. Every Subscriber server contains a .CSR file that can be used as a template for creating an encryption certificate for a particular Distributor.
The encryption certificates (.CER) are used by the Subscribers to ensure secure transmission of an encrypted Distribution. If you pass the .CER file over the wire, the Distribution's encryption key could be compromised. Therefore, you must manually copy the encryption security certificates to ensure that the encryption key contained in the certificate files are kept secure.
IMPORTANT: Do not manually copy a certificate by using a file browser, because that uses transmission lines and can be compromised. Instead, copy the certificate to an external media, such as a floppy diskette, and transport it physically between the Distributor and Subscriber servers.
To use encryption certificates with Subscribers, you must have previously resolved certificates and sent an non-encrypted Distribution to each Subscriber.
For information on resolving certificates, see Resolving Certificates.
The following illustrates the process of manually copying the encryption certificates:
The Distributor signs the .CSR to create the encryption .CER file, which is manually copied from the Distributor to the Subscriber to replace the current non-encryption .CER file on the Subscriber server.
The encryption certificate is required for extracting a Distribution. If a Subscriber is only acting as a parent Subscriber to pass the encrypted Distribution on to Subscribers who have subscribed to the Distribution's Channel, the parent Subscriber does not need to have the encryption certificate on its server.
To create certificates for an encrypted Distribution:
Determine the Distribution you want encrypted.
Determine the Distributor that owns this Distribution.
Determine which Subscribers will be receiving the encrypted Distribution.
Resolve certificates for the selected Distributor to the selected Subscribers > send a non-encrypted Distribution from that Distributor to the Subscribers.
For information on resolving certificates, see Resolving Certificates.
Access the file systems of this Distributor and these Subscribers.
Copy every .CSR certificate file contained in the following directory from each Subscriber to the same path on the Distributor:
\ZENWORKS\PDS\TED\SECURITY\CSR
This path begins with whatever you used for installing ZfS.
The Certificate Signing Request (.CSR) is used to create the encryption certificate file.
In ConsoleOne, right-click the Distributor object > click Sign CSR Files > select the .CSR files to be signed > click Sign > click OK on the Success dialog box > click Close.
You can select multiple .CSR files to be signed at the same time.
This creates the Certificate (.CER) files in the same Distributor's directory as the .CSR files you copied from the Subscribers. You will have one .CER file for each .CSR file.
You can also perform this step using Novell iManager:
For each target Subscriber, do the following:
Copy the Subscriber server's corresponding .CER files from the following location on the Distributor's file system:
\ZENWORKS\PDS\TED\SECURITY\CSR
to the following path on the Subscriber's own server's file system:
\ZENWORKS\PDS\TED\SECURITY
HINT: Each .CER file contains its Subscriber server's name.
Rename the .CER files that you just copied to the Subscriber server to have the Distributor's DNS name instead of the Subscriber's.
Send the encrypted Distribution.
WARNING: Under the following scenario, the encryption certificates you just created can be overwritten before they are used:
1. Changes are made to the Channel, Subscribers, or Distribution involved with the encrypted Distribution.
2. This causes the prompt for copying certificates to be displayed.
3. If you reply with Yes before the encrypted Distribution has been sent and received by the Subscribers:
a. The encryption .CER file will be overwritten on each Subscriber with a non-encryption .CER file.
b. The Subscribers will not be able to decrypt the Distribution when it is received, because the .CER file was overwritten with a .CER file that does not contain the encryption keys.
After the encrypted Distribution has been sent once to each Subscriber, the encryption .CER file is moved into the .KEYSTORE file on the Subscriber server's file system so that it cannot be overwritten. Thereafter, you can reply with Yes to copy certificates when this scenario occurs.
After an encryption certificate has been established on a Subscriber server, the following illustrates the process for sending encrypted Distributions:
The only Subscribers that need to receive the encryption key are those that will be extracting the Distribution. Therefore, parent Subscribers and Subscribers in the Distributor's routing hierarchy do not need to receive the encryption key if they will not be extracting the Distribution.