To install and enable inter-server communications security, do all of the following:
All servers to be participating in secure inter-server communications must have at least the Zen Web Server and XMLRPCServlet installed.
You must meet the following software prerequisites before installing inter-server communications security. Meeting these prerequisites includes installing or configuring software.
| Prerequisites | Explanation |
|---|---|
ZfS |
Policy and Distribution Services must be installed and running. For information on installing Policy and Distribution Services, see Installing Policy and Distribution Services on NetWare and Windows Servers. |
Tomcat* |
If you are using the ZenCSServlet gateway, Tomcat 3.3a must be installed, with or without Apache. This provides the servlet gateway. |
Zen Web Server (ZWS) |
Should be installed, configured correctly, and running. For information on installing the Zen Web Server, see Installing Web-Based Management for Policy and Distribution Services. For information on configuring the Zen Web Server for XMLPRC, see Configuring Other Related Components. |
ZenCSServlet |
Should be installed, configured correctly, and running somewhere on the network. Installing the ZenCSServlet is an option when you install ZfS Policy and Distribution Services Web components (see "Installing Web-Based Management for Policy and Distribution Services"Installing Web-Based Management for Policy and Distribution Services). It shares the same wizard option with XMLProxyServlet. For information on configuring ZenCSServlet, see Configuring ZenCSServlet to Work With the Zen Web Server or Configuring ZenCSServlet to Work With Tomcat. |
SSL for ZenCSServlet |
Only needed if you want to encrypt the username and password used by the ZenCSServlet. For information on configuring SSL for the Zen Web Server, see Configuring the Zen Web Server to Use SSL. |
XMLProxyServlet |
This servlet is not a prerequisite for inter-server communication security. If installed, it should be configured correctly and running somewhere on the network. The XMLProxyServlet is an option when you install ZfS Policy and Distribution Services Web components (see "Installing Web-Based Management for Policy and Distribution Services"). It shares the same wizard option with ZenCSServlet. For information on configuring XMLProxyServlet, see Configuring XMLProxyServlet to Work With the Zen Web Server or Configuring XMLProxyServlet to Work With Tomcat. |
For the CS servlet to sign a CSR, the requesting client must authenticate with a username and password. Because these are normally sent over the network in clear text, SSL should be used to keep this information secure.
You need to know the following information before running the Inter-Server Communications Security Installation Wizard:
This is the address or name of the server running the ZenCSServlet.
This is the port number to use when communicating with CS. If SSL is used, the port number will most likely be 443. If you are not using SSL, use port 8080 (the Tomcat port).
This allows the specified user access to the CS server's signing functionality. If authentication fails, this user will not be able to continue with the inter-server communications security installation.
This is the .KEYSTORE file you created for inter-server communications security when you configured the ZenCSServlet.
This information is used during SSL sessions to validate the CD server's SSL certificate. If the SSL certificate is not signed by a root CS, such as VeriSign, or it does not exist in the user's .KEYSTORE file, the user will be prompted during installation to trust this certificate and save it for future use. If the user declines, the installation will not proceed.
IMPORTANT: For NetWare® servers, DNS names cannot have underscores. We recommend that you use dashes instead of underscores as word separators.
During installation you will have three methods for obtaining valid IP addresses, one of which you can also use for obtaining DNS names. You can use one or all three of these methods to select your servers. The methods are:
You can use the multiple-character (*) or single-character (?) wildcards in any IP address field. Any numbers you enter will be exactly matched.
The * wildcard character can only be used by itself in a field, meaning any number from 0 to 255 is matched.
The ? wildcard character can be used in place of another number, meaning any number in that position between 0 and 9 is matched. However, the ? character cannot be used consecutively. For example, ?3, 3?, 3?3, ?3?, ?33, and 33? are all valid; ??3 and 3?? are not valid.
For example:
10.1?.10.*
could return the following IP addresses:
10.10.10.0 through 10.10.10.255
10.11.10.0 through 10.11.10.255
10.12.10.0 through 10.12.10.255
10.13.10.0 through 10.13.10.255
10.14.10.0 through 10.14.10.255
and so on.
The two 10s would be exactly matched, the 1? would match all numbers from 10 through 19, and the * would match all numbers from 0 through 255.
If you have unwanted IP addresses returned, during the installation process you will be able to remove selected IP addresses from the list that you built using wildcard characters.
Enter an IP address range (no wildcards). All servers having IP addresses within that range will be selected for adding to the list. This includes any servers accessible to the installation workstation you are using.
During installation, you will be able to remove unwanted IP addresses from the list that you built using a range.
You can create a delimited ASCII text file to contain specific IP addresses or DNS names. You can have both IP addresses and DNS names in the same file, as long as the DNS names are valid and the delimiter is valid for the whole file.
IMPORTANT: For NetWare servers, DNS names cannot have underscores. We recommend that you use dashes instead of underscores as word separators.
During the installation process, you will be able to remove selected addresses from the list that you imported.
You can use one of the following delimiter characters in the text file that lists your servers' addresses:
Note that the Inter-Server Communications Security Installation Wizard does not attempt to check whether the IP addresses you enter are valid. The wizard only builds a list of addresses for use when the wizard subsequently signs certificates for each machine matching an IP address. You must know which addresses are valid to prevent receiving certificate signing errors.
To install inter-server communications security,
Make sure you have fulfilled the prerequisites (see Prerequisites).
Start Tomcat if it is not running.
Make sure the ZenCSServlet is running.
This server must be running for validation of certificates and to authenticate the user during inter-server communications security installation.
In a text editor, enter your password information > print the password file > save the password file.
Note the path and filename for the password file. You will need to provide this information later. You will also need to provide the various passwords in later steps.
For more information on the password, see "Format of the Password File" in "Security for Inter-Server Communication Across Non-Secured Connections" in "Security in Policy and Distribution Services" in "Policy and Distribution Services" in the Administration guide.
Run the following executable from the ZENworks for Servers Program CD:
\ZFS\TEDPOL\SFILES\SECURITYINSTALL\SETUP.EXE
This will start the Inter-Server Communications Security Installation Wizard.
Review the information on the Welcome page > click Next.
If you agree with the Software License Agreement, click Accept > Next.
On the Certificate Signer Information page, fill in the fields from the information you previously gathered:
Certificate Signer IP/DNS Address: Enter the TCP/IP address or DNS name of the server running ZenCSServlet.
IMPORTANT: For NetWare servers, DNS names cannot have underscores. We recommend that you use dashes instead of underscores as word separators.
Certificate Signer Port: This is the port number to use when communicating with the CS. It will most likely be 443 if SSL is used. If you are not using SSL, use port 8080 (the Tomcat port).
Use SSL: By default, this check box is checked. Click to disable if you are not using SSL.
Certificate Signer Username: Enter the name of the user running the installation program. Installation will halt if the username cannot authenticate. The username/password combination grants the user access to the CS server's signing functionality.
Certificate Signer Password: Enter the password of the user running the installation program.
Path to the Keystore File: Enter the path and filename for the .KEYSTORE file. This is usually the CA certificate file used by SSL, found where VeriSign types of certificates are stored.
Keystore Password: Enter the password you previously defined when creating the .KEYSTORE file.
When finished with the Certificate Signer page, click Next.
If any information is invalid, you will not be able to proceed.
On the Target Server Identification page, click a radio button to use one of the following methods for selecting server IP addresses or DNS names:
Any server having an IP address matching the patterns you provide will be selected for adding to the list. This includes any servers accessible to the installation workstation you are using.
For information on these options, see Information to Know Before Beginning the Installation.
If you select List of Entries, browse for and select the delimited ASCII text file containing the list of IP addresses that you previously created > click the down arrow button for the File Delimiter field > select the character > click OK.
All of the addresses contained in the text file will be added.
Click Add To List to add your selected servers to the List of Machines With CSR Files To Sign.
If you see IP addresses in the list that you do not want included, select the IP addresses > click Remove. You can use the Ctrl and Shift keys to select multiple addresses for removal.
Repeat Step 10 and Step 11 as necessary for each method you use to add servers to the list.
You can use all three methods, one at a time.
Click Next when finished adding your servers' IP addresses to the list.
On the Selection Summary page, review the IP addresses and DNS names listed for correctness > click Next when finished.
To make changes, click Back.
IMPORTANT: After you click Next on the Summary page, you will not be able to come back to this page to make changes.
If you click Cancel here, the information you gathered on the Target Server Identification page will not be saved.
For servers where an error is encountered, the information will be listed in a log file so that you can rerun the wizard for those servers. To view the log file, click View Log on the Certificate Signing page.
On the Certificate Signing page, click the Pause On CSR Signing Errors check box to view detailed messages as signing errors are encountered.
This will cause the process to pause on an error. You can then click the View Log button to review the error information. The log also lists information for each success.
To begin signing the certificates on each listed server, click Finish.
Signing is done sequentially, one server at a time. The signing progress is displayed for each server.
One of three dialog boxes will be displayed during or at the conclusion of certificate signing:
Continue: This dialog box is displayed if the Pause On CSR Signing Errors option was checked and an error is encountered. The following options are available:
Success: This dialog box indicates that the signing session has completed without any problems. The following options are available:
Retry: This dialog box is displayed at the end of the signing session if there were errors. The following options are available:
IMPORTANT: If you click Cancel before all servers have had their certificates signed, the signing process will stop and not finish. However, the certificates for all servers processed so far will remain signed.
After all certificates have been signed, servers with a certificate signed by this CS will be able to communicate securely with each other across non-secured connections.