9.3 Managing Certificates

Novell Audit utilizes SSL certificates to ensure that communications between a logging application and the Secure Logging Server are secure. By default, the Secure Logging Server utilizes an embedded root certificate generated by an internal Novell Audit Certificate Authority (CA). Likewise, by default, all Novell Audit Instrumentations utilize public certificates that are signed by the Secure Logging Server root certificate.

With Novell Audit 2.0.2, administrators can substitute the internal Novell Audit CA and embedded product certificates with certificates signed by their own enterprise CA. The introduction of support for third-party CAs helps ensure that Novell Audit is better integrated with your enterprise security infrastructure.

WARNING: Although the process of using certificates signed by external CAs is relatively simple, the consequences of failing to update all required components are serious: logging applications might fail to communicate with your Secure Logging Server, and events will not be recorded.

To update your Novell Audit certificate infrastructure with a third-party certificate:

  1. Identify all Secure Logging Servers and logging applications and the servers where they are located.

  2. Use AudCGen to generate a CSR for the Secure Logging Server.

    For information on generating a CSR with AudCGen, see Creating Logging Application Certificates.

  3. Have the CSR signed by your enterprise CA.

    You might need to convert the returned certificate to a Base64-encoded .pem file.

  4. Shut down all Secure Logging Servers and logging applications.

  5. Delete and purge all application cache (lcache) files.

  6. In iManager, update the Secure Logging Certificate File and Secure Logging Privatekey File properties in the Secure Logging Server configuration to point to the new, signed root certificate key pair. For more information on the Secure Logging Server configuration, see Logging Server Object Attributes.

  7. Use AudCGen to generate new public certificates for each logging application.

    IMPORTANT: The certificate signed by your enterprise CA must be used as the authoritative root certificate.

    For information on generating logging application certificates, see Creating Logging Application Certificates.

  8. Update all logging applications so they use the public certificates signed by the Secure Logging Server’s root certificate key pair. For more information, see Enabling Logging Applications to Use Custom Certificates.

  9. Restart all Secure Logging Servers and logging applications.

After you update your Novell Audit certificate infrastructure with a third-party certificate, the only required maintenance is to update the third-party certificate when it expires.

9.3.1 The Novell Audit AudCGen Utility

The creation and signing of Novell Audit certificates must be managed using the Novell Audit AudCGen utility. The following table describes the AudCGen command parameters:

Table 9-1 AudCGen Command Parameters

-app:Application_Identifier
    The logging application's Application Identifier.
    This is synonymous with the application name that appears in the application's corresponding .lsc file and must match the Application Identifier stored in the logging application's Application object.

-appcert:path
    The output path and filename for the logging application's public certificate.
    The default filename is app_cert.pem. The default path is platform-specific and can be changed using the -base parameter.

-apppkey:path
    The output path and filename for the logging application's private key.
    The default filename is app_pkey.pem. The default path is platform-specific and can be changed using the -base parameter.

-base
    The base path used when reading from or writing to files.
    The default path is platform-specific.

-bits:number
    The key size, in bits, used during certificate creation.
    Values of 384-4096 are accepted. The default value is 2048.

-cert:path
    The path and filename of the public certificate used by the Novell Audit Secure Logging Server. The Secure Logging Server's certificate key pair must be provided when generating a certificate key pair for a logging application.
    The default filename is ca_cert.pem. The default path is platform-specific and can be changed using the -base parameter.

-csr:path
    Create a Certificate Signing Request (CSR) to be signed by a third-party CA.
    The default filename is app_csr.pem. The default path is platform-specific and can be changed using the -base parameter.

-f
    Force overwrite. AudCGen overwrites any existing certificates or private keys of the same name (for example, app_cert.pem or app_pkey.pem) in the output directory.
    This parameter is optional. If you do not use the -f parameter and a file of the same name already exists, AudCGen aborts creation of the certificate.

-pkey:path
    The path and filename of the private key used by the Novell Audit Secure Logging Server (SLS). The SLS certificate key pair must be provided when generating a certificate key pair for a logging application.
    The default filename is ca_pkey.pem. The default path is platform-specific and can be changed using the -base parameter.

-sn:number
    Sets the serial number of the generated certificate. This can be useful for maintaining and tracking your system's certificates.
    This parameter is optional.

-ss
    Generate a self-signed root certificate key pair for the Novell Audit Secure Logging Server. This option uses the internal Novell Audit CA.
    NOTE: Do not use this option if you want to use a certificate signed by a third-party CA.

-valid:number
    Specifies the number of days for which the generated public certificate will be valid.
    The default value is 10 years.

-verify
    Verify the certificate signing chain between the root certificate used by the Secure Logging Server and the logging application certificates.
    NOTE: This option performs only partial verification when verifying third-party certificates. For additional information, see Validating Certificates.

9.3.2 Creating a Root Certificate for the Secure Logging Server

The certificate key pair used by the Secure Logging Server is the logging system's Certificate Authority (CA); that is, it is the trusted root certificate that is used to validate all other Novell Audit logging application certificates. By default, this certificate is self-signed. However, with the introduction of Novell Audit 2.0.2, you can use a certificate signed by a third-party CA.

The following sections review the process required to generate a self-signed root certificate and how to use a third-party root certificate for the Secure Logging Server.

Creating a Self-Signed Root Certificate for the Secure Logging Server

To generate a self-signed root certificate for the Secure Logging Server using the internal Novell Audit CA, use the following AudCGen command:

audcgen -ss [-cert:in_path] [-pkey:in_path] [-bits:number] [-f]

The -ss parameter creates a self-signed root certificate that can then be used to generate the certificate key pair for each logging application. For more information on this procedure, see Creating Logging Application Certificates.

Using a Third-Party Root Certificate for the Secure Logging Server

To use a certificate signed by a third-party CA, you must do the following:

  1. Use AudCGen to generate a CSR that can be signed by a third-party CA:

    audcgen -app:"Novell NSure Audit" -csr
    
  2. Take the resulting app_csr.pem file and submit it to a third-party CA for signature or sign it using your internal certificate server.

    IMPORTANT: The Novell Audit Secure Logging Server requires two Base64-encoded .pem files: one for the public certificate and one for the private key. Some CAs might return files in a format that requires additional conversion steps.

  3. Configure the Secure Logging Certificate File and Secure PrivateKey File attributes on the Logging Server object to enable the Secure Logging Server to use the third-party certificate and private key. For more information, see Logging Server Object Attributes.

  4. Use the third-party certificate to generate the certificate key pair for each logging application. For more information on this procedure, see Creating Logging Application Certificates.

    IMPORTANT: If you use a third-party certificate, your logging applications will no longer be able to communicate with the Secure Logging Server using their default certificates. You must create a new certificate key pair for each logging application using AudCGen and the new root certificate key pair.

9.3.3 Creating Logging Application Certificates

The following command generates a public certificate and private key for your logging application:

audcgen -app:Application_Identifier -cert:in_path -pkey:in_path
[-bits:number] [-serial:number] [-valid:number]
[-appcert:out_path] [-apppkey:out_path] [-f]

NOTE: This command generates logging application certificates using either the internal Novell Audit CA root certificate or a root certificate signed by a third-party CA. Use the -cert and -pkey parameters to specify the root certificate key pair used by your Secure Logging Server.

The following sample command creates a logging application certificate for a Novell eDirectory™ Instrumentation:

audcgen -app:eDirInst -cert:c:\ca_cert.pem -pkey:c:\ca_pkey.pem
-f -bits:2048 -serial:12345 -appcert:c:\app_cert.pem
-apppkey:c:\app_pkey.pem

Enabling Logging Applications to Use Custom Certificates

The process of configuring a logging application (instrumentation) to use a custom public certificate varies by application. Refer to the logging application's documentation for additional information.

To enable the Novell eDirectory Instrumentation to use a custom certificate key pair, the path and filename for the certificate and private key files must be as follows:

Table 9-2 Certificate and Key Paths and Filenames

Platform             Certificate Path and Filename      Private Key Path and Filename
NetWare®             sys:\system\dsicert.pem            sys:\system\dsipkey.pem
Windows              \windows_directory\dsicert.pem     \windows_directory\dsipkey.pem
Linux and Solaris    /etc/dsicert.pem                   /etc/dsipkey.pem

To enable Novell NetWare Instrumentation to use a custom certificate key pair, the path and filename for the certificate and private key files must be \system\nwicert.pem and \system\nwipkey.pem.

The Novell Audit Instrumentation (NAudit) uses the Secure Logging Server root certificate and does not require replacement.

9.3.4 Validating Certificates

In Novell Audit, all certificates must be signed by the Secure Logging Server root certificate and they must contain an Application Identifier.

Use the following command to determine whether a certificate is valid:

audcgen -cert:in_path -pkey:in_path -verify -appcert:target_path

When you use the -verify parameter, AudCGen checks the integrity of the target certificate: it determines whether the target certificate is derived from the Secure Logging Server root certificate (success or failure) and returns the logging application's Application Identifier.

The following sample command verifies the certificate for a Novell eDirectory™ Instrumentation:

audcgen -cert:c:\ca_cert.pem -verify -appcert:c:\windows\dsicert.pem

NOTE: Novell Audit 2.0.2 verifies only the Secure Logging Server and logging application certificates. It does not verify any other certificates in the certificate chain. Consequently, if the third-party CA expires or revokes the Secure Logging Server certificate, AudCGen will not identify the problem in the certificate chain and will still trust the Secure Logging Server root certificate and its associated logging application certificates.
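Because AudCGen -verify stops at the Secure Logging Server root, and because the CA-signed certificate from step 3 of the procedure in 9.3 may arrive in a format that still has to be converted to Base64 .pem, the following added shell function (not part of Novell Audit or AudCGen; it assumes only the openssl command-line tool, and every path is an argument rather than a Novell default) checks the enterprise-signed Secure Logging Server key pair against the enterprise CA before it is configured on the Logging Server object.

```shell
#!/bin/sh
# Added example, not part of the Novell Audit documentation or of AudCGen.
# Assumes the openssl command-line tool is installed; all paths are arguments.
# AudCGen -verify checks only that an application certificate descends from the
# Secure Logging Server root; it does not check the enterprise CA's signature on
# that root or the root's expiry, so do that check here before the rollover.

# to_pem SRC DST: write a Base64 PEM copy of SRC, converting from DER when the
# enterprise CA returned binary (the SLS requires Base64-encoded .pem files).
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
    fi
}

# check_sls_pair CA_CERT SLS_CERT SLS_KEY [MIN_DAYS]
# Returns 0 only if the SLS certificate chains to CA_CERT, SLS_KEY is the
# matching private key, and the certificate stays valid for at least MIN_DAYS
# (default 30), so the rollover is not done with a certificate about to expire.
check_sls_pair() {
    ca="$1"; cert="$2"; key="$3"; min_days="${4:-30}"
    pem=$(mktemp)
    to_pem "$cert" "$pem" \
        || { echo "not a certificate: $cert"; rm -f "$pem"; return 1; }
    # 1. signature chain up to the enterprise CA (the step AudCGen skips)
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 \
        || { echo "$cert does not chain to $ca"; rm -f "$pem"; return 1; }
    # 2. key pair consistency: public key in the cert == public key of the key
    c=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] \
        || { echo "$key does not match $cert"; rm -f "$pem"; return 1; }
    # 3. remaining validity: -checkend fails if expiry is within N seconds
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "$cert expires within $min_days days"; rm -f "$pem"; return 1; }
    rm -f "$pem"
    echo "$cert: OK (chain, key match, valid for $min_days+ days)"
}
```

Run it on the returned certificate, the CSR's private key and the enterprise CA certificate before step 6 of the procedure, and again whenever the enterprise CA reissues the Secure Logging Server certificate.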