Novell Documentation: ZENworks 6.5 - Distribution Security Using Signed Certificates and Digests

Distribution Security Using Signed Certificates and Digests

There are two features of Tiered Electronic Distribution that deal with security:

Certificates (required): Security certificates are issued by each Distributor to all Subscribers receiving its Distributions to validate whether Distributions are from a trusted source, or have been tampered with. This security is automatically used by Policy and Distribution Services for all Distributions. However, there are actions you might need to take to get Policy and Distribution Services to create and process the certificates.

In order for a Subscriber to accept its first Distribution from a Distributor, it must have a certificate from that Distributor in its ...\security directory. After receiving its first Distribution from the Distributor, the certificate is first stored in the .keystore file, then the certificate is deleted from the ...\security directory.

The .keystore file is a repository of signed certificates from the various Distributors who send Distributions to the Subscriber. In other words, it provides the Subscriber with an accumulation of trusted sources for its Distributions.

You can view the content of the .keystore file in Novell iManager.

For information on security certificates for encrypted Distributions, see Distribution Security Using Encryption.
Digests (optional): You can have digests created for each Distribution at the time it is built. The digest provides an MD5 checksum for the Subscriber to compare against to determine whether a Distribution has been tampered with after it left the Distributor.

Digests also detect corruption in a Distribution's package. In the case of corruption, the Subscriber renames the distfile.ted Distribution file to distfile.corrupt and the Distribution is rebuilt and sent the next time the Channel's schedule fires.

The following sections provide more information on understanding, creating, and using certificates and digests:

Understanding Digests

Important points about digests:

Digests can be created for each Distribution at the time it is built. The digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
Digests detects corruption in a Distribution's package. In the case of corruption, the Subscriber renames the distfile.ted Distribution file to distfile.corrupt and the Distribution is rebuilt and sent the next time the Channel's schedule fires.
The Digest option is available for all Distribution types. The Digest check box is displayed on the General tab of the Distribution object's properties.
A digest adds to the build time. Factors that can affect build time using digests are CPU and hard drive speeds, amount of RAM, server workload, and so on.

Understanding Certificate Usage in Policy and Distribution Services

A certificate is a security mechanism used by Policy and Distribution Services to ensure that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution. Because configuration information can also be sent to the Subscriber, it ensures that the configuration information has been sent from a known Distributor and that the data has not changed.

All Subscribers must receive a valid security certificate from each Distributor that sends Distributions to them. Without a matching certificate, a Subscriber cannot receive Distributions from the Distributor.

The following illustrates the process of using certificates with Distributions:

Before a Distribution is sent, certificates must be resolved. This ensures that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution.

For information on resolving certificates, see Resolving Certificates.

After certificates have been resolved, the following illustrates how the Subscriber uses the certificate to ensure it is receiving a valid Distribution:

Important Points about Certificates

Certificates are issued by each Distributor to all Subscribers receiving Distributions from that Distributor. In order for a Subscriber to accept Distributions from a Distributor, it must have received a certificate from that Distributor.
For security, certificate key pairs are created by the Distributor.
The public key is written to the Distributor server's file system, which self-signs a certificate and stores it in Novell eDirectory^TM.
The private key is stored in the Distributor object's properties and is used for encryption.
The Subscriber software does not need to be running on the Subscriber server to have certificates copied to the server.
The association of Distributions (owned by a Distributor) and Subscribers to a Channel determines which Subscribers should receive certificates from which Distributors.
- A Distributor sends certificates to all Subscribers that subscribe to Channels where the Distributor has Distributions.
- A Subscriber requests certificates from all Distributors that have Distributions in Channels to which it subscribes.
A certificate can be passed from a Distributor to a Subscriber under the following circumstances:
- When a Subscriber is initially subscribed to a Channel and you click OK to apply the changes.
- When you right-click a Subscriber Object and select Resolve Certificates. The Subscriber then requests certificates from all Distributors that it receives Distributions from.
- When a Distribution is listed in a Channel and you click OK to apply the changes.
- When you right-click a Distributor Object and select Resolve Certificates. The Distributor sends certificates to all Subscribers that it sends Distributions to.
  For information on resolving certificates, see Resolving Certificates.
- When you add a Distribution or a Subscriber to a Channel. When you click OK, the Resolve Certificates? dialog box is displayed. If you answer Yes, certificates are sent by all Distributors who have Distributions associated with that Channel to all Subscribers subscribed to that channel.
- Manually copying a certificate file to a transfer medium (such as a diskette or local drive), then to the \zenworks\pds\ted\security directory on a server.
Basically, any time the relationship changes between the Subscribers, Channels, or Distributions, a certificate can be passed.
If a Distributor object is deleted and re-created to point to the same server, all certificates on the subordinate Subscribers become invalid. Certificates must be deleted from the Subscriber's \security directory, then the Distributor must send the new certificates to those Subscribers.
ConsoleOne copies the certificate files to Subscriber servers. Therefore, the client software on the workstation running ConsoleOne must have access to the Subscriber servers' file systems. For Windows Subscriber servers, the Domain and Workgroup rights on the workstation must be set up to facilitate automatic certificate copying. Otherwise, a 1204a error is given.

ConsoleOne User Rights and Certificate Copying

The administrator using ConsoleOne^® must have sufficient rights to the Subscriber server in order for a certificate to be copied to that server when the administrator resolves certificates in ConsoleOne. This is because when you use ConsoleOne to configure a Subscriber object to receive the Distributions from a particular Channel, the Distributors owning the Distributions in that Channel must send certificates to the Subscriber's server.

For NetWare^® Subscribers, the ConsoleOne user automatically has sufficient rights by virtue of being able to configure the Subscriber object.

For Windows Subscribers, administrator rights for the ConsoleOne user must be set up in Windows by selecting Active Directory Users and Computers, or selecting Local Users and Groups.

Certificate File Locations

Certificates are stored in the \zenworks\pds\ted\security directory on NetWare and Windows Subscriber servers, or in the /var/opt/novell/zenworks/zfs/pds/ted/security directory on Linux and Solaris servers.

WARNING: Make sure the ...\security directory is a non-public directory. This directory should not be read by anyone other than an administrator. The .keystore file is in the ...\security\private directory and is by default hidden from non-administrative users.

Certificates are usually named after the fully qualified DNS name of the Distributor server, such as Distributor_Server001.Distributions.ZENworks.Novell.com.cer or Distributor_Server001.Distributions.ZENworks.Novell.com.csr. The TCP/IP address of the server would be used for .csr files if a DNS name could not be resolved. The certificate would then be named using its IP address, such as 155.55.155.55.csr.

Resolving Certificates

IMPORTANT: ConsoleOne copies the certificate files to Subscriber servers. Therefore, the client software on the workstation running ConsoleOne must have access to the Subscriber servers' file systems. For Windows Subscriber servers, the Domain and Workgroup rights on the workstation must be set up to facilitate automatic certificate copying. Otherwise, a 1204a error is given.

When you are automatically presented with the option in ConsoleOne to resolve certificates, determine the following to know whether to select Yes or No:

If the Distributor currently has Distributions associated with this Channel, and all Subscribers currently subscribed to the Channel have previously received a certificate from this Distributor, select No.
If this is the first Distribution added to this Channel by the Distributor, or a Subscriber has been newly added to the Channel, select Yes (to resolve certificates).
This copies the security certificates from the Distributor to the Subscribers subscribed to the Channel.
If the server is a Linux or Solaris Subscriber that does not have a drive mapped to it (such as through using Samba) from the workstation you are using to resolve certificates, see Manually Copying Certificates for Non-Encrypted Distributions.

A prompt to copy a certificate is usually displayed when you have added:

A Channel to a Distribution
A Distribution to a Channel
A Subscriber to a Channel
A Channel to a Subscriber

To initiate resolving certificates:

In ConsoleOne, right-click the Distributor object, then click Resolve Certificates.
Make sure the Copy Certificates Automatically to Subscribers option is selected, then click OK.

This copies the new certificate to each Subscriber so that it can receive Distributions from this Distributor, as long as the workstation where you are running ConsoleOne can contact all of the Subscriber servers. If you are prompted for a location to copy the certificates, you must have a drive mapped to the destination server.

Handling Invalid Certificates

A Subscriber cannot receive Distributions from a Distributor when the Distributor's certificate has become invalid. A Subscriber cannot receive encrypted Distributions when the Subscriber's encryption certificate has become invalid. For information on encryption certificates, see Distribution Security Using Encryption.

A Distributor's certificate can become invalid when the DNS name or IP address of the Distributor has been changed. However, if your Distributor is configured to use DNS (the recommended addressing method), IP address changes on the Distributor do not invalidate its certificate. Also, if DNS addressing is being used, changes in a Subscriber's DNS name or IP address do not prevent the Subscriber from receiving Distributions.

However, a Subscriber's encryption certificate can become invalid when the DNS name or IP address of the Subscriber is changed, in which case a new encryption certificate needs to be created.

The following applies for DNS name changes where DNS is your installed addressing method, or for IP address changes where IP address is your installed addressing method:

Distributor DNS Name or IP Address Is Changed

Because the Distributor identifies itself to Subscribers by its server's DNS name or IP address, if you change the identifier being used on the Distributor server, Subscribers do not recognize the Distributor as a valid source for Distributions.

Changing the DNS name or IP address of a Distributor causes the certificate created by the Distributor to be invalid for all Subscribers that have received the certificate from this Distributor. Therefore, the Distributor must send new certificates to all Subscribers receiving Distributions from that Distributor.

To re-create and resolve the Distributor's certificate, do the following in order:

Modify the Distributor Server's Identification Attributes

You must first modify the Network Address attribute on the Other tab in the Distributor and Subscriber objects' properties.

If the server is using the DNS Name attribute to identify itself, do the following:

In ConsoleOne, right-click the Distributor object, click Properties, then select the Other tab.
Click the + symbol to the left of the NetWork Address.
Select the icon to the left of the field you want to modify.

A Browse button is displayed to the right.
Click the Browse button.
If you are modifying the DNS Name field, click the drop-down list at the top of the box where Type 13 is displayed.
Change the value from Type 13 to IP, then change IP back to Type 13.

This resets the value to now recognize the new DNS name.
Click the Browse button to the right of the NetAddress field in the lower portion of the box.
Select Servers DNS Name (on the right side of the box), then change it to the new name.
Click OK to return to the Other tab.
Click OK to finish.

If the server is using the IP Address attribute to identify itself, do the following:

In ConsoleOne, right-click the Distributor object, click Properties, then select the Other tab.
Click the + symbol to the left of the NetWork Address.
Select the icon to the left of the field you want to modify.

A Browse button is displayed to the right.
Click the Browse button.

The IP address is displayed in the lower portion of the dialog box.
Change the IP address to the new one.
Click OK to return to the Other tab.
Click OK to finish.

Continue with Create and Send New Certificates.

Create and Send New Certificates

On the Distributor server, shut down the Distributor Agent:
NetWare: At the ZENworks Server Management console prompt, enter exit.
Windows: In the Services dialog box, stop the Novell ZENworks Service Manager service.

For information on stopping and starting agents, see "Starting and Stopping Server Management Services" in the Novell ZENworks 6.5 Server Management Installation Guide.
In the \zenworks\pds\ted\security\private directory on the Distributor server, delete the .keystore file.

This file contains the Distributor's certificate.
In the \zenworks\pds\ted\security\csr directory on the Distributor server, delete the .csr file that has a name that matches either the old DNS name or the old IP address.
Restart the Distributor Agent.

A new certificate and .keystore file are automatically created for the Distributor.
To send new certificates to all Subscribers that receive Distributions from the Distributor selected in Step 1:
1. To resolve certificates, in ConsoleOne, right-click the Distributor object, then click Resolve Certificates.
  
  IMPORTANT: ConsoleOne copies the certificate files to Subscriber servers. Therefore, the client software on the workstation running ConsoleOne must have access to the Subscriber servers' file systems. For Windows Subscriber servers, the Domain and Workgroup rights on the workstation must be set up to facilitate automatic certificate copying. Otherwise, a 1204a error is given.
2. Make sure the Copy Certificates Automatically to Subscribers option is selected, then click OK.
This copies the new certificate to each Subscriber so that it can receive Distributions from this Distributor, as long as the workstation where you are running ConsoleOne can contact all of the Subscriber servers. If you are prompted for a location to copy the certificates, you must have a drive mapped to the destination server.

Subscriber DNS Name or IP Address Is Changed

Because the Distributor obtains the address of a Subscribers from the Subscriber's object in eDirectory, this information must be updated in the Subscriber object so that it can receive its Distributions.

Changing the DNS name or IP address of a Subscriber causes all encryption certificates contained on the Subscriber to be invalid. Subscribers can have one encryption certificate from each Distributor that sends it encrypted Distributions.

Subscribers can continue to receive non-encrypted Distributions, even if the DNS name or IP address is changed.

The following sections outline the steps to resolve DNS name or IP address changes:

Modify the Subscriber Server's Identification Attributes

You must first modify the Network Address attribute on the Other page in the Distributor and Subscriber objects' properties. To accomplish this, do the following as applicable.

If the server is using the DNS Name attribute to identify itself, do the following:

In ConsoleOne, right-click the Subscriber object, click Properties, then select the Other tab.
Click the + symbol to the left of the NetWork Address.
Select the icon to the left of the field you want to modify.

A Browse button is displayed to the right.
Click the Browse button.
If you are modifying the DNS Name field, click the drop-down list at the top of the box where Type 13 is displayed.
Change the value from Type 13 to IP, then change IP back to Type 13.

This resets the value to now recognize the new DNS name.
Click the Browse button to the right of the NetAddress field in the lower portion of the box.
Click Servers DNS Name (on the right side of the box), then change it to the new name.
Click OK to return to the Other tab.
Click OK to finish.

If the server is using the IP Address attribute to identify itself, do the following:

In ConsoleOne, right-click the Subscriber object, click Properties, then select the Other tab.
Click the + symbol to the left of the NetWork Address.
Select the icon to the left of the field you want to modify.

A Browse button is displayed to the right.
Click the Browse button.

The IP address is displayed in the lower portion of the dialog box.
Change the IP address to the new one.
Click OK to return to the Other tab.
Click OK to finish.

Resolve the New Certificates

To reproduce valid encryption certificates for the Subscriber, follow the instructions under Distribution Security Using Encryption.

Certificate and Private Key Directories

Certificates and private keys for Policy and Distribution Services are stored in the following locations in the .keystore file:

For the Distributor's private key on a NetWare Distributor server:
sys:\zenworks\pds\ted\security\private
For the Distributor's private key on a Windows Subscriber server:
c:\zenworks\pds\ted\security\private
For certificates received from Distributors on a NetWare Subscriber server:
sys:\zenworks\pds\ted\security

After the Distribution has been sent, the certificate is moved into the .keystore file.

Creating Security Certificates for Non-Encrypted Distributions

To create a certificate on a Distributor and copy it to its associated Subscribers:

On the server where a Distributor is installed, make sure its Distributor Agent is running (use zfs.ncf on a NetWare server, restart the Novell ZENworks Service Manager service on a Windows server, or enter /etc/init.d/novell-zfs start on a Linux or Solaris server).

This Java process creates the certificate and writes it to eDirectory.
Copy the certificate to each Subscriber using one of the following methods:
- If your Channels and Distributions are set up, right-click the Distributor object in ConsoleOne, click Resolve Certificates, then click OK. Make sure the Copy Certificates Automatically to Subscribers option is selected before clicking OK. This copies the new certificate to each Subscriber so that it can receive Distributions from this Distributor.
  For information on resolving certificates, see Resolving Certificates.
- If necessary, associate Subscribers with a Channel, create a Distribution for the Distributor, then associate the Distribution with a Channel. When you click OK, you are prompted to resolve the certificate. Respond to the query with Yes to resolve certificates for all Subscribers. The certificates are copied to all of the associated Subscribers. The Subscriber Java process does not need to be running on the Subscriber server; the server only needs to be up.
- Manually copy the Distributor's certificate to each Subscriber server's installation_path\zenworks\pds\ted\security directory (on Linux or Solaris, /var/opt/novell/zenworks/zfs/pds/ted/security). This method is necessary if you do not have a drive mapped to the Linux or Solaris server to the workstation you are using to resolve certificates.
- Right-click a Subscriber object, then click Resolve Certificates (repeat for each Subscriber object). This option might only be available if you answered No when prompted to copy security certificates.
The first two options are the easiest when there are many Subscribers receiving Distributions from one Distributor.
Because each Distributor creates its own security certificate, repeat Step 1 and Step 2 for each Distributor object in the tree.

Manually Copying Certificates for Non-Encrypted Distributions

To manually copy certificates to Subscribers using ConsoleOne:

Right-click a Distributor, Subscriber, or External Subscriber object, then click Resolve Certificates.

or

Click File, then click Resolve Certificates.
Select the Save Certificates to Disk option.
Provide a path for where to copy the certificate file, then click OK.

The certificate file that is copied to this path is named using the following syntax:
```
DNS_Name.cer
```
Copy the DNS_name.cer file from the path you gave to the Subscriber server's \zenworks\pds\ted\security directory (on Linux or Solaris, /var/opt/novell/zenworks/zfs/pds/ted/security).