Policy and Distribution Services uses signed certificates to validate that Distributions come from a trusted source and have not been tampered with. This security is applied automatically by Policy and Distribution Services to all Distributions. However, there are actions you might need to take so that Policy and Distribution Services can create and process the certificates.
Policy and Distribution Services also provides optional Distribution security with digests. A digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
There are two features of TED that deal with security:
Certificates: Security certificates (required) are issued by each Distributor to all Subscribers receiving its Distributions. In order for a Subscriber to accept its first Distribution from a Distributor, it must have a certificate in its security directory from that Distributor. Thereafter, the certificate is stored in the .KEYSTORE file.
For information on security certificates for encrypted Distributions, see Distribution Security Using Encryption.
Digests: Digests (optional) can be created for each Distribution at the time it is built. The digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
The following sections provide more information on understanding, creating, and using certificates and digests:
Important points about digests:
A certificate is a security mechanism used by Policy and Distribution Services to ensure that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution. Because configuration information can also be sent to the Subscriber, the certificate also ensures that the configuration information came from a known Distributor and that the data has not been changed.
All Subscribers must receive a valid security certificate from each Distributor that sends Distributions to them. Without a matching certificate, a Subscriber cannot receive Distributions from the Distributor.
The following illustrates the process of using certificates with Distributions:
Before a Distribution should be sent, certificates must be resolved. This ensures that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution.
After certificates have been resolved, the following illustrates how the Subscriber uses the certificate to ensure it is receiving a valid Distribution:
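The following is an added illustrative model of the Subscriber-side check described above; it is not TED's own code or protocol. It assumes a Subscriber keystore holding one certificate (Distributor name plus public key) per Distributor, a digest computed with SHA-256 at build time, and an Ed25519 signature over that digest standing in for the product's certificate signature; the Distributor name is the one used as an example elsewhere on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate models what a Subscriber keeps per Distributor: the Distributor's
// name (DNS name, or IP address as the fallback) and its public key.
type Certificate struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// Distribution models what leaves the Distributor: the payload, the digest
// computed when it was built, and the Distributor's signature over that digest.
type Distribution struct {
	Distributor string
	Payload     []byte
	Digest      [32]byte
	Signature   []byte
}

// Keystore stands in for the Subscriber's .KEYSTORE file (assumption: keyed by Distributor name).
type Keystore map[string]Certificate

// BuildDistribution computes the digest and signs it with the Distributor's private key.
func BuildDistribution(name string, priv ed25519.PrivateKey, payload []byte) Distribution {
	d := sha256.Sum256(payload)
	return Distribution{Distributor: name, Payload: payload, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// Accept is the Subscriber-side check: a certificate for this Distributor must exist,
// the digest must still match the payload, and the signature must verify under that certificate.
// A Distributor whose DNS name changed has no matching entry and is rejected until certificates are resolved again.
func (ks Keystore) Accept(dist Distribution) error {
	cert, ok := ks[dist.Distributor]
	if !ok {
		return errors.New("no certificate for " + dist.Distributor)
	}
	if sha256.Sum256(dist.Payload) != dist.Digest {
		return errors.New("digest mismatch: distribution modified after it left the Distributor")
	}
	if !ed25519.Verify(cert.PublicKey, dist.Digest[:], dist.Signature) {
		return errors.New("signature invalid: not signed by " + cert.Name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	name := "Distributor_Server001.novell.com"
	ks := Keystore{name: Certificate{Name: name, PublicKey: pub}}
	fmt.Println("accept:", ks.Accept(BuildDistribution(name, priv, []byte("constructed payload"))))
}
```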
Important points about certificates:
In general, whenever the relationship between Subscribers, Channels, or Distributions changes, a certificate can be passed to the affected Subscribers.
Certificates are stored in the ZENWORKS\PDS\TED\SECURITY directory on each Subscriber's server.
WARNING: Make sure the ZENWORKS\PDS\TED\SECURITY directory is a non-public directory. This directory should not be readable by anyone other than an administrator. The .KEYSTORE file is in the ZENWORKS\PDS\TED\SECURITY\PRIVATE directory and is hidden from non-administrative users by default.
Certificates are usually named after the fully qualified DNS name of the Distributor server, such as Distributor_Server001.novell.com.cer or Distributor_Server001.novell.com.csr. If a DNS name cannot be resolved, the TCP/IP address of the server is used for .CSR files instead, and the certificate is then named using that IP address, such as 155.55.155.55.csr.
A Subscriber cannot receive Distributions from a Distributor when the Distributor's certificate has become invalid. A Subscriber cannot receive encrypted Distributions when the Subscriber's encryption certificate has become invalid. For more information on encryption certificates, see Distribution Security Using Encryption.
A Distributor's certificate can become invalid when the DNS name or IP address of the Distributor has been changed. However, if your Distributor is configured to use DNS (the recommended addressing method), IP address changes on the Distributor will not invalidate its certificate. Also, if DNS addressing is being used, changes in a Subscriber's DNS name or IP address will not prevent the Subscriber from receiving Distributions.
However, a Subscriber's encryption certificate can become invalid when the DNS name or IP address of the Subscriber is changed, in which case a new encryption certificate needs to be created.
The following applies for DNS name changes where DNS is your installed addressing method, or for IP address changes where IP address is your installed addressing method:
Changing the DNS name or IP address of a Distributor causes the certificate created by the Distributor to be invalid for all Subscribers that have received the certificate from this Distributor. To re-create and resolve the Distributor's certificate, do the following:
On the Distributor server, shut down the Distributor Agent.
For information on stopping and starting agents, see Starting the Policy and Distribution Services Agents in Installing on NetWare and Windows Servers in Installing Policy and Distribution Services on NetWare and Windows Servers in the Installation guide; or, see Starting the Policy and Distribution Agents on UNIX and Stopping the Policy and Distribution Services Agents on UNIX in Installing Policy and Distribution Services on UNIX Servers in the Installation guide.
In the ZENWORKS\PDS\TED\SECURITY\PRIVATE directory on the Distributor server, delete the .KEYSTORE file.
This file contains the Distributor's certificate.
Restart the Distributor Agent.
A new certificate and .KEYSTORE file will be automatically created for the Distributor.
To resolve certificates: in ConsoleOne, right-click the Distributor object > click Resolve Certificates > click OK.
Make sure the Copy Certificates Automatically to Subscribers radio button is checked before clicking OK.
This will copy the new certificate to each Subscriber so that it can receive Distributions from this Distributor.
Changing the DNS name or IP address of a Subscriber causes all encryption certificates held on the Subscriber to become invalid. A Subscriber can have one encryption certificate for each Distributor that sends it encrypted Distributions.
Subscribers will continue to receive non-encrypted Distributions, even if the DNS name or IP address is changed.
To re-create valid encryption certificates for the Subscriber, follow the instructions under Distribution Security Using Encryption.
Certificates and private keys for Policy and Distribution Services are stored in the following locations:
SYS:\ZENWORKS\PDS\TED\SECURITY\PRIVATE
C:\ZENWORKS\PDS\TED\SECURITY\PRIVATE
SYS:\ZENWORKS\PDS\TED\SECURITY
After the Distribution has been sent, the certificate is moved into the .KEYSTORE file.
Security certificates are not normally encrypted. The creation process for encryption certificates is different. For more information, see Distribution Security Using Encryption.
To create a certificate on a Distributor and copy it to its associated Subscribers:
On the server where a Distributor is installed, run its Java* process (use TED.NCF on a NetWare server, or restart the TED Distribution service on a Windows server).
This process creates the certificate and writes it into eDirectory.
Copy the certificate to each Subscriber using one of the following methods:
This method is the easiest when there are many Subscribers receiving Distributions from one Distributor.
Non-encrypted security certificates only need to be sent between a Distributor and Subscriber pair once. Thereafter, they will each use that certificate to verify Distributions.
IMPORTANT: Distributors cannot copy certificates to Linux* and Solaris* servers, or to any server where certain DNS configurations exist. Therefore, it is best to have drives mapped on the workstation where you are using ConsoleOne to resolve certificates, so that when prompted you can point to the correct destinations for the certificates.
Because each Distributor creates its own security certificate, repeat Step 1 and Step 2 for each Distributor object in the tree.
Where Subscribers receive Distributions from multiple Distributors, the Subscribers will have one certificate from each Distributor.
To manually copy certificates to Subscribers using ConsoleOne®, do any of the following:
A prompt to copy a certificate is usually displayed when you have added: