Novell Documentation: ZENworks for Servers 3 - Distribution Security Using Signed Certificates and Digests

Distribution Security Using Signed Certificates and Digests

Policy and Distribution Services uses signed certificates to validate whether Distributions are from a trusted source, or have been tampered with. This security is automatically used by Policy and Distribution Services for all Distributions. However, there are actions you might need to take to get Policy and Distribution Services to create and process the certificates.

Policy and Distribution Services also provides optional Distribution security with digests. A digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.

There are two features of TED that deal with security:

Certificates: Security certificates (required) are issued by each Distributor to all Subscribers receiving its Distributions. In order for a Subscriber to accept its first Distribution from a Distributor, it must have a certificate in its security directory from that Distributor. Thereafter, the certificate is stored in the .KEYSTORE file.

For information on security certificates for encrypted Distributions, see Distribution Security Using Encryption .

Digests: Digests (optional) can be created for each Distribution at the time it is built. The digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.

The following sections provide more information on understanding, creating, and using certificates and digests:

Understanding Digests

Important points about digests:

Digests can be created for each Distribution at the time it is built. The digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
The Digest option is available for all Distribution types. The Digest check box is displayed on the General tab of the Distribution object's properties.
A digest will add about 30% to the build time. Factors that can affect build time using digests are CPU and hard drive speeds, amount of RAM, server workload, and so on.

Understanding Certificate Usage in Policy and Distribution Services

A certificate is a security mechanism used by Policy and Distribution Services to ensure that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution. Because configuration information can also be sent to the Subscriber, it ensures that the configuration information has been sent from a known Distributor and that the data has not changed.

All Subscribers must receive a valid security certificate from each Distributor that sends Distributions to them. Without a matching certificate, a Subscriber cannot receive Distributions from the Distributor.

The following illustrates the process of using certificates with Distributions:

Before a Distribution should be sent, certificates must be resolved. This ensures that the Distribution received by a Subscriber was actually sent by the Distributor owning that Distribution.

After certificates have been resolved, the following illustrates how the Subscriber uses the certificate to ensure it is receiving a valid Distribution:

Important Points about Certificates

Important points about certificates:

Certificates are issued by each Distributor to all Subscribers receiving Distributions from that Distributor. In order for a Subscriber to accept Distributions from a Distributor, it must have a certificate in its security directory from that Distributor.

For security, certificate key pairs are created by the Distributor.

The public key is written to the Distributor server's file system, which self-signs a certificate and stores it in Novell eDirectory^TM.

The Subscriber software does not need to be running on the Subscriber server to have certificates copied to the server.

A certificate can be passed from a Distributor to a Subscriber under two circumstances:
- When a Subscriber subscribes to a Channel and you click OK to apply the changes.
- When a Distribution is listed in a Channel and you click OK to apply the changes.
- When you resolve certificates from the menu option for the Distributor object.
Basically, any time the relationship changes between the Subscribers, Channels, or Distributions, a certificate can be passed.
If a Distributor object is deleted and re-created to point to the same server, all certificates on the subordinate Subscribers become invalid. Certificates must be deleted form the Subscriber's security subdirectory. Then the Distributor must send the new certificates to those Subscribers.

Certificate File Locations

Certificates are stored in the ZENWORKS\PDS\TED\SECURITY directory on each Subscriber's server.

WARNING: Make sure the ZENWORKS\PDS\TED\SECURITY directory is a non-public directory. This directory should not be read by anyone other than an administrator. The .KEYSTORE file is in the ZENWORKS\PDS\TED\SECURITY\PRIVATE directory and is by default hidden from non-administrative users.

Certificates are usually named after the fully-qualified DNS name of the Distributor server, such as Distributor_Server001.novell.com.cer or Distributor_Server001.novell.com.csr. The TCP/IP address of the server would be used for .CSR files if a DNS name could not be resolved. The certificate would then be named using its IP address, such as 155.55.155.55.csr.

Handling Invalid Certificates

A Subscriber cannot receive Distributions from a Distributor when the Distributor's certificate has become invalid. A Subscriber cannot receive encrypted Distributions when the Subscriber's encryption certificate has become invalid. For more information on encryption certificates, see Distribution Security Using Encryption .

A Distributor's certificate can become invalid when the DNS name or IP address of the Distributor has been changed. However, if your Distributor is configured to use DNS (the recommended addressing method), IP address changes on the Distributor will not invalidate its certificate. Also, if DNS addressing is being used, changes in a Subscriber's DNS name or IP address will not prevent the Subscriber from receiving Distributions.

However, a Subscriber's encryption certificate can become invalid when the DNS name or IP address of the Subscriber is changed, in which case a new encryption certificate needs to be created.

The following applies for DNS name changes where DNS is your installed addressing method, or for IP address changes where IP address is your installed addressing method:

Distributor DNS Name or IP Address Is Changed

Changing the DNS name or IP address of a Distributor causes the certificate created by the Distributor to be invalid for all Subscribers that have received the certificate from this Distributor. To re-create and resolve the Distributor's certificate, do the following:

On the Distributor server, shut down the Distributor Agent.

For information on stopping and starting agents, see Starting the Policy and Distribution Services Agents in Installing on NetWare and Windows Servers in Installing Policy and Distribution Services on NetWare and Windows Servers in the Installation guide; or, see Starting the Policy and Distribution Agents on UNIX and Stopping the Policy and Distribution Services Agents on UNIX in Installing Policy and Distribution Services on UNIX Servers in the Installation guide.

In the ZENWORKS\PDS\TED\SECURITY\PRIVATE directory on the Distributor server, delete the .KEYSTORE file.

This file contains the Distributor's certificate.

Restart the Distributor Agent.

A new certificate and .KEYSTORE file will be automatically created for the Distributor.

To resolve certificates: in ConsoleOne, right-click the Distributor object > click Resolve Certificates > click OK.

Make sure the Copy Certificates Automatically to Subscribers radio button is checked before clicking OK.

This will copy the new certificate to each Subscriber so that it can receive Distributions from this Distributor.

Subscriber DNS Name or IP Address Is Changed

Changing the DNS name or IP address of a Subscriber causes all encryption certificates contained on the Subscriber to be invalid. Subscribers can have one encryption certificate for each Distributor that sends it encrypted Distributions.

Subscribers will continue to receive non-encrypted Distributions, even if the DNS name or IP address is changed.

To reproduce valid encryption certificates for the Subscriber, follow the instructions under Distribution Security Using Encryption .

Certificate and Private Key Directories

Certificates and private keys for Policy and Distribution Services are stored in the following locations:

For the Distributor's private key on a NetWare^® Distributor server:
SYS:\ZENWORKS\PDS\TED\SECURITY\PRIVATE

For the Distributor's private key on a Windows* Subscriber server:
C:\ZENWORKS\PDS\TED\SECURITY\PRIVATE

For certificates received from Distributors on a NetWare Subscriber server:
SYS:\ZENWORKS\PDS\TED\SECURITY

After the Distribution has been sent, the certificate is moved into the .KEYSTORE file.

Creating Security Certificates for Non-Encrypted Distributions

Security certificates are not normally encrypted. The creation process for encryption certificates is different. For more information, see Distribution Security Using Encryption .

To create a certificate on a Distributor and copy it to its associated Subscribers:

On the server where a Distributor is installed, run its Java* process (use TED.NCF on a NetWare server, or restart the TED Distribution service on a Windows server).

This process creates the certificate and writes it into eDirectory.

Copy the certificate to each Subscriber using one of the following methods:
- Associate Subscribers with a Channel > create a Distribution for the Distributor > associate the Distribution with a Channel. When you click OK you will be prompted to resolve the certificate. Respond to the query with Yes to resolve certificates for all Subscribers. The certificates are copied to all of the associated Subscribers. The Subscriber Java process does not need to be running on the Subscriber server; the server only needs to be up.
  This method is the easiest when there are many Subscribers receiving Distributions from one Distributor.
  
  Non-encrypted security certificates only need to be sent between a Distributor and Subscriber pair once. Thereafter, they will each use that certificate to verify Distributions.
  
  IMPORTANT: Distributors cannot copy certificates to Linux* and Solaris* servers, or to any server where certain DNS configurations exist. Therefore, it would be best to have drives mapped on the workstation where you are using ConsoleOne to resolve certificates so that when prompted you can point to the correct destinations for the certificates.
- Manually copy the Distributor's certificate from the ZENWORKS\PDS\TED\SECURITY\PRIVATE directory to each Subscriber server's ZENWORKS\PDS\TED\SECURITY directory.
- Right-click a Subscriber object > click Resolve Certificates > repeat for each Subscriber object.

Because each Distributor creates its own security certificate, repeat Step 1 and Step 2 for each Distributor object in the tree.

Where Subscribers receive Distributions from multiple Distributors, the Subscribers will have one certificate from each Distributor.

Manually Copying Certificates for Non-Encrypted Distributions

To manually copy certificates to Subscribers using ConsoleOne^®, do any of the following:

Right-click a Distributor, Subscriber, or External Subscriber object > click Resolve Certificates.
Click File > Resolve Certificates.
Click OK on a property page > click Yes when prompted whether to copy a certificate for that object.
A prompt to copy a certificate is usually displayed when you have added:
- A Channel to a Distribution
- A Distribution to a Channel
- A Subscriber to a Channel
- A Channel to a Subscriber