7.2 Distribution Security Using Encryption

Policy and Distribution Services provides the option to encrypt a Distribution to prevent unauthorized access to its contents when the Distribution is sent outside your secured network. There is usually no need to encrypt Distributions that are sent within your secured network.

Encrypting Distributions is a two-step process:

  1. Select the Encrypt check box in the Distribution’s properties in ConsoleOne and select the level of encryption (strong or weak).

  2. Manually create and copy the encryption security certificate files between the Distributor and Subscriber servers.

    IMPORTANT:For security, you should use a physical medium, such as a diskette, to transfer the certificate between network servers.

Thereafter, the Distribution is sent as an encrypted Distribution.

To understand Distribution encryption, review the following:

7.2.1 Creating and Copying Encryption Certificates

RSA PKIs provide the security process used for encrypted Distributions.

Encryption certificates are created from Certificate Signing Request (.csr) files. Every Subscriber server contains a .csr file that can be used as a template for creating an encryption certificate for a particular Distributor.

The encryption certificates (.cer) are used by the Subscribers to ensure secure transmission of an encrypted Distribution. If you pass the .cer file over the wire, the Distribution’s encryption key could be compromised. Therefore, you must manually copy the encryption security certificates to ensure that the encryption key contained in the certificate files is kept secure.

IMPORTANT:Do not manually copy a certificate by using a file browser, because that uses transmission lines and can be compromised. Instead, copy the certificate to an external media, such as a floppy diskette, and transport it physically between the Distributor and Subscriber servers.

To use encryption certificates with Subscribers, you must have previously resolved certificates and sent an non-encrypted Distribution to each Subscriber.

For information on resolving certificates, see Section 7.1.6, Resolving Certificates.

Figure 7-3 illustrates the process of manually copying the encryption certificates:

Figure 7-3 Manually Copying Entryption Certificates

The Distributor signs the .csr to create the encryption .cer file, which is manually copied from the Distributor to the Subscriber to replace the current non-encryption .cer file on the Subscriber server.

The encryption certificate is required for extracting a Distribution. If a Subscriber is only acting as a parent Subscriber to pass the encrypted Distribution on to Subscribers who have subscribed to the Distribution’s Channel, the parent Subscriber does not need to have the encryption certificate on its server.

To create certificates for an encrypted Distribution:

  1. Determine the Distribution you want encrypted.

  2. Determine the Distributor that owns this Distribution.

  3. Determine which Subscribers should receive the encrypted Distribution.

  4. Resolve certificates for the selected Distributor to the selected Subscribers, then send a non-encrypted Distribution from that Distributor to the Subscribers.

    For information on resolving certificates, see Section 7.1.6, Resolving Certificates.

  5. Access the file systems of this Distributor and these Subscribers.

  6. Copy every .csr certificate file contained in the following directory from each Subscriber to the same path on the Distributor:

    \zenworks\pds\ted\security\csr

    This path begins with whatever you used for installing ZENworks Server Management.

    The Certificate Signing Request (.csr) is used to create the encryption certificate file.

  7. In ConsoleOne, right-click the Distributor object, click Sign CSR Files, select the .csr files to be signed, click Sign, click OK on the Success dialog box, then click Close.

    You can select multiple .csr files to be signed at the same time.

    This creates the Certificate (.cer) files in the same Distributor’s directory as the .csr files you copied from the Subscribers. You will have one .cer file for each .csr file.

    You can also perform this step using iManager:

    1. Select Remote Web Console.

    2. Select or provide the Distributor’s IP address.

    3. In the Available Services drop-down box, select Tiered Electronic Distribution.

    4. Select the Security tab, then click the Sign CSR link.

  8. For each target Subscriber, do the following:

    1. Copy the Subscriber server’s corresponding .cer files from the following location on the Distributor’s file system:

      \zenworks\pds\ted\security\csr

      to the following path on the Subscriber’s own server’s file system:

      \zenworks\pds\ted\security

      Each .cer file contains its Subscriber server’s name.

    2. Rename the .cer files that you just copied to the Subscriber server to have the Distributor’s DNS name instead of the Subscriber’s.

  9. Send the encrypted Distribution.

WARNING:Under the following scenario, the encryption certificates you just created can be overwritten before they are used:

1. Changes are made to the Channel, Subscribers, or Distribution involved with the encrypted Distribution.

2. This causes the prompt for copying certificates to be displayed.

3. If you reply with Yes before the encrypted Distribution has been sent and received by the Subscribers:

    a. The encryption .cer file is overwritten on each Subscriber with a non-encryption .cer file.

    b. The Subscribers cannot decrypt the Distribution when it is received, because the .cer file was overwritten with a .cer file that does not contain the encryption keys.

After the encrypted Distribution has been sent once to each Subscriber, the encryption .cer file is moved into the .keystore file on the Subscriber server’s file system so that it cannot be overwritten. Thereafter, you can reply with Yes to copy certificates when this scenario occurs.

7.2.2 Sending an Encrypted Distribution

After an encryption certificate has been established on a Subscriber server, Figure 7-4 illustrates the process for sending encrypted Distributions:

Figure 7-4 Sending Encrypted Distributions

The only Subscribers that need to receive the encryption key are those that are extracting the Distribution. Therefore, parent Subscribers and Subscribers in the Distributor’s routing hierarchy do not need to receive the encryption key if they are not extracting the Distribution.

7.2.3 Extracting an Encrypted Distribution

Before an encrypted Distribution can be extracted on a Subscriber server, the Subscriber must receive the encryption key. Figure 7-5 illustrates how the key is sent:

Figure 7-5 Sending Encryption Keys

Each Distribution has its own encryption key sent.