Symantec Access Management

  • 1.  Enabling SSL for CA Dir

    Posted Jul 19, 2018 11:48 AM

I'm having a very hard time following the CA Dir 14 admin guide concerning SSL.  I have 2 data DSAs that are replicating to each other and being used as a SiteMinder session store.  All is working well.  Now I want to enable SSL on those instances.  I am not using a router but a hardware load balancer for the policy servers to connect to.

     

I have run the 'dxcertgen certreq' command to get the cert request from the first server.  I then sent that to a 3rd party to get my certs back.  I would like to use a single cert for all data DSAs.  The confusing part starts with the admin guide doc.  

     

The section about using a single cert is at the beginning of the SSL discussion.  Mentions using the 'set ssl' and some file called 'config/ssld/personalities/generic.pem' but no mention on how to create that file, where it comes from, what it contains, etc., and no mention on how to do any of this if you are using the management UI.  I don't want to get burnt by using command line tools only to have config overwritten by the management UI.

     

    Is there some tech doc that has a step by step of how to get SSL working from start to finish, using a 3rd party cert (that will also include a cert chain), and using the management UI?  I wish the admin guide was written more as a step by step process.  It feels more like a reference guide to me.

     

    Thanks



  • 2.  Re: Enabling SSL for CA Dir

    Posted Jul 19, 2018 12:16 PM

    Samatnys

     

    I hear your confusion and was in the same boat.

     

    There are two ways you can generate SSL Certificates for DSA.

     

    OPTION-1 : Using DXCERTGEN.

    Using this method you'll end up with one Private Key / Public certificate per DSA.

     

    OPTION-2 : Using an external third party tool like OpenSSL.

Using this method you'll end up with one Private Key / Public certificate which will be shared by all DSAs.

     

    I prefer OPTION-2 as this is more manageable when it comes to deployment and renewals.

     

     

    DSA Certificates - CA Directory - 14.0 - CA Technologies Documentation 

    Sharing Certificates Between DSAs

    When using third party certificate authorities, refreshing certificates for a large number of DSAs becomes a tedious task. This operation is tedious because each DSA personality requires that the subject DN match the dsa-name field for each DSA, thus, requiring a unique certificate signing request (CSR) for each DSA. The subject DN is used when determining the DSA name during mutual authentication when creating a ssl-auth authenticated DSP link.

    The set ssl command supports an option to allow for the use of a single personality certificate to be shared by all DSAs.

    set ssl = {
        # generic DSA personality certificate
        cert-file = "config/ssld/personalities/generic.pem"

        # trusted root CA that signed DSA certificates
        ca-file = "config/ssld/trusted.pem"
        cipher = "ALL:!ADH:!DES:!EXPORT40:!MEDIUM:!RC4:!LOW:+SSLv2:@STRENGTH"
        protocol = tls
    };

    The command changes mutual authentication by taking the DSA name from the external procedure presented during authenticate rather than from the certificate subject DN. The rest of authentication remains the same (certificate verification, inbound IP verification).

     

     

    Steps for OPTION-2 :

    1. Generate a Private Key (priv.key) and CSR (cert.csr) using OpenSSL.
    2. Send the CSR to Certification Authority for Signature.
    3. Retrieve the Public (Signed Certificate) Certificate (cert.pem) from Certification Authority.
    4. Retrieve the Root Certificate (root.pem) from Certification Authority.
5. Put priv.key, cert.pem, root.pem in a single folder (anywhere the DSA OS user can access) on the host where your DSA is running.
    6. Now very important step (UNDOCUMENTED).
      1. Your Cert / Key has to be in PEM format i.e. BEGIN CERTIFICATE and END CERTIFICATE / BEGIN PRIVATE KEY and END PRIVATE KEY TAGS.
      2. We have to merge the KEY and CERT into one single file.
      3. e.g. "cat priv.key >> cert.pem". This command will append BEGIN PRIVATE KEY and END PRIVATE KEY to the end of cert.pem. Now you'll have both Cert and Key in one file.
    7. Now go to $DXHOME/config/ssld
    8. Make a copy of default.dxc to "sstore.dxc"
    9. Create the entries as per table below.
    10. Modify the server initialization file $DXHOME/config/server/server.dxi
    11. Change the SSL section to source "../ssld/sstore.dxc".
    12. Modify the knowledge file $DXHOME/config/knowledge and add "link-flags = ssl-encryption".
    13. Restart your DSA.
14. Repeat the steps on all DSAs.

     

    $DXHOME/config/ssld/sstore.dxc

    set ssl = {
        # generic DSA personality certificate
        cert-file = "<PATH to Cert Dir where we dropped all files>/cert.pem"

        # trusted root CA that signed DSA certificates
        ca-file = "<PATH to Cert Dir where we dropped all files>/root.pem"
        # cipher = "ALL:!ADH:!DES:!EXPORT40:!MEDIUM:!RC4:!LOW:+SSLv2:@STRENGTH"
        # protocol = tls

        # fips = false
    };

     

     

     

    Additional Reference Links to consider in your overall design :

    set force-encrypt-auth Command -- Force Users to Use SSL on Authenticated Binds - CA Directory - 14.0 - CA Technologies … 

    set force-encrypt-anon Command -- Force Users to Use SSL on Anonymous Binds - CA Directory - 14.0 - CA Technologies Docu… 

    Set Up Encryption - CA Directory - 14.0 - CA Technologies Documentation 

    set dsa Command -- Define the Knowledge Settings of a DSA - CA Directory - 14.0 - CA Technologies Documentation 



  • 3.  Re: Enabling SSL for CA Dir

    Posted Jul 19, 2018 01:14 PM

    Thanks Hubert.  I was hoping you would answer as it looked like you had struggled with this in the past.

     

You pasted the section I was talking about regarding using a single cert for multiple DSAs.  What is generic.pem?  Something I create?  What does it contain?  That section is severely lacking in any pertinent information.  Basically I want to merge what you wrote for option 2 and how to use a single cert.  And if I do all that work, how will the management UI know about any of this?  I am not a fan of the management UI keeping a local copy of the config and overwriting any command line work that might have been done.

     

    Thanks

    Sam



  • 4.  Re: Enabling SSL for CA Dir

    Posted Jul 19, 2018 01:21 PM

    Samatnys

     

    generic.pem is something we create using external method e.g. openssl.

     

    generic.pem should contain the public cert and private key in the pem format.

     

    Refer to the steps [Steps for OPTION-2] I listed in the above thread; where generic.pem is cert.pem, in the steps I listed. 

     

    The steps I listed are for manual configuration using file based approach.

     

    If you are using management UI, in the UI there is an option to mention the "cert-file".

     

You cannot use UI management and tinker manually at file level. We decided which approach to adopt and stuck to that. 



  • 5.  Re: Enabling SSL for CA Dir
    Best Answer

    Posted Jul 19, 2018 01:46 PM

    Samatnys

     

    Here I have bifurcated between Manual and UI based approach for Option-2.

     

    Steps for OPTION-2 (MANUAL APPROACH - File Based Approach) :

    1. Generate a Private Key (priv.key) and CSR (cert.csr) using OpenSSL.
    2. Send the CSR to Certification Authority for Signature.
    3. Retrieve the Public (Signed Certificate) Certificate (cert.pem) from Certification Authority.
    4. Retrieve the Root Certificate (root.pem) from Certification Authority.
5. Put priv.key, cert.pem, root.pem in a single folder (anywhere the DSA OS user can access) on the host where your DSA is running.
    6. Now very important step (UNDOCUMENTED).
      1. Your Cert / Key has to be in PEM format i.e. BEGIN CERTIFICATE and END CERTIFICATE / BEGIN PRIVATE KEY and END PRIVATE KEY TAGS.
      2. We have to merge the KEY and CERT into one single file.
      3. e.g. "cat priv.key >> cert.pem". This command will append BEGIN PRIVATE KEY and END PRIVATE KEY to the end of cert.pem. Now you'll have both Cert and Key in one file.
    7. Now go to $DXHOME/config/ssld
    8. Make a copy of default.dxc to "sstore.dxc"
    9. Create the entries as per table below.
    10. Modify the server initialization file $DXHOME/config/server/server.dxi
    11. Change the SSL section to source "../ssld/sstore.dxc".
    12. Modify the knowledge file $DXHOME/config/knowledge and add "link-flags = ssl-encryption".
    13. Restart your DSA.
14. Repeat the steps on all DSAs.

     

    $DXHOME/config/ssld/sstore.dxc

    set ssl = {
        # generic DSA personality certificate
        cert-file = "<PATH to Cert Dir where we dropped all files>/cert.pem"

        # trusted root CA that signed DSA certificates
        ca-file = "<PATH to Cert Dir where we dropped all files>/root.pem"
        # cipher = "ALL:!ADH:!DES:!EXPORT40:!MEDIUM:!RC4:!LOW:+SSLv2:@STRENGTH"
        # protocol = tls

        # fips = false
    };

      

     

     

     

    Steps for OPTION-2 (Automated APPROACH - UI Based Approach) :

    1. Generate a Private Key (priv.key) and CSR (cert.csr) using OpenSSL.
    2. Send the CSR to Certification Authority for Signature.
    3. Retrieve the Public (Signed Certificate) Certificate (cert.pem) from Certification Authority.
    4. Retrieve the Root Certificate (root.pem) from Certification Authority.
    5. Put priv.key, cert.pem, root.pem on a single folder (anywhere where DSA OS user can access) where your DSA is running.
    6. Now very important step (UNDOCUMENTED).
      1. Your Cert / Key has to be in PEM format i.e. BEGIN CERTIFICATE and END CERTIFICATE / BEGIN PRIVATE KEY and END PRIVATE KEY TAGS.
      2. We have to merge the KEY and CERT into one single file.
3. e.g. "cat priv.key >> cert.pem". This command will append BEGIN PRIVATE KEY and END PRIVATE KEY to the end of cert.pem. Now you'll have both Cert and Key in one file.
    7. Login to Management UI.
    8. Go to the DSA, SSL Tab. You'll see options for "Certificate File" and "CA File". Populate only these 2 fields.
9. Set the link-flag as ssl-encryption in DSA, Ext Knowledge tab.
    10. Save the changes.
    11. Restart DSA.
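Steps 1 to 6 of both OPTION-2 procedures above (key and CSR, CA signing, merging cert and key into the single shared personality file) carried through as a runnable script, plus the checks worth doing before pointing `cert-file` at the result. This is an added example, not code from the thread, from the CA Directory documentation or from the product. It assumes `openssl` is on the PATH; the root CA it generates is a constructed stand-in for the third-party CA so the script runs offline, and the subject DN, key size and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or CA Directory): build the shared DSA
# personality file (generic.pem, i.e. cert.pem in the steps above) with
# OpenSSL and sanity-check it before `set ssl = { cert-file = ... }` uses it.
# Assumptions: openssl in PATH; the root CA below is a constructed stand-in
# for the external CA; DN, key size and file names are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BITS=2048   # illustrative key size; use what your CA policy requires

# Step 1: private key and CSR for the one personality shared by all DSAs.
gen_key_and_csr() {
  openssl req -new -newkey "rsa:$BITS" -nodes -sha256 \
    -keyout "$WORK/priv.key" -out "$WORK/cert.csr" \
    -subj "/CN=generic-dsa/O=Example/C=US" >/dev/null 2>&1
  chmod 600 "$WORK/priv.key"
}

# Steps 2-4: constructed stand-in for the third-party CA. In production you
# send cert.csr away and receive cert.pem and root.pem back.
fake_ca_sign() {
  openssl req -x509 -newkey "rsa:$BITS" -nodes -sha256 -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Constructed Test Root CA/O=Example/C=US" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/cert.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Steps 5-6: one PEM holding the leaf cert, any intermediates, then the key.
# Written with > instead of `cat priv.key >> cert.pem` so a re-run can never
# append a second copy of the key to the file.
make_personality_pem() {
  {
    cat "$WORK/cert.pem"
    if [ -f "$WORK/chain.pem" ]; then cat "$WORK/chain.pem"; fi
    cat "$WORK/priv.key"
  } > "$WORK/generic.pem"
  chmod 600 "$WORK/generic.pem"   # it now contains the private key
}

# Pre-restart checks: PEM markers present, leaf verifies against the
# ca-file, and the bundled key really belongs to the bundled certificate.
verify_personality() {
  pem="$WORK/generic.pem"
  grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
  grep -q 'PRIVATE KEY' "$pem" || return 1
  openssl x509 -in "$pem" -out "$WORK/leaf.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/leaf.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

if [ "${1:-}" = "demo" ]; then
  gen_key_and_csr; fake_ca_sign; make_personality_pem
  verify_personality && echo "generic.pem OK in $WORK"
fi
```

Run it as `sh build_personality.sh demo`, then copy `generic.pem` and `root.pem` to the folder your `sstore.dxc` (or the UI's "Certificate File" / "CA File" fields) points at. After the restart, `openssl s_client -connect <dsa-host>:<dsa-ssl-port> -CAfile root.pem` confirms the DSA presents that certificate and shows which protocol and cipher were negotiated; that is worth looking at, since the sample cipher string quoted from the 14.0 docs above starts from `ALL` and includes `+SSLv2`.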


  • 6.  Re: Enabling SSL for CA Dir

    Posted Jul 19, 2018 05:10 PM

    Thanks Hubert.  I've marked this correct even though I haven't gotten it all to work.  It's the end of the day and I'm pretty much done trying to figure this all out.  The end for me was when I tried to back it all out and realized the hard way that just by using non-default settings for the ssl settings turned ssl on.  I was under the impression there was some type of yes/no or true/false or flag for whether I wanted to use ssl or not.  The learning curve from ODSEE is going to be painful for me.  But I do appreciate all the help you've given me today.

     

    Thanks

    Sam