Summary

This KB article explains how to configure Unix-based (AIX, HP-UX, Linux, MacOS, Solaris) Managed Devices to communicate over HTTPS (SSL/TLS).

Synopsis

In some instances it is required to allow Unix-based systems (AIX, HP-UX, Linux, MacOS, Solaris) to communicate over HTTPS (SSL/TLS) using a certificate when uploading and downloading inventory and policies, among other actions.

Discussion

The following steps should allow the configuration of trusted certificates for use with the above managed devices:

- Obtain a copy of all root Certificate Authority (CA) certificates that are used by your HTTPS web servers. For most organisations, this will be a single certificate. The certificate should be saved using the PEM format.

- The PEM format certificates should be base-64 encoded plain text surrounded by a "BEGIN CERTIFICATE" header and an "END CERTIFICATE" footer. That is, for example:

  -----BEGIN CERTIFICATE-----
  MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR
  MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1
  ......
  wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv
  c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl
  -----END CERTIFICATE-----

- The collection of one or more root CA certificates should be concatenated together into a single file.

- Copy this root CA certificate file as "/var/tmp/mgsft_rollout_cert" before installing the Managed Devices client.

- During installation of the client, the "/var/tmp/mgsft_rollout_cert" file will be copied to "/var/opt/managesoft/etc/ssl/cert.pem".

- If the Managed Devices client is already installed, then the certificate file may be directly copied to "/var/opt/managesoft/etc/ssl/cert.pem".

- Ensure that all CA certificates within a certificate chain up to the root CA include a reference to a downloadable Certificate Revocation List (CRL). The reference to the CRL must be described using the X509v3 extension "X509v3 CRL Distribution Points". The CRL must be downloadable using the HTTP protocol and must be in DER format (a binary file).

Additional configuration options:

CheckServerCertificate - Check the server certificate's existence, name, validity period, and issuance by a trusted certificate authority (CA). This can be configured using "MGSFT_HTTPS_CHECKSERVERCERTIFICATE" with "true" or "false" in the mgsft_rollout_response file. This setting lives under the [ManageSoft\Common] section as CheckServerCertificate in "/var/opt/managesoft/etc/config.ini".

CheckCertificateRevocation - Additionally check that the server certificate has not been revoked. Already supported on Windows. This can be configured using "MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION" with "true" or "false" in the mgsft_rollout_response file. This setting lives under the [ManageSoft\Common] section as CheckCertificateRevocation in "/var/opt/managesoft/etc/config.ini".


Additional Information

Additional information on configuring SSL certificates for Windows and other Managed Devices can be found in the Preferences for Managed Devices Guide.

Last update: Mar 08, 2013 04:57 AM