7 Replies Latest reply on Aug 15, 2013 10:08 AM by dmease729

    Custom SSL cert for agent-server(secure) and client-server

    dmease729

      Hi,

      A recent audit has resulted in our team being asked to move away from the self-signed certs used by ePO.  I can follow through KB72477, but as far as I can see this will result in the custom keys being used only for the console-to-application comms (access to the ePO GUI) and the RSD client-to-server comms, as both use the same Tomcat service (as far as I can see).  With regards to the client-to-server comms, I am a bit unsure as to how the new keys would be communicated to the RSD agents, however.
      The next question would be how to customise the agent-to-server secure comms, which uses Apache.  As the keys used are contained within the server settings 'edit security keys', and the 'new key' option does not allow the import of a key, rather it just seems to create another self-signed key, I suspect that this may be more involved, but am not sure if I am overcomplicating things.

      I may be missing something obvious, but could somebody provide comment/thoughts on the above?

      cheers,

        • 1. Re: Custom SSL cert for agent-server(secure) and client-server
          dmease729

          Hi,

          As the client-to-server secure comms is also used by the Agent Handlers, I am assuming that the servers that are running the Agent Handlers only have to trust the signing CA.  Or is the validity of the certificate checked at all by the Agent Handlers?

          With regards to the agent-to-server secure comms, I could change the certificate used by Apache; however, would this have a knock-on effect on the agent communications, as I do not seem to be able to import SSL keys into the ePO server for this purpose, as mentioned above?

          I think I'm going to raise an SR for this also!

          • 2. Re: Custom SSL cert for agent-server(secure) and client-server
            JoeBidgood

            Sorry for not seeing this one earlier...

            There's no way to change the cert used for agent/server comms, I'm afraid. The keys used by ePO (and referred to in the server settings) are distinct from the SSL certs - they're the agent/server key pairs from earlier versions of ePO that are still used so that non-SSL comms are still secure. You can administer these keys via the console, but there is no similar process for the Apache certificates.

            Can I ask what it is you'd like to do, exactly, and the reason for wanting to avoid the self-signed certs? (Just to give me a better understanding...)

            Thanks -

            Joe

            • 3. Re: Custom SSL cert for agent-server(secure) and client-server
              dmease729

              Cheers Joe, just got the same answer from support earlier today.  Basically, it goes like this:

              Pen Tester / Auditor: "OMG we have found self-signed certificates used on this port!"

              Project: "... ... aaaaAAAAARRRRRGGGHHHHHHHHH"* <run around, bashing into things>

              Me: "I'll have a dig around" <comes to community / support>

              As it is not possible, I will simply communicate that back, and hopefully that will be the end of it.  I fear it may not be, as we go down the path of needing to document how attackers can use this to their advantage, and what is in place and can be in place to mitigate those attacks.  The whole affair in my opinion is low low risk (and high level-of-work-required-for-would-be-attacker).

              *dramatic re-enactment.  In reality the whole affair was quite calm.  Just re-enacting what I have seen to be the norm with these things.
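The documentation exercise described in this post starts with an inventory step: record the certificate the Apache agent/server port actually presents, whether it is self-issued, and its fingerprint, so that monitoring can pin the known-good fingerprint and alert if it ever changes. The following Python (standard library only) is an added example for that step, not code from this thread or from McAfee: `cert_summary()` walks the DER structure far enough to compare the issuer and subject Names and hashes the whole certificate, `summarise_live_endpoint()` applies it to a real host and port, and `make_test_cert()` builds a constructed, unsigned certificate skeleton so the check can be run offline. The host names, the `Example Corp Issuing CA` issuer and the dummy key/signature bytes are all constructed for the example.

```python
"""Triage a server certificate: is it self-issued, and what is its SHA-256 fingerprint?

Added example (not from the thread). Uses only the Python standard library.
"""
import hashlib
import ssl


def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end).

    value_end is also the offset where the next sibling element begins.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def cert_summary(der):
    """Return whether issuer == subject (self-issued) plus the SHA-256 fingerprint of the DER.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    Byte-for-byte Name equality is the usual quick self-signed test. It does not verify
    the signature with the embedded public key, so treat the result as a triage signal.
    """
    tag, cs, ce = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, ts, te = next(_children(der, cs, ce))   # tbsCertificate
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                     # explicit [0] version present
        fields = fields[1:]
    issuer = der[fields[2][1]:fields[2][2]]      # after serialNumber and signature AlgId
    subject = der[fields[4][1]:fields[4][2]]     # after validity
    return {
        "self_signed": issuer == subject,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def summarise_live_endpoint(host, port):
    """Fetch the certificate a live server presents and summarise it (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return cert_summary(ssl.PEM_cert_to_DER_cert(pem))


# --- Constructed test fixture: a minimal certificate skeleton with dummy key and signature ---

def _enc(tag, content):
    """DER-encode one TLV, using the long length form when the content is 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName (OID 2.5.4.3)."""
    atv = _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))
    return _enc(0x30, _enc(0x31, atv))


def make_test_cert(subject_cn, issuer_cn):
    """Build a syntactically valid but unsigned certificate for exercising cert_summary()."""
    sha256_rsa = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _enc(0x05, b""))
    rsa_key = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _enc(0x05, b""))
    validity = _enc(0x30, _enc(0x17, b"130815000000Z") + _enc(0x17, b"140815000000Z"))
    spki = _enc(0x30, rsa_key + _enc(0x03, b"\x00" * 17))          # dummy public key bits
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))                # version v3
                     + _enc(0x02, b"\x01")                          # serialNumber 1
                     + sha256_rsa + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _enc(0x30, tbs + sha256_rsa + _enc(0x03, b"\x00" * 33))  # dummy signature


if __name__ == "__main__":
    for issuer in ("epo.example.test", "Example Corp Issuing CA"):
        print(issuer, cert_summary(make_test_cert("epo.example.test", issuer)))
```

The fingerprint is what you would record in the risk register and in monitoring: since the thread establishes that ePO can recreate the Apache cert but never import one, any change in the pinned fingerprint is either a deliberate rebuild or something that warrants investigation.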

              • 4. Re: Custom SSL cert for agent-server(secure) and client-server
                JoeBidgood

                No problem.

                I've asked a senior colleague for their comments - it may be that there's something I'm missing. The problem I can see is that there's no way to distribute the new cert to existing agents short of importing the sitelist or redeploying all the agents, both of which are painful.

                Regards -

                Joe

                • 5. Re: Custom SSL cert for agent-server(secure) and client-server
                  dmease729

                  Darn your helpfulness Joe, darn it!

                  I didn't think it would be possible even with the redistribution of the sitelist or redeploying the agents, as I had no way of importing the keys into ePO security keys for the redistribution.  Unless *if* the certs were amended, the sitelist and security keys were updated automatically (I am sure this is more simple than my brain is making out).  I will stick with the official support answer for now (not possible), but if you do happen to come across a feasible and supported path for this, let me know - my curiosity is piqued, and if indeed it is a possibility I need to present it to the project, no matter how much work is involved.  Then it can be somebody else's decision on whether to proceed or not :-D

                  • 6. Re: Custom SSL cert for agent-server(secure) and client-server
                    JoeBidgood

                    It's the import of the cert (not key) that's the tricky part. We know that ePO can *recreate* the Apache cert: it's something that we do very regularly to repair broken installations that have to be recovered after a disaster - but then you're left with redeploying the agents.

                    What we don't have a mechanism for is importing a different cert (as opposed to calling ePO's internal function to create a new one.)

                    At this point I would definitely go with "not possible", but if I do find out anything useful I'll let you know.

                    Regards -

                    Joe

                    • 7. Re: Custom SSL cert for agent-server(secure) and client-server
                      dmease729

                      Yes, quite right - typing a large number of emails can result in my words getting mixed up.  I'm usually quite pedantic about that, and am also usually the one to correct (it avoids confusion later down the line) - tables have turned this time!