AirWave and Network Management

New Contributor
Posts: 3
Registered: ‎05-25-2010

How to install certificate?

After the AirWave platform server is set up, there is a warning about the server certificate when someone tries to connect to the server. That is: “Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.”

My questions are:
1. Do we need to get and install our own certificate on AMP? Or does AMP have its own self-signed certificate?
2. How do we install the certificate on the AMP server? Are there any instructions/tutorials for it?

Thanks a lot.
Moderator
Posts: 241
Registered: ‎09-12-2007

Re: How to install certificate?

This is precisely because AMP is using a self-signed certificate. You want to get your own and install it on the system.

Unfortunately I don't know how to do that but someone will come along who can tell us. :)
---
Jon Green, ACMX, CISSP
Security Guy
Aruba
Posts: 349
Registered: ‎04-14-2009

Instructions from knowledgebase

The instructions below come from this article in our knowledgebase (login required):

Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a 3-step process:

I. Create a CSR (Certificate Signing Request) file
II. Send the CSR to a third-party Certificate Authority (CA)
III. Install the certificate you receive from the CA on your AirWave server


I. CREATE A CERTIFICATE SIGNING REQUEST (CSR)
---------------------------------------

1. Find the file openssl.cnf on your server. On most systems it's located in one of these two directories:

/usr/share/ssl/
/etc/pki/tls/

2. Edit openssl.cnf using nano, vi or the text editor of your choice.

# nano /etc/pki/tls/openssl.cnf

-OR-

# nano /usr/share/ssl/openssl.cnf

3. Go to the section named [ req_distinguished_name ]:

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
0.organizationName = Aruba Networks, Inc.
organizationalUnitName = AirWave Wireless
commonName = my_amp.airwave.com
emailAddress = some_user@airwave.com

4. Replace the information for Aruba/AirWave with your company's information.

5. Under the [ req_attributes ] section update the challengePassword.

[ req_attributes ]
challengePassword = A challenge password

6. Save the file.

NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below).

7. Create ssl-certs directory under /var/airwave/custom:

# mkdir /var/airwave/custom/ssl-certs

8. Run openssl to create a new private key and CSR in the ssl-certs directory:

# openssl req -new -nodes -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr


II. REQUEST A CERTIFICATE FROM A VALID CERTIFICATE AUTHORITY
------------------------------------------------------------

Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you're prompted for a CSR provide the contents of the newcert.csr file you generated in step 8 above.


III. YOU'VE RECEIVED YOUR CERTIFICATE, HOW DO YOU INSTALL IT?
-------------------------------------------------------------

This example assumes that you've named your certificate newcert.crt. You can name it anything you want.

1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt

2. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files:

# ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt
# ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key

3. Restart the Apache web server:

# ra

Output from the above command should look like this:

Stopping httpd:
Starting httpd:

4. Wait a few moments for Apache to come back up, then login to your server's web UI to confirm that you can access the AMP using your new certificate.


TROUBLESHOOTING
-------------------------------------------------------------

Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths will point to the symbolic links you set up in step III.2 above that in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory.

NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit the ssl.conf file each time you upgraded the server.

# nano /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Re: Instructions from knowledgebase

O.k., managed to install our new certificate on our Airwave 7.7.4 system. However, I usually install any intermediate and root certificates as well just to make sure that the client doesn't have issues with not being able to validate the actual certificate.

 

Where do I install any CA files?

 

Rgds

alex

 

Occasional Contributor I
Posts: 7
Registered: ‎06-21-2010

Re: How to install certificate?

I followed all the steps described here but if I check the browser it still shows the self-signed cert.

How can I troubleshoot? The soft links are OK.

 

The dir /etc/httpd/conf.d does not have ssl.conf but ssl.conf.rpmsave. Is this the problem?

 

One other remark: during creation of the CSR you need to provide a password, shouldn't this be asked for upon importing the certificate?

 

 

New Contributor
Posts: 4
Registered: ‎03-28-2013

Re: How to install certificate?

Hi,

 

Got the same issue here (no ssl.conf), and we found a way to import our own certificate.

 

I'm using Airwave 7.7.8 and it seems the SSL certificate and private key are now located in the same file:

/etc/httpd/conf/ssl.pem

 

Start by doing a backup:

cp /etc/httpd/conf/ssl.pem /etc/httpd/conf/ssl.pem.bak

 

Then overwrite the ssl.pem file with your own certificate file (.pem or .crt):

cp my_cert_file.pem /etc/httpd/conf/ssl.pem

 

Then concatenate your private key (in cleartext; if your keyfile is password protected, you have to decrypt it first) to your certificate.

cat my_private_key_file.key >> /etc/httpd/conf/ssl.pem

 

At this point, your ssl.pem file should look the same as the previous one (compare content using "cat" command).

 

When you're done, restart apache using the "ra" command and wait (even if apache says OK, it could take 2 minutes or more to access the web server again).

 

Regards,

Laurent Asselin,  Jean-Charles Bervoet and Regis Deroff.

Exer Group

Occasional Contributor I
Posts: 7
Registered: ‎06-21-2010

Re: How to install certificate?

This worked for me:

 

Tested this procedure on version 7.5.5.

 

The following document describes installing an SSL certificate in all AirWave versions 7.2.4 and greater. 

Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a 3-step process: 

I. Create a CSR (Certificate Signing Request) file 
II. Send the CSR to a third-party Certificate Authority (CA) 
III. Install the certificate you receive from the CA on your AirWave server 


I. CREATE A CERTIFICATE SIGNING REQUEST (CSR) 
--------------------------------------- 

1. Find the file openssl.cnf on your server. On most systems it's located in one of these two directories: 

/usr/share/ssl/ 
/etc/pki/tls/ 

2. Edit openssl.cnf using nano, vi or the text editor of your choice. 

# nano /etc/pki/tls/openssl.cnf 

-OR- 

# nano /usr/share/ssl/openssl.cnf 

3. Go to the section named [ req_distinguished_name ]: 

[ req_distinguished_name ] 
countryName = US 
stateOrProvinceName = California 
0.organizationName = Aruba Networks, Inc. 
organizationalUnitName = AirWave Wireless 
commonName = my_amp.airwave.com 
emailAddress = some_user@airwave.com 

4. Replace the information for Aruba/AirWave with your company's information. 

5. Under the [ req_attributes ] section update the challengePassword. 

[ req_attributes ] 
challengePassword = A challenge password 

5a. Change default_bits = 1024 to default_bits = 2048. Most CAs don’t issue certificates with 1024 key length anymore.

6. Save the file. 

NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below). 

7. Create ssl-certs directory under /var/airwave/custom: 

# mkdir /var/airwave/custom/ssl-certs 

8. Run openssl to create a new private key and CSR in the ssl-certs directory: 

# openssl req -nodes -newkey rsa:2048 -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr 

II. REQUEST A CERTIFICATE FROM A VALID CERTIFICATE AUTHORITY 
------------------------------------------------------------ 

Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you're prompted for a CSR provide the contents of the newcert.csr file you generated in step 8 above. 

If you receive a bunch of certificates from them, you probably want the one that's described as a base64-encoded x509 certificate. 

III. YOU'VE RECEIVED YOUR CERTIFICATE, HOW DO YOU INSTALL IT? 
------------------------------------------------------------- 

This example assumes that you've named your certificate newcert.crt. You can name it anything you want. 

IMPORTANT NOTE FOR FAILOVER: The instructions below are fine for AMPs and Master Console. On Failover, instead of storing the certificates in /var/airwave/custom/ssl-certs/, they should be stored someplace that isn't affected by backup/restore operations, like /home/some_user, and the soft links should point to the files there.

1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt 

2. Concatenate your certificate and private key into one file, to be used by pound. Add a new line to the end of the certificate to ensure that the two files don't get jumbled together during the concatenation. 

# echo -e "\n" >> /var/airwave/custom/ssl-certs/newcert.crt 
# cat /var/airwave/custom/ssl-certs/newcert.crt /var/airwave/custom/ssl-certs/newcert_private.key > /var/airwave/custom/ssl-certs/pound.crt 

3. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files: 

# ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt 
# ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key 
# ln -sf /var/airwave/custom/ssl-certs/pound.crt /etc/httpd/conf/ssl.pem 


4. Restart the Apache and pound web servers: 

# ra 
# service pound restart 

5. Wait a few moments for Apache to come back up, then login to your server's web UI to confirm that you can access the AMP using your new certificate. 


TROUBLESHOOTING 
------------------------------------------------------------- 

Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths will point to the symbolic links you set up in step III.2 above that in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory. 

NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit the ssl.conf file each time you upgraded the server. 

# nano /etc/httpd/conf.d/ssl.conf 

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt 

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
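
Both the 7.7.8 post (cat of the key onto ssl.pem) and step III.2 of the last procedure build one combined PEM file, and step III.2 adds a newline so the certificate and key don't get jumbled together. The following is an added example, not part of any post or of the AirWave knowledgebase article: a structural check for such a file, run here on constructed placeholder data. The function name check_pem_bundle and the file jumbled.pem are assumptions made for the illustration; the other file names follow the thread.

```shell
#!/bin/sh
# check_pem_bundle FILE: return 0 only if every BEGIN/END marker is alone on
# its line, blocks pair up, and FILE holds >=1 certificate and 1 private key.
check_pem_bundle() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /-----(BEGIN|END) / {
            # Two markers fused on one line is the "jumbled" case caused by a
            # certificate file that lacks a trailing newline.
            if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]+-----$/) {
                printf "line %d: marker not alone on its line\n", NR
                bad = 1; next
            }
            kind = $0
            sub(/^-----(BEGIN|END) /, "", kind); sub(/-----$/, "", kind)
            if ($0 ~ /^-----BEGIN /) {
                if (cur != "") { printf "line %d: nested BEGIN\n", NR; bad = 1 }
                cur = kind
            } else {
                if (cur != kind) { printf "line %d: unmatched END\n", NR; bad = 1 }
                else if (kind == "CERTIFICATE") certs++
                else if (kind ~ /PRIVATE KEY$/) keys++
                cur = ""
            }
        }
        END {
            if (cur != "") { print "unterminated block: " cur; bad = 1 }
            if (certs < 1) { print "no complete certificate block"; bad = 1 }
            if (keys != 1) { print "private key blocks found: " (keys + 0); bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample data: placeholder bodies, not real key material.
demo_dir=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/newcert.crt"   # no final newline
printf '%s\n%s\n%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' > "$demo_dir/newcert_private.key"

# Plain concatenation fuses the END and BEGIN markers on one line.
cat "$demo_dir/newcert.crt" "$demo_dir/newcert_private.key" > "$demo_dir/jumbled.pem"
# Inserting a newline between the two files keeps the blocks apart.
{ cat "$demo_dir/newcert.crt"; echo; cat "$demo_dir/newcert_private.key"; } \
    > "$demo_dir/pound.crt"

check_pem_bundle "$demo_dir/jumbled.pem" || echo "jumbled.pem: rejected"
check_pem_bundle "$demo_dir/pound.crt" && echo "pound.crt: structure OK"
```

A pass only covers the file layout. To confirm the key belongs to the certificate, compare the output of `openssl x509 -noout -pubkey -in newcert.crt` with that of `openssl pkey -pubout -in newcert_private.key` before restarting the web server.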

 
