How to install your own certificate on AMP -- versions 7.2.4 and greater

Aruba Employee

The following document describes installing an SSL certificate in all AirWave versions 7.2.4 and greater. 

Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a 3-step process: 

I. Create a CSR (Certificate Signing Request) file 
II. Send the CSR to a third-party Certificate Authority (CA) 
III. Install the certificate you receive from the CA on your AirWave server 


I. CREATE A CERTIFICATE SIGNING REQUEST (CSR) 
--------------------------------------- 

1. Find the file openssl.cnf on your server. On most systems it's located in one of these two directories: 

/usr/share/ssl/ 
/etc/pki/tls/ 

2. Edit openssl.cnf using nano, vi or the text editor of your choice. 

# nano /etc/pki/tls/openssl.cnf 

-OR- 

# nano /usr/share/ssl/openssl.cnf 

3. Go to the section named [ req_distinguished_name ]: 

[ req_distinguished_name ] 
countryName = US 
stateOrProvinceName = California 
0.organizationName = Aruba Networks, Inc. 
organizationalUnitName = AirWave Wireless 
commonName = my_amp.airwave.com 
emailAddress = some_user@airwave.com 

4. Replace the information for Aruba/AirWave with your company's information. 

5. Under the [ req_attributes ] section update the challengePassword. 

[ req_attributes ] 
challengePassword = A challenge password 

6. Save the file. 

NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below). 

7. Create ssl-certs directory under /var/airwave/custom: 

# mkdir /var/airwave/custom/ssl-certs 

8. Run openssl to create a new private key and CSR in the ssl-certs directory: 

# openssl req -nodes -newkey rsa:2048 -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr 

II. REQUEST A CERTIFICATE FROM A VALID CERTIFICATE AUTHORITY 
------------------------------------------------------------ 

Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you're prompted for a CSR, provide the contents of the newcert.csr file you generated in step 8 above.

If you receive a bunch of certificates from them, you probably want the one that's described as a base64-encoded x509 certificate. 

III. YOU'VE RECEIVED YOUR CERTIFICATE, HOW DO YOU INSTALL IT? 
------------------------------------------------------------- 

This example assumes that you've named your certificate newcert.crt. You can name it anything you want. 

IMPORTANT NOTE FOR FAILOVER: The instructions below are fine for AMPs and Master Console. On Failover, instead of storing the certificates in /var/airwave/custom/ssl-certs/, they should be stored someplace that isn't affected by backup/restore operations, like /home/some_user, and the soft links should point to the files there.

1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt 

2. Concatenate your certificate and private key into one file, to be used by pound. Add a new line to the end of the certificate to ensure that the two files don't get jumbled together during the concatenation. 

# echo -e "\n" >> /var/airwave/custom/ssl-certs/newcert.crt 
# cat /var/airwave/custom/ssl-certs/newcert.crt /var/airwave/custom/ssl-certs/newcert_private.key > /var/airwave/custom/ssl-certs/pound.crt 

3. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files: 

# ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt 
# ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key 
# ln -sf /var/airwave/custom/ssl-certs/pound.crt /etc/httpd/conf/ssl.pem 


4. Restart the Apache and pound web servers: 

# ra 
# service pound restart 

5. Wait a few moments for Apache to come back up, then log in to your server's web UI to confirm that you can access the AMP using your new certificate.
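
Added example (not part of the original article or of Aruba's tooling): a pre-flight check for steps 1-3 above, meant to be run before the restarts. It confirms that newcert.crt and newcert_private.key share the same RSA modulus, that pound.crt starts with the certificate, contains the key and has no fused PEM markers, and that the files holding the private key are not readable by group or other. The function names and the permission policy are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight checks for section III before restarting pound.
# Function names are hypothetical; file names follow the steps above.

# True when CERT and KEY carry the same RSA modulus.
cert_matches_key() {
  local c k
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when FILE grants nothing to group or other (for example 600 or 400).
# Assumption of this example: only root needs to read key material.
is_private() {
  case $(stat -c '%a' "$1" 2>/dev/null) in
    ?00) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the pound bundle from step 2 is well formed and private.
bundle_ok() {
  # A missing newline fuses "-----END ...-----" with "-----BEGIN ...".
  if grep -Eq -- '-----END [A-Z ]+-{10}BEGIN' "$1"; then return 1; fi
  # Certificate first, then a private key, as built by cat in step 2.
  grep -m1 -- '-----BEGIN' "$1" | grep -q 'BEGIN CERTIFICATE' || return 1
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
  is_private "$1"
}

# Runs every check on the directory used in the article; 0 means all passed.
preflight() {
  local d=$1 rc=0
  cert_matches_key "$d/newcert.crt" "$d/newcert_private.key" ||
    { echo "FAIL: newcert.crt does not match newcert_private.key" >&2; rc=1; }
  is_private "$d/newcert_private.key" ||
    { echo "FAIL: newcert_private.key is readable by group/other" >&2; rc=1; }
  bundle_ok "$d/pound.crt" ||
    { echo "FAIL: pound.crt is malformed or readable by group/other" >&2; rc=1; }
  return $rc
}

# Usage: sh preflight.sh /var/airwave/custom/ssl-certs
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

A file written with cat and shell redirection takes its mode from the current umask, so pound.crt is often created as 644 even though it contains the private key; chmod 600 on pound.crt and newcert_private.key clears that failure.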


TROUBLESHOOTING 
------------------------------------------------------------- 

Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths will point to the symbolic links you set up in step III.3 above that in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory.

NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit the ssl.conf file each time you upgraded the server. 

# nano /etc/httpd/conf.d/ssl.conf 

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt 

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Version history
Revision #: 2 of 2
Last update: 01-23-2015 10:03 AM

Comments
Laurent_Asselin

Hi,

In AirWave 8 (at least in 8.0.6.1), the SSL certificate used by ClearPass is handled by the "Pound" service and not by Apache anymore (take a look at your /etc/httpd/conf/httpd.conf, you'll see the "include conf/ssl.conf" disabled).

The config file is here: /etc/pound.cfg

The token "Cert" below targets the cert file:

Cert "/etc/httpd/conf/ssl.pem"

This file seems to respect a specific order to be correctly taken into account:

1. AirWave Cert
2. AirWave Private Key
3. Intermediate CA Cert (if any)
4. Root CA Cert

Once done, restart the Pound process:

service pound restart

Regards,

Laurent Asselin.
