Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate Issues/Questions

  • 1.  Certificate Issues/Questions

    EMPLOYEE
    Posted Aug 26, 2013 12:45 AM

    !!!!First off there is a Tech Note coming on this!!!!

    I know there have been a lot of questions on certs and what is recommended.

    It's never easy trying to put all the answers in a format that a person who has no experience in certs can understand, but I will try my best here.

    Let's see if I can get this in one shot.... :smileylol:

    With the previous release (6.1.2 Patch 2 and below) there is a limitation if you are running in a cluster with auto promotion of a subscriber to publisher.

     

    Again this is for onboarding and Guest, where the certificate FQDN comes into question: CPPM looks at the address to see if it matches the cert CN and the server's FQDN, and if it doesn't it will post the

    "Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator."

     

    For example:

    ====================================================================================================

    Wrong

    VIP: FQDN=cppm.server.com IP=10.80.x.100
    -----------------------------------------------------------------------------------------------------------------------------------------
    Server 1: FQDN=cppm1.server.com IP=10.80.x.101
    Cert. CN=Server1FQDN
    SAN= DNS:Server1FQDN, DNS:VIPFQDN, DNS:Server1FQDN, DNS:Server2FQDN, IP:10.80.x.100, IP:10.80.x.101, IP:10.80.x.102
    -----------------------------------------------------------------------------------------------------------------------------------------
    Server 2: FQDN=cppm2.server.com IP=10.80.x.102
    Cert. CN=Server2FQDN
    SAN= DNS:Server2FQDN, DNS:VIPFQDN, DNS:Server1FQDN, DNS:Server2FQDN, IP:10.80.x.100, IP:10.80.x.101, IP:10.80.x.102
    -----------------------------------------------------------------------------------------------------------------------------------------

    If you connect to the VIP and try to onboard you will get the error "Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator."

    ====================================================================================================

    Right

    VIP: FQDN=cppm.server.com IP=10.80.x.100
    -----------------------------------------------------------------------------------------------------------------------------------------
    Server 1: FQDN=cppm1.server.com IP=10.80.x.101
    Cert. CN=VIPFQDN
    SAN= DNS:Server1FQDN, DNS:VIPFQDN, DNS:Server1FQDN, DNS:Server2FQDN, IP:10.80.x.100, IP:10.80.x.101, IP:10.80.x.102
    -----------------------------------------------------------------------------------------------------------------------------------------
    Server 2: FQDN=cppm2.server.com IP=10.80.x.102
    Cert. CN=VIPFQDN
    SAN= DNS:Server2FQDN, DNS:VIPFQDN, DNS:Server1FQDN, DNS:Server2FQDN, IP:10.80.x.100, IP:10.80.x.101, IP:10.80.x.102
    -----------------------------------------------------------------------------------------------------------------------------------------

     

    When a client looks at a certificate it will always read the SAN entries, if they are included, instead of the CN value; the current release of CPPM, however, will look at the CN value during the onboarding process. You can name the VIP the same FQDN as the Publisher if the cost of SAN entries comes into play.

     

    ====================================================================================================

    As of 6.1.2 Patch 3 and 6.2 that limitation no longer exists, so you can now use the FQDN of each server as the CN; example one, which is marked wrong above, you are now able to use.

    Below is an example where the VIP FQDN is the same as the Publisher FQDN.

    VIP: FQDN=cppm.server.com IP=10.80.x.100
    -----------------------------------------------------------------------------------------------------------------------------------------
    Server 1: FQDN=cppm.server.com IP=10.80.x.101
    Cert. CN=cppm.server.com (VIP FQDN)
    SAN= DNS:Server1FQDN, DNS:VIPFQDN, DNS:Server2FQDN, IP:10.80.x.100, IP:10.80.x.101, IP:10.80.x.102
    -----------------------------------------------------------------------------------------------------------------------------------------
    Server 2: FQDN=cppm2.server.com IP=10.80.x.102
    Cert. CN=Server2FQDN
    SAN= DNS:Server2FQDN, DNS:VIPFQDN, DNS:Server2FQDN, IP:10.80.x.100, IP:10.80.x.101, IP:10.80.x.102
    -----------------------------------------------------------------------------------------------------------------------------------------

     

     

    A couple of notes:

    1. "Make sure you set your DNS to point to the VIP. You will only be able to access the publisher by IP only or through the VIP."

    2. If you use the IP address for any reason, make sure you also include it in the SAN entries. If you only use the FQDN then disregard the IP: entries.
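A small Python model of the two host-name checks described in this post, added here as an example (it is not ClearPass code): a standards-conforming client prefers SAN entries and ignores the CN whenever any SAN is present, while the pre-6.1.2 Patch 3 Onboard check compared the accessed address against the CN alone. The certificate data and the 10.80.0.x addresses are constructed stand-ins for the post's examples.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Cert:
    """Only the two fields the post talks about: the CN and the SAN list."""
    cn: str
    san: list = field(default_factory=list)  # "DNS:name" / "IP:addr" entries


def _san_names(cert):
    """Split SAN entries into a set of DNS names and a set of IP objects."""
    dns, ips = set(), set()
    for entry in cert.san:
        kind, _, value = entry.partition(":")
        if kind.strip().upper() == "DNS":
            dns.add(value.strip().lower())
        elif kind.strip().upper() == "IP":
            ips.add(ip_address(value.strip()))
    return dns, ips


def client_accepts(cert, host):
    """Browser/supplicant rule: when any SAN is present, the CN is ignored."""
    host = host.strip().lower()
    if not cert.san:
        return host == cert.cn.lower()
    dns, ips = _san_names(cert)
    try:
        return ip_address(host) in ips   # accessed by IP: needs an IP: SAN
    except ValueError:
        return host in dns               # accessed by name: needs a DNS: SAN


def legacy_onboard_accepts(cert, host):
    """Pre-6.1.2 Patch 3 Onboard rule from the post: address must equal the CN."""
    return host.strip().lower() == cert.cn.lower()


def onboard_via_vip(cert, vip, legacy):
    """True if onboarding through the VIP succeeds with this server's certificate."""
    return client_accepts(cert, vip) and (not legacy or legacy_onboard_accepts(cert, vip))


# Constructed sample mirroring the post's "Wrong" and "Right" layouts;
# the 10.80.0.x addresses stand in for the post's 10.80.x.* placeholders.
VIP = "cppm.server.com"
SAN_ALL = ["DNS:cppm1.server.com", "DNS:cppm.server.com", "DNS:cppm2.server.com",
           "IP:10.80.0.100", "IP:10.80.0.101", "IP:10.80.0.102"]
WRONG_SERVER1 = Cert(cn="cppm1.server.com", san=SAN_ALL)  # CN = server's own FQDN
RIGHT_SERVER1 = Cert(cn=VIP, san=SAN_ALL)                 # CN = VIP FQDN
```

With `legacy=True` the "Wrong" layout fails through the VIP even though a browser would accept the certificate, which is exactly the Onboard error quoted above; with `legacy=False` (6.1.2 Patch 3 / 6.2 behaviour) the same layout passes.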