The following steps describe installing an SSL certificate in AirWave with Subject Alternate Names. A certificate that can be reached under different (alternate) DNS names needs a CSR (Certificate Signing Request) created with those alternate DNS names.
Environment: AMP version 8.0 and previous AMP versions back to 7.2.x
Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a 3-step process:

I. Create a CSR (Certificate Signing Request) file
II. Send the CSR to a third-party Certificate Authority (CA)
III. Install the certificate you receive from the CA on your AirWave server

I. CREATE A CERTIFICATE SIGNING REQUEST (CSR)
---------------------------------------

For a generic SSL certificate request (CSR), openssl doesn't require much fiddling. Since we're going to add a SAN or two to our CSR, we'll need to add a few things to the openssl conf file. You need to tell openssl to create a CSR that includes x509 V3 extensions, and you also need to tell openssl to include a list of subject alternative names in your CSR.

1. Find the file openssl.cnf on your server. On most systems it's located in one of these two directories:

    /usr/share/ssl/
    /etc/pki/tls/

2. Edit openssl.cnf using nano, vi or the text editor of your choice.

    # nano /etc/pki/tls/openssl.cnf
    -OR-
    # nano /usr/share/ssl/openssl.cnf

3. Go to the [req] section. This is the section that tells openssl what to do with certificate requests (CSRs). Within that section should be a line that begins with req_extensions. We'll want that to read as follows:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

This tells openssl to include the v3_req section in CSRs. If the req_extensions line is not present, add it exactly in the format above.

4. Go to the section named [ req_distinguished_name ]:

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    0.organizationName = Aruba Networks, Inc.
    organizationalUnitName = AirWave Wireless
    commonName = my_amp.airwave.com
    emailAddress = firstname.lastname@example.org

5. Replace the information for Aruba/AirWave with your company's information.

6. Under the [ req_attributes ] section update the challengePassword.

    [ req_attributes ]
    challengePassword = A challenge password

7. Now we'll go down to the v3_req section and make sure that it includes the following:

    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = my_amp.airwave.com
    DNS.2 = helpdesk.example.org
    DNS.3 = systems.example.net
    IP.1 = 192.168.1.1
    IP.2 = 192.168.69.14

Note: In alt_names, make sure to add the CN name as one of the DNS entries in the list. The reason is that once alt_names are added to the CSR, browsers look for the SAN (Subject Alternate Names), so the CN (Common Name) has to be added again in the alt_names section as one DNS entry.

8. Save the file.

NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below).

9. Create the ssl-certs directory under /var/airwave/custom:

    # mkdir /var/airwave/custom/ssl-certs

10. Run openssl to create a new private key and CSR in the ssl-certs directory:

    # openssl req -nodes -newkey rsa:2048 -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr

II. REQUEST A CERTIFICATE FROM A VALID CERTIFICATE AUTHORITY
------------------------------------------------------------

Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you're prompted for a CSR, provide the contents of the newcert.csr file you generated in step 8 above. If you receive a bunch of certificates from them, you probably want the one that's described as a base64-encoded x509 certificate.

III. YOU'VE RECEIVED YOUR CERTIFICATE, HOW DO YOU INSTALL IT?
-------------------------------------------------------------

This example assumes that you've named your certificate newcert.crt. You can name it anything you want.

IMPORTANT NOTE FOR FAILOVER: The instructions below are fine for AMPs and Master Console. On Failover, instead of storing the certificates in /var/airwave/custom/ssl-certs/, they should be stored someplace that isn't affected by backup/restore operations, like /home/some_user, and the soft links should point to the files there.

1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt

2. Concatenate your certificate and private key into one file, to be used by pound. Add a new line to the end of the certificate to ensure that the two files don't get jumbled together during the concatenation.

    # echo -e "" >> /var/airwave/custom/ssl-certs/newcert.crt
    # cat /var/airwave/custom/ssl-certs/newcert.crt /var/airwave/custom/ssl-certs/newcert_private.key > /var/airwave/custom/ssl-certs/pound.crt

3. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files:

    # ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt
    # ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key
    # ln -sf /var/airwave/custom/ssl-certs/pound.crt /etc/httpd/conf/ssl.pem

4. If the certificate is being signed by an internal CA, you have to import the root CA certificate into the Java trust store for VisualRF to work correctly. To do that, execute the commands below:
# keytool -import -noprompt -trustcacerts -alias <give a name to identify the CA in the keytool> -file <path/of the /cert/in/airwave/server> -keystore /usr/java/jre1.8.0_72/lib/security/cacerts -storepass changeit
[root@airwave tmp]# keytool -import -noprompt -trustcacerts -alias chaincert-lab -file /var/airwave/custom/ssl-certs/airwave-CertChain.crt -keystore /usr/java/jre1.8.0_72/lib/security/cacerts -storepass changeit
Certificate was added to keystore
[root@airwave tmp]# keytool -list -keystore "/usr/java/jre1.8.0_72/lib/security/cacerts" | grep chain
Enter keystore password: changeit
chaincert-lab, May 2, 2016, trustedCertEntry,
Once done, restart the Visual RF Engine.
1. Once the CSR is created, you can verify that it contains the Subject Alternate Names with the command below:

    # openssl req -text -noout -in san_domain_com.csr

You should see output like the following. Note the Subject Alternative Name section:

    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit): blahblahblah
    Exponent: 65537 (0x10001)
    Attributes:
    Requested Extensions:
    X509v3 Basic Constraints: CA:FALSE
    X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Subject Alternative Name: DNS:my_amp.airwave.com, DNS:kb.example.com, DNS:helpdesk.example.com
    Signature Algorithm: sha1WithRSAEncryption
    blahblahblah

2. Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths will point to the symbolic links you set up in step III.2 above that in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory.

NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit the ssl.conf file each time you upgraded the server.

    # nano /etc/httpd/conf.d/ssl.conf

    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

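A check for the note in step I.7 (the CN must also appear as a DNS entry in alt_names), run over the text that the verification command above prints. This is an added example, not part of the original article or of AirWave; the function name check_cn_in_san and both sample texts are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl req -text -noout -in <csr>` output on stdin.
# Status 0: CN is listed as a DNS SAN. 1: CN missing from the SANs.
# Status 2: no CN or no SAN extension found.
check_cn_in_san() {
    awk '
        # Subject line: accept both "CN=host" and "CN = host" renderings.
        /Subject:/ && cn == "" {
            s = $0
            if (sub(/.*[ ,]CN[ \t]*=[ \t]*/, "", s)) {
                sub(/,.*/, "", s)
                sub(/[ \t\r]+$/, "", s)
                cn = tolower(s)
            }
        }
        # SAN values sit on the label line or on the line after it.
        /X509v3 Subject Alternative Name:/ {
            sub(/.*X509v3 Subject Alternative Name:[ \t]*/, "")
            if ($0 ~ /^(critical)?[ \t\r]*$/) getline
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t\r]+$/, "", parts[i])
                if (parts[i] ~ /^DNS:/) san[tolower(substr(parts[i], 5))] = 1
            }
            seen_san = 1
        }
        END {
            if (cn == "" || !seen_san) exit 2
            exit ((cn in san) ? 0 : 1)
        }'
}

# Constructed samples of the text output (not taken from a real CSR).
SAMPLE_OK='        Subject: C=US, ST=California, O=Example, CN=my_amp.airwave.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:my_amp.airwave.com, DNS:helpdesk.example.org, IP Address:192.168.1.1'
SAMPLE_MISSING='        Subject: C=US, ST=California, O=Example, CN = my_amp.airwave.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:helpdesk.example.org, DNS:systems.example.net'

for sample in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
    rc=0
    printf '%s\n' "$sample" | check_cn_in_san || rc=$?
    echo "check_cn_in_san status: $rc"
done
```

On the server, pipe the real output into it: openssl req -text -noout -in /var/airwave/custom/ssl-certs/newcert.csr | check_cn_in_san. A status of 1 means the CN has to be added to [alt_names] and the CSR regenerated before it is sent to the CA.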
Is there any new guide for the CLI-Light Versions AirWave Management Platform 22.214.171.124 and above? As the normal CLI is not available anymore, the import Certificate way is quite strange.. I cannot find the documentation about this new "feature"
Thank you Laurent!
It seems in Airwave 8.2.x the file order changed; here's what I had to do in order to make Pound accept the file.
Here's the right order for the /etc/httpd/conf/ssl.pem file (works in Airwave 126.96.36.199):
-----BEGIN CERTIFICATE-----
<<<Your Server Certificate>>>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<<<Your private key >>>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<<<Your Intermediate Trust Authority Level Certificate>>>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<<<Your Trust Authority Top Level Certificate>>>
-----END CERTIFICATE-----
Restart Pound service by typing: /etc/init.d/pound restart
I wondered if that was the issue too. We're running 188.8.131.52, and I see that 184.108.40.206 is available. I'm not clear on how to upgrade though. This makes it sound really simple, but it doesn't recognize the start_amp_upgrade command.
After failing to get our certificate working with these instructions, the ones above did the trick.
However, when we navigate to the Airwave interface, we still get a red exclamation point. Clicking this, I see the following (in Chrome):
Obsolete Connection Settings
The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).
How can we fix this?
Has this changed now in 8.2?
We've been facing an issue with the way "pound" (the reverse proxy that handles SSL for the Airwave Server) handles the certificate file.
It seems the order in which the certificates and the private key appear is really important for pound to start.
Else you get this error :
Starting Pound: starting.../etc/pound.cfg line 14: SSL_CTX_use_PrivateKey_file failed - aborted
In order to fix this, we had to verify the composition of the ssl.pem file (and especially the order):
Here's the right order for the /etc/httpd/conf/ssl.pem file (works in Airwave 220.127.116.11):
<<<Your Server Certificate>>>
-----BEGIN RSA PRIVATE KEY-----
<<<Your private key >>>
-----END RSA PRIVATE KEY-----
<<<Your Trust Authority Top Level Certificate>>> (tip: most CAs use 4096 RSA keys, so this should be the longest certificate ;)
<<<Your Intermediate Trust Authority Level Certificate>>>
Restart Pound service by typing:
And you're done!
Laurent Asselin, Jean-Charles Bervoet and Regis Deroff.
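A layout check for the bundle that both posts above agree on (server certificate first, private key second, chain certificates after), which also catches markers fused together when files are concatenated without the newline from step III.2. This is an added example, not part of the original posts or of AirWave or pound; the function name check_pound_pem and the placeholder PEM bodies are constructed, and the order of the chain certificates is not checked because the two posts differ on it.

```shell
# Checks the block layout of a pound certificate bundle read from stdin.
# Status 0 and "OK: ..." when the layout is sane, status 1 and a reason otherwise.
check_pound_pem() {
    awk '
        function fail(msg) { print "FAIL: " msg; bad = 1; exit 1 }
        { sub(/\r$/, "") }                      # tolerate CRLF files
        /-----(BEGIN|END) / {
            # A marker glued to other text means two files were joined
            # without a newline in between.
            if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]+-----$/)
                fail("line " NR ": PEM marker is not on its own line")
            label = $0
            gsub(/^-----(BEGIN|END) |-----$/, "", label)
            if ($0 ~ /^-----BEGIN/) {
                if (cur != "") fail("line " NR ": BEGIN inside " cur " block")
                cur = label; order[++n] = label
            } else {
                if (cur != label) fail("line " NR ": END " label " without BEGIN")
                cur = ""
            }
        }
        END {
            if (bad) exit 1
            if (cur != "") fail("unterminated " cur " block")
            if (order[1] != "CERTIFICATE") fail("first block must be the server certificate")
            if (order[2] !~ /PRIVATE KEY$/) fail("private key must follow the server certificate")
            for (i = 3; i <= n; i++)
                if (order[i] != "CERTIFICATE") fail("block " i " is not a certificate")
            printf "OK: server certificate, private key, %d chain certificate(s)\n", n - 2
        }'
}
# Constructed placeholders, not real certificate or key material.
GOOD_PEM='-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
BBBB
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----'
# The same files joined without a newline between certificate and key.
FUSED_PEM='-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----
BBBB
-----END RSA PRIVATE KEY-----'
printf '%s\n' "$GOOD_PEM"  | check_pound_pem || true
printf '%s\n' "$FUSED_PEM" | check_pound_pem || true
```

Run it as check_pound_pem < /etc/httpd/conf/ssl.pem before restarting pound; it prints only block labels and line numbers, never the key itself.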