Clearpass database certificate

  • 1.  Clearpass database certificate

    Posted Aug 30, 2022 05:39 PM
    I'm getting some errors; it's not able to verify the certificate trust when trying to add a subscriber. I have a case open with TAC. Looking at the documentation, I found the way around this is to use the CLI, which ignores the trust errors, but my question is: our certs have to be refreshed yearly, so is this going to be an issue in the future when refreshing? Do we have to re-join the subscribers each time we refresh the cert for the database?

    ------------------------------
    Kelly L
    ------------------------------


  • 2.  RE: Clearpass database certificate

    Posted Aug 31, 2022 08:16 AM
    Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.


  • 3.  RE: Clearpass database certificate

    Posted Aug 31, 2022 02:34 PM
    It's a requirement; we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply; it goes through the HTTPS certificate although it doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X (the IP address of each node). Is that still required in version 6.9.12? Public CAs don't allow IP addresses in the SAN; usually we only have DNS names in there.

    ------------------------------
    Kelly L
    ------------------------------



  • 4.  RE: Clearpass database certificate

    Posted Aug 31, 2022 02:41 PM
    Yes, it is a requirement to have the IP address in the SAN field, or else validation will fail. Your options here are: use a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes, you also need to be sure to update the certificate once per year.




  • 5.  RE: Clearpass database certificate

    Posted Aug 31, 2022 02:56 PM
    Does the HTTPS cert also require the DNS:X.X.X.X IP address of each node, or only the database cert? We can use our internal PKI for the database.

    ------------------------------
    Kelly L
    ------------------------------



  • 6.  RE: Clearpass database certificate

    Posted Aug 31, 2022 03:19 PM
    Only if you manage ClearPass from the IP. If you always use the DNS name, then no.




  • 7.  RE: Clearpass database certificate

    Posted Aug 31, 2022 03:35 PM
    We use DNS, not IP, because the cert is used for the captive portal also. I think a pre-shared key would have been a lot easier way to encrypt the communication between nodes.

    ------------------------------
    Kelly L
    ------------------------------



  • 8.  RE: Clearpass database certificate

    Posted Aug 31, 2022 03:49 PM
    There is a pre-shared key. It is the cluster/app-admin password. The database can contain sensitive information, though, and should be secured via TLS (the purpose of the database certificate). A PSK is not a replacement for TLS.




  • 9.  RE: Clearpass database certificate

    EMPLOYEE
    Posted Sep 01, 2022 04:23 AM
    For the HTTPS certificate, it is recommended to have that issued by a public trusted CA, and it is required in case you use guest/captive portal.

    The database certificate should be self-signed (recommended) or issued by a private CA, because as you mention public CAs don't issue certificates for RFC1918 IP addresses, and having the additional maintenance of changing the database certificate every year would result in more risk (expiration, operational burden) than it would solve, because these certificates are only used (and trusted) within the ClearPass cluster. You could even consider using self-signed certificates as the equivalent of a PSK in this use-case. According to this document you can see the database certificate is validated, just through the cluster membership and not through a PKI.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: Clearpass database certificate

    EMPLOYEE
    Posted Aug 31, 2022 08:30 AM
    Check this document on the database certificate. You should not need to re-join the subscribers; you will need to reboot each node after you have replaced the certificate, and the cluster will break if your certificates expire.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: Clearpass database certificate

    Posted Sep 15, 2022 10:25 PM

    Same here: I wanted to add a subscriber but it failed due to the "verify cert trust" thing. I added the subscriber via the CLI as well, same as you, as a workaround to ignore the trust verification.

    I found out it is solved when entering the SAN with the correct syntax (solved meaning that after I corrected the SAN syntax I was able to add the subscriber via the GUI):

    DNS:xxxxxxx,IP:xxxxxxxx
    or
    DNS:xxxxxx
    or
    IP:xxxxxxx

    Ref: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=45516