Network Management

Totally new here and was just tasked to perform work on our AirWave management server and am, unfortunately, not familiar with the product. We are currently running AirWave Management Platform 8.2.3 and were directed to tighten server security ASAP. One of the remediation requests is to limit the SSL Ciphers, which would normally be configured in Apache's ssl.conf.

Noticed, however, that this file does not exist on our server and that Apache does not appear to have mod_ssl installed. Could you please let know the correct steps to take to limit the SSL Ciphers? The following ciphers are no longer permitted in our server configurations:

DHE-RSA-AES256-SHA256, AES256-SHA256, DHE-RSA-AES128-SHA256, AES128-SHA256

Scanned previous posts and saw that the Apache configuration on the AirWave server is taboo but am still wondering in mod_ssl could be installed and configured on the server. It does not appear that ClearPass is installed or running on our server.

Our other task is to replace any self-signed web server certificates with a certificate chain for our environment. Question is if we can replace the default server certificate/key or is this cert required for Airwave functionality?  Thanks!

A few things going on here, let me see if I can answer these by topic:

CIPHERS

We use TLS to handle the UI.  So you're looking at TLS 1.0 1.1 and 1.2.  With these, the default is TLS 1.2 only.  There's a toggle on AMP Setup -> General -> Additional AMP services expansion -> "Disable TLS 1.0 and 1.1" which is defaulted to 'Yes'.

The ciphers you described have more of an impact for SSH which is in /etc/ssh/ssh_config.  If this is your goal, you might look into 8.2.4 or newer where we added a toggle for FIPS enable at the CLI level - this sets it to only the Federal certified ciphers.  Once you upgrade past 8.2.4, this will be a toggle in the AMPCLI Security menu, enabling FIPS ciphers requires a reboot.

APACHE mod_ssl

While you could do things in the background in 8.2.3 like installing mod_ssl, it is not advised since it's not a tested / supported change - so proceed at your own risk, but grab a nightly backup before you do (from the UI: System -> Backups page.

Also, any changes you make in the background now will be hard to get to / maintain when you eventually upgrade since 8.2.3 is 2 years old.  8.2.6 is the current general release with a patch update expected mid April.  In releases 8.2.4 and newer - the root shell is gone and there's now the limited AMPCLI shell.

CLEARPASS

Clearpass and AirWave are 2 separate software products that live in their own install instances.

SSL certs

When you do upgrade, the AMPCLI menu makes the SSL cert change process easier as it gives you the option to load your own SSL cert, or generate a CSR to load in an official signed cert.

If you go the SSL cert, then we're expecting a cert that meets: "The file must be in PKCS12 format with ".pfx" or ".p12" filename extension and should contain both the private key and the certificate."  The cert should be a bundle of the key, CA, and all the intermediates in the chain.

If you go the CSR route, then it will just be the PEM formatted cert with a *.crt extension.

Thanks for explanation, Rob.

Sorry I didn't reply sooner but was out of the office for the remainder of last week.

Our server is limited to TLS 1.2 but still serves the undesireable ciphers, so it looks like there;s no way around an upgrade to at least 8.2.4 for the Federal certified ciphers only.

We will need to go with a CSR through our Agency, which will result in a stand-alone CRT (SSLCertificateFile in Apache ssl.conf) but I'm still unclear if/where/how we could configure the path to our certificate chain file (SSLCertificateChainFile in Apache's ssl.conf).

Sounds like we're mixing up certs here.

Server side cert

The AMPCLI menu items are for server side certificates.

1) SSL cert that works for approved internal SSL certs (if the network is configured to allow it).  This bundled cert might have a chain, but this chain is not the same path a CSR cert would have to go through.

2) The CSR cert that is signed by a CA usually includes the intermediates, and shouldn't require a separate SSL chain.  The browser checks if the cert is generated by an approved CA before giving you the 'secure connection' lock icon.  Or you add the CA as a trusted source to your browser key store.

Client authentication cert

Are you using certs to authenticate the AMP GUI logins?  If so, then the cert bundle for this action should be uploaded into AMP Setup -> Authentication -> toggle Enable Cert Auth, then paste your PEM encoded chain in the provided input field.  Note that if you toggle the 2nd toggle to require cert to auth, then only users with the valid cert will have access to the AMP GUI.