Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM 6.8 Database Certificate SAN Validation

  • 1.  CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 29, 2020 02:16 PM

    Hello all, I opened TAC case #5346209868 because I believe there may be a bug in the way that ClearPass 6.8.3 and 6.8.5 validate the publisher database certificate when attempting to join a subscriber to the cluster. I know that the database certificate needs a subject alternative name referring to the IP address of the publisher. The issue that I have is that per RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, the certificate should be able to take an IP: based SAN. When I generated certificates for use for ClearPass databases, I kept getting errors until I made the IP address a DNS: based SAN. I believe that ClearPass should allow the IP address based SAN as well.



  • 2.  RE: CPPM 6.8 Database Certificate SAN Validation

    EMPLOYEE
    Posted Mar 29, 2020 10:58 PM

    Hi,

    The database certificate is validated based on the SAN >> DNS entry carrying the server IP address; this is by design. You are correct about the IP-based SAN in general, but for the ClearPass database certificate, follow SAN >> DNS >> "local node IP address".

    Note - The IP address that you enter in SAN >> DNS for the database certificate should be the local node IP.



  • 3.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 30, 2020 04:49 AM

    This is not a bug.

    It must be a public cert; if not, you can disable this check from the CLI.

    You can follow this doc:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=36443



  • 4.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 30, 2020 08:03 AM

    Okay, so let's assume I can find a public CA to issue a SAN as an IP address. GlobalSign, for example, states that I cannot use an IP address in a DNS field for SAN; it needs to be in an IP field. So I am back to my original request to have ClearPass enhanced to validate an IP type SAN as well as a DNS type SAN for a database certificate.



  • 5.  RE: CPPM 6.8 Database Certificate SAN Validation

    EMPLOYEE
    Posted Mar 30, 2020 04:48 PM

    The database certificate requires SAN >> DNS:<local node IP> and does not work with SAN >> IP:<IP address> as per the current design. I do agree that public CAs won't support DNS with IP addresses, but the current design requires it. Please consider signing the database certificate using an internal PKI instead of a public CA for now.

    @KellyKnowles wrote:

    Okay, so let's assume I can find a public CA to issue a SAN as an IP address. GlobalSign, for example, states that I cannot use an IP address in a DNS field for SAN; it needs to be in an IP field. So I am back to my original request to have ClearPass enhanced to validate an IP type SAN as well as a DNS type SAN for a database certificate.

    Future releases might move to FQDN in the database cert instead of IP. But I suggest filing an RFE for this requirement.



  • 6.  RE: CPPM 6.8 Database Certificate SAN Validation

    EMPLOYEE
    Posted Mar 30, 2020 11:41 AM

    You can only bypass the validation of the https/ssl certificate while joining the subscriber from the CLI. The database certificate should contain SAN >> DNS:<local node IP> to join a subscriber even with -V.

    @GoAruba wrote:

    This is not a bug.

    It must be a public cert; if not, you can disable this check from the CLI.

    You can follow this doc:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=36443
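Replies 2, 5 and 6 all state the same requirement: the database certificate is accepted only if its SAN carries a dNSName entry whose value is the local node IP (DNS:<local node IP>), and the RFC 5280 iPAddress form (IP:<address>) is not accepted. The POSIX shell script below is an added illustration of that distinction, not code from the thread or from HPE Aruba. It uses OpenSSL (1.1.1 or later is assumed, for the `-addext` and `-ext` options) to create two self-signed test certificates for a constructed local node IP of 10.0.0.5, one with each SAN form, and then runs a local pre-flight check that only passes the DNS form. The `precheck_db_cert` function and the other function names are this example's own, not ClearPass commands; the certificates are self-signed only so the script runs offline, whereas a production database certificate would be issued by an internal PKI as reply 5 suggests.

```shell
#!/bin/sh
# Added example, not from the thread or from HPE Aruba. Requires OpenSSL 1.1.1+.
# Builds two self-signed test certificates for a constructed local node IP and
# checks which one carries the SAN form a ClearPass database certificate needs
# (DNS:<local node IP>) rather than the RFC 5280 IP:<address> form.

NODE_IP="10.0.0.5"   # constructed placeholder for the publisher's local node IP

# make_test_cert <ip> <dns|ip> <out-prefix>
# Writes <out-prefix>.key and <out-prefix>.crt with one SAN entry in the
# requested form. Self-signed only so this runs offline; a real database
# certificate would be issued by an internal PKI.
make_test_cert() {
    ip="$1"; form="$2"; out="$3"
    case "$form" in
        dns) san="DNS:${ip}" ;;
        ip)  san="IP:${ip}" ;;
        *)   echo "unknown SAN form: $form" >&2; return 2 ;;
    esac
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=${ip}" -addext "subjectAltName=${san}" \
        -keyout "${out}.key" -out "${out}.crt" >/dev/null 2>&1
}

# san_entries <cert>: prints one SAN entry per line, e.g. "DNS:10.0.0.5" or
# "IP Address:10.0.0.5" (OpenSSL's text rendering of an iPAddress GeneralName).
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# has_dns_san_for_ip <cert> <ip>: exit 0 only if the SAN holds DNS:<ip>,
# the entry the thread says the database certificate check looks for.
has_dns_san_for_ip() {
    san_entries "$1" | grep -qx "DNS:$2"
}

# precheck_db_cert <cert> <local node ip>: prints a verdict; exit 0 means
# the certificate carries the DNS:<local node IP> entry.
precheck_db_cert() {
    if has_dns_san_for_ip "$1" "$2"; then
        echo "OK: $1 carries DNS:$2"
        return 0
    fi
    echo "FAIL: $1 has no DNS:$2 entry; SAN entries present:"
    san_entries "$1" | sed 's/^/    /'
    return 1
}

# Demo: only the DNS-form certificate passes the pre-check.
main() {
    tmp=$(mktemp -d)
    make_test_cert "$NODE_IP" dns "$tmp/dns-form"
    make_test_cert "$NODE_IP" ip  "$tmp/ip-form"
    precheck_db_cert "$tmp/dns-form.crt" "$NODE_IP"
    precheck_db_cert "$tmp/ip-form.crt"  "$NODE_IP" || true
    rm -rf "$tmp"
}

main "$@"
```

Running the script prints an OK line for the DNS-form certificate and a FAIL line for the IP-form one, listing its `IP Address:10.0.0.5` entry so the mismatch is visible before a cluster join is attempted. The same `precheck_db_cert` call can be pointed at a certificate issued by an internal PKI to confirm the SAN was encoded as a dNSName before installing it.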