Security

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

It's a requirement we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply it goes though the HTTPS certificate although doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X IP address of each node is that still required in version 6.9.12? Public CA's don't allow IP address's in the SAN usually we only have DNS names in there.

------------------------------
Kelly L
------------------------------

Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

Yes that is requirement to have the IP address in the SAN field or else validation will fail. Your options here are: used a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes you need to also be sure to update the certificate once per year.


Original Message:
Sent: 8/31/2022 2:34:00 PM
From: kell490
Subject: RE: Clearpass database certificate

It's a requirement we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply it goes though the HTTPS certificate although doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X IP address of each node is that still required in version 6.9.12? Public CA's don't allow IP address's in the SAN usually we only have DNS names in there.

------------------------------
Kelly L
------------------------------

Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

Does the HTTPS cert require the DNS:X.X.X.X  IP address of each node also only the database? We can use our internal PKI for the database.

------------------------------
Kelly L
------------------------------

Original Message:
Sent: Aug 31, 2022 02:40 PM
From: Unknown User
Subject: Clearpass database certificate

Yes that is requirement to have the IP address in the SAN field or else validation will fail. Your options here are: used a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes you need to also be sure to update the certificate once per year.


Original Message:
Sent: 8/31/2022 2:34:00 PM
From: kell490
Subject: RE: Clearpass database certificate

It's a requirement we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply it goes though the HTTPS certificate although doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X IP address of each node is that still required in version 6.9.12? Public CA's don't allow IP address's in the SAN usually we only have DNS names in there.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

Only if you manage ClearPass from the IP. If you always use the DNS name, then no.


Original Message:
Sent: 8/31/2022 2:56:00 PM
From: kell490
Subject: RE: Clearpass database certificate

Does the HTTPS cert require the DNS:X.X.X.X  IP address of each node also only the database? We can use our internal PKI for the database.

------------------------------
Kelly L
------------------------------

Original Message:
Sent: Aug 31, 2022 02:40 PM
From: Unknown User
Subject: Clearpass database certificate

Yes that is requirement to have the IP address in the SAN field or else validation will fail. Your options here are: used a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes you need to also be sure to update the certificate once per year.


Original Message:
Sent: 8/31/2022 2:34:00 PM
From: kell490
Subject: RE: Clearpass database certificate

It's a requirement we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply it goes though the HTTPS certificate although doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X IP address of each node is that still required in version 6.9.12? Public CA's don't allow IP address's in the SAN usually we only have DNS names in there.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

We use DNS not IP because the cert is used for Captive portal also.  I think a pre-shared-key would have been lot easier way to encrypt the communication between nodes.

------------------------------
Kelly L
------------------------------

Original Message:
Sent: Aug 31, 2022 03:18 PM
From: Unknown User
Subject: Clearpass database certificate

Only if you manage ClearPass from the IP. If you always use the DNS name, then no.


Original Message:
Sent: 8/31/2022 2:56:00 PM
From: kell490
Subject: RE: Clearpass database certificate

Does the HTTPS cert require the DNS:X.X.X.X  IP address of each node also only the database? We can use our internal PKI for the database.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 02:40 PM
From: Unknown User
Subject: Clearpass database certificate

Yes that is requirement to have the IP address in the SAN field or else validation will fail. Your options here are: used a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes you need to also be sure to update the certificate once per year.


Original Message:
Sent: 8/31/2022 2:34:00 PM
From: kell490
Subject: RE: Clearpass database certificate

It's a requirement we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply it goes though the HTTPS certificate although doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X IP address of each node is that still required in version 6.9.12? Public CA's don't allow IP address's in the SAN usually we only have DNS names in there.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

There is a pre-shared key. It is the cluster/app-admin password. Database can contain sensitive information though and should be secured via TLS (the purpose of the database certificate). PSK is not a replacement for TLS


Original Message:
Sent: 8/31/2022 3:35:00 PM
From: kell490
Subject: RE: Clearpass database certificate

We use DNS not IP because the cert is used for Captive portal also.  I think a pre-shared-key would have been lot easier way to encrypt the communication between nodes.

------------------------------
Kelly L
------------------------------

Original Message:
Sent: Aug 31, 2022 03:18 PM
From: Unknown User
Subject: Clearpass database certificate

Only if you manage ClearPass from the IP. If you always use the DNS name, then no.


Original Message:
Sent: 8/31/2022 2:56:00 PM
From: kell490
Subject: RE: Clearpass database certificate

Does the HTTPS cert require the DNS:X.X.X.X  IP address of each node also only the database? We can use our internal PKI for the database.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 02:40 PM
From: Unknown User
Subject: Clearpass database certificate

Yes that is requirement to have the IP address in the SAN field or else validation will fail. Your options here are: used a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes you need to also be sure to update the certificate once per year.


Original Message:
Sent: 8/31/2022 2:34:00 PM
From: kell490
Subject: RE: Clearpass database certificate

It's a requirement we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply it goes though the HTTPS certificate although doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X IP address of each node is that still required in version 6.9.12? Public CA's don't allow IP address's in the SAN usually we only have DNS names in there.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

For the HTTPS certificate, it is recommended to have that issued by a public trusted CA, and it is required in case you use guest/captive portal.

The database certificate should be self-signed (recommended) or issued by a private CA, because as you mention public CAs don't issue certificates for RFC1918 IP addresses, and having the additional maintenance of changing the database certificate every year would result in more risk (expiration, operational burden) than it would solve, because these certificates are only used (and trusted) within the ClearPass cluster. You could even consider using self-signed certificates as the equivalent of a PSK in this use-case. According to this document you can see the database certificate is validated, just through the cluster membership and not through a PKI.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 31, 2022 03:34 PM
From: Kelly Levine
Subject: Clearpass database certificate

We use DNS not IP because the cert is used for Captive portal also.  I think a pre-shared-key would have been lot easier way to encrypt the communication between nodes.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 03:18 PM
From: Unknown User
Subject: Clearpass database certificate

Only if you manage ClearPass from the IP. If you always use the DNS name, then no.


Original Message:
Sent: 8/31/2022 2:56:00 PM
From: kell490
Subject: RE: Clearpass database certificate

Does the HTTPS cert require the DNS:X.X.X.X  IP address of each node also only the database? We can use our internal PKI for the database.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 02:40 PM
From: Unknown User
Subject: Clearpass database certificate

Yes that is requirement to have the IP address in the SAN field or else validation will fail. Your options here are: used a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes you need to also be sure to update the certificate once per year.


Original Message:
Sent: 8/31/2022 2:34:00 PM
From: kell490
Subject: RE: Clearpass database certificate

It's a requirement we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply it goes though the HTTPS certificate although doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include DNS: X.X.X.X IP address of each node is that still required in version 6.9.12? Public CA's don't allow IP address's in the SAN usually we only have DNS names in there.

------------------------------
Kelly L

Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate

Why did you replace the database certificate at all?  ClearPass comes with a self-signed certificate that is valid for, IIRC, five years.  Is this a compliance requirement for you to replace it?  If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

Check this document on the database certificate. You should not need to re-join the subscribers, you will need to reboot each node after you replaced the certificate and the cluster will break if your certificates expire.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------

Same here I wanted to add subscriber but failed due to verify cert trust thingy. I did add subscriber via CLI as well, same with you as workaround to ignore the verify trust.

Found out it is solved when entering the SAN with correct syntax: (solved means after I correct the SAN syntax I am able to add subscriber via GUI)

DNS:xxxxxxx,IP:xxxxxxxx
or
DNS:xxxxxx
or
IP:xxxxxxx

Ref: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=45516

Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate

I'm getting some errors its not able to verify the certificate trust when trying to add a subscriber I have a case open with TAC. Looking at the documentation I found the way around this is to use the CLI it ignores the trust errors, but my question is our certs have to be refreshed yearly is this going to be a issue in the future when refreshing?  Do we have to re-join the subscribers each time we refresh the cert for the database?

------------------------------
Kelly L
------------------------------