20.3. Configuring SSL Certificates for OpenPegasus

OpenLMI uses the Web-Based Enterprise Management (WBEM) protocol that functions over an HTTP transport layer. Standard HTTP Basic authentication is performed in this protocol, which means that the user name and password are transmitted alongside the requests.
Configuring the OpenPegasus CIMOM to use HTTPS for communication is necessary to ensure secure authentication. A Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate is required on the managed system to establish an encrypted channel.
There are two ways of managing SSL/TLS certificates on a system:
  • Self-signed certificates require less infrastructure to use, but are more difficult to deploy to clients and manage securely.
  • Authority-signed certificates are easier to deploy to clients once they are set up, but may require a greater initial investment.
When using an authority-signed certificate, it is necessary to configure a trusted certificate authority on the client systems. The authority can then be used for signing all of the managed systems' CIMOM certificates. Certificates can also be part of a certificate chain, so the certificate used for signing the managed systems' certificates may in turn be signed by another, higher authority (such as Verisign, CAcert, RSA and many others).
The default certificate and trust store locations on the file system are listed in Table 20.2, “Certificate and Trust Store Locations”.

Table 20.2. Certificate and Trust Store Locations

Configuration OptionLocationDescription
sslCertificateFilePath/etc/Pegasus/server.pemPublic certificate of the CIMOM.
sslKeyFilePath/etc/Pegasus/file.pemPrivate key known only to the CIMOM.
sslTrustStore/etc/Pegasus/client.pemThe file or directory providing the list of trusted certificate authorities.

Important

If you modify any of the files mentioned in Table 20.2, “Certificate and Trust Store Locations”, restart the tog-pegasus service to make sure it recognizes the new certificates. To restart the service, type the following at a shell prompt as root:
systemctl restart tog-pegasus.service
For more information on how to manage system services in Red Hat Enterprise Linux 7, see Chapter 9, Managing Services with systemd.

20.3.1. Managing Self-signed Certificates

A self-signed certificate uses its own private key to sign itself and it is not connected to any chain of trust. On a managed system, if certificates have not been provided by the administrator prior to the first time that the tog-pegasus service is started, a set of self-signed certificates will be automatically generated using the system's primary host name as the certificate subject.

Important

The automatically generated self-signed certificates are valid by default for 10 years, but they have no automatic-renewal capability. Any modification to these certificates will require manually creating new certificates following guidelines provided by the OpenSSL or Mozilla NSS documentation on the subject.
To configure client systems to trust the self-signed certificate, complete the following steps:
  1. Copy the /etc/Pegasus/server.pem certificate from the managed system to the /etc/pki/ca-trust/source/anchors/ directory on the client system. To do so, type the following at a shell prompt as root:
    scp root@hostname:/etc/Pegasus/server.pem /etc/pki/ca-trust/source/anchors/pegasus-hostname.pem
    Replace hostname with the host name of the managed system. Note that this command only works if the sshd service is running on the managed system and is configured to allow the root user to log in to the system over the SSH protocol. For more information on how to install and configure the sshd service and use the scp command to transfer files over the SSH protocol, see Chapter 11, OpenSSH.
  2. Verify the integrity of the certificate on the client system by comparing its check sum with the check sum of the original file. To calculate the check sum of the /etc/Pegasus/server.pem file on the managed system, run the following command as root on that system:
    sha1sum /etc/Pegasus/server.pem
    To calculate the check sum of the /etc/pki/ca-trust/source/anchors/pegasus-hostname.pem file on the client system, run the following command on this system:
    sha1sum /etc/pki/ca-trust/source/anchors/pegasus-hostname.pem
    Replace hostname with the host name of the managed system.
  3. Update the trust store on the client system by running the following command as root:
    update-ca-trust extract

20.3.2. Managing Authority-signed Certificates with Identity Management (Recommended)

The Identity Management feature of Red Hat Enterprise Linux provides a domain controller which simplifies the management of SSL certificates within systems joined to the domain. Among others, the Identity Management server provides an embedded Certificate Authority. See the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide or the FreeIPA documentation for information on how to join the client and managed systems to the domain.
It is necessary to register the managed system to Identity Management; for client systems the registration is optional.
The following steps are required on the managed system:
  1. Install the ipa-client package and register the system to Identity Management as described in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
  2. Copy the Identity Management signing certificate to the trusted store by typing the following command as root:
    cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
  3. Update the trust store by running the following command as root:
    update-ca-trust extract
  4. Register Pegasus as a service in the Identity Management domain by running the following command as a privileged domain user:
    ipa service-add CIMOM/hostname
    Replace hostname with the host name of the managed system.
    This command can be run from any system in the Identity Management domain that has the ipa-admintools package installed. It creates a service entry in Identity Management that can be used to generate signed SSL certificates.
  5. Back up the PEM files located in the /etc/Pegasus/ directory (recommended).
  6. Retrieve the signed certificate by running the following command as root:
    ipa-getcert request -f /etc/Pegasus/server.pem -k /etc/Pegasus/file.pem -N CN=hostname -K CIMOM/hostname
    Replace hostname with the host name of the managed system.
    The certificate and key files are now kept in proper locations. The certmonger daemon installed on the managed system by the ipa-client-install script ensures that the certificate is kept up-to-date and renewed as necessary.
To register the client system and update the trust store, follow the steps below.
  1. Install the ipa-client package and register the system to Identity Management as described in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
  2. Copy the Identity Management signing certificate to the trusted store by typing the following command as root:
    cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
  3. Update the trust store by running the following command as root:
    update-ca-trust extract
If the client system is not meant to be registered in Identity Management, complete the following steps to update the trust store.
  1. Copy the /etc/ipa/ca.crt file securely from any other system joined to the same Identity Management domain to the trusted store /etc/pki/ca-trust/source/anchors/ directory as root.
  2. Update the trust store by running the following command as root:
    update-ca-trust extract

20.3.3. Managing Authority-signed Certificates Manually

Managing authority-signed certificates with other mechanisms than Identity Management requires more manual configuration.
It is necessary to ensure that all of the clients trust the certificate of the authority that will be signing the managed system certificates:
  • If a certificate authority is trusted by default, it is not necessary to perform any particular steps to accomplish this.
  • If the certificate authority is not trusted by default, the certificate has to be imported on the client and managed systems.
    1. Copy the certificate to the trusted store by typing the following command as root:
      cp /path/to/ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
    2. Update the trust store by running the following command as root:
      update-ca-trust extract
On the managed system, complete the following steps:
  1. Create a new SSL configuration file /etc/Pegasus/ssl.cnf to store information about the certificate. The contents of this file must be similar to the following example:
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    [ req_distinguished_name ]
    C                      = US
    ST                     = Massachusetts
    L                      = Westford
    O                      = Fedora
    OU                     = Fedora OpenLMI
    CN                     = hostname
    Replace hostname with the fully qualified domain name of the managed system.
  2. Generate a private key on the managed system by using the following command as root:
    openssl genrsa -out /etc/Pegasus/file.pem 1024
  3. Generate a certificate signing request (CSR) by running this command as root:
    openssl req -config /etc/Pegasus/ssl.cnf -new -key /etc/Pegasus/file.pem -out /etc/Pegasus/server.csr
  4. Send the /etc/Pegasus/server.csr file to the certificate authority for signing. The detailed procedure of submitting the file depends on the particular certificate authority.
  5. When the signed certificate is received from the certificate authority, save it as /etc/Pegasus/server.pem.
  6. Copy the certificate of the trusted authority to the Pegasus trust store to make sure that Pegasus is capable of trusting its own certificate by running as root:
    cp /path/to/ca.crt /etc/Pegasus/client.pem
After accomplishing all the described steps, the clients that trust the signing authority are able to successfully communicate with the managed server's CIMOM.

Important

Unlike the Identity Management solution, if the certificate expires and needs to be renewed, all of the described manual steps have to be carried out again. It is recommended to renew the certificates before they expire.