Configuring SSL Secured Communication for SEP sesam Backup Network

From SEPsesam
WORK IN PROGRESS
This page is a draft. Treat the information on this page with caution as it may be incomplete.
Welcome to the latest SEP sesam documentation version 4.4.3 Tigon. For previous documentation version(s), check Documentation archive.

Copyright © SEP AG 1999-2017. All rights reserved.


Overview

As of 4.4.3 Tigon, SEP sesam can protect the connection between SBC (sesam backup client) and STPD (sesam Transfer Protocol Server) with SSL/TLS (the configuration keys keep the historical name SSL). X.509 certificates authenticate both ends of the connection, the transferred data is encrypted, and, once client certificate validation is enforced in STPD, a client that cannot present a certificate issued by the trusted CA is refused access to STPD. The backup network is protected by its own private PKI: a self-signed root Certificate Authority, created with OpenSSL, signs the server and client certificates. SEP sesam does not ship any certificates; an administrator has to create them on the SEP sesam Server and copy them to every client and RDS in the backup network. The procedure has four steps:

  1. Create self-signed root Certificate Authority (CA) on the SEP sesam Server
  2. Create server and client certificates on the SEP sesam Server and copy them to server and clients
  3. Generate and copy server certificate for each RDS
  4. Edit configuration file on each client and server or RDS

Directory structure for the SSL certificates

The following directories hold the SSL certificates and the configuration files that reference them:

  What                                                                 Where
  SEP sesam configuration files: sm.ini and stpd.ini                   /var/opt/sesam/var/ini
  Root CA certificate and CA (master) key: rootCA.pem and rootCA.key   /var/opt/sesam/var/ini/ca
  Generated client certificate and key: client.pem and client.key      /var/opt/sesam/var/ini/x.509
  Generated server certificate and key: server.pem and server.key      /var/opt/sesam/var/ini/ssl

Steps

Creating a self-signed root Certificate Authority (CA) on the SEP sesam Server

  1. On the SEP sesam Server, remove any old self-generated SSL keys from /var/opt/sesam/var/ini/ssl.
  2. Create the directories ca and x.509 below /var/opt/sesam/var/ini to store the CA and client material:

     /var/opt/sesam/var/ini/ca
     /var/opt/sesam/var/ini/x.509

  3. Create the root certificate with the sm_ssl_cert ca command line utility:

     /opt/sesam/bin/sms/sm_ssl_cert ca

In the folder /var/opt/sesam/var/ini/ca, the command creates two files:

  • rootCA.key, the CA master key. Keep it private: it is needed to sign every further server and client certificate (new clients, new RDSs, renewals) and it is the basis of trust for all certificates in the backup network. Anyone who holds it can issue certificates that every client and every STPD will accept.
    Note: After generating the server and client certificates, remove rootCA.key from the server and keep it in a safe place off the server; copy it back only for as long as you need to sign further certificates.
  • rootCA.pem, the root CA certificate. It is used to verify the server and client certificates. Give the root CA a long validity period: once it expires, every certificate signed by it fails verification and the complete set has to be re-issued. This certificate must be present on every client and RDS that connects to a server whose certificate was signed by this CA.

Once you have created the CA certificate and key, you can create and sign certificates.

Creating server and client certificates on the SEP sesam Server

  1. First, create the server certificate on the SEP sesam Server:

     /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<hostname>

     <hostname> must match the name specified in the interface settings in the GUI (Main Selection -> Components -> Topology -> Clients, <server_name> -> field Interfaces), because that is the name the clients connect to and check the server certificate against.

     You can also use an IP address for <hostname>, or an * (asterisk) as a wildcard in the host name, e.g., *.serverdomain.com or 192.168.1.*. Multiple server or domain names are separated by commas, e.g.:

     /opt/sesam/bin/sms/sm_ssl_cert server --common-name=myserver,myserver.domain.com

     Once done, there are two new files in the folder /var/opt/sesam/var/ini/ssl:

     server.pem
     server.key

  2. Then, create the client certificate on the SEP sesam Server:

     /opt/sesam/bin/sms/sm_ssl_cert client

     Optionally, you can give client.pem/client.key a unique subject field:

     /opt/sesam/bin/sms/sm_ssl_cert client --oid={options}

     {options}: comma separated list of

        C:{country_name}             - country name
       CN:{common_name}              - common name
       DQ:{dn_qualifier}             - dn qualifier
       GN:{given_name}               - given name
       GQ:{generation_qualifier}     - generation qualifier
        I:{initials}                 - initials of some or all of an individual's names, but not the surname(s)
        L:{locality_name}            - locality name
        N:{name}                     - name
        O:{organization_name}        - organization name
       OU:{organizational_unit_name} - organization unit name
        P:{pseudonym}                - pseudonym
       PC:{postalcode}               - postal code
        S:{surname}                  - surname
        T:{title}                    - title

     Once done, there are two new files in the folder /var/opt/sesam/var/ini/x.509:

     client.pem
     client.key

  3. Copy the files to each client as follows:
     • rootCA.pem to /var/opt/sesam/var/ini/ca
     • client.pem to /var/opt/sesam/var/ini/x.509
     • client.key to /var/opt/sesam/var/ini/x.509

     Transfer client.key over an authenticated channel (for example scp) and keep it readable only by the account the client runs under; the file identifies that host towards STPD.

  4. Each server needs the same three files as well, because its own SBC also connects through STPD. On the SEP sesam Server they are already in place after the steps above; make sure that rootCA.pem is in /var/opt/sesam/var/ini/ca and that client.pem and client.key are in /var/opt/sesam/var/ini/x.509.

Generating and copying server certificates for each RDS

If your RDSs are to have their own server certificates, generate one for each RDS. The SEP sesam Server and every RDS then each present their own server certificate, all signed by the same self-signed root CA, so a client can be backed up either to the SEP sesam Server or to any RDS and still verify the peer with the single rootCA.pem it holds.

  1. On the SEP sesam Server, generate the server certificate for each RDS. The --path option writes it to a separate directory so that the server's own server.pem and server.key in /var/opt/sesam/var/ini/ssl are not overwritten:

     /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<RDS_hostname> --path=<RDS_server_certificate_path>

     As for the SEP sesam Server, <RDS_hostname> must match the interface name under which the RDS is configured.
  2. Copy the generated server.pem and server.key from <RDS_server_certificate_path> to the RDS, into the folder /var/opt/sesam/var/ini/ssl.
  3. Copy rootCA.pem to the RDS, into the folder /var/opt/sesam/var/ini/ca.
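The procedure above ends with a set of PEM files on several hosts that have to be mutually consistent: both leaf certificates signed by rootCA.pem, each key next to its own certificate, the server certificate valid for the interface name the clients use, nothing close to expiry. The script below is an added example, not SEP sesam code and not what sm_ssl_cert does internally. make_test_pki builds a constructed throw-away PKI with the plain openssl command line tool in the same directory layout (subject names, key sizes and validity periods are assumptions), and check_sesam_certs runs the checks an administrator should make on the real /var/opt/sesam/var/ini before rolling the files out, and again when a client suddenly fails to connect. The host name to pass is the one from the GUI interface settings.

```shell
#!/bin/sh
# Added example (not part of SEP sesam or of sm_ssl_cert): build a throw-away PKI
# in the directory layout the page describes, then run the consistency checks an
# administrator should make before copying the files to clients and RDSs.
# Only the OpenSSL command line tool is required.

# make_test_pki DIR HOSTNAME
# Constructed stand-in for the output of "sm_ssl_cert ca|server|client":
# DIR/ca/rootCA.{key,pem}, DIR/ssl/server.{key,pem}, DIR/x.509/client.{key,pem}.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir/ca" "$dir/ssl" "$dir/x.509"
    # Root CA: long lifetime, because every certificate it signed dies with it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=SEP sesam example/CN=sesam-rootCA" \
        -keyout "$dir/ca/rootCA.key" -out "$dir/ca/rootCA.pem" 2>/dev/null
    # Server certificate: CN and SAN carry the name the clients connect to.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/ssl/server.key" -out "$dir/ssl/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/ssl/server.ext"
    openssl x509 -req -sha256 -days 730 -CA "$dir/ca/rootCA.pem" -CAkey "$dir/ca/rootCA.key" \
        -CAcreateserial -extfile "$dir/ssl/server.ext" \
        -in "$dir/ssl/server.csr" -out "$dir/ssl/server.pem" 2>/dev/null
    # Client certificate: identifies the SBC towards STPD.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sesam-client" \
        -keyout "$dir/x.509/client.key" -out "$dir/x.509/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/x.509/client.ext"
    openssl x509 -req -sha256 -days 730 -CA "$dir/ca/rootCA.pem" -CAkey "$dir/ca/rootCA.key" \
        -CAcreateserial -extfile "$dir/x.509/client.ext" \
        -in "$dir/x.509/client.csr" -out "$dir/x.509/client.pem" 2>/dev/null
    rm -f "$dir/ssl/server.csr" "$dir/ssl/server.ext" "$dir/x.509/client.csr" "$dir/x.509/client.ext"
}

# check_sesam_certs DIR HOSTNAME
# Verifies the certificate set under DIR (the layout of /var/opt/sesam/var/ini)
# for a server reachable as HOSTNAME. Returns 0 only if every check passes;
# each failure is reported on stderr.
check_sesam_certs() {
    dir=$1; host=$2; rc=0
    ca=$dir/ca/rootCA.pem
    # 1. Both leaf certificates must chain to the root CA that every host will trust.
    for leaf in ssl/server.pem x.509/client.pem; do
        openssl verify -CAfile "$ca" "$dir/$leaf" >/dev/null 2>&1 ||
            { echo "FAIL: $leaf does not verify against rootCA.pem" >&2; rc=1; }
    done
    # 2. Each private key must belong to the certificate next to it
    #    (a mixed-up copy is the classic cause of a failing handshake).
    for pair in ssl/server x.509/client; do
        c=$(openssl x509 -in "$dir/$pair.pem" -noout -pubkey 2>/dev/null || true)
        k=$(openssl pkey -in "$dir/$pair.key" -pubout 2>/dev/null || true)
        [ -n "$c" ] && [ "$c" = "$k" ] ||
            { echo "FAIL: $pair.key does not match $pair.pem" >&2; rc=1; }
    done
    # 3. The server certificate must be valid for the interface name the clients use.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$dir/ssl/server.pem" >/dev/null 2>&1 ||
        { echo "FAIL: server.pem is not valid for host name $host" >&2; rc=1; }
    # 4. Nothing may expire within 30 days (2592000 s); an expired root invalidates everything.
    for f in ca/rootCA.pem ssl/server.pem x.509/client.pem; do
        openssl x509 -in "$dir/$f" -noout -checkend 2592000 >/dev/null 2>&1 ||
            { echo "FAIL: $f is missing or expires within 30 days" >&2; rc=1; }
    done
    # 5. The CA key is the root of trust: warn if it is still on this host and readable by others.
    if [ -f "$dir/ca/rootCA.key" ]; then
        case $(stat -c %a "$dir/ca/rootCA.key" 2>/dev/null || echo unknown) in
            600|400) ;;
            *) echo "WARN: rootCA.key is on this host with loose permissions; chmod 600 it or move it off the server" >&2 ;;
        esac
    fi
    return $rc
}

# Usage: sh check_certs.sh /var/opt/sesam/var/ini backup.example.com
if [ $# -eq 2 ]; then
    check_sesam_certs "$1" "$2" && echo "OK: certificate set for $2 is consistent"
fi
```

Run check_sesam_certs against the real directory with the interface name from the GUI; a non-zero exit status and the FAIL lines name the offending file. The same check applies on an RDS with the RDS interface name, since its server.pem must carry that name and chain to the same rootCA.pem.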

Editing the configuration files on each client, server and RDS

On SEP sesam Client

  1. Open /var/opt/sesam/var/ini/sm.ini on the SEP sesam Client in a text editor and set the following:

     [SBC_SSL]
     SBC_CLIENT_SSL_AUTH=1   # client-side verification: the client authenticates itself with client.pem/client.key
     SBC_SSL_SERVER_VERIFY=1 # server-side verification: the client checks the server certificate against rootCA.pem

  2. Save your changes and restart the client for the changes to take effect.

On SEP sesam Server

  1. Open /var/opt/sesam/var/ini/stpd.ini on the SEP sesam Server (and on each RDS running STPD) in a text editor and set the following:

     [STPD_Server]
     STPD_HTTPS_USE_CLIENT_CERT=2   # 0: do not validate client certificates
                                    # 1: validate, but only show a warning on failure
                                    # 2: validate, and refuse the client with an error on failure

  2. Save your changes and restart the server for the changes to take effect.

Use the value 1 while you are still distributing certificates to the clients, and switch to 2 once every client has its certificate: with 2, a client that cannot present a certificate signed by the root CA is refused and can no longer back up.

See also

Authentication