Source: Configuring SSL Secured Communication for SEP sesam Backup Network
Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.
Overview
As of 4.4.3 Tigon, SEP sesam uses the SSL (Secure Sockets Layer) protocol to authenticate endpoints and to encrypt data in transit. SSL requires certificates: they authenticate the SBC (sesam backup client) to STPD (sesam Transfer Protocol Server) and establish a secure, trusted channel between the two, so that unauthorized clients cannot connect to STPD. The SEP sesam backup environment is protected with self-signed certificates created with OpenSSL. SEP sesam does not ship certificates by default; an administrator has to create them and copy them to the clients and RDSs (Remote Device Servers) in the backup network. The configuration consists of the following steps:
- Create a self-signed root Certificate Authority (CA) on the SEP sesam Server
- Create server and client certificates on the SEP sesam Server and copy them to the server and the clients
- Generate a server certificate for each RDS and copy it there
- Edit the configuration file on each client, server and RDS
Directory structure for the SSL certificates
The following directory structure is used for storing the SSL certificates and related parameters (Linux paths, as used throughout this page):
| What | Where |
|---|---|
| SEP sesam configuration files: sm.ini and stpd.ini | /var/opt/sesam/var/ini |
| Root SSL certificate and master key: rootCA.pem and rootCA.key | /var/opt/sesam/var/ini/ca |
| Generated client certificate and key: client.pem and client.key | /var/opt/sesam/var/ini/x.509 |
| Generated server certificate and key: server.pem and server.key | /var/opt/sesam/var/ini/ssl |
Steps
Creating self-signed root Certificate Authority (CA) on the SEP sesam Server
- On the SEP sesam Server, remove any old self-generated SSL keys from /var/opt/sesam/var/ini/ssl.
- Create the directories that will hold your keys and certificates:
  /var/opt/sesam/var/ini/ca
  /var/opt/sesam/var/ini/x.509
- Create the root certificate with the sm_ssl_cert command line utility:
  /opt/sesam/bin/sms/sm_ssl_cert ca
In the folder /var/opt/sesam/var/ini/ca, the process creates two files:
- The master key rootCA.key. Keep this key private: it is needed to generate new server and client certificates and is the basis of trust for all your certificates. Anyone holding it can issue a certificate that every host in the backup network will accept.
- The root SSL certificate rootCA.pem. It is used to verify the server and client certificates. Make sure the root CA has a long expiry date: once it has expired, all certificates signed by it become invalid at the same time. This certificate must be present on every client that connects to a server whose certificate was signed by this CA.
Note: After generating the server and client keys, remove rootCA.key from the server and keep it in a safe place. It is only needed again when you issue new certificates.
Once you have created the CA certificate and key, you can create and sign certificates.
Creating server and client certificates on the SEP sesam Server
- First, create the server certificate on the SEP sesam Server:
  /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<hostname>
  where <hostname> must be the same as the name specified in the interface settings in the GUI (Main Selection -> Components -> Topology -> Clients, <server_name> -> field Interfaces); clients that verify the server certificate compare it against the name they connect to, so a mismatch causes the connection to be rejected. You can also use the IP address as <hostname>, or an * (asterisk) wildcard in the hostname, e.g., *.serverdomain.com or 192.168.1.*. Multiple server or domain names must be separated by a comma, e.g.:
  /opt/sesam/bin/sms/sm_ssl_cert server --common-name=myserver,myserver.domain.com
  Once done, there are two new files in the folder /var/opt/sesam/var/ini/ssl:
  server.pem
  server.key
- For each server, make sure the files are in the following locations (on the SEP sesam Server itself they are already in place after the previous step):
  - rootCA.pem in /var/opt/sesam/var/ini/ca
  - server.pem in /var/opt/sesam/var/ini/ssl
  - server.key in /var/opt/sesam/var/ini/ssl
- Then, create the client certificate on the SEP sesam Server:
  /opt/sesam/bin/sms/sm_ssl_cert client
  Optionally, you can create client.pem/client.key with a unique subject field by using:
  /opt/sesam/bin/sms/sm_ssl_cert client --oid={options}
  where {options} is a comma-separated list of:
  C:{country_name} - country name
  CN:{common_name} - common name
  DQ:{dn_qualifier} - DN qualifier
  GN:{given_name} - given name
  GQ:{generation_qualifier} - generation qualifier
  I:{initials} - initials of some or all of an individual's names, but not the surname(s)
  L:{locality_name} - locality name
  N:{name} - name
  O:{organization_name} - organization name
  OU:{organizational_unit_name} - organizational unit name
  P:{pseudonym} - pseudonym
  PC:{postalcode} - postal code
  S:{surname} - surname
  T:{title} - title
  Once done, there are two new files in the folder /var/opt/sesam/var/ini/x.509:
  client.pem
  client.key
- For each client, copy the files to it as follows:
- copy rootCA.pem to /var/opt/sesam/var/ini/ca
- copy client.pem to /var/opt/sesam/var/ini/x.509
- copy client.key to /var/opt/sesam/var/ini/x.509
Generating and copying server certificates for each RDS
If you want your RDSs to have their own server certificates, you have to generate a server certificate for each RDS. In this case the SEP sesam Server and every RDS each have their own server certificate, all signed by the same self-signed root CA. Because clients trust the CA rather than an individual server certificate, this configuration allows a client to be backed up either to the SEP sesam Server or to any RDS.
- To generate server certificate for each RDS, run the following command: /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<RDS_hostname> --path=<RDS_server_certificate_path>
- Copy the generated server.pem and server.key files from <RDS_server_certificate_path> to each RDS into the folder /var/opt/sesam/var/ini/ssl.
- Copy rootCA.pem to each RDS into the folder /var/opt/sesam/var/ini/ca.
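The procedure above ends with certificate and key files spread over the SEP sesam Server, the RDSs and the clients, and a wrong file in the wrong directory only shows up later as a failed backup. The following shell script is an added example and is not part of SEP sesam or of its sm_ssl_cert tool: it uses only the plain openssl command line to check, on any host, that each certificate chains to rootCA.pem, that each .key belongs to its .pem, that nothing is about to expire (the page warns that an expired root CA invalidates every certificate signed by it), that server.pem carries the name configured in the GUI interface settings, and that rootCA.key has not been left on the machine. The base directory argument stands in for /var/opt/sesam/var/ini; the make_test_pki helper builds a constructed throw-away PKI with openssl alone, mirroring the directory layout described above, so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not SEP sesam code: X.509 sanity checks for the files this
# page tells you to distribute. Requires only the openssl CLI.

# Usage: verify_cert_against_ca <rootCA.pem> <cert.pem>
# Exit 0 only if the certificate chains to the given root CA.
verify_cert_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: key_matches_cert <cert.pem> <key.pem>
# The public key inside the certificate must equal the public key derived
# from the private key; a mismatch means the wrong .key file was copied.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: cert_valid_for_days <cert.pem> <days>
# Exit 0 if the certificate does not expire within <days>.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Usage: cert_names_contain <cert.pem> <hostname>
# Substring check that the configured interface name appears in the
# certificate's Subject or subjectAltName (DNS or IP entries).
cert_names_contain() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -E 'Subject:|DNS:|IP Address:' \
        | grep -qF "$2"
}

# Usage: check_sesam_ssl <base_dir> <hostname>
# Runs all checks against the SEP sesam layout under <base_dir>
# (/var/opt/sesam/var/ini on a real host):
#   <base_dir>/ca/rootCA.pem, <base_dir>/ssl/server.{pem,key},
#   <base_dir>/x.509/client.{pem,key}
# Prints FAIL/WARN lines; exit status is non-zero only on FAIL.
check_sesam_ssl() {
    base=$1; host=$2; rc=0
    ca="$base/ca/rootCA.pem"
    for pair in "$base/ssl/server" "$base/x.509/client"; do
        [ -f "$pair.pem" ] || continue        # a pure client has no server.pem
        verify_cert_against_ca "$ca" "$pair.pem" || { echo "FAIL: $pair.pem is not signed by $ca"; rc=1; }
        key_matches_cert "$pair.pem" "$pair.key" || { echo "FAIL: $pair.key does not match $pair.pem"; rc=1; }
        cert_valid_for_days "$pair.pem" 30    || echo "WARN: $pair.pem expires within 30 days"
    done
    cert_valid_for_days "$ca" 365 || echo "WARN: $ca expires within a year; every certificate it signed dies with it"
    if [ -f "$base/ssl/server.pem" ]; then
        cert_names_contain "$base/ssl/server.pem" "$host" || { echo "FAIL: server.pem does not name $host"; rc=1; }
    fi
    [ -f "$base/ca/rootCA.key" ] && echo "WARN: rootCA.key is still on this host; move it to a safe place"
    return $rc
}

# Constructed test PKI built with openssl only (real deployments use
# sm_ssl_cert). Usage: make_test_pki <base_dir> <hostname>
make_test_pki() {
    base=$1; host=$2
    mkdir -p "$base/ca" "$base/ssl" "$base/x.509"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root CA" \
        -keyout "$base/ca/rootCA.key" -out "$base/ca/rootCA.pem" 2>/dev/null
    for name in server client; do
        case $name in server) dir=ssl; cn=$host;; client) dir=x.509; cn=testclient;; esac
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$base/$dir/$name.key" -out "$base/$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$base/$dir/$name.csr" \
            -CA "$base/ca/rootCA.pem" -CAkey "$base/ca/rootCA.key" -CAcreateserial \
            -out "$base/$dir/$name.pem" 2>/dev/null
        rm -f "$base/$dir/$name.csr"
    done
}
```

On a production host run `check_sesam_ssl /var/opt/sesam/var/ini <hostname>` with the same name you passed to `--common-name`; the name check is a substring match, so a wildcard or comma-separated common name still has to be inspected by eye with `openssl x509 -noout -text -in server.pem`.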
Editing the configuration file on each client, server and RDS
- On SEP sesam Client
- Locate the /var/opt/sesam/var/ini/sm.ini file on the SEP sesam Client, open it in a text editor and set the following:
  [SBC_SSL]
  SBC_CLIENT_SSL_AUTH=1 #For client-side verification (the client presents its certificate)
  SBC_SSL_SERVER_VERIFY=1 #For server-side verification (the client checks the server certificate against rootCA.pem)
- Once you have changed the settings, save your changes and restart the client for the changes to take effect.
- On SEP sesam Server (and on each RDS that runs STPD with its own server certificate)
- Locate the /var/opt/sesam/var/ini/stpd.ini file, open it in a text editor and set the following:
  [STPD_Server]
  STPD_HTTPS_USE_CLIENT_CERT=2
  Possible values:
  0: Do not validate the client certificate
  1: Validate, but only show a warning on failure
  2: Validate and fail with an error
  Only the value 2 enforces client authentication; 0 and 1 accept connections from clients without a valid certificate and are useful only while certificates are still being rolled out.
- Once you have changed the settings, save your changes and restart the server for the changes to take effect.
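Applying the two ini changes by hand on every client and server is where a host gets missed or left at a weaker value. The following is an added example, not SEP sesam code: a small POSIX shell/awk helper that sets a key inside a named section of an ini file idempotently, a hardening function that applies exactly the values given above, and an audit function that reports a host whose settings are still weak (for example STPD_HTTPS_USE_CLIENT_CERT=1, which validates but only warns). The ini syntax it assumes is the one shown on this page: [Section] headers, KEY=VALUE lines and optional trailing # comments. Run it against the real /var/opt/sesam/var/ini/sm.ini and /var/opt/sesam/var/ini/stpd.ini after taking a backup of them, and restart the service afterwards as the page says.

```shell
#!/bin/sh
# Added example, not SEP sesam code: idempotent ini editing plus an audit of
# the SSL settings this page requires. Assumes [Section] / KEY=VALUE syntax.

# Usage: ini_set <file> <section> <key> <value>
# Replaces KEY= inside [section] if present (dropping duplicates), otherwise
# appends it at the end of that section; creates the section if missing.
# The file is rewritten in place through a temp copy so mode and owner survive.
ini_set() {
    awk -v sec="$2" -v key="$3" -v val="$4" '
        function emit_if_pending() {
            if (in_sec && !done) { print key "=" val; done = 1 }
        }
        /^\[.*\]$/ {
            emit_if_pending()                     # leaving a section: add the key if not seen
            in_sec = ($0 == ("[" sec "]"))
            if (in_sec) seen = 1
        }
        in_sec && $0 ~ ("^" key "[ \t]*=") {     # existing KEY= line in the target section
            if (!done) { print key "=" val; done = 1 }
            next
        }
        { print }
        END {
            emit_if_pending()
            if (!seen) { print "[" sec "]"; print key "=" val }
        }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Usage: ini_get <file> <section> <key>
# Prints the value with any trailing "# comment" removed, or nothing if unset.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^\[.*\]$/ { in_sec = ($0 == ("[" sec "]")); next }
        in_sec && $0 ~ ("^" key "[ \t]*=") {
            sub("^[^=]*=[ \t]*", ""); sub("[ \t]*#.*$", ""); print; exit
        }
    ' "$1"
}

# Usage: audit_sesam_ssl <sm.ini> <stpd.ini>
# Pass an empty string for a file that does not exist on this host (a pure
# client has no stpd.ini). Prints one WEAK line per problem; exit 0 only
# when every present file carries the strict values.
audit_sesam_ssl() {
    rc=0
    if [ -n "$1" ] && [ -f "$1" ]; then
        for k in SBC_CLIENT_SSL_AUTH SBC_SSL_SERVER_VERIFY; do
            v=$(ini_get "$1" SBC_SSL "$k")
            [ "$v" = "1" ] || { echo "WEAK: $1 [SBC_SSL] $k=${v:-unset} (expected 1)"; rc=1; }
        done
    fi
    if [ -n "$2" ] && [ -f "$2" ]; then
        v=$(ini_get "$2" STPD_Server STPD_HTTPS_USE_CLIENT_CERT)
        case "$v" in
            2) ;;
            1) echo "WEAK: $2 STPD_HTTPS_USE_CLIENT_CERT=1 validates but only warns"; rc=1 ;;
            *) echo "WEAK: $2 STPD_HTTPS_USE_CLIENT_CERT=${v:-unset} does not enforce client certificates"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: harden_sesam_ssl <sm.ini> <stpd.ini>
# Applies the values from this page; restart sesam afterwards.
harden_sesam_ssl() {
    if [ -n "$1" ] && [ -f "$1" ]; then
        ini_set "$1" SBC_SSL SBC_CLIENT_SSL_AUTH 1
        ini_set "$1" SBC_SSL SBC_SSL_SERVER_VERIFY 1
    fi
    if [ -n "$2" ] && [ -f "$2" ]; then
        ini_set "$2" STPD_Server STPD_HTTPS_USE_CLIENT_CERT 2
    fi
}
```

Typical use on a client is `audit_sesam_ssl /var/opt/sesam/var/ini/sm.ini ""` to see whether anything is still weak, then `harden_sesam_ssl` with the same arguments; on the SEP sesam Server or an RDS pass both files. Apply the hardened stpd.ini only once every client has its client.pem and client.key in place, since value 2 rejects clients without a valid certificate.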