Client Certificates for Version 6.4
Publication info

2011 Nexsan Technologies Canada Inc. All rights reserved.

Published by:
Nexsan Technologies Canada Inc.
1405 Trans Canada Highway, Suite 300
Dorval, QC. H9P 2V9. CANADA
Telephone: 514.683.1020
Fax: 514.683.1554
www.nexsan.com

Assureon Installation Guide Certificates Version 6.4
Publication date: August 24, 2011

Trademarks

Assureon is a registered trademark of Nexsan Technologies. SATABlade, SATABoy and SATABeast are trademarks of Nexsan Technologies. Microsoft, Microsoft Windows, Microsoft Internet Explorer, Microsoft SQL Server, and Microsoft Visual Studio .NET are registered trademarks of Microsoft Corporation.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage and retrieval system, without prior permission in writing from Nexsan Technologies.

The information in this manual is believed to be correct at the time of publication. However, Nexsan Technologies makes no warranty, express or implied, about the accuracy of the information and reserves the right to revise this document or make changes to the products described herein at any time without notice and without obligation. Nexsan Technologies is not liable for any loss of data, damage to databases or other software, or any other losses arising from the use of this manual.
Certificates

Contents

- About this guide
- Audience
- How to use this guide
- Prerequisites
- Overview
- Create User Certificate
- Export the user certificate to a .cer file
- Export the user certificate to a .pfx file
- Install and Configure User Certificate on client
- Configure Assureon Client Service to use the certificate
- Map User Certificate
- Set Organization Security (ADAM only)
About this guide

This guide contains detailed information on configuring the Assureon client to use certificate authentication.

Audience

This guide is intended for end-users who wish to use digital certificates (which includes ADAM) as their authentication mechanism. Do NOT perform the procedures described in this manual if the customer is using the Windows Trust authentication or anonymous access security mechanisms.

How to use this guide

This guide is intended to be performed from beginning to end.

Prerequisites

To perform the procedures described in this guide, you will need an Assureon system where the Windows operating system and Assureon have been installed. In addition, you will need an Assureon client to have been installed.
Overview

If a customer is planning to use the digital certificate or ADAM security models, the Assureon client must be configured to use digital certificates. The steps are as follows:

- Create User certificate and export it (in 2 formats)
- Map certificates to Assureon users
- Install certificates on client machines
- Map certificates to organizations (ADAM only)
Create User Certificate

A user certificate is used by Assureon to authenticate clients to the server. The user certificate is created on F001, then exported and installed on the client machine. It is also copied and mapped on all Assureon front-ends, so that if a server goes down, the user can still be authenticated.

To create and install a user certificate:

1. On the primary Assureon server (F001), launch IE and point to https://localhost/certsrv to request a user certificate from the Certification Authority. Be careful to use https and not http.
2. If prompted, enter the domain\assureonadmin user and password.
3. Click Request a certificate, then advanced certificate request.
4. Click Create and submit a request to this CA.
5. In the Identifying Information section, specify the following Name for the certificate: Nexsan Authentication Certificate FSWcomputerName. For the other fields, use the customer information.
6. For Type of Certificate Needed, select Client Authentication Certificate.
7. For Key Options, verify that the following are selected:
   - Create new key set
   - CSP: Microsoft Enhanced RSA and AES Cryptographic Provider
   - Key Usage: Both
   - Automatic key container name
   - Key Size: 1024
   - Mark keys as exportable
8. For Additional Options, verify and specify the following:
   - Request Format: CMC
   - Hash Algorithm: sha1
   - Friendly Name: type Nexsan Authentication Certificate FSWcomputerName. This name will appear when selecting the certificate from Assureon Client Services.
9. Click Submit. The Web Access Confirmation dialog is displayed.
10. Click Yes. The Certificate Issued page appears.
11. Click Install this certificate. A Web Access Confirmation dialog is displayed.
12. Click Yes to install the certificate. The certificate is installed.
Export the user certificate to a .cer file

The .cer file is used for mapping.

1. Still in IE, click Tools, Internet Options, Content tab, Certificates. The Certificates dialog appears.
2. In the Personal tab, click on the user certificate you just created and click Export. The Welcome to the Certificate Export Wizard appears.
3. Click Next. The Export Private Key dialog appears.
4. Select No, do not export the private key and click Next. The Export File Format dialog appears.
5. Select the DER encoded binary X.509 (.CER) option and click Next. The File to Export dialog appears.
6. Specify a file name and the Assureon Installers location, for example, \\localhost\installers\fswcomputername, and click Next. The Completing the Certificate Export wizard dialog appears.
7. Click Finish. The Export was successful message appears.
8. Click OK.
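The exported .cer file can be checked before it is copied to the front-ends for mapping. The PowerShell function below is an added example, not part of the Nexsan guide: it confirms the file is a bare DER-encoded certificate with the Client Authentication usage and reports the key size, signature hash and serial number. The function name, the sample file name and the 2048-bit / SHA-1 warning thresholds are assumptions (the thresholds reflect current general guidance, not the settings this guide specifies).

```powershell
# Added example, not from the Nexsan guide. Function name is hypothetical.
function Test-ExportedCer {
    param([Parameter(Mandatory = $true)][string]$Path)

    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $warnings = @()

    # The mapping file must be a bare certificate, not a PFX or PKCS #7 bundle.
    $type = $x509::GetCertContentType($full)
    if ($type -ne 'Cert') { throw "Content type is $type; expected a bare certificate (Cert)." }

    # DER output begins with an ASN.1 SEQUENCE tag (0x30); a Base-64 export begins with '-'.
    if ([System.IO.File]::ReadAllBytes($full)[0] -ne 0x30) {
        $warnings += 'File is not DER encoded binary X.509'
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # The request selected "Client Authentication Certificate" (OID 1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') { $warnings += 'Client Authentication EKU missing' }

    # Assumed thresholds: report keys under 2048 bits and SHA-1/MD5 signatures.
    $keyBits = $cert.PublicKey.Key.KeySize
    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName
    if ($keyBits -lt 2048)         { $warnings += "Public key is only $keyBits bits" }
    if ($sigAlg -match 'sha1|md5') { $warnings += "Signature algorithm is $sigAlg" }

    [pscustomobject]@{
        Subject            = $cert.Subject
        SerialNumber       = $cert.SerialNumber   # value shown in the Certificate Mapping table
        NotAfter           = $cert.NotAfter
        KeySizeBits        = $keyBits
        SignatureAlgorithm = $sigAlg
        Warnings           = $warnings
    }
}

# Hypothetical file name under the Installers location used in this guide:
# Test-ExportedCer -Path '\\localhost\installers\fswcomputername\user.cer'
```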
Export the user certificate to a .pfx file

The .pfx file is used for installing the exported certificate on another computer.

1. In the Certificates dialog, click on the user certificate you created and click Export. The Welcome to the Certificate Export Wizard appears.
2. Click Next. The Export Private Key dialog appears.
3. Select Yes, export the private key and click Next. The Export File Format dialog appears.
4. Select both the Personal Information Exchange PKCS #12 (.PFX) and Include all certificates in the certification path if possible options.
5. Click Next. The Password dialog appears.
6. Specify a password and click Next.
7. The File to Export dialog appears. Specify a file name and the Assureon Installers location, for example, \\localhost\installers\fswcomputername, and click Next. The Completing the Certificate Export wizard dialog appears.
8. Click Finish. The Export was successful message appears.
9. Click OK.
10. Close the Certificates dialog.
11. Click OK to close the Internet Options dialog.
Install and Configure User Certificate on client

To use certificates between the Assureon client and server, the certificate must be installed and configured on the client.

Install certificate on client

1. Log in to the client as the user who will be running the Assureon client services. The certificate must be installed under the same account or else the certificate cannot be loaded. If you are using ADAM, log in as the user who installed ADAM.
2. Launch Windows Explorer and access the Installers folder on the server.
3. Copy the .pfx certificate file you created in "Export the user certificate to a .pfx file" to the client.
4. Right-click the .pfx file and choose Install PFX. The Welcome to the Certificate Import Wizard dialog appears.
5. Click Next. The File to Import dialog appears.
6. The correct file is already selected, so click Next.
7. Type the password. The only option that should be selected is Include all extended properties. Click Next.
8. The Certificate Store dialog appears. Keep the default and click Next.
9. The Completing the Certificate Import Wizard dialog appears. Click Finish. A Security Warning appears.
10. Click Yes to install the certificate. The import was successful message appears.
11. Click OK.

Configure Assureon Client Service to use the certificate

1. On the client machine, right-click the Client Service Taskbar icon and select Options.
2. Click the Authentication tab.
3. Select the Use Client Certificate option and then select the Client Certificate called Nexsan Authentication Certificate from the list.
4. Click OK.
5. When prompted to restart the Assureon Client Services (called FSW Monitor, Assureon FSW Service and Assureon Events Manager), click Yes.
6. If you get a warning, click OK.
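Because the certificate can only be loaded from the store of the account that runs the Assureon client services, the import can be verified from a PowerShell session running as that account. The function below is an added example, not part of the Nexsan guide; its name is hypothetical, and it assumes the wizard's default store is the current user's Personal store and that the friendly name set at request time was preserved by Include all extended properties.

```powershell
# Added example, not from the Nexsan guide. Run as the account that runs the
# Assureon client services. Function name is hypothetical.
function Get-AssureonClientCertStatus {
    param([string]$FriendlyNamePattern = 'Nexsan Authentication Certificate*')

    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Assumption: the import wizard's default placed the certificate in CurrentUser\My.
    $found = @(Get-ChildItem -Path Cert:\CurrentUser\My |
               Where-Object { $_.FriendlyName -like $FriendlyNamePattern })

    if ($found.Count -eq 0) {
        Write-Warning "No certificate matching '$FriendlyNamePattern' in the personal store of $me."
        return
    }

    foreach ($c in $found) {
        # Exportable flag is only reported when the key provider exposes it;
        # the import step left "Mark this key as exportable" unselected.
        $exportable = $null
        try { $exportable = $c.PrivateKey.CspKeyContainerInfo.Exportable } catch { }

        [pscustomobject]@{
            Account       = $me
            FriendlyName  = $c.FriendlyName
            SerialNumber  = $c.SerialNumber
            HasPrivateKey = $c.HasPrivateKey          # must be True for client authentication
            Expired       = ($c.NotAfter -lt (Get-Date))
            KeyExportable = $exportable
        }
    }
}

# Get-AssureonClientCertStatus
```

A warning here, or HasPrivateKey reported as False, indicates the PFX was imported under a different account or without its private key.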
Map User Certificate

User certificates must be mapped to an Assureon user account in order to access archived files. For example, a certificate mapped to User1 who is a member of the FSOrganizations, Org1.AssureonUsers and Org1.Assureon.Class1 Assureon security groups will have access to the files stored using the Class1 classification.

Perform this procedure on all front-end servers:

1. Copy the .cer file in the installers folder on F001 to the server.
2. Launch the Assureon System Administration console, and click Advanced, IIS Administration.
3. In the Certificate Mapping area, click Browse and open the user certificate file (.cer) you copied from the F001 installers folder.
4. Type a Mapping Name, and then specify the user name and password of an account that is a member of one or more Assureon Active Directory classifications. Typically, if files are stored and read by an application, such as an email archive, the AssureonEdge account is used. Note: include the domain name in the Account field.
5. Click Add. The mapping is added to the table.
Set Organization Security (ADAM only)

If you are using the ADAM security model, you must also map a certificate to an organization.

On F001 and F101 (if applicable) only:

1. Launch the Assureon System Administration console, and click Advanced, IIS Administration.
2. In the Certificate Mapping area, use your mouse to select the certificate serial number you want to associate to an organization.
3. Press Ctrl-C to copy the serial number.
4. In the System Administration console, click the Organization Security tab. The Organization Security page is displayed.
5. Select an Organization.
6. Click in the Certificate Serial Number box and press Ctrl-V to paste the serial number.
7. Click Add. The table is refreshed with the new mapping.