This appendix explains the HTTPS communication protocol used by Resource Coordinator VE and its security features.
Resource Coordinator VE uses HTTPS communication for the three cases shown in the figure below. Certificates are used for mutual authentication and for encrypting communication data.
Figure E.1 HTTPS Communication
Between the admin client and the admin server, or between the HBA address rename server and the admin server
The admin client and HBA address rename server automatically obtain a certificate from the admin server at each connection. This certificate is used to encrypt the communicated data.
Between the admin server and managed servers (communication with agents)
Certificates are created on both the admin server and managed servers when Resource Coordinator VE (manager or agent) is first installed. Certificates of other communication targets are stored at different timings, as described below (refer to "Certificate Creation Timing"). Those certificates are used for HTTPS communication based on mutual authentication.
When re-installing the manager, its agent certificates (stored on the admin server) are renewed. Because the renewed certificates differ from those stored on the agent side (on managed servers), agents are not able to communicate with the admin server. To avoid such communication issues, it is recommended to backup agent certificates (on the admin server) before uninstalling the manager, and restore them after re-installation. For details on how to backup and restore agent certificates on the admin server, refer to "3.1 Manager Uninstallation" and "2.1 Manager Installation" in the "ServerView Resource Coordinator VE Installation Guide".
Between the admin server and managed servers (communication with VM hosts), or between the admin server and VM management software [VMware]
The admin server obtains and stores certificates for each connection with a managed server (VM host) or VM management software. Those certificates are used to encrypt communications.
Certificate Creation Timing
Certificates are automatically obtained each time HTTPS connections are established. They are not stored on the admin server.
The certificates used for HTTPS communication are automatically exchanged and stored on the manager and agents on the following occasions:
When registering a managed server
Right after re-installing and starting an agent
Certificates are automatically obtained each time HTTPS connections are established. They are not stored on the admin server.
Types of Certificates
Resource Coordinator VE uses the following certificates.
The public keys included in the certificates are created using X.509-based RSA encryption. These keys are 1024 bits long.
The public keys included in the certificates are created using X.509-based RSA encryption. These keys are 2048 bits long.
The public keys included in the certificates are created using X.509-based RSA encryption. These keys are 1024 bits long.
Adding the Admin Server's Certificate to Client Browsers
Resource Coordinator VE automatically generates a unique, self-signed certificate for each admin server during manager installation. This certificate is used for HTTPS communication with admin clients.
Use of self-signed certificates is generally safe within an internal network protected by firewalls, where there is no risk of spoofing attacks and communication partners can be trusted. However, Web browsers, which are designed for less-secure networks (internet), will see self-signed certificates as a security threat, and will display the following warnings.
Warning dialog when establishing a connection
When opening a browser and connecting to the admin server for the first time, a warning dialog regarding the security certificate received from the admin server is displayed.
Address bar and Phishing Filter warning in Internet Explorer 7 or 8
The background color of the address bar will become red and the words "Certificate error" will be displayed on its right side.
Furthermore, the Phishing Filter may show a warning on the status bar.
The above warnings can be disabled by creating a certificate for the admin server's IP address or host name (FQDN) that is specified in the address bar's URL, and installing it to the browser.
On the admin server, a certificate for "localhost" is automatically created during installation of the manager.
When using other servers as admin clients, use the following procedure to install the admin server's certificate on each client.
Therefore, the certificate creation step in the following procedure can be skipped when using the admin server as an admin client. In that case, use "localhost" in the URL and proceed to step 2.
Create a certificate
Open the command prompt on the admin server.
Execute the following command to move to the installation folder.
[Windows]
>cd "Installation_folder\Manager\sys\apache\conf" <RETURN> |
[Linux]
# cd /etc/opt/FJSVrcvmr/sys/apache/conf <RETURN> |
After backing up the current certificate, execute the certificate creation command bundled with Resource Coordinator VE (openssl.exe).
When using the -days option, choose a value (number of days) large enough to include the entire period for which you plan to use Resource Coordinator VE. However, the certificate's expiration date (defined by adding the specified number of days to the current date) should not go further than the 2038/1/19 date.
Example
When the Manager is installed in the "C:\Program Files\Resource Coordinator VE" folder, and generating a certificate valid for 15 years (or 5479 days, using the -days 5479 option).
[Windows]
>cd "C:\Program Files\Resource Coordinator VE\Manager\sys\apache\conf" <RETURN> |
[Linux]
# cd /etc/opt/FJSVrcvmr/sys/apache/conf <RETURN> |
*1: Enter the IP address to be entered in the Web browser or the host name (FQDN).
Example
IP address: 192.168.1.1
Host name: myhost.company.com
Add the certificate to the Web browser.
Open the Resource Coordinator VE login screen following the instructions given in "5.3 RC Console".
When opening the RC console, enter the same IP address or host name (FQDN) as that used to generate the certificate in the previous step. Once the login screen is displayed, perform the following operations.
Open the [Certificate] dialog.
In Internet Explorer 6
Double-click the key mark displayed in the status bar.
In Internet Explorer 7 or 8
Open the "Certificate is invalid dialog" by clicking the "Certificate error" displayed in the address bar. This will open a "Certificate is not trusted" or " Certificate is invalid" message.
Click the "Display certificates" link displayed at the bottom of this dialog.
Confirm that the "Issued to" and "Issued by" displayed in the [Certificate] dialog are both set to the IP address or host name (FQDN) used to generate the certificate.
In the [Certificate] dialog, click <Install Certificate>.
The [Certificate Import Wizard] dialog is displayed.
Click <Next>>.
Select "Place all certificates in the following store" and click <Browse>.
The [Select Certificate Store] dialog is displayed.
Select the "Trusted Root Certification Authorities" and click <OK>.
Click <Next>>.
Check that "Trusted Root Certification Authorities" is selected and click <Finish>.
Restart the Web browser.
If multiple admin clients are used, perform this operation on each admin client.
Note
Enter the IP address or host name (FQDN) used to generate the certificate in the Web browser's URL bar. If the entered URL differs from that of the certificate, a certificate warning is displayed.
Example
A certificate warning is displayed when the following conditions are met.
The entered URL uses an IP address while the certificate was created using a host name (FQDN).
The admin server is set with multiple IP addresses, and the entered URL uses an IP address different from that used to generate the certificate.
