Appendix B HTTPS Communications

This appendix explains the HTTPS communication protocol used by Resource Orchestrator and its security features.

Resource Orchestrator uses HTTPS communication for the three cases shown in the figure below. Certificates are used for mutual authentication and for encrypting communication data.

Figure B.1 HTTPS Communication

1. Between the Admin Client and the Admin Server, or Between the HBA address rename Server and the Admin Server

   The admin client and HBA address rename server automatically obtain a certificate from the admin server at each connection. This certificate is used to encrypt the communicated data.

2. Between the Admin Server and Managed Servers (Communication with Agents)

   Certificates are created on both the admin server and managed servers when Resource Orchestrator (manager or agent) is first installed. Certificates of other communication targets are stored at different timings, as described below (refer to "Certificate Creation Timing"). Those certificates are used for HTTPS communication based on mutual authentication.
   When re-installing the manager, its agent certificates (stored on the admin server) are renewed. Because the renewed certificates differ from those stored on the agent side (on managed servers), agents are not able to communicate with the admin server. To avoid such communication issues, it is recommended to backup agent certificates (on the admin server) before uninstalling the manager, and restore them after re-installation. When reinstalling, refer to "3.1 Manager Uninstallation" and "2.1 Manager Installation" of the "Installation Guide CE".

3. Between the Admin server and Managed servers (Communication with VM Hosts), or Between the Admin Server and VM Management Software [VMware]

   The admin server obtains and stores certificates for each connection with a managed server (VM host) or VM management software. Those certificates are used to encrypt communications.

   
   

Between the Admin Client and the Admin Server, or Between the HBA address rename Server and the Admin Server

Certificates are automatically obtained each time HTTPS connections are established. They are not stored on the admin server.

Between the Admin Server and Managed Servers (Communication with Agents)

The certificates used for HTTPS communication are automatically exchanged and stored on the manager and agents on the following occasions:

• When registering a managed server

• Right after re-installing and starting an agent

Between the Admin server and Managed servers (Communication with VM Hosts), or Between the Admin Server and VM Management Software [VMware]

Certificates are automatically obtained each time HTTPS connections are established. They are not stored on the admin server.

Resource Orchestrator uses the following certificates.

Between the Admin Client and the Admin Server, or Between the HBA address rename Server and the Admin Server

The public keys included in the certificates are created using X.509-based RSA encryption. These keys are 1024 bits long.

Between the Admin Server and Managed Servers (Communication with Agents)

The public keys included in the certificates are created using X.509-based RSA encryption. These keys are 2048 bits long.

Between the Admin server and Managed servers (Communication with VM Hosts), or Between the Admin Server and VM Management Software [VMware]

The public keys included in the certificates are created using X.509-based RSA encryption. These keys are 1024 bits long.

Resource Orchestrator automatically generates a unique, self-signed certificate for each admin server during manager installation. This certificate is used for HTTPS communication with admin clients.
Use of self-signed certificates is generally safe within an internal network protected by firewalls, where there is no risk of spoofing attacks and communication partners can be trusted. However, Web browsers, which are designed for less-secure networks (internet), will see self-signed certificates as a security threat, and will display the following warnings.

• Warning dialog when establishing a connection

  When opening a browser and connecting to the admin server for the first time, a warning dialog regarding the security certificate received from the admin server is displayed.

• Address bar and Phishing Filter warning in Internet Explorer 8 or 9

  The background color of the address bar will become red and the words "Certificate Error" will be displayed on its right side of the address bar of the login screen, the ROR console, and BladeViewer.
  Furthermore, the Phishing Filter may show a warning on the status bar.

When using Internet Explorer 8 or 9, the above warnings can be disabled by creating a certificate for the admin server's IP address or host name (FQDN) that is specified in the address bar's URL, and installing it to the browser.
On the admin server, a certificate for "localhost" is automatically created during installation of the manager.
When using other servers as admin clients, use the following procedure to install the admin server's certificate on each client.
Therefore, the certificate creation step in the following procedure can be skipped when using the admin server as an admin client. In that case, use "localhost" in the URL and proceed to step 2.

1. Create a certificate

   1. Open the command prompt on the admin server.

   2. Execute the following command to move to the installation folder.

      [Windows]

      >cd "Installation_folder\Manager\sys\apache\conf" <RETURN>

      [Linux]

      # cd /etc/opt/FJSVrcvmr/sys/apache/conf <RETURN>

   3. After backing up the current certificate, execute the certificate creation command bundled with Resource Orchestrator (openssl.exe).

      When using the -days option, choose a value (number of days) large enough to include the entire period for which you plan to use Resource Orchestrator. However, the certificate's expiration date (defined by adding the specified number of days to the current date) should not go further than the 2038/1/19 date.

      Example

      When the Manager is installed in the "C:\Fujitsu\ROR" folder, and generating a certificate valid for 15 years (or 5479 days, using the -days 5479 option)

      [Windows]

      >cd "C:\Fujitsu\ROR\Manager\sys\apache\conf" <RETURN> >..\..\..\bin\rcxmgrctl stop <RETURN> >copy ssl.crt\server.crt ssl.crt\server.crt.org <RETURN> >copy ssl.key\server.key ssl.key\server.key.org <RETURN> >..\bin\openssl.exe req -new -x509 -nodes -out ssl.crt\server.crt -keyout ssl.key\server.key -days 5479 -config openssl.cnf <RETURN> Loading 'screen' into random state - done Generating a 1024 bit RSA private key .................++++++ ................................++++++ writing new private key to 'ssl.key\server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []: <RETURN> State or Province Name (full name) []: <RETURN> Locality Name (eg, city) [Kawasaki]: <RETURN> Organization Name (eg, company) []: <RETURN> Organizational Unit Name (eg, section) []: <RETURN> Common Name (eg, YOUR name) [localhost]: IP_address or hostname (*1) <RETURN> Email Address []: <RETURN> >..\..\..\bin\rcxmgrctl start <RETURN>

      [Linux]

      # cd /etc/opt/FJSVrcvmr/sys/apache/conf <RETURN> # /opt/FJSVrcvmr/bin/rcxmgrctl stop <RETURN> # cp ssl.crt/server.crt ssl.crt/server.crt.org <RETURN> # cp ssl.key/server.key ssl.key/server.key.org <RETURN> # /opt/FJSVrcvmr/sys/apache/bin/openssl req -new -x509 -nodes -out ssl.crt/server.crt -keyout ssl.key/server.key -days 5479 -config /opt/FJSVrcvmr/sys/apache/ssl/openssl.cnf <RETURN> Generating a 1024 bit RSA private key .................++++++ ................................++++++ writing new private key to 'ssl.key/server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []: <RETURN> State or Province Name (full name) []: <RETURN> Locality Name (eg, city) [Kawasaki]: <RETURN> Organization Name (eg, company) []: <RETURN> Organizational Unit Name (eg, section) []: <RETURN> Common Name (eg, YOUR name) [localhost]: IP_address_or_hostname (*1) <RETURN> Email Address []: <RETURN> # /opt/FJSVrcvmr/bin/rcxmgrctl start <RETURN>

      *1: Enter the IP address to be entered in the Web browser or the host name (FQDN).

      Example

      IP address: 192.168.1.1
      Host name: myhost.company.com

2. Add the certificate to the Web browser

   Open the Resource Orchestrator login screen, referring to "7.1 Login".
   When opening the ROR console, enter the same IP address or host name (FQDN) as that used to generate the certificate in the previous step. Once the login screen is displayed, perform the following operations.

   1. Open the [Certificate] dialog.

      For Internet Explorer 8 and 9, open the "Certificate is invalid dialog" by clicking the "Certificate Error" displayed in the address bar. This will open an "Untrusted Certificate" or "Certificate Expired" message.
      Click the "View certificates" link displayed at the bottom of this dialog.

   2. Confirm that the "Issued to" and "Issued by" displayed in the [Certificate] dialog are both set to the IP address or host name (FQDN) used to generate the certificate.

   3. In the [Certificate] dialog, click <Install Certificate>.

      The [Certificate Import Wizard] dialog is displayed.

   4. Click <Next>>.

   5. Select "Place all certificates in the following store".

   6. Click <Browse>.

      The [Select Certificate Store] dialog is displayed.

   7. Select "Trusted Root Certification Authorities".

   8. Click <OK>.

   9. Click <Next>>.

   10. Check that "Trusted Root Certification Authorities" is selected.

   11. Click <Finish>.

   12. Restart the Web browser.

   If multiple admin clients are used, perform this operation on each admin client.

   Note

   Enter the IP address or host name (FQDN) used to generate the certificate in the Web browser's URL bar. If the entered URL differs from that of the certificate, a certificate warning is displayed.

   Example

   A certificate warning is displayed when the following conditions are met.

   • The entered URL uses an IP address while the certificate was created using a host name (FQDN)

   • The admin server is set with multiple IP addresses, and the entered URL uses an IP address different from that used to generate the certificate

   In environments where the admin server is Windows, and multiple IP addresses are used, when a login window with a different URL from the address bar's URL in which the IP address or host name (FQDN) is specified, the warning may not disappear.
   As a corrective action, set a higher priority for binding of the network adapter used on the admin LAN than for other network adapters.

   Example

   When changing the order of priority of network adapter binding in Microsoft(R) Windows Server(R) 2008 R2 Enterprise

   1. Click <Start>, and then click [Control Panel].

   2. When [Network and Internet] is displayed, click this item.
      When [Network and Internet] is not displayed, proceed to the next step without clicking.

   3. Click [Network and Sharing Center], and click [Change adapter settings] in the left side of the window.

   4. Click [Advanced Settings] in the [Advanced] menu.
      When [Advance settings] is not displayed, push the Alt key.

   5. From the list of [Connections] in the [Adapters and Bindings] tab, click the target network adapter, and the "Up" or "Down" buttons to change the order of priority of connections.

   6. Click <OK>.