Wiki Page: How to set up secure access to MFDS and the ES Administration web page

Problem: MFDS acts as a web server and displays the Enterprise Server Administration web page. By default it is not set up for SSL secure access (i.e. a URL beginning with "https:"). How can a person set up SSL-secured access to MFDS from a local or remote browser without the browser showing a certificate error?

Solution: A demonstration Certificate Authority (DemoCA) is provided with the product for practice and proof of concept in setting up secure connections. After the concept is proven, end-users can design their own PKI (Public Key Infrastructure) and begin using an official CA in place of DemoCA. See the documentation topic named "SSL and PKI Technology Primer": http://documentation.microfocus.com/help/topic/com.microfocus.eclipse.infocenter.visualcobol.eclipseux/GUID-7B2327C6-A987-49E1-B04C-10FBEE9CB5E3.html

Step 1: Install DemoCA on the machine that will run Enterprise Server and MFDS. Installation is documented here: http://documentation.microfocus.com/help/topic/com.microfocus.eclipse.infocenter.enterprisedeveloper.eclipsewin/BKCKCKINTRS002.html

Note: on Linux/UNIX the script "DemoCA_Setup.sh" must be run as root. The environment variables COBDIR and OPENSSL_CONF must be set before running DemoCA_Setup.sh. Set COBDIR to the location where the Micro Focus product is installed, for example:

    COBDIR=/opt/microfocus/VisualCOBOL
    export COBDIR

(substitute the actual location if it differs from the above). Set OPENSSL_CONF to $COBDIR/DemoCA before running DemoCA_Setup.sh. Enter:

    OPENSSL_CONF=$COBDIR/DemoCA
    export OPENSSL_CONF

During installation you will be asked to specify the Common Name (CN). Specify the fully-qualified domain name (FQDN) of your machine (this may already appear as the default value), for example "server1.yourcompany.com". Later, when accessing the secure ES Admin web page, you will have to use a URL that includes the FQDN.

Step 2: Modify the file "openssl.cnf" in the DemoCA install directory, changing this line:

    default_md = md5

to this:

    default_md = sha256

On Windows, use Administrator privileges to modify the file (for example, run Notepad as Administrator). On Linux/UNIX, use root privileges and an editor such as vi.

Step 3: Run the re-install script.

On Linux/UNIX this is named "reinstall_DemoCA.sh" in the directory where DemoCA was installed. Before running it, set the environment variables OPENSSL_CONF and SSLDIR to the directory where DemoCA was installed. Run it as root with COBDIR set to where the Micro Focus product was installed.

On Windows, run CMD (a command prompt) as Administrator. Change to the folder where DemoCA was installed. Set the environment variable OPENSSL_CONF to the file openssl.cnf, for example:

    set OPENSSL_CONF=C:\Program Files (x86)\Micro Focus\DemoCA\openssl.cnf

Then run "reinstall_demoCA.cmd". When the screen says:

    writing new private key to 'private\CAkey.pem'
    Enter PEM pass phrase:

enter a phrase that you will remember, such as "srvrootpwd".

Step 4: Run the "create_srv_req" script.

On Windows, this is named "create_srv_req.cmd". Run it with Administrator privileges. On Linux/UNIX, the script is named "create_srv_req.sh". Run it with COBDIR, OPENSSL_CONF, and SSLDIR set as above. When the script asks:

    Enter PEM pass phrase:

enter srvrootpwd. On Windows, accept all the defaults for the Distinguished Name. Make sure the Common Name specifies the FQDN (fully-qualified domain name). You do not need to specify a challenge password.

Step 5: Run the "sign_srv" script. On Windows, this is "sign_srv.cmd". On Linux/UNIX it is "sign_srv.sh". If prompted for a passphrase, enter srvrootpwd.

Step 6: Access the ES Admin page using the URL http://<FQDN>:86, where <FQDN> is the fully-qualified domain name of the machine running MFDS. Configure MF Directory Server security with "Restrict administration access" and "Use encrypted connections". Specify a port number of your choosing.

Select "Use custom server ID certificate". For Certificate, enter the full path and filename of the file srvcert.pem. For example, on Windows:

    C:\Program Files (x86)\Micro Focus\DemoCA\srvcert.pem

or, for example, on Linux/UNIX:

    /opt/microfocus/DemoCA/srvcert.pem

depending on where DemoCA was installed. For Certificate passphrase: leave blank. For Keyfile: enter the full path and filename of the file srvkey.pem. For Keyfile passphrase: enter srvrootpwd. Press Apply or OK. The screen will say "(Specified SSL options pending...Directory Server restart required)". The secure options will go into effect when MFDS is restarted.

Step 7: Set the environment variables MF_ROOT_CERT and MFDS_DNS_RESOLVE before restarting MFDS.

On Windows, establish these environment variables at the system level. For example, with Windows 7, use Control Panel > System and Security > System > Advanced System Settings > Environment variables:

    MF_ROOT_CERT=C:\Program Files (x86)\Micro Focus\DemoCA\private\CArootcert.pem
    MFDS_DNS_RESOLVE=Y

(or the path to wherever DemoCA was installed). On Linux/UNIX, $COBDIR/bin/mfds is a shell script. Modify this script, adding MF_ROOT_CERT and MFDS_DNS_RESOLVE=Y, for example:

    MF_ROOT_CERT=/opt/microfocus/DemoCA/private/CARootcert.pem
    export MF_ROOT_CERT
    MFDS_DNS_RESOLVE=Y
    export MFDS_DNS_RESOLVE

Step 8: Restart MFDS so it picks up the environment variables.

On Windows, stop and restart the MFDS service. The service is named mf_ccitcp2 and its description is "Micro Focus Directory Server". You can start and stop it using Control Panel > Administrative Tools > View local services, or from a CMD prompt with Administrator privileges:

    net stop mf_ccitcp2
    net start mf_ccitcp2

On Linux/UNIX, with root credentials, set the COBDIR environment variable to the install location of the MF product, for example:

    COBDIR=/opt/microfocus/VisualCOBOL
    export COBDIR

(where /opt/microfocus/VisualCOBOL is the place you installed Visual COBOL). Invoke $COBDIR/bin/mfds -s to stop MFDS. Invoke $COBDIR/bin/mfds to restart MFDS.

Step 9: Configure a browser, either local or remote, by importing CArootcert.pem from DemoCA as a Trusted Root Certificate Authority. You can use FTP to transfer CArootcert.pem to the machine where the browser is running. CArootcert.pem is in the "private" sub-folder of the DemoCA install directory, so on Windows it is typically:

    C:\Program Files (x86)\Micro Focus\DemoCA\private\CArootcert.pem

and on Linux/UNIX it is typically:

    /opt/microfocus/DemoCA/private/CARootcert.pem

Step 10: Access the ES Admin page with the URL http://<FQDN>:86 and click "Log On". MFDS changes the URL to:

    https://<FQDN>:<secure port>/?page_000?action_LOGON

Since MF Directory Server security was configured with "Restrict administration access", MFDS will require a login and password. Until you configure the credentials differently, the credentials are:

    User: SYSAD
    Password: SYSAD

At that point, verify that you have access to the ES Administration screen, that the URL begins with "https:", and that the browser shows no certificate error.

Successfully using DemoCA to prove the concept shows that MFDS behaves as a web server should, that is, MFDS cooperates with browsers such as Internet Explorer, Firefox, and Chrome in securing web connections. This demonstrates that MFDS does not have a bug in this area. At that point you are free to establish your company's security policies and design your own PKI, including your own Certificate Authority. DemoCA is not meant for use in production situations.

See the documentation topic named "Is the Demonstration CA a Real CA?": http://documentation.microfocus.com/help/topic/com.microfocus.eclipse.infocenter.enterprisedeveloper.eclipsewin/BKCKCKDECAUREA.html

See also the documentation topic named "Designing a PKI": http://documentation.microfocus.com/help/topic/com.microfocus.eclipse.infocenter.enterprisedeveloper.eclipsewin/BKCJCJDESI.html

Subordinate to each Server on the ES Admin page, there is a button named "ES Monitor & Control", also known as ESMAC. The ESMAC button redirects to a new web page that allows observation and administration of individual Servers. After the ES Admin page has been configured for secure access, you may notice that it opens the ESMAC page using a URL of the form:

    http://10.150.99.13:9003/esmac/casrdo ...

that is, "http:" instead of "https:", and an IP address instead of a FQDN. You may also notice that, when the user presses the Home button in ESMAC to try to return to the ES Admin page, ESMAC tries to use a URL of the form:

    https://10.150.99.13:1443

that is, a URL correctly specifying "https:" and the secure port, but with an IP address instead of the FQDN. When secure access is set up using certificates issued for the FQDN, this does not work, and the user cannot return to MFDS except by manually typing a URL with the FQDN instead of the IP address. These problems are known limitations in the current architecture of the product.

To work around the problem of returning from ESMAC to MFDS, copy the ESMAC URL, open a new browser session (or a new tab), paste the URL, and use ESMAC in a separate window from the ES Admin page. Then it will not be necessary to return from ESMAC to the ES Admin page.

To set up secure access to both the ES Admin page and ESMAC, a person would have to create server certificates that are valid for both the FQDN and the IP address. An X.509v3 certificate can carry any number of subjectAlternativeName entries, of different types, including IP address. The DemoCA utility does not include a tool for generating such certificates, but a person who has moved beyond DemoCA and designed their own PKI may have the expertise to create X.509v3 certificates that work with both FQDNs and IPs.
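As an added example (not code from this page or from the Micro Focus DemoCA scripts), the POSIX shell script below reproduces the CA, request and signing flow of steps 2 to 5 with plain openssl commands and shows the certificate difference behind the ESMAC limitation: a Common-Name-only certificate fails verification when the URL uses the IP address, while one whose subjectAltName lists both the FQDN and the IP passes for both. The FQDN, the working directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not one of the Micro Focus DemoCA scripts. It builds a throwaway root CA
# and two server certificates: one with only a Common Name (what create_srv_req/sign_srv
# produce) and one whose X.509v3 subjectAltName lists the FQDN and the IP address, then
# verifies each for a URL using the FQDN and for one using the IP. Names are constructed.
set -e
FQDN="server1.yourcompany.com"      # assumption: the FQDN entered as Common Name in step 4
IP="10.150.99.13"                   # the IP address ESMAC puts into its URLs
WORK="${TMPDIR:-/tmp}/democa-san-example"

# Throwaway CA, standing in for DemoCA's private/CAkey.pem and private/CArootcert.pem.
make_ca() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Demo CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/carootcert.pem" 2>/dev/null
}

# make_cert NAME [SAN]: CSR with CN=$FQDN, signed by the CA with sha256 (step 2's
# default_md). When SAN is given it is added as a subjectAltName extension at signing time.
make_cert() {
    name=$1; san=${2:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
        -keyout "$WORK/$name.key.pem" -out "$WORK/$name.req.pem" 2>/dev/null
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
        set -- -extfile "$WORK/$name.ext"
    else
        set --
    fi
    openssl x509 -req -sha256 -days 1 -in "$WORK/$name.req.pem" -CA "$WORK/carootcert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial "$@" -out "$WORK/$name.cert.pem" 2>/dev/null
}

# verify_for NAME hostname|ip VALUE: succeeds only if the certificate is sha256-signed,
# chains to the CA, and is valid for VALUE (-verify_hostname for a FQDN, -verify_ip for an IP).
verify_for() {
    openssl x509 -in "$WORK/$1.cert.pem" -noout -text \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    openssl verify -CAfile "$WORK/carootcert.pem" "-verify_$2" "$3" "$WORK/$1.cert.pem" >/dev/null 2>&1
}

make_ca
make_cert cnonly                       # like DemoCA's srvcert.pem: Common Name only
make_cert san "DNS:$FQDN,IP:$IP"       # what ESMAC's IP-based URLs additionally need
for cert in cnonly san; do
    for target in "hostname $FQDN" "ip $IP"; do
        if verify_for "$cert" $target; then result=ok; else result=FAIL; fi
        echo "$cert.cert.pem checked against $target: $result"
    done
done
```

The "ip" check of cnonly.cert.pem is the one that fails, which is exactly what a browser reports when ESMAC's Home button sends it to https://10.150.99.13:1443 with a certificate issued only for the FQDN.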
