Network Authentication - Client Certificates

Overview

Client certificates allow the CommCell to authenticate connections between client computers and the CommServe. The authentication process verifies the identity of the client attempting to establish connections with the CommServe during installation.

Each client in the CommCell has a unique client certificate. By default, when a new client is installed on a CommCell, the installer uses built-in certificates to authenticate connections with the CommServe, and as soon as the connection is established, the client certificate is automatically created. Once created, all communications going to the client are authenticated by the certificate. This security enhancement "locks down" the client by rejecting third-party connections that lack valid certificates.

You can configure the CommServe to validate client certificates during installation and refuse connections from built-in certificates. The following sections describe the steps to enforce certificate authentication for new client installations and to manage client certificates.

Enforcing Authentication of Client Certificates during Installations

You can configure the CommServe to enter a "lockdown" mode, where client certificates are validated when installing new clients.

When installing a new client on a locked-down CommCell, you manually generate a temporary certificate to authenticate the installation. Once the temporary certificate is validated during installation, the permanent client certificate is automatically created.

This configuration is performed in two steps:

  1. Enable Client Certificate Authentication on the CommServe
  2. Create a Temporary Certificate for Client Installation

Enable Client Certificate Authentication on the CommServe

  1. On the CommCell Console ribbon, click the Home tab, then click Control Panel.
  2. In the Tools area, click Certificate Administration. The Certificate Administration dialog box opens.
  3. Select Yes for Force per-client certificate authentication on CommServe, then click OK.
  4. In the CommCell Browser, right-click your CommServe instance's name, then click All Tasks > Push Firewall Configuration.
  5. Click Continue to push the firewall configuration for the CommServe host, then click OK.
  6. To make any changes take effect immediately, or if the host you are logged into is an upgraded CommServe host, restart the services:
     1. Log on to the CommServe host, using an account that has administrative rights.
     2. Click the Start button, then point to All Programs.
     3. Click Commvault, then click Process Manager.
     4. Click the Services tab, then right-click All Services.
     5. Click Restart.

Create a Temporary Certificate for Client Installation

For a CommServe computer to be able to generate a temporary certificate for a client, it must first have a placeholder for that client. Use these steps to create a placeholder for a new Windows client, and then to generate the certificate to be used during installation.

  1. From the CommCell Browser, right-click the Client Computers node and click New Client | File System | Windows.
  2. Provide the Client Name and Host Name of the new client computer and click Next.
  3. Review the client details and click Finish.

    The new client computer appears in the CommCell Browser, with a gray icon to indicate its placeholder status.

    If the client or the CommServe is behind a firewall, be sure to configure the firewall properties of these components and push the firewall configuration to the CommServe. See Firewall - Getting Started for the steps to configure the appropriate firewall connection.

  4. On the Home tab of the CommCell Console toolbar, click Control Panel.
  5. Click Certificate Administration.
  6. In the Certificate Administration dialog box, click Temp Certificate.
  7. Select the name of the new client you created above from the Client Name list and click Create. The client certificate appears in the text box.
  8. Click Copy to Clipboard to copy the contents of the generated certificate into the Windows clipboard. Paste the contents into a new file, such as client1_cert.txt.

    • Store the temporary certificate file where the client can access it during software installation, such as a network share or portable drive.
    • Important: Once you close the Temporary Certificate dialog box, the certificate cannot be retrieved. Be sure to save the file containing the certificate that you copied.

  9. Click Close.
  10. In the Certificate Administration dialog box, the certificate for the new client is displayed with the "active" status in the list of client certificates. Click OK.
  11. Start the software installation process on the client computer.
    • When the installer requests the certificate to authenticate the new client identity, click Browse and locate the file containing the temporary certificate that you created.
    • Select the client name and host name that you provided during the configuration of the placeholder in Step 2.

Configuring the Automatic Renewal Period of Client Certificates

Client certificates are automatically renewed following the renewal period described below:

  • Certificates for clients are renewed every 6 months
  • The CommCell Certificate Authority (CA) is renewed every 5 years

You can change the renewal period for client certificates and the CA certificate using the following steps:

  1. From the CommCell Console ribbon, click the Home tab and then click Control Panel.
  2. Click Certificate Administration.
  3. In the Client Certificate Rotation Period box, specify the new renewal period (in months) for client certificates.
  4. In the CA Certificate Rotation Period box, specify the new renewal period (in years) for the CA certificate.
  5. Click OK.

    If you extended the rotation period for client certificates (e.g., from 6 months to 10 months), you may want to renew each client certificate using the Renew option to start the new rotation period with a new certificate.

Revoking a Client Certificate

Revoking a client's SSL certificate blocks all connections to that client until a new certificate is automatically generated for the client or manually renewed by the user. You can revoke certificates from the CommCell Console or from the command line. The CommCell Console operation deletes one certificate at a time. The command line method deletes all certificates for the specified client in a single operation. Revoking certificates may be appropriate if you suspect the security of a client computer has been compromised.

From the CommCell Console

Revoke one SSL certificate from a client using these steps:

  1. From the CommCell Console ribbon, click the Home tab and then click Control Panel.
  2. Click Certificate Administration.
  3. In the list of all outstanding client certificates, select the certificate that you want to cancel and click Revoke.
  4. Click Yes to revoke the client certificate.
  5. Click OK.
  6. Click OK from the Certificate Administration dialog box.

From the Command Line

Revoke all SSL certificates from a client in one operation, through the command-line interface, using these steps:

  1. Download the revoke_certificate_template.xml file, saving it to the <Software_Installation_Directory>/Base folder on the computer where you will be running the command.
  2. Open a command window on that computer and change to the <Software_Installation_Directory>/Base folder.
  3. Execute this command, replacing <clientname> with the name of the client computer for which you want to revoke all certificates:

    qoperation execute -af revoke_certificate_template.xml -clientName <clientname>

Renewing a Revoked Certificate

By default, client certificates are automatically renewed every 6 months for clients and every 5 years for the CommCell Certificate Authority (CA). You can manually renew a certificate that has been revoked. However, if you revoked a certificate in a lockdown CommServe or when the client was offline, see Renew a Revoked Certificate in a Lockdown CommCell for the correct steps.

To renew the certificate for a client, use these steps:

  1. Ensure that the client computer is online and reachable from the CommServe.
  2. On the CommCell Console ribbon, click the Home tab, then click Control Panel.
  3. Click Certificate Administration.
  4. In the list of all outstanding client certificates, select the certificate that you want to renew and click Renew.
  5. Click Yes to confirm the renewal.

    The CommServe connects to the client computer and generates a new client certificate. This operation may take some minutes.

  6. Click OK.
  7. Click OK to close the Certificate Administration dialog box.

Renew a Revoked Certificate in a Locked Down CommCell

Revoked certificates are automatically renewed in CommCell environments that do not enforce certificate authentication. However, in the lockdown mode, a temporary certificate is needed to allow the CommServe to validate the identity of the client. This procedure also applies when you revoke a certificate while the client is offline.

Use the following steps to renew the client certificate by creating a temporary certificate:

  1. On the CommCell Console ribbon's Home tab, click Control Panel.
  2. Click Certificate Administration.
  3. From the Certificate Administration dialog box, click Temp Certificate.
  4. Select the name of the client with the revoked certificate from the Client Name list and click Create.

    The client certificate will be displayed in the dialog box.

  5. Click Copy to Clipboard to copy the contents of the generated certificate, and paste it into a new file named export.txt.
  6. Click Close.
  7. Copy the certificate file to the <Software_Installation_Directory>/Base/Certificates folder of the client computer and restart the client services.

    From the Certificate Administration dialog box, the certificate for the client should be displayed with the "active" status in the list of client certificates. Click OK.

Configuring SSL for Authenticating CommCell Communications

By default, client computers use Secure Sockets Layer (SSL) to authenticate connections with other CommCell components, such as CommServe hosts or MediaAgents.

You can enforce or disable SSL authentication by configuring two global parameters. You can also enable SSL on upgraded clients by setting these parameters on them.

When finished making changes, see Putting SSL Parameter Changes into Effect, below.

  • CvSessionEnableSSL

    This parameter requires that client computers use SSL to authenticate connections with other clients. This configuration does not affect clients from previous software versions.

    By default, this parameter is set to 1 (enabled) in new CommCell groups. For upgraded CommCell groups, this parameter is not enabled. To enable the clients from an upgraded CommCell to use SSL, execute this command:

    qoperation execscript -sn SetKeyIntoGlobalParamTbl.sql -si CvSessionEnableSSL -si y -si 1

  • CvSessionForceSSL

    This parameter forces both new and upgraded client computers to use SSL for authentication. This parameter increases the CommCell security by denying any non-SSL connection, such as clients from previous releases. By default, this parameter is set to 0 (disabled) regardless of whether the CommCell is new or upgraded.

    Execute the following command to enable this parameter:

    qoperation execscript -sn SetKeyIntoGlobalParamTbl.sql -si CvSessionForceSSL -si y -si 1

    Note that when this parameter is enabled, clients using an older version of the software will not work in your CommCell group.

Putting SSL Parameter Changes into Effect

Changes to these parameters can take up to one hour to go into effect if you wait for the regularly scheduled processes to apply them. If you need to put any changes you have made into immediate effect, restart services on the CommServe host:

  1. Log on to the CommServe host, using an account that has administrative rights.
  2. Click the Start button, then point to All Programs.
  3. Click Commvault, then click Process Manager.
  4. Click the Services tab, then right-click All Services.
  5. Click Restart.