Network: Client Certificates

Overview

Client certificates allow the CommCell to authenticate connections between client computers and the CommServe host. During the installation of a client computer, the authentication process reveals and confirms the identity of the client attempting to establish connections with the CommServe host.

Each client in the CommCell group has a unique client certificate. By default, when a new client is installed into a CommCell group, the installer uses built-in certificates to authenticate connections with the CommServe host, and as soon as the connection is established, the client certificate is automatically created. Once created, all communications going to the client are authenticated by the certificate. This security enhancement "locks down" the client by rejecting connections from third parties that do not present a valid certificate.

You can configure the CommServe host to validate client certificates during client installations and to refuse connections from built-in certificates. The sections on this page describe the steps needed to enforce certificate authentication for new client installations and to manage client certificates.

The following list provides additional information about client certificates:

  • SnapProtect encrypts client certificates using 2048-bit RSA and 3DES keys.
  • Client certificates authenticate all tunnel connections using the TLS 1.2 protocol.
  • SnapProtect provides certificate authorities (CA) through the CommServe host.
  • During the CommServe installation, the CommServe host receives a CommCell-specific client certificate for SSL/TLS authentication.

Enforcing Authentication of Client Certificates during Installations

You can configure the CommServe instance to enter a "lockdown" mode. In this mode, client certificates are validated when installing new clients.

When installing a new client on a locked-down CommCell group, you manually generate a temporary certificate to authenticate the installation. Once the temporary certificate is validated during installation, the permanent client certificate is automatically created.

This configuration is performed in two steps:

  1. Enable Client Certificate Authentication on the CommServe
  2. Create a Temporary Certificate for Client Installation

Enable Client Certificate Authentication on the CommServe

  1. On the CommCell Console ribbon, click the Home tab, then Control Panel.
  2. In the CommCell area, click Certificate Administration.
  3. Select Yes for Force per-client certificate authentication on CommServe, then click OK.
  4. Close the Control Panel.
  5. In the CommCell Browser, right-click your CommServe instance's name, then click All Tasks > Push Firewall Configuration.
  6. Click Continue to push the firewall configuration for the CommServe host, then click OK.
  7. To put your changes into effect immediately, or if the host you are logged on to is an upgraded CommServe host, restart the services, as follows:
    1. Log on to the CommServe host, using an administrator account.
    2. Click Start > All Programs > Commvault > Process Manager.
    3. Click the Services tab, then right-click All Services > Restart.

Create a Temporary Certificate for Client Installation

For a CommServe computer to be able to generate a temporary certificate for a client, it must first have a placeholder for that client. Use these steps to create a placeholder for a new Windows client, and then to generate the certificate to be used during installation.

  1. From the CommCell Browser, right-click the Client Computers node and click New Client > File System > Windows.
  2. Enter the Client Name and Host Name of the new client computer, then click Next.
  3. Review the client details and click Finish.

    The new client computer appears in the CommCell Browser, with a gray icon to indicate its placeholder status.

    If the client or the CommServe is behind a firewall, be sure to configure the firewall properties of these components, and push the firewall configuration to the CommServe. To configure the appropriate firewall connection, see Firewall Using Direct Connections.

  4. On the Home tab of the CommCell Console toolbar, click Control Panel > Certificate Administration > Temp Certificate.
  5. Select the name of the client you created above from the Client Name list and click Create. The client certificate appears in the text box.
  6. Click Copy to Clipboard, then paste the contents into a new file, such as client1_cert.txt.

    • Store the temporary certificate file where the client can access it during software installation, such as a network share or portable drive.
    • Important: Once you close the Temporary Certificate dialog box, the certificate cannot be retrieved. Be sure to save the file you copied the certificate into.

  7. Click Close.
  8. In the Certificate Administration dialog box, the certificate for the new client is displayed with the "active" status in the list of client certificates. Click OK.
  9. Start the software installation process on the client computer.
    • When the installer requests the certificate to authenticate the new client identity, click Browse and navigate to the file containing the temporary certificate that you created.
    • Select the client name and host name that you provided during the configuration of the placeholder in Step 2.

Configuring the Automatic Renewal Period of Client Certificates

Client certificates are renewed automatically, according to the renewal periods described below:

  • Certificates for clients are renewed every 6 months
  • The CommCell Certificate Authority (CA) is renewed every 5 years

You can change the renewal period for client certificates and the CA certificate using these steps:

  1. From the CommCell Console ribbon, click the Home tab and then click Control Panel > Certificate Administration.
  2. In the Client Certificate Rotation Period box, enter the new renewal period (in months) for client certificates.
  3. In the CA Certificate Rotation Period box, enter the new renewal period (in years) for the CA certificate.
  4. Click OK.

    If you extended the rotation period for client certificates (for example, from 6 months to 10 months), you may want to renew each client certificate using the Renew option to start the new rotation period with a new certificate.

Revoking a Client Certificate

Revoking a client's SSL/TLS certificate blocks all connections to that client until a new certificate is automatically generated for the client or manually renewed by the user. You can revoke certificates from the CommCell Console or from the command line. The CommCell Console operation revokes one certificate at a time. The command-line method revokes all certificates for the specified client in a single operation. Revoking certificates may be appropriate if you suspect that the security of a client computer has been compromised.

From the CommCell Console

Revoke a certificate from a client using these steps:

  1. From the CommCell Console ribbon, click the Home tab, then Control Panel > Certificate Administration.
  2. In the list of outstanding client certificates, select the certificate that you want to cancel, then click Revoke.
  3. Click Yes to revoke the client certificate.
  4. Click OK repeatedly until all dialog boxes are closed.

From the Command Line

Revoke all certificates from a client in one operation, through the command-line interface, using these steps:

  1. Download the revoke_certificate_template.xml file, saving it to the software_installation_directory/Base folder on the computer where you will be running the command.
  2. Open a command window on that computer and change to the software_installation_directory/Base folder.
  3. Execute this command, replacing clientname with the name of the client computer for which you want to revoke all certificates:

    qoperation execute -af revoke_certificate_template.xml -clientName clientname

Renewing a Revoked Certificate

By default, client certificates are automatically renewed every 6 months for clients and every 5 years for the CommCell Certificate Authority (CA). You can manually renew a certificate that has been revoked. However, if you revoked a certificate in a locked-down CommServe host or while the client was offline, see Renew a Revoked Certificate in a Locked-Down CommCell for the correct steps.

To renew the certificate for a client, use these steps:

  1. Ensure that the client computer is online and reachable from the CommServe host.
  2. On the CommCell Console ribbon, click the Home tab, then click Control Panel > Certificate Administration.
  3. In the list of all outstanding client certificates, select the certificate that you want to renew and click Renew > Yes.

    The CommServe connects to the client computer and generates a new client certificate. This operation may take some minutes.

  4. Click OK repeatedly until all open dialog boxes are closed.

Renew a Revoked Certificate in a Locked-Down CommCell

Revoked certificates are automatically renewed in CommCell environments that do not enforce certificate authentication. However, in lockdown mode, a temporary certificate is needed to allow the CommServe to validate the identity of the client. This procedure also applies when you revoke a certificate while the client is offline.

Use these steps to renew the client certificate by creating a temporary certificate:

  1. On the CommCell Console ribbon's Home tab, click Control Panel > Certificate Administration > Temp Certificate.
  2. In the Client Name list, select the name of the client with the revoked certificate, then click Create. The client certificate appears.
  3. Click Copy to Clipboard, then paste the certificate content into a new file named export.txt.
  4. Click Close.
  5. On the client computer, copy the certificate file to the software_installation_directory/Base/Certificates folder (certificates folder with lower-case "c" on UNIX clients), and then restart the client services.
  6. In the Certificate Administration dialog box, confirm that the certificate for the client appears with a Status of Active. Click OK.

Configuring SSL for Authenticating CommCell Communications

By default, client computers use Secure Sockets Layer (SSL) to authenticate connections with other CommCell components, such as CommServe hosts or MediaAgents.

You can enforce or disable SSL authentication by configuring two global parameters. You can also enable SSL on upgraded clients by setting these parameters on them.

When finished making changes, see Putting SSL Parameter Changes into Effect, below.

  • CvSessionEnableSSL

    This parameter requires that client computers use SSL to authenticate connections with other clients. This configuration does not affect clients from previous software versions.

    By default, this parameter is set to 1 (enabled) in new CommCell groups. For upgraded CommCell groups, this parameter is not enabled.

    To enable the clients from an upgraded CommCell to use SSL:

    • On the CommServe computer, add the CvSessionEnableSSL additional setting with value 1.

      For instructions on adding the additional setting from the CommCell Console, see Add or Modify an Additional Setting.

      Refer to the following table for applicable values:

      Property   Value
      Name       CvSessionEnableSSL
      Category   CommServDB.GxGlobalParam
      Type       Integer
      Value      Select one of the following values:
                 1 - to allow the clients to use SSL for authenticating connections with other clients
                 0 - to prevent the clients from using SSL for authenticating connections with other clients

  • CvSessionForceSSL

    This parameter forces both new and upgraded client computers to use SSL for authentication. This parameter increases CommCell security by denying any non-SSL connection, such as connections from clients running previous releases. By default, this parameter is set to 0 (disabled), regardless of whether the CommCell is new or upgraded.

    To enable this parameter:

    • On the CommServe computer, add the CvSessionForceSSL additional setting with value 1.

      For instructions on adding the additional setting from the CommCell Console, see Add or Modify an Additional Setting.

      Refer to the following table for applicable values:

      Property   Value
      Name       CvSessionForceSSL
      Category   CommServDB.GxGlobalParam
      Type       Integer
      Value      Select one of the following values:
                 1 - to allow client computers to use SSL for authentication
                 0 - to prevent the clients from using SSL for authentication

    Note: When this parameter is enabled, clients using an older version of the software will not work in your CommCell group.

Putting SSL Parameter Changes into Effect

Changes to these parameters can take up to one hour to go into effect if you rely on the normally scheduled processes. To put changes into immediate effect, restart the services on the CommServe host.

Follow these steps:

  1. Log on to the CommServe host as an administrator.
  2. Click Start > All Programs > Commvault > Process Manager.
  3. On the Services tab, right-click All Services > Restart.