2011ArubaNetworksInc.
comodo 时间:2021-01-12 阅读:()
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SupportAdvisory:ArubaOSDefaultCertificateExpirationIssuedFebruary14,2011UpdatedApril8,2011Thisdocument,includingtheinformationitcontainsandtheprogramsmadeavailablethroughthelinksthatitincludes,isprovidedtoyouonan"asis"basis.
ARUBAANDITSSUPPLIERSDONOTWARRANTTHATSUCHINFORMATIONORTHEFUNCTIONSCONTAINEDINSUCHPROGRAMSWILLMEETYOURREQUIREMENTSORTHATTHEOPERATIONOFTHEPROGRAMSWILLBEUNINTERRUPTEDORERROR-FREE.
THEINFORMATIONANDPROGRAMSAREPROVIDEDTOYOUWITHNOWARRANTYOFANYKIND,EXPRESSORIMPLIED,INCLUDINGWITHOUTLIMITATION,ANYIMPLIEDWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENT.
INNOEVENTWILLARUBA,ITSSUPPLIERS,ORANYONEELSEWHOHASBEENINVOLVEDINTHECREATION,PRODUCTION,ORDELIVERYOFTHEINFORMATIONORPROGRAMSBELIABLEFORANYDIRECT,INDIRECT,INCIDENTALORCONSEQUENTIALDAMAGES,INCLUDINGWITHOUTLIMITATION,LOSTPROFITSORLOSTDATA,THATMAYARISEOUTOFYOURUSEOFORFAILURETOUSETHEINFORMATIONORPROGRAMS,EVENIFARUBAORSUCHOTHERENTITIESHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
THEFOREGOINGSHALLNOTBEDEEMEDTOPRECLUDEANYLIABILITYWHICH,UNDERAPPLICABLEPRODUCTSLIABILITYLAW,CANNOTBEPRECLUDEDBYCONTRACT.
ThisdocumentisbeingprovidedtoyoupursuanttotheprovisionsofyourapplicablesoftwarelicenseagreementwithAruba,andtheinformationandprogramsmaybeusedonlypursuanttothetermsandconditionsofsuchagreement.
ThisArubaSecurityAdvisorconstitutesArubaProprietaryInformationandshouldnotbedisseminated,forwardedordisclosed.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SummaryOnJune29,2011thedefaultSSL/TLScertificate"securelogin.
arubanetworks.
com"thatisinstalledonallArubacontrollerswillexpire.
Whilethisdefaultcertificatewasneverintendedforproductionuse,Arubaisawarethatanumberofcustomersareusingthiscertificateinproductionnetworks.
Thesecustomerswillneedtoreplacethecertificate.
Affectedcustomershavetwooptions:1.
Replacethedefaultcertificatewithacertificateissuedbyaninternalcertificateauthorityorapubliccertificateauthority.
Thisoptionisrecommendedandprovidesthegreatestsecurity.
2.
UpgradetheArubaOSimagetoaversionnumberequaltoorgreaterthan3.
3.
3.
10,3.
4.
4.
2,5.
0.
3.
2,6.
0.
1.
1,or6.
1.
0.
0.
Thesesoftwareimagescontainanewdefaultcertificatethatwillreplacetheexpiringcertificate.
Thisoptiondoesnotprovidegoodsecurity,sinceallArubacustomershaveaccesstothesamecertificateandimpersonationattacksarepossible.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
BackgroundTheArubaOSoperatingsystemloadedonallArubaMobilityControllerscontainsapre-loadeddigitalcertificatewiththename"securelogin.
arubanetworks.
com".
Thiscertificatewasissuedbyapubliccertificateauthority(CA)thatistrustedbymostbrowsersandoperatingsystems.
Bydefaultthecertificateisusedforthecontroller'smanagementinterface(WebUI),captiveportal,andEAPtermination.
Thiscertificateisintendedforquicklysettinguplabnetworks,demonstrations,andproof-of-conceptdeployments.
Asstatedintheuserguide,thedefaultcertificateisnotintendedforproductiondeployment,sinceeveryArubacontrollercontainsthesamecertificateandthisenablesimpersonationattacks.
Thefollowingtextsummarizestherisks:CaptivePortal:Anattackerimpersonatingacaptiveportalloginscreenmaybeabletoobtaintheusernameandpasswordofauthorizedusersonthesystem.
Ifcaptiveportalisusedonlyforguestaccess,thismaynotbedeemedaserioussecurityrisk.
Ifcaptiveportalisusedtoauthenticateinternalusers,thisattackcouldcausemoreseriousdamage.
AdministrativeWebUI:Tocarryoutanimpersonationattackagainstthecontroller'sadministrativeWebUI,theattackerwouldneedtointercepttrafficbetweenasystemadministrator'scomputerandthecontroller.
Thiswouldtypicallyrequireaninsiderattack,assumingadministrativeaccessisblockedfrompublicnetworks.
Theriskisseriousinthiscase,sinceasuccessfulattackwouldallowanunauthorizedpersontoobtainadministrativecredentialsfortheArubacontroller.
TheWebUIcertificateshouldalwaysbereplaced,evenifwithaself-signedcertificatethateachsystemadministratormustexplicitlytrust.
802.
1XEAPTermination:Thisistheriskiestuseofthedefaultcertificate,becauseanimpersonationattackmaybecarriedoutoverawirelessnetwork,andasuccessfulattackmayrevealusernamesandpasswordhashes(providingmaterialforanofflinepasswordcrackingattempt)orallowtheattackertogetauserconnectedtoahostilenetworkwhiletheuserthinksheorsheisconnectedtoatrustednetwork.
Thedefaultcertificateshouldneverbeusedfor802.
1X.
Arubaisawarethatsomecustomersdousethedefaultcertificateinproduction,typicallyforsecuringthecaptiveportalloginscreeninguestnetworkswhereensuringtheidentityofthecontrollerisnotanimportantsecurityconsideration.
Thedefaultcertificatewasvalidforfiveyears,andwillexpireonJune29,2011.
Ifthenetworkadministratordoesnotreplacethecertificate,thefollowingwilloccur:1.
UsersconnectingtocaptiveportalorWebUIpageswillreceiveabrowserwarningshowingthattheservercertificatehasexpired.
Usersmaybypassthewarning(withvaryingdegreesofdifficultydependingonthebrowser)andcontinueontousethesystemnormally.
2.
IfEAPterminationhasbeenenabledfor802.
1X,andthedefaultcertificateisbeingusedastheservercertificate,manyclientoperatingsystemswillrefusetocontinuetheauthenticationprocess.
Thiswillresultinanapparentnetworkoutagefortheseusers.
Clientoperatingsystemsmayormaynotdisplayawarningmessagetotheuser.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Thisdocumentoutlinestheproceduresneededtoupdatethedefaultcertificate,inorderofpreference:Option1:InstallauniqueservercertificateOption2:UpgradeArubaOS2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option1:InstallaUniqueServerCertificateThisistherecommendedapproachsinceitprovidesthebestsecurity.
Inthisapproach,thedefaultcertificatewillremainonthecontroller,butyouwillloadoneormorenewcertificatesandthenconfigurethesystemtousethenewcertificate(s).
Ifyourorganizationoperatesaninternalcertificateauthority(CA)andallclientsthatwillusethesystemalreadytrusttheinternalCA,youmayusetheinternalCAtoissueanewcertificatetothecontroller.
Thisoptionisrecommendedfor802.
1XEAPterminationandWebUIadministrativeaccesstothecontroller.
Itcanalsobeusedforcaptiveportalaslongasthegeneralpublicwillnotbeaccessingthesystem(sincetheinternalCAwillnotbetrusted,thegeneralpublicwouldreceivebrowserwarnings.
)Ifpresentingacaptiveportalpagetocomputersownedbythegeneralpublic,acertificateissuedbyapublicCA(VeriSign,GeoTrust,Comodo,etc.
)shouldbeusedsothatbrowserwarningsarenotgenerated.
YoumaychoosetouseacertificateissuedbyapublicCAforWebUIadministrativeaccesstothecontrollerandfor802.
1XEAPterminationaswell,butuseofapublicCAinsteadofaninternalCAprovidesnobenefitinthosecases.
Beforerequestingacertificate,decidewhetheryouneeda1024-bitkey,2048-bitkey,or4096-bitkey.
NotethatmanypublicCAsnolongerissuecertificateswith1024-bitkeys.
IfyouarerunningArubaOS6.
1orgreater,youmayuseacertificatewitha2048-bitkeyforanypurpose.
Youmayuseacertificatewitha4096-bitkeyonlyforcaptiveportalandWebUI.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Tomaximizecompatibility,alwaysuseRSAunlessyouhaveaspecificreasontouseECC.
Ifyouarerunninganyreleasepriorto6.
1,youmayuseacertificatewitha2048-bitor4096-bitkeyonlyforcaptiveportalandWebUI.
802.
1XEAPterminationsupportsonly1024-bitkeys.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Thefollowinginstructionsshouldbefollowedtoobtainandinstallaservercertificate.
1.
GenerateaCertificateSigningRequest(CSR)fromthecontrollerbynavigatingtoConfigurationManagementCertificatesCSR.
Filloutthenecessaryfields.
Afterclicking"GenerateNew",thecontrollerwillgenerateaprivatekey,whichremainslockedinsidethecontroller,andabase64-encodedCSR.
TheCSRcontainsallthedetailsneededforyourCAtoissuethecertificate.
TheCommonName(CN)fieldshouldcontainthefullURLthatwebbrowserswillnavigatetoinordertoreachthecontroller'sembeddedwebserver.
TakecaretofillouttheCommonNamefieldcorrectlyaccordingtothepurposeofthecertificate:a.
Forcaptiveportal,thesystemwillautomaticallyissueHTTPredirectsandspoofDNSresponsestothecaptiveportalclientsothatthebrowserappearstobeconnectingtothecorrectDNSnamethatmatchesthecertificatecommonname.
Thisistoensurethatbrowserwarningsarenotgenerated.
Ifthecertificateisonlybeingusedforcaptiveportal,thenameintheCNfieldisunimportant–butmakesureitfallswithin2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
yourdomainnamesothatapublicCAwillcorrectlyauthorizeownershipofthecertificate.
b.
ForWebUI,theCNfieldshouldmatchtheaddressyouusetomanagethecontroller.
ThiscanbeanIPaddressoraFullyQualifiedDomainName(FQDN).
c.
For802.
1XEAPTermination,theCNfieldisnotmatchedbytheclientagainstanyotherparameter.
ItissuggestedthatyouchooseaFQDNthatisownedbyyourorganization.
2.
Clickon"ViewCurrent".
Copythebase64textshown,andpastethisintothecertificaterequestwindowprovidedbyyourcertificateauthority.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
3.
Onceyouhaveobtainedthecertificate,navigatetoConfigurationManagementCertificatesUploadanduploadthecertificatetothecontroller.
ThecertificatewillmostlikelybeprovidedtoyouinPEMorDERformat–ifyouarenotsurewhichformatitisin,tryPEMfirstandifanerrormessageresults,tryDER.
APEMformatcertificatewillbebase64-encodedandwillbeginwiththetext"-----BEGINCERTIFICATE-----".
4.
Ifyouwanttousethenewcertificateforcaptiveportal,navigatetoConfigurationManagementGeneralandchangetheCaptivePortalServerCertificate.
IfyouwanttousethenewcertificateforWebUI,configurationisfoundonthesamescreenunder"WebUIManagementAuthenticationMethod".
5.
IfyouwanttousethenewcertificateforEAPTermination,navigatetoConfigurationSecurityAuthenticationL2Authentication802.
1XAuthentication2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
ProfileAdvancedandchangetheservercertificateforallactive802.
1XauthenticationprofilesthatuseEAPTermination.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option2:UpgradeArubaOSArubahasobtainedanewcertificatelabeled"securelogin.
arubanetworks.
com"fromapublicCAthatreplacestheolddefaultcertificate.
ThenewcertificatehasanexpirationdateofNovember21,2013.
ThiscertificateisincludedaspartofthefollowingArubaOSsoftwarereleases:6.
1beginningwithrelease6.
1.
0.
06.
0beginningwithrelease6.
0.
1.
15.
0beginningwithrelease5.
0.
3.
23.
4beginningwithrelease3.
4.
4.
23.
3beginningwithrelease3.
3.
3.
10AllotherArubaOSreleasesdatedlaterthanJune1,2011Afterupgradingtooneoftheabovelistedreleases,nofurtheractionisrequiredtoenablethecertificate.
Ifthesystemwaspreviouslyconfiguredtousethedefaultcertificate,itwillautomaticallyusethenewlyupdatedcertificate.
Whilethisoptionprovidesthesamelevelofsecuritygivenbythepreviousdefaultcertificate,itisnotagoodoptionwhereanysecurityrequirementsexist.
SSL/TLSsecurityisprovidedbythecertificate'sprivatekeybeingkeptsecret.
Ifthecertificate'sprivatekeybecomesknown,itispossibleforanattackertoimpersonateanyserverorwebsiteusingthatcertificatewithouttheknowledgeoftheenduser.
BecausethesamecertificateandprivatekeyareinstalledonallArubacontrollers,anattackerneedonlyreverseengineerasinglesoftwareimagetoobtaintheprivatekey.
Whilethisprocessisnon-trivial,itiscertainlynotbeyondthemeansofaskilledanddeterminedattacker.
ItisalsopossibleforanattackertosimplypurchaseanduseanArubacontrollerforthepurposeofconductinganimpersonationattack.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
FAQQ:WhathappensifIhaveconfigured802.
1Xdevicesinmynetworktoonlytrustthe"securelogin.
arubanetworks.
com"certificate,ortoonlytrusttheEquifaxSecureCertificateAuthorityA:Thesedeviceswillneedtobereconfiguredafterinstallationofanewcertificate.
IftheseareWindowsdevices,UNCHECK"Connecttotheseservers"andUNCHECK"EquifaxSecureCertificateAuthority"intheTrustedRootCertificationAuthorities.
Afterconnectingtothecontrollerwiththenewcertificateinstalled,Windowswillupdatethesesettingsbypromptingtheuser.
Q:IsthecertificatebuiltintotheTPMchipaffectedbythisadvisoryA:No.
AllArubacontrollersthatcontainaTrustedPlatformModule(TPM),includingtheM3,3000series,and600series,containacertificateuniquetothecontrollerthathasbeenprogrammedatthefactory.
Thiscertificateisnotexpiringandisnotaffectedbythisadvisory.
ThiscertificateisusedforMaster-Localauthentication,ControlPlaneSecurity(CPsec),andRAPauthentication.
ItisnotsuitableforuseasanSSLcertificatesinceitwasissuedbyAruba'smanufacturingCA,whichisnottrustedbybrowsers.
Q:WhatcertificateauthoritywasusedtogeneratethenewcertificateWhatchainsdoesitcontain2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
A:ThenewcertificatewasissuedbyPositiveSSL,andultimatelychainsbackuptoUSERTrust,whichisissuedbyAddTrustExternalCARoot.
DevicesconnectingtothenetworkmusthaveUSERTrustinstalledasatrustedrootCAinorderfortheArubafactorydefaultcertificatetobetrusted.
UnderaWindowssystem,thecertificatechainappearsas
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SupportAdvisory:ArubaOSDefaultCertificateExpirationIssuedFebruary14,2011UpdatedApril8,2011Thisdocument,includingtheinformationitcontainsandtheprogramsmadeavailablethroughthelinksthatitincludes,isprovidedtoyouonan"asis"basis.
ARUBAANDITSSUPPLIERSDONOTWARRANTTHATSUCHINFORMATIONORTHEFUNCTIONSCONTAINEDINSUCHPROGRAMSWILLMEETYOURREQUIREMENTSORTHATTHEOPERATIONOFTHEPROGRAMSWILLBEUNINTERRUPTEDORERROR-FREE.
THEINFORMATIONANDPROGRAMSAREPROVIDEDTOYOUWITHNOWARRANTYOFANYKIND,EXPRESSORIMPLIED,INCLUDINGWITHOUTLIMITATION,ANYIMPLIEDWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENT.
INNOEVENTWILLARUBA,ITSSUPPLIERS,ORANYONEELSEWHOHASBEENINVOLVEDINTHECREATION,PRODUCTION,ORDELIVERYOFTHEINFORMATIONORPROGRAMSBELIABLEFORANYDIRECT,INDIRECT,INCIDENTALORCONSEQUENTIALDAMAGES,INCLUDINGWITHOUTLIMITATION,LOSTPROFITSORLOSTDATA,THATMAYARISEOUTOFYOURUSEOFORFAILURETOUSETHEINFORMATIONORPROGRAMS,EVENIFARUBAORSUCHOTHERENTITIESHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
THEFOREGOINGSHALLNOTBEDEEMEDTOPRECLUDEANYLIABILITYWHICH,UNDERAPPLICABLEPRODUCTSLIABILITYLAW,CANNOTBEPRECLUDEDBYCONTRACT.
ThisdocumentisbeingprovidedtoyoupursuanttotheprovisionsofyourapplicablesoftwarelicenseagreementwithAruba,andtheinformationandprogramsmaybeusedonlypursuanttothetermsandconditionsofsuchagreement.
ThisArubaSecurityAdvisorconstitutesArubaProprietaryInformationandshouldnotbedisseminated,forwardedordisclosed.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SummaryOnJune29,2011thedefaultSSL/TLScertificate"securelogin.
arubanetworks.
com"thatisinstalledonallArubacontrollerswillexpire.
Whilethisdefaultcertificatewasneverintendedforproductionuse,Arubaisawarethatanumberofcustomersareusingthiscertificateinproductionnetworks.
Thesecustomerswillneedtoreplacethecertificate.
Affectedcustomershavetwooptions:1.
Replacethedefaultcertificatewithacertificateissuedbyaninternalcertificateauthorityorapubliccertificateauthority.
Thisoptionisrecommendedandprovidesthegreatestsecurity.
2.
UpgradetheArubaOSimagetoaversionnumberequaltoorgreaterthan3.
3.
3.
10,3.
4.
4.
2,5.
0.
3.
2,6.
0.
1.
1,or6.
1.
0.
0.
Thesesoftwareimagescontainanewdefaultcertificatethatwillreplacetheexpiringcertificate.
Thisoptiondoesnotprovidegoodsecurity,sinceallArubacustomershaveaccesstothesamecertificateandimpersonationattacksarepossible.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
BackgroundTheArubaOSoperatingsystemloadedonallArubaMobilityControllerscontainsapre-loadeddigitalcertificatewiththename"securelogin.
arubanetworks.
com".
Thiscertificatewasissuedbyapubliccertificateauthority(CA)thatistrustedbymostbrowsersandoperatingsystems.
Bydefaultthecertificateisusedforthecontroller'smanagementinterface(WebUI),captiveportal,andEAPtermination.
Thiscertificateisintendedforquicklysettinguplabnetworks,demonstrations,andproof-of-conceptdeployments.
Asstatedintheuserguide,thedefaultcertificateisnotintendedforproductiondeployment,sinceeveryArubacontrollercontainsthesamecertificateandthisenablesimpersonationattacks.
Thefollowingtextsummarizestherisks:CaptivePortal:Anattackerimpersonatingacaptiveportalloginscreenmaybeabletoobtaintheusernameandpasswordofauthorizedusersonthesystem.
Ifcaptiveportalisusedonlyforguestaccess,thismaynotbedeemedaserioussecurityrisk.
Ifcaptiveportalisusedtoauthenticateinternalusers,thisattackcouldcausemoreseriousdamage.
AdministrativeWebUI:Tocarryoutanimpersonationattackagainstthecontroller'sadministrativeWebUI,theattackerwouldneedtointercepttrafficbetweenasystemadministrator'scomputerandthecontroller.
Thiswouldtypicallyrequireaninsiderattack,assumingadministrativeaccessisblockedfrompublicnetworks.
Theriskisseriousinthiscase,sinceasuccessfulattackwouldallowanunauthorizedpersontoobtainadministrativecredentialsfortheArubacontroller.
TheWebUIcertificateshouldalwaysbereplaced,evenifwithaself-signedcertificatethateachsystemadministratormustexplicitlytrust.
802.
1XEAPTermination:Thisistheriskiestuseofthedefaultcertificate,becauseanimpersonationattackmaybecarriedoutoverawirelessnetwork,andasuccessfulattackmayrevealusernamesandpasswordhashes(providingmaterialforanofflinepasswordcrackingattempt)orallowtheattackertogetauserconnectedtoahostilenetworkwhiletheuserthinksheorsheisconnectedtoatrustednetwork.
Thedefaultcertificateshouldneverbeusedfor802.
1X.
Arubaisawarethatsomecustomersdousethedefaultcertificateinproduction,typicallyforsecuringthecaptiveportalloginscreeninguestnetworkswhereensuringtheidentityofthecontrollerisnotanimportantsecurityconsideration.
Thedefaultcertificatewasvalidforfiveyears,andwillexpireonJune29,2011.
Ifthenetworkadministratordoesnotreplacethecertificate,thefollowingwilloccur:1.
UsersconnectingtocaptiveportalorWebUIpageswillreceiveabrowserwarningshowingthattheservercertificatehasexpired.
Usersmaybypassthewarning(withvaryingdegreesofdifficultydependingonthebrowser)andcontinueontousethesystemnormally.
2.
IfEAPterminationhasbeenenabledfor802.
1X,andthedefaultcertificateisbeingusedastheservercertificate,manyclientoperatingsystemswillrefusetocontinuetheauthenticationprocess.
Thiswillresultinanapparentnetworkoutagefortheseusers.
Clientoperatingsystemsmayormaynotdisplayawarningmessagetotheuser.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Thisdocumentoutlinestheproceduresneededtoupdatethedefaultcertificate,inorderofpreference:Option1:InstallauniqueservercertificateOption2:UpgradeArubaOS2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option1:InstallaUniqueServerCertificateThisistherecommendedapproachsinceitprovidesthebestsecurity.
Inthisapproach,thedefaultcertificatewillremainonthecontroller,butyouwillloadoneormorenewcertificatesandthenconfigurethesystemtousethenewcertificate(s).
Ifyourorganizationoperatesaninternalcertificateauthority(CA)andallclientsthatwillusethesystemalreadytrusttheinternalCA,youmayusetheinternalCAtoissueanewcertificatetothecontroller.
Thisoptionisrecommendedfor802.
1XEAPterminationandWebUIadministrativeaccesstothecontroller.
Itcanalsobeusedforcaptiveportalaslongasthegeneralpublicwillnotbeaccessingthesystem(sincetheinternalCAwillnotbetrusted,thegeneralpublicwouldreceivebrowserwarnings.
)Ifpresentingacaptiveportalpagetocomputersownedbythegeneralpublic,acertificateissuedbyapublicCA(VeriSign,GeoTrust,Comodo,etc.
)shouldbeusedsothatbrowserwarningsarenotgenerated.
YoumaychoosetouseacertificateissuedbyapublicCAforWebUIadministrativeaccesstothecontrollerandfor802.
1XEAPterminationaswell,butuseofapublicCAinsteadofaninternalCAprovidesnobenefitinthosecases.
Beforerequestingacertificate,decidewhetheryouneeda1024-bitkey,2048-bitkey,or4096-bitkey.
NotethatmanypublicCAsnolongerissuecertificateswith1024-bitkeys.
IfyouarerunningArubaOS6.
1orgreater,youmayuseacertificatewitha2048-bitkeyforanypurpose.
Youmayuseacertificatewitha4096-bitkeyonlyforcaptiveportalandWebUI.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Tomaximizecompatibility,alwaysuseRSAunlessyouhaveaspecificreasontouseECC.
Ifyouarerunninganyreleasepriorto6.
1,youmayuseacertificatewitha2048-bitor4096-bitkeyonlyforcaptiveportalandWebUI.
802.
1XEAPterminationsupportsonly1024-bitkeys.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Thefollowinginstructionsshouldbefollowedtoobtainandinstallaservercertificate.
1.
GenerateaCertificateSigningRequest(CSR)fromthecontrollerbynavigatingtoConfigurationManagementCertificatesCSR.
Filloutthenecessaryfields.
Afterclicking"GenerateNew",thecontrollerwillgenerateaprivatekey,whichremainslockedinsidethecontroller,andabase64-encodedCSR.
TheCSRcontainsallthedetailsneededforyourCAtoissuethecertificate.
TheCommonName(CN)fieldshouldcontainthefullURLthatwebbrowserswillnavigatetoinordertoreachthecontroller'sembeddedwebserver.
TakecaretofillouttheCommonNamefieldcorrectlyaccordingtothepurposeofthecertificate:a.
Forcaptiveportal,thesystemwillautomaticallyissueHTTPredirectsandspoofDNSresponsestothecaptiveportalclientsothatthebrowserappearstobeconnectingtothecorrectDNSnamethatmatchesthecertificatecommonname.
Thisistoensurethatbrowserwarningsarenotgenerated.
Ifthecertificateisonlybeingusedforcaptiveportal,thenameintheCNfieldisunimportant–butmakesureitfallswithin2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
yourdomainnamesothatapublicCAwillcorrectlyauthorizeownershipofthecertificate.
b.
ForWebUI,theCNfieldshouldmatchtheaddressyouusetomanagethecontroller.
ThiscanbeanIPaddressoraFullyQualifiedDomainName(FQDN).
c.
For802.
1XEAPTermination,theCNfieldisnotmatchedbytheclientagainstanyotherparameter.
ItissuggestedthatyouchooseaFQDNthatisownedbyyourorganization.
2.
Clickon"ViewCurrent".
Copythebase64textshown,andpastethisintothecertificaterequestwindowprovidedbyyourcertificateauthority.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
3.
Onceyouhaveobtainedthecertificate,navigatetoConfigurationManagementCertificatesUploadanduploadthecertificatetothecontroller.
ThecertificatewillmostlikelybeprovidedtoyouinPEMorDERformat–ifyouarenotsurewhichformatitisin,tryPEMfirstandifanerrormessageresults,tryDER.
APEMformatcertificatewillbebase64-encodedandwillbeginwiththetext"-----BEGINCERTIFICATE-----".
4.
Ifyouwanttousethenewcertificateforcaptiveportal,navigatetoConfigurationManagementGeneralandchangetheCaptivePortalServerCertificate.
IfyouwanttousethenewcertificateforWebUI,configurationisfoundonthesamescreenunder"WebUIManagementAuthenticationMethod".
5.
IfyouwanttousethenewcertificateforEAPTermination,navigatetoConfigurationSecurityAuthenticationL2Authentication802.
1XAuthentication2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
ProfileAdvancedandchangetheservercertificateforallactive802.
1XauthenticationprofilesthatuseEAPTermination.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option2:UpgradeArubaOSArubahasobtainedanewcertificatelabeled"securelogin.
arubanetworks.
com"fromapublicCAthatreplacestheolddefaultcertificate.
ThenewcertificatehasanexpirationdateofNovember21,2013.
ThiscertificateisincludedaspartofthefollowingArubaOSsoftwarereleases:6.
1beginningwithrelease6.
1.
0.
06.
0beginningwithrelease6.
0.
1.
15.
0beginningwithrelease5.
0.
3.
23.
4beginningwithrelease3.
4.
4.
23.
3beginningwithrelease3.
3.
3.
10AllotherArubaOSreleasesdatedlaterthanJune1,2011Afterupgradingtooneoftheabovelistedreleases,nofurtheractionisrequiredtoenablethecertificate.
Ifthesystemwaspreviouslyconfiguredtousethedefaultcertificate,itwillautomaticallyusethenewlyupdatedcertificate.
Whilethisoptionprovidesthesamelevelofsecuritygivenbythepreviousdefaultcertificate,itisnotagoodoptionwhereanysecurityrequirementsexist.
SSL/TLSsecurityisprovidedbythecertificate'sprivatekeybeingkeptsecret.
Ifthecertificate'sprivatekeybecomesknown,itispossibleforanattackertoimpersonateanyserverorwebsiteusingthatcertificatewithouttheknowledgeoftheenduser.
BecausethesamecertificateandprivatekeyareinstalledonallArubacontrollers,anattackerneedonlyreverseengineerasinglesoftwareimagetoobtaintheprivatekey.
Whilethisprocessisnon-trivial,itiscertainlynotbeyondthemeansofaskilledanddeterminedattacker.
ItisalsopossibleforanattackertosimplypurchaseanduseanArubacontrollerforthepurposeofconductinganimpersonationattack.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
FAQQ:WhathappensifIhaveconfigured802.
1Xdevicesinmynetworktoonlytrustthe"securelogin.
arubanetworks.
com"certificate,ortoonlytrusttheEquifaxSecureCertificateAuthorityA:Thesedeviceswillneedtobereconfiguredafterinstallationofanewcertificate.
IftheseareWindowsdevices,UNCHECK"Connecttotheseservers"andUNCHECK"EquifaxSecureCertificateAuthority"intheTrustedRootCertificationAuthorities.
Afterconnectingtothecontrollerwiththenewcertificateinstalled,Windowswillupdatethesesettingsbypromptingtheuser.
Q:IsthecertificatebuiltintotheTPMchipaffectedbythisadvisoryA:No.
AllArubacontrollersthatcontainaTrustedPlatformModule(TPM),includingtheM3,3000series,and600series,containacertificateuniquetothecontrollerthathasbeenprogrammedatthefactory.
Thiscertificateisnotexpiringandisnotaffectedbythisadvisory.
ThiscertificateisusedforMaster-Localauthentication,ControlPlaneSecurity(CPsec),andRAPauthentication.
ItisnotsuitableforuseasanSSLcertificatesinceitwasissuedbyAruba'smanufacturingCA,whichisnottrustedbybrowsers.
Q:WhatcertificateauthoritywasusedtogeneratethenewcertificateWhatchainsdoesitcontain2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
A:ThenewcertificatewasissuedbyPositiveSSL,andultimatelychainsbackuptoUSERTrust,whichisissuedbyAddTrustExternalCARoot.
DevicesconnectingtothenetworkmusthaveUSERTrustinstalledasatrustedrootCAinorderfortheArubafactorydefaultcertificatetobetrusted.
UnderaWindowssystem,thecertificatechainappearsas
- 2011ArubaNetworksInc.相关文档
- cmdmcomodo
- WayBillcomodo
- impactcomodo
- VarParseNumFromStrcomodo
- 丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂comodo
- Europeacomodo
美国云服务器 2核4G限量 24元/月 香港云服务器 2核4G限量 24元/月 妮妮云
妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款到网站余额,超过2天...
Boomer.host:$4.95/年-512MB/5GB/500GB/德克萨斯州(休斯顿)
部落曾经在去年分享过一次Boomer.host的信息,商家自述始于2018年,提供基于OpenVZ架构的VPS主机,配置不高价格较低。最近,主机商又在LET发了几款特价年付主机促销,最低每年仅4.95美元起,有独立IPv4+IPv6,开设在德克萨斯州休斯顿机房。下面列出几款VPS主机配置信息。CPU:1core内存:512MB硬盘:5G SSD流量:500GB/500Mbps架构:KVMIP/面板...
PacificRack 端午节再来一款年付$38 VPS主机 2核4GB内存1TB流量
这不端午节和大家一样回家休息几天,也没有照顾网站的更新。今天又出去忙一天没有时间更新,这里简单搜集看看是不是有一些商家促销活动,因为我看到电商平台各种推送活动今天又开始一波,所以说现在的各种促销让人真的很累。比如在前面我们也有看到PacificRack 商家发布过年中活动,这不在端午节(昨天)又发布一款闪购活动,有些朋友姑且较多是端午节活动,刚才有看到活动还在的,如果有需要的朋友可以看看。第一、端...
comodo为你推荐
-
vpsvps什么意思vps试用免费vps申请哪里有,免费vps试用的也可以?100m网站空间100M的最好的网站空间价格多少?重庆网站空间重庆建网站的公司 我司准备建一个好点的网站,求推荐虚拟主机管理系统虚拟主机管理系统那一家好?下载虚拟主机怎么安装虚拟机windows虚拟主机windows10用什么虚拟机jsp虚拟主机虚拟主机不能支持JSP的吗虚拟主机试用30天需要一个免费的虚拟主机,稳定的域名网站有免费的网站域名吗