Readying Certificates | Apple 10.6 guide

When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM formatted files for every identity:

ÂÂ The certificate

ÂÂ The public key ÂÂ The trust chain

ÂÂ The concatenated version of the certificate plus the trust chain (for use with some services)

The certificate and trust chain are owned by the root user and the wheel group, with permissions set to 644. The public key and concatenation file are owned by the root user and the certusers group, with permissions set to 640.

Each file has the following naming convention:

<common name>.<SHA1 hash of the certificate>.<cert chain concat key>.pem

For example, the certificate for a web server at example.com might look like this:

www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem

Readying Certificates

Before you can use SSL in Mac OS X Server’s services, you must create or import certificates. You can create self-signed certificates, create certificates and then generate a Certificate Signing Request (CSR) to send to a CA, or import certificates previously created with OpenSSL.

If you have previously generated certificates for SSL, you can import them for use by Mac OS X Server services. The OpenSSL keys and certificates must be in PEM format.

Select a CA to sign your certificate request. If you don’t have a CA to sign your request, consider becoming your own CA and then import your CA certificates into the root trust database of your managed machines.

When you set up Mac OS X Server, the Server Assistant creates a self-signed certificate based on information you provided when it’s first installed. It can be used for any service that supports SSL. When your clients choose to trust the certificate, SSL connections can be used without user interaction from that point on.

This initial self-signed certificate is used by Server Admin and Server Preferences to encrypt administrative functions.

64

Chapter 4    Enhancing Security

Image 64

Apple 10.6 manual Readying Certificates

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Administration Tools Enhancing Security Installation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Push Notification Server Index Contents About This Guide What’s in This Guide Using Onscreen Help To see the most recent server help topics Document Road Map Getting Started Preface About This Guide Getting Documentation Updates Getting Additional Information System Requirements for Installing Mac OS X Server Standards What’s New in Mac OS X Server ÂÂ iCal Server What’s New in Server Admin Understanding Server Configuration Methods Snmp NFS Supported Standards Radius System Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Planning Server Usage Determining Your Server Needs Determining Whether to Upgrade or Migrate Setting Up a Planning Team Identifying Servers to Set Up Determining Services to Host on Each Server Planning Server Usage Migrating from Windows Defining a Migration StrategyDefining an Integration Strategy Defining Server Setup Infrastructure Requirements Defining Physical Infrastructure Requirements Setting up basic server infrastructure Defining Backup and Restore Policies Minimizing the Need to Relocate Servers After SetupMaking Sure Required Server Hardware Is Available Understanding Backup and Restore Policies Understanding Backup Types Understanding Backup Scheduling Understanding Restores Other Backup Policy Considerations Defining a Backup Verification Mechanism Command-Line Backup and Restoration Tools Understanding Time Machine as a Server Backup Tool ÂÂ Remote Access Settings ÂÂ Software Update ÂÂ Wiki ÂÂ Xgrid Server Admin Opening and Authenticating in Server Admin Server Admin Interface M N Customizing the Server Admin Environment Server Assistant Server Assistant is used for Server Preferences Workgroup Manager Workgroup Manager Interface Server Monitor Customizing the Workgroup Manager Environment For additional information, see Server Monitor Help ICal Service Utility ICal Service Utility Interface System Image Management Media Streaming Management RAID Admin Command-Line ToolsServer Status Widget Xgrid Admin Podcast Capture, Composer, and Producer Apple Remote Desktop Enhancing Security About Physical Security Firewalls and Packet Filters About Network SecurityNetwork DMZ VLANs MAC Filtering Transport Encryption Payload Encryption File and Folder Permissions About File SecurityAbout File Encryption About Authentication and Authorization Secure Delete You have several options for authenticating users ÂÂ Secure Shell SSH Single Sign-On About Certificates, SSL, and Public Key Infrastructure Public and Private Keys Certificates About Certificate Authorities CAs About Self-Signed Certificates About IdentitiesAbout Intermediate Trust To configure clients to trust a certificate Certificate Manager in Server AdminFrom the command line Enhancing Security Readying Certificates Creating a Self-Signed Certificate Requesting a Certificate from a Certificate AuthorityTo create a self-signed certificate To request a signed certificate Creating a Certificate Authority To create a CA Enhancing Security Using a CA to Create a Certificate for Someone Else Importing a Certificate IdentityTo create a certificate for someone else To import an existing OpenSSL style certificate Managing Certificates Editing a Certificate Distributing a CA Public Certificate to Clients Deleting a CertificateTo distribute your certificate to your clients To delete a certificate Using Certificates Renewing an Expiring CertificateReplacing an Existing Certificate To renew an expiring certificate Key-Based SSH Login To do this, run the following commands in TerminalSSH and SSH Keys Generating a Key Pair for SSH Key-Based SSH with Scripting Sample Administration Level Security Setting Administration Level Privileges Setting Sacl Permissions Service Level SecurityTo set Sacl permissions for a service Security Best Practices Password Guidelines Creating Complex Passwords Confirm you meet the requirements Installation Overview Gather your information Set up the environment Start up the computer from an installation disk Start the installer Prepare the target disk Set Up Services Gathering the Information You Need Setting Up Network Services About the Server Install DiscConnecting to the Directory During Installation SSH During Installation Mac OS X Server Install Disc Preparing an Administrator ComputerAdministration Tools CD To install Mac OS X Server v10.6 administration tools About Starting Up for InstallationBefore Starting Up To start up the computer with the installation disc Starting Up from the Install DVDStarting Up from an Alternate Partition Create a restorable image of the Install DVD Restore the image to the alternate partitionTo create an image of the Install DVD Prepare the disks and partitions on the target computer To restore the image to a free volume Remotely Accessing the Install DVD To access the computer with Server Assistant To access the computer using Screen Sharing To access the computer with VNCTo access the computer with SSH Identifying Remote Servers When Installing Mac OS X Server Identify the target server Starting Up from a NetBoot Environment Preparing Disks for Installing Mac OS X Server Create a NetInstall image from the Install DVD Start up the computer from the NetBoot server To create a NetInstall image from the Install DVD Choosing a File System ÂÂ Mac OS Extended Journaled, Case-Sensitive aka Hfsx About Hard Disk Partitioning To partition a disk using Disk Utility Partitioning a Disk So the command is About Creating a RAID Set To create a RAID set using Disk Utility You cannot create a RAID set from the startup disk Diskutil createRAID mirror setName format device device Installing Server Software Interactively For example Installing Locally from the Installation Disc To install server software locally Installing Remotely with Server Assistant To install on a remote server by using Server Assistant Installing Remotely with Screen Sharing and VNC Changing a Remote Computer’s Startup Disk To change a remote computer’s startup disk To use installer to install server software 105 Most Efficient Methods of Installation Installing Multiple ServersMore Interactive Methods of Installation How to Keep Current Upgrading a Computer from Mac OS X to Mac OS X Server To postpone setting up Mac OS X Server Postponing Server Setup Following InstallationInformation You Need Configuring Servers with Multiple Ethernet Ports Connecting to the Network During Initial Server SetupAbout Settings Established During Initial Server Setup Specifying Initial Open Directory Usage ÂÂ Create Users and Groups ÂÂ Configure Manually Not Changing Directory Usage When UpgradingÂÂ Import Users and Groups Setting Up a Server as a Standalone Server Binding a Server to Multiple Directory Servers Setting up Servers Interactively To interactively connect to an additional directory server To set up servers interactively Select the target servers from the configuration list Using Automatic Server Setup Creating and Saving Setup Data To create a setup data file Using Encryption with Setup Data Files How a Server Searches for Saved Setup Data Files Setting Up Servers Automatically Using Data Saved in a File To use setup data from a file remotely Create the saved setup folder on the remote serverRestart the remote server To set the server serial number Handling Setup Errors Setting Up Services Adding Services to the Server ViewTo change services to administer From the command-line Setting Up Open Directory Setting Up User ManagementSetting Up All Other Services To set up a user account Computers You Can Use to Administer a Server Setting Up an Administrator Computer Using a Non-Mac OS X Computer for Administration Insert the Mac OS X Server Admin Tools CD Using the Administration Tools Working with Pre-v10.6 Computers from v10.6 Servers Ports Used for Administration Ports Open By Default Server Admin Basics Adding and Removing Servers in Server Admin Grouping Servers Manually Grouping Servers Using Smart GroupsTo create a server group Working with Settings for a Specific Server To create a server smart group Toolbar button Shows 132 ÂÂ NetBoot ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile AccessUnderstanding Mac OS X Server Names Directory Service and Kerberos Dhcp NetBoot Mobile Access Proxy ServicesFirewall ÂÂ MySQL Web MySQL Certificates for Web and Wiki ServicesWiki 138 Certificates for Mail Services ÂÂ Certificates for collaboration servicesImap and POP Mailing List ICal Service Address Book ServiceIChat Service Certificates for Collaboration Services To change the IP address of the Podcast Producer computer To change the DNS name of the Podcast Producer computer Software Update Server PrintPush Notification Xgrid Changing the Server’s DNS Name After Setup Changing the IP Address of a ServerChanging the Server’s Computer Name and the Local Hostname To change the DNS name From the command line Administering ServicesTo change computer name and local hostname Adding and Removing Services in Server Admin Importing and Exporting Service SettingsTo add or remove a service in Server Admin To export service settings Controlling Access to Services To configure service access SACLs Using SSL for Remote Server Administration Managing Sharing Tiered Administration Permissions Workgroup Manager Basics Defining Administrative PermissionsTo assign permissions Opening and Authenticating in Workgroup Manager Administering AccountsWorking with Users and Groups 152 Defining Managed Preferences Working with Directory Data To display the inspector Service Configuration Assistants Critical Configuration and Data FilesAssistants are available for the following services General Firewall Service Mail ServiceIChat Server Mail-POP/IMAP Server Dovecot MySQL Service NAT Service OpenDirectory Service NotificationsQuickTime Streaming Server Tomcat App Server Improving Service Availability Web ServiceEliminating Single Points of Failure Wiki and Blog Server Using Xserve for High Availability Setting Up Your Server for Automatic Restart Using Backup PowerUsing UPS with Xserve Following is the Energy Saver panel of System Preferences To enable automatic restart Ensuring Proper Operational ConditionsProviding Open Directory Replication Automatic restart options are Link Aggregation About the Link Aggregation Control Protocol Lacp Link Aggregation Scenarios Computer to Switch Setting Up Link Aggregation in Mac OS X Server To create a link aggregate Monitoring Link Aggregation Status To monitor the status of a link aggregate Load Balancing Using launchd for Daemon Control ÂÂ mDNSresponder local network service discovery processDaemon Overview Viewing Running Daemons 170 Planning a Monitoring Policy Planning Monitoring Response Using Server Monitor Using with Server Status WidgetTo configure the Server Status widget Using Console for Server Monitoring Using RAID Admin for Server MonitoringUsing Disk Monitoring Tools Using Network Monitoring Tools Using Server Status Notification in Server Admin Monitoring Server Status Overviews Using Server AdminTo set a notification To see a status overview for one server Using Remote Kernel Core Dumps Following shows a sample Overview pane for a single server 177 Setting Up a Core Dump Server Setting up a core dump server Setting up a core dump client Setting Up a Core Dump ClientRestart the computer for the settings to take effect Configuring Common Core Dump Options About Simple Network Management Protocol Snmp To enable Snmp Configuring snmpdEnabling Snmp reporting Customize data To enable and configure Snmp Restart snmpd to take changes Additional Information about Snmp About Notification and Event Monitoring DaemonsTools to Use with Snmp There are two main notification daemons syslogd and emond Logging Syslog Directory Service Debug Logging Syslog Configuration FileOpen Directory Logging To start debugging at startup To enable client-side logging Additional Monitoring AidsAFP Logging To run slapd in debugging mode Push Notification Server About Push Notification Server To enable Push Notification Starting and Stopping Push Notification Click Save, then restart the service Changing a Service’s Push Notification ServerTo change the existing push notification server Index 192 193 194 195 196 197