Certificates and Keys

Certificates are only needed if you intend to implement full PKI authentication for the viewer connections. If an SSL-encrypted session already meets your security requirements, you can ignore this aspect of PKI authentication. Where can you get the certificates? A default set of certificates is on your support CD; you can use them to practice the certificate uploads. In a real-world scenario, you can generate the certificates yourself (there is freeware or shareware, such as XCA, for this purpose), or you can buy certificates from companies that provide authentication services. The file names and formats of the certificates and keys uploaded to the switch must be exactly as shown here: root.crt, server.crt, serverkey.pem, ldapcert.crt and ldapkey.pem.

Viewer Connections

Browser connections to the Web Management interface always use SSL. Viewer connections can use different levels of security.

Security Level (SSL): The switch offers three levels of security for viewer connections. From the drop-down menu, select the level appropriate for your real demands on viewer connection security: “Level 1,” “Level 2” or “Level 3.”

Level 1 uses no SSL data encryption and no authentication. It is the most straightforward setting and offers the most convenience if there are no security concerns. Anyone who has a viewer and an Internet connection can easily connect to the switch as long as the user satisfies the password policy.

Level 2 uses SSL encryption for the viewer connection but requires only server authentication by the viewer client. Remote users are not required to install any certificates on their client computers. The viewer connection is still encrypted with 256-bit SSL technology to ensure that all data transmitted via the viewer connection is protected, including keyboard, mouse and video signals.

Level 3 uses 256-bit encryption and a bi-directional PKI authentication between the server and viewer client. With this level of security, all remote users who want to make viewer connections must install a proper client certificate on their computer. This client certificate must come from the same CA that issued the root.crt certificate of the switch.

In all, there are nine possible combinations of viewer security levels and password policies available for the flexibility to adapt to your specific security needs.

KVM Server Password: This field only appears if you choose to implement Level 3 security. See Page 16. Enter the password that encrypts the server private key in the server private key file (serverkey.pem); without it, a viewer connection with the switch cannot succeed in the Level 3 security setting. If you use the standard set of certificates provided on the included support CD, the password that encrypts the server private key is “serverpwd.” However, if you use your own set of certificates (as you should for a genuinely secure installation), you need to obtain the correct server password from the Certificate Authority that issued those certificates.

First, obtain a set of certificates from your administrator. If your certificate files have different names, rename them to the valid names before uploading. To upload the certificates, click “Browse” to go to the location where your certificates reside, select a certificate file, then click “Upload.” Certificates are uploaded one at a time to the switch. After each upload completes, you will see the prompt page for a reboot. You do not have to reboot after each upload: reboot once after you have uploaded all necessary certificates (root.crt, server.crt and serverkey.pem). If you need to SSL-encrypt the LDAP connection for remote user authentication, you must upload two extra files: ldapcert.crt and ldapkey.pem.

User-Password Policy: The switch offers three types of password policies for selection from the drop-down menu: “No Password,” “Global Password” and “User Password.”

No Password means the viewer will not prompt you for any user password: The door is open unless you are using Level 3 security.

MANAGEMENT OVER A BROWSER

 

Intellinet Network Solutions 524100 user manual Certificates and Keys, Viewer Connections