Manuals / WatchGuard Technologies / Household Appliance / Water Heater

WatchGuard Technologies SSL VPN manual Converting to a PEM-FormattedCertificate

Models: SSL VPN

1 198

Download 198 pages 26.5 Kb

Page 165

Converting to a PEM-Formatted Certificate

Converting to a PEM-Formatted Certificate

For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801.

Converting to a PEM-Formatted Certificate

The signed certificate file that you receive from the Certificate Authority might not be in a PEM format. If the file is in binary format (DER), convert it to PEM format as follows:

openssl x509 -in certFile -inform DER -outform PEM -out convertedCertFile

If the certificate is already in a text format, it may be in PKCS format. You will receive a PKCS formatted certificate if you specified that the certificate will be used with a Microsoft rather than Apache operating system. The following command results in an error message if the certificate is not in PEM format. The certFile should not contain the private key when you run this command.

openssl verify -verbose -CApath /tmp certFile

If that command results in the following error message, the file is not in PEM format. certFile: unable to load certificate file

4840:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:781:

To convert the certificate from PKCS7 to PEM format

1Run the command:

openssl pkcs7 -in ./certFile-print_certs The output will look like this: subject=...

...

-----BEGIN CERTIFICATE-----

... Server Certificate ...

-----END CERTIFICATE-----

subject=...

...

-----BEGIN CERTIFICATE-----

... Intermediate Cert ...

-----END CERTIFICATE-----

2Combine the server certificate data and the intermediate certificate data (if it exists) from the output with the private key as specified in “Combining the Private Key with the Signed Certificate” on page 155 and “Generating Trusted Certificates for Multiple Levels” on page 156.

Combining the Private Key with the Signed Certificate

You must combine the signed certificate with the private key before you can upload it to the Firebox SSL VPN Gateway.

Administration Guide

155

Image 165

WatchGuard Technologies SSL VPN Converting to a PEM-FormattedCertificate, openssl verify -verbose -CApath /tmp certFile

Contents

Firebox SSL VPN Gateway SUPPORT ADDRESSSALES ABOUT WATCHGUARDContents Setting Up the Firebox SSL VPN Gateway Hardware Configuring Secure Certificate ManagementFirebox SSL VPN Gateway Administration Desktop The Firebox SSL VPN Gateway operates as followsUsing the Serial Console Configuring Authentication and Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Generating a Secure Certificate for the Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting Combining the Private Key with the Signed Certificate VPN Gateway CHAPTER 1 Getting Started with Firebox SSLAudience Operating System RequirementsThreat responses, alerts, and expert advice LiveSecurity Service SolutionsEasy software updates Access to technical support and trainingSoftware Update LiveSecurity Service BroadcastsInformation Alert Threat ResponseActivating LiveSecurity Service LiveSecurity Service Self Help ToolsBasic FAQs New from WatchGuardKnown Issues Advanced FAQsWatchGuard Users Forum Fireware “How To”’sUsing the WatchGuard Users Forum LiveSecurity Service technical supportOnline Help Product DocumentationVPN Installation Service Firebox Installation ServiceService time Training and Certificationa certification exam. The training materials include links to books and web sites with more information about network security Overview CHAPTER 2 Introduction to Firebox SSL VPN GatewayOverview Network topology showing the TCP circuitAuthentication and one-timepasswords New FeaturesNew versions of the Secure Access Client Configurable symmetric encryption ciphersDisable desktop sharing Secure Access Client connectionsDisable kiosk mode Automatic port redirectionNTLM authentication and authorization support FeaturesUpdated serial console menu Administration ToolFirebox SSL VPN Gateway Settings Authentication and AuthorizationUser Groups, Local Users, and Resources Server Upgrade FeatureEnable External Administration Saving and RestoringServerConfigurationThe User Experience Feature SummaryConnecting to the Firebox SSL Access Portal Deployment and AdministrationPlanning your deployment Planning your deploymentAuthentication Support Configuring Secure Certificate Management•A cross-overcable and a Windows computer To physically connect the Firebox SSL VPN Gateway Setting Up the Firebox SSL VPN Gateway HardwareTo configure TCP/IP settings using a serial cable To configure TCP/IP Settings Using Network Cables To configure TCP/IP settings using network cablesFirebox SSL VPN Gateway Administration Tool The Firebox SSL VPN Gateway operates as follows Using the Firebox SSL VPN GatewayTo redirect unsecure connections 2Click the General Networking tabTo configure a proxy server Starting the Secure Access ClientOperation through Firewalls and Proxies Establishing the Secure TunnelPerformance and Real-TimeTraffic Using the Firebox SSL VPN GatewayAdministration Guide Connecting to a Server Load Balancer Using Kiosk ModeAdministration Guide Using the Firebox SSL VPN GatewayFirebox SSL VPN Gateway Using the Firebox SSL VPN GatewayCHAPTER 3 Configuring Basic Settings Firebox SSL VPN Gateway Administration Desktop Using the Administration PortalDownloads Tab Admin Users Tab Using the Serial ConsoleMaintenance Tab To change the administrator passwordUsing the Administration Tool To download and install the Administration ToolTo open the serial console Upgrading the tunnel and tunnel upgrade license To publish Firebox SSL VPN Gateway settingsProduct Activation and Licensing In SyncTo manage licenses on the Firebox SSL VPN Gateway Managing LicensesTesting Your License Installation To install a license fileTo test your configuration Information about Your LicensesUsing the Default Portal Page Using Portal Pages7Click My own computer and then click Connect 1Click the VPN Gateway Cluster tabVariable Content inserted by variableUsing the ActiveX Control Enabling Portal Page Authentication To enable portal page authenticationLinking to Clients from Your Web Site Pre-AuthenticationPolicy Portal Page Multiple Log On Options using the Portal PageSecure Desktop Access Secure Application AccessConnecting Using Secure Access Client Connecting Using a Web AddressDouble-sourceAuthentication Portal Page Double-sourceauthentication portal pageTo save the Firebox SSL VPN Gateway configuration Saving and Restoring the ConfigurationTo restore a saved configuration To upgrade the Firebox SSL VPN GatewayShutting Down the Firebox SSL VPN Gateway Restarting the Firebox SSL VPN GatewayFirebox SSL VPN Gateway System Date and Time To restart the Firebox SSL VPN GatewayAllowing ICMP traffic To enable ICMP trafficTo change the system date and time Network Time ProtocolCHAPTER 4 Configuring Firebox SSL VPN Configuring Network InformationGateway Network Connections General Networking General NetworkingDuplex mode External Public FQDNVPN port IP addressTo enable split DNS Name Service ProvidersTo edit the HOSTS file DNS Server 1, DNS Server 2, DNS ServerEnable Dynamic Gateway Configuring Network RoutingDynamic and Static Routing To remove an entry from the HOSTS fileEnabling RIP Authentication for Dynamic Routing Configuring Dynamic RoutingTo configure dynamic routing To enable RIP authentication for dynamic routingChanging from Dynamic Routing to Static Routing Configuring a Static RouteTo save dynamic routes to the static route table To add a static routeTo test a static route Static Route ExampleTo remove a static route Network topology showing a static routeConfiguring Internal Failover Configuring Firebox SSL VPN Gateway FailoverTo set up the example static route To enable internal failoverConfiguring Network Access Controlling Network AccessSpecifying Accessible Networks Enabling Split Tunneling1Click the Global Cluster Policies tab To enable split tunneling Denying Access to Groups without an ACLConfiguring User Groups 1Click the Global Cluster Policies tabImproving Voice over IP Connections To deny access to user groups without an ACLEnabling Improving Voice over IP Connections 1Click the Global Cluster Policies tab1Click the Global Cluster Policies tab To improve latency for UDP trafficCHAPTER 5 Configuring Authentication and AuthorizationConfiguring Authentication and Authorization Configuring Authentication and Authorization Configuring Authentication without Authorization The Default RealmUsing a Local User List for Authentication Changing Password for Users Configuring Local UsersAdding Users to Multiple Groups To add a user to a groupTo change a user’s password Configuring the Default RealmTo remove and create a Default realm 4In Authorization Type, select LDAP AuthorizationCreating Additional Realms To create a realm3On the Action menu, select Remove Default realm Using SafeWord for Authentication To disable Firebox SSL VPN Gateway authentication SafeWord PremierAccess AuthorizationTo configure SafeWord on the Access Gateway To configure the IAS RADIUS realm 1Click the Authentication tabServer 5Select Local computer and click Finish default RADIUS=Standard 22Under Vendor-assignedattribute number, type23In Attribute format, select String To configure RADIUS authorization To specify RADIUS server authenticationChoosing RADIUS Authentication Protocols 1Click the Authentication tabLDAP Server LDAP authenticationUser Attribute Case SensitiveTo configure LDAP authentication 1Click the Authentication tab5Click the Authentication tab LDAP Authorization To configure LDAP authentication LDAP authorization group attribute fields1Click the Authentication tab 4Click the Authentication tabTo configure LDAP authorization To install and set up the LDAP Browser Using certificates for secure LDAP connectionsDetermining Attributes in your LDAP Directory To upload a secure client certificate for LDAPHost Using RSA SecurID for AuthenticationPort Base DN5 For Agent type, select UNIX Agent To enable RSA SecurID authentication Configuration Files1Click the Authentication tab Resetting the node secret Configuring RSA Settings for a ClusterConfiguring Gemalto Protiva Authentication To reset the node secret on the RSA ACE/ServerTo configure NTLM authentication Configuring NTLM Authentication and Authorization1Click the Authentication tab 5Click the Authentication tabConfiguring NTLM Authorization To configure NTLM authorization3In Authorization type, select NTLM authorization Configuring Double-SourceAuthentication To prevent caching of one-timepasswords1On the Authentication tab, click Authentication To change the password labels Changing Password LabelsAdding Local Users To create a user on the Firebox SSL VPN Gateway1Click the Access Policy Manager tab To delete a user from the Firebox SSL VPN Gateway User Group OverviewTo create a local user group Creating User GroupsTo remove a user group 1Click the Access Policy Manager tabDefault group properties Configuring Properties for a User GroupTo enable or disable Default group properties Forcing Users to Log on Again1Click the Access Policy Manager tab Enabling domain logon scriptsTo enable session time-out To enable logon scriptsEnabling session time-out 1Click the Access Policy Manager tabSetting Application Options Configuring Web Session Time-OutsTo enable Web session time-outs To disable desktop sharingEnabling Split DNS To configure IP pooling for a groupEnabling IP Pooling To allow failover to a user’s local DNSChoosing a portal page for a group Client certificate criteria configurationTo specify a portal page for a group 3In Use this custom portal page, select the pageTo specify client certificate configuration Configuring Resources for a User GroupTo create pre-authenticationpolicies Global policiesGroup resources include Group properties includeAdding Users to Multiple Groups Defining network resources To configure resource access control for a groupTo remove a resource from a user group 1Click the Access Policy Manager tab1Click the Access Policy Manager tab To create and configure a network resourceApplication policies To configure an application policyTo add a network resource to a group To remove a network resourceTo deny one application network access Configuring file share resourcesTo add an application policy to a group To deny applications without policiesTo create and configure a kiosk resource Configuring kiosk modeTo create a file share resource To remove a shareEnd point resources and policies Configuring end point resourcesTo create an end point resource 1Click the Access Policy Manager tabTo delete an end point resource Configuring an end point policy for a groupTo create an end point policy for a group 1Click the Access Policy Manager tabSetting the Priority of Groups To build an end point policy expression1Click the Access Policy Manager tab To set the priority of groups Configuring Pre-AuthenticationPoliciesTo view the group priorities for a user To create pre-authenticationpoliciesFirebox SSL VPN Gateway Setting the Priority of GroupsCertificates CHAPTER 7 Creating and Installing SecureOverview of the Certificate Signing Request Password-ProtectedPrivate KeysTo create a Certificate Signing Request Creating a Certificate Signing Request1Click the VPN Gateway Cluster tab Creating Root Certificates Using a Command Prompt Installing Multiple Root CertificatesResetting the Certificate to the Default Setting To reset the default certificateClient Certificates To require client certificates1Click the Global Cluster Policies tab Installing Root Certificates Wildcard Certificates Requiring Certificates from Internal ConnectionsSystem Requirements CHAPTER 8 Working with Client ConnectionsOperating Systems Web BrowsersTo connect using the default portal page Using the Access PortalTo remove the Linux VPN client Connecting from a Private ComputerThe Firebox SSL VPN Gateway operates as follows sbin/service net6vpnd startipconfig/all or route print Establishing the Secure TunnelConnecting from a Private Computer Administration GuideOperation through Firewalls and Proxies ActiveX Helper Using the Secure Access Client WindowTo log on to the Firebox SSL VPN Gateway Connecting from a Private ComputerAdministration Guide To disconnect the Secure Access Client To use the Secure Access Client status propertiesTo manually configure a proxy server To view the Connection LogTo disconnect the Secure Access Client Connections Using Kiosk Mode Connecting from a Public ComputerTo enable kiosk mode Creating a Kiosk Mode Resourcecomputer To add a file share to a kiosk resource Working with File Share ResourcesTo create and configure a kiosk resource 1Click the Access Policy Manager tabClient Applications To enable client applicationsTo remove a file share To work with file share resourcesTo configure Remote Desktop To configure FirefoxFirefox Web Browser Remote Desktop clientVNC Client Telnet 3270 Emulator ClientGaim Instant Messenging To use the SSH clientTo use Gaim Supporting Secure Access ClientConnection handling Managing Client ConnectionsTo enable a user at a particular MAC address To disable a user at a particular MAC addressClosing a connection to a resource Disabling and enabling a user4Click OK Firebox SSL VPN Gateway Managing Client ConnectionsAPPENDIX A Firebox SSL VPN Gateway Monitoring and TroubleshootingViewing and Downloading System Message Logs To view and filter the system logViewing the W3C-FormattedRequest Log Forwarding System Messages to a Syslog Server3Click Logging/Settings 4Under Gateway Log, click Display Logging WindowEnabling and Viewing SNMP Logs To enable logging of SNMP messagesMulti Router Traffic Grapher Example 2 Under SNMP Settings, select Enable SNMPMonitoring Firebox SSL VPN Gateway Operations Viewing System StatisticsEthereal Network Analyzer Firebox SSL Real-timeMonitorxNetTools TracerouteBacking up your configuration settings Reinstalling v 4.9 application softwareUpgrading to SSL v Upgrading to SSL vLaunching the v 5.5 Administration Tool TroubleshootingTroubleshooting the Web Interface Applications do not Appear after Logging OnOther Issues Read/Write Access to the Firebox SSL VPN GatewayWeb Interface Credentials Are Invalid Ping Command Defining Accessible NetworksLDAP Authentication VMWareInternal Failover The Administration Tool Is InaccessibleCertificate Signing Certificate Revocation ListsSecure Access Client Certificates Using 512-bitkeypairsSecure Access Client Connections with Windows XP DNS Name Resolution Using Named Service ProvidersUsing Third-PartyClient Software NTLM AuthenticationClient Connections from a Windows Server WINS EntriesVPN Gateway APPENDIX B Using Firewalls with Firebox SSLTo view Secure Access Client status properties BlackICE PC ProtectionMcAfee Personal Firewall Plus Sygate Personal Firewall Free and Pro Versions Norton Personal FirewallTiny Personal Firewall ServicesZoneAlarm Pro APPENDIX C Installing Windows Certificates To install Cygwin4Click Install from Internet and then click Next To unencrypt the private key Unencrypting the Private Keyopenssl verify -verbose -CApath /tmp certFile Converting to a PEM-FormattedCertificateBEGINRSA PRIVATE KEY <Unencrypted Private Key> Administration Guide Intermediate Certificate Intermediate CertificateIntermediate Certificate Firebox SSL VPN Gateway Administration Guide APPENDIX D Examples of Configuring Network Access•Global Cluster Policies •Authentication Collecting the LDAP directory information Collecting the LDAP Directory Information ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com Configuring Accessible Networks To configure accessible networks2Click the Global Cluster Policies tab 5In Realm Name, type Default 1Click the Access Policy Manager tab 1Click the Access Policy Manager tab10.10.0.0/24 10.60.10.0/24 10.10.25.50/32 Administration Guide Creating a Guest User Authentication Realm Creating Local Users To add the local users1Click the Access Policy Manager tab 2Expand User Groups and then expand Local Users 1Click the Access Policy Manager tabAPPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE change be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or NO WARRANTY END OF TERMS AND CONDITIONS Administration Guide Firebox SSL VPN Gateway Index Page Page Page Page Page Page Firebox SSL VPN Gateway