Configuring the Symantec Management Platform 7.1 to use SSL.

Article:HOWTO53002  |  Created: 2011-05-16  |  Updated: 2012-12-19  |  Article URL http://www.symantec.com/docs/HOWTO53002
Article Type: How To

The Symantec Installation Manager creates a self-signed SSL certificate during installation, or offers to install an existing certificate.

Note
HTTPS adds significant overhead to Web servers in general, and the exact cost depends on the operating system you are running. Refer to Microsoft documentation on the overhead HTTPS places on communication to determine the hardware needs and server load that will result if you change all Altiris Agent communication from HTTP to HTTPS. For example, in some publicly available Web server test results, smaller servers could handle only 10-20% of the same Web browsing traffic when configured to use HTTPS instead of HTTP. Suitable hardware can significantly improve HTTPS performance: many public Web sites purchase network cards that off-load encryption and decryption from the CPU to the card, thereby largely bypassing the overhead of HTTPS.

Requesting and installing an SSL certificate after Symantec Management Platform installation

Obtain a Certificate
1. In IIS Manager, select the server node in the tree view and double-click the Server Certificates feature in the list view.
2. Click Create Certificate Request... in the Actions pane.
   Enter the Distinguished Name Properties for the new certificate and click Next.
   Select a Bit Length for the certificate and a File Name for the certificate request.
3. Submit the certificate request to your certificate authority (company-internal or third party).
4. Once the certificate authority has returned the issued certificate, click Complete Certificate Request....
5. Choose the .cer file and enter a Friendly name to import the certificate.

Create an SSL Binding
Select a site in the tree view and click Bindings... in the Actions pane.  This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site. Click Add... to add your new SSL binding to the site.
(Source and all rights reserved; http://learn.iis.net)
 
The default settings for a new binding are HTTP on port 80. Select https in the Type drop-down list. Select the certificate you obtained in the previous section (or the self-signed certificate created during installation) from the SSL Certificate drop-down list, and then click OK.
(Source and all rights reserved; http://learn.iis.net)
 
Now you have a new SSL binding on your site and all that remains is to verify that it works.
(Source and all rights reserved; http://learn.iis.net)
Verify the SSL Binding
In the Actions pane, under Browse Web Site, click the link associated with the binding you just created.
(Source and all rights reserved; http://learn.iis.net)
 
Internet Explorer (IE) 7 will display an error page if the certificate is self-signed, because it was issued by your computer rather than by a trusted Certificate Authority (CA). IE 7 will trust the certificate if you add it to the Trusted Root Certification Authorities certificate store on the local computer, or distribute it through Group Policy for the domain.
Click Continue to this website (not recommended).

(Source and all rights reserved; http://learn.iis.net)
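The check below is an added example, not code from the Symantec article or from learn.iis.net. Run from a client, it opens a TLS connection to the new binding, fetches the server certificate and reports the two conditions behind the IE 7 error page: a chain the local machine does not trust, and a name mismatch. It assumes the SMP listens on 443 and that $HostName is the name the Altiris Agents will use.

```powershell
# Added example (not from the Symantec article): connect to the SMP's https
# binding from a client, fetch the server certificate, and report the two
# things that make IE 7 show its error page: an issuer chain the local machine
# does not trust, and a certificate name that does not match the host name.
# Assumption: the SMP listens on 443 and $HostName is the name agents will use.
function Test-SmpSslBinding {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; we inspect it ourselves below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against this machine's Trusted Root store, the store the
        # article says to populate (locally or through Group Policy).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainTrusted = $chain.Build($cert)
        $chainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # Compare the name we connected to with the names the certificate carries
        # (subject CN via GetNameInfo, plus the Subject Alternative Name extension).
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $nameMatches = ($dnsName -ieq $HostName) -or ($sanText -imatch [regex]::Escape($HostName))

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted = $chainTrusted
            ChainStatus  = $chainStatus
            NameMatches  = $nameMatches
        }
    }
    finally {
        $client.Close()
    }
}

# Run from an agent machine against the name the Altiris Agents will use, e.g.:
# Test-SmpSslBinding -HostName 'smp.example.local'
```

ChainTrusted becomes True only once the issuing root is in the client's Trusted Root store; NameMatches must also be True before agents are switched to HTTPS, otherwise the PreferredNSHost steps later in this article apply.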
 
Configure SSL Settings
Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click the SSL Settings feature in the middle pane.
(Source and all rights reserved; http://learn.iis.net)
 
 
Using a certificate issued to a name different from the SMP server FQDN

Note: The steps below are valid for the Symantec Management Platform itself; individual Solutions may have their own requirements or known issues for using a certificate issued to a name different from the SMP server FQDN.
If the certificate was generated for a name that differs from the server's, the codebases for the Notification Server will be incorrect. The Task Server on the SMP also uses the FQDN of the SMP server for client registration. The following steps are needed for the agents to communicate correctly.
The PreferredNSHost setting lets you specify a preferred Notification Server hostname for SWD codebase and snapshot URLs that point to the Notification Server (Package Server URLs are unaffected).
 
Symantec Management Platform 7 (NS 7) changed the way this setting is implemented. Previously you edited the coreSettings.config file to add the preferred Notification Server hostname (see Article ID HOWTO2789, "Usage of the PreferredNSHost coresettings.config option"). With NS 7.0 and 7.1 a registry value holds that information. The coreSettings.config file still contains an entry for the setting, but it is only a reference to the registry value; if you modify the regvalue in coreSettings.config you will break the setting.
The entry in coreSettings.config for NS 7 looks like this:
<customSetting key="PreferredNSHost" type="registry" regkey="Notification Server" regvalue="PreferredNSHost" />
 
By default, during installation of the Notification Server, SIM (Symantec Installation Manager) populates this registry value with whatever server name you selected on the configuration page of the initial installation, which is usually the Fully Qualified Domain Name (FQDN). So, to modify the preferred Notification Server hostname for SWD codebase and snapshot URLs, do the following:
1. Open the Registry Editor (open the Run prompt, type regedit and click OK).
2. Go to HKLM\Software\Altiris\eXpress\Notification Server and open the PreferredNSHost value.
3. Modify the PreferredNSHost value, entering the NetBIOS name, FQDN, or IP address that you want to use for SWD codebases and snapshot URLs.
4. Restart the Altiris Service.
5. Go to Control Panel > Scheduled Tasks and run the NS.Package Refresh schedule (by default it runs every day at 3:30 AM). Running this schedule updates the SWD codebases and snapshot URLs.
Note: If the PreferredNSHost value is not present but coreSettings.config still references it, simply recreate it: create a String Value named 'PreferredNSHost' under the key above.
Additional Note: Do not add a port to the PreferredNSHost setting (such as nsServer:5814 or 10.x.x.x:5484). Adding a port will cause NS.Package Refresh to FAIL.
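The script below is an added example, not Symantec's code: it performs steps 2 and 3 above on the SMP server, taking the name from the certificate attached to the site's https binding and refusing any value that carries a port. It assumes the SMP web site is 'Default Web Site' and that the IIS WebAdministration module is installed.

```powershell
# Added example (not from the Symantec article): set the PreferredNSHost
# registry value to the name on the SMP's bound certificate, refusing a value
# that carries a port, which the article says makes NS.Package Refresh fail.
# Assumptions: the SMP site is 'Default Web Site' and the IIS WebAdministration
# module is installed on the server.
Import-Module WebAdministration

$RegPath   = 'HKLM:\SOFTWARE\Altiris\eXpress\Notification Server'
$ValueName = 'PreferredNSHost'

function Test-PreferredNSHost {
    param([Parameter(Mandatory)][string]$HostName)
    # Reject 'nsServer:5814' style values; accept only a bare NetBIOS name, FQDN or IPv4 address.
    if ($HostName -match ':') { return $false }
    return ($HostName -match '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$')
}

function Get-SmpCertificateName {
    param([string]$SiteName = 'Default Web Site')
    # Return the DNS name (SAN first, then subject CN) of the certificate
    # attached to the site's https binding.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) { throw "No https binding on '$SiteName'; create the SSL binding first." }
    $cert = Get-Item ('Cert:\LocalMachine\{0}\{1}' -f $binding.certificateStoreName, $binding.certificateHash)
    return $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
}

function Set-PreferredNSHost {
    param([Parameter(Mandatory)][string]$HostName)
    if (-not (Test-PreferredNSHost $HostName)) {
        throw "Refusing '$HostName': PreferredNSHost must be a host name or IP without a port."
    }
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # Recreate the String value if it is missing, as the article's note advises.
    $current = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType String -Value $HostName | Out-Null
    } else {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $HostName
    }
    return (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
}

# Only change the setting when the certificate name differs from the server FQDN.
$fqdn     = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$certName = Get-SmpCertificateName
if ($certName -ine $fqdn) {
    Set-PreferredNSHost -HostName $certName
    # Then restart the Altiris service and run NS.Package Refresh (steps 4 and 5 above).
}
```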
 
Configure the Group Policy to Trust the Authority
If the certificate has been issued by a Root Certification Authority that is not already trusted, perform the following steps to add it as a Trusted Root Certification Authority.
1. In Active Directory Users and Computers, right-click the domain and select Properties.
2. Select the Group Policy tab.
3. Edit the default domain policy or create a new policy (Microsoft recommends creating a new policy for each area you are configuring and leaving the default domain policy last in the list).
4. Browse to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
5. Right-click in the results pane and import the root certificate.
 
 
Changing expired / updated SSL certificates
When customers need to replace the SSL certificate on their SMP (for example, an expired certificate or a different vendor), our products follow standard IIS/SSL procedures. The following general guidelines assume the server host name has not changed and DNS resolution is properly configured:
1. Replace expired or updated SSL certificates on the client machines if client certificates have been issued to them.
2. On the SMP server itself, replace the certificate as well, following the steps at the beginning of this article.
 
For further information please refer to best practices on SSL implementation found on the web. For example: http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/
 
KNOWN ISSUES:
TECH152293 - Symantec Endpoint Protection Integration::Failed to create package and Failed to create a command line for the package.
TECH122154 - Unable to authenticate via SSL with the certificate that has been applied to the Notification Server.