Skip to main content

Management-hub security certificates

Lenovo XClarity Management Hub 2.0 uses SSL certificates to establish secure, trusted communications between the management hub and its managed devices, as well as communications with management hub by users or with different services. By default, XClarity Management Hub 2.0 and the XClarity One portal use XClarity One-generated certificates that are self-signed and issued by an internal certificate authority.

Attention
Managing security certificates requires a basic understanding of the SSL standard and SSL certificates, including what they are and how to manage them. For general information about public key certificates, see X.509 webpage in Wikipedia and Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC5280) webpage.

The default server certificate, which is uniquely generated in every instance of XClarity Management Hub 2.0 provides sufficient security for many environments. You can choose to let XClarity Management Hub 2.0 manage certificates for you, or you can take a more active role by customizing and replacing the server certificates. XClarity Management Hub 2.0 provides options for customizing certificates for your environment. For example, you can choose to:

  • Generate a new pair of keys by regenerating the internal certificate authority and/or the end server certificate that uses values that are specific to your organization.

  • Generate a certificate signing request (CSR) that can be sent to your choice of certificate authorities to sign a custom certificate that can then be uploaded to the management hub to be used as the end-server certificate for all its hosted services.

  • Download the server certificate to your local system so that you can import that certificate into your web browser's list of trusted certificates.

XClarity Management Hub 2.0 provides several services that accept incoming SSL/TLS connections. When a client, such as a web browser, connects to one of these services, the management hub provides its server certificate to be identified by the client attempting the connection. The client should maintain a list of certificates that it trusts. If a management-hub server certificate is not included in the client’s list, the client disconnects from the management hub to avoid exchanging any security-sensitive information with an untrusted source.

XClarity Management Hub 2.0 acts as a client when communicating with managed devices and external services. When this occurs, the managed device or external service provides its server certificate to be verified by the management hub. The management hub maintains a list of certificates that it trusts. If the trusted certificate that is provided by the managed device or external service is not listed, the management hub disconnects from the managed device or external service to avoid exchanging any security sensitive information with an untrusted source.

Server Certificate

During the initial boot, a unique key and self-signed certificate are generated. These are used as the default Root Certificate Authority, which can be managed on the Certificate Authority page in the XClarity Management Hub 2.0 security settings. It is not necessary to regenerate this root certificate unless the key has been compromised or if your organization has a policy that all certificates must be replaced periodically (see Regenerating the self-signed management hub server certificate).

Also during the initial setup, a separate key is generated and a sever certificate is created and signed by the internal certificate authority. This certificate used as the default management-hub server certificate. It is automatically regenerated each time XClarity Management Hub 2.0 detects that its IP address, hostname or domain name have changed to ensure that the certificate contains the correct addresses for the server. It can be customized and generated on demand (see Regenerating the self-signed management hub server certificate).

You can choose to use an externally-signed server certificate instead of the default self-signed server certificate by generating a certificate signing request (CSR), signing the CSR using an private or commercial root certificate authority, and then importing the full certificate chain into the management hub (see Installing a trusted, externally-signed management hub server certificate).

If you choose to use the default self-signed server certificate, it is recommended that you import the server certificate in your web browser as a trusted root authority to avoid certificate error messages in your browser (see Importing the management hub server certificate into a web browser).