Skip to main content

Security certificates

XClarity One uses SSL certificates to establish secure, trusted communications between the portal and management hubs, as well as communications with the portal by users or with different services. When running XClarity One as a virtual machine, the XClarity One portal and the management hubs use XClarity One-generated certificates that are self-signed and issued by an internal certificate authority by default.

Attention
Managing security certificates requires a basic understanding of the SSL standard and SSL certificates, including what they are and how to manage them. For general information about public key certificates, see X.509 webpage in Wikipedia and Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC5280) webpage.

The default server certificate, which is uniquely generated in every instance of XClarity One provides sufficient security for many environments. You can choose to let XClarity One manage certificates for you, or you can take a more active role by customizing and replacing the server certificates. XClarity One provides options for customizing certificates for your environment. For example, you can choose to:

  • Generate a new pair of keys by regenerating the internal certificate authority and/or the end server certificate that uses values that are specific to your organization.

  • Generate a certificate signing request (CSR) that can be sent to your choice of certificate authorities to sign a custom certificate that can then be uploaded to the portal to be used as the end-server certificate for all its hosted services.

  • Download the server certificate to your local system so that you can import that certificate into your web browser's list of trusted certificates.

XClarity One provides several services that accept incoming SSL/TLS connections. When a client, such as a web browser, connects to one of these services, the portal provides its server certificate to be identified by the client attempting the connection. The client should maintain a list of certificates that it trusts. If a portal certificate is not included in the client’s list, the client disconnects from the portal to avoid exchanging any security-sensitive information with an untrusted source.

XClarity One acts as a client when communicating with managed devices and external services. When this occurs, the managed device or external service provides its server certificate to be verified by the portal. The portal maintains a list of certificates that it trusts. If the trusted certificate that is provided by the managed device or external service is not listed, the portal disconnects from the management hub or external service to avoid exchanging any security sensitive information with an untrusted source.

Server Certificate

During the initial boot, a unique key and self-signed certificate are generated. These are used as the default Root Certificate Authority, which can be managed on the Certificate Authority page in the XClarity One security settings.

Also during the initial setup, a separate key is generated and a sever certificate is created and signed by the internal certificate authority. This certificate used as the default portal server certificate. It is automatically regenerated each time XClarity One detects that its IP address, hostname or domain name have changed to ensure that the certificate contains the correct addresses for the server.

You can choose to use an externally-signed server certificate instead of the default self-signed server certificate by generating a certificate signing request (CSR), signing the CSR using an private or commercial root certificate authority, and then importing the full certificate chain into the portal (see Installing a trusted, externally-signed XClarity One server certificate).

If you choose to use the default self-signed server certificate, it is recommended that you import the server certificate in your web browser as a trusted root authority to avoid certificate error messages in your browser (see Importing the XClarity One server certificate into a web browser).

  • Regenerating the self-signed XClarity One server certificate
    You can generate a new server certificate to replace the current self-signed XClarity One server certificate or to reinstate a portal-generated certificate if XClarity One currently uses a customized externally-signed server certificate. The new self-signed server certificate is used by the portal for HTTPS access.
  • Installing a trusted, externally-signed XClarity One server certificate
    When running Lenovo XClarity One as a virtual machine, you can choose to use a trusted server certificate that was signed by a private or commercial certificate authority (CA). To use an externally-signed server certificate, generate a certificate signing request (CSR), and then import the resulting server certificate to replace the existing server certificate.
  • Importing the XClarity One server certificate into a web browser
    You can save a copy of the current server certificate, in PEM format, to your local system. You can then import the certificate into your web browser's list of trusted certificates or to other applications to avoid security warning messages from your web browser when you access XClarity One.