Working with security certificates
Lenovo SDI Management Platform uses SSL certificates to establish secure and trusted communications with resource managers (such as Lenovo XClarity Administrator) and users. By default, Lenovo SDI Management Platform and resource managers use self-signed certificates generated by Lenovo SDI Management Platform.
About this task
The default server certificate, which is uniquely generated in every instance of Lenovo SDI Management Platform, provides sufficient security for many environments. You can choose to let Lenovo SDI Management Platform manage certificates for you, or you can take a more active role by customizing and replacing the server certificates. Lenovo SDI Management Platform provides options for customizing certificates for your environment. For example, you can choose to:
Generate a new server key and certificate, using values that are specific to your organization.
Generate a certificate signing request (CSR) and send it to the selected certificate authority to create a signed certificate that can then be uploaded to Lenovo SDI Management Platform and used as an end-server certificate for all its hosted services.
Download the server certificate to your local system so that you can import that certificate into your web browser's list of trusted certificates.
Lenovo SDI Management Platform provides several services that accept incoming Transport Layer Security (TLS) connections. When a client, such as a resource manager or web browser, connects to one of these services, Lenovo SDI Management Platform provides its server certificate to be identified by the client attempting the connection. The client should maintain a list of certificates that it trusts. If the Lenovo SDI Management Platform server certificate is not included in the client’s list, the client disconnects from Lenovo SDI Management Platform to avoid exchanging any security-sensitive information with an untrusted source.
Lenovo SDI Management Platform acts as a client when communicating with resource managers and external services. When this occurs, the resource manager or external service provides its server certificate to be verified by Lenovo SDI Management Platform. Lenovo SDI Management Platform maintains a list of certificates that it trusts. If the certificate that is provided by the resource manager or external service is not in that list, Lenovo SDI Management Platform disconnects from the resource manager or external service to avoid exchanging any security-sensitive information with an untrusted source.
The following categories of certificates are used by Lenovo SDI Management Platform.
Server Certificate. During the initial setup, a server key and a self-signed certificate are generated. This certificate is used as the default Lenovo SDI Management Platform server certificate. It is automatically regenerated each time Lenovo SDI Management Platform detects that its networking addresses (IP or DNS addresses) have changed to ensure that the certificate contains the correct addresses for the server. It can be customized and generated on demand (see Regenerating an internally-signed Lenovo SDI Management Platform server certificate).
You can choose to use an externally-signed server certificate instead of the default self-signed server certificate by generating a certificate signing request (CSR), having the CSR signed by a private or commercial certificate authority, and then importing the full certificate chain into Lenovo SDI Management Platform (see Installing an externally-signed Lenovo SDI Management Platform server certificate).
If you choose to use the default self-signed server certificate, it is recommended that you import the server certificate into your web browser as a trusted root authority to avoid certificate error messages in your browser (see Importing the server certificate into a web browser).
Trusted Certificates. This truststore manages certificates that are used to establish a secure connection to local resources when Lenovo SDI Management Platform acts as a client. Examples of local resources include managed resource managers and local software that receives forwarded events.
External-Services Certificates. This truststore manages certificates that are used to establish a secure connection with external services when Lenovo SDI Management Platform acts as a client. Examples of external services include online Lenovo Support services that are used to retrieve warranty information or create service tickets, and external software (such as Splunk) to which events can be forwarded. It contains preconfigured, trusted root certificates from certain commonly trusted and well-known certificate-authority providers, such as DigiCert and GlobalSign.
When you configure Lenovo SDI Management Platform to use a feature that requires a connection to another external service, refer to the documentation to determine if you need to manually add a certificate to this truststore.
Note that certificates in this truststore are not trusted when establishing connections for other services (such as LDAP) unless you also add them to the main Trusted Certificates truststore. Removing certificates from this truststore prevents these services from running successfully.
Adding a trusted certificate for external services
These certificates are used to establish trust relationships with external services. For example, certificates in this truststore are used when retrieving warranty information from Lenovo, creating tickets, forwarding events to an external application (such as Splunk), and using external LDAP servers.
Adding a trusted certificate for internal services
These certificates are used to establish trust relationships with local resources when Lenovo SDI Management Platform acts as a client to those resources, such as resource managers, local software that receives forwarded events, and the embedded LDAP server. Additionally, the internal CA certificate, as well as the CA certificate of a customized externally-signed server certificate (if one is installed), are present in this truststore to support internal Lenovo SDI Management Platform communication.
Installing an externally-signed Lenovo SDI Management Platform server certificate
You can choose to use a trusted server certificate that was signed by a private or commercial certificate authority (CA). To use an externally-signed server certificate, generate a certificate signing request (CSR), and then import the resulting server certificate to replace the existing server certificate.
Regenerating an internally signed Lenovo SDI Management Platform server certificate
You can generate a new server certificate to replace the current internally-signed Lenovo SDI Management Platform server certificate, or to reinstate a Lenovo SDI Management Platform-generated certificate if Lenovo SDI Management Platform currently uses a customized externally-signed server certificate. Lenovo SDI Management Platform uses the new internally signed server certificate for HTTPS access.
Importing the server certificate into a web browser
You can save a copy of the current server certificate, in PEM format, to your local system. You can then import the certificate into your web browser's list of trusted certificates or into other applications (such as Lenovo XClarity Mobile or Lenovo XClarity Integrator) to avoid security warning messages from your web browser when you access Lenovo SDI Management Platform.