Lenovo XClarity Administrator uses SSL certificates to establish secure, trusted communications between XClarity Administrator and its managed devices (such as chassis and service processors in the System x servers) as well as communications with XClarity Administrator by users. By default, XClarity Administrator, CMMs, and baseboard management controllers use XClarity Administrator-generated certificates that are self-signed and issued by an internal certificate authority.
About this task
Lenovo XClarity Administrator provides a number of services that accept incoming Transport Layer Security (TLS) connections. When a client, such as a managed device or a web browser, connects to one of these services, Lenovo XClarity Administrator provides its server certificate to authenticate itself to the client. The client should maintain a list of certificates that it trusts. If Lenovo XClarity Administrator’s server certificate is not included in the client’s list, the client disconnects from Lenovo XClarity Administrator to avoid exchanging any security sensitive information with an untrusted source.
Lenovo XClarity Administrator acts as a client when communicating with managed devices and external services. When Lenovo XClarity Administrator connects to a device or external service, the device or external service provides its server certificate to authenticate itself to Lenovo XClarity Administrator. Lenovo XClarity Administrator maintains a list of certificates that it trusts. If the trusted certificate that is provided by the managed device or external service is not listed, Lenovo XClarity Administrator disconnects from the managed device or external service to avoid exchanging any security sensitive information with an untrusted source.
Trusted Certificates. These certificates verify that Lenovo XClarity Administrator can trust a device or server (in most cases) when that Lenovo XClarity Administrator acts as a client to establish a secure connection to another device or server. For example, certificates in this trust store are used when establishing a secure connection to managed devices and trusted LDAP servers. Additionally, the Lenovo XClarity Administrator internal CA certificate as well as the CA certificate of a customized externally-signed server certificate (if one is installed) are present in this trust store to support internal Lenovo XClarity Administrator communication.
External Services Certificates. These certificates verify that Lenovo XClarity Administrator can trust another Lenovo server or other external server only for specific external services. This trust store is used when connecting to Lenovo to look up warranty status information. It is also used to connect to the Apple and Google push-notification server if Lenovo XClarity Mobile push notifications are enabled for an iOS or Android device. Certificates in this trust store are not trusted when establishing connections for other services (such as LDAP) unless you also add them to the main Trusted Certificates trust store. Removing certificates from this trust store prevents successful operation of these services.
Internally-Signed Certificates. During the initial setup of Lenovo XClarity Administrator, a unique key and self-signed certificate are generated. These are used as the default certificate authority, which can be managed on the Certificate Authority page in the Lenovo XClarity Administrator security settings. It is not necessary to regenerate this certificate unless the key has been compromised or if your organization has a policy that all certificates must be replaced periodically (see Regenerating or restoring the Lenovo XClarity Administrator internally-signed server certificate).
Also during the initial setup, a separate key is generated and a certificate is created that is signed by the internal certificate authority. This certificate used as the default Lenovo XClarity Administrator server certificate. It automatically regenerated each time Lenovo XClarity Administrator detects that the networking addresses (IP or DNS addresses) have changed to ensure that the certificate contains the correct addresses for the server. It can be customized and generated on demand (see Regenerating or restoring the Lenovo XClarity Administrator internally-signed server certificate).
Download the internally-signed CA certificate using the download button on the Certificate Authority page and to install it into your web browser as a trusted root authority (see Importing the Certificate Authority certificate into a web browser).
Regenerate the server certificate, following the help guidance when deciding whether to use an IP address or a hostname as the Common Name (see Regenerating or restoring the Lenovo XClarity Administrator internally-signed server certificate).
Externally-Signed Certificates. You can choose to generate a certificate signing request (CSR) for signing by your organization’s certificate authority or a third-party certificate authority. After the CSR is signed, you can import the full certificate chain and use it in place of the unique default internally signed certificates (see Installing a customized, externally signed server certificate).
OS Deploy Certificate. A separate certificate is used by the operating-system deployment service to ensure that the operating-system installer can connect securely to deployment service during the operating-system installation process. The key and certificate that are used by this service are regenerated during every Lenovo XClarity Administrator boot. If the key has been compromised, you can regenerate it by restarting the management server.