Lenovo XClarity Administrator uses SSL certificates to establish secure, trusted communications between XClarity Administrator and its managed devices (such as chassis and service processors in the System x servers) as well as communications with XClarity Administrator by users or with different services. By default, XClarity Administrator, CMMs, and baseboard management controllers use XClarity Administrator-generated certificates that are self-signed and issued by an internal certificate authority.
Before you begin
This section is intended for administrators that have a basic understanding of the SSL standard and SSL certificates, including what they are and how to manage them. For general information about public key certificates, see X.509 webpage in Wikipedia and Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC5280) webpage.About this task
XClarity Administrator provides several services that accept incoming SSL/TLS connections. When a client, such as a managed device or a web browser, connects to one of these services, XClarity Administrator provides its server certificate to be identified by the client attempting the connection. The client should maintain a list of certificates that it trusts. If XClarity Administrator’s server certificate is not included in the client’s list, the client disconnects from XClarity Administrator to avoid exchanging any security sensitive information with an untrusted source.
XClarity Administrator acts as a client when communicating with managed devices and external services. When XClarity Administrator connects to a device or external service, the device or external service provides its server certificate to be identified by XClarity Administrator. XClarity Administrator maintains a list of certificates that it trusts. If the trusted certificate that is provided by the managed device or external service is not listed, XClarity Administrator disconnects from the managed device or external service to avoid exchanging any security sensitive information with an untrusted source.
Server Certificate. During the initial boot, a unique key and self-signed certificate are generated. These are used as the default Root Certificate Authority, which can be managed on the Certificate Authority page in the XClarity Administrator security settings. It is not necessary to regenerate this root certificate unless the key has been compromised or if your organization has a policy that all certificates must be replaced periodically (see Regenerating or restoring the Lenovo XClarity Administrator self-signed server certificate).
Also during the initial setup, a separate key is generated and a sever certificate is created and signed a certificate is created that is signed by the internal certificate authority. This certificate used as the default XClarity Administrator server certificate. It automatically regenerated each time XClarity Administrator detects that its networking addresses (IP or DNS addresses) have changed to ensure that the certificate contains the correct addresses for the server. It can be customized and generated on demand (see Regenerating or restoring the Lenovo XClarity Administrator self-signed server certificate).
You can choose to use an externally-signed server certificate instead of the default self-signed server certificate by generating a certificate signing request (CSR), having the CSR signed by an private or commercial certificate Root Certificate Authority, and then importing the full certificate chain into XClarity Administrator (see Deploying customized server certificates to Lenovo XClarity Administrator).
If you choose to use the default self-signed server certificate, it is recommended that you import the server certificate in your web browser as a trusted root authority to avoid certificate error messages in your browser (see Importing the Certificate Authority certificate into a web browser).
OS Deploy Certificate. A separate certificate is used by the operating-system deployment service to ensure that the operating-system installer can connect securely to deployment service during the operating-system installation process. If the key has been compromised, you can regenerate it by restarting the management server.
Trusted Certificates.
This trust store manages certificates that are used to establish a secure connection to local resources when XClarity Administrator acts as a client. Examples of local resources are managed devices, local software when forwarding event and an external LDAP server.
External-Services Certificates. This trust store manages certificates that are used to establish a secure connection with external services when XClarity Administrator acts as a client. Examples of external services are online Lenovo Support services that are used to retrieve warranty information or create service tickets, external software (such as Splunk) to which events can be forwarded, and Apple and Google push-notification servers if Lenovo XClarity Mobile push notifications are enabled for an iOS or Android device. It contains preconfigured, trusted certificates from Root Certificate Authorities from certain commonly trusted and world-known certificate-authority providers, such as Digicert and Globalsign).
When you configure XClarity Administrator to use a feature that requires a connection to another external service, refer to the documentation to determine if you need to manually add a certificate to this trust store.
Note that certificates in this trust store are not trusted when establishing connections for other services (such as LDAP) unless you also add them to the main Trusted Certificates trust store. Removing certificates from this trust store prevents successful operation of these services.