Working with security certificates

Lenovo XClarity Administrator uses SSL certificates to establish secure, trusted communications between XClarity Administrator and its managed devices (such as chassis and service processors in the System x servers) as well as communications with XClarity Administrator by users. By default, XClarity Administrator, CMMs, and baseboard management controllers use XClarity Administrator-generated certificates that are self-signed and issued by an internal certificate authority.

About this task

The default server certificate, which is uniquely generated in every instance of XClarity Administrator, provides sufficient security for many environments. You can choose to let Lenovo XClarity Administrator manage certificates for you, or you can take a more active role and customize or replace the server certificates. XClarity Administrator provides options for customizing certificates for your environment. For example, you can choose to:
  • Generate a new server key and certificate that uses values that are specific to your organization.
  • Generate a certificate signing request (CSR) that can be sent to your choice of certificate authority to create a signed certificate that can then be uploaded to the XClarity Administrator trust store.
  • Download the certificate to your local system so that you can import that certificate into your web browser's list of trusted certificates.

Lenovo XClarity Administrator provides a number of services that accept incoming Transport Layer Security (TLS) connections. When a client, such as a managed device or a web browser, connects to one of these services, Lenovo XClarity Administrator provides its server certificate to authenticate itself to the client. The client should maintain a list of certificates that it trusts. If Lenovo XClarity Administrator’s server certificate is not included in the client’s list, the client disconnects from Lenovo XClarity Administrator to avoid exchanging any security-sensitive information with an untrusted source.

Lenovo XClarity Administrator acts as a client when communicating with managed devices and external services. When Lenovo XClarity Administrator connects to a device or external service, the device or external service provides its server certificate to authenticate itself to Lenovo XClarity Administrator. Lenovo XClarity Administrator maintains a list of certificates that it trusts. If the certificate that is provided by the managed device or external service is not in that list, Lenovo XClarity Administrator disconnects from the managed device or external service to avoid exchanging any security-sensitive information with an untrusted source.

The following certificates are used by Lenovo XClarity Administrator:
  • Trusted Certificates. These certificates verify, in most cases, that Lenovo XClarity Administrator can trust a device or server when Lenovo XClarity Administrator acts as a client to establish a secure connection to that device or server. For example, certificates in this trust store are used when establishing a secure connection to managed devices and trusted LDAP servers. Additionally, the Lenovo XClarity Administrator internal CA certificate as well as the CA certificate of a customized externally-signed server certificate (if one is installed) are present in this trust store to support internal Lenovo XClarity Administrator communication.

  • External Services Certificates. These certificates verify that Lenovo XClarity Administrator can trust another Lenovo server or other external server only for specific external services. This trust store is used when connecting to Lenovo to look up warranty status information. It is also used to connect to the Apple and Google push-notification server if Lenovo XClarity Mobile push notifications are enabled for an iOS or Android device. Certificates in this trust store are not trusted when establishing connections for other services (such as LDAP) unless you also add them to the main Trusted Certificates trust store. Removing certificates from this trust store prevents successful operation of these services.

  • Internally-Signed Certificates. During the initial setup of Lenovo XClarity Administrator, a unique key and self-signed certificate are generated. These are used as the default certificate authority, which can be managed on the Certificate Authority page in the Lenovo XClarity Administrator security settings. It is not necessary to regenerate this certificate unless the key has been compromised or if your organization has a policy that all certificates must be replaced periodically (see Regenerating or restoring the Lenovo XClarity Administrator internally-signed server certificate).

    Also during the initial setup, a separate key is generated and a certificate is created that is signed by the internal certificate authority. This certificate is used as the default Lenovo XClarity Administrator server certificate. It is automatically regenerated each time Lenovo XClarity Administrator detects that the networking addresses (IP or DNS addresses) have changed, to ensure that the certificate contains the correct addresses for the server. It can also be customized and generated on demand (see Regenerating or restoring the Lenovo XClarity Administrator internally-signed server certificate).

    If you do not install an externally-signed server certificate, it is recommended that you perform the following steps to avoid certificate error messages in your browser:
    1. Download the internally-signed CA certificate using the download button on the Certificate Authority page, and install it into your web browser as a trusted root authority (see Importing the Certificate Authority certificate into a web browser).

    2. Regenerate the server certificate, following the help guidance when deciding whether to use an IP address or a hostname as the Common Name (see Regenerating or restoring the Lenovo XClarity Administrator internally-signed server certificate).

  • Externally-Signed Certificates. You can choose to generate a certificate signing request (CSR) for signing by your organization’s certificate authority or a third-party certificate authority. After the CSR is signed, you can import the full certificate chain and use it in place of the unique default internally-signed certificates (see Installing a customized, externally signed server certificate).

  • OS Deploy Certificate. A separate certificate is used by the operating-system deployment service to ensure that the operating-system installer can connect securely to the deployment service during the operating-system installation process. The key and certificate that are used by this service are regenerated during every Lenovo XClarity Administrator boot. If the key has been compromised, you can regenerate it by restarting the management server.

Lenovo XClarity Administrator supports PKCS 1.5 RSA-2048/SHA-256 certificate signatures and ECDSA p256/SHA-256 signatures in all product configurations. Other algorithms, such as SHA-1 or stronger SHA hashes, might be supported depending on your configuration. Consider the selected cryptographic mode in Lenovo XClarity Administrator (see Configuring cryptography settings) and the capabilities of other software and devices in your environment. ECDSA certificates that are based on some elliptic curves (including p256), but not all elliptic curves, are supported on the Trusted Certificates page and in the signing chain of the Lenovo XClarity Administrator certificate, but are not currently supported for use as the Lenovo XClarity Administrator server certificate.

Note: Only PKCS 1.5 RSA-2048/SHA-256 signatures are supported. RSA-PSS signatures are not supported at this time.
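As an added example that is not part of the Lenovo documentation or the product, the following openssl script creates an RSA-2048 key, a CSR with organization-specific values and a stand-in self-signed certificate, then checks a PEM certificate for the signature algorithms listed above (SHA-1 and RSA-PSS signatures are rejected) and for SANs that carry the server's hostname and IP address, the two values the server certificate must stay in step with. The hostname, IP address and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Lenovo's own tooling. Uses openssl (1.1.1 or later, for
# -addext) to create a test key, CSR and self-signed server certificate matching
# the signature requirements on this page (PKCS#1 v1.5 RSA-2048/SHA-256) with
# the server's DNS name and IP as SANs, then checks a PEM certificate against
# those requirements. Host name, IP and subject are constructed placeholders.
set -eu
WORK="${TMPDIR:-/tmp}/lxca-cert-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
HOST=lxca.example.internal; IP=192.0.2.10
SUBJ="/C=US/O=Example Corp/OU=Infrastructure/CN=$HOST"
SAN="subjectAltName=DNS:$HOST,IP:$IP"
# RSA-2048 key plus a CSR with organization-specific values; the CSR is what
# would be sent to the organization's CA for signing.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -sha256 -subj "$SUBJ" \
    -addext "$SAN" -out "$WORK/server.csr" 2>/dev/null
}
# Stand-in for the signed certificate: self-signed here so it can be checked
# offline (in practice the CA-signed chain would be imported instead).
make_cert() {
  openssl req -new -x509 -key "$WORK/server.key" -sha256 -days 365 \
    -subj "$SUBJ" -addext "$SAN" -out "$WORK/server.pem" 2>/dev/null
}
# check_cert CERT HOST IP: prints "ok" when the signature algorithm is one the
# page lists as supported (SHA-1 or RSA-PSS signatures fail here), an RSA key
# is 2048 bits, and the SANs include HOST and IP; else prints the problem.
check_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  sigalg="$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)"
  case "$sigalg" in
    sha256WithRSAEncryption|ecdsa-with-SHA256) ;;
    *) echo "unsupported signature algorithm: $sigalg"; return 1 ;;
  esac
  if [ "$sigalg" = sha256WithRSAEncryption ]; then
    bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
    [ "$bits" = 2048 ] || { echo "RSA key is $bits bits, expected 2048"; return 1; }
  fi
  sans="$(printf '%s\n' "$text" | awk '/Subject Alternative Name:/ { getline; print; exit }')"
  case "$sans" in *"DNS:$2"*) ;; *) echo "SAN missing DNS:$2"; return 1 ;; esac
  case "$sans" in *"IP Address:$3"*) ;; *) echo "SAN missing IP:$3"; return 1 ;; esac
  echo ok
}
make_key_and_csr
make_cert
check_cert "$WORK/server.pem" "$HOST" "$IP"
```

Running `check_cert` against a certificate whose SANs name a different host shows the failure path, which is what happens in practice when the appliance's address changes and the certificate is not regenerated.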