
Managing Lenovo XClarity Management Hub security certificates

Lenovo XClarity Management Hub uses SSL certificates to establish secure, trusted communications between Lenovo XClarity Management Hub and its managed devices, between users and Lenovo XClarity Management Hub, and between Lenovo XClarity Management Hub and other services. By default, Lenovo XClarity Management Hub and XClarity Orchestrator use XClarity Orchestrator-generated certificates that are self-signed and issued by an internal certificate authority.

Before you begin

This section is intended for administrators who have a basic understanding of the SSL standard and SSL certificates, including what they are and how to manage them. For general information about public key certificates, see the X.509 webpage in Wikipedia and the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280) webpage.

About this task

The default server certificate, which is uniquely generated in every instance of Lenovo XClarity Management Hub, provides sufficient security for many environments. You can choose to let Lenovo XClarity Management Hub manage certificates for you, or you can take a more active role by customizing and replacing the server certificates. Lenovo XClarity Management Hub provides options for customizing certificates for your environment. For example, you can choose to:
  • Generate a new key pair by regenerating the internal certificate authority and/or the end-server certificate, using values that are specific to your organization.
  • Generate a certificate signing request (CSR) that can be sent to your choice of certificate authority to sign a custom certificate, which can then be uploaded to Lenovo XClarity Management Hub to be used as the end-server certificate for all its hosted services.
  • Download the server certificate to your local system so that you can import that certificate into your web browser's list of trusted certificates.

Lenovo XClarity Management Hub provides several services that accept incoming SSL/TLS connections. When a client, such as a web browser, connects to one of these services, Lenovo XClarity Management Hub presents its server certificate so that the connecting client can identify it. The client should maintain a list of certificates that it trusts. If the Lenovo XClarity Management Hub server certificate is not included in the client's list, the client disconnects from Lenovo XClarity Management Hub to avoid exchanging any security-sensitive information with an untrusted source.

Lenovo XClarity Management Hub acts as a client when communicating with managed devices and external services. When this occurs, the managed device or external service provides its server certificate to be verified by Lenovo XClarity Management Hub. Lenovo XClarity Management Hub maintains a list of certificates that it trusts. If the certificate that is provided by the managed device or external service is not in that list, Lenovo XClarity Management Hub disconnects from the managed device or external service to avoid exchanging any security-sensitive information with an untrusted source.

The following categories of certificates are used by Lenovo XClarity Management Hub services and must be trusted by any client connecting to them.
  • Server Certificate. During the initial boot, a unique key and self-signed certificate are generated. These are used as the default Root Certificate Authority, which can be managed on the Certificate Authority page in the Lenovo XClarity Management Hub security settings. It is not necessary to regenerate this root certificate unless the key has been compromised or your organization has a policy that all certificates must be replaced periodically (see Regenerating the internally-signed XClarity Orchestrator server certificate).

    Also during the initial setup, a separate key is generated and a server certificate is created and signed by the internal certificate authority. This certificate is used as the default Lenovo XClarity Management Hub server certificate. It is automatically regenerated each time Lenovo XClarity Management Hub detects that its network addresses (IP or DNS addresses) have changed, to ensure that the certificate contains the correct addresses for the server. It can also be customized and generated on demand (see Regenerating the internally-signed XClarity Orchestrator server certificate).

    You can choose to use an externally-signed server certificate instead of the default self-signed server certificate by generating a certificate signing request (CSR), having the CSR signed by a private or commercial root certificate authority, and then importing the full certificate chain into Lenovo XClarity Management Hub (see Installing a trusted, externally-signed XClarity Orchestrator server certificate).

    If you choose to use the default self-signed server certificate, it is recommended that you import the server certificate into your web browser as a trusted root authority to avoid certificate error messages in your browser (see Importing the server certificate into a web browser).

  • OS Deploy Certificate. A separate certificate is used by the operating-system deployment service to ensure that the operating-system installer can connect securely to the deployment service during the deployment process. If the key has been compromised, you can regenerate it by restarting Lenovo XClarity Management Hub.
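The trust decision described above (a client accepts a server certificate only if it chains to a root in the client's own trust list) and the reason the hub regenerates its server certificate when its addresses change (the certificate must name the addresses the client connects to) can be exercised with Go's standard crypto/x509 package. This is an added example, not Lenovo's code: it builds a constructed internal root CA and a server certificate with the hub's DNS name and IP in the subjectAltName, then applies the client-side check; the names `BuildChain`, `TrustedFor`, `hub.example.com` and `192.0.2.10` are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// BuildChain mirrors the hub's default setup (constructed values): an internal root CA and a server cert it signs, with the hub's DNS name and IP in the SAN.
func BuildChain(dnsName string, ip net.IP) (ca, server *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal Root CA (example)"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		DNSNames: []string{dnsName}, IPAddresses: []net.IP{ip}, // the addresses a client must match
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	server, _ = x509.ParseCertificate(srvDER)
	return ca, server, nil
}

// TrustedFor makes the client's decision: accept only a server certificate that chains to the client's trust list and names the dialled host.
func TrustedFor(server *x509.Certificate, host string, trusted ...*x509.Certificate) bool {
	roots := x509.NewCertPool() // explicit pool, so only the client's own list decides, never system roots
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

An empty trust list, an unrelated CA, or a host name missing from the SAN all make `TrustedFor` return false, which is the point at which the client (or the hub acting as a client) disconnects.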