You should obtain an SSL certificate for these situations:
• If you have Android or iOS devices that you want to connect to Avalanche, you must have an SSL certificate. Connecting iOS devices also requires an APNS certificate.
• If you want to secure the connection between the Avalanche Console (a web browser) and the Avalanche web server. This step is optional. If you do not use an SSL certificate for the web server, it connects to the browser and devices using Hypertext Transfer Protocol (HTTP), which is not encrypted.
• If you want to secure the connection between the Avalanche Remote Control server and the Remote Control viewer. This step is optional. The connection between the server and devices is automatically secured using PSK and does not require an SSL certificate.
When you use Avalanche with an SSL certificate for a secure connection, we strongly recommend that you purchase a certificate through a third-party certificate authority (such as Verisign). If you install the Avalanche web server, Smart device server, or Remote Control server on different systems, you need either a wildcard certificate or a certificate for each system where those Avalanche components are installed.
These instructions explain how to manipulate certificates using OpenSSL. Ivanti does not include OpenSSL with Avalanche. The install files can be found on the OpenSSL Web site. If you want to use a different tool, refer to the user guide for that tool for the process of creating a certificate request or self-signed certificate.
These instructions explain how to generate a certificate signing request using OpenSSL. Ivanti does not include OpenSSL with Avalanche or install it for you. You can find a version of OpenSSL that runs on Windows through the OpenSSL Web site.
Ivanti strongly recommends using a certificate signed by a certificate authority. Using a certificate authority like Verisign tells clients that your server information was verified by a trusted source and is authentic.
Ivanti recommends that you back up all certificate files after you have implemented your certificate.
To generate a private key for the certificate:
1. From a command line, navigate to:
[OpenSSL installation directory]\bin
2. Use the command:
openssl genrsa -des3 -out privateKey.key 2048
3. At the prompt Enter pass phrase for privateKey.key, type a pass phrase. When prompted, re-enter the pass phrase. The pass phrase is arbitrary, but should be noted for future reference.
If you get a message that says "WARNING: can't open config file: /usr/local/ssl/openssl.cfg", you need to set the configuration file location. From the command prompt, use the following command:
set OPENSSL_CONF=[OpenSSL installation directory]\bin\openssl.cfg
If OpenSSL created the privateKey.key file anyway, delete it. Then repeat steps 2 and 3.
5. At the prompts, enter all requested information. For the Common Name, provide the fully qualified domain name of the computer where you plan to install the certificate. The domain name used should be one that your company owns. Add a DNS entry if needed to resolve this computer.
An example of generating a CSR:
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Some-State]:Utah
Locality Name (eg, city) [Newbury]:Midvale
Organization Name (eg, company) [My Company Ltd]:Wavelink Corporation
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:avaself.wavelink.com
Email Address []:[email protected]
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: avalanche
An optional company name []: Wavelink Corporation
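The following is an added example, not part of Ivanti's documentation or of Avalanche, that carries out the key and CSR steps above with OpenSSL in a POSIX shell and then checks the request before it goes to the certificate authority. It assumes OpenSSL 1.1 or 3.x is on the PATH, supplies the subject from the example session with -subj instead of answering prompts, and writes into a scratch directory rather than the OpenSSL bin directory. The pass phrase is a demo value passed on the command line only so the script runs unattended; the interactive prompt in the steps above is the right way to enter a real one.

```shell
#!/bin/sh
# Added example (not Ivanti's or Avalanche's own code): generate a
# pass-phrase protected RSA key and a certificate signing request
# non-interactively with OpenSSL, then check the CSR before submitting it.
# Assumptions: OpenSSL 1.1 or 3.x on PATH; subject values are the ones from
# the page's example session; the pass phrase is a demo value.

WORK="$(mktemp -d)"            # scratch directory instead of [OpenSSL]\bin
KEY="$WORK/privateKey.key"
CSR="$WORK/CACert.csr"
PASS="demo-pass-phrase"        # demo only: a real pass phrase should not be
                               # given on the command line, where other users
                               # can read it from the process list; let
                               # OpenSSL prompt for it as the page's steps do.

# Step 2 of the page: 2048-bit RSA key, encrypted with the pass phrase.
# -des3 matches the page's command; -aes256 is the stronger modern choice.
gen_key() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
}

# CSR with the subject given via -subj so that no prompts appear. The Common
# Name must be the fully qualified domain name of the server that will
# present the certificate (here the page's avaself.wavelink.com).
gen_csr() {
    openssl req -new -key "$KEY" -passin "pass:$PASS" -out "$CSR" \
        -subj "/C=US/ST=Utah/L=Midvale/O=Wavelink Corporation/OU=Engineering/CN=avaself.wavelink.com"
}

# Checks worth running before sending the CSR to the CA.
csr_cn() {
    # Prints the Common Name embedded in the CSR.
    openssl req -in "$CSR" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}
csr_signature_ok() {
    # Exit status 0 when the CSR's self-signature verifies with its own public key.
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}
csr_key_bits() {
    # Prints the RSA modulus size of the public key carried in the CSR.
    openssl req -in "$CSR" -noout -pubkey | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

gen_key && gen_csr
echo "CSR for CN=$(csr_cn), $(csr_key_bits)-bit key, written to $CSR"
```

The Common Name check matters because a certificate issued for a name other than the one devices and browsers connect to is rejected by them even though it is otherwise valid, and the CA will issue exactly the name in the request.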
Next Steps
When you apply to a certificate authority for an SSL web server certificate, you will need to submit the CACert.csr file that is generated by this process.
After you get the certificate back from the certificate authority, import the private key into the certificate file and export it as a PKCS #12 file.
In order to use an SSL certificate for the Avalanche Console, Remote Control, or the Smart Device Server, the certificate must be in PKCS #12 format and include the private key. Even if the certificate authority gave you a .p12 file, you must import the private key into the .p12 file before you can use it with Avalanche.
Where privateKey.key is the name of the key you created (either before creating the CSR, or when you generated a self-signed certificate), and ca.pem is the name of the certificate you are converting.
If you submitted a certificate signing request to a certificate authority and they sent back the certificate chain separate from the certificate, add -certfile intcert.crt to the end of the command, where intcert.crt is the name of the intermediate certificate.
3. Enter the pass phrase associated with the private key. Self-signed certificates created using the command given in Creating a Self-Signed Certificate will not request a pass phrase.
4. Enter an export password. Verify the export password again.
The PKCS #12 file is created in the OpenSSL installation directory.
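The following is an added example, not part of Ivanti's documentation or of Avalanche, that packages a private key and certificate into the PKCS #12 file described above, with the optional intermediate certificate the -certfile note covers, and then verifies that the file contains the private key and opens with the export password. It assumes OpenSSL is on the PATH; because no certificate authority is involved, a self-signed certificate for the page's Common Name stands in for the one the CA returns, and the export password is a demo value (let OpenSSL prompt for a real one).

```shell
#!/bin/sh
# Added example (not Ivanti's or Avalanche's own code): combine a private key
# and certificate into PKCS #12 and check the result before importing it.
# Assumptions: OpenSSL on PATH; a self-signed certificate stands in for the
# CA-issued one; the export password is a demo value.

WORK="$(mktemp -d)"
KEY="$WORK/privateKey.key"     # key created before the CSR (unencrypted here)
CERT="$WORK/ca.pem"            # the certificate being converted
INTCERT="$WORK/intcert.crt"    # intermediate certificate, if the CA sent one separately
P12="$WORK/certificate.p12"
EXPORT_PASS="demo-export-password"

# Constructed stand-in for the CA's answer: a self-signed certificate for the
# page's Common Name. A real deployment uses the certificate the CA returned.
make_stand_in_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$KEY" -out "$CERT" \
        -subj "/CN=avaself.wavelink.com" 2>/dev/null
}
# Constructed stand-in for a separately delivered intermediate certificate.
make_stand_in_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/intkey.pem" \
        -out "$INTCERT" -subj "/CN=Demo Intermediate CA" 2>/dev/null
}

# Combine key and certificate into PKCS #12. An optional fourth argument names
# an intermediate certificate to include, as the page's -certfile note describes.
make_p12() {
    key="$1"; cert="$2"; out="$3"; chain="$4"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$EXPORT_PASS"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$EXPORT_PASS"
    fi
}

# Checks to run before handing the file to the Console.
p12_password_ok() {
    # Exit status 0 only if password $2 opens file $1 (MAC verifies).
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}
p12_key_count() {
    # Avalanche needs the private key inside the .p12; count the keys it holds.
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$EXPORT_PASS" 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY'
}
p12_cert_count() {
    # Number of certificates (end-entity plus any chain) inside the .p12.
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$EXPORT_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
p12_cn() {
    # Common Name of the end-entity certificate, which the Console displays.
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$EXPORT_PASS" 2>/dev/null \
        | openssl x509 -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

make_stand_in_cert
make_p12 "$KEY" "$CERT" "$P12"
echo "Packaged $(p12_cn "$P12"): $(p12_key_count "$P12") key(s), $(p12_cert_count "$P12") certificate(s)"
```

A key count of zero is the symptom of the case the text warns about: a .p12 from the CA that holds only the certificate. Such a file opens without error, so the count check catches what a password check alone would not.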
After obtaining an SSL certificate, import it into Avalanche using the Console so that the Smart device server can use it.
The certificate must be in PKCS #12 format. If the certificate is in a different format, convert it to PKCS #12 first.
To complete the setup:
1. From the Avalanche Console, navigate to Tools > System Settings.
2. In the HTTPS Configuration section, click Add.
3. Locate the certificate.p12 file and click Open.
4. Enter the pass phrase associated with the certificate. When the pass phrase is entered correctly, the Common Name is displayed in the SDS Public Address text box.
5. If the certificate is a wildcard certificate (uses a * in the Common Name), type the server address in the SDS Public Address text box.
6. Click Save at the top right of the page.
7. Perform a deployment from My Enterprise.
After you have set up the APNS certificate, GCM key, and the SSL certificate, communication between Smart devices and the Smart device server is enabled and you can enroll devices. You should import your licenses before attempting to connect devices. For information on licensing, see Licensing. For information on connecting devices, see Connecting Devices to the Avalanche Server.
Once you have a PKCS #12 certificate, you can configure the Avalanche web server, Tomcat, to encrypt traffic between the Console and the Avalanche server. This requires modifying the server.xml file and then restarting the Tomcat server.
Where the keystoreFile value is the path to the certificate and the keystorePass value is the password you entered when creating the certificate. In the path to the certificate, use forward slashes.
5. Save your changes to the file.
6. Restart the Tomcat service.
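The following is an added example, not part of Ivanti's documentation, Avalanche or Tomcat, that checks the keystoreFile and keystorePass values in server.xml before the Tomcat service is restarted, so that a backslash in the path, a wrong file name or a wrong password is caught while the Console is still reachable. It assumes OpenSSL is on the PATH and that keystoreFile and keystorePass are the Tomcat Connector attributes the text refers to; the Connector fragment and the .p12 file it writes are constructed for the demonstration and are not Avalanche's real server.xml.

```shell
#!/bin/sh
# Added example (not Ivanti's, Avalanche's or Tomcat's own code): validate the
# keystoreFile and keystorePass settings in a server.xml before restarting.
# Assumptions: OpenSSL on PATH; the Connector fragment and .p12 below are
# constructed; only the attribute names come from the page.

WORK="$(mktemp -d)"
P12="$WORK/certificate.p12"
EXPORT_PASS="demo-export-password"

# Constructed stand-in for the PKCS #12 file produced in the previous section.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=avaself.wavelink.com" \
        -keyout "$WORK/privateKey.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/privateKey.key" -in "$WORK/ca.pem" \
        -out "$P12" -passout "pass:$EXPORT_PASS"
}

# Write a server.xml-style Connector (constructed) with the given keystore values.
write_connector() {
    cat > "$1" <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="$2"
           keystorePass="$3" />
EOF
}

xml_attr() {
    # Print the value of attribute $2 from file $1 (first occurrence).
    sed -n "s|.*$2=\"\([^\"]*\)\".*|\1|p" "$1" | head -n 1
}

# Returns 0 when the settings are usable, otherwise a code naming the problem:
#   1 = keystoreFile uses backslashes (the page requires forward slashes)
#   2 = keystoreFile does not exist
#   3 = keystorePass does not open the PKCS #12 file
check_keystore_config() {
    path="$(xml_attr "$1" keystoreFile)"
    pass="$(xml_attr "$1" keystorePass)"
    case "$path" in *\\*) echo "keystoreFile must use forward slashes: $path"; return 1 ;; esac
    [ -f "$path" ] || { echo "keystoreFile not found: $path"; return 2; }
    openssl pkcs12 -in "$path" -noout -passin "pass:$pass" >/dev/null 2>&1 \
        || { echo "keystorePass does not open $path"; return 3; }
    echo "keystore configuration OK: $path"
}

make_demo_p12
write_connector "$WORK/server.xml" "$P12" "$EXPORT_PASS"
write_connector "$WORK/backslash.xml" 'C:\Avalanche\certificate.p12' "$EXPORT_PASS"
write_connector "$WORK/badpass.xml" "$P12" "not-the-password"
check_keystore_config "$WORK/server.xml"
```

Because the password used for keystorePass is the export password from the PKCS #12 step, the same openssl pkcs12 check that validated the file there validates the configuration here; run it as the account that runs Tomcat so that file permissions are tested as well.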
Once you have generated a certificate, activated SSL for Tomcat, and restarted the Tomcat server, you can access the Web Console over an HTTPS connection.
To access the Web Console over a secure connection:
• In the address field of your browser, type:
https://[DNS name or IP address of Avalanche]:8443/AvalancheWeb
If you choose to use self-signed certificates in order to set up a demo environment, see Creating a Self-Signed Certificate for more information about self-signed certificates. Ivanti strongly recommends using a certificate from a certificate authority for a production environment.