Administrator Guide

View the certificates to determine whether or not certificates are self-signed, and when certificates will expire.
If you have not already done so, replace self-signed certificates with CA-signed certificates to help improve the security of Dell Hybrid
Cloud System for Microsoft.
As certificates expire, you must periodically perform tasks in Replacing self-signed certificates with CA-signed certificates again.
Viewing the certificates
You can view certificates in the GUI, by opening the certlm.msc snap-in on the Console VM, and targeting the snap-in at Dell Hybrid Cloud
System for Microsoft computers that are running Windows Azure Pack website services, SMA, and SPF. These VMs are <Prefix>APT01
and <Prefix>APA01.
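The same two questions (is a certificate self-signed, and when does it expire) can also be answered from a script. The following PowerShell is an added example, not part of the Dell guide. It assumes PowerShell remoting is enabled on the target VMs, that the LocalMachine Personal store is the one of interest, and it uses PREFIX as a placeholder for the deployment's <Prefix> value; the function name and the 60-day warning window are hypothetical choices.

```powershell
# Added example: report self-signed and soon-to-expire certificates.
# Assumptions: PowerShell remoting is enabled on the target VMs and the
# LocalMachine\My (Personal) store holds the certificates of interest.
function Get-CertificateStatus {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$WarnDays = 60   # hypothetical warning window
    )

    # Runs on each target; returns plain properties that survive serialization.
    $query = {
        Get-ChildItem -Path Cert:\LocalMachine\My |
            Select-Object Subject, Issuer, Thumbprint, NotAfter
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            $certs = & $query
        } else {
            $certs = Invoke-Command -ComputerName $computer -ScriptBlock $query
        }

        foreach ($cert in $certs) {
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0) { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
            else { $status = 'OK' }

            [pscustomobject]@{
                Computer   = $computer
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                # Subject equal to Issuer means the certificate is self-issued,
                # which for a website certificate indicates it is self-signed.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
            }
        }
    }
}

$Prefix = 'PREFIX'   # placeholder: replace with your deployment's <Prefix>
Get-CertificateStatus -ComputerName "${Prefix}APT01", "${Prefix}APA01" |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

Rows with SelfSigned set to True or a Status other than OK are the ones to replace using the procedure that follows.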
Replacing self-signed certificates with CA-signed certificates
The self-signed certificates that are generated as part of Dell Hybrid Cloud System for Microsoft installation are intended to be temporary.
As a security best practice, if there are self-signed certificates still supporting Dell Hybrid Cloud System for Microsoft website services, you
should promptly replace them with certificates that are issued by a trusted certification authority (CA), such as VeriSign or Thawte. The
type of certificate you want for Dell Hybrid Cloud System for Microsoft website services is also called an SSL certificate.
You must also perform procedures in this section when you are updating expired certificates, as part of regular certificate management.
It is especially important that the following components use trusted certificates:
Tenant portal
Tenant public API
Tenant authentication site
Management portal for administrators
SMA
Updating self-signed certificates to CA-signed certificates involves the following tasks:
Step 1: Export the self-signed certificates to .pfx files, and create a folder tree for the certificates.
Step 2: Obtain certificates from a trusted certification authority, and copy the .cer files to a share.
Step 3: Import the trusted root and intermediate certification authority .cer files to establish the certificate chain on each VM.
Step 4: Prepare the file share with the new .pfx certificates.
Step 5: Update to the new trusted certification authority certificate on each component virtual machine.
Step 6: Secure the shares that you created.
Each of these steps is described in the sections that follow.
Step 1: Export self-signed certificates to .pfx files, and create a folder tree for the certificates
1 On the Console VM, create a Universal Naming Convention (UNC) file share to back up existing certificates:
a Create a folder, for example C:\WAPCerts.
b Right-click the folder, point to Share with, and then click Specific people.
c Type the user account <Prefix>-System, and then click Add.
d Under Permission Level for the <Prefix>-System account, click Read, and change it to Read/Write.
e Click Share, and then click Done.
The file share path is \\<Prefix>CON01\WAPCerts.
2 Sign in to the Windows Azure Pack management portal for administrators by using an account that is a member of the <Prefix>-Ops-Admins group.