Administrator Guide

ManualsBrandsDell ManualsCloudLink SecureVMHybrid Cloud System for Microsoft

121

122

123

124

125

126

127

128

129

130

• As certicates expire, you must periodically perform tasks in Replacing self-signed certicates with CA-signed certicates again.

Viewing the certicates

You can view certicates in the GUI, by opening the certlm.msc snap-in on the Console VM, and targeting the snap-in at Dell Hybrid Cloud

System for Microsoft computers that are running Windows Azure Pack website services, SMA, and SPF. These VMs are <

Prex

>APT01

and <

Prex

>APA01.

Replacing self-signed certicates with CA-signed certicates

The self-signed certicates that are generated as part of Dell Hybrid Cloud System for Microsoft installation are intended to be temporary.

As a security best practice, if there are self-signed certicates still supporting Dell Hybrid Cloud System for Microsoft website services, you

should promptly replace them with certicates that are issued by a trusted certication authority (CA), such as VeriSign or Thawte. The

type of certicate you want for Dell Hybrid Cloud System for Microsoft website services is also called an SSL certicate.

You must also perform procedures in this section when you are updating expired certicates, as part of regular certicate management.

It is especially important that the following components use trusted certicates:

• Tenant portal

• Tenant public API

• Tenant authentication site

• Management portal for administrators

• SMA.

Updating self-signed certicates to CA-signed certicates involves the following tasks:

• Step 1: Export the self-signed certicates to .pfx les, and create a folder tree for the certicates

• Step 2: Obtain certicates from a trusted certication authority and copy the .cer les to a share

• Step 3: Import the trusted root and intermediate certication authority .cer les to establish the certicate chain on each VM

• Step 4: Prepare the le share with the new .pfx certicates

• Step 5: Update to the new trusted certication authority certicate on each component virtual machine

• Step 6: Secure the shares that you created.

Each of these steps is described in the sections that follow.

Step 1: Export the self-signed certicates to .pfx les, and create a folder

tree for the certicates

1 On the Console VM, create a UNC (Universal Naming Convention) le share to back up existing certicates.

a Create a folder, for example C:\WAPCerts.

b Right-click the folder, point to Share with, and then click Specic people.

c Type the user account <Prefix>-System, and then click Add.

d Under Permission Level for the <Prex>-System account, click Read, and change it to Read/Write.

e Click Share, and then click Done.

The le share path will be \\<Prex>CON01\WAPCerts.

2 Sign in to the Windows Azure Pack management portal for administrators by using an account that is a member of the <

Prex

>-Ops-

Admins group

3 Create a PowerShell Credential asset. The password for this asset is used to protect the private keys of the exported certicates.

a In the Windows Azure Pack management portal for administrators, click Automation in the navigation pane.

b On the Automation page, click Assets.

128

Security