Administrator Guide

View the certica
tes to determine whether or not certicates are self-signed, and when certicates will expire.
If you have not already done so, replace self-signed certica
tes with CA-signed certicates to help improve the security of Dell Hybrid
Cloud System for Microsoft.
As certica
tes expire, you must periodically perform tasks in
Replacing self-signed certica
tes with CA-signed certicates again.
Viewing the certica
tes
You can view certicates in the GUI, by opening the certlm.msc snap-in on the Console VM, and targeting the snap-in at Dell Hybrid Cloud
System for Microsoft computers that are running Windows Azure Pack website services, SMA, and SPF. These VMs are <
Prex
>APT01
and <
Prex
>APA01.
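The same check can be scripted from the Console VM. The following PowerShell is an added example, not part of the Dell guide: it lists the certificates on both VMs and flags the ones that are self-signed or close to expiry. It assumes PowerShell remoting is enabled to both VMs, that the certificates of interest are in the local computer Personal store, and that a 60-day warning window is acceptable; `PREFIX` is a placeholder for your deployment's <Prefix>.

```powershell
# Added example: inventory certificates on the Windows Azure Pack VMs.
$Prefix    = 'PREFIX'   # placeholder: replace with your deployment's <Prefix>
$WarnDays  = 60         # assumed warning window, adjust to your renewal lead time
$Computers = "${Prefix}APT01", "${Prefix}APA01"

$report = Invoke-Command -ComputerName $Computers -ArgumentList $WarnDays -ScriptBlock {
    param($WarnDays)
    $now = Get-Date

    # Assumption: the service certificates are in the local computer Personal store.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)

        $status = if     ($daysLeft -lt 0)          { 'Expired' }
                  elseif ($daysLeft -le $WarnDays)  { 'Expiring' }
                  else                              { 'OK' }

        [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            Status        = $status
            # Subject equal to Issuer means the certificate is self-issued,
            # which is how the temporary installation certificates appear.
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

# Full inventory, soonest expiry first. PSComputerName is added by Invoke-Command.
$report |
    Sort-Object DaysLeft |
    Format-Table PSComputerName, Subject, SelfSigned, Status, DaysLeft, NotAfter -AutoSize

# Certificates that need action: self-signed, expired, or inside the warning window.
$report |
    Where-Object { $_.SelfSigned -or $_.Status -ne 'OK' } |
    Sort-Object PSComputerName, DaysLeft |
    Format-List PSComputerName, Subject, Issuer, Thumbprint, Status, NotAfter
```

Running this on a schedule and alerting when the second list is not empty gives advance notice before a portal or API certificate lapses.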
Replacing self-signed certica
tes with CA-signed certicates
The self-signed certicates that are generated as part of Dell Hybrid Cloud System for Microsoft installation are intended to be temporary.
As a security best practice, if there are self-signed certicates still supporting Dell Hybrid Cloud System for Microsoft website services, you
should promptly replace them with certicates that are issued by a trusted certication authority (CA), such as VeriSign or Thawte. The
type of certicate you want for Dell Hybrid Cloud System for Microsoft website services is also called an SSL certicate.
You must also perform procedures in this section when you are updating expired certicates, as part of regular certicate management.
It is especially important that the following components use trusted certicates:
Tenant portal
Tenant public API
Tenant authentication site
Management portal for administrators
SMA
Updating self-signed certica
tes to CA-signed certicates involves the following tasks:
Step 1: Export the self-signed certica
tes to .pfx les, and create a folder tree for the certicates.
Step 2: Obtain certica
tes from a trusted certication authority, and copy the .cer les to a share.
Step 3: Import the trusted root and intermediate certica
tion authority .cer les to establish the certicate chain on each VM.
Step 4: Prepare the le shar
e with the new .pfx certicates.
Step 5: Update to the new trusted certication authority certicate on each component virtual machine.
Step 6: Secure the shares that you created.
Each of these steps is described in the sections that follow.
Step 1 Export self-signed certica
tes to .pfx les, and create a folder tree
for the certicates
1 On the Console VM, create a Universal Naming Convention (UNC) le shar
e to back up existing certicates:
a Create a folder, for example C:\WAPCerts.
b Right-click the folder, point to Share with, and then click Specic people.
c Type the user account
<Prefix>-System, and then click Add.
d Under
Permission Level for the <Prex>-System account, click Read, and change it to Read/Write.
e Click
Share, and then click Done.
The le shar
e path is \\<Prex>CON01\WAPCerts.
2 Sign in to the Windows Azure Pack management portal for administrators by using an account that is a member of the <
Prex
>-Ops-
Admins group.