Re: HPDM replace self signed SSL certificates for HDPM Serve...
08-05-2016 06:09 PM
I am trying to replace the auto generated self-signed (Issued to DM, issued by DM) certificates for the HPDM Server and Master Repository. I am NOT referring to FTPS, the HPDM Embedded HTTPS Server, or the Thin Client Agent certs.
I have already set up certs from our own domain internal CA for FTPS in IIS and the Apache Embedded HTTPS server. These are working fine and Repository tests pass for both protocols. I have also issued certs to the Thin Clients from our internal CA just fine.
I'm interested in the actual HPDM Server cert and Master Repository cert. These are self-generated when the two services start up. They use a very weak MD5 hash and RSA 1024 key. I cannot find any documentation around this except for troubleshooting, in which you can delete these certs, restart the services, and they will be regenerated.
Here are the cert/key paths:
%HPDM Install Path%\MasterRepositoryController\Controller.crt (Repository Cert)
%HPDM Install Path%\MasterRepositoryController\Controller.key (Repository Key)
%HPDM Install Path%\MasterRepositoryController\Client.crt (HPDM Server Cert)
%HPDM Install Path%\Server\Bin\hpdmskey.keystore (Both HPDM Server and Repository Certs and Keys) (Not sure what format it is in. It's not PEM or P12 as far as I can tell)
There is also %HPDM Install Path%\Server\bin\hpdmcert.key. Not sure what this is. I think it's the HPDM Server key, but deleting it does nothing and it is never auto-regenerated in any of my tests.
I am able to replace the Controller.crt and key files with my own internal CA issued ones just fine. The service starts and no errors happen. However, if I replace the Client.crt (HPDM Server Cert) with my own, the service will start but there are SSL Socket errors in the repository logs and the HPDM Server can't connect to the Master Repository. I have no idea where the key file is supposed to be for the HPDM Server Cert.
Can anyone help with this? I can't find any config files either for the services to generate their own certs. If I did I would at least try to change the config to not use MD5.
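As an added check (not HP's code and not from this thread), a standard-library Python script that reads Controller.crt or Client.crt and reports the signature hash and RSA modulus size, so the MD5/1024-bit finding can be confirmed, and re-checked after the services regenerate the files. It assumes the files are X.509 certificates in PEM or DER form with RSA keys.

```python
"""Report the signature hash and RSA modulus size of an X.509 certificate (PEM or DER)
with only the standard library. Added example, not HP code; assumes RSA keys."""
import base64, re

SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                              # (tag, value) pairs inside a SEQUENCE
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):                                   # OBJECT IDENTIFIER bytes -> dotted form
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def load_der(data):
    """Accept PEM (str or bytes) or raw DER and return DER bytes."""
    data = data.encode() if isinstance(data, str) else data
    if data.lstrip().startswith(b"-----"):
        data = base64.b64decode(b"".join(re.sub(rb"-----[^-]+-----", b"", data).split()))
    return data

def audit_cert(data):
    """Return signature algorithm and RSA modulus bits; weak = MD5/SHA-1 or < 2048 bits."""
    tbs, sig_alg, _sig = _children(_tlv(load_der(data))[1])  # Certificate ::= SEQ {tbs, alg, sig}
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                       # explicit [0] version comes first
        fields = fields[1:]
    spki = _children(fields[5][1])                 # subjectPublicKeyInfo: [algId, BIT STRING]
    rsa_key = _children(_tlv(spki[1][1][1:])[1])   # skip unused-bits byte; RSAPublicKey {n, e}
    bits = int.from_bytes(rsa_key[0][1], "big").bit_length()
    sig = SIG_OIDS.get(_oid(_children(sig_alg[1])[0][1]), "unknown")
    return {"signature": sig, "rsa_bits": bits,
            "weak": sig in ("md5WithRSAEncryption", "sha1WithRSAEncryption") or bits < 2048}
```

Run it as `audit_cert(open(r"...\MasterRepositoryController\Controller.crt", "rb").read())`; a result of md5WithRSAEncryption with 1024 bits confirms the weak defaults described above.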
08-07-2016 07:33 PM
Hi,
Those certificates between HPDM Server and MRC are not designed to be customizable. Please submit an impact case if you have any security concern on this.
Just FYI:
hpdmcert.key is for communication between HPDM Server and HPDM Gateway
hpdmskey.keystore is for the communication between HPDM Server and MRC
server_keystore is for the communication between HPDM Server and HPDM Console
My opinions are my own, and do not express those of HPI.
08-07-2016 08:03 PM
Thanks for the excellent description of the files and their relations for communication. In our deployment the HPDM Server, MRC, Console, and Gateway are on the same system, so it's not that important for high security encryption between them. However, I am wondering how the clients fall into this. I know the Thin Clients use the customized certs in IIS for FTPS and the HPDM Embedded HTTPS server for file transfer. What about commands from the HPDM server to the clients? I was thinking these would be encrypted with the HPDM Server cert. If so it would be nice to be able to replace it.
Is there any option for changing the default cipher suite or hash that is used for these auto generated certs? I would like to use SHA256 instead of MD5 and RSA 2048 instead of 1024.
Also, on another note, I followed the manual for making a CTL file and included the two CA certs from my organization in it, our subordinate and root CA. These are used for the certs I used in IIS FTPS and the Embedded HTTPS server. However, running the test for those protocols for the MRC fails instantly when I have a CTL present. I initially was not aware of the HPDM and MRC certs that were auto generated not using our CA. Should I add the auto generated self-signed certs to the CTL as well?
Thanks!
08-07-2016 08:45 PM
The white paper WP_HPDM 4.7_Security_Mechanism.pdf describes more about the security thing we used in HPDM. You can easily get that from HPDM Console -> Help -> White paper
The communication between DM Components - like command task are through TLS 1.2 connection created with Open SSL.
The crypto algorithms in SSL/TLS use an RSA-created key pair of length 512 or 1024 and an X.509-created certificate. The symmetric cipher is AES (AES256-SHA).
There is no option to change the default cipher suite or hash as of now. But I agree that we should enhance this in the future. I would suggest you submit a request to region so that the DM team will put this as higher priority.
Please make sure the certs are included in the Certificate TRUST LIST. The white paper HPDM_Embedded_HTTPS_ServerDeployment_Guide should have included this part. You can get this in the 4.7 SP3 folder from the white paper link above.
My opinions are my own, and do not express those of HPI.
08-08-2016 01:48 PM
I have followed the instructions on the CTL but it always fails with error:
Failed to connect repository Master Repository with protocol FTPS
For FTPS, Insufficient privilege on repository Master Repository with protocol FTPS
I issued an internal cert from our CA to the IIS server for FTPS. It has a CA chain going in the order of Root CA > Sub CA > Cert.
I exported the Root and Sub CA certs as Base-64 .cer files and copied the contents to the CTL file. I also now have added both the self generated DM certs (client and controller) from the MRC location to it as well.
No matter what I try it seems to fail when there is a CTL present. I have run certutil -verify on the cert chain and everything passes.
08-08-2016 05:58 PM
Can you please check the White Paper of "FTPS Certificate Configuration" to see the difference between recommended configuration and yours?
We have detailed certificate configuration step in the white paper and you should be OK by following that.
Before changing the certificate, please make sure FTPS works with default one - this is to eliminate the privilege or path configuration issue.
Regarding the feature request, you have to contact the support team in your region for help.
My opinions are my own, and do not express those of HPI.
08-09-2016 05:10 PM
So far I have been unable to get a CTL file to work. It contains the PEM output for both of our CA certs in the chain. I have followed the whitepaper but still it is not working. For now I have removed the CTL.
Today I followed the white paper to set up client certificate authentication for both IIS FTPS and the Embedded HTTPS Web Server. This went fine. I tested from the Thin Client with WinSCP installed and set up an FTPS connection to the master repository using the client certificate file and no user or password. I was able to browse the repository just fine.
I then tested both a Deploy File and Capture File from the HPDM console. Both passed. The test file was sent to the Thin Client fine and sent back to the repository fine. I tested the same with my Child Repositories just fine.
However, it fails when trying to do an image capture of the Thin Client. Below is the output of the HPDM Console task and my IIS FTPS log. The console indicates the data channel cannot be opened. Is image capturing using a different FTP client on the Thin Client than what is used for the Deploy/Capture File tasks?
2016-08-09 15:53:04 [Error Details]: Capture image to the Master Repository.
Failure capturing T730-W7E-VDI.ibr to /Repository/Images/T730-W7E-VDI_3.
Failed to execute CaptureImage task.
ErrorCode: 1068032, Error Info: ..\..\Task\wins\ImageTask_XPE.cpp@130: Failed to download client kit.
..\..\Task\common\ImageCommon.cpp@819: Failed to download image mapping file, file name: toolsConfig.xml
..\..\Task\common\ImageCommon.cpp@737: Failed to download mapping file.
ftpclient\fileclient.cpp@394: Failed to get remote file, LocalDir:C:\,RemoteDir:/./Repository/Tools/Imaging/Mapping,Name:toolsConfig.xml
ftpclient\fileclient.cpp@367: Cannot open data connection.
..\..\Task\wins\ImageTask_XPE.cpp@130: Failed to download client kit.
..\..\Task\common\ImageCommon.cpp@819: Failed to download image mapping file, file name: toolsConfig.xml
..\..\Task\common\ImageCommon.cpp@737: Failed to download mapping file.
ftpclient\fileclient.cpp@394: Failed to get remote file, LocalDir:C:\,RemoteDir:/./Repository/Tools/Imaging/Mapping,Name:toolsConfig.xml
ftpclient\fileclient.cpp@367: Cannot open data connection.
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PASS *** 230 0 0 aefcf65b-f04f-4a2e-aeb6-f8b1b8b1dd0b /
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PBSZ 0 200 0 0 aefcf65b-f04f-4a2e-aeb6-f8b1b8b1dd0b -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PROT P 200 0 0 aefcf65b-f04f-4a2e-aeb6-f8b1b8b1dd0b -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 FEAT - 211 0 0 aefcf65b-f04f-4a2e-aeb6-f8b1b8b1dd0b -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 QUIT - 221 0 0 aefcf65b-f04f-4a2e-aeb6-f8b1b8b1dd0b -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 ControlChannelClosed - - 0 0 aefcf65b-f04f-4a2e-aeb6-f8b1b8b1dd0b -
2016-08-09 22:57:05 172.16.30.153 - 172.16.250.30 990 ControlChannelOpened - - 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 - 172.16.250.30 990 USER SVC-HPDMFTP 331 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PASS *** 230 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 /
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PBSZ 0 200 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PROT P 200 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 FEAT - 211 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PWD - 257 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 QUIT - 221 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 ControlChannelClosed - - 0 0 d0ef1702-6567-4d1c-8234-5fd9f87c70f5 -
2016-08-09 22:57:05 172.16.30.153 - 172.16.250.30 990 ControlChannelOpened - - 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:05 172.16.30.153 - 172.16.250.30 990 USER SVC-HPDMFTP 331 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PASS *** 230 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 /
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PBSZ 0 200 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PROT P 200 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 FEAT - 211 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:05 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PASV - 227 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:20 - MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 52252 DataChannelClosed - - 1223 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:20 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PORT 172,16,30,153,192,17 200 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:21 172.16.250.30 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 52099 DataChannelOpened - - 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:21 172.16.250.30 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 52099 DataChannelClosed - - 1236 38 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 LIST /./Repository/Images 425 1236 38 eff55e20-dbc6-4be6-954e-03865e402de8 /Repository/Images
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 QUIT - 221 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 ControlChannelClosed - - 0 0 eff55e20-dbc6-4be6-954e-03865e402de8 -
2016-08-09 22:57:21 172.16.30.153 - 172.16.250.30 990 ControlChannelOpened - - 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:21 172.16.30.153 - 172.16.250.30 990 USER SVC-HPDMFTP 331 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PASS *** 230 0 0 42009df6-d459-427f-bb37-ec785324fdba /
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PBSZ 0 200 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PROT P 200 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 FEAT - 211 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PWD - 257 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 CWD /./Repository/Tools/Imaging/Mapping 250 0 0 42009df6-d459-427f-bb37-ec785324fdba /Repository/Tools/Imaging/Mapping
2016-08-09 22:57:21 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PASV - 227 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:36 - MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 52256 DataChannelClosed - - 1223 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:36 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 PORT 172,16,30,153,192,22 200 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:36 172.16.250.30 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 52099 DataChannelOpened - - 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:36 172.16.250.30 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 52099 DataChannelClosed - - 1236 38 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:36 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 LIST - 425 1236 38 42009df6-d459-427f-bb37-ec785324fdba /Repository/Tools/Imaging/Mapping
2016-08-09 22:57:36 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 QUIT - 221 0 0 42009df6-d459-427f-bb37-ec785324fdba -
2016-08-09 22:57:36 172.16.30.153 MCKINLEYIRV\SVC-HPDMFTP 172.16.250.30 990 ControlChannelClosed - - 0 0 42009df6-d459-427f-bb37-ec785324fdba -
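An added example, not from HP or from this thread: a small Python scanner over IIS FTP W3C log lines that groups records by session and reports sessions whose data channel was aborted, the pattern visible in the log above (PASV accepted, data socket closed with Win32 1223 ERROR_CANCELLED, PORT fallback, data socket closed with 1236 ERROR_CONNECTION_ABORTED, LIST answered 425). It assumes the default IIS FTP field order, since the quoted log carries no #Fields header, and runs over constructed sample lines with placeholder hosts.

```python
"""Scan IIS FTP W3C log lines for sessions whose data channel failed.
Added example, not HP code; assumes the default IIS FTP field order below."""
from collections import defaultdict

FIELDS = "date time c_ip user s_ip s_port method uri status win32 sub session path".split()
# Win32 codes commonly logged when an FTPS data connection is not established.
WIN32 = {1223: "ERROR_CANCELLED", 1236: "ERROR_CONNECTION_ABORTED",
         10060: "WSAETIMEDOUT", 10061: "WSAECONNREFUSED"}

# Constructed sample (placeholder hosts): session s-ok lists fine; session s-bad
# mirrors the failure pattern: PASV accepted, passive data socket closed with 1223
# before any data, client falls back to PORT, active data socket aborted (1236),
# LIST answered 425 "Cannot open data connection".
SAMPLE = """\
2016-08-09 22:57:05 10.0.0.5 DOM\\svc-ftp 10.0.0.9 990 PASV - 227 0 0 s-ok -
2016-08-09 22:57:05 10.0.0.5 DOM\\svc-ftp 10.0.0.9 990 LIST /Repository 226 0 0 s-ok /Repository
2016-08-09 22:57:21 10.0.0.5 DOM\\svc-ftp 10.0.0.9 990 PASV - 227 0 0 s-bad -
2016-08-09 22:57:36 - DOM\\svc-ftp 10.0.0.9 52256 DataChannelClosed - - 1223 0 s-bad -
2016-08-09 22:57:36 10.0.0.5 DOM\\svc-ftp 10.0.0.9 990 PORT 10,0,0,5,192,22 200 0 0 s-bad -
2016-08-09 22:57:36 10.0.0.9 DOM\\svc-ftp 10.0.0.9 52099 DataChannelOpened - - 0 0 s-bad -
2016-08-09 22:57:36 10.0.0.9 DOM\\svc-ftp 10.0.0.9 52099 DataChannelClosed - - 1236 38 s-bad -
2016-08-09 22:57:36 10.0.0.5 DOM\\svc-ftp 10.0.0.9 990 LIST - 425 1236 38 s-bad /Repository/Tools
""".splitlines()

def parse(line):
    """Return one record as a dict, or None for #-headers and malformed lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def find_data_channel_failures(lines):
    """Group records by x-session; report sessions with aborted data sockets or 4xx replies."""
    sessions = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        sessions[rec["session"]].append(rec)
    findings = []
    for sid, recs in sessions.items():
        modes = [r["method"] for r in recs if r["method"] in ("PASV", "EPSV", "PORT", "EPRT")]
        aborted = [int(r["win32"]) for r in recs if r["method"] == "DataChannelClosed"
                   and r["win32"].isdigit() and r["win32"] != "0"]
        refused = [(r["method"], r["status"]) for r in recs if r["status"].startswith("4")]
        if aborted or refused:
            findings.append({"session": sid, "modes": modes,
                             "win32": [(code, WIN32.get(code, "unknown")) for code in aborted],
                             "failed": refused})
    return findings
```

Feed it the real log with `find_data_channel_failures(open("u_exYYMMDD.log").read().splitlines())`; a session showing 1223 on the PASV socket followed by a PORT attempt points at the passive data port range not reaching the server through the firewall or NAT, which is the usual cause of 425 on an otherwise working FTPS control channel.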
08-10-2016 02:05 PM
Also, it appears there is no way to supply the client certificate for authentication in the Repository Management. If I try to do a child sync it fails stating the policy requires a client certificate. The interface only allows for a username and password to be presented. Is there any way to provide a client cert for authentication?