Applies to:
Version 6.x
Summary:
Validation allows us to ensure that the public certificate we have stored in our database is, in fact, still available on the device/application we are monitoring. There are two ways to turn off validation for your certificates and/or drivers.
- At the server level, using the platform tree.
- At the object level in the policy tree.
Definition:
Network Validations only connect to the configured IP address and port, whereas On-Board Validations attach to the server in question via SSH, authenticate, and browse its file system to locate and validate the certificate. The Validation Manager module can be installed on each Certificate Manager server. This Validation Manager runs Network Validations of SSH Server Key, Certificate, and Application objects. It also performs On-Board Validations of Application objects.
More info:
This article addresses on-board, and network validations of your certificates.
1: Network Validation:
Network Validation requires network access to the server where the certificate is installed. During the Network Validation process, Director sends an SSL request to the server. If the server responds to the SSL request, Director retrieves the certificate’s serial number and compares it to the certificate Director Certificate Manager has archived for the corresponding Certificate object.
If you enable Network Validation on a Certificate object and select the Use Certificate Common Name option, Director does a DNS lookup of the certificate’s common name. It then validates the certificate at every IP address returned from the DNS lookup.
Network Validation is available for Application and Certificate objects. If you enable Network Validation on the Application object, Director validates the certificate associated with the Application object.
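As an added illustration of what the Network Validation step above does, the following script (written for this article; it is not Director's own implementation) resolves the certificate's common name, opens a TLS connection to every address returned, pulls the presented leaf certificate, extracts its serial number and compares it with the serial archived for the object. All function names are the example's own, and the "certificate" used for the offline check is a constructed DER fragment that contains only the version and serial fields, not a real signed certificate. The script goes one step beyond the text by also recording the SHA-256 fingerprint of the presented certificate: serial numbers are only unique within one issuing CA, so a fingerprint is the stronger identity check when you keep your own records.

```python
"""Network-validation style check: resolve the common name, connect to each
address, read the presented certificate and compare its serial number to the
archived one.  Example code for this article, not Director's own code."""
import hashlib
import socket
import ssl


def der_length(data: bytes, pos: int):
    """Decode a DER length field at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n following bytes
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def certificate_serial(der: bytes) -> int:
    """Extract serialNumber from an X.509 DER certificate.

    Layout walked: Certificate SEQUENCE { tbsCertificate SEQUENCE {
        [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... } ... }
    Only this leading structure is parsed, so no ASN.1 library is needed.
    """
    if der is None or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = der_length(der, 1)            # enter Certificate
    if der[pos] != 0x30:
        raise ValueError("tbsCertificate missing")
    _, pos = der_length(der, pos + 1)      # enter tbsCertificate
    if der[pos] == 0xA0:                   # skip optional explicit [0] version
        vlen, vpos = der_length(der, pos + 1)
        pos = vpos + vlen
    if der[pos] != 0x02:
        raise ValueError("serialNumber INTEGER missing")
    slen, spos = der_length(der, pos + 1)
    # DER INTEGER is two's complement; conformant serials are positive.
    return int.from_bytes(der[spos:spos + slen], "big", signed=True)


def serial_matches(der: bytes, archived_serial_hex: str) -> bool:
    """Compare the presented serial to the archived one (hex, colons optional)."""
    wanted = int(archived_serial_hex.replace(":", ""), 16)
    return certificate_serial(der) == wanted


def resolve_common_name(common_name: str, port: int):
    """DNS lookup of the common name: every returned address is a target."""
    infos = socket.getaddrinfo(common_name, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_leaf_certificate(ip: str, port: int, server_name: str, timeout=5.0) -> bytes:
    """Connect to one IP with SNI set to the expected name; return the DER leaf.
    Chain verification is disabled on purpose: we want to read whatever the
    server presents, because a wrong certificate is exactly what to detect."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
    if der is None:
        raise ValueError("no certificate presented")
    return der


def network_validate(common_name: str, port: int, archived_serial_hex: str):
    """Validate at every IP behind the common name; return per-IP results."""
    results = {}
    for ip in resolve_common_name(common_name, port):
        try:
            der = fetch_leaf_certificate(ip, port, common_name)
            results[ip] = {
                "ok": serial_matches(der, archived_serial_hex),
                "serial": format(certificate_serial(der), "x"),
                "sha256": hashlib.sha256(der).hexdigest(),
            }
        except (OSError, ssl.SSLError, ValueError) as exc:
            results[ip] = {"ok": False, "error": str(exc)}
    return results


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def sample_certificate_der(serial: int) -> bytes:
    """Constructed, truncated 'certificate' holding only version and serial.
    It is not a real signed certificate; it exists so the parser can be
    exercised offline."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, serial_bytes)
    return der_encode(0x30, der_encode(0x30, tbs))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in a real host,
    # port and archived serial to run a live check.
    sample = sample_certificate_der(0x0A1B2C)
    print("serial matches archived 0a:1b:2c:", serial_matches(sample, "0a:1b:2c"))
```

To run a live check, call `network_validate("www.example.invalid", 443, "0a:1b:2c")` with the real common name and the serial stored for the Certificate object; each IP returned by DNS gets its own entry, so a load-balanced service with one stale node shows up as a single failing address rather than a blanket failure.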
2: On-Board Validation:
On-Board Validation can be enabled only on Application objects. During On-Board Validation, Director uses the information defined in the Application object to authenticate with the server and locate the installed certificate. It then compares the installed certificate’s serial number to the certificate Director Certificate Manager has archived for the application’s corresponding Certificate object. On-Board Validation is performed using the application’s supported management protocol.
The purpose of On-Board Validation is to determine if the Application object configuration is correct and to verify that the correct certificate is installed on the server. If Director can authenticate with the server, it knows the Application object’s credentials are correct. If it can locate the certificate, it knows the Application object’s certificate configuration is correct. Finally, when it retrieves the certificate serial number, Director can determine if the correct certificate is installed.
Configuring Validation:
To configure validation for Application objects (On-Board Validation):
- Log in to the Director administration console.
- Rights: You must have the View and Write rights to the Application object.
- Select the Policy tree from the drop-down menu.
- In the Policy tree, expand the parent Device object, then select the Application object.
- Click the Validation tab.
- Configure the Application object Validation settings, then click Apply/Save.
Disabling via policy:
To disable both On-Board Validation and Network Validation, follow these steps.
Using WinAdmin:
- Navigate to a policy object.
- Select the applications tab.
- Select the application you want to turn validation off for.
- Under the Validation title, choose one of these options:
  - To disable only On-Board Validation, choose "Disable" under the File Settings title.
  - To disable only Network Validation, choose "Disable Network Validation".
  - To disable both, choose both.
- Navigate to the policy object.
- Select the validations tab.
- Select the application you need to turn off validation for.
- Click disable.
- Choose the type of lock you want for the policy.
- Press save.
- TIP: To turn it off for all applications, select the Certificate tab, scroll to the bottom and set "Disable network validation" to yes.
To configure validation directly on Certificate objects (Network Validation):
- Log in to the Director administration console.
- TIP: You must have the View and Write rights to the Certificate object.
- Select the Policy tree from the Tree drop-down menu.
- In the Policy tree, expand the parent Policy, Device, or Application object, then select the Certificate object.
- Click the Validation tab.
- Configure the Certificate object Validation settings, then click Apply/Save.
NOTE: To turn off network validation select the "Do not validate" option under network settings.
Frequently asked questions:
1: To disable Validation at the server level:
- Log in to the Director Windows administration console.
- TIP: You must have the View and Write rights to the Validation Manager module.
- Select the Platforms tree from the Tree drop-down menu.
- In the Platforms tree, select the Validation Manager module.
- Select the disable radio button, and press apply.
- Log in to the Director Windows administration console.
- Navigate to the logging tree.
- Click on Notification rules, and then on Validation failure.
- Click on the plus sign, to add another argument.
- Choose and > matches > component, and enter the name of the policy tree you want validation to run against.
- TIP: This ensures that only validation failure events from this part of the policy tree will be sent.
By default, Validation scans occur daily according to the daily task schedule configured on the Director server object in the Platforms tree; however, you can manually run a Validation scan at any time by clicking the Validate Now option in the Application and Certificate objects.
This information was taken from the "Director Certificate Management Guide."