April 2nd, 2013 05:00

Help installing custom trusted certificate on EqualLogic environment

Hi guys

Can anyone provide guidance or point me to documentation on installing custom certificates on a PS Series Group please?

I see references in the Group Admin Guide and CLi documentation, but I can’t find anything specific detailing configuration options, procedures etc.

Thank you in advance

7 Technologist


729 Posts

April 2nd, 2013 06:00

You would first FTP the certificates to the array. If not using a management network, use the Group IP for the FTP connection; if using a management network, use the Management Network Group IP for the FTP connection. This ensures the file is copied to the correct member (the Group leader).

Once copied, both the Admin Guide and the CLI guide have really good instructions on the steps to configure IPSEC, and many examples, but to summarize:

Enable IPSEC:

ipsec enable

(Enabling IPSEC can be done before or after you configure IPSEC; some folks hold off enabling IPSEC until they have configured both the group and hosts.)

Load the Cert:

ipsec certificate load certificate_name file_name type… (there are additional options you may/may not need)

Verify the specific Cert:

ipsec certificate select certificate_name show

Show all the certs installed:

ipsec certificate show

Create a policy:

ipsec-policy create… (additional options as needed)

View the policy:

ipsec-policy show

Perform any host or host iSCSI initiator tasks as needed to use IPSEC

-joe

3 Posts

April 2nd, 2013 07:00

Hi Joe

Thanks for the quick response - that's exactly what I'm looking for! Will have a read through the IPSEC sections of the Admin and CLi Guides

Matt

3 Posts

April 2nd, 2013 13:00

Ahh, ok - I will need to secure connectivity between the Web GUI and Group Management IP (on a dedicated management network).

Am I right in saying all I need to do is generate a local certificate for the Group Management Network address and install the root CA plus local certificate, and then install the same/relevant certificate chain on the machine(s) running the web GUI?

Note, this is a PS6x00 array, which has a dedicated management interface

1 Rookie


25 Posts

August 27th, 2013 18:00

Also, it would be a good idea for Dell to properly sign the applet(s) so that the Java runtime doesn't complain about them.

1 Rookie


25 Posts

August 27th, 2013 18:00

So, to confirm, you're saying there is no way to provide the web GUI with a valid SSL certificate?

That's unfortunate, because it means we have to click through a browser warning every time we use the GUI, and because it means we have no reasonably reliable way of knowing that the Java applet we're about to run hasn't been maliciously modified.

We can work around the first problem by using http instead of https.  But that makes the second problem even worse.

Could you please consider this as a feature request for future versions of the firmware?

Thanks.

1 Rookie


25 Posts

August 27th, 2013 19:00

What prevents the applet from running if it has been modified?  It isn't digitally signed as far as I can tell.

1 Rookie


25 Posts

August 27th, 2013 19:00

OK, looking again I see there's something more complicated going on.

When I go to our EqualLogic server's group management site, I am prompted twice to allow an application to run.  The first application is not digitally signed, and it isn't clear what if anything it actually does.  The second application is the management GUI and it *is* digitally signed, so provided the user checks the signature it is protected from modification.

Any idea what's going on here?  How can I avoid the extra prompt?

1 Rookie


25 Posts

August 27th, 2013 20:00

Excellent.  That also avoids the issue with the browser-based GUI only wanting one instance open at a time per client machine.

In fact, if I explicitly aim javaws at groupmgr.jnlp, I don't even need to install Java in the browser.  What version of Java is recommended, 6 or 7?

1 Rookie


47 Posts

July 28th, 2015 18:00

Is this still unavailable?

Given modern security requirements for stepping stones and management stations, we really need signed certificates for access to management pages.

It would be very strange to add exceptions for every EQL group because they all have self-signed certificates. Modern browser and secure OS policies don't allow this by default.

All the Dell iDRAC interfaces are also configurable with signed certificates.

If it is not possible, what would be the most secure workaround? And is this a roadmap item?

1 Rookie


25 Posts

July 28th, 2015 19:00

Well, no.  You don't know what the source is; it might be the EQL array, or it might be a man-in-the-middle attacker.  The Java runtime should confirm that the applet is signed, but will not prevent an attacker using a signed but malicious applet.  (Not a concern for my organization, since the management network is isolated, but that's not always possible.)

I suppose since EQL supports ipsec that might be a solution, but it's kind of complicated.  And you'd also need ipsec on your DNS servers.

1 Rookie


25 Posts

July 29th, 2015 14:00

Ah, OK.  If the arrays don't support IPSEC on the management network then that doesn't protect the Java app at all.  So it really is essential from a security standpoint to have an isolated management network.

But even with an isolated management network, you're at risk if your DNS might be compromised by an attacker on the LAN.  You would either need to secure your DNS somehow (IPSEC or DNSSEC or similar) or always use the IP address of the management server in the URL rather than the name.

On the other hand, SSL doesn't provide perfect protection either, unless you can set up certificate pinning.

OP: one option might be a custom instance of Java with all certificates removed other than the one Dell uses to sign the app.  You can create a shortcut that invokes that custom instance with the URL to the app.  (Using a custom instance is desirable anyway, because it means you don't need to have Java enabled in your web browser.)
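The workaround the last two posts converge on (use the management IP rather than a DNS name, and pin the array's self-signed certificate rather than trusting a CA) can be scripted. The following is an added example, not code from this thread or from Dell: a small trust-on-first-use pin store that records the SHA-256 fingerprint of the certificate the group management IP presents, refuses to proceed if it ever changes, and is meant to run before you point javaws at groupmgr.jnlp. The management IP `192.0.2.10`, the pin file name `eql_pins.json` and port 443 are assumptions; the first pin must be taken from a trusted position (console or isolated management network), and a firmware update that regenerates the array's certificate will show up as a mismatch that has to be reconciled by hand.

```python
"""Pin an EqualLogic group's self-signed management certificate (added example).

The array only serves its own self-signed certificate, so a browser cannot
validate it against a CA. Instead, record the SHA-256 fingerprint of that
certificate once (trust on first use from a trusted network, or copied from
the console) and refuse to talk to the management IP if it ever changes.
Always address the array by IP literal, not DNS name, so a spoofed DNS reply
cannot redirect the check.
"""
import hashlib
import hmac
import json
import socket
import ssl
import sys
from pathlib import Path


class PinMismatch(Exception):
    """The certificate presented does not match the recorded pin."""


class UnpinnedHost(Exception):
    """No pin recorded for this host and trust-on-first-use is disabled."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as lowercase hex (same digest openssl
    x509 -fingerprint -sha256 prints, without the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Complete a TLS handshake with CA validation switched off and return the
    peer's leaf certificate in DER form. Validation is off on purpose: the
    array's certificate is self-signed and we validate it by pin instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise RuntimeError(f"{host}:{port} presented no certificate")
    return der


def load_pins(path: Path) -> dict:
    """Pin file is a JSON object mapping host (IP literal) -> hex fingerprint."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def pin_status(pins: dict, host: str, der_cert: bytes) -> str:
    """Pure comparison: 'match', 'mismatch', or 'unpinned'."""
    expected = pins.get(host)
    if expected is None:
        return "unpinned"
    # compare_digest avoids leaking which prefix of the hex string matched
    return "match" if hmac.compare_digest(expected, fingerprint(der_cert)) else "mismatch"


def check_pin(pins: dict, host: str, der_cert: bytes, trust_on_first_use: bool = False) -> str:
    """Enforce the pin. Returns 'match' or 'pinned' (new pin recorded under
    TOFU); raises PinMismatch / UnpinnedHost otherwise."""
    status = pin_status(pins, host, der_cert)
    if status == "match":
        return status
    if status == "mismatch":
        raise PinMismatch(
            f"{host}: certificate changed; pinned {pins[host][:16]}..., "
            f"got {fingerprint(der_cert)[:16]}... (possible MITM, or the array regenerated its cert)"
        )
    if not trust_on_first_use:
        raise UnpinnedHost(f"{host}: no pin recorded; verify the fingerprint out of band and add it")
    pins[host] = fingerprint(der_cert)
    return "pinned"


def verify_array(host: str, pin_file: Path = Path("eql_pins.json"), tofu: bool = False) -> str:
    """Network wrapper: fetch the live certificate, check it, persist a new pin."""
    pins = load_pins(pin_file)
    result = check_pin(pins, host, fetch_der_cert(host), trust_on_first_use=tofu)
    if result == "pinned":
        save_pins(pin_file, pins)
    return result


if __name__ == "__main__":
    # Assumed management IP (TEST-NET-1 placeholder); pass the real one as argv[1].
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    group_ip = args[0] if args else "192.0.2.10"
    print(group_ip, verify_array(group_ip, tofu="--tofu" in sys.argv))
```

Run it once with `--tofu` from the isolated management network to record the pin, then without it from a shortcut that launches javaws only when the script exits cleanly. A `PinMismatch` is the signal the thread is asking for: either someone is between you and the array, or the array's certificate legitimately changed and the pin entry should be removed after confirming the new fingerprint on the console.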
