SSL certificate challenges - IBM / Tivoli Endpoint Manager

(imported topic written by N5RH_Paul_Aage_Aasheim)

When you are going to install all of the modules that IBM / Tivoli Endpoint Manager includes, you will probably soon recognize that there are some issues associated with the configuration of SSL certificates… Here are my experiences so far:

Issue nr 1: Web-reports certificates

There is a very good description of how to create a certificate for the purpose of delivering encrypted reports from the TEM server:

http://www-01.ibm.com/support/docview.wss?uid=swg21505848

However, the description does not take into account that different providers of certificates deliver the certificates in different formats, which in turn creates a challenge to convert the certificate into the right format, and you have to refresh your knowledge about working with OpenSSL. The main headache about working with certificates is the absence of tools to check if the certificate is OK and works properly. In my case, I experienced that you do not get any information from the logs or elsewhere that it is the certificate that is the reason why the reports are not running. You get Winsock errors and other curious events which do not give any idea what the real reason is… namely the certificate.

Issue nr 2: Windows server - RDP - Multiple Domain (UCC) SSL Certificate

OK, when you recognize that you need a SAN certificate to run all the services at the TEM server properly with an SSL certificate, in such a way that each service can have its own subdomain, you run into the next problem. The same certificate which you use for the Web Reports will not work for running RDP sessions with an SSL certificate if you follow the description mentioned earlier, because if you are going to use the certificate for the RDP service at the Windows 2008 R2 server, then you must create another .csr file with another private key that has the .key extension, as I have described in the developerWorks forum:

https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014909790

Issue nr 3: TEM Software Usage Analysis (SUA)

Yes - When you come to this point of the installation process, you are a lucky man if you have managed the first challenges and you have saved money because you have one SSL certificate with 5 subdomains: subdomain.domain.com, rdp.domain.com, ldap.domain.com, sua.domain.com, mdm.domain.com etc. GoDaddy requires $89.99 for 1 certificate and $199 for a SAN certificate with 5 subdomains a year… But - When you start to configure the SSL of the SUA reports, you will suddenly recognize that the reports require a PEM certificate, but only 2048 bit, not 4096 bit, which you maybe have created to be sure for the Web Reports. OK, you must start all over again from the beginning of the process to get a proper certificate. (4096 is by the way required in connection with FIPS.)

Issue nr 4: TEM Security and Compliance (SCA)

When you come to the Security and Compliance guide, the guide tells me: “If you provide a pre-existing private key and certificate, they must be PEM-encoded. If your private key is protected with a password, you must enter it in the Private key password field.” But what kind of PEM key/certificate does it require? Maybe the same as originally described for the Web Reports, but only 2048 bit? Until recently, I had not figured out how to get it to work: PEM-format X.509 converted from CRT to DER to PEM…

Issue nr 5: TEM Remote Control

When you start the process of installing Remote Control, you will soon recognize that you must install the IBM WebSphere server - Great, web server number 3 or 4 at the TEM server. The description of how to add keys and certificates at the WebSphere server is very good, but again, yet another new tool with its own principles. If you have done everything right so far (e.g. got the right name of the WebSphere server in accordance with the certificate), you can still use the same SAN certificate also at the WebSphere server for the administration console of the server. But - When you come to the configuration of Remote Control and you want to use the support of FIPS or not, you will soon run into trouble when trying to make Remote Control use the right certificate. Maybe it is not possible to use ordinary SSL certificates in connection with FIPS because of the heavy encryption… But without FIPS, it should work… Not for me so far… You get a certificate with errors…

Issue nr 6: TEM-Server - TEM-Client certificate

When installing the server and connecting the clients to the server, it generates a client certificate to be used when encrypting the communication between the server and the client - But that is an internal certificate with no references to the organization or the domain - Maybe that certificate could be used for other purposes too if the domain was included?

Issue nr 7: MDM - Apple iOS certificate

There is a very good description of the process in this note about how to obtain the certificate:

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/Obtaining+an+APNS+Certificate+to+Manage+Apple+iOS+Devices

But - “Download the CSR file that was generated during the installation”, which means that you have little possibility to have an impact on the content of the certificate that will be created. Maybe you will end up with another organization, or even worse, the wrong domain or name of the server, which in turn will create a warning when you open the site, e.g. in Firefox. It does look professional for the customer when you provide solutions that contain warnings and errors… In addition, from what I have learned, when you provide the MDM solution to different customers with the same certificate, it is maybe in conflict with the license rules of Apple and, maybe worse, it can generate security issues if different customers run their mobile client application with the same certificate.

Conclusion

I am not an expert on certificates and security issues and I am sure there are many very good reasons why the developers of BigFix and different IBM software have made their choices. On the other hand, as a user and a newbie of the system, there is a lot of work to do to get the TEM server up and running, and it is sometimes a bit confusing and frustrating. What I am really missing is complete documentation of all the certificates you need to plan for in one article, including different guidelines and tips about the different choices you must make. The wet dream for the future is the need for only one certificate in the next IEM version 10, a certificate for all purposes, and if there is a need for a special certificate, the system takes care of generating that certificate automatically… Maybe there should be a user interface where you can register the information it needs to create the certificate(s), especially with the possibility to register different organizations, which in turn gives the possibility to generate different certificates in connection with providing MDM services to different customers.

Anyway, the certificate issues are not my main experience with BigFix / Tivoli Endpoint Manager: it's an excellent system with overwhelming possibilities and functionalities…
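Several of the issues above (a provider delivering the certificate in an unexpected format, a product insisting on a 2048-bit PEM certificate, a SAN certificate that must carry the right subdomains, and no tool telling you whether the certificate you installed is actually the one you think) can be checked locally with OpenSSL before touching the TEM server. The script below is an added example written for this page; it is not part of the original post and not IBM's tooling. It assumes `openssl` 1.1.1 or later on PATH, and the 2048-bit self-signed SAN certificate it generates is constructed for the demonstration only (the names `sua.example.com` and `rdp.example.com` are placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSL checks for the
# certificate questions raised above.
#  - cert_format      : is the file PEM or DER?
#  - to_pem           : normalise either form to PEM (what SUA/SCA ask for)
#  - cert_key_bits    : 2048 or 4096 bit public key?
#  - check_key_bits   : does it match what a given product demands?
#  - cert_sans        : which DNS names does the SAN extension carry?
#  - key_matches_cert : does the private key belong to this certificate?
# Assumption: openssl 1.1.1+ on PATH. The sample certificate is constructed.

WORK=$(mktemp -d)

# Print PEM or DER depending on how the certificate file parses.
cert_format() {
    if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Normalise a PEM or DER certificate ($1) to a PEM file at $2.
to_pem() {
    fmt=$(cert_format "$1") || return 1
    openssl x509 -in "$1" -inform "$fmt" -outform PEM -out "$2"
}

# Size in bits of the certificate's public key (e.g. 2048 or 4096).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only when the key size equals the value a product demands ($2).
check_key_bits() {
    [ "$(cert_key_bits "$1")" -eq "$2" ]
}

# Space-separated DNS names from the subjectAltName extension.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds when the PEM private key ($2) and certificate ($1) yield the
# same public key, i.e. the pair really belongs together.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# --- constructed sample: a 2048-bit self-signed SAN certificate ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/O=Example Org/CN=sua.example.com" \
    -addext "subjectAltName=DNS:sua.example.com,DNS:rdp.example.com" \
    >/dev/null 2>&1
# The same certificate in DER, as some providers deliver it.
openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.der"

to_pem "$WORK/cert.der" "$WORK/from_der.pem"
echo "format of cert.der  : $(cert_format "$WORK/cert.der")"
echo "format after to_pem : $(cert_format "$WORK/from_der.pem")"
echo "public key size     : $(cert_key_bits "$WORK/cert.pem") bit"
echo "SAN names           : $(cert_sans "$WORK/cert.pem")"
if key_matches_cert "$WORK/cert.pem" "$WORK/key.pem"; then
    echo "private key matches the certificate"
else
    echo "private key does NOT match the certificate"
fi
```

Run it against a provider-delivered file instead of the constructed sample by pointing the function calls at that file; `to_pem` gives you the PEM form the SUA and SCA guides ask for, `check_key_bits cert.pem 2048` tells you up front whether the key size will be accepted, and `key_matches_cert` catches the case where the .csr was generated with one private key and the certificate is being deployed with another.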