The IMSS Management Console supports encrypted communication using SSL. SSL works immediately after installation because a default certificate is generated during the installation process. Trend Micro suggests creating your own certificate to further tighten security. This KB article will guide you through certificate replacement for the Management Console and EUQ Console.
Replacing with a self-signed certificate
- Run the following command on the Linux server in order to generate a self-signed certificate (imss.crt) and a private key (imss.key).
# openssl req -x509 -newkey rsa:2048 -nodes -keyout imss.key -out imss.crt -days 3652
- Make sure to back up the default certificate and private key.
(Management Console)
# cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt.org
# cp -p $IMSS_HOME/UI/apache/conf/ssl.key/server.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key.org
(EUQ Console)
# cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt.org
# cp -p $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key.org
- Replace the default certificate and private key with the self-signed certificate and private key created at Step 1.
(Management Console)
# cp imss.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt
# cp imss.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key
(EUQ Console)
# cp imss.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt
# cp imss.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key
- Run the commands below to restart the Management Console and EUQ Console.
# LANG=C; $IMSS_HOME/script/S99ADMINUI restart
# $IMSS_HOME/script/S99EUQ restart
Replacing with an SSL certificate issued by a public CA
- Run the following command on the Linux server in order to generate a CSR (imss91.csr) and a private key (imss91.privkey).
# openssl req -new -keyout imss91.privkey -out imss91.csr
- Ask the CA to issue an SSL certificate.
- After the SSL certificate is issued, create a certificate file (imss91.crt) and its intermediate certificate (intermediate_ca.crt).
Also, run the command below to remove the passphrase from the private key. The private key file without a passphrase is imss91.key.
# openssl rsa -in imss91.privkey -out imss91.key
- Back up the default certificate, private key and the configuration files (widget.conf and EUQ.conf).
(Management Console)
# cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt.org
# cp -p $IMSS_HOME/UI/apache/conf/ssl.key/server.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key.org
# cp -p $IMSS_HOME/UI/php/conf/widget.conf $IMSS_HOME/UI/php/conf/widget.conf.org
(EUQ Console)
# cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt.org
# cp -p $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key.org
# cp -p $IMSS_HOME/UI/euqUI/conf/EUQ.conf $IMSS_HOME/UI/euqUI/conf/EUQ.conf.org
- Replace the default certificate and private key with the certificate and private key created at Step 3.
(Management Console)
# cp imss91.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt
# cp imss91.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key
(EUQ Console)
# cp imss91.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt
# cp imss91.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key
- Copy the intermediate certificate (intermediate_ca.crt) to $IMSS_HOME/UI/apache/conf/ssl.crt and change its ownership and permission.
# cp intermediate_ca.crt $IMSS_HOME/UI/apache/conf/ssl.crt/
# chown imss:imss $IMSS_HOME/UI/apache/conf/ssl.crt/intermediate_ca.crt
# chmod 750 $IMSS_HOME/UI/apache/conf/ssl.crt/intermediate_ca.crt
- Add the "SSLCertificateChainFile" directive to widget.conf and EUQ.conf.
(Management Console) $IMSS_HOME/UI/php/conf/widget.conf:
...
SSLCertificateFile conf/ssl.crt/server.crt
SSLCACertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
SSLCertificateChainFile conf/ssl.crt/intermediate_ca.crt
...
(EUQ Console) $IMSS_HOME/UI/euqUI/conf/EUQ.conf:
...
SSLCertificateFile conf/ssl.crt/euq.server.crt
SSLCACertificateFile conf/ssl.crt/euq.server.crt
SSLCertificateKeyFile conf/ssl.key/euq.server.key
SSLCertificateChainFile conf/ssl.crt/intermediate_ca.crt
...
- Run the commands below to restart the Management Console and EUQ Console.
# LANG=C; $IMSS_HOME/script/S99ADMINUI restart
# $IMSS_HOME/script/S99EUQ restart
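
In either procedure, a certificate that does not match its private key, or a key that still carries a passphrase, will keep the consoles from coming back after the restart. The script below is an added example, not part of the original article or of IMSS, that checks the new files before they are copied over the defaults. The function name check_cert_pair is hypothetical, and the script assumes OpenSSL 1.0.2 or later (for "openssl pkey" and "verify -partial_chain").

```sh
#!/bin/sh
# Added example: pre-install check for a certificate/key pair.
# check_cert_pair is a hypothetical helper name, not an IMSS tool.
# Usage: check_cert_pair CERT KEY [INTERMEDIATE]
check_cert_pair() {
    cert=$1
    key=$2
    chain=${3:-}

    # The certificate must parse and must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: $cert is unreadable or expired" >&2
        return 1
    }

    # The key must load without a passphrase. Supplying a dummy -passin
    # value makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass:dummy -pubout 2>/dev/null) || {
        echo "FAIL: $key is unreadable or still passphrase-protected" >&2
        return 1
    }

    # The public key in the certificate must equal the one derived
    # from the private key, otherwise the pair does not belong together.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $cert and $key do not belong together" >&2
        return 1
    }

    # Optional: the certificate must be signed by the intermediate that
    # SSLCertificateChainFile will point at.
    if [ -n "$chain" ]; then
        openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 || {
            echo "FAIL: $cert is not signed by $chain" >&2
            return 1
        }
    fi

    echo "OK: $cert matches $key"
}

# Run the check only when file names are passed on the command line.
[ "$#" -eq 0 ] || check_cert_pair "$@"
```

For the public-CA procedure the arguments would be imss91.crt, imss91.key and intermediate_ca.crt; for the self-signed procedure, imss.crt and imss.key.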