Trend Micro - Securing Your Journey to the Cloud Business
Support
Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Certificate replacement for Management Console and EUQ Console in InterScan Messaging Security Suite (IMSS) 9.1 Linux

    • Updated:
    • 23 Apr 2019
    • Product/Version:
    • InterScan Messaging Security Suite 9.1 Linux
    • Platform:
    • Linux All
Summary

The IMSS Management Console supports encrypted communication using SSL. This communication would already function because a default certificate is produced along with the installation process. Trend Micro suggests creating your own certificate to further tighten security. This KB article will guide you through certificate replacement for the Management Console and EUQ Console.

Details
Public

Replacing with a self-signed certificate

  1. Run the following command on the Linux server in order to generate a self-signed certificate (imss.crt) and a private key (imss.key).

    # openssl req -x509 -newkey rsa:2048 -nodes -keyout imss.key -out imss.crt -days 3652

  2. Make sure to back up the default certificate and private key.

    (Management Console)

    # cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt.org
    # cp -p $IMSS_HOME/UI/apache/conf/ssl.key/server.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key.org

    (EUQ Console)

    # cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt.org
    # cp -p $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key.org

  3. Replace the default certificate and private key with the self-signed certificate and private key created at Step 1.

    (Management Console)

    # cp imss.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt
    # cp imss.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key

    (EUQ Console)

    # cp imss.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt
    # cp imss.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key

  4. Run the commands below to restart the Management Console and EUQ Console.

    # LANG=C; $IMSS_HOME/script/S99ADMINUI restart
    # $IMSS_HOME/script/S99EUQ restart

Replacing with an SSL certificate issued by a public CA

  1. Run the following command on the Linux server in order to generate a CSR (imss91.crt) and a private key (imss91.privkey).

    # openssl req -new -keyout imss91.privkey -out imss91.csr

  2. Ask the CA to issue an SSL certificate.
  3. After the SSL certificate is issued, create a certificate file (imss91.crt) and its intermediate certificate (intermediate_ca.crt).
    Also, run the command below to remove the passphrase from the private key. The private key file without a passphrase is imss91.key.

    # openssl rsa -in imss91.privkey -out imss91.key

  4. Back up the default certificate, private key and the configuration files (widget.conf and EUQ.conf).

    (Management Console)

    # cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt.org
    # cp -p $IMSS_HOME/UI/apache/conf/ssl.key/server.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key.org
    # cp -p $IMSS_HOME/UI/php/conf/widget.conf $IMSS_HOME/UI/php/conf/widget.conf.org

    (EUQ Console)

    # cp -p $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt.org
    # cp -p $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key.org
    # cp -p $IMSS_HOME/UI/euqUI/conf/EUQ.conf $IMSS_HOME/UI/euqUI/conf/EUQ.conf.org

  5. Replace the default certificate and private key with the self-signed certificate and private key created at Step 3.

    (Management Console)

    # cp imss91.crt $IMSS_HOME/UI/apache/conf/ssl.crt/server.crt
    # cp imss91.key $IMSS_HOME/UI/apache/conf/ssl.key/server.key

    (EUQ Console)

    # cp imss91.crt $IMSS_HOME/UI/apache/conf/ssl.crt/euq.server.crt
    # cp imss91.key $IMSS_HOME/UI/apache/conf/ssl.key/euq.server.key

  6. Copy the intermediate certificate (intermediate_ca.crt) to $IMSS_HOME/UI/apache/conf/ssl.crt and change its ownership and permission.

    # cp intermediate_ca.crt $IMSS_HOME/UI/apache/conf/ssl.crt/
    # chown imss:imss $IMSS_HOME/UI/apache/conf/ssl.crt/intermediate_ca.crt
    # chmod 750 $IMSS_HOME/UI/apache/conf/ssl.crt/intermediate_ca.crt

  7. Add the "SSLCertificateChainFile" directive to widget.conf and EUQ.conf.

    (Management Console) $IMSS_HOME/UI/php/conf/widget.conf:

    ...
    SSLCertificateFile conf/ssl.crt/server.crt
    SSLCACertificateFile conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key
    SSLCertificateChainFile conf/ssl.crt/intermediate_ca.crt
    ...

    (EUQ Console) $IMSS_HOME/UI/euqUI/conf/EUQ.conf:

    ...
    SSLCertificateFile conf/ssl.crt/euq.server.crt
    SSLCACertificateFile conf/ssl.crt/euq.server.crt
    SSLCertificateKeyFile conf/ssl.key/euq.server.key
    SSLCertificateChainFile conf/ssl.crt/intermediate_ca.crt
    ...

  8. Run the commands below to restart the Management Console and EUQ Console.

    # LANG=C; $IMSS_HOME/script/S99ADMINUI restart
    # $IMSS_HOME/script/S99EUQ restart

Premium
Internal
Partner
Rating:
Category:
Configure
Solution Id:
1122544
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.