6.3 should work the same as 6.5 as far as encryption goes. The options for 256 and higher are only available for self signed certificates. If you import your own certificate then it will not show the options. Page 62 and 63 of the user's guide discuss the HTTPS encryption options.
Disabling SSL would stop the web interface from functioning. You would only be able to use the command line interface to issue commands. If you want to do this then all you need to do is to turn off the web interface service "DSM SA CONNECTION". It will be in your services.msc interface.
I verified the user's guide information in a lab. We were able to create a 2048 self signed key, but it would not accept anything higher than 1024 when importing a certification. OMSA 7 is scheduled to release at some point this year. I do not have information on it yet, but it may address this issue. For the time being you will probably not be able to use OMSA, or you will have to use the command line interface.
If your server is not in the supported list then you may need to use an older version of OMSA. If you have any issues locating a compatible version let me know the model number and OS of the server and I will get a link for you.
I actually have Dell OpenManage Server Administrator Version 6.3.0 and when I create a CSR and give it to my SSL Cert provider they say its made with a key less than 2048 bits. Would installing the newer version fix this?
Because of the security Audit I can't use a self signed certificate, as that is a finding in itself. I am reviewing the document, but it sounds like its not possible to get a SSL cert installed that uses a key larger than 1024 bits if it isn't self signed?
Yes, unfortunately that is the same way I am reading it. I don't think OMSA will pass that security audit. Openmanage Essentials is a new software application that released around December of last year. It is a replacement of ITA though; which is a monitoring application. I looked into the possibility of using that in place of OMSA, but it appears to still require OMSA to be installed on the servers it is monitoring.
At this time I cannot locate a management application we have that will pass that security audit.
I have the wildcard cert in pkcs12 format, which includes CA certs and the private key, and I can convert that to whatever format (the doc indicates an imported cert needs to be in p7b format) but when I tried to import the p7b version of the cert and even supplied the password for the cert it still fails. Of course this is a cert made with a 2048 bit key.
At this point I may be able to work around the findings by disabling SSL all together in OMSA, if that's possible...
I checked with some people and this functionality is not in OM 7.0. At this time, it is doubtful that it will be in any version of OM this year, but I have entered the request to have it considered.
Yes, thank you both for looking into this. I hate to disable the web interface but as long as OMSA will continue to log alerts to the event log (which is how our company scans for them) then that will be our only viable option at this time. I'll make this question as answered since we pretty much have an answer for the time being. Thanks again guys.
Is there any change in this since February 2012? Is it still the case that SSL certs that use keys larger than 1024 bits have to be self signed?
No, it still requires self signed certs. I'm not aware of any plans to change the certificate system within OpenManage. There have been many requests to change this functionality so that OMSA will pass security audits, but I'm not sure when/if this will be changed.
Once again, just checking to see if there has been any progress on this. We are looking at another round of audits and need to have a solution for this. My SSL Certificate provider will not issue 1024 bit keyed certs, and most I have checked with also will not.
Once again, just checking to see if there has been any progress on this. We are looking at another round of audits and need to have a solution for this. My SSL Certificate provider will not issue 1024 bit keyed certs, and most I have checked with also will not.
There is not currently a version that supports it. I don't have access to specifics of unreleased versions of OMSA, but the information I received about version 7.2 is that it will allow 1024 cert uploads. Release dates of software are not set in stone, but I expect it to be released within the month. I'm sorry I am not able to provide more information, but I won't know for sure what the details of the release are until the actual release date.
Daniel My
10 Elder
•
6.2K Posts
1
February 22nd, 2012 10:00
Lios
6.3 should work the same as 6.5 as far as encryption goes. The options for 256 and higher are only available for self signed certificates. If you import your own certificate then it will not show the options. Page 62 and 63 of the user's guide discuss the HTTPS encryption options.
http://support.dell.com/support/edocs/software/svradmin/6.5/en/UG/PDF/OMSAUG.pdf
Thanks
Daniel My
10 Elder
•
6.2K Posts
1
February 22nd, 2012 15:00
Lios
Disabling SSL would stop the web interface from functioning. You would only be able to use the command line interface to issue commands. If you want to do this then all you need to do is to turn off the web interface service "DSM SA CONNECTION". It will be in your services.msc interface.
I verified the user's guide information in a lab. We were able to create a 2048 self signed key, but it would not accept anything higher than 1024 when importing a certification. OMSA 7 is scheduled to release at some point this year. I do not have information on it yet, but it may address this issue. For the time being you will probably not be able to use OMSA, or you will have to use the command line interface.
Here is the CLI guide for OMSA: http://support.dell.com/support/edocs/software/svradmin/6.5/en/CLI/PDF/CLIUG.pdf
Thanks
Daniel My
10 Elder
•
6.2K Posts
0
February 21st, 2012 17:00
Hello Lios
Dell Server Assistant was replaced by Open Manage Server Administrator. OMSA supports up to 512 encryption.
This is the latest version of OMSA(6.5):
http://ftp.us.dell.com/sysman/OM-SrvAdmin-Dell-Web-WIN-6.5.0-2247_A01.10.exe
Here is the support matrix for version 6.5:
http://support.dell.com/support/edocs/software/svradmin/65_02/sup_mat/installa.htm#wp999358
If your server is not in the supported list then you may need to use an older version of OMSA. If you have any issues locating a compatible version let me know the model number and OS of the server and I will get a link for you.
Thanks
Lios
14 Posts
0
February 22nd, 2012 07:00
I actually have Dell OpenManage Server Administrator Version 6.3.0 and when I create a CSR and give it to my SSL Cert provider they say its made with a key less than 2048 bits. Would installing the newer version fix this?
Lios
14 Posts
0
February 22nd, 2012 12:00
Because of the security Audit I can't use a self signed certificate, as that is a finding in itself. I am reviewing the document, but it sounds like its not possible to get a SSL cert installed that uses a key larger than 1024 bits if it isn't self signed?
Daniel My
10 Elder
•
6.2K Posts
0
February 22nd, 2012 13:00
Lios
Yes, unfortunately that is the same way I am reading it. I don't think OMSA will pass that security audit. Openmanage Essentials is a new software application that released around December of last year. It is a replacement of ITA though; which is a monitoring application. I looked into the possibility of using that in place of OMSA, but it appears to still require OMSA to be installed on the servers it is monitoring.
At this time I cannot locate a management application we have that will pass that security audit.
Thanks
Lios
14 Posts
0
February 22nd, 2012 14:00
I have the wildcard cert in pkcs12 format, which includes CA certs and the private key, and I can convert that to whatever format (the doc indicates an imported cert needs to be in p7b format) but when I tried to import the p7b version of the cert and even supplied the password for the cert it still fails. Of course this is a cert made with a 2048 bit key.
At this point I may be able to work around the findings by disabling SSL all together in OMSA, if that's possible...
DELL-Rey G
3 Apprentice
•
1.1K Posts
0
February 23rd, 2012 06:00
I checked with some people and this functionality is not in OM 7.0. At this time, it is doubtful that it will be in any version of OM this year, but I have entered the request to have it considered.
Daniel My
10 Elder
•
6.2K Posts
0
February 23rd, 2012 09:00
Rey
Thanks for looking into this for us!
Lios
14 Posts
0
February 23rd, 2012 11:00
Yes, thank you both for looking into this. I hate to disable the web interface but as long as OMSA will continue to log alerts to the event log (which is how our company scans for them) then that will be our only viable option at this time. I'll make this question as answered since we pretty much have an answer for the time being. Thanks again guys.
DELL-Rey G
3 Apprentice
•
1.1K Posts
0
February 23rd, 2012 11:00
I've sparked the conversation internally, so if they come up with anything more definitive, I'll post here.
Randy_Brown
3 Posts
0
August 14th, 2012 19:00
Is there any change in this since February 2012? Is it still the case that SSL certs that use keys larger than 1024 bits have to be self signed?
Daniel My
10 Elder
•
6.2K Posts
0
August 15th, 2012 09:00
No, it still requires self signed certs. I'm not aware of any plans to change the certificate system within OpenManage. There have been many requests to change this functionality so that OMSA will pass security audits, but I'm not sure when/if this will be changed.
Thanks
Lios
14 Posts
0
December 10th, 2012 11:00
Once again, just checking to see if there has been any progress on this. We are looking at another round of audits and need to have a solution for this. My SSL Certificate provider will not issue 1024 bit keyed certs, and most I have checked with also will not.
Daniel My
10 Elder
•
6.2K Posts
0
December 10th, 2012 14:00
There is not currently a version that supports it. I don't have access to specifics of unreleased versions of OMSA, but the information I received about version 7.2 is that it will allow 1024 cert uploads. Release dates of software are not set in stone, but I expect it to be released within the month. I'm sorry I am not able to provide more information, but I won't know for sure what the details of the release are until the actual release date.
Thanks