vProxy uses a self-signed certificate and cannot use a CA-signed certificate
Summary: vProxy by default uses a self-signed certificate to communicate with NetWorker and it does not currently support using a Certificate Authority (CA) signed certificate.
Symptoms
A vProxy is configured and already registered to a NetWorker server (NW).
Vulnerability scanning software reports that communication on port 9090 uses a self-signed certificate and recommends replacing it with a CA-signed certificate.
Cause
A registered vProxy server shows the following certificates in the folder /data01/runtime/trust:
| Certificate or file details | File description |
| --- | --- |
| -rw------- 1 root root 765 Sep 6 14:31 node.CAcert.pem | This certificate comes with the OVA. It is the same for all customers. |
| -rw------- 1 root root 887 Sep 6 14:31 node.CAkey.pem | This key comes with the OVA. It is the same for all customers. |
| -rw------- 1 root root 806 Dec 17 10:21 vProxy1.domain.CAcert.pem | This certificate is generated on the first boot. |
| -rw------- 1 root root 887 Dec 17 10:21 vProxy1.domain.CAkey.pem | This key is generated on the first boot. |
| -rw------- 1 root root 996 Dec 18 09:45 vproxyCert.pem | This certificate is created as part of NetWorker registration. It is unique to the NetWorker server to which vProxy is registered. |
| -rw------- 1 root root 1676 Dec 18 09:45 vproxyKey.pem | This key is created as part of NetWorker registration. It is unique to the NetWorker server to which vProxy is registered. |
The certificate vproxyCert.pem is used by vProxy and NetWorker server when communicating over port 9090.
This certificate is also loaded in the NW configuration (nsrdb, nsr vmware proxy resource type). It can also be seen from the NetWorker Management Console (NMC).
This certificate shows it was issued by <NetWorker server name>.
vProxy will only trust the NetWorker it was registered to and vice versa.
Resolution
It is not possible to install a CA-signed certificate for vProxy to use when communicating over this port.
Nevertheless, there are no security implications, because vProxy will only connect to the NetWorker server it first registered with, which means that:
- A malicious vProxy cannot make the NW server believe it is talking to the real vProxy, because the certificate of the fake vProxy will not match the one stored in nsrdb.
- A malicious NetWorker cannot make vProxy believe it is talking to the real NetWorker, because this fake NetWorker does not have the original certificate in its configuration, so vProxy will reject the connection.
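The trust model described above is certificate pinning: the peer is accepted only if its certificate is the exact one stored at registration, regardless of who issued it. The following is an added example, not Dell's code, of how to confirm during triage of the scanner finding that the listener on port 9090 presents the pinned `vproxyCert.pem`. It assumes that listener presents that certificate; the host name and the sample bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def pin_matches(pinned_pem: str, presented_der: bytes) -> bool:
    """True only if the presented certificate is byte-identical to the pinned
    copy. No CA chain is consulted, so the issuer plays no part in the result."""
    pinned_der = ssl.PEM_cert_to_DER_cert(pinned_pem)
    return hmac.compare_digest(fingerprint(pinned_der), fingerprint(presented_der))

def fetch_presented_der(host: str, port: int = 9090, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a TLS listener presents. Chain and hostname
    checks are off because trust is decided by pin_matches() instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise ssl.SSLError("listener presented no certificate")
    return der

def triage(pinned_pem: str, presented_der: bytes) -> str:
    """One-line verdict for a 'self-signed certificate' scanner finding."""
    if pin_matches(pinned_pem, presented_der):
        return "OK: listener presents the pinned certificate " + fingerprint(presented_der)
    return "MISMATCH: listener presents an unpinned certificate " + fingerprint(presented_der)

# Constructed stand-ins: arbitrary bytes, not real certificates. Only their
# byte-for-byte identity matters to the pin comparison.
REGISTERED_DER = b"constructed-cert-created-at-registration"
OTHER_DER = b"constructed-cert-from-a-different-host"
PINNED_PEM = ssl.DER_cert_to_PEM_cert(REGISTERED_DER)

if __name__ == "__main__":
    print(triage(PINNED_PEM, REGISTERED_DER))
    print(triage(PINNED_PEM, OTHER_DER))
    # Live check (hypothetical host name; path is from the table above):
    #   pem = open("/data01/runtime/trust/vproxyCert.pem").read()
    #   print(triage(pem, fetch_presented_der("vproxy1.example.com")))
```

A MISMATCH result on a live check means the certificate on the wire is not the one created at registration and should be investigated before the scanner finding is closed.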
Affected Products
NetWorker
Article Properties
Article Number: 000223117
Article Type: Solution
Last Modified: 15 Mar 2024
Version: 1