Securing Access to the Web & Admin consoles with Let's Encrypt!

The Web & Admin consoles provide a simplified interface for performing common Commvault tasks. Each service pack release brings additional functionality allowing the Admin console to replace more of the day-to-day administration tasks.

HTTPS is used by default to secure the consoles; however, because the default certificate is self-signed, users are presented with the following:

[Screenshot: browser warning that the connection is not trusted]

Official documentation for the procedure outlined in this post can be found here. This guide focuses on using Let's Encrypt as the certificate authority and is better suited to lab environments, because the certificates expire after 3 months. I'm looking at ways to allow auto-renewal of the public certificates (as Let's Encrypt is designed to do); in the meantime this gives a good starting point.

Prerequisites

  • Commvault Commserve installed with web server.
  • ACMESharp powershell modules (installation covered in procedure section)
  • Internet access
  • Access to public DNS management (i.e. Route53)

Procedure – Obtain certificate

    1. First we need to install and configure ACMESharp. This will be used to request the certificate from LetsEncrypt. The steps included below are modified from the official quick start guide here. This post uses the manual method and as such the certificate is only valid for 3 months.
    2. Install the powershell modules using an elevated powershell window. You will be prompted twice, answer the 2 prompts with either “Y” or “A”.
      Install-Module ACMESharp
    3. Install the extension modules. Answer “A” when prompted for each of the extensions.
      Install-Module ACMESharp.Providers.AWS
      Install-Module ACMESharp.Providers.IIS
      Install-Module ACMESharp.Providers.Windows
    4. Enable the extension modules.
      Import-Module ACMESharp
      Enable-ACMEExtensionModule ACMESharp.Providers.AWS
      Enable-ACMEExtensionModule ACMESharp.Providers.IIS
      Enable-ACMEExtensionModule ACMESharp.Providers.Windows
    5. Verify the providers have been added correctly.
      Get-ACMEExtensionModule | select Name

      You should receive the following output:
      [Screenshot: Get-ACMEExtensionModule listing the AWS, IIS and Windows providers]

    6. Initialize the ACME vault as follows:
      Initialize-ACMEVault
    7. Register with Let's Encrypt.
      New-ACMERegistration -Contacts mailto:me@mydomain.com -AcceptTos
    8. Submit a new domain identifier. This is the DNS name you wish to secure.
      New-ACMEIdentifier -Dns myserver.example.com -Alias dns1
    9. You now need to prove you own the domain. The easiest way is to automate the process using IIS; unfortunately that requires port 80, which is already bound to the Tomcat service. The workaround I'm using is to prove ownership of the DNS name instead.
      Complete-ACMEChallenge dns1 -ChallengeType dns-01 -Handler manual
    10. Run the following command to retrieve the details needed to prove DNS ownership.
      (Update-ACMEIdentifier dns1 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}

      When you get a response similar to the following, you can continue to the next step.
      [Screenshot: dns-01 challenge output showing the TXT record name and token]

    11. Add the TXT record to your DNS as indicated in the challenge. For Route53 it would appear as follows:
      [Screenshot: Route53 TXT record entry for the challenge]
    12. Once you have completed the DNS entry, run the following to submit the challenge:
      Submit-ACMEChallenge dns1 -ChallengeType dns-01
    13. Run the following to check whether the challenge was successful.
      (Update-ACMEIdentifier dns1 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}

      If successful, you will be presented with the following:
      [Screenshot: challenge output with Status shown as valid]

    14. If the status is shown as valid (highlighted above) you can now request and retrieve your new certificate. It is possible to request a SAN (Subject Alternative Name) certificate at this point, however for this example we're sticking with a single name. Run the following two commands (the first references the identifier alias created in step 8):
      New-ACMECertificate dns1 -Generate -Alias cert1
      Submit-ACMECertificate cert1
    15. If almost all fields are populated in the response, the certificate is ready to be stored in the vault:
      Update-ACMECertificate cert1
    16. You can now export the certificate in PKCS#12 format:
      Get-ACMECertificate cert1 -ExportPkcs12 "C:\certs\cert1.pfx" -CertificatePassword 'myPassw0rd'
    17. Check to ensure the new pfx file is visible in the chosen location.
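The steps above, as an added example script (not part of the original post and not ACMESharp's own code) that runs the dns-01 flow end to end with the checks a practitioner would want: it waits until a public resolver actually returns the TXT record before submitting the challenge (a premature submit fails the challenge), polls the challenge and certificate status instead of relying on eyeballing the output, and verifies the exported PFX opens and reports its expiry. It assumes ACMESharp and its providers are installed and the vault initialised (steps 2 to 6). The host name, contact address, paths and password are placeholders; the `Challenge.RecordName`/`RecordValue` properties and the `IssuerSerialNumber` readiness check are assumptions about ACMESharp's object model, so adjust them if your version names them differently.

```powershell
# Added example: dns-01 issuance with ACMESharp, with readiness checks at each stage.
# Assumes ACMESharp is installed and the vault is initialised. All values are placeholders.
param(
    [string]$DnsName   = 'myserver.example.com',
    [string]$Contact   = 'mailto:me@mydomain.com',
    [string]$IdAlias   = 'dns1',
    [string]$CertAlias = 'cert1',
    [string]$PfxPath   = 'C:\certs\cert1.pfx',
    [string]$Resolver  = '8.8.8.8'   # a public resolver, so we see what Let's Encrypt will see
)

Import-Module ACMESharp

# Register once; ACMESharp throws if the vault holds no registration yet.
try { $null = Get-ACMERegistration -ErrorAction Stop }
catch { New-ACMERegistration -Contacts $Contact -AcceptTos | Out-Null }

# Reuse the identifier if this alias already exists, otherwise create it.
try { $null = Get-ACMEIdentifier $IdAlias -ErrorAction Stop }
catch { New-ACMEIdentifier -Dns $DnsName -Alias $IdAlias | Out-Null }

# Ask for the dns-01 challenge; the manual handler prints the TXT record to create.
Complete-ACMEChallenge $IdAlias -ChallengeType dns-01 -Handler manual | Out-Null
$challenge = (Update-ACMEIdentifier $IdAlias -ChallengeType dns-01).Challenges |
    Where-Object { $_.Type -eq 'dns-01' }
$recordName  = $challenge.Challenge.RecordName    # assumption: _acme-challenge.<DnsName>
$recordValue = $challenge.Challenge.RecordValue   # assumption: the token digest to publish
Write-Host "Create TXT record '$recordName' with value '$recordValue', then press Enter."
Read-Host | Out-Null

# Do not submit until the record is visible from outside; a premature submit fails the
# challenge and the identifier has to be recreated.
$seen = $false
for ($i = 0; $i -lt 30 -and -not $seen; $i++) {
    $txt  = Resolve-DnsName -Name $recordName -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue
    $seen = @($txt | ForEach-Object { $_.Strings }) -contains $recordValue
    if (-not $seen) { Start-Sleep -Seconds 20 }
}
if (-not $seen) { throw "TXT record $recordName not visible via $Resolver after 10 minutes." }

Submit-ACMEChallenge $IdAlias -ChallengeType dns-01 | Out-Null

# Poll until Let's Encrypt reports the challenge valid (or invalid).
do {
    Start-Sleep -Seconds 5
    $status = ((Update-ACMEIdentifier $IdAlias -ChallengeType dns-01).Challenges |
        Where-Object { $_.Type -eq 'dns-01' }).Status
} while ($status -eq 'pending')
if ($status -ne 'valid') { throw "dns-01 challenge for $DnsName ended in status '$status'." }

# Generate the key pair and CSR in the vault, submit it, then wait for issuance.
New-ACMECertificate $IdAlias -Generate -Alias $CertAlias | Out-Null
Submit-ACMECertificate $CertAlias | Out-Null
do {
    Start-Sleep -Seconds 5
    $cert = Update-ACMECertificate $CertAlias
} while (-not $cert.IssuerSerialNumber)   # assumption: populated once the signed cert is stored

# Export the PKCS#12 bundle Tomcat will load, then prove it exists and opens with the password.
$pfxPassword = Read-Host 'Password to protect the PFX'
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null
Get-ACMECertificate $CertAlias -ExportPkcs12 $PfxPath -CertificatePassword $pfxPassword | Out-Null
if (-not (Test-Path $PfxPath)) { throw "Export failed: $PfxPath not found." }
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)
Write-Host ("Exported {0}: subject {1}, issuer {2}, expires {3:yyyy-MM-dd} ({4} days left)" -f
    $PfxPath, $x509.Subject, $x509.Issuer, $x509.NotAfter, [int]($x509.NotAfter - (Get-Date)).TotalDays)
```

The `days left` figure is the number to watch: with the manual method used in this post the certificate is valid for roughly 90 days, so note the date and plan the re-run before it lapses.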

Procedure – Update Commvault configuration

The next stage is to instruct the web server to use the created certificate bundle as its certificate source.

  1. Stop the Commvault Tomcat process via Process Manager.
  2. Copy the pfx file created earlier to [programdrive]:\Program Files\Commvault\ContentStore\Apache.
  3. Edit conf\server.xml (Notepad++ is a good choice for this).
  4. The official documentation indicates that the default connector's redirect port should be adjusted; however, new installations should already be configured to redirect to 443. Either way, it should look like this:
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" server="Commvault WebServer" compression="on" noCompressionUserAgents="gozilla,traviata" compressionMinSize="500" compressableMimeType="text/html,text/json,application/json,text/xml,text/plain,application/javascript,text/css,text/javascript,text/js" useSendfile="false"/>
  5. Add a second connector, beneath the line you have just edited. This will reference the pfx file created earlier.
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" URIEncoding="UTF-8" maxPostSize="40960000" maxHttpHeaderSize="1024000" maxThreads="2500" enableLookups="true" SSLEnabled="true" scheme="https" secure="true" server="Commvault WebServer" compression="on" noCompressionUserAgents="gozilla,traviata" compressableMimeType="application/javascript,text/css,text/javascript,text/js" useSendfile="false">
     <SSLHostConfig certificateVerification="none" honorCipherOrder="true" protocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
     <Certificate certificateKeystoreFile="E:\Program Files\Commvault\ContentStore\Apache\cert1.pfx" certificateKeystorePassword="myPassw0rd" certificateKeystoreType="PKCS12"/>
     </SSLHostConfig>
    </Connector>
  6. You can test the certificate by visiting your web console using the web console button in the CommCell console; you'll still see the certificate error, but upon further inspection you should see the certificate issuer is Let's Encrypt. The next step is to adjust Commvault to use the public domain name to access the web console (ensure your internal DNS directs that name to the internal IP).
    [Screenshot: certificate details showing Let's Encrypt as the issuer]
  7. As described here, add the following additional setting to the CommCell:
    Name: WebConsoleURL
    Category: CommServDB.GxGlobalParam
    Type: String
    Value: https://hostname:port/webconsole/clientDetails/fsDetails.do?clientName=CLIENTNAME
    hostname:port should match the name you associated with the certificate.
  8. Restart the CommCell services. The web console link should now reference the new name.
  9. If you have a Windows shortcut to the Admin Console, its properties will also need adjusting to reflect the new link.
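Two checks around the server.xml edit and the test in step 6, as an added example (not from the original post and not Commvault's own tooling). `Test-TomcatKeystoreConfig` runs before Tomcat is restarted: it parses server.xml, finds the SSL connector on port 443, confirms the PFX it points at exists and opens with the configured `certificateKeystorePassword` (the password in server.xml must match the one given to `-CertificatePassword` at export, which is an easy mismatch to make), and flags TLSv1 and TLSv1.1 in the `protocols` list, since both are deprecated and the connector above enables them. `Test-ServedCertificate` runs after the restart: it connects to the console and reports the issuer, expiry, whether the served name matches the host you are connecting to, and which TLS versions the server will negotiate. Paths and the host name are placeholders.

```powershell
# Added example: validate the Tomcat TLS connector before restart, then probe it afterwards.
# Paths and host name are placeholders for your environment.

function Test-TomcatKeystoreConfig {
    param([string]$ServerXml = 'C:\Program Files\Commvault\ContentStore\Apache\conf\server.xml')
    [xml]$conf = Get-Content -Raw -Path $ServerXml
    # Tomcat nests connectors under <Server><Service>; comments in the file are ignored by the parser.
    $connector = @($conf.Server.Service.Connector) |
        Where-Object { $_.SSLEnabled -eq 'true' -and $_.port -eq '443' }
    if (-not $connector) { throw 'No SSLEnabled connector on port 443 found in server.xml.' }
    $hostCfg  = $connector.SSLHostConfig
    $keystore = $hostCfg.Certificate
    $result = [ordered]@{
        KeystoreFile    = $keystore.certificateKeystoreFile
        FileExists      = [bool](Test-Path -LiteralPath $keystore.certificateKeystoreFile)
        PasswordOpens   = $false
        # TLSv1 and TLSv1.1 are deprecated; list them so they can be removed from 'protocols'.
        LegacyProtocols = @($hostCfg.protocols -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -in 'TLSv1', 'TLSv1.1' })
    }
    if ($result.FileExists) {
        try {
            # Loading the PFX with the configured password is the same test Tomcat performs at start-up.
            $null = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $keystore.certificateKeystoreFile, $keystore.certificateKeystorePassword)
            $result.PasswordOpens = $true
        } catch { $result.PasswordOpens = $false }
    }
    [pscustomobject]$result
}

function Test-ServedCertificate {
    param([string]$HostName = 'myserver.example.com', [int]$Port = 443)
    $report = [ordered]@{ HostName = $HostName }
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
        $client = $null; $ssl = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Accept whatever the server presents here; the certificate is inspected explicitly below.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]$proto, $false)
            $report["Accepts$proto"] = $true
            if ($proto -eq 'Tls12') {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                $report.Subject     = $cert.Subject
                $report.Issuer      = $cert.Issuer      # should read Let's Encrypt after the change
                $report.NotAfter    = $cert.NotAfter
                $report.DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
                # GetNameInfo(DnsName) returns the first SAN DNS entry, or the CN when no SAN exists.
                $served = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
                $report.NameMatches = ($served -eq $HostName)
            }
        } catch {
            # Handshake refused for this protocol (or the client itself has it disabled).
            $report["Accepts$proto"] = $false
        } finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }
    [pscustomobject]$report
}

# Usage: run the first before starting Tomcat, the second once the console is back up.
Test-TomcatKeystoreConfig | Format-List
Test-ServedCertificate -HostName 'myserver.example.com' | Format-List
```

`NameMatches` is false when you browse by the internal host name rather than the name on the certificate, which is exactly the residual warning step 6 describes and the `WebConsoleURL` setting in step 7 resolves. `AcceptsTls` and `AcceptsTls11` reflect the client's own policy as well as the server's: on a host where Windows has those protocol versions disabled they report false regardless of the `protocols` attribute, so read them alongside `LegacyProtocols` from the first function.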
