Deployment Guide

The Dell Core Server and Compatibility Server cannot run simultaneously with the Server Configuration Tool. Stop the Core
Server service and Compatibility Server service in Services (Start > Run. Type services.msc) prior to starting the Server
Configuration Tool.
To launch the Server Configuration Tool, go to Start > Dell > Run Server Configuration Tool.
The Server Configuration Tool logs to C:\Program Files\Dell\Enterprise Edition\Server Configuration Tool\Logs.
Add New or Updated Certificates
You have a choice of which type of certificates to use - self-signed or signed:
Self-signed certificates are signed by their own creator. Self-signed certificates are appropriate for pilots, POCs, and so on. For
a production environment, Dell recommends public CA-signed or domain-signed certificates.
Signed (public CA-signed or domain-signed) certificates are signed by a public CA or a domain. For certificates that are
signed by a public certificate authority (CA), the certificate of the signing CA will, usually, already exist in the Microsoft
certificate store and therefore, the chain of trust is automatically established. For domain CA-signed certificates, if the
workstation has been joined to the domain, the signing CA certificate from the domain will have been added to the
workstation's Microsoft certificate store, thereby also creating a chain of trust.
The components that are affected by certificate configuration:
Java Services (for instance, Device Server and so on)
.NET Applications (Core Server)
Validation of smart cards used for Preboot Authentication (Security Server)
Importing of private encryption keys to be used for signing policy bundles being sent to Dell Manager. Dell Manager performs
SSL validation for managed Encryption clients with self-encrypting drives, or BitLocker Manager.
Client Workstations:
Workstations running BitLocker Manager
Workstations running Encryption Enterprise (Windows)
Workstations running Endpoint Security Suite Enterprise
Information regarding which type of certificates to use:
Preboot Authentication using smart cards requires SSL validation with the Security Server. Dell Manager performs SSL
validation when connecting to the Dell Core Server. For these types of connections, the signing CA must be in the keystore
(either the Java keystore or the Microsoft keystore, depending on which Dell Server component is being discussed). If
self-signed certificates are chosen, the following options are available:
Validation of smart cards used for Preboot Authentication:
Import the "Root Agency" signing certificate and full chain of trust into the Security Server Java keystore. The full chain
of trust must be imported.
Dell Manager:
Insert the "Root Agency" signing certificate (from the self-signed certificate generated) into the workstation's "Trusted
Root Certification Authorities" (for "local computer") in the Microsoft keystore.
The Security Management Server is compatible with the Microsoft requirement for LDAP channel binding and LDAP signing
when Active Directory is in use.
To enable this on the Security Management Server, the root issuing certificate for the domain controller certificates
must be imported into the "Trusted Root" store within the Microsoft Certificate Key Store.
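A check for the trust requirements described above (the signing CA in the workstation's "Trusted Root Certification Authorities" for "local computer", and the domain controller root issuing certificate in the "Trusted Root" store), as an added PowerShell example that is not part of the Dell guide. The function name Test-ServerCertTrust and the constructed sample certificate (CN=dell-server.example.test) are assumptions for illustration; it assumes PowerShell 7 on Windows, or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Dell's code. Test-ServerCertTrust is a hypothetical helper name.
function Test-ServerCertTrust {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # Build the chain in machine context so that roots trusted only for the
    # current user do not mask a root missing from the "local computer" store.
    $chain = [X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # offline check
    $built = $chain.Build($Certificate)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Look for the top certificate of the chain in LocalMachine\Root.
    $store = [X509Store]::new([StoreName]::Root, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadOnly)
    try {
        $hits = $store.Certificates.Find([X509FindType]::FindByThumbprint, $top.Thumbprint, $false)
    } finally {
        $store.Close()
    }

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Issuer           = $Certificate.Issuer
        SelfSigned       = ($Certificate.Subject -eq $Certificate.Issuer)  # subject equals issuer
        ChainBuilt       = $built
        TopOfChain       = $top.Subject
        TopInMachineRoot = ($hits.Count -gt 0)
        ChainStatus      = ($chain.ChainStatus.Status -join ', ')
    }
}

# Constructed sample input: an in-memory self-signed certificate.
# Nothing is written to any certificate store.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=dell-server.example.test', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))

Test-ServerCertTrust -Certificate $cert | Format-List

# To check an exported server certificate instead (the path is a placeholder):
# Test-ServerCertTrust -Certificate ([X509Certificate2]::new('C:\path\to\server.cer'))
```

A certificate whose signing CA has not been imported reports ChainBuilt as False and TopInMachineRoot as False; after the import into the local computer's Trusted Root store, both should report True.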
Modify the behavior of Server-side SSL validation. To turn off Server-side SSL trust validation, select Disable Trust Chain
Check on the Settings tab.
There are two methods to create a certificate - Express and Advanced.
Choose one method:
Express - Choose this method to generate a self-signed certificate for all components. This is the easiest method, but
self-signed certificates are appropriate only for pilots, POCs, and so on. For a production environment, Dell recommends public
CA-signed or domain-signed certificates.
Advanced - Choose this method to configure each component separately.
Post-Installation Configuration