Heartbeat Certificates¶
Lantronix uses certificates to create a secure connection between the Local Manager and the Control Center. Default certificates are provided, but they can be replaced if desired.
Previously, modifying heartbeat certificates was limited to systems running FIPS. As of LMS 6.3, this feature is available on all systems.
Step 1 - Generate Heartbeat Certificate Signing Request¶
Log into your Control Center and become root.
Run /uplogix/embassy/scripts/generateCertificateSigningRequest.sh and fill in the prompts. Use the hostname or IP address of the Control Center as the Common Name, and enter the same value at the SAN (host or IP) prompt. Local Managers check the name they are configured to reach the Control Center at (the Hostname or IP set with config system management) against the server's certificate; a name that is not covered by the certificate is reported as a heartbeat SSL failure (see Step 5). If some Local Managers connect by IP address and others by hostname, both values must be in the certificate.
[emsadmin@vCC ~]$ /uplogix/embassy/scripts/generateCertificateSigningRequest.sh
Initializing crypto.
Common Name: uplogixcontrolcenter92910.uplogix.com
Organizational unit: Lantronix-Heartbeat
Organization: Lantronix
City: Austin
State/Province/Region: Texas
2-letter country code: US
Country code 'US' is United States.
Email address (optional):
Other Attributes:
SAN (host or IP):
Generate? (y/n): y
Generating new 2048-bit key pair.
-----BEGIN NEW CERTIFICATE REQUEST-----
Loremipsum...[certificate request content] ...
-----END NEW CERTIFICATE REQUEST-----
Step 2 - Sign the Certificate¶
Copy the output of the script and send it to your certificate authority for signing.
Step 3 - Import the Signed Certificate¶
CC: Administration > Certificates
Once you have received the signed certificate, import it using the Control Center web interface.
Log into the Control Center as a user with admin privileges on the server resource. Select the Administration tab and then Certificates to display the Heartbeat Certificate Management details.
Click Add.
Paste the contents of the signed certificate.
Click Save.
The certificate will be displayed as a "Staged Heartbeat Certificate."
Wait for each Local Manager to get a copy of the staged certificate. You may need to refresh the web browser to update the status. In the example above, clicking the link “2 of 2” will display the status of the staged heartbeat certificate on the Local Managers.
Not every Local Manager will necessarily receive the Staged certificate: some may be offline for long periods because of maintenance or connectivity problems. Any Local Manager that does not hold a copy of the Staged certificate will lose contact with the Control Center as soon as the server restarts with the new certificate. Do not proceed to Step 4 until the count includes every Local Manager you can reach, and plan to update the remaining ones manually from their CLI as described in Step 5 - Update Local Managers.
Step 4 - Activate and Restart Control Center¶
Next, you will activate and restart the Control Center.
During activate and restart, the Staged certificate will replace the Active certificate. The previously Active certificate will be deleted. This operation cannot be undone.
On the Certificates page, click Activate and Restart Control Center.
Wait for the Control Center to complete the operation and restart.
When the Control Center restarts, all connections will be dropped. All logged in users will need to re-authenticate after the server comes back up. Consider planning the downtime and setting an Announcement Banner or Send Email to notify users of the restart.
Step 5 - Update Local Managers¶
Any Local Manager that has not received a copy of the Staged certificate will no longer be able to communicate with the Control Center after a server restart. You can resolve this issue by updating the heartbeat certificate manually on each Local Manager using their CLI.
If you log into any Local Manager that did not receive the Staged certificate, you will see a Heartbeat alarm like the following:
Warning: The system is not communicating with the management server.
- Heartbeat SSL failure. ((-8157) Certificate extension not found.)
or
Heartbeat SSL failure. ((-8157) Certificate extension not found.)
Heartbeat SSL failure. (requested domain name does not match the server's certificate.)
To restore functionality, each Local Manager reporting this alarm needs to be updated with the new certificate. There are two manual ways to do this.
Option 1 - config system management¶
Log into the Local Manager and run config system management. Press Enter to accept the existing settings. Before asking you to commit the changes, the Local Manager connects to the Control Center and compares the certificate it presents with the one it has stored. If they differ, the new certificate is displayed and you are asked whether to trust it. The Local Manager cannot verify this certificate on its own at that point, so before answering y compare the Subject, Issuer, validity dates and Fingerprint shown with the certificate you imported in Step 3; accepting an unverified certificate here would let anyone able to intercept the connection impersonate the Control Center.
[admin@LantronixLM]# config system management
--- Existing Values ---
Use Management Server: yes
Hostname or IP: 10.20.30.1
Port: 8443
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: 07/08/2022 14:49:13 GMT (Full)
Change these? (y/n) [n]: y
--- Enter New Values ---
Use Management Server (y/n/auto) [y]:
Hostname or IP [10.20.30.1]:
Port [8443]:
Heartbeat interval (seconds) [30]:
Heartbeat during [all]:
Connecting to 10.20.30.1:8443
TCP connection established.
The following certificate was returned by the server.
Certificate:
Version: 3
Subject: CN=uplogixcontrolcenter923919.uplogix.com, OU=hb, O=Lantronix, L=Austin, ST=Texas, C=US
Issuer: CN=Lantronix OMG BBQ
Serial Number: --REMOVED--
Valid From: 06/21/2020 21:09:20 UTC
Valid To: 09/23/2084 21:09:20 UTC
Fingerprint: DwEiuYN--REMOVED--(#)ADJFBN
Algorithm: SHA256withRSA
Key Usage: digital_signature, key_encipherment
Extended Usage: server_auth
-----BEGIN CERTIFICATE-----
Loremipsum...[certificate content] ...
-----END CERTIFICATE-----
Do you trust this certificate? (y/n) [n]: y
Do you want to commit these changes? (y/n): y
Once the new certificate is trusted and accepted, heartbeat communication will resume, and the alarms should clear.
Option 2 - install new certificate manually¶
For a more direct approach, you can use the config system crypto certificate management command to paste in the certificate.
[admin@LantronixLM]# config system crypto certificate management
** Only one certificate is allowed for a management server. **
** Entering a new certificate here without updating the management server **
** first will prevent the system from communicating with the management **
** server. **
Proceed? (y/n) [n]: y
Type 'exit' on a line by itself to exit.
[config sys crypto cert management]#
Loremipsum...[certificate content]...
[config sys crypto cert management]# exit
Once the new certificate is installed, heartbeat communication will resume and the alarms should clear.
Installation Complete¶
Once all Local Managers are communicating with the Control Center without errors or alarms, installation of the custom heartbeat certificate is complete.
Automating Certificate Installation¶
Caution
Advanced scripting ahead. Please read this section completely and contact Lantronix Support with any questions before attempting.
The script below can be used to automate the task of logging into each system included in the script, running the config system crypto certificate management command to paste in the new certificate, and exiting.
To use this script, you will need:
- A user who can authenticate using SSH keys to bypass interactive login
- A user who is allowed to run config system crypto certificate management
- A list of Local Manager IP addresses that didn't receive a copy of the staged certificate
- Either the SSH host key of each of those Local Managers recorded in that user's known_hosts file, or acceptance of the fact that the script as written disables host key verification for these connections
Copy and paste the following script into a file on your Control Center.
#!/bin/sh
set -e   # abort on unexpected errors; the ssh step below catches its own failure
set -x   # echo every command so the run can be reviewed afterwards

# Local Managers that did not receive the staged certificate
IPS="10.10.10.1 10.10.10.2 10.10.10.3"

for ip in $IPS; do
  echo "$ip"
  # BatchMode=yes makes ssh fail instead of prompting for a password when key
  # authentication does not work. The two known-hosts options accept ANY host key,
  # so the identity of the remote Local Manager is not verified on this connection.
  # The heredoc replays the Option 2 session: command, confirmation, certificate,
  # exit, logout, and the final n.
  ssh -o BatchMode=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no USERNAME@"$ip" <<EOF || echo $?
config sys crypto cert man
y
-----BEGIN CERTIFICATE-----
Loremipsum...[certificate content] ...
-----END CERTIFICATE-----
exit
logout
n
EOF
done
Modify the list of IPS, USERNAME, and the certificate text before saving.
Once saved, make the script executable.
When run, the script connects to each Local Manager IP in the list over SSH, sends the commands, and exits; update the IP list and the certificate text whenever you need to run it again. Because the script disables SSH host key checking, it will talk to whatever answers at each address and paste the certificate into it; run it only from a network position where those addresses cannot be spoofed, or record each Local Manager's host key in known_hosts first and change the two host-key options to -o StrictHostKeyChecking=yes. The certificate in the heredoc must be the same one imported in Step 3; as the warning printed by config system crypto certificate management states, installing a different certificate stops the Local Manager from communicating with the Control Center.
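A hardened variant of the automation above, added here as an example and not a Lantronix script: it keeps SSH host key verification on, reads the Local Manager list from a file, refuses a certificate file that does not contain exactly one PEM certificate (the management-server slot accepts only one, and any extra text would be pasted into the CLI), sends only the certificate block, and reports a per-host result instead of a bare exit code. It assumes the same prerequisites as the page's script plus a known_hosts file that already holds every Local Manager's host key; the LM_SSH variable, the file names and the sample hosts are assumptions added so the loop can be exercised without real devices.

```shell
#!/bin/sh
# Added example, not a Lantronix script: push one heartbeat certificate to a list of
# Local Managers while keeping SSH host-key verification ON. Assumptions: USERNAME
# logs in with an SSH key and may run "config system crypto certificate management",
# and every Local Manager's host key is already in KNOWN_HOSTS. LM_SSH (the ssh
# executable to use) exists only so the loop can be tested against a stand-in.

# pem_cert_count FILE -> number of PEM certificate blocks in FILE (0 if unreadable)
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null) || :
    echo "${n:-0}"
}

# lm_cert_commands FILE -> the exact CLI input to feed a Local Manager, replaying the
# Option 2 session above. Fails unless FILE holds exactly one certificate.
lm_cert_commands() {
    cert=$1
    if [ "$(pem_cert_count "$cert")" -ne 1 ]; then
        echo "refusing $cert: expected exactly one PEM certificate" >&2
        return 1
    fi
    printf '%s\n' 'config sys crypto cert man' 'y'
    # send only the certificate block, not bag attributes or an appended CA chain
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$cert"
    printf '%s\n' 'exit' 'logout' 'n'
}

# push_cert_to_lms CERTFILE HOSTFILE USERNAME KNOWN_HOSTS
#   HOSTFILE lists one Local Manager per line; text after '#' is ignored.
#   Prints a per-host result; returns 0 only if every host succeeded.
push_cert_to_lms() {
    cert=$1; hosts=$2; user=$3; known=$4; failed=0
    input=$(lm_cert_commands "$cert") || return 1
    for ip in $(sed 's/#.*//' "$hosts"); do
        # StrictHostKeyChecking=yes: refuse unknown or changed host keys instead of
        # pasting the certificate into whatever answers at the address.
        if printf '%s\n' "$input" | "${LM_SSH:-ssh}" \
                -o BatchMode=yes \
                -o StrictHostKeyChecking=yes \
                -o UserKnownHostsFile="$known" \
                -o ConnectTimeout=15 \
                "$user@$ip" >/dev/null 2>&1; then
            echo "$ip: certificate installed"
        else
            echo "$ip: FAILED (ssh exit status $?)" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage: sh push_heartbeat_cert.sh signed.crt lm-hosts.txt USERNAME ~/.ssh/known_hosts
if [ $# -eq 4 ]; then
    push_cert_to_lms "$1" "$2" "$3" "$4"
fi
```

Hosts that fail (offline, host key missing from known_hosts, key authentication refused) are listed on stderr and can be retried later with a shorter host file; the ones that succeeded should clear their Heartbeat alarm on the next heartbeat, which you confirm the same way as after Option 2.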