
(12.06.100-en) Device Communication Certificates in the IGEL UMS

In the section Device Communication, you can manage certificates for the communication between the IGEL Universal Management Suite (UMS) and the devices. The preconfigured certificate, which has the Keystore alias "tckey", is used by default if no changes are made.

You can set a different certificate as default; if you do so, all newly registered devices will use this certificate, and already registered devices will replace their previously used certificate with the new default certificate.

No Support

Certificate chains and expired certificates cannot be imported. Certificates that use the MD5 algorithm are also not supported.


Menu path: UMS Administration > Global Configuration > Certificate Management > Device Communication

 

At an interval of 5 minutes, the UMS checks whether the certificate on the device and the default certificate are still identical.

If a device does not support the default certificate, the UMS checks for each certificate whether it is supported, starting from the top of the list. The first one that matches the requirements will be used. If no certificate matches, the device is not registered.

If you select a certificate in the area Device Communication, all devices which use this certificate are shown in the area Devices which use the selected certificate (<number>).

High Availability

If you are running the UMS in a High Availability (HA) network, be aware that any change to certificates (import of a key pair, generation of a new key pair, deletion, activation/deactivation of a certificate, change of a certificate's priority) automatically generates a new network token, and you will have to define a location in which the new network token should be stored. The changes are then synchronized automatically within the HA network; no restart of the IGEL RMGUIServer/igelRMserver services is required.

 

Restoring from a Backup

When restoring from a backup, check if certificates included in the backup differ from the certificates that are currently in use. If this is the case, all devices that have been registered before restoring will have to be registered again.

 

UMS Update

Certificates are not overwritten in the course of an update.

Possible Actions

- Import a certificate from a file.
The private key must be included in the file. The file path is provided under Keystore file, and the import password is entered under Keystore password. The certificate's signature algorithm is checked; if the signature algorithm is not supported by the UMS, the certificate is not imported.

Supported Signature Algorithms

The following signature algorithms are supported: SHA512withRSA, SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withDSA, and SHA1withDSA.

 

Using certificates with SHA1 signature algorithms is NOT recommended for security reasons.

 

Supported Keystore Types

The following keystore types are supported: JCEKS, JKS, PKCS#12, BKS-V1, BKS, UBER, and BCFKS.
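A pre-import check for a PKCS#12 keystore that applies the import rules above (private key included, no certificate chain, not expired, supported signature algorithm with MD5 rejected and SHA1 flagged). This is an added example, not IGEL code; it assumes `openssl` is on the path, and the algorithm list is an assumed mapping of the UMS names to the spellings that `openssl x509 -text` prints.

```shell
#!/bin/sh
# Pre-import check for a PKCS#12 keystore against the UMS rules on this page.
# Added example, not IGEL code. Assumes openssl is installed.
# Assumed mapping of the UMS-supported algorithms (SHA512/384/256/1 with RSA,
# SHA256/1 with DSA) to the names printed by "openssl x509 -text".
UMS_SUPPORTED_SIGALGS="sha512WithRSAEncryption sha384WithRSAEncryption sha256WithRSAEncryption sha1WithRSAEncryption dsa_with_SHA256 dsaWithSHA1"

# Usage: ums_cert_precheck <keystore.p12> <keystore password>
# Prints the first failing rule and returns 1, or prints OK and returns 0.
ums_cert_precheck() {
    ks="$1"; pw="$2"
    # Rule 0: the keystore must open with the given password (MAC check).
    openssl pkcs12 -in "$ks" -passin "pass:$pw" -noout >/dev/null 2>&1 \
        || { echo "REJECT: cannot open $ks (bad path or keystore password)"; return 1; }
    # Rule 1: the private key must be included in the file.
    keys=$(openssl pkcs12 -in "$ks" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
           | grep -c 'PRIVATE KEY' || true)
    [ "$keys" -ge 1 ] || { echo "REJECT: no private key in $ks"; return 1; }
    # Rule 2: certificate chains cannot be imported, so expect exactly one certificate.
    certs=$(openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys 2>/dev/null)
    n=$(printf '%s\n' "$certs" | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 1 ] || { echo "REJECT: $n certificates in $ks (chains are not supported)"; return 1; }
    # Rule 3: expired certificates cannot be imported (-checkend 0 fails once notAfter has passed).
    printf '%s\n' "$certs" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "REJECT: certificate in $ks is expired"; return 1; }
    # Rule 4: the signature algorithm must be in the supported list (MD5 is not).
    alg=$(printf '%s\n' "$certs" | openssl x509 -noout -text 2>/dev/null \
          | awk '/Signature Algorithm/ { print $3; exit }')
    case " $UMS_SUPPORTED_SIGALGS " in
        *" $alg "*) ;;
        *) echo "REJECT: unsupported signature algorithm '$alg' in $ks"; return 1 ;;
    esac
    # Importable, but flag the SHA1 case the page advises against.
    case "$alg" in
        sha1WithRSAEncryption|dsaWithSHA1) echo "WARN: $ks is signed with SHA1 ($alg); importable but not recommended" ;;
    esac
    echo "OK: $ks ($alg) passes the pre-import checks"
    return 0
}
```

Run it as `ums_cert_precheck keystore.p12 'password'` before using the Import action; a non-zero exit means the UMS would refuse the file for the reason printed.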

 

- Generate a new certificate.

- Delete the selected certificate.

Do not delete a certificate that is being used by a device; otherwise, the UMS will not be able to communicate with this device anymore.

 

- Move the selected certificate up in the list to increase its priority.

If you move the selected certificate to the top of the list, it will become the default certificate. The change of the default certificate is propagated to the devices in a background task of the UMS. This task replaces the certificate on all devices that are compatible with this certificate and runs every 5 minutes.

 

- Move the selected certificate down in the list to decrease its priority.

- Activate the selected certificate. When a certificate is activated, it can be used for communication between UMS and devices.

- Deactivate the selected certificate. A deactivated certificate will not be used when a new device is registered. If a certificate is deactivated while it is in use, communication between UMS and device is still possible. If only one certificate is active, it cannot be deactivated.

- Export the selected certificate.

- Export the key pair of the selected certificate.

- Show the content of the selected certificate.