5.6 Using the Security Checkup Results Viewer for Evaluation

The Security Checkup Results Viewer allows you to view results generated from policy template runs. For more information about reports and policy templates, see Section 4.0, Auditing Your IT Assets. Based on your Secure Configuration Manager console user account permissions, you can remotely audit your enterprise security by reviewing which assets are in compliance, out of compliance, or have an unknown compliance status for each policy template. In addition, you can review details from the Data View tab of the Report Viewer.

5.6.1 Implementing SSL and Digital Certificates

To ease implementation of the Secure Sockets Layer (SSL) protocol on the Web server, the setup program installs a demo security certificate. While the demo certificate allows you to configure your server, consider upgrading to a certificate provided by a certificate authority or creating a self-signed certificate. For example, VeriSign and Thawte are both certificate authorities that can provide valid, secure certificates.

Secure Configuration Manager provides the same demo certificate in every installation kit. Because the certificate is not unique, other people may share the same key and possibly eavesdrop on your encrypted traffic. If you do not want to immediately purchase a security certificate, create a self-signed certificate to eliminate the certificate uniqueness issue.

Whether you plan to install a purchased security certificate or want to permanently implement a self-signed certificate within your environment, you need to create an RSA key pair and a self-signed certificate. Secure Configuration Manager provides the required tools to complete these tasks.

Creating a Self‑Signed Security Certificate

The following procedure guides you through implementing a self-signed security certificate:

  • Creating a 2048-bit key pair

  • Creating a self-signed security certificate

  • Installing a self-signed security certificate

Secure Configuration Manager provides all the tools you need to quickly create both a 2048-bit key pair and your self-signed security certificate, and then install this certificate. After completing this procedure, you will have a unique and secure HTTPS site. You can then decide whether to purchase a certificate from a certificate authority or continue to use your own, self-signed certificate.

To create and install a server certificate key pair and self-signed certificate:

  1. Log on to the Core Services computer with an administrator account.

  2. Use Windows Explorer to open the etc folder. By default, you can locate the etc folder in:

    \Program Files\NetIQ\Secure Configuration Manager\Core Services\web\
    
  3. Delete the keystore.dat file.

  4. Use Windows Explorer to open the bin folder. By default, you can locate the bin folder in:

    Program Files\NetIQ\Secure Configuration Manager\Core Services\
    
  5. Double‑click sslkey.bat.

  6. Enter all requested information in lower case and refrain from using commas.

  7. Copy the self-signed certificate you created to the etc folder. By default, you can locate the etc folder in:

    \Program Files\NetIQ\Secure Configuration Manager\Core Services\web\
    
  8. On the Core Services computer, start the Core Services Configuration Utility in the NetIQ Secure Configuration Manager program folder.

  9. On the Web Services tab, update the key store and key passwords.

  10. Stop and restart the NetIQ Core Services service.

Installing a Purchased Security Certificate

Secure Configuration Manager can also implement a security certificate provided by a certificate authority. To install a purchased security certificate, complete the steps in the following sections.

NOTE: If you want to use VeriSign as your certificate authority, ensure that you request a Secure Site certificate for ApacheSSL. The Secure Site Pro certificate for ApacheSSL is not compatible with Secure Configuration Manager.

Creating a Certificate Signing Request

Secure Configuration Manager provides tools to create a certificate signing request that you submit to your certificate authority.

To create a certificate signing request:

  1. Ensure that you have created and installed a self-signed security certificate. For more information, see Creating a Self‑Signed Security Certificate.

  2. Log on to the Core Services computer with an administrator account.

  3. Click Start > Run, and then enter cmd.

  4. Use the cd command to navigate to the bin folder. By default, you can locate the bin folder in:

    Program Files\NetIQ\Secure Configuration Manager\Core Services\
    
  5. Enter sslkey request > request.txt.

  6. When your certificate authority asks you to provide your certificate signing request, open the request.txt file and copy the information into the appropriate form. You can often send the entire file to your certificate authority.

Installing a Purchased Certificate

Secure Configuration Manager also provides the tools to import the certificate you receive from your certificate authority. Ensure that you have read and understand the information provided by your certificate authority before installing your certificate.

NOTE: You can download an intermediate CA certificate from VeriSign.

To install the certificate provided by your certificate authority:

  1. Log on to the Core Services computer with an administrator account.

  2. Save a copy of your security certificate to the bin folder. If you received an intermediate CA certificate, save a copy of the intermediate CA certificate to the bin folder. By default, you can locate the bin folder in:

    Program Files\NetIQ\Secure Configuration Manager\Core Services\
    
  3. Click Start > Run, and then enter cmd.

  4. (Conditional) If you have purchased a VeriSign security certificate and received both an intermediate CA certificate and your purchased certificate, complete the following procedure:

    1. Use the cd command to navigate to the Secure Configuration Manager Core Services folder. By default, the Core Services folder is:

      Program Files\NetIQ\Secure Configuration Manager\Core Services\
      
    2. Enter the following command:

      Jre\bin\keytool -import -trustcacerts -file bin\IntermediateCACertificate.cer -keystore server\conf\keystore.dat -storepass secure
      

      where IntermediateCACertificate.cer is the name of the intermediate CA certificate.

    3. When prompted whether to trust this certificate, enter y.

  5. (Conditional) If you are unsure whether your certificate is encoded using the X.509 format or you receive an unsupported encoding error when attempting to install your certificate, complete the following procedure:

    1. Use Windows Explorer to open the bin folder. By default, you can locate the bin folder in:

      Program Files\NetIQ\Secure Configuration Manager\Core Services\
      
    2. Double-click the certificate you saved in Step 2.

    3. On the Certificate window, select the General tab, and then click Install Certificate.

    4. Complete the Certificate Import wizard. On the Certificate Store window, ensure that you click Place all certificates in the following store, and then use Browse to select the Other People certificate store.

    5. Start Internet Explorer.

    6. Click Tools > Internet Options.

    7. On the Internet Options window, select the Content tab, and then click Certificates.

    8. On the Certificates window, select the Other People tab and then select the certificate you installed in Step 5.b.

    9. Complete the Certificate Export wizard. On the Export File Format window, ensure that you check DER encoded binary X.509 (.CER).

  6. At the command prompt, use the cd command to navigate to the bin folder. By default, you can locate the bin folder in:

    Program Files\NetIQ\Secure Configuration Manager\Core Services\
    
  7. Enter sslkey import < NameOfCertificateFile.cer.
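
For the encoding check in Step 5, the following added example (not part of Secure Configuration Manager or its documentation) inspects a certificate file's bytes and reports whether they are PEM or DER encoded and whether they look like a single X.509 certificate. It goes beyond the procedure by also recognizing a PKCS#7 bundle; the function names and sample bytes are constructed for illustration.

```python
import base64
import re
import sys

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), tag and length included
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_body(data):
    """Contents of the outer DER SEQUENCE, or None if the framing is wrong."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    start, length = 2, data[1]                # short-form length
    if data[1] >= 0x80:                       # long form: next n bytes hold the length
        n = data[1] & 0x7F
        if not 1 <= n <= 4 or len(data) < 2 + n:
            return None
        start, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    # Reject truncated files and files with trailing bytes
    return data[start:] if start + length == len(data) else None

def classify_der(data):
    body = der_body(data)
    if body is None:
        return "unknown"
    if body.startswith(PKCS7_SIGNED_DATA):
        return "pkcs7"                        # certificate bundle, not a bare certificate
    # Heuristic: a certificate starts with the tbsCertificate SEQUENCE (so does a CSR)
    return "x509" if body[:1] == b"\x30" else "unknown"

def inspect_cert(data):
    """Return (encoding, content, der_bytes_or_None) for a certificate file's bytes."""
    m = PEM_BLOCK.search(data)
    if not m:
        kind = classify_der(data)
        return ("der", kind, data) if kind != "unknown" else ("unknown", kind, None)
    try:
        der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:
        return ("pem", "corrupt", None)
    return ("pem", classify_der(der), der)

# Constructed stand-ins with correct DER framing; these are not real certificates.
SAMPLE_DER = bytes.fromhex("3006300402020001")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(inspect_cert(raw)[:2])
```

A result of `('der', 'x509')` matches the DER encoded binary X.509 format that Step 5 asks for; for a PEM file, the third element returned by `inspect_cert` holds the decoded DER bytes.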

Viewing Your Installed Security Certificate

You can use the sslkey tool provided with Secure Configuration Manager to view your security certificate.

To view your security certificate:

  1. Log on to the Web server with an administrator account.

  2. Click Start > Run, and then enter cmd.

  3. At the command prompt, use the cd command to navigate to the bin folder. By default, you can locate the bin folder in:

    Program Files\NetIQ\Secure Configuration Manager\Core Services\
    
  4. Enter sslkey list.

  5. Review the information displayed and ensure that it is correct.
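
Because every installation kit ships the same demo certificate (see Section 5.6.1), a server that still presents it can be found by comparing certificate fingerprints across Core Services computers. The following added example, which is not part of Secure Configuration Manager, does that; the host names and sample bytes are constructed, and the demo fingerprint is assumed to be one you record yourself from an untouched installation.

```python
import hashlib
import ssl
import sys
from collections import defaultdict

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_der(host, port=8044):
    """Fetch the certificate a server presents, without validating it (inspection only)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

def audit(certs_by_host, demo_fingerprints=()):
    """Label each host 'demo', 'shared' or 'unique' by the certificate it serves."""
    hosts_by_fp = defaultdict(list)
    for host, der in certs_by_host.items():
        hosts_by_fp[fingerprint(der)].append(host)
    result = {}
    for fp, hosts in hosts_by_fp.items():
        if fp in demo_fingerprints:
            label = "demo"        # matches a fingerprint recorded from a fresh install
        elif len(hosts) > 1:
            label = "shared"      # same certificate, and so the same key, on several hosts
        else:
            label = "unique"
        for host in hosts:
            result[host] = label
    return result

# Constructed byte strings standing in for DER certificates; host names are hypothetical.
SAMPLE = {"scm-core-01": b"kit-demo", "scm-core-02": b"kit-demo",
          "scm-core-03": b"site-a", "scm-core-04": b"site-b", "scm-core-05": b"site-b"}
SAMPLE_DEMO = {fingerprint(b"kit-demo")}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    certs = {h: fetch_der(h) for h in hosts} if hosts else SAMPLE
    for host, label in sorted(audit(certs, () if hosts else SAMPLE_DEMO).items()):
        print(host, label)
```

A certificate you deliberately installed on more than one server is also reported as shared.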

5.6.2 Logging in to the Security Checkup Results Viewer

You can launch the Security Checkup Results Viewer from the Secure Configuration Manager console task pane, or from any computer running Internet Explorer. The task pane provides access to common tasks you might want to perform in the Secure Configuration Manager console. For quick and easy access, add the Security Checkup Results Viewer URL to the Favorites list of your browser. To access the Security Checkup Results Viewer, your console user account needs the Access Security Checkup Results Viewer permission. For more information, see Section 3.6, Managing Permissions.

To log in to the Security Checkup Results Viewer remotely:

  1. Start Internet Explorer.

  2. Specify the following URL, where hostcomputer is the name of the Core Services computer:

    https://hostcomputer:8044

    The URL specified uses the default port number. You can configure the Security Checkup Results Viewer to use a different port. For more information, see Section 5.7.1, Configuring Web Services.

  3. Specify the name and password of your console user account.

  4. Click Log In.

5.6.3 Filtering the Security Checkup Results Viewer

Secure Configuration Manager console administrators can filter the Security Checkup Results Viewer to display results from only specified policy templates.

To filter results:

  1. From the Security Checkup Results Summary page, click Filtering.

  2. In the Available list, select the policy templates for which you want to see results.

  3. Click the right arrow to move the templates to the Selected list.

  4. Select Show only Templates Listed under Selected.

  5. Click Save and Close.