Certificate-Based Console and Monitor Authentication

We at ControlUp care about your security. Our latest security feature, Advanced Authentication, implements certificate-based authentication. This mechanism allows connections only from and between Real-Time Consoles and ControlUp Monitors that have the organization's certificate configured. You can either generate a self-signed certificate within the ControlUp Console or use a third-party certificate to authenticate ControlUp Monitors and Consoles to the ControlUp cloud backend.


How Authentication Works with Advanced Authentication

Advanced Authentication is used to securely identify and authenticate the ControlUp components that log into the ControlUp backend: your Real-Time Consoles and the monitors. The organization owner must configure a certificate in the Real-Time Console, either by generating a self-signed certificate or by using a third-party certificate.

The certificate that you configure is dedicated to your organization and stored in the local Certificate Store on the console machine on which the organization owner created the certificate. Once you configure a certificate for your ControlUp organization, the console automatically distributes the private certificate to all monitors in your ControlUp environment and a public certificate is sent to the ControlUp backend in the cloud. 

It's important to understand that if the configured certificate is missing on a console machine, it is not possible to connect to your ControlUp organization from that particular machine. In this case, you have to manually apply the new certificate to this machine to allow the Console to connect to your ControlUp environment. This is explained in the Distribute the New Certificate to Consoles and Assign Read Permissions to Console Users sections.

Prerequisites

  • ControlUp Version 8.5.1 or higher. On-premises versions do not include this feature.
  • A ControlUp organization owner who has local admin rights on the console machine where you enable Advanced Authentication. 
  • A valid certificate. Needed only if you want to use a third-party certificate.

Certificate Information

  • Version: X.509v3
  • Serial number: a random number between 1 and 9223372036854775807
  • CN=controlupcert
  • O=ControlUp
  • Expiry Date: 5 years after the creation date of the certificate

The certificate is signed with RSA over a SHA-256 hash of the certificate data (signature algorithm sha256RSA).
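As an added example (not code from this article or from ControlUp), the following PowerShell function checks that the certificate in the local machine store matches the properties listed above and reports how much of the 5-year validity is left. It assumes the store location shown later in this article (certlm.msc > Personal > Certificates); the function name and the 90-day warning threshold are assumptions.

```powershell
# Added example, not ControlUp's code: verify the Advanced Authentication certificate
# in the local machine store against the properties listed above and warn before
# the 5-year validity runs out. The store location is the one this article shows
# (certlm.msc > Personal > Certificates); the 90-day warning threshold is an assumption.
function Test-ControlUpAuthCertificate {
    param([string]$CommonName = 'controlupcert', [int]$WarnDays = 90)
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo($simple, $false) -eq $CommonName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with CN=$CommonName in LocalMachine\My; this console cannot connect."
        return $null
    }
    $ok = $true
    # Subject organisation and X.509 version, as documented above
    if ($cert.Subject -notmatch '(^|, )O=ControlUp(,|$)') { Write-Warning "Unexpected subject: $($cert.Subject)"; $ok = $false }
    if ($cert.Version -ne 3) { Write-Warning "Unexpected X.509 version $($cert.Version)"; $ok = $false }
    # Signature: SHA-256 hash signed with RSA (OID 1.2.840.113549.1.1.11, shown as sha256RSA)
    if ($cert.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.11') {
        Write-Warning "Unexpected signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"; $ok = $false
    }
    # Without the private key the console/monitor cannot prove its identity
    if (-not $cert.HasPrivateKey) { Write-Warning 'Private key is missing from the store'; $ok = $false }
    # Expiry is 5 years after creation (see above); track it so the certificate can be renewed in time
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) { Write-Warning "Certificate expired on $($cert.NotAfter)"; $ok = $false }
    elseif ($daysLeft -lt $WarnDays) { Write-Warning "Certificate expires in $daysLeft days, on $($cert.NotAfter)" }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint; Issuer = $cert.Issuer; NotBefore = $cert.NotBefore
        NotAfter   = $cert.NotAfter;   DaysLeft = $daysLeft;   HasPrivateKey = $cert.HasPrivateKey; Healthy = $ok
    }
}
Test-ControlUpAuthCertificate
```

Run it on a console or monitor machine; a `Healthy` value of `$false` together with the warnings tells you which of the documented properties does not hold.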

Create a Self-Signed Certificate

You can create a self-signed X.509 certificate from the Real-Time Console. In this section, we show you how to create a certificate and how it is used within ControlUp. Only the user with organization owner permissions can create a certificate. 

To create a self-signed certificate:

  1. Open the Real-Time Console and right-click your organization.
  2. Select Organization Properties. The Organization Properties dialog appears.
    OrganizationProperties.png 
  3. Click the Advanced Authentication button.
    OrganizationProperties_AdvancedAuthentication.png
  4. In the Advanced Authentication Setup, mark the Enable Advanced Authentication checkbox (1). This activates two buttons for selecting a certificate, Generate and Browse (2). 
    Buttons.png
  5. Click Generate to create a new certificate. Once the certificate is created, the Certificate Details pane is populated with the Issuer, the organization that the certificate is issued to, and the creation date of the certificate. 
    Self-Signed_Certificate.png
  6. Click Apply to create the certificate file. Click OK to confirm the warning message.
    WarningMessage.png

    Important: A rollback to basic authentication is not possible once you confirm the warning message. Be aware of that when you activate Advanced Authentication.

  7. To see the new certificate, open the Certificate Manager on the console machine. Select Run from the Start menu, enter certlm.msc, and navigate to Personal > Certificates, where the certificate you just created is listed.

Certificates.png

Note: The new private certificate is automatically distributed to all monitors in your organization, but not to the other machines where the ControlUp Consoles are installed.

Distribute the New Certificate to Consoles

In the previous section, you created and configured a self-signed certificate that is now used for the communication between your monitors and the Real-Time Console from where you generated the certificate. As already mentioned, the new certificate is distributed only to the monitors and not to the other Real-Time Consoles. You must distribute the certificate to all machines from where a Real-Time Console connects to your organization. 

Note: Ensure that you exported the certificate with its private key (.pfx file), either from the console or from the monitor machine. For more information on exporting a PFX file, refer to this article.

There are two ways to distribute the pfx file to other console machines: you can perform the steps manually, or you can use our PowerShell script attached to this article. If you choose the manual way, you must import the certificate on every console machine and set read permissions for all non-admin users on each of those machines. If you want our PowerShell script to perform both steps automatically, refer to the Distribute the Certificate and Assign Read Permissions via PowerShell section.

Manual Distribution of the Certificate

To distribute the certificate manually:

  1. On each Real-Time Console machine, open the local certificate store. Run mmc > Add/Remove Snap-in > Certificates > Add.
    In the Certificates snap-in wizard, select Computer account > Next > Local computer: (the computer this console is running on) > Finish.
  2. Right-click the Personal folder (1) > All Tasks (2) > Import… (3)
    Import.png
  3. In the Certificate Import Wizard, make sure that Local Machine is checked. Click Next to continue with the import.
    ImportCertificateManager.png
  4. Browse the certificate file and open it.
    SelectCertificate.png
  5. Enter the password for the certificate (1) and select Mark this key as exportable (2). Click Next to continue.
    UsePassword.png
  6. Select Place all certificates in the following store and click Next.
    PlaceCertificates.png
  7. Review the Import Summary and click Finish.
    Review.png
  8. Once the import is finished, this popup appears.
    ImportSuccessfull.png
  9. Check the imported certificate under Personal > Certificates.
    CertificateIsHere.png
  10. Assign the necessary read permission for all Real-Time Console users, as described in the next section.

Assign Read Permissions to Console Users

Any user that needs to use the Real-Time Console must have read permissions to the certificate that you configured in the section above. By default, only users with administrator rights on the Real-Time Console machine can access the Console without manually modifying permissions. 

If a non-admin user without read permissions on the certificate tries to connect to the Console, this popup appears upon login.

NotEnoughPermissionsToConnecToConsole.png

To set read permissions to the certificate manually:

  1. Select Run from the Start menu, and enter certlm.msc
  2. In the Certificate Store, browse to the certificate that was created for your organization, right-click the certificate and select All Tasks > Manage Private Keys …
    ManagePrivateKeysOK1.png
  3. In the permissions wizard, click Add...
    AddUser.png
  4. Enter the username for which the permission to the certificate should be applied. Confirm by clicking OK.
    CopUser1.png
  5. Make sure that you select the correct user. Under Read, click the Allow checkbox and confirm by clicking Apply > OK.
    ReadOnly.png
  6. Start the Real-Time Console as the user to whom you just granted the permission.
  7. Select the organization in the Select a ControlUp organization list and click Continue. The Real-Time Console connects to the selected organization.  
    SelectOrganization.png
    If everything was set up correctly, the main screen of the Real-Time Console appears. 
    Console.png
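One way to script steps 2 to 5 above for one or more users, as an added example that is neither the script attached to this article nor a description of what that script does: it grants Read on the private key file behind the certificate, which is what Manage Private Keys does by hand. The function name is hypothetical; it assumes the certificate is in LocalMachine\My with CN=controlupcert and that its key is held by the Microsoft software CSP or KSP, whose default machine key directories it searches.

```powershell
# Added example, not the script attached to this article: grant users or groups Read
# access to the private key file behind the Advanced Authentication certificate, which
# is what "Manage Private Keys" in certlm.msc does by hand. Assumes the certificate sits
# in LocalMachine\My with CN=controlupcert (from this article) and that its key is held
# by the Microsoft software CSP or KSP, whose machine key directories are used below.
function Grant-CertPrivateKeyRead {
    param(
        [Parameter(Mandatory)][string[]]$Allow,   # e.g. 'testdomain.local\copuser1'
        [string]$CommonName = 'controlupcert'
    )
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.GetNameInfo($simple, $false) -eq $CommonName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$CommonName and a private key in LocalMachine\My" }

    # Find the key file: CAPI keys (RSACryptoServiceProvider) live under RSA\MachineKeys,
    # CNG keys (RSACng) under Crypto\Keys. UniqueName is occasionally already a full path.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } else { throw "Unsupported private key type: $($rsa.GetType().FullName)" }
    $keyPath = if ([System.IO.Path]::IsPathRooted($name)) { $name } else { Join-Path $dir $name }
    if (-not (Test-Path -LiteralPath $keyPath)) { throw "Key file not found: $keyPath" }

    $acl   = Get-Acl -LiteralPath $keyPath
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($user in $Allow) {
        # Translate to a SID first: an unknown account fails here instead of leaving a broken ACE
        $sid = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier])
        $has = $rules | Where-Object { $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights.HasFlag($read) }
        if ($has) { Write-Verbose "$user already has Read on $keyPath"; continue }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')))
        Write-Verbose "Granting Read on $keyPath to $user"
    }
    Set-Acl -LiteralPath $keyPath -AclObject $acl
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; KeyFile = $keyPath; Allowed = $Allow }
}
# Mirrors the -allow values used in this article's script call:
Grant-CertPrivateKeyRead -Allow 'testdomain.local\copuser1', 'testdomain.local\Domain Users' -Verbose
```

Run it in an elevated PowerShell session on the console machine; only Read is granted, so the listed users can use the key but not export or delete it.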

Distribute the Certificate and Assign Read Permissions via PowerShell

If you want to distribute the certificate to specific console machines in your organization and to set the read permissions for non-admin users on those machines, then you can use our PowerShell script to perform both actions automatically. 

To distribute the certificate to console machines and set read permissions via PowerShell:

  1. Download the script attached and place it onto the console machine where you saved the pfx file that you want to distribute. 
  2. Copy the path of the pfx file. You need the path when you execute the PowerShell script. 
  3. Create a new text file that contains the machine name(s) to which you want to distribute the certificate file (your console machines). Put one machine name per line and make sure that no line ends with a trailing space.
    MachineNames.png
  4. Open your favorite PowerShell IDE and run the script:
    & '.\Assign auth certificates to CU.ps1' -certificatePath C:\temp\mycert.pfx -Verbose -clearTextPassword "mypassword01" -copyCertificateLocally -computersfile C:\Scripts\DistributionScript\cucertmachines.txt -allow "testdomain.local\copuser1", "testdomain.local\Domain Users"

    Input parameters:
      • -certificatePath: the path where the pfx file is located.
      • -Verbose: activates verbose output in the terminal, which gives you an overview of the script's progress.
      • -clearTextPassword: the password of the private key file.
      • -copyCertificateLocally: used for manually copying the certificate.
      • -computersfile: the text file that contains the machine names to which the pfx file will be distributed.
      • -allow: a comma-separated list of domain users or domain groups to which read permissions are granted.
  5. Check the verbose output of the script execution. The screenshot below indicates the successful execution of the script (0 failures out of X Computers). 
    ScriptOutcome.png
  6. Log into a console machine to which you distributed your certificate and open the Real-Time Console. Local admins, and the non-admin users you listed in the -allow parameter, are now able to open the Real-Time Console.

Use a Third-Party Certificate

Instead of creating a self-signed certificate, you can also use a third-party certificate.

To import a third-party certificate:

  1. Follow steps 1-4 from the Create a Self-Signed Certificate section.
  2. In the Advanced Authentication Setup, click Browse.
    Authentication_Browse.png
  3. In the Certificate Selection wizard, open the certificate you want to import. The certificates displayed here are taken from the Certificate Store on the local machine. Click OK to confirm the selection. 
    CertificateSelection.png
  4. Click Apply and confirm the warning. Once the import completes, the certificate is exported to the organization settings. 
    Warning.png

    Important: A rollback to basic authentication is not possible once you confirm the warning message. Be aware of that when you activate Advanced Authentication.

  5. All Monitors assigned to the organization are now restarted and the new certificate is applied to them. You can verify a successful upload by opening the Certificate Store on a Monitor machine:
    NewImportedCertificate.png
  6. Verify that the Monitors are online. Click Monitoring Status and see if the Monitors are marked with a green status icon. 
    MonitorOKGesamt.png
  7. Import the new certificate to each console machine. Follow the steps in the Distribute the New Certificate to Consoles section. 
  8. Make sure that the certificate is configured with read permissions for all non-admin users on the console machines. Follow the instructions in the Assign Read Permissions to Console Users section. 