Update Server Trust Mode Window


Use this window to set the server certificate trust mode, which specifies how all the servers in your ExtremeCloud IQ Site Engine deployment handle certificates received from other servers. Access this window from the Administration > Certificates tab.

Depending on your deployment, there can potentially be many servers in ExtremeCloud IQ Site Engine and ExtremeControl. For example, there is the ExtremeCloud IQ Site Engine server, the ExtremeControl engine servers, and ExtremeControl assessment servers. In addition, there can be external servers such as LDAP servers with which both ExtremeCloud IQ Site Engine and ExtremeControl can communicate. As these different servers communicate, they use server certificates to determine whether or not they trust each other.

The trust mode is used to specify how the servers handle the certificates they receive from other servers. You can set the trust mode to one of the following options:

All server certificates are accepted.
All certificates from other servers are accepted without a trust check, so this mode provides no protection against a spoofed server. It is primarily used while setting up an ExtremeCloud IQ Site Engine/ExtremeControl deployment, and is also suitable when the network is sufficiently protected from spoofing attacks.

Use this mode when troubleshooting trust problems on the network. It allows the ExtremeCloud IQ Site Engine server to communicate with all ExtremeControl engines and to configure those engines to accept all certificates. This restores any communication broken by a trust issue and lets you resolve the problem from ExtremeControl.

If this option is selected, the Administration > Certificates tab displays the Trust Mode status (for example, TRUSTALL) and its definition in the details field to the right of the Update button.
All server certificates are accepted and recorded.
All certificates from other servers are accepted without a trust check. Additionally, each server records the certificate that it receives and associates that certificate with the sending server. In this way, each server builds its own set of recorded certificates, which becomes the list of certificates it trusts.

Use this mode initially, until every server has recorded the complete set of certificates it needs, and then change the mode to Only server certificates matching the recorded certificate are accepted. Give this phase enough time for connections between all the servers to take place so that every certificate is recorded; a server whose certificate was never recorded has nothing to match against and is not trusted once the mode is changed. Administrators must ensure that no servers are spoofed while this mode is in use, because a certificate recorded from a spoofed server is trusted afterwards. When you are confident that all certificates have been exchanged and recorded, change the trust mode to Only server certificates matching the recorded certificate are accepted.

If this option is selected, the Administration > Certificates tab displays the Trust Mode status (for example, IMPORT) and its definition in the details field to the right of the Update button.
Only server certificates matching the recorded certificate are accepted.
Any certificate from another server must match the certificate recorded for that server while the mode was set to All server certificates are accepted and recorded. If the server certificate does not match, or no certificate was recorded for that server, the server is not trusted.

This mode provides an extra level of security intended to detect and prevent server spoofing. If an IP address or hostname is hijacked and connections are routed to another server, that server presents a different certificate and is not trusted. While this mode is the most secure, any replaced server certificate is also rejected, because the new certificate does not match the recorded one. Therefore, before replacing a server certificate, select All server certificates are accepted and recorded, keep that mode in effect until the new certificate is recorded, and then return to this mode.

If this option is selected, the Administration > Certificates tab displays the Trust Mode status (for example, LOCKED) and its definition in the details field to the right of the Update button.
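The following Python model is an added illustration of the three trust modes and of the IMPORT-then-LOCKED rollout and certificate-replacement procedure described above. It is not ExtremeCloud IQ Site Engine code and makes two assumptions about the product: that a recorded certificate is compared by fingerprint, and that the recorded-and-accepted mode overwrites an earlier record for the same server (which is what the replacement procedure above relies on). The certificate bytes are constructed stand-ins for DER-encoded X.509 certificates.

```python
import hashlib
from enum import Enum


class TrustMode(Enum):
    """The three trust modes, named by the status string the Certificates tab displays."""
    TRUSTALL = "All server certificates are accepted"
    IMPORT = "All server certificates are accepted and recorded"
    LOCKED = "Only server certificates matching the recorded certificate are accepted"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (assumed comparison key)."""
    return hashlib.sha256(cert_der).hexdigest()


class ServerTrustStore:
    """One server's record of the certificates it has received from its peers (hypothetical model)."""

    def __init__(self, mode: TrustMode) -> None:
        self.mode = mode
        self.recorded: dict[str, str] = {}  # peer identity -> recorded fingerprint

    def set_mode(self, mode: TrustMode) -> None:
        self.mode = mode

    def accept(self, peer: str, cert_der: bytes) -> bool:
        """Return True if the certificate presented by `peer` is trusted under the current mode."""
        fp = fingerprint(cert_der)
        if self.mode is TrustMode.TRUSTALL:
            return True                  # no trust check at all
        if self.mode is TrustMode.IMPORT:
            self.recorded[peer] = fp     # accept, and (re)record what this peer presented (assumption)
            return True
        # LOCKED: trusted only if a certificate was recorded for this peer and it matches.
        # A peer that never connected during the IMPORT phase has no record and is rejected.
        return self.recorded.get(peer) == fp


def walkthrough() -> dict[str, bool]:
    """Run the IMPORT -> LOCKED rollout, a spoofing attempt, and a certificate replacement."""
    # Constructed stand-ins for certificate bytes; a real deployment presents X.509 certificates.
    control_cert = b"-- constructed cert: control-engine-1 --"
    ldap_cert = b"-- constructed cert: ldap.example.net --"
    spoof_cert = b"-- constructed cert: attacker answering for ldap.example.net --"
    ldap_cert_v2 = b"-- constructed cert: ldap.example.net, renewed --"
    assessment_cert = b"-- constructed cert: assessment-1 --"

    store = ServerTrustStore(TrustMode.IMPORT)
    results: dict[str, bool] = {}

    # Phase 1: IMPORT while every peer connects at least once. The assessment server never does.
    results["import_control"] = store.accept("control-engine-1", control_cert)
    results["import_ldap"] = store.accept("ldap.example.net", ldap_cert)

    # Phase 2: LOCKED. Recorded peers match; a hijacked hostname presents a different certificate.
    store.set_mode(TrustMode.LOCKED)
    results["locked_ldap_ok"] = store.accept("ldap.example.net", ldap_cert)
    results["locked_spoof_rejected"] = store.accept("ldap.example.net", spoof_cert)
    results["locked_unrecorded_rejected"] = store.accept("assessment-1", assessment_cert)

    # Failure mode: the LDAP certificate is renewed while LOCKED, so the new one is rejected.
    results["locked_renewed_rejected"] = store.accept("ldap.example.net", ldap_cert_v2)

    # Remedy: drop back to IMPORT until the new certificate is recorded, then lock again.
    store.set_mode(TrustMode.IMPORT)
    results["import_renewed_recorded"] = store.accept("ldap.example.net", ldap_cert_v2)
    store.set_mode(TrustMode.LOCKED)
    results["locked_renewed_ok"] = store.accept("ldap.example.net", ldap_cert_v2)
    results["locked_old_rejected"] = store.accept("ldap.example.net", ldap_cert)
    return results


if __name__ == "__main__":
    for step, trusted in walkthrough().items():
        print(f"{step:32s} {'trusted' if trusted else 'REJECTED'}")
```

The two rejections worth noting are `locked_unrecorded_rejected` (a server that never connected during the recording phase) and `locked_renewed_rejected` (a replaced certificate); both are the situations the text warns about, and both are resolved by returning to the accepted-and-recorded mode long enough for the missing certificate to be recorded.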

When the trust mode is changed, the ExtremeCloud IQ Site Engine server does not immediately switch to the new mode; a restart of ExtremeCloud IQ Site Engine is required. ExtremeControl and ExtremeAnalytics engines begin using the new trust mode when they are enforced. Enforce the engines before restarting ExtremeCloud IQ Site Engine.

For more information on how to use trust modes, see Advanced Security Options in the Secure Communication Help topic.
