Overview

Lantronix uses certificates to create a secure connection between the Local Manager and the Control Center. Default certificates are provided, but they can be replaced if desired.

Previously, modifying heartbeat certificates was limited to systems running FIPS. In LMS 6.3, this feature is now available for all systems.

Step 1 - Generate a Heartbeat Certificate Signing Request

Log into your Control Center and become root.

Run /uplogix/embassy/scripts/generateCertificateSigningRequest.sh and fill in the prompts. Use the IP address or hostname of the Control Center as the Common Name.

[emsadmin@vUCC ~]$  /uplogix/embassy/scripts/generateCertificateSigningRequest.sh
Initializing crypto.
Common Name: uplogixcontrolcenter92910.uplogix.com
Organizational unit: Lantronix-Heartbeat
Organization: Lantronix
City: Austin
State/Province/Region: Texas
2-letter country code: US
Country code 'US' is United States.
Email address (optional): 
Other Attributes: 
SAN (host or IP): 
Generate? (y/n): y
Generating new 2048-bit key pair.
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDBTCCAe0CAQAwgYwxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEPMA0G
A1UEBxMGQXVzdGluMRAwDgYDVQQKEwdVcGxvZ2l4MRowGAYDVQQLExFVcGxvZ2l4
LUhlYXJ0YmVhdDEuMCwGA1UEAxMldXBsb2dpeGNvbnRyb2xjZW50ZXI5MjkxMC51
cGxvZ2l4LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIUs/wV
b3nkLOs5iW8dvSLH+zxmQZ7/ooFGDpjEGV5QJ5dzJfjXQl240o/xkD5SlpXFbfHb
0AWjShns7zcK58qfkFqmbTPtTYq3TkZJR4ZLFE0Q43In8ZzsoMG2RjaUQ/MoPEIm
/EW3vfM/3B6BawSQ7SJHn1i/OYf6u4FLmuA+urUr5Bhd09rYn/4uyYW4K6zq3BsN
mY8SFMb8Oa9IlecCAwEAAaAzMDEGCSqGSIb3DQEJDjEkMCIwCwYDVR0PBAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCnorqxxSk8
laidEZaH5RWN+EV5KaG3K/yr2mk6/9K/vMw8ftSPeuOW5EcxhUznphFikwJ/8e+z
bmZwX/nnTWW5/GzAt0h4OpssRwY7wO6Ylo3OLszaCTK8SC/9ruRmtQicf76ig32q
lFvqr25FQM04YUQSUC0xWiXYHnnS4qSRqRHy7fYYfNlxOOPBSpUn+mwVAqYU1qWi
LVGUQZb9jIbI
-----END NEW CERTIFICATE REQUEST-----

Step 2 - Sign the Certificate

Copy the output of the script and send it to your certificate authority for signing.

Step 3 - Import Signed Certificate

Once you have received the signed certificate, paste it into a file on the Control Center. Don't forget to become root if you aren't already.

1. Run vi heartbeat.pem
2. Press i to enter INSERT mode
3. Paste the signed certificate information
4. Press ESC
5. Type :wq to write the file and quit

Use the /uplogix/embassy/scripts/importCertificate.sh script to import the signed certificate.

[root@vUCC ~]# /uplogix/embassy/scripts/importCertificate.sh heartbeat LantronixHeartbeat.pem
Reading certificate /root/Lantronix-Heartbeat.pem
Initializing crypto.
Deleting old certificate.
Importing new certificate.

Step 4 - Restart Tomcat Service

To use the new heartbeat certificate, you'll need to restart the Tomcat service.

[root@ems72 ~]# [root@ems72 ~]# service tomcat restart
Updating settings in /usr/tomcat/webapps/ROOT/WEB-INF/classes/database.xml
Updating settings in /uplogix/envoy/config/oracleDatabase.xml
Updating cache file
Shutting down Lantronix Control Center: Lantronix Control Center was not running.
Starting Lantronix Control Center: [ OK ]

Step 5 - Update Local Managers

With the new heartbeat certificate installed, all communication between Local Managers and the Control Center should stop.

If you log into a Local Manager, you should see a Heartbeat alarm similar to the following:

Warning: The system is not communicating with the management server.
 - Heartbeat SSL failure. ((-8157) Certificate extension not found.)

or

Heartbeat SSL failure. ((-8157) Certificate extension not found.)                      
Heartbeat SSL failure. (requested domain name does not match the server's certificate.)

To restore functionality, each Local Manager in your deployment needs to be updated with the new certificate. There are two manual ways to do this.

Option 1 - config system management

Log into the Local Manager and run config system management. Press Enter to accept the existing settings. Before asking you to commit the changes, the Local Manager will reach out to the Control Center and check the certificate. If there is a mismatch, it will display the new certificate and ask you to accept it.

[admin@LantronixLM]# config system management
--- Existing  Values ---
Use Management Server: yes
Hostname or IP: 10.20.30.1
Port: 8443
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: 07/08/2022 14:49:13 GMT (Full)
Change these? (y/n) [n]: y
--- Enter New Values ---
Use Management Server (y/n/auto) [y]: 
Hostname or IP [10.20.30.1]: 
Port [8443]: 
Heartbeat interval (seconds) [30]: 
Heartbeat during [all]: 
Connecting to 10.20.30.1:8443
TCP connection established.

The following certificate was returned by the server.
Certificate:
 Version: 3
 Subject: CN=uplogixcontrolcenter923919.uplogix.com, OU=hb, O=Lantronix, L=Austin, ST=Texas, C=US
 Issuer:  CN=Lantronix OMG BBQ
 Serial Number: --REMOVED--
 Valid From: 06/21/2020 21:09:20 UTC
 Valid To:   09/23/2084 21:09:20 UTC
 Fingerprint: DwEiuYN--REMOVED--(#)ADJFBN
 Algorithm: SHA256withRSA
 Key Usage: digital_signature, key_encipherment
 Extended Usage: server_auth
-----BEGIN CERTIFICATE-----
Loremipsumdolorsitamet,consecteturadipiscingelit,seddoeiusmodtemporincididuntutla
boreetdoloremagnaaliqua.Utenimadminimveniam,quisnostrudexercitationullamcolabor
isnisiutaliquipexeacommodoconsequat.Duisauteiruredolorinreprehenderitinvoluptateve
litessecillumdoloreeufugiatnullapariatur.Excepteursintoccaecatcupidatatnonproident,su
ntinculpaquiofficiadeseruntmollitanimidestlaborum.==
-----END CERTIFICATE-----

Do you trust this certificate? (y/n) [n]: y
Do you want to commit these changes? (y/n): y

Once the new certificate is trusted and accepted, heartbeat communication will resume and the alarms should clear.

Option 2 - install new certificate manually

For a more direct approach, you can use the config system crypto certificate management command to paste in the certificate.

[admin@LantronixLM]# config system crypto certificate management
** Only one certificate is allowed for a management server.                **
** Entering a new certificate here without updating the management server  **
** first will prevent the system from communicating with the management    **
** server.                                                                 **

Proceed? (y/n) [n]: y
Type 'exit' on a line by itself to exit.
[config sys crypto cert management]# Loremipsumdolorsitamet,consecteturadipiscingelit,seddoeiusmodtemporincididuntutla
boreetdoloremagnaaliqua.Utenimadminimveniam,quisnostrudexercitationullamcolabor
isnisiutaliquipexeacommodoconsequat.Duisauteiruredolorinreprehenderitinvoluptateve
litessecillumdoloreeufugiatnullapariatur.Excepteursintoccaecatcupidatatnonproident,su
ntinculpaquiofficiadeseruntmollitanimidestlaborum.==
[config sys crypto cert management]# exit

Once the new certificate is installed, heartbeat communication will resume and the alarms should clear.

Installation Complete

Once all Local Managers are communicating with the Control Center without errors or alarms, installation of a custom heartbeat certificate is now complete.

Automating Certificate Installation

Unless you are installing a customer certificate on a brand new deployment, performing this task will require you to touch every Local Manager in your deployment every time a new certificate is installed (or updated after expiration). The script below can be used to automate the task of logging into each system, running the config system crypto certificate management command to paste in the new certificate, and exiting.

To use this script, you will need:

• A user who can authenticate using SSH keys to bypass interactive login
• A user who is allowed to run config system crypto certificate management
• A list of Local Manager IP addresses (available via CSV download from Administration > Deployment Overview)

Copy and paste the following script into a file on your Control Center.

[emsadmin@vUCC-Eval ~]$ vi updateLMHBCerts.sh

#!/bin/sh

set -e
set -x

IPS="10.10.10.1 10.10.10.2 10.10.10.3"

for ip in $IPS; do
    echo "$ip"
    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no USERNAME@"$ip" <<EOF || echo $? 
config sys crypto cert man
y
-----BEGIN CERTIFICATE-----
Loremipsumdolorsitamet,consecteturadipiscingelit,seddoeiusmodtemporincididuntutla
boreetdoloremagnaaliqua.Utenimadminimveniam,quisnostrudexercitationullamcolabor
isnisiutaliquipexeacommodoconsequat.Duisauteiruredolorinreprehenderitinvoluptateve
litessecillumdoloreeufugiatnullapariatur.Excepteursintoccaecatcupidatatnonproident,su
ntinculpaquiofficiadeseruntmollitanimidestlaborum.==
-----END CERTIFICATE-----
exit
logout
n
EOF
done

Modify the list of IPS, USERNAME, and the certificate text before saving.

Once saved, make the script executable.

[emsadmin@vUCC-Eval ~]$ chmod u+x updateLMHBCerts.sh 

When run, the script will SSH to each Local Manager IP in the list, run the necessary commands, and exit. This script can be updated with a new list of IP addresses and heartbeat certificate as necessary.