Invoking the ICA Management Tool
Symptoms
  • Some certificate management features require the use of this tool on the Security Management Server / Domain Management Server.
Solution

Table of Contents:

  • Procedure
  • Notes
  • Related documentation
  • Related solutions


Procedure

The ICA Management Tool is not accessible by default. Access to the tool is configured from the command line on the Security Management Server / Domain Management Server (on a Multi-Domain Server, first switch to the context of the involved Domain with the 'mdsenv Domain_Name' command).

  1. To check the current status of ICA Management Tool:

    [Expert@HostName]# cpca_client [-d] set_mgmt_tool print

    where:
    • -d - (optional) enables debug for this operation (output is printed on the terminal)


  2. To enable the ICA Management tool:

    [Expert@HostName]# cpca_client [-d] set_mgmt_tool on [-a "administrator DN" | -u "user DN"]

    where:
    • -d - (optional) enables debug for this operation (output is printed on the terminal)
    • on - sets the status of the ICA Management Tool 
    • -a "administrator DN" | -u "user DN" - (optional) sets the DN of the authorized administrator ('-a' flag) or DN of the authorized user ('-u' flag) permitted to use the ICA Management tool (must specify the full DN as appears in SmartDashboard in administrator/user properties - on 'Certificates' pane - in the 'DN:' field)

    Note: Having port 18265 open is not a vulnerability by itself. The Management Tool Portal is served over SSL, and only administrators/users whose certificate DN has been authorized with this command can access it, authenticating with that certificate.

    Follow these recommendations:

    1. Make sure ICA Management Tool is running using the SSL authentication (this is the default):

      Check the current authentication:
      [Expert@HostName]# cpca_client set_mgmt_tool print

      The second line of the output will be one of:

      • Using SSL - no need to take any further steps
      • Not using SSL - reconfigure the tool to use SSL: stop it with 'cpca_client set_mgmt_tool off', start it again without the '-no_ssl' flag ('cpca_client set_mgmt_tool on'), and confirm the change with 'cpca_client set_mgmt_tool print'


    2. If ICA Management Tool is not needed for a long period of time, then perform one of the following:

      • Either disable ICA Management Tool:

        • On Security Management Server

          [Expert@HostName]# cpca_client set_mgmt_tool off

        • On Multi-Domain Security Management Server

          [Expert@HostName]# mdsenv Domain_Name
          [Expert@HostName]# cpca_client set_mgmt_tool off


      • Or make sure that the certificate used to authenticate to the ICA Management Tool was imported with "strong private key protection", so that Windows prompts for confirmation every time the private key is used.

        Follow these steps to import the certificate with "strong private key protection":

        Reference: Import or export certificates and private keys - click on "To import a certificate and private key".

        1. Go to Start menu - click on "Run..." / click in "Search" field - type/paste certmgr.msc - press Enter

          Administrator permission required. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

        2. Click on "Personal" to select it (a client certificate with its private key belongs in the Personal store, which is where the browser looks for client certificates) - go to 'Action' menu - go to 'All Tasks' - click on 'Import':

        3. Click 'Next', and then follow the instructions.

          Important Note: On the "Password" screen, make sure to check this box:

          "Enable strong private key protection."

          ("Mark this key as exportable" is a separate option that does not provide this protection; leave it unchecked unless you need to export the key later.)

    3. Reduce amount of Administrators/Users and Hosts that have access to ICA Management Tool to the required minimum.

      Check the current list of Administrators/Users:
      [Expert@HostName]# cpca_client set_mgmt_tool print

      Look at the following sections:

      • The authorized administrators:
      • The authorized users:
      • The authorized custom users:

      To remove an administrator, run:
      cpca_client set_mgmt_tool remove -a Administrator_DN

      To remove all the users, run:
      cpca_client set_mgmt_tool clean

    Comments:

    1. If the command is run without the '-a' or '-u' flags, the list of permitted users and administrators is not changed; however, any "custom" users will need to be recreated after you regenerate the private key. The ICA Management Tool can be stopped or started with the previously defined permitted users and administrators.

    2. If two consecutive start operations are initiated (cpca_client set_mgmt_tool on), the ICA Management Tool will not respond, unless you change the SSL mode. After the SSL mode has been modified, the ICA Management tool can be stopped and restarted.
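    The three recommendations above can be checked mechanically from the output of 'cpca_client set_mgmt_tool print'. The following script is an added example and is not part of this SecureKnowledge article or of the cpca_client tool: it parses that output and reports whether the tool is running without SSL and whether more DNs than necessary are authorized. The sample outputs embedded in it are constructed to match the format shown in this article; on a real server you would feed the script the live command output instead. The threshold MAX_AUTHORIZED (default 1) is an assumption, not a Check Point setting.

```shell
#!/bin/sh
# Added example (not from the Check Point article): audit the output of
# 'cpca_client set_mgmt_tool print' against the hardening recommendations.
# Constructed sample outputs (format copied from the article's example).
# On a Security Management Server replace them with:
#   cpca_client set_mgmt_tool print
# (on a Multi-Domain Server run 'mdsenv Domain_Name' first).

SAMPLE_PRINT='Management tool is ON.
Not using SSL.
The authorized administrators: 
(
        : ("CN=ica_admin,OU=users,O=MGMT..ecuekf")
)
The authorized users: 
(
        : ("CN=ICA_Tool_User,OU=users,O=MGMT..ecuekf")
        : ("CN=old_contractor,OU=users,O=MGMT..ecuekf")
)
The authorized custom users: 
()'

# Constructed: the healthy state shown in the article (ON, SSL, one user).
ARTICLE_PRINT='Management tool is ON.
Using SSL.
The authorized administrators: 
()
The authorized users: 
(
        : ("CN=ICA_Tool_User,OU=users,O=MGMT..ecuekf")
)
The authorized custom users: 
()'

# Constructed: the tool switched off.
OFF_PRINT='Management tool is OFF.'

# Print ON or OFF from the first line ("Management tool is ON.").
tool_state() {
    printf '%s\n' "$1" | awk '/^Management tool is/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Succeed only if the second line reports "Using SSL." ("Not using SSL." fails).
uses_ssl() {
    printf '%s\n' "$1" | grep -q '^Using SSL'
}

# Count the quoted DNs listed in the parenthesised block that follows a
# section header such as "The authorized users:". An empty section is "()".
count_dns() {
    printf '%s\n' "$1" | awk -v hdr="$2" '
        index($0, hdr) == 1 { inblock = 1; next }
        inblock && /^\(\)/ { exit }        # empty section
        inblock && /^\(/   { next }        # opening "("
        inblock && /^\)/   { exit }        # closing ")"
        inblock && /\("/   { n++ }         # one quoted DN per line
        END { print n + 0 }'
}

# Report findings and end with a "findings: N" line. Always returns 0 so it
# can be run under 'set -e'; the caller reads the count from the last line.
audit_mgmt_tool() {
    out="$1"
    findings=0
    if [ "$(tool_state "$out")" = "ON" ]; then
        if ! uses_ssl "$out"; then
            echo "FINDING: tool is ON without SSL; run 'cpca_client set_mgmt_tool off' then 'cpca_client set_mgmt_tool on'"
            findings=$((findings + 1))
        fi
        total=$(( $(count_dns "$out" "The authorized administrators:") \
                + $(count_dns "$out" "The authorized users:") \
                + $(count_dns "$out" "The authorized custom users:") ))
        # MAX_AUTHORIZED is an assumed local policy threshold, not a product setting.
        if [ "$total" -gt "${MAX_AUTHORIZED:-1}" ]; then
            echo "FINDING: $total DNs may use the tool; remove unneeded ones with 'cpca_client set_mgmt_tool remove -a <DN>' (or 'clean')"
            findings=$((findings + 1))
        fi
    else
        echo "OK: tool is OFF (port 18265 closed)"
    fi
    echo "findings: $findings"
}

# Offline demonstration against the constructed samples.
audit_mgmt_tool "$SAMPLE_PRINT"
audit_mgmt_tool "$ARTICLE_PRINT"
audit_mgmt_tool "$OFF_PRINT"
```

On the server itself you would call audit_mgmt_tool "$(cpca_client set_mgmt_tool print)" from Expert mode; the script only reads the status output and never changes the tool's configuration, so it is safe to run from a cron job or a compliance check.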


  3. To disable the ICA Management tool:

    [Expert@HostName]# cpca_client [-d] set_mgmt_tool off

    where:
    • off - stops the ICA Management Tool (by closing port 18265)
    • -d - (optional) enables debug for this operation (output is printed on the terminal)


  4. If you create a new administrator in SmartDashboard for the ICA Management Tool, you have to generate a certificate for this new administrator, authorize its DN with 'cpca_client set_mgmt_tool on', and import the certificate into the browser's certificate store:

    1. Connect to Security Management Server / Domain Management Server with SmartDashboard.

    2. Go to 'Manage' menu - select 'Users and Administrators'.

    3. Click on 'New...' - select 'Administrator...' - 'Administrator Properties' window opens.

    4. Fill the relevant details on the 'General Properties' pane.

    5. In the 'Permissions Profile:' field, click on 'New...' - 'Permission Profile Properties' window opens.

    6. Set the relevant permissions.

    7. Click on 'OK' to close the 'Permission Profile Properties' window.

    8. Go to 'Authentication' tab - select and configure the relevant 'Authentication Scheme'.

    9. Go to 'Certificates' tab - click on Generate and save button.

    10. Certificate *.p12 file will be created.

    11. Save the file in some folder.

    12. Note/copy the full DN from the 'DN:' field - this DN has to be used in the syntax of the cpca_client set_mgmt_tool on command.
      Example:
      [Expert@HostName]# cpca_client set_mgmt_tool on -u CN=ICA_Tool_User,OU=users,O=MGMT..ecuekf
      Management tool is ON.
      Using SSL.
      The authorized administrators: 
      ()
      The authorized users: 
      (
              : ("CN=ICA_Tool_User,OU=users,O=MGMT..ecuekf")
      )
      The authorized custom users: 
      ()
      
    13. Click on 'OK' to close the 'Administrator Properties' window.

    14. Click on 'Close' to close the 'Users and Administrators' window.

    15. Import the Administrator's certificate *.p12 file to your web browser:

      • For Internet Explorer / Google Chrome

        • Right-click on the *.p12 file - select Install PFX - 'Certificate Import Wizard' opens.
        • Click 'Next' to continue.
        • Specify the file you want to import - click 'Next'.
        • Type the password for private key - click 'Next'.
        • Select the desired certificate store - click 'Next'.
        • Click 'Finish'.
        • You should receive a confirmation that the import was successful.


      • For Mozilla Firefox

        • Go to 'Tools' menu - select 'Options...' - 'Options' window opens.
        • Go to 'Advanced' - go to 'Encryption' tab - click on 'View Certificates' button - 'Certificate Manager' window opens.
        • Go to 'Your Certificates' tab - click on 'Import...'.
        • Select the *.p12 file.
        • Enter the password.
        • You should receive a confirmation that the import was successful.
        • Click on 'OK' to close the 'Certificate Manager' window.
        • Click on 'OK' to close the 'Options' window.


  5. Connect to the ICA Management Tool with your browser over HTTPS:

    https://<Management_Machine_IP_Address>:18265

    where <Management_Machine_IP_Address> is the IP address of Security Management Server / of Domain Management Server.


Notes

After upgrading the Security Management Server / Multi-Domain Security Management Server, or after migrating the database, the ICA Management Tool might become unreachable because the private key file $FWDIR/state/InternalCA_site.p12 (the key behind the tool's SSL certificate) is not migrated during the upgrade / migration operation.

In such case, after upgrading/migrating, follow these steps on Security Management Server / Domain Management Server:

  1. Rename the current private key file $FWDIR/state/InternalCA_site.p12:

    [Expert@HostName]# mv  $FWDIR/state/InternalCA_site.p12  $FWDIR/state/InternalCA_site.p12_ORIGINAL

  2. Disable the ICA Management Tool:

    [Expert@HostName]# cpca_client set_mgmt_tool off

  3. Enable the ICA Management Tool:

    [Expert@HostName]# cpca_client [-d] set_mgmt_tool on [-a "administrator DN" | -u "user DN"]

  4. Check that a new private key file was created (the file listed must be newer than the renamed _ORIGINAL copy):

    [Expert@HostName]# ls -l $FWDIR/state/InternalCA_site.p12

  5. Try to connect to the ICA Management Tool with your browser over HTTPS:

    https://<Management_Machine_IP_Address>:18265


Imported from Nokia support database
