Copy the SSL Certificate to Privileged Access Failover and Atlas Appliances
Bomgar allows you to use additional Bomgar Appliances for failover or for load balancing. If you intend to use additional Bomgar Appliances in your setup, it is important that each additional appliance is properly secured by an SSL certificate.
In a failover setup, the primary and backup appliances must have identical SSL certificates for failover to be successful. Otherwise, in the event of failover, the backup appliance will be unable to connect to any Bomgar software clients. Therefore, you should create a CA-signed certificate that supports each appliance's unique hostname as well as your main Bomgar site hostname. Replicate this certificate on both the primary and the backup appliances.
Additionally, if you plan to use an Atlas setup, it is recommended that you use a wildcard certificate that covers both your Bomgar site name and each traffic node hostname. If you do not use a wildcard certificate, then adding traffic nodes that use different certificates may require a rebuild of the Bomgar software. Therefore, you should create a CA-signed wildcard certificate that supports all of the hostnames used in your Atlas setup. Replicate this certificate on each of your Atlas clustered appliances.
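The two requirements above (the same certificate on primary and backup, and SAN coverage of every appliance and site hostname) can be checked before any import. The following POSIX shell script is an added example that is not part of Bomgar's documentation or product; it uses the openssl CLI, and the hostnames support.example.com and *.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not Bomgar tooling: sanity-check an exported certificate
# before importing it on failover or Atlas nodes. Requires the openssl CLI.
# All hostnames (support.example.com, *.example.com) are placeholders.
# Print the DNS entries of the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed if the certificate covers HOST, by exact SAN or by a single-label
# wildcard (*.example.com matches node1.example.com, not a.node1.example.com).
cert_covers() {
  cert_sans "$1" | (
    host="$2"
    while IFS= read -r san; do
      case "$san" in
        '*.'*) [ "${host#*.}" = "${san#\*.}" ] && exit 0 ;;
        *)     [ "$host" = "$san" ] && exit 0 ;;
      esac
    done
    exit 1
  )
}

# Print each hostname in "$2.." that the certificate in $1 does not cover;
# return non-zero when at least one is missing.
missing_hosts() {
  cert="$1"; shift; rc=0
  for h in "$@"; do
    cert_covers "$cert" "$h" || { echo "$h"; rc=1; }
  done
  return $rc
}

# SHA-256 fingerprint: primary and backup must report the identical value.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
same_cert() { [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; }

# Generate a throwaway self-signed cert (OUT CN SANLIST) as constructed test data.
make_test_cert() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=%s\n[v3]\nsubjectAltName=%s\n' "$2" "$3" > "$d/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/san.cnf" \
    -keyout "$d/key.pem" -out "$1" >/dev/null 2>&1
  rm -rf "$d"
}
```

Run `missing_hosts primary.pem support.example.com node1.example.com` against the exported PEM, then `same_cert primary.pem backup.pem` after exporting from each appliance; an empty list and a zero exit status mean the certificate is fit to replicate.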
To replicate an SSL certificate, follow the instructions below:
Export the Certificate
- On the primary appliance, log into the /appliance interface. Go to Security > Certificates.
- In the Security :: Certificates section, check the box beside the certificate that is assigned to the active IP address. Then, from the dropdown menu at the top of this section, select Export.
Note: Exporting certificates does not remove them from the appliance.
- On the Security :: Certificates :: Export page, check the options to include the certificate, the private key, and the certificate chain. It is strongly recommended that you set a passphrase for the private key.
Import the Certificate
- On the backup appliance, log into the /appliance interface. Go to Security > Certificates.
- In the Security :: Certificate Installation section, click the Import button.
- Browse to the certificate file you just exported from the primary appliance. If a passphrase was assigned to the file, enter it in the Password field. Then click Upload.
- The imported certificate chain should now appear in the Security :: Certificates section.
- Repeat the import process for each additional clustered appliance.
Update the Bomgar Appliance
To ensure the reliability of your client software, Bomgar Technical Support builds your root certificate into your software. Therefore, any time you import a new root certificate to your Bomgar Appliance, you must send to Bomgar Technical Support a copy of the new SSL certificate and also a screenshot of your Status > Basics page to identify the appliance being updated.
Do NOT send your private key file (which ends in .p12) to Bomgar Technical Support. This key is private because it allows the owner to authenticate your Bomgar Appliance's identity. Ensure that the private key and its passphrase are kept in a secure, well-documented location on your private network. If this key is ever exposed to the public (via email, for instance), the security of your appliance is compromised.
- Go to /appliance > Status > Basics and take a screenshot of the page.
- Add the saved screenshot and all of the SSL certificate files for your certificate chain to a .zip archive. Do NOT include any private key files (e.g., .p12, .pfx, or .key files).
- Compose an email to Bomgar Technical Support requesting a software update. Attach the .zip archive containing the certificate files and screenshot. If you have an open incident with Support, include your incident number in the email. Send the email.
- Once Bomgar Technical Support has built your new software package, they will email you instructions for how to install it. Update your software following the emailed instructions.
- Repeat the update process for each additional clustered appliance.
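Before creating the .zip archive described above, the staging folder can be checked automatically for private key material. This POSIX shell script is an added example, not Bomgar's own tooling; it requires the openssl CLI and flags a file as a key by its extension, by a PEM "PRIVATE KEY" header, or by parsing as an unencrypted DER private key.

```shell
#!/bin/sh
# Added example, not Bomgar tooling: pre-flight check of the folder you are
# about to zip for Bomgar Technical Support. Flags anything that looks like
# private key material so it never leaves your network. Requires openssl.

# Return 0 if FILE holds private key material: a key-type extension, a PEM
# "PRIVATE KEY" block, or an unencrypted DER-encoded private key.
is_private_key() {
  case "$1" in *.p12|*.pfx|*.key) return 0 ;; esac
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null && return 0
  openssl pkey -in "$1" -inform DER -noout </dev/null >/dev/null 2>&1 && return 0
  return 1
}

# Return 0 if FILE parses as an X.509 certificate (PEM or DER).
is_certificate() {
  openssl x509 -in "$1" -noout 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -noout 2>/dev/null
}

# Classify every regular file in DIR: "KEY" (must not be sent), "OK"
# (certificate), or "??" (anything else, e.g. the screenshot; review by hand).
# Returns non-zero if any private key is present.
check_support_bundle() {
  rc=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if is_private_key "$f"; then echo "KEY $f"; rc=1
    elif is_certificate "$f"; then echo "OK  $f"
    else echo "??  $f"
    fi
  done
  return $rc
}
```

Only zip the folder when `check_support_bundle ./support-bundle` exits zero; an encrypted .p12 renamed to another extension is not detected by content, so keep the exported key file out of the staging folder entirely.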
After these steps are complete, it is advisable to wait 24-48 hours before proceeding further. This allows time for your Bomgar client software (especially Jump Clients) to update themselves with the new certificate which Bomgar Technical Support included in your recent software update.
Assign IP Addresses
Your new certificate will not secure any hostnames until you assign it to one or more IP addresses. However, you should not assign an IP address to a new certificate if your appliance is currently in production with active connections. For new installations, this is not an issue, but appliances in production should schedule downtime to change and test IP assignments.
IP address assignment is performed on the Edit Certificate Configuration page of the certificate in question. If your appliance has multiple IP addresses, you must determine which one is correct for your certificate. You can assign an SSL certificate to multiple IP addresses, if necessary.
The correct IP address is the one which has a DNS hostname registered for it on the network. Thus, the appropriate IP address for a certificate is the IP which receives traffic from the DNS A-record. Private A-records normally have the IP address of the certificate itself, but public A-records normally have a public IP which redirects to the IP address assigned to the certificate. Certificates should not normally be issued to IP addresses.
- Go to /appliance > Security > Certificates.
- Click the Friendly Name or Assign IP link of your new certificate in the Security :: Certificates section.
- Scroll to the bottom of the page, select the IP address or addresses for which the certificate should be active, and click Save Configuration.
Note: If there is no Assign IP link and/or the IP Addresses are grayed out, refer to the Private Key field of the certificate to make sure it reads Available. If not, either contact your certificate authority for instructions to re-key your certificate, or transfer the private key of your certificate from another server on which it resides.
- Repeat the IP address assignment process for each additional clustered appliance.
The configuration can take a few minutes to complete. Once the configuration has finished processing, the new certificate is active on the network and secures the IP addresses you selected.
Any old certificates will still be present on the appliance, but they will not be active on the IP addresses of the new certificate. This is because only one certificate at a time can be assigned to an IP address. If multiple certificates must be active simultaneously (e.g., to support multiple DNS A-records), you must add an IP address and A-record for each.
Any time you add a new IP address to your appliance, that address is assigned to the factory default certificate. You must update the IP Addresses configuration of the appropriate certificate to secure the new IP address. This address should have a DNS hostname registered for it on the network; thus, the appropriate certificate is the one which has a subject alternative name (SAN) entry for the DNS address, not the IP address. Although certificates can include IP address SAN entries, this is not a recommended configuration in most cases.