One of the challenges for any Enterprise Management software product is making sure that it is secure and, perhaps even more importantly, that it does not weaken the security levels already in place. In a world of black-hatted hackers, sniffers and lurkers, secure communication is a primary concern for any Enterprise Admin, and any software intended for use in their environment must meet that standard or better. 2Pint iPXE Anywhere has been developed with this in mind and can accordingly be configured to communicate over HTTPS for any customer that requires that level of security.

Several Certificate Authorities are involved at different points of the chain, and each must be trusted by the next for communication to happen between the various components that make up the iPXE Anywhere infrastructure.

Firstly, the iPXE Anywhere client component itself has a 2PintSoftware.crt embedded in the software, issued by the 2PintSoftware Root CA.

Also embedded in the iPXE Anywhere software is the iPXE.org.crt CA certificate, issued by the iPXE project's own root CA (ca.ipxe.org), which in turn cross-signs the public root CAs such as Verisign. At this point the client trusts 2Pint, the iPXE project CA and the public root CAs. So far so good!

The iPXE Anywhere service on a client needs to establish a connection with the 2PXE server. This initial request is hardcoded to HTTP, because the service does not yet know whether the server is configured to accept HTTPS traffic. (Future versions will offer configuration options for securing this initial request; if this matters for your enterprise, please contact us for an update.) Note that, being plain HTTP, this first exchange is neither encrypted nor authenticated, so the response that tells the client to switch to a secured channel is itself unprotected on the wire. Assuming the initial response advises the client to use a secured channel, the service establishes an HTTPS connection with the 2PXE server on the default port of 8050 (a different port may be configured through DHCP option 252). Assuming all is well and the server has been properly configured for HTTPS, the 2PXE server returns the .ipxe script file over the TLS connection, and the iPXE Anywhere client can get on with connecting to the resources configured in that .ipxe script and perform some of that ol' iPXE Anywhere magic.

Next, the client needs to connect to the content Distribution Point (DP).

Using the embedded 2PintSoftware.crt, the 2PXE server cross-signs the customer's CA certificate (CA.crt, the public certificate of the customer's own CA). This cross-signed certificate is then returned to the client over the secure channel. The iPXE client can now contact the DP and request a TLS connection. The DP presents a certificate issued by the customer's CA and requires the client to secure communication with it. The client can validate that certificate because the cross-signed certificate it holds links the customer CA to the 2Pint root it already trusts.

The next step in this trust chain is client authentication.

The DP now requests authentication from the client. The client presents the certificates for which it holds private keys. One of these is the client certificate whose private key is supplied by the DP: the key is extracted from the Configuration Manager server registry, used to create a .key and a .crt file, and those files are forwarded to the client. Once the DP has checked that the client does indeed hold the required private key, full communication and file transfer can proceed over the secured channel. Because this private key is handed out to clients, the certificate it belongs to should be used for this client authentication only and never reused as a server identity.

The above is a Configuration Manager based scenario, in which the certificate and private key can be passed to the client by the DP on request. In a non-CM environment some further configuration is required, as you must create and distribute the cross-signed certificate manually. If you require assistance with this, please feel free to contact the 2Pint Support team or search the Knowledge Base, as it is possible that, by the time you are reading this, a document on the subject has been written and uploaded.
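To make the cross-signing step described above concrete (both the certificate the 2PXE server hands the client and the one you must build by hand in a non-CM environment), here is an added example that is not 2Pint's or iPXE's own code. It builds three throwaway certificates with openssl: root A stands in for the 2PintSoftware Root CA that the iPXE Anywhere client already trusts, CA B stands in for the customer CA that issues the DP's HTTPS certificate, and the leaf is the DP's server certificate. It then shows that a client trusting only root A rejects the DP certificate until a cross-signed certificate (B's key and subject name, signed by A) is supplied. All names, DNs and file names are constructed for the example; how 2PXE itself holds the signing key is not described on this page and is not assumed here.

```shell
#!/bin/sh
# Added example (not 2Pint's or iPXE's code): demonstrates with openssl why a
# cross-signed CA certificate is needed. Root A = the client's embedded trust
# anchor (stand-in for the 2PintSoftware Root CA); CA B = the customer CA that
# issues the DP's HTTPS certificate. All DNs and paths below are constructed.

cross_sign_demo() {
    d=$(mktemp -d)

    # Root A: the trust anchor the client already has.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/rootA.key" -out "$d/rootA.crt" \
        -subj "/CN=Example 2Pint Root CA" >/dev/null 2>&1

    # Customer CA B: self-signed and unknown to the client.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/custCA.key" -out "$d/custCA.crt" \
        -subj "/CN=Example Customer CA" >/dev/null 2>&1

    # DP server certificate, issued by B.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$d/dp.key" -out "$d/dp.csr" \
        -subj "/CN=dp01.example.local" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$d/dp.csr" \
        -CA "$d/custCA.crt" -CAkey "$d/custCA.key" -CAcreateserial \
        -out "$d/dp.crt" >/dev/null 2>&1

    # 1) Client trusts only root A: the DP certificate chains to B, which is
    #    not a known issuer, so validation fails.
    if openssl verify -CAfile "$d/rootA.crt" "$d/dp.crt" 2>/dev/null \
        | grep -q ': OK$'; then
        before=ok
    else
        before=fail
    fi

    # 2) Cross-sign: issue a CA certificate for B's existing key and subject
    #    name, signed by root A. The DP's own certificate is untouched.
    openssl req -new -key "$d/custCA.key" -out "$d/custCA.csr" \
        -subj "/CN=Example Customer CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl x509 -req -days 365 -in "$d/custCA.csr" \
        -CA "$d/rootA.crt" -CAkey "$d/rootA.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/custCA-cross.crt" >/dev/null 2>&1

    # 3) Same trust anchor, plus the cross-signed certificate supplied as an
    #    untrusted intermediate (the role of the certificate the 2PXE server
    #    returns to the client): the chain now ends at root A and validates.
    if openssl verify -CAfile "$d/rootA.crt" -untrusted "$d/custCA-cross.crt" \
        "$d/dp.crt" 2>/dev/null | grep -q ': OK$'; then
        after=ok
    else
        after=fail
    fi

    rm -rf "$d"
    echo "without-cross-cert=$before with-cross-cert=$after"
}

cross_sign_demo
```

The point to take from the run is that nothing about the DP or its certificate changes; only the client's view of the customer CA does, because the cross-signed certificate carries the customer CA's public key under a signature the client can already verify. For a manual (non-CM) deployment, the file you distribute to clients plays the part of custCA-cross.crt here, and `openssl verify -CAfile <client trust anchor> -untrusted <cross-signed cert> <DP certificate>` is a quick way to confirm the chain before rolling it out.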