Encrypted communication - Metasys - LIT-12011832 - General System Information - Metasys System - 12.0

Metasys System Configuration Guide

Brand: Metasys
Product name: Metasys System
Document type: Configuration Guide
Document number: LIT-12011832
Version: 12.0
Revision date: 2024-03-25
Product status: Active
Language: English

All Metasys Server-based devices (ADS, ADX, and OAS) and network engines are installed with self-signed certificates and operate in a secure mode. Self-signed certificates improve system security by providing a secure, encrypted connection to the Metasys web server. All data on the network travels over an HTTPS connection using TLS 1.2, so it cannot be read by a third-party application. When you use a self-signed certificate, the Metasys web server is in effect saying, "Don't worry, I am who I say I am. You can trust me." Employing self-signed certificates has no cost.

If the customer wants a higher level of security, they can replace self-signed certificates that are installed on the Metasys server and network engines with a certificate issued by a Certificate Authority (CA). These trusted certificates can be generated by the customer's internal IT department or be purchased from a CA such as Verisign or GoDaddy. When you use a trusted certificate, the Metasys web server is in effect saying, "Trust me - the CA agrees I am who I say I am."

The steps for installing trusted certificates on a Metasys server are covered in the respective installation documents: Metasys Server Installation and Upgrade Instructions (LIT-12012162) or Open Application Server (OAS) Installation and Upgrade Guide (LIT-12013222). The steps for installing trusted certificates on network engines are described in SCT: System Configuration Tool Help (LIT-12011964).

When deploying certificates, keep the following in mind:

  • The steps for setting up trusted certificates can be complicated. Ask the customer's IT department for assistance.
  • Secure and encrypted communication has the greatest importance between the Site Director and a client logging in to the Site Director from the Metasys SMP. In many cases, the most practical choice is to install a trusted certificate at the Site Director (ADS, ADX, or OAS) and self-signed certificates on each network engine that is upgraded to Release 8.1 or later. If the Site Director is a network engine, you might want to install a trusted certificate on just the Site Director NAE and self-signed certificates on its child devices.
  • The name of the network engine within the SCT archive and the subject common name (or hostname associated with the certificate) within the certificate must match exactly for a certificate to be imported and bound to IIS.
  • Some certificate authorities may require the subject common name (or hostname associated with the certificate) within the certificate to include a domain name. If you are implementing certificate management on an existing Metasys system, adding a trusted certificate may require you to add a domain name to the original host name of a server or engine. This action requires you to rename all data in the Metasys historical databases. This renaming operation requires intensive database operations that significantly prolong a system upgrade. Therefore, be sure to allocate extra time if you are renaming historical data as part of an upgrade to the latest Metasys release.
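
The name-matching rule in the last two points can be checked before a certificate is imported. The following is an added example, not part of the Metasys documentation or tooling: it uses the openssl command line to compare a PEM certificate's subject common name with a device name and to report whether the certificate is self-signed. The device name NAE-01, the domain example.local, and all function names are constructed for illustration, and "match exactly" is assumed to mean a case-sensitive string comparison.

```bash
#!/usr/bin/env bash
# Added example: pre-import check of a PEM certificate against a device name.
# Requires the openssl CLI. NAE-01 and example.local are constructed names.

# Print the subject common name (CN) of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p' | head -n 1
}

# Print "self-signed" when subject and issuer names are identical, else
# "ca-issued". Assumption: name equality is the test; no signature is verified.
cert_kind() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject_hash)
  iss=$(openssl x509 -in "$1" -noout -issuer_hash)
  if [ "$subj" = "$iss" ]; then echo "self-signed"; else echo "ca-issued"; fi
}

# check_cert_name CERT.pem DEVICE_NAME
# Returns 0 only if the CN equals DEVICE_NAME exactly (case-sensitive), so
# "NAE-01" and "NAE-01.example.local" count as different names.
check_cert_name() {
  local cert="$1" want="$2" cn
  cn=$(cert_cn "$cert")
  if [ "$cn" = "$want" ]; then
    echo "OK: CN '$cn' matches device name ($(cert_kind "$cert"))"
  else
    echo "MISMATCH: CN '$cn' != device name '$want'"
    return 1
  fi
}

# Constructed sample input: a throwaway self-signed certificate for CN=$1.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

demo() {
  local dir; dir=$(mktemp -d)
  make_sample_cert "NAE-01" "$dir/nae"
  check_cert_name "$dir/nae.pem" "NAE-01"
  check_cert_name "$dir/nae.pem" "NAE-01.example.local" || true
  rm -rf "$dir"
}
demo
```

A mismatch against the fully qualified name is the case described in the last point: if the CA requires a domain name in the common name, the device name has to change to match it.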