Manage certificates (FAST Search Server 2010 for SharePoint) (information in English)

Updated: February 10, 2011

FAST Search Server 2010 for SharePoint uses certificates for authentication and encryption purposes. The certificates are used both for communication between servers in a multiple server FAST Search Server 2010 for SharePoint deployment, and between FAST Search Server 2010 for SharePoint and Microsoft SharePoint Server.

Each server in a FAST Search Server 2010 for SharePoint deployment potentially has three certificates which serve different functions and which must be configured and replaced separately:

  • General purpose FAST Search certificate (used for internal communication, administration services, and feeding from Microsoft SharePoint Server)

  • Server-specific certificate for query traffic using HTTPS (only on query servers that have HTTPS query traffic enabled).

  • Claims certificate (only on query servers).

Note that the first two certificates may be combined into one certificate if the requirements that are listed under General purpose FAST Search certificate are fulfilled. Even then, replacing each of the two (for example, because of expiration or revocation) requires its own configuration steps, which are described below.

In this section:

  • General purpose FAST Search certificate

  • Query HTTPS certificate

  • Claims certificate

General purpose FAST Search certificate

During initial installation, FAST Search Server 2010 for SharePoint generates a self-signed certificate. The self-signed certificate has a one year expiration date from the time of configuration and is only meant to be used in test environments. There are several limitations to this certificate:

  • Self-signed certificates provide limited security because they cannot be revoked: if the private key is compromised, an attacker can impersonate the server or inject data into connections until the certificate has been replaced on every server.

  • The self-signed certificate cannot be used to enable queries over HTTPS.

  • The self-signed certificate cannot be used to enable administration services over HTTPS.

For production deployments, FAST Search Server 2010 for SharePoint should use certificates issued by an existing public key infrastructure (PKI). Each server in a multiple server FAST Search Server 2010 for SharePoint deployment should have a separate certificate that is issued by a common certification authority (CA).

The following requirements apply to each server certificate:

  • The subject name or subject alternative name (SAN) field must contain the fully qualified domain name (FQDN) of the server that the certificate is issued to. This is required to support queries over HTTPS and administration services over HTTPS.

  • The certificate that is issued to Microsoft SharePoint Server must have the same issuer as the certificates that are issued to servers in the FAST Search Server 2010 for SharePoint deployment.

  • The FAST Search Server 2010 for SharePoint user must have access to the private key of the certificate.
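
The following PowerShell function is an added example, not part of the FAST Search Server 2010 for SharePoint distribution, that checks a certificate in Certificates(Local Computer)\Personal against the three requirements above before its thumbprint is handed to ReplaceDefaultCertificate.ps1. It assumes an elevated shell on the FAST Search server, an RSA private key stored by a legacy CSP under MachineKeys (the usual case for CA-issued certificates on Windows Server 2008 R2), and that the account or group passed as -FastUser is the one FAST Search runs as; the domain, account and issuer names in the usage line are placeholders.

```powershell
# Added example: verify a candidate general purpose FAST Search certificate.
# Returns an empty result when all requirements are met, otherwise a list of problems.
function Test-FastSearchCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$FastUser,   # account or group that runs FAST Search, e.g. 'CONTOSO\fastsvc' (placeholder)
        [string]$ExpectedIssuer                           # optional: issuer DN of the certificate used on SharePoint Server
    )
    $problems = @()
    # Thumbprints copied from the certificate store often carry spaces; normalize to bare hex.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { return @("No certificate with thumbprint $thumb in Certificates(Local Computer)\Personal") }

    # Requirement 1: the server FQDN must appear in the subject CN or in a SAN dNSName entry.
    $fqdn  = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() renders the SAN as e.g. "DNS Name=fast1.contoso.com, DNS Name=fast1"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    if (-not ($names | Where-Object { $_ -ieq $fqdn })) {
        $problems += "Neither the subject CN nor the SAN contains this server's FQDN ($fqdn); found: $($names -join ', ')"
    }

    # Requirement 2: the chain must build to a root in Trusted Root Certification Authorities,
    # and the issuer must match the one used for SharePoint Server. Revocation is not checked
    # here because the CRL distribution point may be unreachable from the search farm.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    if ($ExpectedIssuer -and ($cert.Issuer -ne $ExpectedIssuer)) {
        $problems += "Issuer '$($cert.Issuer)' differs from the SharePoint Server certificate issuer '$ExpectedIssuer'"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires on $($cert.NotAfter) (less than 30 days away)"
    }

    # Requirement 3: the FAST Search account needs read access to the private key file.
    # Only a direct ACL entry for $FastUser is checked; access inherited through group
    # membership is not resolved here.
    if (-not $cert.HasPrivateKey) {
        $problems += 'Certificate has no private key in this store (import the .pfx, not the .cer)'
    } else {
        try { $rsa = $cert.PrivateKey } catch { $rsa = $null }
        if ($rsa -eq $null) {
            $problems += 'Private key is not a CSP key or is not readable by this session; check its ACL manually'
        } else {
            $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') `
                                 $rsa.CspKeyContainerInfo.UniqueKeyContainerName
            $read = [System.Security.AccessControl.FileSystemRights]::Read
            $rule = (Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -ieq $FastUser -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $read) -eq $read)
            }
            if (-not $rule) { $problems += "$FastUser has no Allow/Read entry on private key file $keyFile" }
        }
    }
    return $problems
}

# Usage (placeholder values): an empty result means the certificate is ready for
# ReplaceDefaultCertificate.ps1 -thumbprint.
$issues = Test-FastSearchCertificate -Thumbprint '<certificate thumbprint>' -FastUser 'CONTOSO\fastsvc' `
                                     -ExpectedIssuer 'CN=Contoso Issuing CA, DC=contoso, DC=com'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Certificate meets the FAST Search requirements.' }
```

Run it on every server in the farm, with the same -ExpectedIssuer value, before stopping FAST Search: a failed chain build or an unreadable private key is far cheaper to find now than after the farm has been brought down for the replacement.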

The FAST Search Server 2010 for SharePoint distribution includes a Windows PowerShell script which must be run on each server in the deployment to replace the default self-signed certificate. The script can perform two separate tasks:

  • Create a new self-signed certificate with a one year expiration and configure FAST Search Server 2010 for SharePoint to use the new certificate. See Replace the self-signed certificate with a new self-signed certificate.

  • Configure FAST Search Server 2010 for SharePoint to use an existing certificate that is signed by a certification authority (CA) by supplying the thumbprint of an already installed certificate. See Replace the self-signed certificate with a certificate signed by a certification authority (CA).

Replace the self-signed certificate with a new self-signed certificate

To replace the default self-signed certificate with a new self-signed certificate, follow these steps:

  1. Stop FAST Search Server 2010 for SharePoint on all servers in the farm, including the monitoring service.

  2. On the administration server, follow these steps:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint.

    3. Right-click Microsoft FAST Search Server 2010 for SharePoint shell, and select Run as administrator.

    4. At the command prompt, browse to installer\scripts under the installation folder.

    5. Type the following command:

      .\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true
      
    6. Enter a password for the certificate.

  3. Start FAST Search Server 2010 for SharePoint on the administration server.

  4. On each non-administration server, follow these steps:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint.

    3. Right-click Microsoft FAST Search Server 2010 for SharePoint shell, and select Run as administrator.

    4. At the command prompt, browse to installer\scripts under the installation folder.

    5. Type the following command:

      .\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true
      
    6. Enter the password you defined for the certificate on the administration server.

  5. Start FAST Search Server 2010 for SharePoint on all non-administration servers.

The new self-signed certificate will have a one year expiration date.

If FAST Search Server 2010 for SharePoint is already added as a back-end for Microsoft SharePoint Server, you must also redo the certificate steps in Configure SSL enabled communication under Create and set up the Content Search Service Application (FAST Search Server 2010 for SharePoint) (information in English).

Replace the self-signed certificate with a certificate signed by a certification authority (CA)

To replace the default self-signed certificate with a certificate signed by a certification authority, follow these steps:

  1. Stop FAST Search Server 2010 for SharePoint on all servers in the farm, including the monitoring service.

  2. On each server in the FAST Search Server 2010 for SharePoint farm:

    • Make sure that the new certificate is installed correctly, and that the FAST Search Server 2010 for SharePoint user has access to the private key of the certificate.

      The certificate must be installed under Certificates(Local Computer)\Personal in the certificate store.

      The CA certificate of the certificate must be installed under Certificates(Local Computer)\Trusted Root Certification Authorities.

  3. On the administration server, follow these steps:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint, then right-click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator.

    3. At the command prompt, browse to installer\scripts under the installation folder.

    4. Type the following command:

      .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
      

      You can determine the certificate thumbprint by opening the certificate store (Certificates snap-in, Local Computer) on the local server, locating the certificate, and copying the value of its Thumbprint field without the spaces.

  4. Start FAST Search Server 2010 for SharePoint on the administration server.

  5. On each non-administration server, follow these steps:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint, then right-click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator.

    3. At the command prompt, browse to installer\scripts under the installation folder.

    4. Type the following command:

      .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
      

      You can determine the certificate thumbprint by opening the certificate store (Certificates snap-in, Local Computer) on the local server, locating the certificate, and copying the value of its Thumbprint field without the spaces.

  6. Start FAST Search Server 2010 for SharePoint on all non-administration servers.

The Microsoft SharePoint Server where the Content SSA is running also needs a certificate that is signed by the same CA to feed documents to FAST Search Server 2010 for SharePoint:

  1. Install the certificate on Microsoft SharePoint Server under Certificates(Local Computer)\Personal in the certificate store. The CA certificate of the certificate must be installed under Certificates(Local Computer)\Trusted Root Certification Authorities. The next steps will help set the correct permissions on the certificates.

  2. Copy the script SecureFASTSearchConnector.ps1 from the FAST Search Server 2010 for SharePoint administration server to the SharePoint Server 2010 server which is running the FAST Search connector. The SecureFASTSearchConnector.ps1 script can be found in the installation folder, under \installer\scripts\.

  3. On the SharePoint Server 2010 server that is running the FAST Search connector, follow these steps:

    1. On the Start menu, click All Programs.

    2. Click Microsoft SharePoint 2010 Products.

    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

    4. Browse to the directory where you copied the SecureFASTSearchConnector.ps1 script and run it, replacing the necessary parameters with the values for your environment. The domain and user name should reflect the details of the user running the SharePoint Server Search 14 (OSearch14) service:

      • If you know the thumbprint of your certificate, type the following command:

        .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" -ssaName "name of your content SSA" -username "domain\username"
        
      • If you do not know the thumbprint of your certificate, type the following command:

        .\SecureFASTSearchConnector.ps1 -ssaName "name of your content SSA" -username "domain\username"
        

        This command will return the thumbprint of the available certificates and a prompt asking whether you want to use the suggested certificate.

        Enter y for yes, and then press Enter.

Query HTTPS certificate

The query HTTPS certificate is used to encrypt query traffic. For initial setup, see Enable HTTPS (optional).

Replace the query HTTPS certificate

To replace the query HTTPS certificate, follow these steps on each FAST Search Server 2010 for SharePoint query server:

  1. Import the new server-specific SSL certificate, including its private key, into the certificate store. The certificate must be saved under Certificates(Local Computer)\Personal. Grant the FASTSearchAdministrators group full access to the certificate's private key (Manage Private Keys in the Certificates snap-in).

  2. Delete the previous certificate binding from baseport+286:

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint.

    3. Right click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator.

    4. At the Windows PowerShell command prompt, type the following command(s):

      netsh http delete sslcert ipport=0.0.0.0:<baseport+286>
      

      Where:

      • <baseport+286> is the actual port number (13286 with the default base port of 13000).

  3. Configure the query server to use the new certificate on baseport+286:

    1. At the Windows PowerShell command prompt, type the following command(s):

      netsh http add sslcert ipport=0.0.0.0:<baseport+286> appid={a5455c78-6489-4e13-b395-47fbdee0e7e6} certhash=<Cert_Thumbprint>
      

      Where:

      • <Cert_Thumbprint> is the thumbprint of the new certificate, written as hexadecimal without spaces.

      • <baseport+286> is the actual port number.
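
The two functions below are an added example, not part of the FAST Search Server 2010 for SharePoint distribution, that carry out steps 2 and 3 in one operation and then verify the result by reading the certificate the port actually presents. They assume an elevated FAST Search shell on the query server, the deployment base port passed as -BasePort (13000 by default), the appid shown in the netsh command above, netsh output in English, and that the query service is running so the TLS check can connect; the thumbprint in the usage lines is a placeholder.

```powershell
# Added example: replace the HTTPS binding on baseport+286 and confirm the port serves the new certificate.
function Set-FastQueryHttpsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [int]$BasePort = 13000
    )
    $port  = $BasePort + 286
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $appId = '{a5455c78-6489-4e13-b395-47fbdee0e7e6}'   # appid from the netsh command on this page

    # Check before touching the binding: HTTP.sys accepts a binding to a certificate
    # without a private key, but every handshake on the port then fails.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "Certificate $thumb is not in Certificates(Local Computer)\Personal" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key" }

    # Record the current binding, if any, before deleting it (step 2 of the procedure).
    $current = netsh http show sslcert ipport=0.0.0.0:$port
    $oldHash = $current | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)' |
               ForEach-Object { $_.Matches[0].Groups[1].Value }
    if ($oldHash) {
        Write-Host "0.0.0.0:$port is bound to $oldHash; removing that binding"
        netsh http delete sslcert ipport=0.0.0.0:$port | Out-Null
    }

    # Add the new binding (step 3 of the procedure) and fail loudly if netsh rejects it.
    $result = netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumb appid=$appId
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed: $($result -join ' ')" }
    return $thumb
}

function Test-FastQueryHttpsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedThumbprint,
        [int]$BasePort = 13000
    )
    $port = $BasePort + 286
    $fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $client = New-Object System.Net.Sockets.TcpClient($fqdn, $port)
    try {
        # The validation callback returns $true unconditionally: the goal is to read
        # which certificate the port presents, not to decide whether to trust it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($fqdn)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
    } finally {
        $client.Close()
    }
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($served.Thumbprint -ne $expected) {
        throw "Port $port serves $($served.Thumbprint), expected $expected (old binding still active?)"
    }
    return $served
}

# Usage on each query server (placeholder thumbprint):
$bound = Set-FastQueryHttpsCertificate -Thumbprint '<certificate thumbprint>'
Test-FastQueryHttpsCertificate -ExpectedThumbprint $bound | Format-List Subject, Issuer, NotAfter, Thumbprint
```

The verification step is what the page's netsh commands do not give you: netsh reports that a binding exists, not that the service is actually completing handshakes with the new certificate, and a query server that still presents the expired certificate will break every query from SharePoint Server once the old one lapses.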

In addition, if the new certificate was not signed by the same certification authority (CA) as the previous certificate, you must add the CA certificate to the Microsoft SharePoint Server:

On Microsoft SharePoint Server:

  1. Enable a trust relationship in Microsoft SharePoint Server for the SSL certificate(s) that you created for each FAST Search Server 2010 for SharePoint query server. Do this by importing the public certificate of the signing authority of the SSL Certificate(s) into Microsoft SharePoint Server:

    1. On the Start menu, click All Programs.

    2. Click Microsoft SharePoint 2010 Products.

    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

    4. At the command prompt, type the following command(s):

      $trustCert = Get-PfxCertificate '<SSL_CA_Public_Cert>.cert'
      New-SPTrustedRootAuthority "FASTSearchHostQuerySSLCert" -Certificate $trustCert
      

      Where:

      • <SSL_CA_Public_Cert> is the path to the exported public certificate (no private key) of the certification authority that signed the SSL certificate(s).

Claims certificate

The claims certificate provides claims-based authentication. To replace this certificate, repeat the steps listed under Create a FAST Search Center site (FAST Search Server 2010 for SharePoint) (information in English).

Change history

Date | Description | Reason

February 10, 2011 | 2011/02/07 | Content update

May 12, 2010 | Initial publication |