Zones for ZoneRestrictor are configured under Usage Configurations > ZoneBuilder.
Certificates used by ZoneBuilder and ZoneRestrictor, referred to as Zone certificates, can either (A.) be created automatically by the solution or (B.) be required to be issued by your own CA.
Note that the Trusted IP Zone, which is often used to select trusted machines, is established in the SafeConsole Configurator. Zones established for ZoneRestrictor and ZoneBuilder are first initialized based on IP and then rely on certificate trust. To cover multiple subnets, please consult the KB article Multiple subnets...
A. Using automatic self signed certificates
ZoneRestrictor - Restrict login to the trusted IP zone
1. Allow unlock both inside and outside the trusted IP zone, but require a Zone certificate to be present
If the device is unlocked on a machine within the trusted IP zone where no issued certificate is installed, it will automatically generate a self-signed Zone certificate and trust it. The machine/user account and device must be initialized within the trusted IP zone and be connected to SafeConsole before being used outside the trusted IP zone.
2. Allow unlock only with a SafeConsole connection established
If Require live connection to SafeConsole is activated in SafeConsole, the device will rely on receiving Zone information directly from SafeConsole. This means that devices must have a connection to SafeConsole to be able to unlock.
B. Requiring certificates from own CA
You can configure ZoneBuilder and ZoneRestrictor with individual certificates issued by an internal CA for the most granular control. The following items must be performed to achieve this:
- Obtain a CA certificate
- Configure ZoneBuilder in SafeConsole with the CA certificate
- Configure SafeConsole trusted zone IP address filter
- Generate one or more client certificates issued by the CA
- Install the client certificates on machines where the devices are to be allowed
- Authenticate to a device (unlock it) on a machine with an installed client certificate
Detailed steps using your own CA
1. Obtain a CA certificate
If you don't have your own CA, a knowledgeable user can generate one with OpenSSL by following these steps:
- Generate a CA using the following commands:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
and provide all relevant information such as company name etc.
2. Configure ZoneBuilder in SafeConsole
- Log into SafeConsole with an account in the SafeConsole Administrators group
- Go to Installed Certificates
- Add the ca.crt file to the certificates (don't provide a password)
- Go to ZoneBuilder configuration under Configuration Overview
- Check Allow devices to be automatically unlocked and select the CA certificate
- Check Restrict Login to the trusted zone and click Apply
3. Configure Trusted Zone IP address filter
Launch the SafeConsole Configurator (SafeConsole install folder) and enter an IP address filter in the access settings page. Devices can only be paired with a certificate on a computer within this zone.
4. Generate client certificates
Either issue client certificates directly to the relevant machines using Microsoft Certificate Services (please see Microsoft documentation) or use the following OpenSSL commands (these require that you already followed the steps to create a CA above):
openssl genrsa -out ia.key 2048
openssl req -new -key ia.key -out ia.csr
openssl x509 -req -days 1826 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
and provide all relevant information such as company name etc. It is advisable to use a descriptive subject, such as: secret-office-zone.organization.org
This will generate the file ia.p12; you can replace ia with any name of your choice, which lets you repeat the steps to generate more certificates for multiple zones.
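The CA and client certificate steps from sections 1 and 4 above, as an added non-interactive script (not part of this KB article or the SafeConsole product) that also verifies each issued Zone certificate chains to the CA. The organization, subject names, file names and export password are placeholders; it uses -CAcreateserial instead of the fixed -set_serial 01 so that a second zone certificate does not reuse the first one's serial number.

```shell
#!/bin/sh
# Added example: non-interactive OpenSSL workflow for SafeConsole Zone
# certificates. Assumes openssl is on PATH; all names are placeholders.
set -eu

# create_zone_ca DIR CN: 2048-bit RSA key and 10-year self-signed CA cert
create_zone_ca() {
  dir=$1; cn=$2
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/O=Example Org/CN=$cn"
}

# issue_zone_cert DIR NAME CN PASS: key, CSR, CA-signed cert (5 years) and
# PKCS#12 bundle. -CAcreateserial keeps a ca.srl counter so every zone
# certificate gets a unique serial number.
issue_zone_cert() {
  dir=$1; name=$2; cn=$3; pass=$4
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/O=Example Org/CN=$cn"
  openssl x509 -req -days 1826 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$name.crt" 2>/dev/null
  openssl pkcs12 -export -out "$dir/$name.p12" -inkey "$dir/$name.key" \
    -in "$dir/$name.crt" -chain -CAfile "$dir/ca.crt" -passout "pass:$pass"
}

# verify_zone_cert DIR NAME: exit 0 only if NAME.crt chains to ca.crt
verify_zone_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_serial DIR NAME: print the certificate serial (hex) for a uniqueness check
cert_serial() {
  openssl x509 -in "$1/$2.crt" -noout -serial | sed 's/^serial=//'
}

# demo_zone_certs: one CA and two zone certificates in a temp directory
demo_zone_certs() {
  work=$(mktemp -d)
  create_zone_ca "$work" "Zone CA"
  issue_zone_cert "$work" office secret-office-zone.organization.org changeit
  issue_zone_cert "$work" lab lab-zone.organization.org changeit
  verify_zone_cert "$work" office && verify_zone_cert "$work" lab
  echo "Zone certificates written to $work"
}

case "${1:-}" in run) demo_zone_certs ;; esac
```

Run it as `sh zone-certs.sh run`; the resulting NAME.p12 files are what step 5 installs on each machine.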
5. Install the client ZoneRestrictor certificates on machines
Start with the machine where you will initialize the devices; this requires a connection to SafeConsole. Devices that have been initialized can be unlocked on offline machines that have the same certificate present, but they must be initialized on a machine connected to SafeConsole:
- Copy the ia.p12 file to that machine and run it.
- Accept the prompts in the import wizard.
- Remove the ia.p12 file from this machine to prevent further unauthorized distribution of the certificate.
- Repeat the steps on all machines and user accounts where you want to allow the device to be used.
Setting up multiple zones
There are two options available:
- Use another machine as an "initialization machine" and install another client certificate on this machine
- Remove the current certificate from the certificate store (using Internet Options > Content > Certificates in Internet Explorer or the Control Panel) and then install a second certificate before initializing a new device. This way you can alternate between the zones a device should be coupled to.
6. Initialize and link a device to the Zone certificate
To trust a certificate, simply plug in a device and unlock it on a computer where the Zone client certificate is installed and that is in the trusted IP address range configured in SafeConsole. The device must have a connection to SafeConsole on first use; this allows it to become managed. Once the device is unlocked on this machine, it will not be possible to unlock it on machines outside the trusted IP address zone unless a ZoneRestrictor certificate is installed on the machine (and user account) where the device is used.
It is possible to allow a device in multiple zones by unlocking it on other machines in the trusted IP zone while connected to SafeConsole with the preferred Zone certificate present.