Import SSL certificates and check for software updates

Import SSL certificates

All BeyondTrust software communication occurs via secure, encrypted connections. These rely on the industry standard Secure Sockets Layer (SSL) technology and DNS address of the B Series Appliance.

While the default B Series Appliance certificate secures all connections on all IP addresses, the BeyondTrust client software requires more rigorous validation checks than standard web browsers. Before BeyondTrust can provide you with the complete software licensing package, your B Series Appliance must have a valid SSL certificate installed that matches the DNS A-record you have registered for your B Series Appliance.

Certificate requirements

Valid SSL certificates can be either certificate authority-signed (CA-signed) or self-signed. A CA-signed certificate is required to access all of BeyondTrust's functionality (e.g., click-to-chat and mobile clients).

• To receive a CA-signed certificate, a certificate signing request (CSR) must be submitted to a certificate authority.
• The CA-signed certificate must be downloaded from the certificate authority's web site (or certificate purchase email) and imported to the B Series Appliance from the /appliance interface.

In addition to the CA certificate request feature, BeyondTrust includes functionality for obtaining and automatically renewing its own TLS certificates from the open Certificate Authority Let's Encrypt.

Create a new certificate

The guide above describes the steps for initial configuration in detail. An overview of the process is given below.

1. Log into the BeyondTrust /appliance interface, and create a certificate signing request (CSR) or self-signed certificate.

   ℹ️

   Note

   If the B Series Appliance will be using a copy of the certificate from another B Series Appliance or server, no CSR or self-signed certificate is necessary. Instead, export the certificate with its private key from the system on which it currently resides and import it to the B Series Appliance.

2. Assign the new certificate to the IP address(es) of the B Series Appliance.

3. Send BeyondTrust Technical Support a copy of the SSL root certificate and/or B Series Appliance DNS address.

   ℹ️

   Note

   If a self-signed certificate is used, the certificate serves as its own root certificate, and therefore, the self-signed certificate should be sent to BeyondTrust Technical Support. If a CA-signed certificate is used, contact the CA for a copy of their root certificate. If you have trouble contacting the CA, you can find articles to assist with obtaining your root certificate. In either case, BeyondTrust Technical Support will need to know the DNS address of the B Series Appliance. If your DNS address is public and the SSL certificate is already installed, Support can retrieve a copy of the root from the public DNS address; in this case, it is not necessary to manually send the root certificate.

Once the above steps are complete, BeyondTrust Technical Support encodes the DNS hostname and SSL root certificate into a new software licensing package, sends it to the BeyondTrust licensing servers for building, and then sends you instructions to install the newly-built package once it is complete.

Send appliance information to Support

The BeyondTrust Technical Support encodes your B Series Appliance's DNS hostname and SSL root certificate into the software.

Once you have configured your hostname, created a signed SSL Certificate, and accessed the /appliance interface during network configuration, send BeyondTrust Technical Support the items listed below.

1. DNS hostname (fully qualified domain name) of the B Series Appliance (e.g., appliance.example.com).
2. SSL root certificate or self-signed SSL certificate. This is obtained from the /appliance > Security > Certificates page. Export the certificate portion with matching Issued To and Issued By fields.
3. Screenshot of the /appliance > Status > Basics page.

BeyondTrust Technical Support now builds your complete software package and registers your appliance for future updates.

Check for software updates

B Series Appliance updates are installed from the /appliance web interface on the Updates page. Each update must be built by BeyondTrust and is keyed to the serial number of the B Series Appliance for which it was built. For this reason, the B Series Appliance must be registered in order to check for updates.

⚠️

Important

Ensure you have sent BeyondTrust Technical Support the following items to receive your Base Software and/or software licensing updates:

1. DNS hostname (fully qualified domain name) of the B Series Appliance
2. SSL root certificate or self-signed SSL certificate
3. Screenshot of the /appliance > Status > Basics page

Once BeyondTrust has built an update for your B Series Appliance, you will receive a notification email. Follow the steps below to install and update your appliance.

1. Go to /appliance > Updates. Retrieve the update using either Updates :: Check > Check for Updates or Updates :: Manual Installation > Appliance Download Key.

   ℹ️

   Note

   The Check for Updates option can be used only if the B Series Appliance has outbound access over TCP port 443 to btupdate.com. Manual installation does not require this connection.

2. Once the check is complete, all available updates matching the serial number of your B Series Appliance will be listed in the /appliance web interface. There are two types of updates:

   • Updates for /login licensing (always shown in the format of BeyondTrust-x.x.x)
   • Updates for /appliance Base Software (always shown in the format of Base Software x.x.x)

   If no update packages or patches are available for your B Series Appliance, a message stating No updates available is displayed. If an update is available but an error occurred when distributing the update to your B Series Appliance, an additional message is displayed, such as, An error occurred building your update. Please visit beyondtrust.com/support for more information.

   The B Series Appliance Base Software includes features and patches for the /appliance interface, and in some cases includes the required code for new licensing updates. In cases where a Base Software update is required prior to a licensing update, the BeyondTrust update interface lists the correct order in which to install each update. If you are still unsure, take a screenshot of your available updates and send the screenshot to BeyondTrust Technical Support for assistance.

3. Once installation is complete, the B Series Appliance is ready to be used. Access the /login interface at your B Series Appliance's URL followed by /login (e.g., appliance.example.com/login).

4. If this is your first time logging in, use the following credentials:

   • Default Username: admin
   • Default Password: password

   You are prompted to change your password.

5. After logging in, you can validate your software licensing configuration on the Status > Information page, add user accounts on Users & Security > Users, and download client software from My Account. Because BeyondTrust Secure Remote Access is licensed by number of endpoints allowed, you can set up as many accounts as you need, each with unique usernames and passwords.

For security purposes, the administrative username and password used for the /appliance interface are distinct from those used for the /login interface and must be managed separately. Usernames and passwords for /login are valid for both the /login interface (where users and configuration are managed) and for consoles (where sessions are run). The options available in both of these locations are dependent upon the permissions assigned by the /login administrator to each user's account.