The internal Public Key Infrastructure (PKI) at one of my customers is going to change in a few weeks, with new private keys as well.
What does that mean for my encrypted NetScaler Native OTP attributes? You have to re-encrypt (decrypt followed by encrypt) all of your users' OTP Active Directory attributes so that the NetScaler is still able to read and write them for a successful OTP authentication. The other option is to let all users create new tokens themselves – quite a bad idea, isn't it?
There's already a description at Citrix Docs; I just want to add some missing details in this post.
As already mentioned in the Citrix docs, don't install python and pip3 on your NetScaler. I used my MacBook, but any other Linux OS works as well. The machine only needs a connection to your Domain Controller (a connection to your NetScaler isn't necessary, the script talks directly to your Active Directory).
It's important to copy the OTP Encryption Tool (located at /var/netscaler/otptool) from a recent 13.1 build; older ones (13.0 or 12.1) sometimes contain syntax issues and you will never get a running configuration.
The Python packages to install with pip are the ones listed in the tool's requirements.txt.
The certificates (old and new) must contain both the certificate and the associated private key in PEM or MERGED format (PFX is not supported). In my case, it worked without issues when I created a MERGED file. You can simply create one from your CERT and (unencrypted) KEY file:
cat certificate.cert certificate.key > certkey.merged
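As an added example (not part of the original post or of the Citrix tool), a small Python check that a MERGED file really contains a certificate block and an unencrypted private key block before you hand it to the tool. The PEM bodies below are constructed placeholders, not real key material, and the function name check_merged_pem is my own:

```python
import re

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...) and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample of a MERGED file as produced by `cat cert key > certkey.merged`:
# certificate first, then an unencrypted PKCS#8 key. Bodies are placeholders.
SAMPLE_MERGED = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUplaceholder
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQplaceholder
-----END PRIVATE KEY-----
"""

# Constructed sample with a passphrase-protected legacy key (Proc-Type header) - not usable.
SAMPLE_ENCRYPTED = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUplaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

placeholder
-----END RSA PRIVATE KEY-----
"""


def check_merged_pem(text):
    """Return a list of problems found in a MERGED file; an empty list means it looks usable."""
    if "-----BEGIN " not in text:
        # PFX/DER is binary, so no PEM markers at all: convert with openssl first.
        return ["not PEM-encoded (PFX/DER is not supported)"]
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    key_blocks = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not key_blocks:
        problems.append("no PRIVATE KEY block")
    for label, body in key_blocks:
        # PKCS#8 encrypted keys use a distinct label; legacy keys carry a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{label} block is encrypted; export the key without a passphrase")
    return problems


def check_merged_file(path):
    """Convenience wrapper: read a MERGED file from disk and run the checks on it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return check_merged_pem(fh.read())


if __name__ == "__main__":
    for name, sample in (("certkey.merged (ok)", SAMPLE_MERGED), ("encrypted key", SAMPLE_ENCRYPTED)):
        print(name, "->", check_merged_pem(sample) or "looks usable")
```

Run check_merged_file("OTPEncryption.merged") and check_merged_file("OTPEncryption2024.merged") on both files before the first test run; it only validates the PEM framing, not that the key actually belongs to the certificate.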
I recommend testing on a test group first, so the commands should look like this:
# replace 10.10.10.10 with your preferred Domain Controller
# replace firstname.lastname@example.org with your AD user (which has read and write access to the OTP AD attribute)
# replace search_base with your Active Directory DN
# replace search_filter with your Active Directory group DN
# replace source_attribute with your chosen OTP AD attribute
# replace OTPEncryption with your currently bound userDataEncryptionKey certificate
# replace OTPEncryption2024 with your new userDataEncryptionKey certificate

# Filter on a group:
python3 main.py -Host 10.10.10.10 -Port 636 -username email@example.com -search_base DC=contoso,DC=local -search_filter "(&(objectClass=user)(memberOf=CN=Testgroup1,OU=Groups,DC=sw,DC=contoso,DC=local))" -source_attribute CitrixOTP -operation 2 -cert_path OTPEncryption.merged -new_cert_path OTPEncryption2024.merged

# Filter on a group with nested groups support (the matching rule OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which resolves membership transitively):
python3 main.py -Host 10.10.10.10 -Port 636 -username firstname.lastname@example.org -search_base DC=contoso,DC=local -search_filter "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Testgroup1,OU=Groups,DC=sw,DC=contoso,DC=local))" -source_attribute CitrixOTP -operation 2 -cert_path OTPEncryption.merged -new_cert_path OTPEncryption2024.merged
You get some information about the fetched, modified and not modified user attributes. Not modified can simply mean a user who hasn't enrolled for NetScaler OTP – so the AD attribute is empty.
A log file called app.log is created at runtime, where you can verify every entry. Here's an example for a successfully modified user:
29-Feb-23 15:35:10 - root - INFO [upgrade_cert.py:220-convert_to_json_and_store() ] - Update successful for CN=Julian Jakob,OU=Users,OU=Test,DC=contoso,DC=local
29-Feb-23 15:35:10 - root - INFO [upgrade_cert.py:102-traverse_entries() ] - updation successful for the user CN=Julian Jakob,OU=Users,OU=Test,DC=contoso,DC=local
29-Feb-23 15:35:10 - root - INFO [upgrade_cert.py:132-decrypt_and_update() ] - verifying if the encryption is intact
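An added Python example, not part of the original post or of the otptool itself, that serves two purposes: it builds the three -search_filter variants used in this post (all users, direct group members, transitive members via the Active Directory matching rule OID 1.2.840.113556.1.4.1941), and it summarizes an app.log into the DNs that were updated successfully and the DNs that show up in WARNING/ERROR lines, so a large run can be reviewed without reading every line. The log sample is constructed from the format shown above; the ERROR line and its wording are hypothetical, since the tool's failure messages are not shown on this page, which is why the parser keys only on the log level and the DN. The function names are my own:

```python
import re

# Active Directory matching rule for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def build_user_filter(group_dn=None, nested=False):
    """Return the -search_filter value: all users, direct members, or transitive members of group_dn."""
    if group_dn is None:
        return "(&(objectClass=user))"
    if nested:
        return f"(&(objectClass=user)(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={group_dn}))"
    return f"(&(objectClass=user)(memberOf={group_dn}))"


# One app.log line: "<date> <time> - <logger> - <LEVEL> [<file:line-func()> ] - <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<logger>\S+) - (?P<level>[A-Z]+) "
    r"\[(?P<where>[^\]]+)\] - (?P<msg>.*)$"
)
# The DN is always the tail of the message when one is present.
DN_RE = re.compile(r"(CN=.+)$")

# Constructed sample; the first three lines follow the real format shown in the post,
# the ERROR line is hypothetical (the tool's failure wording is not shown on this page).
SAMPLE_LOG = """29-Feb-23 15:35:10 - root - INFO [upgrade_cert.py:220-convert_to_json_and_store() ] - Update successful for CN=Julian Jakob,OU=Users,OU=Test,DC=contoso,DC=local
29-Feb-23 15:35:10 - root - INFO [upgrade_cert.py:102-traverse_entries() ] - updation successful for the user CN=Julian Jakob,OU=Users,OU=Test,DC=contoso,DC=local
29-Feb-23 15:35:10 - root - INFO [upgrade_cert.py:132-decrypt_and_update() ] - verifying if the encryption is intact
29-Feb-23 15:35:11 - root - ERROR [upgrade_cert.py:140-decrypt_and_update() ] - decryption failed for the user CN=Test User,OU=Users,OU=Test,DC=contoso,DC=local
"""


def summarize_app_log(text):
    """Return (successful_dns, dns_in_warning_or_error_lines, unparsed_line_count)."""
    successful, errors, unparsed = [], [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1          # anything not in the known format is counted, not dropped silently
            continue
        dn = DN_RE.search(m["msg"])
        if m["level"] == "INFO" and m["msg"].startswith("Update successful for ") and dn:
            successful.append(dn.group(1))
        elif m["level"] in ("WARNING", "ERROR") and dn:
            errors.append(dn.group(1))
    return successful, errors, unparsed


def summarize_app_log_file(path="app.log"):
    """Read app.log from disk and summarize it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return summarize_app_log(fh.read())


if __name__ == "__main__":
    group = "CN=Testgroup1,OU=Groups,DC=sw,DC=contoso,DC=local"
    print(build_user_filter())
    print(build_user_filter(group))
    print(build_user_filter(group, nested=True))
    ok, bad, skipped = summarize_app_log(SAMPLE_LOG)
    print(f"updated: {len(ok)}  with errors: {len(bad)}  unparsed lines: {skipped}")
    for dn in bad:
        print("check manually:", dn)
```

After a real run, compare the number of successful DNs with the "modified" count the tool prints, and look at every DN in the error list before you unbind the old certificate on the NetScaler.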
After your first successful tests, you can run the tool against the whole Active Directory without a group restriction in the search filter:
python3 main.py -Host 10.10.10.10 -Port 636 -username email@example.com -search_base DC=contoso,DC=local -search_filter "(&(objectClass=user))" -source_attribute CitrixOTP -operation 2 -cert_path OTPEncryption.merged -new_cert_path OTPEncryption2024.merged
As a last step, don't forget to unbind your old certificate and bind the new one on the NetScaler for the encryption process:
unbind vpn global -userDataEncryptionKey OTPEncryption
bind vpn global -userDataEncryptionKey OTPEncryption2024
I hope this post saves you some time struggling with the correct usage of the OTP Encryption Tool.