NAE Client Registration
For registering a NAE client, a certificate is required. The certificate facilitates authentication and communication between CipherTrust Manager and the client.
You can register NAE clients using the following methods:
Using Auto Registration (using an existing certificate)
Auto registration is useful when clients already have certificates from Classic KeySecure, from older versions of CipherTrust Manager, or certificates issued by external CAs.
If you already have one of these certificates, you can use it to register your NAE client. For detailed steps, refer to the section NAE Client Registration using existing Certificates on CipherTrust Manager.
Using Manual Registration
Before proceeding with manual registration, make sure that a client profile has been created on the CipherTrust Manager. The client profile contains the set of properties on the basis of which the NAE client is registered.
NAE clients can be registered manually by creating a new certificate using a local CA on the CipherTrust Manager.
Refer to To Register a new NAE Client for details.
Warning
Client validation will become mandatory for all NAE clients in a future release, leading to deprecation of the following interface modes:
TLS, ignore client cert, allow anonymous logins
TLS, ignore client cert, user must supply password
Therefore, it is recommended not to use the modes listed above.
NAE Client Registration using existing Certificates on CipherTrust Manager
Create a registration token to register NAE clients.
Request
ksctl clientmgmt tokens create --configfile config_example.yaml
Response
{
  "id": "dd8289f4-adbe-412f-9191-320bf2bac847",
  "uri": "kylo:kylo:munshi:tokens:dd8289f4-adbe-412f-9191-320bf2bac847",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2019-12-19T05:52:36.590956451Z",
  "updatedAt": "2019-12-19T05:52:36.590956451Z",
  "token": "RwIgd6RfXd7kzri12ydzoeFXsA2R9ju2YDxMv2xM9duQbqAhcKcyMQO2OpqZesti",
  "valid_until": "0001-01-01T00:00:00Z",
  "max_clients": -1,
  "cert_duration": 730,
  "clients_registered": 0,
  "ca_id": "713172e0-02be-48c2-be60-6aae964ce943",
  "label": null
}
Update the NAE interface for which you want to allow auto registration of NAE clients. For auto registration, the client certificate to be registered must be signed by a CA that the interface trusts. To update the NAE interface, run the ksctl interfaces modify command with the following parameters:
-a (true|false) enables or disables auto registration
-r provides the registration token as input
If -a is set to true, then providing a registration token in -r is mandatory.
Note
A new NAE interface can also be created with the -a and -r parameters.
Request to update the interface with auto registration on:
ksctl interfaces modify -n nae -a true -r RwIgd6RfXd7kzri12ydzoeFXsA2R9ju2YDxMv2xM9duQbqAhcKcyMQO2OpqZesti --configfile config_example.yaml
Response
{
  "id": "54523325-62d0-40d4-a45e-f45b9e1679e7",
  "name": "nae",
  "mode": "tls-cert-pw-opt",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "kylo:kylo:naboo:localca:713172e0-02be-48c2-be60-6aae964ce943",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:713172e0-02be-48c2-be60-6aae964ce943"
    ]
  },
  "createdAt": "2019-12-13T03:27:28.767622Z",
  "updatedAt": "2019-12-19T05:55:26.362558Z",
  "default_connection": "local_account",
  "port": 5696,
  "network_interface": "all",
  "interface_type": "nae",
  "minimum_tls_version": "tls_1_2",
  "local_auto_gen_attributes": {
    "cn": "nae.keysecure.local",
    "email_addresses": [
      "support@gemalto.com"
    ],
    "names": [
      {
        "C": "US",
        "ST": "MD",
        "L": "Belcamp",
        "O": "Gemalto",
        "OU": ""
      }
    ],
    "generated": false
  },
  "auto_registration": true,
  "registration_token": "RwIgd6RfXd7kzri12ydzoeFXsA2R9ju2YDxMv2xM9duQbqAhcKcyMQO2OpqZesti"
}
Note
The cert_user_field specifies how the user name is extracted from the client certificate. The default value is CN. This parameter must be one of the following:
CN: common name
OU: organizational unit
SN: surname
E: email address
UID: user ID
E_ND: email without domain; the data to the left of the @ sign in the email address is taken as the user name
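The following is an added example, not part of the CipherTrust Manager documentation, that shows how a user name is derived from a certificate subject for each cert_user_field value. It takes the subject as an RFC 4514 DN string (as printed by `openssl x509 -noout -subject -nameopt RFC2253`) and assumes that OpenSSL's `emailAddress` attribute corresponds to the page's `E`; the sample subject is constructed.

```python
# Added example, not from the CipherTrust Manager docs: derive the user name from a
# client certificate subject the way cert_user_field describes. The subject is given
# as an RFC 4514 DN string (e.g. `openssl x509 -noout -subject -nameopt RFC2253`).
import re

# cert_user_field value -> DN attribute type that carries the user name
# (assumption: OpenSSL's "emailAddress" / "E" attribute is the page's "E")
FIELD_TO_ATTR = {"CN": "CN", "OU": "OU", "SN": "SN", "UID": "UID",
                 "E": "emailAddress", "E_ND": "emailAddress"}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def parse_dn(dn):
    """Parse 'CN=admin,OU=ops,O=Example' into an ordered list of (type, value)."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip(), value.replace("\\,", ",").strip()))
    return pairs


def user_name_from_subject(dn, cert_user_field="CN"):
    """Return the user name the interface would take from this subject, or None."""
    if cert_user_field not in FIELD_TO_ATTR:
        raise ValueError("unsupported cert_user_field: %r" % cert_user_field)
    wanted = FIELD_TO_ATTR[cert_user_field].upper()
    aliases = {wanted, "E"} if wanted == "EMAILADDRESS" else {wanted}
    values = [v for a, v in parse_dn(dn) if a.upper() in aliases]
    if len(values) != 1:
        # absent, or several values (e.g. multiple OUs): refuse to guess the identity
        return None
    if cert_user_field == "E_ND":
        return values[0].split("@", 1)[0]  # data to the left of the @ sign
    return values[0]


# Constructed sample subject; not a real certificate
SAMPLE_DN = "emailAddress=alice@example.com,CN=alice,OU=appteam,O=Example,C=US"
```

Running it against a subject that lacks the selected attribute, or carries it more than once, returns None rather than a guessed identity, which is the case to watch for when choosing a field other than CN.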
Connect to the NAE interface using the client certificate you want to register. The NAE client corresponding to that certificate is registered automatically.
Note
The auto registration is only supported for the following interface modes:
TLS, verify client cert, allow anonymous logins
TLS, verify client cert, user must supply password
TLS, verify client cert, user name taken from client cert, auth request is optional
TLS, verify client cert, password is needed, user name in cert must match user name in authentication request
To Register a new NAE Client
Create a JSON file to specify the profile properties. You can create an NAE client profile using:
Ingrian Properties
csr parameters
profile.json: This file is the user input to the CLI for providing the profile parameters.
Note
The name profile.json is only a placeholder; you can choose any name for this file.
**Ingrian Properties Explanation**
Symmetric Cache Enabled: Determines whether symmetric key caching is enabled. If set to true, the client can use symmetric keys locally. The default value is false.
Symmetric Cache Expiry (in msec): The minimum amount of time that a key remains in the client key cache; after this period a cached symmetric key can be removed from the cache. If set to 0, keys are never purged from the client cache. The default value is 43200 msec.
Persistent Cache Expiry (in msec): Duration after which a key expires from the persistent cache. The default value is 43200 msec.
Connection Timeout (in msec): Determines how long the client waits for a connection to be established with the CipherTrust Manager before timing out. The default value is 10000 msec.
Read Timeout (in msec):
**CSR Parameters Explanation**
cert_user_field: Specifies how the user name is extracted from the client certificate. The default value is CN. See the cert_user_field note in the auto registration section above for the allowed values.
Note
After registering the new NAE client, the cert_user_field setting of the profile is used instead of the setting present in the interface.
csr_cn: Common Name used to create the CSR.
csr_org_name: Organization name to be used in the CSR.
csr_uid: User ID used to create the CSR.
csr_org_unit: Organizational unit to be used in the CSR.
csr_email: Email address to be used in the CSR.
csr_city: City name to be used in the CSR.
csr_state: State name to be used in the CSR.
csr_country: Country name to be used in the CSR.
csr_sn: Surname to be used in the CSR.
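As an added example covering both the Ingrian properties and the CSR parameters above (it is not the documentation's own tooling), the following Python builds the profile.json file and checks, before it is handed to ksctl, that the CSR field cert_user_field points at is actually populated, so the issued certificate carries the intended user name. It assumes the file uses the same snake_case keys that appear under "properties" in the profiles create response.

```python
# Added example, not from the CipherTrust Manager docs: build profile.json for
# `ksctl protectapp profiles create --profile-prop` and check that the CSR field
# cert_user_field points at is populated. Assumption: same keys as the response.
import json

# cert_user_field value -> CSR property that must carry the user name
USER_FIELD_SOURCE = {"CN": "csr_cn", "OU": "csr_org_unit", "SN": "csr_sn",
                     "E": "csr_email", "E_ND": "csr_email", "UID": "csr_uid"}

# Defaults as stated in the property explanations on this page (msec values)
DEFAULTS = {"cert_user_field": "CN", "symmetric_cache_enabled": False,
            "symmetric_cache_expiry": 43200, "connection_timeout": 10000}


def build_profile(**overrides):
    """Return a profile dict: page defaults plus caller-supplied properties."""
    profile = dict(DEFAULTS)
    profile.update(overrides)
    return profile


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile is usable."""
    problems = []
    field = profile.get("cert_user_field", "CN")
    if field not in USER_FIELD_SOURCE:
        problems.append("cert_user_field %r is not one of %s" % (field, sorted(USER_FIELD_SOURCE)))
    else:
        src = USER_FIELD_SOURCE[field]
        if not profile.get(src):
            # an empty source field means the issued certificate carries no usable identity
            problems.append("cert_user_field=%s but %s is empty" % (field, src))
        if field in ("E", "E_ND") and "@" not in (profile.get("csr_email") or ""):
            problems.append("csr_email needs an @ sign when cert_user_field is %s" % field)
    for key in ("symmetric_cache_expiry", "connection_timeout"):
        val = profile.get(key)
        if isinstance(val, bool) or not isinstance(val, int) or val < 0:
            problems.append("%s must be a non-negative integer (msec)" % key)
    return problems


def write_profile(path, profile):
    """Validate, then write the JSON file that ksctl reads; raise on any problem."""
    problems = validate_profile(profile)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
    return path
```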
Create the nae profile using the json file created in step 1.
Request
ksctl protectapp profiles create --profile-name 123 --profile-prop ~/profile.json
Response
{
  "id": "fb882a85-0e92-4c6f-8503-75c7d48d8a90",
  "uri": "kylo:kylo:nae:profile:123",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2022-11-28T07:07:10.833729699Z",
  "name": "123",
  "updatedAt": "2022-11-28T07:07:10.833729699Z",
  "nae_iface_name": "",
  "owner": "ncryptify:gemalto:admin:users:admin",
  "properties": {
    "cert_user_field": "CN",
    "csr_email": "",
    "csr_sn": "",
    "csr_state": "",
    "csr_org_name": "",
    "csr_org_unit": "",
    "csr_country": "",
    "csr_city": "",
    "csr_cn": "admin",
    "symmetric_cache_enabled": false,
    "verify_ssl_certificate": false,
    "syslog_server_ip": "",
    "syslog_server_port": 514,
    "syslog_server_protocol": "tcp_ok",
    "syslog_no_of_retries": 3,
    "syslog_retry_interval": 1,
    "syslog_retry_limit": 2,
    "use_persistent_connections": true,
    "size_of_connection_pool": 300,
    "load_balancing_algorithm": "round-robin",
    "connection_idle_timeout": 600000,
    "connection_retry_interval": 600000,
    "cluster_synchronization_delay": 170,
    "cert_file_location": "",
    "credentials_encrypted": false,
    "asymmetric_key_cache_enabled": false,
    "persistent_cache_enabled": false,
    "persistent_cache_directory": "",
    "persistent_cache_expiry_keys": 43200,
    "persistent_cache_max_size": 100,
    "log_level": "medium",
    "log_file": "",
    "log_rotation": "Daily",
    "log_size_limit": "100k",
    "key_non_exportable_policy": true,
    "symmetric_cache_expiry": 43200,
    "pcache_cache_expiry": 43200,
    "connection_timeout": 60000,
    "read_timeout": 7000,
    "impersonated_users": [
      "admin"
    ],
    "csr_uid": ""
  }
}
Create a registration token using the profile created in the previous step.
Note
The client registration is not allowed through an external CA.
Request
ksctl clientmgmt tokens create --ca_id 679994cb-d551-425c-b46a-bda9c3d8630b --label '{"ClientProfile": "123"}'
Note
The profile_name is required and must be present in the system before creating a registration token.
Response
{
  "id": "b58815a7-ab0c-42b4-ae65-611c791a69f8",
  "uri": "kylo:kylo:munshi:tokens:b58815a7-ab0c-42b4-ae65-611c791a69f8",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2022-11-28T07:20:39.215478Z",
  "updatedAt": "2022-11-28T07:20:39.215478Z",
  "token": "fIsQt1gUt6tqfY5zypLkSnYpMJ0cLloPhkus9PUSSr7btPiI62yamB0QJqo23XMI",
  "valid_until": "0001-01-01T00:00:00Z",
  "max_clients": -1,
  "cert_duration": 730,
  "clients_registered": 0,
  "ca_id": "679994cb-d551-425c-b46a-bda9c3d8630b",
  "label": {
    "ClientProfile": "123"
  }
}
Register the new NAE client using the registration token generated in the previous step. Also, add the IngrianNAE.properties file in the root (/) directory.
Request
ksctl protectapp register --name testDemo -t v9W6l79y2ACpOSfg2xrGUVSLrb9jI36oc06zCZHRHuq6jamAcOzzGCTsRh7rVhkg -c protectappjce
Response
Client Registration Successful
Use the client certificate and client private key to connect with the server.
See the client validation topic for the NAE interface for details.
User Impersonation
The CipherTrust Manager allows a client to impersonate a user, meaning the client can connect to the CipherTrust Manager as that user without providing the user's credentials, on the NAE and KMIP interfaces. By default, user impersonation is limited to users of the client's domain (the domain where the client is registered). Hence, user impersonation applies only to users created in the client's domain or to assigned users (users created in the client's domain and assigned to some other domain).
If you set the ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN property to true, clients belonging to the root domain are allowed to impersonate users created within sub-domains. The property applies only to the NAE and KMIP interfaces. The default value of this property is false.
ksctl properties modify --name ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN --value true