Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Advanced Topics

Configure TLS for use with CipherTrust Vaultless Tokenization (CT-VL)

search

Please Note:

printsuggest an edit

Configure TLS for use with CipherTrust Vaultless Tokenization (CT-VL)

Authentication can be done using server authentication or using client authentication. The end user can do either, both, or none of them.

Users can configure TLS in one of the following ways:

copy link to clipboardSetting up SSL using Default Setting

copy link to clipboardCT-VL Server Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the server{} object commands:

    • sslmode: Default. Indicates trust only a standard valid certificate issued by a Certificate Authority (CA). If the certificate is expired, self-signed, or invalid, communication with the CT-VL server fails. The other ssl-mode values available for CT-VL server authentication are Allow-All and Specify_SSL_Cert. Refer to Configuring TLS for details.

    • VerifyHostName: By default, it is set to true to enable hostname verification for SSL communication.

copy link to clipboardCT-VL Client Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the client{} object commands:

    • sslmode: Default. Indicates client authentication is disabled. No need to send client identity. The other ssl-mode values available for CT-VL client authentication are Allow-All and Specify_SSL_Cert. Refer to Configuring TLS for details.

    • Keystore: Client keystore file path. This assumes a keystore has already been created; for example, using keytool.

    • storepassword: Client keystore file password.

    • keypassword: Client's key password.

copy link to clipboardSetting up SSL using Allow-All Setting

User can opt for server and client authentication by configuring bdt.config.

Perform the following steps to set up SSL for secure communication between the BDT utility and the CipherTrust Vaultless Tokenization (CT-VL) using all trust certificates:

copy link to clipboardCT-VL Server Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the server{} object commands:

    • sslmode: Select Allow-All. Indicates Trust all certificates; no trust policy is defined. Any kind of SSL certificate is acceptable, including valid, expired, self-signed, or any other. The truststore setting is not required.

    • VerifyHostName: By default, it is set to true to enable hostname verification for SSL communication.

copy link to clipboardCT-VL Client Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the client{} object commands:

    • sslmode: Select Allow-All. Indicates client authentication is disabled and there is no need to send client identity.

      When passing sslmode as ALLOW_ALL, you don't need to configure following 3 params:

      • Keystore: Client keystore file path. This assumes a keystore has already been created; for example, using keytool.

      • storepassword: Client keystore file password.

      • keypassword: Client's key password.

copy link to clipboardSetting up SSL using Specify_SSL_Cert Setting

Perform the following steps to set up SSL for secure communication between the BDT utility and the CipherTrust Vaultless Tokenization (CT-VL) using valid certificates:

copy link to clipboardCT-VL Server Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the server{} object commands:

    • sslmode: Select Specify_SSL_Cert. Indicates trust standard certificates and certificates stored in the provided trust store (specified in the truststore setting). Use to accept self-signed and expired certificates.

    • VerifyHostName: By default, it is set to true to enable hostname verification for SSL communication. Set to "false" to disable hostname verification.

    • truststore: Truststore file path. To set up the truststore:

      • Get the server's public certificate. If not available, open the VTS URL in a browser and export it from the Security option.

      • Import the certificate and create the truststore. Use the following command, it will output the truststore password.

        keytool -import -alias "vts host certificate" -file server.crt -keystore server.truststore

        Important: Note this password. You need to provide it in the password parameter.

    • password: Truststore file password obtained when you imported the VTS certificate and created the truststore.

copy link to clipboardCT-VL Client Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the client{} object commands:

    • sslmode: Specify_SSL_Cert Indicates Client authentication is enabled. Create keystore with client certificate and key. Set keystore path in the keystore parameter. Communication succeeds if the VTS server finds a valid certificate set in the keystore.

    • Keystore: Client keystore file path. This assumes a keystore has already been created; for example, using keytool.

    • storepassword: Client keystore file password.

    • keypassword: Client's key password.

On this page