Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Advanced Topics

Configure TLS for use with CipherTrust Vaultless Tokenization (CT-VL)

search

Please Note:

Configure TLS for use with CipherTrust Vaultless Tokenization (CT-VL)

Authentication can be done using server authentication or using client authentication. The end user can do either, both, or none of them.

Users can configure TLS in one of the following ways:

Setting up SSL using Default Setting

CT-VL Server Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the server{} object commands:

    • sslmode: Default. Indicates trust only a standard valid certificate issued by a Certificate Authority (CA). If the certificate is expired, self-signed, or invalid, communication with the CT-VL server fails. The other ssl-mode values available for CT-VL server authentication are Allow-All and Specify_SSL_Cert. Refer to Configuring TLS for details.

    • VerifyHostName: By default, it is set to true to enable hostname verification for SSL communication.

CT-VL Client Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the client{} object commands:

    • sslmode: Default. Indicates client authentication is disabled. No need to send client identity. The other ssl-mode values available for CT-VL client authentication are Allow-All and Specify_SSL_Cert. Refer to Configuring TLS for details.

    • Keystore: Client keystore file path. This assumes a keystore has already been created; for example, using keytool.

    • storepassword: Client keystore file password.

    • keypassword: Client's key password.

Setting up SSL using Allow-All Setting

User can opt for server and client authentication by configuring bdt.config.

Perform the following steps to set up SSL for secure communication between the BDT utility and the CipherTrust Vaultless Tokenization (CT-VL) using all trust certificates:

CT-VL Server Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the server{} object commands:

    • sslmode: Select Allow-All. Indicates Trust all certificates; no trust policy is defined. Any kind of SSL certificate is acceptable, including valid, expired, self-signed, or any other. The truststore setting is not required.

    • VerifyHostName: By default, it is set to true to enable hostname verification for SSL communication.

CT-VL Client Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the client{} object commands:

    • sslmode: Select Allow-All. Indicates client authentication is disabled and there is no need to send client identity.

      When passing sslmode as ALLOW_ALL, you don't need to configure following 3 params:

      • Keystore: Client keystore file path. This assumes a keystore has already been created; for example, using keytool.

      • storepassword: Client keystore file password.

      • keypassword: Client's key password.

Setting up SSL using Specify_SSL_Cert Setting

Perform the following steps to set up SSL for secure communication between the BDT utility and the CipherTrust Vaultless Tokenization (CT-VL) using valid certificates:

CT-VL Server Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the server{} object commands:

    • sslmode: Select Specify_SSL_Cert. Indicates trust standard certificates and certificates stored in the provided trust store (specified in the truststore setting). Use to accept self-signed and expired certificates.

    • VerifyHostName: By default, it is set to true to enable hostname verification for SSL communication. Set to "false" to disable hostname verification.

    • truststore: Truststore file path. To set up the truststore:

      • Get the server's public certificate. If not available, open the VTS URL in a browser and export it from the Security option.

      • Import the certificate and create the truststore. Use the following command, it will output the truststore password.

        keytool -import -alias "vts host certificate" -file server.crt -keystore server.truststore

        Important: Note this password. You need to provide it in the password parameter.

    • password: Truststore file password obtained when you imported the VTS certificate and created the truststore.

CT-VL Client Authentication

  1. Go to the vts{} section of the bdt.config file.

  2. Specify the following values for the client{} object commands:

    • sslmode: Specify_SSL_Cert Indicates Client authentication is enabled. Create keystore with client certificate and key. Set keystore path in the keystore parameter. Communication succeeds if the VTS server finds a valid certificate set in the keystore.

    • Keystore: Client keystore file path. This assumes a keystore has already been created; for example, using keytool.

    • storepassword: Client keystore file password.

    • keypassword: Client's key password.

On this page