Configure SSL on CipherTrust Manager for NAE Interface
SSL with Server Certificate Authentication
When communicating with the CipherTrust Manager, you must configure both the server and the client for SSL with server certificate authentication.
Configure the server
Create a local Certificate Authority (CA) on the CipherTrust Manager management console.
Create a server certificate and sign it with the local CA.
Configure the NAE interface.
Configure the client
Add the local CA certificate, downloaded from the CipherTrust Manager management console, to the keystore.
Update the bdt.properties file.
Create Local CA on CipherTrust Manager
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Under Local Certificate Authorities section, click New Local CA.
On the New Local CA screen, enter or select the details as required (The Common Name parameter is mandatory).
Click Create Local CA. The local CA created is listed beside the Pending CAs label.
Click the local CA beside the Pending CAs label. The local CA with its details is displayed on screen.
Set the Duration for the local CA. You can either self-sign the certificate or upload an external CA to sign the local CA. The CA gets listed in the Local Certificate Authorities section.
Note
Only a local CA can sign certificates on the CipherTrust Manager. If you are using a CA that does not reside on the CipherTrust Manager, you cannot use the Management Console to sign the server/client certificate.
Click the ellipsis icon corresponding to the local CA and then click the download button to download the local CA certificate. Save the certificate in .pem format on the system where BDT is used.
Create a Certificate on CipherTrust Manager
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Navigate to the Local Certificate Authorities section and click the name of the local CA (under the Subject heading) with which you want to generate and sign the certificate.
Click Create New Certificate. The Create New Certificate screen is displayed.
Enter or select the details as required (Common Name parameter is mandatory).
Click New Certificate.
Click save private key to download and save the private key with .pem extension.
From the Certificate Purpose drop-down, select server.
Click Issue Certificate.
The server certificate is created and gets signed with the local CA. This certificate can be used as the server certificate for the NAE server.
Click the ellipsis icon corresponding to the server certificate and then click the download button to save the server certificate in .pem format.
Configure Interface on CipherTrust Manager
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
On the Interface Configurations page, click Add Interface.
On the Configure Interface tab, select the Interface Type as NAE and click Next.
On the Network Form screen, enter/select the following details:
Select the Allow unregistered clients check-box.
Enter the port.
Select the desired Network Interface from the available options.
Select the TLS, user must supply password, verify client cert option from the drop-down list.
Click Next.
On the Add Certificate tab, enter/select the details.
In the Username Location in Certificate, enter CN.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a Local CA.
Select Local Trusted CAs.
If available, select External Trusted CAs.
Click Save.
Note
Restart the application (Settings >> Services >> Restart button) after the interface is configured.
Add the Local CA Certificate to Keystore
Run the following command to add the local CA certificate downloaded from CipherTrust Manager to the keystore:
keytool -keystore <name_of_the_keystore> -import -alias <alias_name_of_CAcertificate> -file <certificate_location/LocalCA_certificate_file.pem>
Update bdt.properties File
Update the following parameters in the bdt.properties file:
NAE_Port=Specify the port used by CipherTrust Manager for the SSL connection.
Protocol=Set it to ssl.
Key_Store_Location=Location of the keystore. For example, /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore name. On a Windows machine, the keystore path will be \\tmp\\KYLO_utility_keystore\\cacerts.
Key_Store_Password=Password of the keystore.
SSL with Client Certificate Authentication
This section describes the procedures to follow when configuring SSL with Client Certificate Authentication. It explains the following processes:
Generating a Client Certificate with Keytool
Signing a Certificate and Downloading the Certificate
Configuring TLS Option in NAE Interface
Adding the Client Certificate to the Java Keystore
Updating the Parameters in bdt.properties
Generate Client Certificate with Keytool
Open a command prompt window on your client and navigate to the Java security directory (<Java_Home>\lib\security). Generate a public/private key pair by executing the following command. In this step, an alias for the key pair is created.
keytool -keystore <KeystoreName> -genkey -alias <KeyPairAlias> -keyalg RSA
The key generation process will then request the following data:
A keystore password
The distinguished name - This is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, city or locality name, organization name, organizational unit name, and the user's first and last name.
The key password - The key password must be the same as the keystore password. You can simply press the Return/Enter key to set it; you need not retype the keystore password.
Create the certificate request by issuing the following command. Reference the key pair alias created in the previous step.
keytool -certreq -alias <KeyPairAlias> -file <CertReqFileName> -keystore <KeystoreName>
You will now have a certificate request in the <CertReqFileName> file.
Sign and Download Certificate
This section describes how to sign a certificate with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
Open the certificate request in a text editor.
Copy the text of the certificate request. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and the footer (-----END CERTIFICATE REQUEST-----).
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
In the Local Certificate Authorities section, click the Subject corresponding to the local CA with which you want to sign the certificate.
Click Upload and Sign CSR.
Paste the text of the certificate in the text field highlighted as Paste external CSR here in PEM format.
Select Certificate Purpose as client and specify the life span of the certificate in days in Duration in days field.
Click Issue Certificate.
Click the download button against the certificate to be downloaded.
Save the certificate on the machine where BDT is installed.
Configure TLS Option in NAE Interface
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
Click the edit button under the Action column against the NAE interface. The Configure NAE popup window is displayed.
In the Mode field, select the TLS, user must supply password, verify client cert option.
Click Update.
Note
Restart the application (Settings >> Services >> Restart button) after the TLS option is updated.
Add Client Certificate to Java Keystore
Open a command prompt window on your client and navigate to the Java security directory (<Java_Home>\lib\security). Import the signed client certificate using the following command. Use the key pair alias you used to create the certificate request. When prompted, enter the keystore password.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -import -file <CertFileName.pem>
Verify that the client certificate was properly imported by executing the following command. Reference the key pair alias you used above. The system should display the certificate.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -list -v
Note
To enable Client Certificate Authentication, your keystore must have a copy of the CA certificate downloaded from the CipherTrust Manager management console.
Update bdt.properties File
Update the following parameters in the bdt.properties file:
Key_Store_Location=Location and name of the keystore that contains a copy of the server's local CA, the client certificate, and the CA that signed the client certificate. For example, /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore name. On a Windows machine, the keystore path will be \\tmp\\KYLO_utility_keystore\\cacerts.
Key_Store_Password=Password associated with the keystore.
Client_Cert_Alias=<client certificate alias>
Client_Cert_Passphrase=<client certificate password, if used>
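The two Update bdt.properties File sections above give the keys BDT reads for the server-certificate mode and for the client-certificate mode. The following checker, added here and not part of the Thales documentation or of BDT itself, parses a bdt.properties file and reports settings that contradict those sections. The port number, keystore password and alias in the samples are constructed values, and the rule that Client_Cert_Passphrase must match Key_Store_Password is taken from the keytool step that sets the key password equal to the keystore password.

```python
# Keys the page lists for each mode (assumption: BDT requires nothing beyond these).
SERVER_AUTH_KEYS = ("NAE_Port", "Protocol", "Key_Store_Location", "Key_Store_Password")
CLIENT_AUTH_KEYS = SERVER_AUTH_KEYS + ("Client_Cert_Alias",)

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, values verbatim."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_bdt_properties(text, client_cert_auth=False):
    """Return a list of problems; an empty list means the file matches the page's rules."""
    props = parse_properties(text)
    required = CLIENT_AUTH_KEYS if client_cert_auth else SERVER_AUTH_KEYS
    problems = [f"missing or empty {key}" for key in required if not props.get(key)]
    if props.get("Protocol", "").lower() != "ssl":
        problems.append("Protocol must be set to ssl for a TLS-enabled NAE interface")
    port = props.get("NAE_Port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"NAE_Port is not a valid TCP port: {port!r}")
    # The page's examples end in the keystore file name (cacerts), never in a separator.
    if props.get("Key_Store_Location", "").endswith(("/", "\\")):
        problems.append("Key_Store_Location must include the keystore file name")
    # keytool ties the key password to the keystore password, so a differing passphrase is a mistake.
    passphrase = props.get("Client_Cert_Passphrase")
    if client_cert_auth and passphrase and passphrase != props.get("Key_Store_Password"):
        problems.append("Client_Cert_Passphrase differs from Key_Store_Password")
    return problems

# Constructed sample files; port, password and alias are made-up values.
SAMPLE_SERVER_AUTH = """
NAE_Port=9000
Protocol=ssl
Key_Store_Location=/tmp/KYLO_utility_keystore/cacerts
Key_Store_Password=changeit
"""
SAMPLE_CLIENT_AUTH_BROKEN = r"""
NAE_Port=9000
Protocol=tcp
Key_Store_Location=\\tmp\\KYLO_utility_keystore\\
Key_Store_Password=changeit
Client_Cert_Alias=bdtclient
Client_Cert_Passphrase=other
"""
```

Run check_bdt_properties on the file before restarting the service; the broken sample reports the wrong Protocol, a keystore path with no file name, and a passphrase that differs from the keystore password.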