Configuring TLS for use with CipherTrust Vaultless Tokenization (CT-VL)
TLS authentication can be configured as server authentication, client authentication, both, or neither; the end user chooses which to enable.
Users can configure TLS in one of the following ways:
Setting up SSL using Default Setting

CT-VL Server Authentication

Go to the vts{} section of the bdt.config file. Specify the following values for the server{} object commands:

sslmode: Default. Trust only a standard valid certificate issued by a Certificate Authority (CA). If the certificate is expired, self-signed, or otherwise invalid, communication with the CT-VL server fails. The other sslmode values available for CT-VL server authentication are Allow-All and Specify_SSL_Cert. Refer to Configuring TLS for details.

VerifyHostName: By default, set to true to enable hostname verification for SSL communication.

CT-VL Client Authentication

Go to the vts{} section of the bdt.config file. Specify the following values for the client{} object commands:

sslmode: Default. Client authentication is disabled; the client does not need to send its identity. The other sslmode values available for CT-VL client authentication are Allow-All and Specify_SSL_Cert. Refer to Configuring TLS for details.

Keystore: Client keystore file path. This assumes a keystore has already been created, for example using keytool.

storepassword: Client keystore file password.

keypassword: Client's key password.
Setting up SSL using Allow-All Setting

Users can opt for server and client authentication by configuring bdt.config.

Perform the following steps to set up SSL for secure communication between the BDT utility and CipherTrust Vaultless Tokenization (CT-VL) while trusting all certificates:

CT-VL Server Authentication

Go to the vts{} section of the bdt.config file. Specify the following values for the server{} object commands:

sslmode: Select Allow-All. Trust all certificates; no trust policy is defined. Any kind of SSL certificate is accepted, including valid, expired, self-signed, or any other. The truststore setting is not required.

VerifyHostName: By default, set to true to enable hostname verification for SSL communication.

CT-VL Client Authentication

Go to the vts{} section of the bdt.config file. Specify the following values for the client{} object commands:

sslmode: Select Allow-All. Client authentication is disabled and the client does not need to send its identity.

When passing sslmode as ALLOW_ALL, you do not need to configure the following three parameters:

Keystore: Client keystore file path. This assumes a keystore has already been created, for example using keytool.

storepassword: Client keystore file password.

keypassword: Client's key password.
Setting up SSL using Specify_SSL_Cert Setting

Perform the following steps to set up SSL for secure communication between the BDT utility and CipherTrust Vaultless Tokenization (CT-VL) using valid certificates:

CT-VL Server Authentication

Go to the vts{} section of the bdt.config file. Specify the following values for the server{} object commands:

sslmode: Select Specify_SSL_Cert. Trust standard certificates and the certificates stored in the provided trust store (specified in the truststore setting). Use this mode to accept self-signed and expired certificates.

VerifyHostName: By default, set to true to enable hostname verification for SSL communication. Set to "false" to disable hostname verification.

truststore: Truststore file path. To set up the truststore:

Get the server's public certificate. If it is not available, open the VTS URL in a browser and export the certificate from the Security option.

Import the certificate and create the truststore with the following command; it will output the truststore password.

keytool -import -alias "vts host certificate" -file server.crt -keystore server.truststore

Important: Note this password. You need to provide it in the password parameter.

password: Truststore file password obtained when you imported the VTS certificate and created the truststore.

CT-VL Client Authentication

Go to the vts{} section of the bdt.config file. Specify the following values for the client{} object commands:

sslmode: Specify_SSL_Cert. Client authentication is enabled. Create a keystore containing the client certificate and key, and set its path in the keystore parameter. Communication succeeds if the VTS server finds a valid certificate in the keystore.

Keystore: Client keystore file path. This assumes a keystore has already been created, for example using keytool.

storepassword: Client keystore file password.

keypassword: Client's key password.
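As an added example (not from the CT-VL or BDT documentation), the truststore step above carried out non-interactively: the exported server certificate is checked against a SHA-256 fingerprint obtained out-of-band from the VTS administrator before it is imported, and a small check flags the Allow-All and VerifyHostName=false settings this page describes as not validating the peer. It assumes a JDK keytool on PATH (the -printcert, -noprompt, -storepass and -list options are standard keytool options); the expected fingerprint and password values are placeholders.

```shell
#!/bin/sh
# Added example, not from the CT-VL/BDT documentation. Assumes a JDK keytool on
# PATH and a server-certificate SHA-256 fingerprint obtained out-of-band.
set -eu

# Normalise a SHA-256 fingerprint so "ab:cd:..." and "ABCD..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# Exit status 0 if the two fingerprints match, 1 otherwise.
fingerprint_ok() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# SHA-256 fingerprint that keytool reports for a certificate file.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p' | head -n 1
}

# Import server.crt into the truststore only when it matches the expected
# fingerprint. -noprompt and -storepass replace the interactive prompts, so the
# value in $TRUSTSTORE_PASS is the one to put in the "password" setting.
import_server_cert() {
    cert="$1"; store="$2"; expected="$3"
    pass="${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS (keytool needs 6+ characters)}"
    actual=$(cert_fingerprint "$cert")
    if ! fingerprint_ok "$expected" "$actual"; then
        echo "refusing to import $cert: fingerprint $actual != $expected" >&2
        return 1
    fi
    keytool -import -noprompt -alias "vts host certificate" \
        -file "$cert" -keystore "$store" -storepass "$pass"
    # Confirm the entry is present before pointing bdt.config at the store.
    keytool -list -alias "vts host certificate" -keystore "$store" -storepass "$pass" >/dev/null
}

# Status 0 (weak) for server{} settings that do not validate the peer:
# sslmode Allow-All trusts any certificate; VerifyHostName=false skips the
# hostname check. Status 1 for Default or Specify_SSL_Cert with verification on.
tls_settings_weak() {
    mode="$1"; verify="$2"
    case "$mode" in
        Allow-All|ALLOW_ALL) return 0 ;;
    esac
    [ "$verify" = "false" ] && return 0
    return 1
}

# Usage: TRUSTSTORE_PASS=<password> ./setup_truststore.sh server.crt server.truststore <expected_fingerprint>
if [ $# -eq 3 ]; then import_server_cert "$1" "$2" "$3"; fi
```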