Modifying the CADP for C Basic Configuration File
This section lists and defines each of the parameters within the CADP for C basic configuration file named cadp_for_c_basic.conf. The configuration file defines the IP address/hostname, port, protocol, and other parameters of the CipherTrust Manager to which your client connects.
The configurations defined in the cadp_for_c_basic.conf file are used for silent installation. After the installation, the configurations defined in this configuration file are reflected in the CADP_PKCS11.properties and CADP_CAPI.properties files.
Modifying the Parameters in the Configuration File
Note
• In case of the TCP protocol, make sure you enter the correct IP address and TCP port, as an invalid entry causes an error that is only caught after running the sample application.
• After installation, if you selected the SSL protocol, ensure that there is no error logged in <install_folder>/logs/cadp_for_c_basic.log. If there are any errors in the log, you need to re-run the installer with correct values.
The content of the cadp_for_c_basic.conf file, including the default settings, is:
SERVER_IP=
SERVER_PORT=
SERVER_PROTOCOL=ssl
LOG_LEVEL=WARN
NAE_USER=
NAE_PASSWORD=
PASSPHRASE=
USER_CREDENTIALS_ENCRYPTED=
COUNTRY=US
STATE=California
CITY="San Jose"
ORG=Thales
ORG_UNIT=DIS
COMMON_NAME=
EMAIL=
BACKWARD_COMPATIBILITY_VAE=
REG_TOKEN=
If you choose to use the SSL protocol for communication between the Client and the CipherTrust Manager, then configure all of the parameters within the configuration file.
If you choose to use the TCP protocol, then provide values only for the following parameters:
SERVER_IP
SERVER_PORT
SERVER_PROTOCOL
LOG_LEVEL
BACKWARD_COMPATIBILITY_VAE
SERVER_IP
The SERVER_IP parameter is the IP address or hostname of the CipherTrust Manager; it is written to the CADP_PKCS11.properties and CADP_CAPI.properties files. This address is used to connect to the CipherTrust Manager.
For example,
SERVER_IP=hostname
SERVER_IP=192.168.123.14
SERVER_PORT
The SERVER_PORT parameter specifies the port on which the client communicates with the CipherTrust Manager. Your client must use the port of the "NAE" interface on the CipherTrust Manager, which must be configured with a root or local CA. If you are using the TCP connection, the certificate settings are not required.
For example, SERVER_PORT=9030
Note
The installer generates or updates the client certificate and client key in the property files only if the interface is configured with a root or local CA.
Note
If you plan to use an external Certificate Authority (CA) with the CipherTrust Manager and CADP for C, then you will need to configure the SSL settings for the CADP for C (client) manually. During the CADP for C installation, enter TCP as the Key Management Server Protocol when prompted. Then after the installation, manually configure the client for SSL settings. Refer to Configuring the Client Manually for more information.
SERVER_PROTOCOL
The SERVER_PROTOCOL parameter specifies the protocol used for communication between the client and server.
The possible settings are:
- ssl - The ssl option enables TLSv1.2 (default).
- tcp - The tcp option communicates without TLS; the certificate settings are not required.
For example, SERVER_PROTOCOL=ssl
LOG_LEVEL
The LOG_LEVEL parameter determines the level of logging performed by the client.
Possible settings:
NONE – Disables client logging. It is recommended not to disable logging.
ERROR – Only error messages are logged. For example, if you want only error messages to be logged, set LOG_LEVEL=ERROR.
WARN – The client logs error messages and warnings. This is the default setting.
INFO – The client logs error messages, warnings, and informational messages. This level generates a very large number of entries and is usually reserved for debugging. For example, if you want error messages, warnings, and informational messages to be logged, set LOG_LEVEL=INFO.
NAE_USER
The NAE_USER parameter is the username of the user account used to log in to the CipherTrust Manager.
This CipherTrust Manager user must have the CA Admins, Read-Only Admins, and Key Users privileges in order to generate the client certificate through the installer and set up the TLS connection.
Note
This username is used to get the client certificate and key generated and signed with the CA available on the NAE interface. Make sure you do not provide this username with any domain.
For example,
NAE_USER=_username
NAE_USER=4EC879E12BE14780ECB0E5C4DFA3B764 (if encrypted, the value will be in 'hex' format generated by PassPhraseSecure utility)
NAE_PASSWORD
The NAE_PASSWORD parameter is the password (associated with the username defined in NAE_USER) used to log in to the CipherTrust Manager.
For example,
NAE_PASSWORD=_password
NAE_PASSWORD=BC41CECC1A3F0927A58FD45AA7686BFB (if encrypted, the value will be in 'hex' format generated by the PassPhraseSecure utility)
The following sections describe the parameters that are associated with the use of the SSL server protocol. If you selected SSL, then the following parameters are required.
PASSPHRASE
The PASSPHRASE parameter is the passphrase associated with the client's private key.
The CADP for C installer encrypts the client private key with the passphrase and also writes the obfuscated value of the provided passphrase to the property files.
Note
It is recommended to choose a password/passphrase of at least 10 characters containing an uppercase letter, a lowercase letter, a special character, and digits to increase entropy.
For example,
PASSPHRASE=Qwerty@1234
PASSPHRASE=4E698F0836A5E62254B715A4FFDC5D02 (if encrypted, the value will be in 'hex' format generated by PassPhraseSecure utility)
USER_CREDENTIALS_ENCRYPTED
The USER_CREDENTIALS_ENCRYPTED parameter indicates whether the user credentials (NAE_USER, NAE_PASSWORD, and PASSPHRASE) are encrypted. Enabling or disabling this parameter allows the user credentials to be provided as encrypted text or plain text, respectively. The encrypted text can only be generated using the PassPhraseSecure utility.
For example, USER_CREDENTIALS_ENCRYPTED=Y
COUNTRY
The COUNTRY parameter refers to the name of the country where your company or organization is legally incorporated.
STATE
The STATE parameter refers to the name of the state or province where your company or organization is legally incorporated. Make sure you do not use an abbreviation.
CITY
The CITY parameter refers to the name of the city where your company or organization is legally incorporated. Make sure you do not use an abbreviation.
ORG
The ORG parameter refers to the full legal name of your company or organization. Do not use an abbreviation. For example, thales.
ORG_UNIT
The ORG_UNIT parameter refers to the name of your business unit or department within your company or organization. For example, Marketing or Engineering.
COMMON_NAME
The COMMON_NAME parameter refers to the FQDN (fully-qualified domain name) you want to secure with the certificate. For example, www.thalesgroup.com.
Note
There are interface settings available in the CipherTrust Manager where the username is obtained from the client certificate. In such a case, the COMMON_NAME can be the same as the username, which can then be used to perform the crypto and key management operations.
The possible settings are:
COMMON_NAME=_user_name
COMMON_NAME=_domain_name||_user_name
COMMON_NAME=www.thalesgroup.com
EMAIL
The EMAIL parameter refers to the email address associated with the company. For example, support.internet@thalesgroup.com.
BACKWARD_COMPATIBILITY_VAE
This parameter is applicable to the CADP_PKCS11.properties file.
The BACKWARD_COMPATIBILITY_VAE parameter specifies whether to maintain backward compatibility with VAE, known as binary compatibility mode. This is applicable only if you have previously installed VAE on the machine on which you have installed CADP for C.
Possible settings:
Y - Yes. Maintain backward compatibility with VAE. With this setting, the Client_Compatibility_Mode in the CADP for C PKCS#11 property file (CADP_PKCS11.properties) will be set to LegacyVAE: Client_Compatibility_Mode=LegacyVAE. The Client_Compatibility_Mode indicates the mode in which the PKCS#11 library runs. In LegacyVAE mode, the CADP for C PKCS#11 library executes specific functionality associated with the legacy VAE.
N - No. Do not maintain backward compatibility with VAE. This is the default setting. If you set this parameter to N (or do not enter a value), then the CipherTrust compatibility mode is used: Client_Compatibility_Mode=CipherTrust. In CipherTrust mode, the CADP for C PKCS#11 library executes functionality associated with the converged CADP for C features.
REG_TOKEN
This parameter refers to the registration token that can be used to register the client on the Key Manager.
If you provide a valid token as the value of this parameter, it is used to register the client on the Key Manager. If no value is provided, the installation proceeds without registering the client on the Key Manager.
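As an added example (not part of the Thales documentation or the CADP for C installer), the following Python validator applies the rules this page states for cadp_for_c_basic.conf before a silent install: the parameters required for tcp versus ssl, the allowed LOG_LEVEL values, hex-only credentials when USER_CREDENTIALS_ENCRYPTED=Y, the passphrase recommendation, and the Client_Compatibility_Mode that BACKWARD_COMPATIBILITY_VAE maps to. The 32-hex-digit PassPhraseSecure shape and the '||' domain separator checked in NAE_USER are assumptions taken from the page's examples, and the sample file is constructed.

```python
import re

TCP_REQUIRED = ("SERVER_IP", "SERVER_PORT", "SERVER_PROTOCOL", "LOG_LEVEL")  # tcp: only these
SSL_REQUIRED = TCP_REQUIRED + ("NAE_USER", "NAE_PASSWORD", "PASSPHRASE", "COUNTRY", "STATE",
                              "CITY", "ORG", "ORG_UNIT", "COMMON_NAME", "EMAIL")  # ssl: all of these
LOG_LEVELS = {"NONE", "ERROR", "WARN", "INFO"}
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # PassPhraseSecure value shape, assumed from the page's examples

# Constructed sample (not a real deployment): a TCP install, so the certificate fields are left blank.
SAMPLE_CONF = 'SERVER_IP=192.168.123.14\nSERVER_PORT=9030\nSERVER_PROTOCOL=tcp\n' \
              'LOG_LEVEL=WARN\nCITY="San Jose"\nBACKWARD_COMPATIBILITY_VAE=Y\n'

def parse_conf(text):
    """Parse KEY=VALUE lines into a dict; surrounding quotes (CITY="San Jose") are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def passphrase_is_strong(p):  # page's recommendation: 10+ chars with upper, lower, digit and special
    return len(p) >= 10 and all(re.search(c, p) for c in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))

def validate(conf):
    """Return the list of rule violations from the page; an empty list means the file passes."""
    problems = []
    proto = conf.get("SERVER_PROTOCOL", "").lower()
    if proto not in ("ssl", "tcp"):
        problems.append("SERVER_PROTOCOL must be ssl or tcp")
    required = SSL_REQUIRED if proto == "ssl" else TCP_REQUIRED
    problems += [f"{k} is required when SERVER_PROTOCOL={proto}" for k in required if not conf.get(k)]
    if not conf.get("SERVER_PORT", "").isdigit():
        problems.append("SERVER_PORT must be a numeric port such as 9030")
    if conf.get("LOG_LEVEL", "WARN") not in LOG_LEVELS:
        problems.append("LOG_LEVEL must be NONE, ERROR, WARN or INFO")
    encrypted = conf.get("USER_CREDENTIALS_ENCRYPTED", "").upper() == "Y"
    for k in ("NAE_USER", "NAE_PASSWORD", "PASSPHRASE"):
        if encrypted and conf.get(k) and not HEX32.match(conf[k]):
            problems.append(f"{k} must be PassPhraseSecure hex when USER_CREDENTIALS_ENCRYPTED=Y")
    if "||" in conf.get("NAE_USER", ""):  # no domain in NAE_USER; '||' separator assumed from COMMON_NAME example
        problems.append("NAE_USER must not carry a domain")
    if proto == "ssl" and not encrypted and conf.get("PASSPHRASE") and not passphrase_is_strong(conf["PASSPHRASE"]):
        problems.append("PASSPHRASE is weaker than the recommended policy")
    return problems

def compatibility_mode(conf):
    """Client_Compatibility_Mode the installer writes to CADP_PKCS11.properties for this file."""
    return "LegacyVAE" if conf.get("BACKWARD_COMPATIBILITY_VAE", "").upper() == "Y" else "CipherTrust"
```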