Configure SSL on CipherTrust Manager for NAE Interface
SSL with Server Certificate Authentication
When communicating with the CipherTrust Manager, you must configure both the server and the client to have SSL with server certificate authentication.
Configure the server
Create a local Certificate Authority (CA) on the CipherTrust Manager management console.
Create a server certificate and sign it with the local CA.
Configure the NAE server interface.
Configure the client
Add the local CA Certificate, downloaded from the CipherTrust Manager management console, to keystore.
Update the CADP_for_JAVA.properties file.
Create Local CA on CipherTrust Manager
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Under Local Certificate Authorities section, click New Local CA.
On the New Local CA screen, enter or select the details as required (The Common Name parameter is mandatory).
Click Create Local CA. The local CA created is listed beside the Pending CAs label.
Click the local CA beside the Pending CAs label. The local CA with its details is displayed on screen.
Set the Duration for the local CA. You can either self-sign the certificate or upload an external CA to sign the local CA. The CA gets listed in the Local Certificate Authorities section.
Note
Only a local CA can sign certificates on the CipherTrust Manager. If you are using a CA that does not reside on the CipherTrust Manager, you cannot use the Management Console to sign the server/client certificate.
Click the ellipsis icon corresponding to local CA and then click the download button to download the local CA certificate. Save the certificate in .pem format in the system where CADP for Java is used.
Create a Certificate on CipherTrust Manager
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Navigate to the Local Certificate Authorities section and click on the name of local CA (under the heading Subject) using which you want to generate and sign the certificate.
Click Create New Certificate. The Create New Certificate screen is displayed.
Enter or select the details as required (Common Name parameter is mandatory).
Click New Certificate.
Click save private key to download and save the private key with .pem extension.
From the Certificate Purpose drop-down, select server.
Click Issue Certificate.
The server certificate is created and gets signed with the local CA. This certificate can be used as the server certificate for the NAE server.
Click the ellipsis icon corresponding to the server certificate and then click the download button to save the server certificate in .pem format.
Configure Interface on CipherTrust Manager
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
On the Interface Configurations page, click Add Interface.
Enter/select the details and then click Add.
Click the ellipsis icon corresponding to the interface and then click Edit. The interface configuration screen is displayed. Select the TLS, user must supply password, verify client cert option when SSL with client certificate authentication is also used.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a Local CA option.
Expand Upload Certificate.
In the Certificate text box, paste the contents of server certificate, local CA certificate, and key in the PEM format.
Note
Maintain this order: <server cert> <ca cert> <key> while pasting the contents of the certificates and key.
In the Format field, select the PEM option.
Click Upload New Certificate.
Click Update.
Note
Restart the application (Settings >> Services >> Restart button) after interface is configured.
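To avoid the ordering mistake the Note warns about, the following script, added here and not taken from the CipherTrust Manager documentation, concatenates the three downloaded PEM files in the required order and checks the result before it is pasted into the Certificate text box. It assumes the server certificate, local CA certificate and private key were saved as separate .pem files; the PEM bodies in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the CipherTrust Manager documentation: assemble the PEM
# text for the NAE interface "Upload Certificate" box in the order the Note
# requires (<server cert> <ca cert> <key>) and check that order before pasting.

# build_interface_bundle SERVER_CERT CA_CERT KEY OUT
# Concatenates the three PEM files in the required order into OUT.
build_interface_bundle() {
    cat "$1" "$2" "$3" > "$4"
}

# pem_labels FILE
# Prints the label of every "-----BEGIN ...-----" line in FILE, one per line,
# tolerating CRLF line endings from Windows editors.
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# check_bundle_order FILE
# Returns 0 only when FILE holds exactly three PEM blocks in the order
# CERTIFICATE, CERTIFICATE, private key (PKCS#8, RSA or EC encoding);
# anything else (missing block, key first, extra block) returns 1.
check_bundle_order() {
    labels=$(pem_labels "$1" | tr '\n' '|')
    case "$labels" in
        "CERTIFICATE|CERTIFICATE|PRIVATE KEY|") return 0 ;;
        "CERTIFICATE|CERTIFICATE|RSA PRIVATE KEY|") return 0 ;;
        "CERTIFICATE|CERTIFICATE|EC PRIVATE KEY|") return 0 ;;
    esac
    echo "unexpected bundle layout: ${labels:-<no PEM blocks>}" >&2
    return 1
}

# Demo with constructed stand-in files: the bodies are placeholders, not real
# certificates or keys, so only the block order is exercised here.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nSERVER-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$demo_dir/server.pem"
printf -- '-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$demo_dir/ca.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n' > "$demo_dir/key.pem"
build_interface_bundle "$demo_dir/server.pem" "$demo_dir/ca.pem" "$demo_dir/key.pem" "$demo_dir/bundle.pem"
check_bundle_order "$demo_dir/bundle.pem" && echo "bundle.pem: order OK, safe to paste"
# Same three files with the key first: the check reports the wrong layout.
build_interface_bundle "$demo_dir/key.pem" "$demo_dir/server.pem" "$demo_dir/ca.pem" "$demo_dir/wrong.pem"
check_bundle_order "$demo_dir/wrong.pem" || echo "wrong.pem: fix the order before pasting"
rm -rf "$demo_dir"
```

The order check only looks at the PEM block labels; it cannot tell a swapped server and CA certificate apart, so keep the downloaded files clearly named.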
Add the Local CA Certificate to Keystore
Run the following command to add the local CA certificate downloaded from CipherTrust Manager to the keystore:
keytool -keystore <name_of_the_keystore> -import -alias <alias_name_of_CAcertificate> -file <certificate_location/LocalCA_certificate_file.pem>
Update CADP_for_JAVA.properties File
Update the following parameters in the CADP_for_JAVA.properties file:
NAE_Port=Specify the port used by CipherTrust Manager for the SSL connection.
Protocol=Set it to ssl.
Key_Store_Location=Location of the keystore. For example, /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore name. On a Windows machine, the keystore path will be \\tmp\\KYLO_utility_keystore\\cacerts.
Key_Store_Password=Password of the keystore.
SSL with Client Certificate Authentication
This section describes the procedures to follow when configuring SSL with Client Certificate Authentication. It explains the following processes:
Generating a Client Certificate with Keytool
Signing a Certificate and Downloading the Certificate
Configuring TLS Option in NAE Server Interface
Adding the Client Certificate to the Java Keystore
Updating the Parameters in CADP_for_JAVA.properties
Generate Client Certificate with Keytool
Open a command prompt window on your client and navigate to the Java security directory (<Java_Home>\lib\security). Generate a public/private key pair by executing the following command. In this step, an alias for the key pair is created.
keytool -keystore <KeystoreName> -genkey -alias <KeyPairAlias> -keyalg RSA
The key generation process will then request the following data:
A keystore password
The distinguished name - This is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, city or locality name, organization name, organizational unit name, and the user's first and last name.
The key password - The certificate password must be the same as the keystore password. You can simply press the Return/Enter key to set the password; you need not retype the keystore password.
Create the certificate by issuing the following command. Reference the key pair alias, created in step 2.
keytool -certreq -alias <KeyPairAlias> -file <CertReqFileName> -keystore <KeystoreName>
You will now have a certificate request in the <CertReqFileName> file.
Sign and Download Certificate
This section describes how to sign a certificate with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
Open the certificate request in a text editor.
Copy the text of the certificate request. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and the footer (-----END CERTIFICATE REQUEST-----).
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
In the Local Certificate Authorities section, click the Subject corresponding to the local CA with which you want to sign the certificate.
Click Upload and Sign CSR.
Paste the text of the certificate request in the text field highlighted as Paste external CSR here in PEM format.
Select Certificate Purpose as client and specify the life span of the certificate in days in Duration in days field.
Click Issue Certificate.
Click the download button against the certificate to be downloaded.
Save the certificate in the machine where CADP for JAVA is installed.
Configure TLS Option in NAE Server Interface
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
Click the edit button under the Action column against the NAE interface. The Configure NAE pop-up window is displayed.
In the Mode field, select the TLS, user must supply password, verify client cert option.
Click Update.
Note
Restart the application (Settings >> Services >> Restart button) after the TLS option is updated.
Add Client Certificate to Java Keystore
Open a command prompt window on your client and navigate to the Java security directory (\lib\security). Import the signed client certificate using the following command. Use the key pair alias you used to create the certificate request. When prompted, enter the keystore password.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -import -file <CertFileName.pem>
Verify that the client certificate was properly imported by executing the following command. Reference the key pair alias you used above. The system should display the certificate.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -list -v
Note
To enable Client Certificate Authentication, your keystore must have a copy of the CA certificate downloaded from CipherTrust Manager management console.
Update CADP_for_JAVA.properties File
Update the following parameters in the CADP_for_JAVA.properties file:
Key_Store_Location=Location and name of the keystore that contains a copy of the server's local CA, the client certificate, and the CA that signed the client certificate. For example, /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore name. On a Windows machine, the keystore path will be \\tmp\\KYLO_utility_keystore\\cacerts.
Key_Store_Password=Password associated with the keystore.
Client_Cert_Alias=<client certificate alias>
Client_Cert_Passphrase=<client certificate password, if used>
Configuring and using BCFKS keystore
Create BCFKS Keystore
The steps to create a BCFKS keystore are similar to those for any other keystore described in this topic. You just need to add the following parameters to all the existing keytool commands.
-keystoretype bcfks -providerpath <Path to bc fips jar> -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -storepass <KeystorePassword>
Run BCFKS keystore with TLS
To run the BCFKS keystore with TLS, do the following changes in addition to the instructions mentioned in this topic:
Add the BC FIPS provider jar file to jre/lib/ext.
Add the BC FIPS provider jar file to the list of security providers. You can use either Option 1 or Option 2.
Option 1: Modify the jre/lib/security/java.security file and add the BC FIPS provider at the end of the list of security providers:
security.provider.<xx>=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Option 2: Add the BC FIPS provider class programmatically as shown here:
Security.addProvider(new BouncyCastleFipsProvider());
Set the javax.net.ssl.keyStoreType property to BCFKS.
Note
The GCM, SEED, and EC cryptos don't work with BCFKS keystore in local mode.