SSL Configuration Parameters
Parameters | Default | Description |
---|---|---|
Key_Store_Location | no default | Location of the Java keystore that contains the client certificate. The path can be absolute or relative to your application. Don’t use quotes, even if the path contains spaces. |
Key_Store_Password | no default | Password of the keystore. |
CA_File | no default | CA certificate that was used to sign the server certificate presented by the CipherTrust Manager to the client. The path specified for this parameter can be absolute or relative to your application. Do not use quotes, even if the path contains spaces. All Key Managers in a clustered environment must have an identical configuration, and thus use the same server certificate, so you need to point to only one CA certificate in the CA_File parameter. If you do not supply the CA certificate, your client applications cannot establish SSL connections with any of the servers in the cluster. |
Cert_File | | The path and file name of the client certificate. The path specified for this parameter can be absolute or relative to your application. Don’t use quotes, even if the path contains spaces. This is used only when your SSL configuration requires clients to provide a client certificate to authenticate to the Key Manager servers. Client certificates must be PEM-encoded. If this value is set, the certificate and private key must be present, even if Key Manager is not configured to request a client certificate. |
Key_File | no default | The private key associated with the client certificate specified in the Cert_File parameter. The client private key must be in PEM-encoded PKCS#12 format. The path specified for this parameter can be absolute or relative to your application. Do not use quotes, even if the path contains spaces. If this value is set, the certificate and private key must be present, even if Key Manager is not configured to request a client certificate. |
Passphrase | | Passphrase to unlock the client private key specified in the Key_File parameter. This value is required when client certificate authentication is enabled. |
Credentials_Encrypted | no | Indicates that the Key Manager username and password are encrypted using PassphraseUtility. If the value is set to yes and an invalid obfuscated string is supplied, the application throws an error. Possible settings: yes, no. |
Passphrase_Encrypted | no | Indicates that the Client_Cert_Alias and Client_Cert_Passphrase parameters are encrypted using PassphraseUtility. Possible settings: yes, no. |
Client_Cert_Alias | no default | The client certificate sent to the Key Manager when client certificate authentication is enabled. If you have multiple client certificates in a keystore, you might want to specify which client certificate is sent to the Key Manager during the SSL handshake. If you do not specify a client certificate, either in the properties file or programmatically, the first certificate in the keystore is sent to the Key Manager. |
Client_Cert_Passphrase | no default | The passphrase needed to access the client certificate listed in Client_Cert_Alias. If you specify a value for Client_Cert_Alias, you should also specify a value for Client_Cert_Passphrase; otherwise the keystore password is used. |
SysLog_SSLKeystore | no default | To enable the SSL protocol for logging to the SysLog server, set SysLog_SSLKeystore to the location of the keystore/truststore containing the SysLog server certificates and CA certificates. If SSL is set in the SysLog_Protocol parameter and SysLog_SSLKeystore is not specified, the keystore cacert from JRE_HOME/lib/security is used by default. |
SysLog_SSLKeystorePassword | no default | To enable the SSL protocol for logging to the SysLog server, set SysLog_SSLKeystorePassword to the password of the keystore/truststore containing the SysLog server certificates and CA certificates. If SysLog_SSLKeystore is not specified, the default password of the keystore cacert is used. |
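
The cross-parameter rules in the table above can be checked before deployment. The following lint is an added example, not part of the product or its documentation; it assumes the settings live in a Java-style `key=value` properties file, and the function names and sample values are hypothetical.

```python
PATH_KEYS = ("Key_Store_Location", "CA_File", "Cert_File", "Key_File")
FLAG_KEYS = ("Credentials_Encrypted", "Passphrase_Encrypted")

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_ssl_settings(text):
    """Return a sorted list of (parameter, message) findings."""
    p = parse_properties(text)
    findings = []
    for key in PATH_KEYS:  # paths must be unquoted, even with spaces
        value = p.get(key, "")
        if value[:1] in ("'", '"') or value[-1:] in ("'", '"'):
            findings.append((key, "path must not be quoted"))
    if not p.get("CA_File"):
        findings.append(("CA_File", "missing: SSL connections cannot be established"))
    if bool(p.get("Cert_File")) != bool(p.get("Key_File")):
        findings.append(("Cert_File", "Cert_File and Key_File must be set together"))
    # Assumption: a configured Key_File means client certificate authentication is in use.
    if p.get("Key_File") and not p.get("Passphrase"):
        findings.append(("Passphrase", "Key_File is set but no Passphrase unlocks it"))
    if p.get("Client_Cert_Alias") and not p.get("Client_Cert_Passphrase"):
        findings.append(("Client_Cert_Passphrase", "unset: keystore password is used"))
    if p.get("Key_Store_Location") and not p.get("Client_Cert_Alias"):
        findings.append(("Client_Cert_Alias", "unset: first keystore certificate is sent"))
    for key in FLAG_KEYS:  # both flags default to "no"
        if p.get(key, "no") not in ("yes", "no"):
            findings.append((key, "must be yes or no"))
    return sorted(findings)

# Constructed sample input; paths and values are made up for illustration.
SAMPLE = """\
Key_Store_Location="C:/Program Files/app/client.jks"
Key_Store_Password=changeit
Cert_File=certs/client.pem
Client_Cert_Alias=app-client
Credentials_Encrypted=true
"""

if __name__ == "__main__":
    for param, message in lint_ssl_settings(SAMPLE):
        print(f"{param}: {message}")
```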