SSL Configuration Parameters
Parameter | Default | Recommended | Description |
---|---|---|---|
Passphrase_Encrypted | no | yes | Specifies whether the value in Passphrase is the obfuscated form produced by the PassPhraseEncryption method of the PassPhraseSecure class, so that the clear-text PFX passphrase does not have to be stored in the Properties file. Possible settings in the Properties file: • yes - enables the parameter. To enable, set Passphrase_Encrypted=yes. • no - disables the parameter; Passphrase is read as clear text. For details of the PassPhraseEncryption method, refer to API Definition for PassPhraseEncryption Method. |
Passphrase | no default | | The passphrase that protects the client private key in the PFX-format client certificate. It is required when client certificate authentication is enabled on the NAE server and ClientCert Location='File'; when ClientCert Location='MSCertStore', Passphrase is not used. It is considered only when Protocol is set to ssl. The supported characters for the passphrase are: ( ) ! \ ` \| ; > $ + , - . / : = [ ] ^ _ { } ~ ' # " ? The & and < characters are not supported. Note: The maximum passphrase length differs by platform: 254 characters on Windows, 509 characters on Linux. |
Verify_SSL_Certificate | no | yes | Enables or disables verification of the CipherTrust Manager IP address/host name against the Subject Common Name (CN) or Subject Alternative Name (DNS or IP) in the server certificate. With no, any server certificate that chains to the trusted CA is accepted whatever host it was issued for, so the connection can be intercepted by anyone holding such a certificate. Valid values: • yes • no |
Host | blank | blank | The Common Name or Subject Alternative Name of the server certificate on the NAE Server. Valid values: • blank • valid CN/SAN of server certificate Note: • It is recommended to keep the <Host> property blank; the value is fetched internally from the server certificate that the NAE Server presents during the SSL handshake. • If the CN/SAN value differs between the server certificates used by multiple NAE servers, the <Host> field must be left blank to make an SSL connection, because the <Host> field does not support multiple values. • The <Host> property will be deprecated in a future release. |
ClientCert | no default | | Specifies the location of the client certificate, which must be in the PFX format. For the Microsoft Certificate Store on Windows, set Location='MSCertStore' and pass the certificate Thumbprint as the value. For example: <ClientCert Location='MSCertStore'>ed 16 e0 50 78 7a 0b fb d5 bb 68 19 4c 07 a1 b3 64 5d 9d 1b</ClientCert> Location='File' works on all platforms, including Windows. For example: <ClientCert Location='File'>C:\Certificates\clientcred.pfx</ClientCert> ClientCert is required when client certificate authentication is enabled on the NAE server. It is considered only when Protocol is set to ssl. |
CA_File | no default | yes | The CA certificate that signed the server certificate the NAE Server presents to the client. Possible setting: the path and file name of the CA certificate. The path can be absolute or relative to your application. Do not use quotes, even if the path contains spaces. For example: <CA_File Tier="1">C:\SSL_Certs\72.162\xyz_CA.crt</CA_File> All CipherTrust Manager servers in a clustered environment must have an identical configuration and therefore use the same server certificate, so you only need to point to one CA certificate in the CA_File parameter. If you do not supply the CA certificate either in CA_File or in the trusted store, your client applications cannot establish SSL connections with any of the servers in the cluster. If a local CA signed the NAE Server certificate, download the CA certificate and copy it to the client machine. If the signer is a root Certificate Authority, put that single root CA in the file; if intermediate CAs are involved, put all the intermediate CAs together with the root CA in the file. This property is tier-aware. |
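The parameters above interact: Verify_SSL_Certificate=no leaves the CA check in place but drops the host check, a File-located PFX needs a Passphrase that is either obfuscated or sitting in clear text, and a Passphrase with & or < (or one over the platform limit) fails at runtime rather than at configuration time. The following Python linter, an added example that is not code from the original page or from the CipherTrust client, reads an SSL section from an XML-style Properties file and reports each of those conditions. It assumes (both assumptions) that the element names match the parameter names in the table and that the file uses a `<Properties>` root element; it also assumes letters and digits are permitted in Passphrase alongside the punctuation the table lists. The two configurations embedded in it are constructed, not copied from any deployment.

```python
"""Lint the SSL parameters of a CipherTrust NAE client Properties file (XML form)."""
import string
import xml.etree.ElementTree as ET

# Punctuation the parameter table lists as supported in Passphrase; letters and
# digits being allowed is an assumption (the table does not say either way).
ALLOWED_PUNCT = set("()!\\`|;>$+,-./:=[]^_{}~'#\"?")
ALLOWED = set(string.ascii_letters + string.digits) | ALLOWED_PUNCT
MAX_LEN = {"windows": 254, "linux": 509}  # per-platform limits from the table

# Constructed weak configuration: host check off, no trust anchor, Host pinned,
# clear-text PFX passphrase containing the two unsupported characters.
WEAK_CONFIG = r"""<Properties>
  <Protocol>ssl</Protocol>
  <Verify_SSL_Certificate>no</Verify_SSL_Certificate>
  <Host>nae01.example.internal</Host>
  <ClientCert Location='File'>C:\Certificates\clientcred.pfx</ClientCert>
  <Passphrase_Encrypted>no</Passphrase_Encrypted>
  <Passphrase>pfx&amp;secret&lt;1</Passphrase>
</Properties>"""

# Constructed hardened configuration. The Passphrase value is a placeholder for
# whatever PassPhraseEncryption returns, not real output of that method.
HARDENED_CONFIG = r"""<Properties>
  <Protocol>ssl</Protocol>
  <Verify_SSL_Certificate>yes</Verify_SSL_Certificate>
  <Host></Host>
  <CA_File Tier="1">C:\SSL_Certs\xyz_CA.crt</CA_File>
  <ClientCert Location='File'>C:\Certificates\clientcred.pfx</ClientCert>
  <Passphrase_Encrypted>yes</Passphrase_Encrypted>
  <Passphrase>EncryptedValueFromPassPhraseEncryption</Passphrase>
</Properties>"""


def _text(root, name):
    """Text of the first child element called `name`, or '' if absent/empty."""
    el = root.find(name)
    return (el.text or "").strip() if el is not None else ""


def lint_ssl_config(xml_text, platform="linux"):
    """Return a list of findings (empty list means nothing to object to)."""
    root = ET.fromstring(xml_text)
    findings = []

    # The SSL parameters only apply when Protocol is ssl.
    if _text(root, "Protocol").lower() != "ssl":
        findings.append("Protocol is not ssl: traffic to the NAE server is not TLS-protected")
        return findings

    if _text(root, "Verify_SSL_Certificate").lower() != "yes":
        findings.append("Verify_SSL_Certificate is not yes: server CN/SAN is not checked, "
                        "any certificate chaining to the trusted CA is accepted")
    if not _text(root, "CA_File"):
        findings.append("CA_File is missing: no trust anchor for the NAE server certificate")
    if _text(root, "Host"):
        findings.append("Host is set: recommended blank (taken from the server certificate; "
                        "the field is deprecated and cannot hold multiple values)")

    cert = root.find("ClientCert")
    location = cert.get("Location", "") if cert is not None else ""
    passphrase = _text(root, "Passphrase")

    if location == "File":
        if not passphrase:
            findings.append("ClientCert Location='File' requires a Passphrase for the PFX")
        elif _text(root, "Passphrase_Encrypted").lower() != "yes":
            findings.append("Passphrase_Encrypted is not yes: PFX passphrase is stored in clear text")
    elif location == "MSCertStore" and passphrase:
        findings.append("Passphrase is ignored when ClientCert Location='MSCertStore'")

    if passphrase:
        unsupported = sorted({c for c in passphrase if c not in ALLOWED})
        if unsupported:
            findings.append("Passphrase contains unsupported characters: " + " ".join(unsupported))
        limit = MAX_LEN[platform.lower()]
        if len(passphrase) > limit:
            findings.append(f"Passphrase exceeds the {limit}-character limit on {platform}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {lint_ssl_config(cfg, 'windows') or ['ok']}")
```

Run it against your own Properties file before enabling client certificate authentication; a passphrase that passes the character and length checks here still has to match the passphrase the PFX was created with, which this linter cannot verify offline.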