Setting up SSL/TLS
This section explains the steps to configure SSL/TLS with CipherTrust Manager.
After configuring the SSL/TLS, you can:
The CipherTrust Manager comes with pre-configured SSL/TLS settings. However, you can also configure the settings according to your organizational needs.
Configuring SSL/TLS with CipherTrust Manager
Standard SSL/TLS communication requires a certificate that identifies the server. This certificate is signed by a certificate authority (CA) known to both the server and the client. During the SSL/TLS handshake, the server certificate is passed to the client. The client uses a copy of the CA certificate to validate the server certificate, thus authenticating the server.
It is recommended that you increase security only after confirming network connectivity. You should establish a TCP connection before enabling SSL/TLS. Otherwise, an unrelated network connection mistake could interfere with your SSL/TLS setup and complicate the troubleshooting process.
While the CA can be a third-party CA or your corporate CA, you will most likely use a local CA on the CipherTrust Manager appliance. If you are not using a local CA, consult your CA documentation for instructions on signing requests and exporting certificates.
To use an SSL/TLS connection when communicating with the CipherTrust Manager appliance, configure the server and the client.
To configure the server:
Create a server certificate. (If you are using a cluster, each member must have its own, unique certificate). To create a server certificate:
Create a Local CA
Create a CSR on the console
Sign a Certificate Request with a Local CA
Make the certificate active. Refer to Activating the Server Certificate.
Enable the SSL/TLS connection.
Log on to the console as an administrator with Certificate Authorities access control.
Navigate to Settings > Interfaces.
Under Interface Configurations, edit the NAE interface and select a TLS option in the Mode field. Available options are:
TLS, allow anonymous logins, ignore client cert
TLS, user must supply password, ignore client cert
TLS, allow anonymous logins, verify client cert
TLS, user must supply password, verify client cert
Verify client cert, username taken from client cert, auth request is optional
Verify client cert, password is needed, username in cert must match username in authentication request
Without TLS, any secret or message transmitted to and from the CipherTrust Manager through this interface could be compromised.
To configure the client, you must:
Place a copy of the CA certificate on your client. Refer to Downloading a Local CA Certificate.
Update the CADP_PKCS11.properties file as follows:
Protocol=ssl
CA_File=<location and name of the CA certificate file>
Authenticating Server Certificate on CipherTrust Manager
This section describes the procedure to configure SSL/TLS for server certificate authentication.
Creating a Local CA
To create a local CA:
Log on to the console as an administrator with Certificate Authorities access control.
Click CA.
Under the Local Certificate Authorities section, click New Local CA.
On the New Local CA window, enter the fields as needed.
Click Create Local CA. It is added in the Pending CAs.
From the Pending CAs list, click the local CA that you want to create. A window listing the properties and values of the CA opens.
You can either self-sign the Certificate Signing Request (CSR) or upload a certificate signed by an external CA.
To upload a certificate signed by an external CA, you must first have installed the external CA certificate.
Once the CA is verified, it is listed under the Local Certificate Authorities section.
In the Local Certificate Authorities list, you can view Subject, Serial#, Activation, Expiration, and State.
You can also delete, view certificate details, and download the local certificate.
Only a local CA can sign certificate requests on the CipherTrust Manager appliance. If you are using a CA that does not reside on the CipherTrust Manager appliance, you cannot use the console to sign certificate requests.
Creating a CSR on the Console
To create a certificate signing request on the console:
Log on to the console as an administrator with Certificates access control.
Click CA.
Under the CSR Tool section, click Create CSR.
On the Create CSR window, enter the fields as needed (Common Name is mandatory).
Click Create. You'll be prompted with two options: save csr and save private key.
Click save csr to save the CSR in the .pem format.
You must save the Private Key to continue.
Click save private key to save the private key in .pem format.
For generating public/private key pairs for server certificates, only the RSA algorithm is supported.
Signing a Certificate Request with a Local CA
To sign a certificate request with a local CA:
Log in to the console as an administrator with Certificates access control.
Navigate to CA > Local Certificate Authorities and click on the local CA from which you want to sign the CSR.
Click Upload and Sign CSR.
Copy the CSR saved in the previous section and paste it into the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).
From the Certificate Purpose list, select server.
In the Duration in days field, enter the life span of the certificate. Enter at least 365 days.
Click Issue Certificate.
The newly created certificate is listed under Parent Issuer. This certificate can be used as the server certificate for the NAE Server.
Activating the Server Certificate
To activate the server certificate:
Log on to the Management Console as an administrator.
Navigate to Settings > Interfaces.
For the NAE interface, click the icon in the Action column.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a local CA.
Alternatively, if you select a CA in the Local CA for Automatic Server Certificate Generation field and click Update, a server certificate is generated automatically and made active.
Expand Upload Certificate.
In the Certificate text box, paste the server certificate, CA certificate, and key in the PEM format or base64 encoded PKCS#12 format.
The certificates must be listed in ascending order, from the server certificate up to the root CA, with any intermediate CAs in between. Maintaining this order is important:
<server cert> <ca cert> <key>
Select Format.
Click Upload New Certificate and then click Update.
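Before pasting the CSR into the console (see Signing a Certificate Request with a Local CA) and before uploading the certificate bundle above, it is worth checking that the text carries the expected PEM header and footer and that the bundle is ordered server cert, CA cert(s), key. The following Python check is an added example, not part of the CipherTrust documentation or product; the sample blocks it builds are constructed placeholders around arbitrary bytes, not real certificates or keys.

```python
"""Sanity checks for PEM text pasted into the CipherTrust Manager console.
Added example, not product code; the sample blocks are constructed placeholders
around arbitrary bytes, not real certificates or keys."""
import base64
import re

# One PEM block: header, base64 body (possibly line-wrapped), matching footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Return (label, body) for every PEM block; a non-base64 body raises."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, body))
    return blocks

def check_csr_paste(text):
    """The pasted CSR must be one block with the CERTIFICATE REQUEST header/footer."""
    blocks = pem_blocks(text)
    return len(blocks) == 1 and blocks[0][0] == "CERTIFICATE REQUEST"

def check_upload_bundle(text):
    """Upload order: server cert, CA cert(s) up to the root, then the key last."""
    labels = [label for label, _ in pem_blocks(text)]
    if len(labels) < 3:  # at least server cert, CA cert and key
        return False
    *certs, last = labels
    return all(lbl == "CERTIFICATE" for lbl in certs) and last in KEY_LABELS

def constructed_block(label, payload):
    """Build a PEM-shaped block around arbitrary bytes (constructed test data)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed inputs: the required order (server, CA, key) versus key first.
GOOD_BUNDLE = (constructed_block("CERTIFICATE", b"server cert placeholder")
               + constructed_block("CERTIFICATE", b"local CA placeholder")
               + constructed_block("RSA PRIVATE KEY", b"key placeholder"))
BAD_BUNDLE = (constructed_block("RSA PRIVATE KEY", b"key placeholder")
              + constructed_block("CERTIFICATE", b"server cert placeholder")
              + constructed_block("CERTIFICATE", b"local CA placeholder"))

if __name__ == "__main__":
    print("upload bundle order ok:", check_upload_bundle(GOOD_BUNDLE))  # True
    print("key-first bundle ok:", check_upload_bundle(BAD_BUNDLE))     # False
```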
Downloading a Local CA Certificate
To download a local CA certificate from the CipherTrust Manager appliance:
Log in to the console as an administrator with Certificate Authorities access controls.
Navigate to CA > Local Certificate Authorities and click the download button to download a local CA. You should place the CA certificate in a secure location and modify access appropriately.
Update the following parameters in your CADP_PKCS11.properties file:
Protocol=ssl
CA_File=<path to CA cert>\localca.crt
• Whenever you update the properties file, you must restart the application for the changes to take effect.
• Use the CA_File parameter in the CADP_PKCS11.properties file to indicate the name and location of the CA certificate.