Authenticating Client Certificate on CipherTrust Manager
This section explains the procedure of authenticating Client Certificate on CipherTrust Manager.
In this SSL configuration, certificates are required from both the server and the client. Each certificate is signed by a trusted CA known to both the server and the client; most likely you will use one CA to sign both certificates. During the SSL handshake, the certificates are exchanged, and both the client and the server use the CA certificate to validate the other party's certificate, thus authenticating that party.
To enable client certificate authentication, you must first successfully configure SSL. Then, you must make additional configuration changes to the client and the server.
It is recommended that you increase security only after confirming network connectivity. You should establish a TCP connection before enabling SSL. Otherwise, an unrelated network connection mistake could interfere with your SSL setup and complicate the troubleshooting process.
To configure the client:
Create a client certificate. This involves two steps:
Generating a Client Certificate Request with OpenSSL
Signing a Certificate Request and Downloading the Certificate
You can create a certificate request using OpenSSL. You can then sign the request with the local CA on the CipherTrust Manager appliance. Once signed, the certificate request becomes a valid certificate.
If you are not using a local CA, consult your CA documentation for instructions on signing requests and exporting certificates.
Update the CADP_PKCS11.properties file as follows:
Cert_File=<location and name of the client certificate>
Key_File=<location and name of the client's key file>
Passphrase=<the passphrase used to unlock the client's key file>
Restart the Oracle Database service after updating the properties file for the changes to take effect.
To configure the server, you must upload a CA certificate on the server.
Generating a Client Certificate Request with OpenSSL
To generate a client certificate request:
Open the command window.
If you are using OpenSSL, run the following command:
openssl req -out clientreq -newkey rsa:2048 -keyout clientkey
By default, both the certificate request and the private key are created in the working directory. You can generate them in another directory by including a path in the certificate request and key file names.
For example, to create them in the C:\client_certs directory, use the following command:
openssl req -out C:\client_certs\clientreq -newkey rsa:2048 -keyout C:\client_certs\clientkey
The certificate request generation process will then request the following details:
A PEM passphrase to encode the private key: The passphrase that encodes the private key is the first passphrase you provide after issuing the above command. This will be the Passphrase parameter in the CADP_PKCS11.properties file.
The distinguished name: The distinguished name is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, locality name, organization name, organizational unit name, common name, and email address.
A challenge password: This challenge password is NOT used in the CipherTrust Manager environment.
An optional company name.
Signing a Certificate Request and Downloading the Certificate
This section describes how to sign a certificate request with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
To sign a certificate request with a local CA:
Log on to the console as an administrator with Certificate Authorities access controls.
Navigate to CA > Local Certificate Authorities and click the local CA by which you want to sign the CSR.
Click Upload and Sign CSR.
Copy the CSR and paste it on the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).
From the Certificate Purpose list, select client.
In the Duration in days field, enter the life span of the certificate. Enter a minimum of 365 days.
Click Issue Certificate. The newly created certificate is listed under Parent Issuer.
Click the image button to save the certificate on your local machine.
You should place the certificate in a secure location and modify access appropriately.
Update the following parameters in the CADP_PKCS11.properties file:
Cert_File=<path to client cert>\client.crt
Key_File=<path to client key>\clientkey
Passphrase=<the passphrase used to unlock the client's key file>
Restart the Oracle Database service after updating the properties file for the changes to take effect.
Use the Cert_File parameter in the CADP_PKCS11.properties file to indicate the name and location of the client certificate.
Configuring external CA Certificate on CipherTrust Manager
Creating the external CA Certificate
To create an External CA Certificate and upload it on the CipherTrust Manager, follow the below steps:
Create an RSA key using the following openssl command:
openssl genrsa -out rootCAKey.pem 2048
This command generates the rootCAKey.pem file.
Create a CA certificate using the generated RSA key.
openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
The above command uses rootCAKey.pem, generated in the previous step, to generate the CA certificate rootCACert.pem.
Upload the CA on the CipherTrust Manager, using the following steps:
Go to CA > External.
On the CA page, click Add External CA.
Paste the contents of rootCACert.pem and click Save.
Creating Client Certificate
To create a client certificate, perform the following steps:
Create a key to be used in the client certificate.
openssl genrsa -out client.key 2048
This command generates the RSA key client.key.
Create a client CSR using the key generated above.
openssl req -key client.key -new -sha256 -out client.csr -subj /O=my-org/OU=my-org/OU=client/CN=client
This command uses client.key, generated in the previous step, to generate the client CSR client.csr.
Sign the CSR with the CA certificate and the CA key generated above.
openssl x509 -req -days 360 -in client.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out client.cert -sha256
Creating Server Certificate
To create a server certificate, perform the following steps:
Create a server key using the following command.
openssl genrsa -out server.key 2048
Create a CSR for the server using the above generated key.
openssl req -key server.key -new -sha256 -out server.csr -subj /O=my-org/OU=my-org/OU=server/CN=server
Create a server certificate using the following openssl command.
openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server.cert -sha256
Configuring NAE Interface
On the CM, go to Admin Settings and perform the following steps to configure the NAE Interface:
Click Interfaces.
On the Interfaces page, select the NAE Interface with the required port.
Click the 3-dot menu against the required interface and select Upload/Generate New Certificate. The Upload Certificate window appears.
Select the Text option under Certificate; a text box appears.
In the Certificate text box, paste the contents of the Server Certificate, the External CA Certificate, and the Server Key file, in that order. Do not introduce any space, character, or symbol between the contents of these files.
Select PEM as the certificate Format.
The Password field is optional and can be skipped.
Click Upload Certificate.