SSL Configuration Parameters
Parameter | Default | Description |
---|---|---|
CA_File | no default | CA certificate used to sign the server certificate that the NAE Server presents to the client. The certificate can be stored in a file or, on Windows, in the Microsoft Certificate Store, and the form of the CA_File value depends on where it is stored. Possible settings: • The path and file name - The absolute path and file name of the CA certificate file. Do not use quotes, even if the path contains spaces. For example: CA_File=C:\SSL_Certs\72.162\xyz_CA.crt • CA_Location|CA common name or CA file path - The location followed by the name or path of the CA certificate, where CA_Location is either Cert_File_Path or Microsoft_Cert_Store. These two values are valid only on Windows; on other platforms CA_File is simply the absolute path of the CA file, as in the first setting. With Cert_File_Path, the path of the CA certificate file follows the | (this is equivalent to the default setting, a bare path), for example CA_File=Cert_File_Path|C:\SSL_Certs\72.162\xyz_CA.crt With Microsoft_Cert_Store, the common name of the CA certificate follows the |, for example CA_File=Microsoft_Cert_Store|xyz where xyz is the common name of the CA certificate. Note: For Microsoft_Cert_Store, the CA certificate must be imported under Trusted Root Certification Authorities of the Local Machine store, which is accessible only to Admin users. Because all CipherTrust Manager servers in a clustered environment must have an identical configuration, every server in the cluster uses the same server certificate, so you only need to point to one CA certificate in the CA_File parameter. If you do not supply the CA certificate that signed the server certificate used by CipherTrust Manager, your client applications cannot establish SSL connections with any server in the cluster. If a local CA on CipherTrust Manager signed the NAE Server certificate, download that local CA's certificate and place it on the client. |
Cert_File | no default | Path and file name of the client certificate. Used only when your SSL configuration requires clients to present a client certificate to authenticate to CipherTrust Manager. The form of the value depends on the option chosen in Cert_File_Location. Possible settings: • The path and file name - The absolute path and file name of the client certificate used for authentication. Do not use quotes, even if the path contains spaces. Client certificates must be PEM encoded. Use this form when Cert_File_Location is set to Cert_File_Path. • The common name (CN) - The Common Name of the certificate held in the Microsoft Certificate Store or on an EToken. This Common Name must be unique within the certificate store. Use this form when Cert_File_Location is set to Microsoft_Cert_Store or EToken; Key_File and Passphrase can then be left blank. Note: If the value is a path and file name, both the certificate and its private key must be present on the client, even if CipherTrust Manager is not configured to request a client certificate. |
Key_File | no default | Private key associated with the client certificate specified in the Cert_File parameter. Possible setting: • The path and file name - The absolute path and file name of the key file. Do not use quotes, even if the path contains spaces. The client private key must be in PEM-encoded PKCS#8 format. Because this key is encrypted, you must also set the Passphrase parameter so that the client can decrypt it. Note: For Microsoft_Cert_Store or EToken, this parameter can be left blank. |
Passphrase | no default | Passphrase that protects the private key specified in the Key_File parameter. If a callback is registered (by calling I_C_SetPassPhraseCallback() before I_C_OpenSession()), the value of the Passphrase parameter is ignored. If you provide neither a passphrase nor a callback, the client attempts to read the passphrase from standard input, which causes an unattended application to hang. Note: The properties file is NOT encrypted. Keep it in a secure directory with permissions that make it readable only by the intended application or user. Note: For Microsoft_Cert_Store or EToken, this parameter can be left blank. |
Passphrase_Encrypted | no | Enables or disables passphrase obfuscation. Possible settings: • yes - Passphrase obfuscation is enabled. Obfuscate the passphrase with the PassPhraseSecure command line utility and store the result in the Passphrase parameter. • no - Passphrase obfuscation is disabled. The passphrase is either stored as plaintext in the Passphrase parameter or supplied by a user-specified callback function; when a callback is used, any plaintext passphrase in the Passphrase parameter is ignored. Obfuscation is reversible and is not encryption under a secret the client lacks, so it keeps the passphrase out of casual view but does not replace restrictive permissions on the properties file. For more information, refer to "Securing Passphrase". |
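A pre-flight check that applies the rules in this table to a properties file before the client is started. This is an added example written for this page, not code from the CADP for C library or from this documentation. It assumes the properties file is plain Key=Value lines with # comment lines, that Cert_File_Location defaults to Cert_File_Path when it is absent (the page refers to that parameter without listing it), and that the caller states the platform explicitly; the sample files are constructed.

```python
"""Pre-flight checker for the SSL parameters in a CADP client properties file.
Added example, not part of the product. Assumes Key=Value lines, '#' comments,
and that Cert_File_Location defaults to Cert_File_Path when absent."""
import re

_WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]")   # C:\... or C:/...
_POSIX_ABS = re.compile(r"^/")

# Constructed sample files, not taken from a real deployment.
SAMPLE_GOOD = r"""
# client-side SSL settings
CA_File=Cert_File_Path|C:\SSL_Certs\72.162\xyz_CA.crt
Cert_File=C:\SSL_Certs\72.162\client.crt
Key_File=C:\SSL_Certs\72.162\client.key
Passphrase=changeit
Passphrase_Encrypted=no
"""
SAMPLE_BAD = r"""
CA_File="C:\SSL_Certs\xyz CA\xyz_CA.crt"
Cert_File=certs\client.crt
Passphrase_Encrypted=maybe
"""


def parse_properties(text):
    """Parse Key=Value lines; values keep any quotes so the checks can flag them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _path_findings(param, value, platform):
    """Rules shared by every path-valued parameter: absolute and unquoted."""
    out = []
    if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
        out.append(f"{param}: do not quote the path, even if it contains spaces")
        value = value.strip("\"'")
    pattern = _WIN_ABS if platform == "windows" else _POSIX_ABS
    if not pattern.match(value):
        out.append(f"{param}: path must be absolute, got {value!r}")
    return out


def validate(props, platform="linux"):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    ca = props.get("CA_File", "")
    if not ca:
        findings.append("CA_File: missing; no SSL connection can be established")
    else:
        location, sep, rest = ca.partition("|")
        if not sep:                               # bare path: the default form
            findings.extend(_path_findings("CA_File", ca, platform))
        elif location == "Cert_File_Path":        # same as the default form
            findings.extend(_path_findings("CA_File", rest, platform))
        elif location == "Microsoft_Cert_Store":  # CN of a Trusted Root CA (Windows)
            if platform != "windows":
                findings.append("CA_File: Microsoft_Cert_Store is only valid on Windows")
            if not rest:
                findings.append("CA_File: Microsoft_Cert_Store needs the CA common name after '|'")
        else:
            findings.append(f"CA_File: unknown CA_Location {location!r}")

    cert = props.get("Cert_File", "")
    cert_loc = props.get("Cert_File_Location", "Cert_File_Path")   # assumed default
    if cert and cert_loc not in ("Microsoft_Cert_Store", "EToken"):
        # A file-based client certificate needs its PKCS#8 key and that key's passphrase.
        findings.extend(_path_findings("Cert_File", cert, platform))
        key = props.get("Key_File", "")
        if not key:
            findings.append("Key_File: required when Cert_File is a file path")
        else:
            findings.extend(_path_findings("Key_File", key, platform))
        if not props.get("Passphrase"):
            findings.append("Passphrase: empty; without a registered callback "
                            "the client reads it from stdin and hangs")

    if props.get("Passphrase_Encrypted", "no").lower() not in ("yes", "no"):
        findings.append("Passphrase_Encrypted: must be yes or no")
    return findings


def mode_findings(path, mode):
    """The file is not encrypted: flag group/world bits of its POSIX mode
    (pass stat.S_IMODE(os.stat(path).st_mode) for a real file)."""
    if mode & 0o077:
        return [f"{path}: mode {oct(mode)} is readable by others; use chmod 600"]
    return []
```

Run validate(parse_properties(open(path).read()), platform="windows") or "linux" on the real file and refuse to start the application while the list is non-empty; the SAMPLE_BAD file produces five findings (quoted CA_File, relative Cert_File, missing Key_File, missing Passphrase, invalid Passphrase_Encrypted). mode_findings covers the page's permission note on POSIX hosts only; on Windows, restrict the file with NTFS ACLs instead.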