Configure SSL connection
This section explains various procedures for establishing secure connections between the CipherTrust Manager and their clients:
Authenticating Server Certificate on the CipherTrust Manager
Authenticating Client Certificate on the CipherTrust Manager
Note
CipherTrust Manager comes with pre-configured SSL settings. However, you can also configure the settings in accordance with your organizational needs.
Configuring SSL with the CipherTrust Manager
Standard SSL communication requires a certificate that identifies the server. This certificate is signed by a certificate authority (CA) known to both the server and the client. During the SSL handshake, the server certificate is passed to the client. The client uses a copy of the CA certificate to validate the server certificate, thus authenticating the server.
Tip
It is recommended that you increase security only after confirming network connectivity. You should establish a TCP connection before enabling SSL. Otherwise, an unrelated network connection mistake could interfere with your SSL setup and complicate the troubleshooting process.
While the CA can be a third-party CA or your corporate CA, you will most likely use a local CA on the CipherTrust Manager appliance. If you are not using a local CA, consult your CA documentation for instructions on signing requests and exporting certificates.
To use an SSL connection when communicating with the CipherTrust Manager appliance, configure the server and the client.
To configure the server:
Create a server certificate. (If you are using a cluster, each member must have its own, unique certificate). To create a server certificate, follow these steps:
Creating a Local CA
Creating a CSR on the console
Signing a Certificate Request with a Local CA
Make the certificate active. Refer to the Activating the Server Certificate.
Enabling SSL connection.
Log on to the console as an administrator with Certificate Authorities access control.
Navigate to Settings > Interfaces.
Under Interface Configurations, edit NAE interface and select a TLS option in the Mode field. Available options are:
TLS, allow anonymous logins, ignore client cert
TLS, user must supply password, ignore client cert
TLS, allow anonymous logins, verify client cert
TLS, user must supply password, verify client cert
Verify client cert, username taken from client cert, auth request is optional
Verify client cert, password is needed, username in cert must match username in authentication request
Tip
Without TLS, any secret or message transmitted to and from the CipherTrust Manager through this interface could be compromised. Restart the CipherTrust Manager for these configuration changes to come into effect.
To configure the client, you must:
Place a copy of the CA certificate on your client. Refer to the Downloading a Local CA Certificate
Update the
CDP_MSSQLServer.properties
file as follows:Protocol=ssl CA_File=<location and name of the CA certificate file>
Authenticating Server Certificate on the CipherTrust Manager
This section describes the procedure to configure SSL for server certificate authentication.
Creating a Local CA
To create a local CA:
Log on to the console as an administrator with Certificate Authorities access control.
Click CA.
Under the Local Certificate Authorities section, click New Local CA.
On the New Local CA window, enter the fields as needed.
Click Create Local CA. It is added in the Pending CAs.
From the Pending CAs list, click the local CA that you want to create. A window containing property and value of the CA displays.
You can either self-sign Certificate Signing Request (CSR) or upload a certificate signed by an external CA.
Note
For uploading a certificate signed by an external CA, you must have installed the external CA certificate.
Once the CA is verified, it is listed under the Local Certificate Authorities section.
In the Local Certificate Authorities list, you can view Subject, Serial#, Activation, Expiration, and State.
You can also delete, view certificate details, and download the local certificate.
Note
Only a local CA can sign certificate requests on the CipherTrust Manager appliance. If you are using a CA that does not reside on the CipherTrust Manager appliance you cannot use the console to sign certificate requests.
Creating a CSR on the Console
To create a certificate signing request on the console:
Log on to the console as an administrator with Certificates access control.
Click CA.
Under the CSR Tool section, click Create CSR.
On the Create CSR window, enter the fields as needed (Common Name is mandatory).
Click Create. You'll be prompted with two options: save csr and save private key.
Click save csr to save the CSR in the .pem format.
Note
You must save the Private Key to continue.
Click save private key to save the private key in .pem format.
Note
For generation of public/private key pairs for server certificates only RSA algorithm is supported.
Signing a Certificate Request with a Local CA
To sign a certificate request with a local CA:
Log in to the console as an administrator with Certificates access control.
Navigate to CA > Local Certificate Authorities and click on the local CA from which you want to sign the CSR.
Click Upload and Sign CSR.
Copy the saved CSR in the previous section and paste it on the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).
From the Certificate Purpose list, select server.
In the Duration in days field, enter the life span of the certificate. Enter minimum 365 days.
Click Issue Certificate.
The newly created certificate is listed under Parent Issuer. This certificate can be used as the server certificate for the NAE Server.
Activating the Server Certificate
To activate the server certificate:
Log on to the Management Console as an administrator.
Navigate to Settings > Interfaces.
For NAE interface, click icon in the Action column.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a local CA.
Note
In the Local CA for Automatic Server Certificate Generation field, if you select any CA then just click Update. It will automatically generate a server certificate and make it active.
Expand Upload Certificate.
In the Certificate text box, paste the server certificate, CA certificate, and key in the PEM format or base64 encoded PKCS#12 format.
Note
The list of certificates must be added from server cert to root ca in the ascending order. If there are any intermediate CAs, they can be added. The key can be anywhere. Maintaining the following order is important:
<server cert> <ca cert> <key>
Select Format.
Click Upload New Certificate and then click Update. Restart the application after uploading the certificate.
Downloading a Local CA Certificate
To download a local CA certificate from the CipherTrust Manager appliance:
Log in to the console as an administrator with Certificate Authorities access controls.
Navigate to CA > Local Certificate Authorities and click the download button to download a local CA. You should place the CA certificate in a secure location and modify access appropriately.
Update the following parameters in your
CDP_MSSQLServer.properties
file:Protocol=ssl CA_File=<path to CA cert>\localca.crt
Note
Whenever you update the property file, you must restart the database for the changes to take effect.
Use the
CA_File
parameter in theCDP_MSSQLServer.properties
file to indicate the name and location of the CA certificate.
Authenticating Client Certificate on the CipherTrust Manager
This SSL configuration requires that both the server and the client provide certificates. Each certificate is signed by a trusted CA known to both the server and the client. Most likely, you will use one CA to sign both the certificates. During the SSL handshake, the certificates are exchanged. Both the client and the server use the CA certificate to validate each others' certificate, thus authenticating the other party.
Note
For more information about configuring SSL, see Configuring SSL with the CipherTrust Manager.
To enable client certificate authentication, you must first successfully configure SSL. Then, you must make additional configuration changes to the client and the server.
Tip
It is recommended that you increase security only after confirming network connectivity. You should establish a TCP connection before enabling SSL. Otherwise, an unrelated network connection mistake could interfere with your SSL setup and complicate the troubleshooting process.
To configure the client:
Create a client certificate. This involves two steps:
Signing a Certificate Request and Downloading the Certificate
You can create a certificate request using OpenSSL. You can then sign the request with the local CA on the CipherTrust Manager appliance. Once signed, the certificate request becomes a valid certificate.
If you are not using a local CA, consult your CA documentation for instructions on signing requests and exporting certificates.
Update the
CDP_MSSQLServer.properties
file as follows:Cert_File=
<location and name of the client certificate>
Key_File=<location and name of the client’s key file>
Passphrase=<the passphrase used to unlock the client’s key file>
Note
Restart the database after updating the property file for the changes to take effect.
To configure the server, you must upload a CA certificate on the server.
Generating a Client Certificate Request with req.exe
To generate a client certificate request:
Open a command prompt window and navigate to the directory where the Certificate Request Generator utility (req.exe) is installed.
Generate an RSA key and a client certificate request using the following command::
req -out clientreq -newkey rsa:1024 -keyout clientkey
Here,
clientreq
is the name of the certificate request being created, andclientkey
is the name of the private key associated with the certificate request.If you are using OpenSSL, use the following command:
openssl req -out clientreq -newkey rsa:1024 -keyout clientkey
Note
By default, both the certificate request and private key will be created in the working directory. You can generate them in another directory by including a location in the certificate request and key name.
For example, to create them in the
C:\client_certs
directory, use the following command:openssl req -out C:\client_certs\clientreq -newkey rsa:2048 - keyout C:\client_certs\clientkey
The key generation process will then request the following data:
A PEM passphrase to encode the private key: The passphrase that encodes the private key is the first passphrase you provide after issuing the above command. This will be the Passphrase parameter in the
CDP_MSSQLServer.properties
file.The distinguished name: The distinguished name is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, locality name, organization name, organizational unit name, common name, and email address.
A challenge password: This challenge password is NOT used in the CipherTrust Manager environment.
An optional company name.
!!! note In the Organization Name, specify an appropriate name instead of the default value.
Signing a Certificate Request and Downloading the Certificate
This section describes how to sign a certificate request with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
To sign a certificate request with a local CA:
Log on to the console as an administrator with Certificate Authorities access controls.
Navigate to CA > Local Certificate Authorities and click the local CA by which you want to sign the CSR.
Click Upload and Sign CSR.
Copy the CSR and paste it on the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).
From the Certificate Purpose list, select client.
In the Duration in days field, enter the life span of the certificate. Enter minimum 365 days.
Click Issue Certificate. The newly created certificate is listed under Parent Issuer.
Click the image button to save the certificate on your local machine.
Note
You should place the certificate in a secure location and modify access appropriately.
Update the following parameters in the CDP_MSSQLServer.properties file:
Cert_File=<path to client cert>\client.crt Key_File=<path to client key>\clientkey Passphrase=<the passphrase used to unlock the client's key file>
Note
Restart the database after updating the properties file for the changes to take effect.
Use the
Cert_File
parameter in theCDP_MSSQLServer.properties
file to indicate the name and location of the client certificate.
Uploading an External CA Certificate on the Server
If the client certificate was signed by an external CA, you must upload the CA certificate on the CipherTrust Manager appliance. To upload a CA certificate:
Log in to the console as an administrator with Certificate Authorities access controls.
Navigate to CA > External Certificate Authorities.
In the Upload External Certificate text box, paste all text from the certificate, including header and footer.
Click upload.
Note
Both the server and client certificates should be signed by the same CA to make SSL work.
The SSL/TLS configuration on the CipherTrust Manager appliance is now complete.