Configure SSL
To use an SSL connection when communicating with the CipherTrust Manager, you must configure both the server and the client.
SSL with Server Certificate Authentication
When communicating with the CipherTrust Manager, you must configure both the server and the client to have SSL with server certificate authentication.
To configure the server:
Create a local Certificate Authority (CA)
Create a server certificate and sign it with the local CA
Configure the NAE server interface
To configure the client:
Add the local CA Certificate, downloaded from the CipherTrust Manager management console, to keystore.
Update the
ProtectDB.propertiesfile.
Creating a Local CA on CipherTrust Manager
To create a local CA:
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Under Local Certificate Authorities section, click New Local CA.
On the New Local CA screen, enter or select the details as required (The Common Name parameter is mandatory).
Click Create Local CA. The local CA created is listed beside the Pending CAs label.
Click the local CA beside the Pending CAs label. The local CA with its detail is displayed on screen.
Set the Duration for the local CA. You can either self-sign the certificate or upload an external CA to sign the local CA. The CA gets listed in the Local Certificate Authorities section.
Note
Only a local CA can sign certificate on the CipherTrust Manager. If you are using a CA that does not reside on the CipherTrust Manager, you cannot use the Management Console to sign the sever/client certificate.
Click the ellipsis icon corresponding to local CA and then click the download button to download the local CA certificate. Save the certificate in .pem format in the system where CDP is used.
Creating a Certificate on CipherTrust Manager
To create and sign a certificate with a local CA:
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Navigate to the Local Certificate Authorities section and click on the name of local CA (under the heading Subject) using which you want to generate and sign the certificate.
Click Create New Certificate. The Create New Certificate screen is displayed.
Enter or select the details as required (Common Name parameter is mandatory).
Click New Certificate.
Click save private key to download and save the private key with .pem extension.
From the Certificate Purpose drop-down, select server.
Click Issue Certificate.
10.The server certificate is created and gets signed with the local CA. This certificate can be used as the server certificate for the NAE server.
11.Click the ellipsis icon corresponding to the server certificate and then click the download button to save the server certificate in .pem format.
Configuring Interface on CipherTrust Manager
To configure the NAE server interface:
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
On the Interface Configurations page, click Add Interface.
Enter/select the details and then click Add.
Click the ellipsis icon corresponding to the interface and then click Edit. The interface configuration screen is displayed.
Note
Select the TLS, user must supply password, verify client cert option when SSL with client certificate authentication is also used.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a Local CA option.
Expand Upload Certificate.
In the Certificate text box, paste the contents of server certificate, local CA certificate, and key in the PEM format.
Note
Maintain this order:
while pasting the contents of the certificates and key. In the Format field, select the PEM option.
Click Upload New Certificate.
Click Update.
Note
Restart the application (Settings >> Services >> Restart button) after interface is configured.
Adding the Local CA Certificate to Keystore
Run the following command to add the local CA certificate downloaded from CipherTrust Manager to the keystore:
`keytool -keystore <name_of_the_keystore> -import -alias <alias_name_of_CAcertificate> -file </certificate_location LocalCA_cerfiticate_file.pem>`
Updating the Properties file
Update the following parameters in the ProtectDB.properties file:
| Parameter | Description |
|---|---|
| NAE_Port | Specify the port used by CipherTrust Manager for SSL connection. |
| Protocol | Set it to ssl. |
| Key_Store_Location | Location of the keystore. For example, /tmp/KYLO_utility_keystore/cacertswhere: — /tmp/KYLO_utility_keystore/ is the keystore path— cacert is the keystore name. For windows machine, the keystore path will be \\tmp\\KYLO_utility_keystore\\cacerts. |
| Key_Store_Password | Password of the keystore. |
SSL with Client Certificate Authentication
This section describes the procedures to follow when configuring SSL with Client Certificate Authentication. It explains the following processes:
Generating a Client Certificate with Keytool
Signing a Certificate and Downloading the Certificate
Configuring TLS Option in NAE Server Interface
Adding the Client Certificate to the Java Keystore
Updating the Parameters in ProtectDB.properties
Generating a Client Certificate with Keytool
To generate a client certificate:
Open a command prompt window on your client and navigate to the Java security directory (
\lib\security). Generate a public/private key pair by executing the following command. In this step, an alias for the key pair is created.
keytool -keystore <KeystoreName> -genkey -alias <KeyPairAlias> -keyalg RSAThe key generation process will then request the following data:
A keystore password.
The distinguished name.
This is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, city or locality name, organization name, organizational unit name, and the users first and last name.
- The key password.
The certificate password must be the same as the keystore password. You can simply hit Return/Enter key to set the password. You need not retype the keystore password.
Create the certificate by issuing the following command. Reference the key pair alias, created in step 2.
keytool -certreq -alias <KeyPairAlias> -file <CertReqFileName> -keystore <KeystoreName>You will now have a certificate in the
file.
Signing a Certificate and Downloading the Certificate
This section describes how to sign a certificate with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
To sign a certificate with a local CA:
Open the certificate request in a text editor.
Copy the text of the certificate request. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and the footer (-----END CERTIFICATE REQUEST-----).
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
In the Local Certificate Authorities section, click the Subject corresponding to the local CA with which you want to sign the certificate.
Click Upload and Sign CSR.
Paste the text of the certificate in the text field highlighted as Paste external CSR here in PEM format.
Select Certificate Purpose as client and specify the life span of the certificate in days in Duration in days field.
Click Issue Certificate.
Click download button against the certificate to be downloaded.
Save the certificate in the machine where CDP is installed.
Configuring TLS Option in NAE Server Interface
To configure the TLS option for client certificate authentication:
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
Click the edit button under column Action against the nae interface. The Configure NAE pop-up window is displayed.
In the Mode field, select the TLS, user must supply password, verify client cert option.
Click Update.
Note
Restart the application (Settings >> Services >> Restart button) after the TLS option is updated.
Adding the Client Certificate to the Java Keystore
To add the client certificate to the Java keystore: 1. Open a command prompt window on your client and navigate to the Java security directory (
Import the signed client certificate using the following command. Use the key pair alias you used to create the certificate request. When prompted, enter the keystore password.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -import -file <CertFileName.pem>Verify that the client certificate was properly imported by executing the following command. Reference the key pair alias you used above. The system should display the certificate.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -list -v
To enable Client Certificate Authentication, your keystore must have a copy of the CA certificate downloaded from CipherTrust Manager management console.
Updating the Properties file
Update the following parameters in the ProtectDB.properties file:
| Parameter | Description |
|---|---|
| NAE_Port | Specify the port used by CipherTrust Manager for SSL connection. |
| Protocol | Set it to ssl. |
| Key_Store_Location | Location of the keystore. For example, /tmp/KYLO_utility_keystore/cacertswhere: — /tmp/KYLO_utility_keystore/ is the keystore path— cacert is the keystore name. For windows machine, the keystore path will be \\tmp\\KYLO_utility_keystore\\cacerts. |
| Key_Store_Password | Password of the keystore. |
The SSL/TLS configuration on the CipherTrust Manager appliance is now complete.
