Configure SSL Connection
To use an SSL connection when communicating with the CipherTrust Manager over the NAE interface, you must configure both the server (the CipherTrust Manager) and the client.
Note
CipherTrust Manager comes with pre-configured SSL settings. However, you can also configure the settings in accordance with your organizational needs.
SSL with Server Certificate Authentication
When communicating with the CipherTrust Manager, you must configure both the server and the client for SSL with server certificate authentication.
To configure the server
Create a local CA on the CipherTrust Manager, create a server certificate signed by that local CA, and configure the NAE interface to use the certificate. The three procedures below cover these steps.
To configure the client
Add the local CA certificate, downloaded from the CipherTrust Manager management console, to the client keystore and update the IngrianNAE.properties file. The two procedures that follow the server configuration cover these steps.
Creating Local CA on CipherTrust Manager
To create a local CA:
Log on to the CipherTrust Manager management console as an administrator. The Applications page is displayed.
Click Keys & Access Management and then click the CA tab on the left.
Under Local Certificate Authorities section, click New Local CA.
On the New Local CA screen, enter or select the details as required (the Common Name parameter is mandatory).
Click Create Local CA. The local CA created is listed beside the Pending CAs label.
Click the local CA beside the Pending CAs label. The local CA with its detail is displayed on screen.
Set the Duration for the local CA. You can either self-sign the certificate or upload an external CA to sign the local CA. The CA is then listed in the Local Certificate Authorities section.
Note
Only a local CA can sign certificates on the CipherTrust Manager. If you are using a CA that does not reside on the CipherTrust Manager, you cannot use the Management Console to sign the server/client certificate.
Click the ellipsis icon corresponding to the local CA and then download the local CA certificate. Save the certificate in .pem format on the system where the pdbctl utility is used.
Creating Certificate on CipherTrust Manager
To create and sign a certificate with a local CA:
Log on to the CipherTrust Manager management console as an administrator.
Click Keys & Access Management and then click the CA tab on the left.
Navigate to the Local Certificate Authorities section and click the name of the local CA (under the Subject heading) with which you want to generate and sign the certificate. The Parent Issuer: page for that CA is displayed. Click Create New Certificate. The Create New Certificate screen is displayed.
Enter or select the details as required (the Common Name parameter is mandatory).
Click New Certificate.
Click save private key to download and save the private key with a .pem extension. You need this key later, when the certificate is uploaded to the NAE interface.
From the Certificate Purpose drop-down, select server.
Click Issue Certificate.
The server certificate is created and signed with the local CA. The certificate is listed on the Parent Issuer: page and can be used as the server certificate for the NAE server. Click the ellipsis icon corresponding to the server certificate and then download the server certificate in .pem format.
Configuring Interface on CipherTrust Manager
To configure the NAE server interface:
Log on to the CipherTrust Manager management console as an administrator. The Applications page is displayed.
Click Admin Settings.
Click to expand System and then click Interfaces.
On the Interface Configurations page, click Add Interface.
Enter or select the details and then click Add.
Click the ellipsis icon corresponding to the interface and then click Edit. The interface configuration screen is displayed.
Note
For the Mode field, select the TLS, user must supply password, verify client cert option if SSL with client certificate authentication is also to be used.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a Local CA option.
Expand Upload Certificate.
In the Certificate text box, paste the contents of the server certificate, the local CA certificate, and the private key, all in .pem format.
Note
Maintain the order given above (server certificate, then local CA certificate, then private key) while pasting the contents of the certificates and key. In the Format field, select the PEM option.
Click Upload New Certificate.
Click Update.
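The bundle pasted into the Certificate text box is easy to get wrong (blocks in the wrong order, a key that belongs to a different certificate, a certificate that was not issued by the local CA), and the interface gives little feedback. The following script is an added example and is not part of the CipherTrust Manager documentation or product: it assembles the bundle in the required order and checks it with openssl before upload. It assumes openssl 1.1.1 or later is on PATH, and it generates its own throwaway local CA and server certificate (the CN values Example Local CA and nae.example.internal are made up) as stand-ins for the files downloaded from the management console; with the real local CA certificate, server certificate and saved private key, only the three file paths passed to build_bundle change.

```shell
#!/bin/sh
# Added example; not part of the CipherTrust Manager documentation or product.
# Builds the PEM bundle the NAE interface's Upload Certificate box expects
# (server certificate, then local CA certificate, then private key) and checks
# it before it is pasted. Assumes openssl (1.1.1 or later) is on PATH.
set -e
WORK="$(mktemp -d)"

# Minimal openssl config so the stand-in CA gets CA:TRUE regardless of the
# system openssl.cnf. The subject is supplied with -subj below.
cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Stand-in for the local CA created in the console (self-signed here).
openssl req -config "$WORK/ca.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 365 -subj "/CN=Example Local CA" \
  -keyout "$WORK/localca.key" -out "$WORK/localca.pem" 2>/dev/null
# Stand-in for the server certificate issued by that CA (purpose: server).
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=nae.example.internal" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/localca.pem" \
  -CAkey "$WORK/localca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null

# build_bundle SERVER_CERT CA_CERT KEY OUT: concatenate in the order the interface expects.
build_bundle() { cat "$1" "$2" "$3" > "$4"; }

# check_bundle BUNDLE CA_CERT: returns 0 only if the bundle holds exactly two
# certificate blocks followed by one private key block, the first certificate
# chains to the local CA, and the key matches that certificate.
check_bundle() {
  bundle="$1"; cafile="$2"; tmp="$(mktemp -d)"
  order="$(grep -o -- '-----BEGIN [A-Z ]*-----' "$bundle" | tr '\n' '|')"
  if [ "$(grep -c -- '-----BEGIN ' "$bundle")" -ne 3 ]; then
    echo "expected 3 PEM blocks, found: $order" >&2; rm -rf "$tmp"; return 1
  fi
  case "$order" in
    "-----BEGIN CERTIFICATE-----|-----BEGIN CERTIFICATE-----|-----BEGIN "*"PRIVATE KEY-----|") ;;
    *) echo "wrong block order: $order" >&2; rm -rf "$tmp"; return 1 ;;
  esac
  # First certificate block = server certificate; the key block is the last one.
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$bundle" > "$tmp/leaf.pem"
  awk '/-----BEGIN .*PRIVATE KEY-----/ { p = 1 } p' "$bundle" > "$tmp/key.pem"
  if ! openssl verify -CAfile "$cafile" "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "server certificate does not chain to the local CA" >&2; rm -rf "$tmp"; return 1
  fi
  cert_pub="$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$tmp/key.pem" -pubout)"
  rm -rf "$tmp"
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match the server certificate" >&2; return 1
  fi
  return 0
}

build_bundle "$WORK/server.pem" "$WORK/localca.pem" "$WORK/server.key" "$WORK/nae_upload.pem"
check_bundle "$WORK/nae_upload.pem" "$WORK/localca.pem" && echo "bundle is ready to paste into the Certificate box"
```

check_bundle treats the first certificate block as the server certificate, so a bundle with the local CA pasted first fails the key-match check rather than the order check; either way the script refuses it before anything reaches the appliance.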
Adding the Local CA Certificate to Keystore
Run the following command to add the local CA certificate downloaded from the CipherTrust Manager to the keystore. keytool prompts for the keystore password and asks you to confirm that the certificate is trusted:
keytool -keystore <name_of_the_keystore> -import -alias <alias_name_of_CAcertificate> -file </certificate_location/LocalCA_certificate_file.pem>
Updating the Parameters in IngrianNAE.properties File
Update the following parameters in the IngrianNAE.properties file:
Parameters | Description |
---|---|
NAE_Port | The port on which the CipherTrust Manager NAE interface accepts SSL connections. |
Protocol | Set it to ssl. |
Key_Store_Location | Location of the keystore. For example /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore name. On a Windows machine, the keystore path is written as \\tmp\\KYLO_utility_keystore\\cacerts. |
Key_Store_Password | Password of the keystore. |
SSL with Client Certificate Authentication
This section describes the procedures to follow when configuring SSL with client certificate authentication. It explains the following processes:
Generating a Client Certificate with Keytool
Signing a Certificate and Downloading the Certificate
Configuring TLS Option in NAE Server Interface
Adding the Client Certificate to the Java Keystore
Updating the Parameters in IngrianNAE.properties
Generating a Client Certificate with Keytool
Open a command prompt window on your client and navigate to the Java security directory (the \lib\security directory under your Java installation). Generate a public/private key pair by executing the following command; the command also creates an alias for the key pair.
keytool -keystore <KeystoreName> -genkey -alias <KeyPairAlias> -keyalg RSA
The key generation process will then request the following data:
A keystore password.
The distinguished name. This is a series of fields whose values are incorporated into the certificate request: country name, state or province name, city or locality name, organization name, organizational unit name, and the user's first and last name.
The key password. The key password must be the same as the keystore password, so simply press Return/Enter to reuse the keystore password; you need not retype it.
Create the certificate signing request by issuing the following command. Reference the key pair alias created in the previous step.
keytool -certreq -alias <KeyPairAlias> -file <CertReqFileName> -keystore <KeystoreName>
You now have a certificate signing request in the <CertReqFileName> file. It is not yet a certificate; the local CA signs it in the next procedure.
Signing a Certificate and Downloading the Certificate
This section describes how to sign a certificate with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
To sign a certificate with a local CA:
Open the certificate request in a text editor.
Copy the text of the certificate request. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and the footer (-----END CERTIFICATE REQUEST-----).
Log on to the CipherTrust Manager management console as an administrator.
Click Keys & Access Management and then click the CA tab on the left.
Under the Local Certificate Authorities section, click the Subject corresponding to the local CA with which you want to sign the certificate.
Click Upload and Sign CSR.
Paste the text of the certificate request in the text field labelled Paste external CSR here in PEM format.
Select client as the Certificate Purpose and specify the life span of the certificate in days in the Duration in days field.
Click Issue Certificate. The certificate is listed on the Parent Issuer: page.
Click the download button against the certificate to download it.
Save the certificate on the machine where the pdbctl utility is installed.
Configuring TLS Option in NAE Server Interface
To configure the TLS option for client certificate authentication:
Log on to the CipherTrust Manager management console as an administrator.
Click Settings >> Interfaces.
Click the edit button in the Action column against the nae interface. The Configure NAE pop-up window is displayed.
In the Mode field, select the TLS, user must supply password, verify client cert option.
Click Update.
Note
Restart the application (Settings >> Services >> Restart button) after the TLS option is updated.
Adding the Client Certificate to the Java Keystore
To add the client certificate to the Java keystore:
Open a command prompt window on your client and navigate to the Java security directory (the \lib\security directory under your Java installation). Import the signed client certificate using the following command. Use the key pair alias you used to create the certificate request, so that keytool stores the signed certificate against the existing private key rather than as a separate trusted certificate entry. When prompted, enter the keystore password.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -import -file <CertFileName.pem>
Verify that the client certificate was properly imported by executing the following command, referencing the same key pair alias. The output should show the entry as Entry type: PrivateKeyEntry, with the certificate chain ending in the local CA.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -list -v
Note
To enable client certificate authentication, your keystore must contain a copy of the local CA certificate downloaded from the CipherTrust Manager management console. Import it (see Adding the Local CA Certificate to Keystore) before importing the signed client certificate: keytool must be able to build a chain from the client certificate to a trusted certificate in the keystore, and otherwise rejects the import with "Failed to establish chain from reply".
Updating the Parameters in IngrianNAE.properties
Update the following parameters in the IngrianNAE.properties file:
Parameters | Description |
---|---|
Key_Store_Location | Location and name of the keystore that contains a copy of the server's local CA certificate, the client certificate, and the CA certificate that signed the client certificate. For example /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore name. On a Windows machine, the keystore path is written as \\tmp\\KYLO_utility_keystore\\cacerts. |
Key_Store_Password | Password associated with the keystore. |
Client_Cert_Alias | Client certificate alias. |
Client_Cert_Passphrase | Client certificate password, if used. |
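As an added example that is not part of the CipherTrust Manager documentation or the NAE client, the following script checks an IngrianNAE.properties file against the parameters in the tables above before the application is started: Protocol set to ssl, a numeric NAE_Port, a readable keystore with a password, and, for client certificate authentication, a Client_Cert_Alias. The two sample files are constructed for the example (port 9000, the alias nae_client and the password changeit are placeholders), and the parser assumes plain Key=Value lines with # comments; the NAE client's own parser may accept more.

```shell
#!/bin/sh
# Added example; not part of the CipherTrust Manager documentation or the NAE client.
# Pre-flight check for the IngrianNAE.properties parameters listed above.
# Assumes the file uses Key=Value lines with # comments.
set -e

# prop FILE KEY: print the value of KEY (empty if absent); the last assignment wins.
prop() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
      if (key == k) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
    }
    END { print v }' "$1"
}

# check_nae_props FILE MODE: MODE is "server" (server certificate authentication
# only) or "client" (client certificate authentication as well). Prints each
# problem found and returns 1 if there is any, 0 if the file is consistent with MODE.
check_nae_props() {
  f="$1"; mode="$2"; rc=0
  proto="$(prop "$f" Protocol)"
  [ "$proto" = "ssl" ] || { echo "Protocol must be ssl (got '${proto:-unset}')"; rc=1; }
  port="$(prop "$f" NAE_Port)"
  case "$port" in
    ''|*[!0-9]*) echo "NAE_Port must be the CipherTrust Manager SSL port number (got '${port:-unset}')"; rc=1 ;;
  esac
  ks="$(prop "$f" Key_Store_Location)"
  if [ -z "$ks" ]; then echo "Key_Store_Location is unset"; rc=1
  elif [ ! -r "$ks" ]; then echo "Key_Store_Location '$ks' is not readable"; rc=1
  fi
  [ -n "$(prop "$f" Key_Store_Password)" ] || { echo "Key_Store_Password is unset"; rc=1; }
  if [ "$mode" = "client" ] && [ -z "$(prop "$f" Client_Cert_Alias)" ]; then
    echo "Client_Cert_Alias is required for client certificate authentication"; rc=1
  fi
  return "$rc"
}

WORK="$(mktemp -d)"
: > "$WORK/cacerts"   # stand-in for the keystore built with keytool above

# Constructed sample: settings that must be fixed before SSL can work
# (plaintext protocol, keystore path that does not exist, empty password).
cat > "$WORK/weak.properties" <<EOF
NAE_Port=9000
Protocol=tcp
Key_Store_Location=$WORK/missing_keystore
Key_Store_Password=
EOF

# Constructed sample: the corrected file for SSL with client certificate authentication.
cat > "$WORK/good.properties" <<EOF
NAE_Port=9000
Protocol=ssl
Key_Store_Location=$WORK/cacerts
Key_Store_Password=changeit
Client_Cert_Alias=nae_client
Client_Cert_Passphrase=changeit
EOF

check_nae_props "$WORK/weak.properties" client || echo "weak.properties: rejected, as expected"
check_nae_props "$WORK/good.properties" client && echo "good.properties: consistent with client certificate authentication"
```

Run it with the mode that matches the interface setting on the CipherTrust Manager: a file that passes in server mode but lacks Client_Cert_Alias fails in client mode, which is exactly the mismatch that surfaces as a TLS handshake failure once the interface is set to verify client certificates.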
The SSL/TLS configuration between the client and the CipherTrust Manager appliance is now complete.