Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks

Change TLS settings between application and CRDP

search

Please Note:

printsuggest an editpdf paneldownload

Change TLS settings between application and CRDP

Note

  • It is recommended to keep your registration token and certificates in secret.

  • It is recommended to keep your secrets in a safe vault.

copy link to clipboardSteps to enable TLS with mandatory client authentication

  1. Create a secret, if it doesn't exist.

    kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-file=ca=<ca certificate path>

  2. In the CRDP deployment file (for example, <crdp-deployment.yaml>), add/update the below lines in the env section.

    env:
  - name: SERVER_MODE
    value: "tls-cert"
  - name: CERT_VALUE
    valueFrom:
      secretKeyRef:
        name: <crdp secret name>
        key: cert
  - name: KEY_VALUE
    valueFrom:
      secretKeyRef:
        name: <crdp secret name>
        key: key
  - name: TRUSTED_CA
    valueFrom:
      secretKeyRef:
        name: <crdp secret name>
        key: ca

  3. Upgrade your CRDP deployment.

    helm upgrade <release-name> <path of helm chart/chart-name> .

    Example

    helm upgrade crdp <path of helm chart/chart-name> .

  1. Create a secret, if it doesn't exist.

    kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-file=ca=<ca certificate path> --from-literal=regtoken=<registration token>

    Note

    If your secret already exists with <registration token>:

    • Update the values of cert, key, and ca in the secret, OR

    • Create a new secret using the kubectl create secret command as described above

  2. In the CRDP deployment file (for example, <crdp-deployment.yaml>), add/update the below lines in the env section.

    env:
  - name: SERVER_MODE
    value: "tls-cert"
  - name: CERT_VALUE
    valueFrom:
      secretKeyRef:
        name: <crdp secret name>
        key: cert
  - name: KEY_VALUE
    valueFrom:
      secretKeyRef:
        name: <crdp secret name>
        key: key
  - name: TRUSTED_CA
    valueFrom:
      secretKeyRef:
        name: <crdp secret name>
        key: ca

  3. Update your CRDP deployment.

    kubectl replace -f <deployment_filename>

  1. Stop the existing container.

  2. Start the container with the updated configuration, as below.

    docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:<CRDP_port> -e SERVER_MODE=tls-cert -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" -e TRUSTED_CA="<trusted ca>" <crdp image name>

    In the command,

    • SERVER_MODE is tls-cert

    • CERT_VALUE: Value of the client certificate.

    • KEY_VALUE: Value of the key associated with the client certificate.

    • TRUSTED_CA: Value of the CA certificate.

    Now, CRDP will verify the certificate presented by the client.

copy link to clipboardSteps to enable TLS without client authentication

  1. In the values.yaml file, under configuration, update the value of servermode to tls-cert-opt.

  2. In the CRDP deployment file (for example, <crdp-deployment.yaml>), add the below lines to the data section of kind:Secret.

    data:
    server.crt: {{.Values.configuration.servercrt}}
    server.key: {{.Values.configuration.serverkey}}

  3. Upgrade your CRDP deployment.

    helm upgrade <helm chart name> <path of helm chart>

  1. In the CRDP deployment file (for example, <crdp-deployment.yaml>), in the data section of ConfigMap, set SERVER_MODE to tls-cert-opt.

  2. Add the following lines to the data section of kind:Secret.

    data:
    server.crt: {{.Values.configuration.servercrt}}
    server.key: {{.Values.configuration.serverkey}}
    trustedca: {{.Values.configuration.trustedca}}

  3. Update your CRDP deployment.

    kubectl replace -f <deployment_filename>

  1. Stop the existing container.

  2. In the environment variable, set the SERVER_MODE field to tls-cert-opt.

  3. Specify the environment variables:

    • CERT_VALUE: Value of the client certificate.

    • KEY_VALUE: Value of the key associated with the client certificate.

  4. Start the container.

    docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:<CRDP_port> -e SERVER_MODE=tls-cert-opt -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" <crdp image name>

copy link to clipboardSteps to disable TLS

  1. In the values.yaml file, under configuration, update the value of servermode to no-tls.

  2. Upgrade your CRDP deployment.

    helm upgrade <helm chart name> <path of helm chart>

  1. In your deployment file, in the data section of ConfigMap, set SERVER_MODE to no-tls.

  2. Update your CRDP deployment.

    kubectl replace -f <deployment_filename>

  1. Stop the existing container.

  2. In the environment variable, set the SERVER_MODE field to no-tls.

  3. Start the container.

    docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:<CRDP_port> -e SERVER_MODE=no-tls <crdp image name>

On this page