Validating CM and CTE with a Local CA Certificate
Note
This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).
To ensure that registration by the CTE agent is serviced only by the expected key manager, you can provide a copy of the root CA certificate that will be used to authenticate the TLS communications with the key manager, during the registration process.
Note
You can only download the CA certificate when you are a root user in the root domain. You cannot download the certificate from a subdomain. It will not work.
Prerequisite
Make sure that you have previously created the client in CipherTrust Manager.
Using a Local CA Certificate
-
Extract the root CA certificate from the CipherTrust Manager.
-
Log on to CipherTrust Manager as an administrator.
-
In the left navigation pane, click CA > Local. The list of available CAs displays.
-
Click the ellipsis icon corresponding to the CA.
-
Click Download to download the CA.
-
Copy the certificate to a directory on the agent system.
-
-
Present the root certificate data to CTE in one of two ways:
-
Use a file:
When written to a file, it must be in PEM file format, starting and ending with:
-----BEGIN CERTIFICATE----- -----END CERTIFICATE-------
-
Use a a string parameter:
If you are providing the information in a single string, it must contain the same data as in the preceding case, except that all new lines are replaced by
\n
escape sequences. For example:CA_CERT=-----BEGIN CERTIFICATE-----\n
-----END CERTIFICATE-----\n
-
-
To install the root certificate into the CTE client:
/opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host.exe -s <Path-to-install-file> AGENT_HOST_NAME=<Hostname-or-IP-of-agent> REG_TOKEN=<CM registration token> CA_FILE=<Path-to-root-ca-cert>
Example
/opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host.exe -s /opt/silent/vte_reg_log.txt AGENT_HOST_NAME=ani-vm-217-35190.sjcicd.com REG_TOKEN=mMEz3Y6Ob9D4L7QuvK5SOmhulRm8DYI8odV5j3OdvuHqk6LhZqE0FeIZHILYTmDiE9 CA_FILE=/cert_files/Austin175.pem
-
Confirm in CipherTrust Manager that the client is registered and healthy.