Configure SSL connection
To use an SSL connection when communicating with the CipherTrust Manager, you must configure both the server and the client.
SSL with Server Certificate Authentication
When communicating with the CipherTrust Manager, you must configure both the server and the client to have SSL with server certificate authentication.
To configure the server:
Create a local Certificate Authority (CA)
Create a server certificate and sign it with the local CA
Configure the NAE server interface
To configure the client:
Add the local CA certificate, downloaded from the CipherTrust Manager management console, to the keystore.
Update the CDP_DB2.properties file.
Creating a Local CA on CipherTrust Manager
To create a local CA:
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Under Local Certificate Authorities section, click Add Local CA.
On the Add Local CA screen, enter or select the details as required (the Common Name parameter is mandatory).
Click Create Local CA. The local CA created is listed beside the Pending CAs label.
Click the local CA beside the Pending CAs label. The local CA with its detail is displayed on screen.
Set the Duration for the local CA. You can either self-sign the certificate or upload an external CA to sign the local CA. The CA gets listed in the Local Certificate Authorities section.
Note
Only a local CA can sign certificates on the CipherTrust Manager. If you are using a CA that does not reside on the CipherTrust Manager, you cannot use the Management Console to sign the server/client certificate.
Click the ellipsis icon corresponding to the local CA and then click the download button to download the local CA certificate. Save the certificate in .pem format on the system where CDP is used.
Creating a Certificate on CipherTrust Manager
To create and sign a certificate with a local CA:
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
Under CA, click Local to navigate to the Local Certificate Authorities section.
Click the name of the local CA and click Issue Certificate.
On the Issue Certificate screen, enter or select the details as required (the Common Name parameter is mandatory) and click Issue Certificate.
Click save private key to download the private key, and save it with a .pem extension.
From the Certificate Purpose drop-down, select server.
Click Issue Certificate.
The server certificate is created and signed with the local CA. This certificate can be used as the server certificate for the NAE server.
Click the ellipsis icon corresponding to the server certificate and then click the download button to save the server certificate in .pem format.
Configuring Interface on CipherTrust Manager
To configure the NAE server interface:
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
On the Interface Configurations page, click Add Interface.
Enter or select the details, such as port and mode, and then click Add.
Click the ellipsis icon corresponding to the interface and then click Edit. The interface configuration screen is displayed.
Note
Select the TLS, user must supply password, verify client cert option when SSL with client certificate authentication is also used.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a Local CA option.
Expand Upload Certificate.
In the Certificate text box, paste the contents of the server certificate, the local CA certificate, and the key in PEM format.
Note
Maintain the following order while pasting the contents of the certificates and key.
<server cert> <ca cert> <key>
In the Format field, select the PEM option.
Click Upload New Certificate.
Click Update.
Restart the application (Settings >> Services >> Restart button) after the interface is configured.
On the DB2 client machine, download the local CA certificate from CipherTrust Manager, place it in the JRE_HOME\lib\security directory, and add it to the keystore using the command below.
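The note above requires the pasted bundle to read server certificate, then local CA certificate, then key. As an added example (not part of the CipherTrust Manager documentation or product), the following Python script assembles the three downloaded .pem files in that order, refuses a file that holds the wrong kind of PEM block, and checks that an already pasted bundle has the expected shape. The PEM bodies are constructed placeholders.

```python
import re

# One PEM block: label and base64 body. Labels with spaces (RSA PRIVATE KEY) are allowed.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text):
    """Labels of all PEM blocks in text, in the order they appear."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_bundle(server_pem, ca_pem, key_pem):
    """Join the three downloaded files in the order the interface expects:
    <server cert> <ca cert> <key>. Raises ValueError when a file does not
    hold exactly one block of the expected kind, or when the same file was
    supplied for both certificates, so a mix-up is caught before pasting."""
    slots = [("server cert", server_pem, {"CERTIFICATE"}),
             ("ca cert", ca_pem, {"CERTIFICATE"}),
             ("key", key_pem, KEY_LABELS)]
    parts = []
    for name, text, allowed in slots:
        labels = pem_labels(text)
        if len(labels) != 1 or labels[0] not in allowed:
            raise ValueError(f"{name}: expected one {sorted(allowed)} block, got {labels}")
        parts.append(PEM_BLOCK.search(text).group(0))
    if parts[0] == parts[1]:
        raise ValueError("server cert and ca cert are the same certificate")
    return "\n".join(parts) + "\n"


def bundle_is_ordered(bundle):
    """True when a pasted bundle reads cert, cert, key and nothing else.
    Two CERTIFICATE blocks cannot be told apart here, so the server/CA
    order itself still has to be confirmed by inspecting each subject."""
    labels = pem_labels(bundle)
    return len(labels) == 3 and labels[:2] == ["CERTIFICATE"] * 2 and labels[2] in KEY_LABELS


def _fake_pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins for the three .pem files downloaded from CipherTrust
# Manager; real files carry base64 DER, these bodies are placeholders only.
SERVER_PEM = _fake_pem("CERTIFICATE", "c2VydmVyLWNlcnQ=")
CA_PEM = _fake_pem("CERTIFICATE", "bG9jYWwtY2E=")
KEY_PEM = _fake_pem("RSA PRIVATE KEY", "cHJpdmF0ZS1rZXk=")

if __name__ == "__main__":
    print(build_bundle(SERVER_PEM, CA_PEM, KEY_PEM))
```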
Adding the Local CA Certificate to Keystore
Navigate to the location where CDP for DB2 is installed and then to the db2home/java/jdk/bin directory.
Run the following command to add the local CA certificate downloaded from CipherTrust Manager to the keystore.
a. For Windows
keytool.exe -import -keystore <keystore_name> -file <local CA certificate>
b. For Linux
keytool -import -keystore <keystore_name> -file <local CA certificate>
Updating the Properties file
Update the following parameters in the CDP_DB2.properties file:
Parameter | Description |
---|---|
NAE_Port | Specify the port used by CipherTrust Manager for SSL connection. |
Protocol | Set it to ssl. |
Key_Store_Location | JRE_HOME\lib\security\cacerts. |
Key_Store_Password | Password of the keystore. |
SSL with Client Certificate Authentication
This section describes the procedures to follow when configuring SSL with Client Certificate Authentication. It explains the following processes:
Generating a Client Certificate with Keytool
Signing a Certificate and Downloading the Certificate
Configuring TLS Option in NAE Server Interface
Adding the Client Certificate to the Java Keystore
Updating the Parameters in CDP_DB2.properties
Generating a Client Certificate with Keytool
To generate a client certificate:
Open a command prompt window on your client and navigate to the Java security directory (JRE_HOME\lib\security). Generate a public/private key pair by executing the following command. In this step, an alias for the key pair is created.
keytool -keystore <KeystoreName> -genkey -alias <KeyPairAlias> -keyalg RSA
The key generation process will then request the following data:
A keystore password.
The distinguished name. This is a series of fields whose values are incorporated into the certificate request: country name, state or province name, city or locality name, organization name, organizational unit name, and the user's first and last name.
The key password. This must be the same as the keystore password; simply press Return/Enter at the prompt rather than retyping the keystore password.
Create the certificate request by issuing the following command, referencing the key pair alias created in step 2.
keytool -certreq -alias <KeyPairAlias> -file <CertReqFileName> -keystore <KeystoreName>
You will now have a certificate request in the <CertReqFileName> file.
Signing a Certificate and Downloading the Certificate
This section describes how to sign a certificate with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
To sign a certificate with a local CA:
Open the certificate request in a text editor.
Copy the text of the certificate request. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and the footer (-----END CERTIFICATE REQUEST-----).
Log on to the CipherTrust Manager management console as an administrator.
Click the CA tab on the left.
In the Local Certificate Authorities section, click the Subject corresponding to the local CA with which you want to sign the certificate.
Click Upload and Sign CSR.
Paste the text of the certificate request in the text field labeled Paste external CSR here in PEM format.
Select Certificate Purpose as client and specify the life span of the certificate in days in Duration in days field.
Click Issue Certificate.
Click the download button against the certificate to be downloaded.
Save the certificate on the machine where CDP is installed.
Configuring TLS Option in NAE Server Interface
To configure the TLS option for client certificate authentication:
Log on to the CipherTrust Manager management console as an administrator.
Click to expand Admin Settings and then click Interfaces.
Click the edit button in the Action column against the nae interface. The Configure NAE pop-up window is displayed.
In the Mode field, select the TLS, user must supply password, verify client cert option.
Click Update.
Note
Restart the application (Settings > Services > Restart button) after the TLS option is updated.
Adding the Client Certificate to the Java Keystore
To add the client certificate to the Java keystore:
Open a command prompt window on your client and navigate to the Java security directory (JRE_HOME\lib\security). Import the signed client certificate using the following command. Use the key pair alias you used to create the certificate request. When prompted, enter the keystore password.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -import -file <CertFileName.pem>
Verify that the client certificate was properly imported by executing the following command. Reference the key pair alias you used above. The system should display the certificate.
keytool -keystore <KeystoreName> -alias <KeyPairAlias> -list -v
To enable Client Certificate Authentication, your keystore must have a copy of the CA certificate downloaded from CipherTrust Manager management console.
Updating the Properties file
Update the following parameters in the CDP_DB2.properties file:
Parameter | Description |
---|---|
NAE_Port | Specify the port used by CipherTrust Manager for SSL connection. |
Protocol | Set it to ssl. |
Key_Store_Location | Location of the keystore. For example, /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore name. On a Windows machine, the keystore path is written as \\tmp\\KYLO_utility_keystore\\cacerts . |
Key_Store_Password | Password of the keystore. |
The SSL/TLS configuration on the CipherTrust Manager appliance is now complete.
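The Windows form of Key_Store_Location in the table above has every backslash doubled because a .properties value is decoded with Java Properties escaping rules: a lone backslash starts an escape, so \tmp would become a tab followed by mp and \l would lose its backslash. As an added example (not part of the CDP documentation or product), the following Python checker decodes the parameters the SSL sections require the same way and flags a keystore path whose backslashes are not doubled. Parameter names are the page's; the sample values, including the port, are constructed.

```python
import re

_SIMPLE = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape(value):
    r"""Decode as java.util.Properties does: \\ -> \, \t \n \r \f -> control
    chars, \uXXXX -> code point, any other \x -> x (backslash dropped). That
    rule is why the page writes the Windows keystore path with \\ doubled."""
    def repl(m):
        esc = m.group(1)
        return _SIMPLE.get(esc, esc) if len(esc) == 1 else chr(int(esc[1:], 16))
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", repl, value)

def parse_properties(text, decode=True):
    """Minimal key=value reader; decode=False keeps the raw right-hand side."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = unescape(m.group(2)) if decode else m.group(2)
    return props

def check_ssl_settings(text):
    """Findings against the parameters the SSL sections require."""
    raw, props = parse_properties(text, decode=False), parse_properties(text)
    problems = []
    if props.get("Protocol") != "ssl":
        problems.append("Protocol must be ssl")
    port = props.get("NAE_Port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("NAE_Port must be the SSL port of the NAE interface")
    loc = raw.get("Key_Store_Location", "")
    if not loc:
        problems.append("Key_Store_Location is missing")
    elif re.search(r"(?<!\\)\\(?!\\)", loc):  # lone backslash: an escape, not a separator
        problems.append("Key_Store_Location: double every backslash on Windows")
    return problems

# Constructed samples, not a real CDP_DB2.properties; the port is a placeholder.
GOOD = r"""NAE_Port=9000
Protocol=ssl
Key_Store_Location=\\tmp\\KYLO_utility_keystore\\cacerts
Key_Store_Password=changeit
"""
BAD = r"""NAE_Port=9000
Key_Store_Location=\tmp\KYLO_utility_keystore\cacerts
Key_Store_Password=changeit
"""
```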