Setting the Address Manager and Gateway server certificate - Adaptive Applications - BlueCat Gateway - 22.2.2

Cloud Discovery & Visibility Administration Guide

Locale
English
Product name
BlueCat Gateway
Version
22.2.2

To use Cloud Discovery & Visibility over HTTPS, you need an SSL/TLS certificate so that BlueCat Address Manager (BAM) and Gateway can communicate with each other. You can either let Address Manager generate a self-signed certificate, or upload custom certificates yourself.

A certificate pair consists of a private key (a .key file) and a certificate containing the matching public key (a .crt file). The .crt file can be shared freely; the .key file is the secret and must be protected. Basic steps are summarized below. For more details, see the Address Manager Administration Guide and the Gateway Administration Guide.

Using self-signed Address Manager certificates

  1. Set up Address Manager to generate a self-signed certificate:
    1. Within Address Manager, in the Administration tab, under User Management, click Secure Access.

    2. In the Self-Signed Certificate section, fill in the needed information for the certificate you want to create.

      When you're done, click Update.

  2. Download the certificate that Address Manager now presents. A simple way to do so is with a short Python 3 script that connects to Address Manager over TLS and saves the certificate it serves.
    1. Create a new script file named get_certificate.py with the following content:
      import os
      import ssl

      # Address Manager host and HTTPS port.
      bam_host = "BAM_IP_HERE"                           # For example, "192.168.55.10"
      bam_port = 443

      # Where to save the certificate (PEM text).
      cert_path = "Full_path_to_save_cert_file"          # For example, "/home/tma/Downloads/Cert/test.crt"

      # Fetch the certificate the server presents during the TLS handshake.
      # No chain validation is performed here (a self-signed certificate would
      # fail it), so confirm the certificate's fingerprint against Address
      # Manager before trusting the saved file.
      cert = ssl.get_server_certificate((bam_host, bam_port))

      os.makedirs(os.path.dirname(cert_path) or ".", exist_ok=True)
      with open(cert_path, "w") as cert_file:
          cert_file.write(cert)
      (Replace BAM_IP_HERE with the IP address of the Address Manager instance you're connecting to, and Full_path_to_save_cert_file with the path where you want to save the certificate file.)
    2. The script uses only the Python 3 standard library (the ssl and os modules), so no additional packages need to be installed.

    3. Run the script (run the command python3 get_certificate.py).

      The certificate (the .crt file) is saved to the location you specified. Note that only the public certificate can be retrieved this way: the private key never leaves Address Manager during a TLS connection.

  3. Upload the certificate files to BlueCat Gateway as follows. You need both the .crt file saved by the script and the matching .key file; the private key cannot be fetched over the network and must be obtained separately from Address Manager, where the certificate was generated. Bear in mind that once the same pair is installed on both systems, compromise of either host exposes the shared private key.

    1. In Gateway, in the navigator area to the left, expand Administration and Configurations, then click General Configuration.

    2. In the Gateway section, in SSL Certificate, click Choose file and browse to the .crt file that you saved.
    3. In SSL Certificate Key, click Choose file and browse to the matching .key file.
    4. In the BAM section, click to select the Validate SSL Certificate checkbox. As with any certificate validation, the connection fails if the certificate has expired or does not match the host name or address that Gateway uses to reach Address Manager, so check both before enabling it.

    5. When you're done, click Save.

Using custom certificates

Gateway also supports custom certificates for communications with Address Manager. You can use a certificate you already have from a certificate authority (CA), or a certificate that you created yourself. In either case, you start by generating a new private key (.key file) and creating a Certificate Signing Request (.csr file) from it. The CSR is then either sent to the CA, which issues the certificate file (.crt), or used to create a self-signed .crt file with your own key.

Note: You'll need an SSL/TLS toolkit to set up your own custom certificate. The following instructions assume you're using OpenSSL, an open source TLS toolkit.

To create the .key and .csr files, you can either use BlueCat Address Manager, or create them manually with your toolkit.

To create the .key and .csr files in Address Manager:

  1. Within Address Manager, in the Administration tab, under User Management, click Secure Access.

  2. Under Server Certificate Settings, select Custom, then select Generate Certificate Signing Request.

    1. Fill in the Common Name, Organization, Department, City, State/Province, Country code, Email address (optional), and Comment (optional) as desired. The Common Name should be the fully qualified host name that Gateway uses to reach Address Manager.
    2. Click to select the Generate Private Key checkbox.
    3. In Key Size, select the size of the key in bits. We strongly recommend a key size of at least 2048 bits.
    4. When you're done, click Generate.
  3. With the CSR and key generated, click Download CSR and Download Private Key to download the newly-generated .csr and .key files, respectively. Store the .key file securely; anyone who holds it can impersonate Address Manager.

To create the .key and .csr files manually:

  1. Generate the private key (the .key file). To do so, run the following OpenSSL command:
    openssl genrsa -out <private_key_name>.key <key_size>
    Where <private_key_name> is a file name for your private key, and <key_size> is the size in bits. We recommend a size of at least 2048.

    This writes an unencrypted key, which is the form the Address Manager and Gateway upload forms expect. If you add -des3 (or -aes256) to the command, OpenSSL encrypts the key file and prompts for a pass phrase, which cannot be left blank; such a key must be decrypted again (openssl rsa -in <encrypted>.key -out <private_key_name>.key) before it can be uploaded. Either way, restrict the file's permissions (for example, chmod 600), since the private key is the secret.

    When you're done, you'll have a .key file.

  2. Generate the .csr file with the following OpenSSL command:
    openssl req -new -key <private_key_name>.key -out <csr_name>.csr
    Where <private_key_name> is the name of your private key file, and <csr_name> is the desired name for your CSR file. (Since the files have different file name extensions, these names can be the same.)
  3. Fill in the fields as requested, one by one. Use the fully qualified host name that Gateway uses to reach Address Manager as the Common Name. The Email Address, Challenge password, and Company name are optional.

  4. When you're done, OpenSSL will generate the .csr file.

To set up the certificate file (.crt) and add the certificates to Address Manager:

Note: You must already have a private key (.key) and the matching certificate signing request (.csr) to generate the certificate. If a certificate authority (CA) will issue your certificate, send it the .csr file and skip step 1: the .crt file the CA returns is the one you upload, together with your .key file, in step 2.
  1. To create a self-signed certificate yourself, generate the .crt file with the following OpenSSL command:
    openssl x509 -req -days 365 -sha256 -in <csr_name>.csr -signkey <private_key_name>.key -out <cert_name>.crt
    Where <csr_name> is the name of your CSR file, <private_key_name> is the name of your private key file, and <cert_name> is the desired name for the certificate file. (Since the files have different file name extensions, these names can be the same.) Without -out, OpenSSL prints the certificate to the terminal instead of writing a file.

    OpenSSL will generate the .crt file. It is valid for 365 days from the time it is created, so plan to renew it before it expires.

  2. Add the new certificate files to Address Manager:

    1. Within Address Manager, in the Administration tab, under User Management, click Secure Access.

    2. If you haven't already done so, enable HTTPS (under General, in HTTPS, select Enable).

    3. Under Server Certificate Settings, select Custom.
    4. Select Load Custom Certificate.
    5. In the Upload Certificate section, upload the certificate files:
      • Under Private Key, click Choose File and browse to your private key file (.key).
      • Under Domain Signed Certificate, click Choose File and browse to your public certificate file (.crt).
  3. Upload the certificate files to BlueCat Gateway as follows:

    1. In Gateway, in the navigator area to the left, expand Administration and Configurations, then click General Configuration.

    2. In the Gateway section, in SSL Certificate, click Choose file and browse to your certificate file (.crt).
    3. In SSL Certificate Key, click Choose file and browse to the matching private key file (.key).
    4. In the BAM section, click to select the Validate SSL Certificate checkbox.

    5. When you're done, click Save.
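The manual OpenSSL procedure above (key, CSR, self-signed certificate), collected into shell functions together with the checks worth running before the files are uploaded, as an added example that is not part of the BlueCat documentation or tooling. It assumes only the openssl command line tool (1.1.1 or later for -addext); the file names bam.key, bam.csr and bam.crt, the name bam.example.test and the key size are placeholders. Beyond the page's commands it adds a Subject Alternative Name (which modern clients check instead of the Common Name), a test that the key and certificate actually belong together, and handling of a key that was created with a pass phrase.

```shell
#!/bin/sh
# Added example (not BlueCat's own tooling): the manual OpenSSL procedure as
# shell functions, plus the checks worth running before uploading the files.
# Requires the openssl command line tool; names, sizes and paths are placeholders.

# 1. Private key. No -des3, so the key is unencrypted, which is what the upload
#    forms need. The key is the secret: keep the file mode restrictive.
make_key() {            # usage: make_key <private_key_name>.key <key_size>
    openssl genrsa -out "$1" "$2" 2>/dev/null && chmod 600 "$1"
}

# A key made with -des3/-aes256 carries a pass phrase; strip it before upload.
# Pass the phrase as the third argument only from scripts that already hold it
# (it is visible in the process list); omit it to be prompted interactively.
decrypt_key() {         # usage: decrypt_key <encrypted.key> <plain.key> [pass]
    if [ -n "$3" ]; then
        openssl rsa -in "$1" -out "$2" -passin "pass:$3" 2>/dev/null
    else
        openssl rsa -in "$1" -out "$2"
    fi && chmod 600 "$2"
}

key_is_encrypted() {    # usage: key_is_encrypted <key>
    grep -q ENCRYPTED "$1"
}

# 2. CSR. -subj replaces the interactive prompts; the CN and the SAN are the
#    name Gateway uses to reach Address Manager. Send this file to your CA, or
#    self-sign it in step 3.
make_csr() {            # usage: make_csr <private_key> <out.csr> <fqdn>
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3" \
        -addext "subjectAltName=DNS:$3" 2>/dev/null
}

# 3. Self-signed certificate. x509 -req does not copy the CSR's extensions, so
#    the SAN is supplied again via -extfile; -out is required to get a file.
make_cert() {           # usage: make_cert <csr> <private_key> <out.crt> <fqdn> [days]
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$4" > "$ext"
    openssl x509 -req -days "${5:-365}" -sha256 -in "$1" -signkey "$2" \
        -extfile "$ext" -out "$3" 2>/dev/null
    rc=$?
    rm -f "$ext"
    return $rc
}

# The upload forms take the key and certificate separately, so a mismatch is
# easy to make. Compare SHA-256 digests of the public key taken from each file.
key_matches_cert() {    # usage: key_matches_cert <private_key> <cert.crt>
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //')
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Modulus size in bits, to confirm the recommended minimum of 2048.
cert_key_bits() {       # usage: cert_key_bits <cert.crt>
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Whole procedure: writes <dir>/bam.key, bam.csr and bam.crt, then verifies the
# pair is consistent and upload-ready. Prints the certificate path on success.
build_self_signed() {   # usage: build_self_signed <dir> <fqdn> [key_size]
    dir=$1; fqdn=$2; bits=${3:-2048}
    mkdir -p "$dir" || return 1
    make_key "$dir/bam.key" "$bits" || return 1
    make_csr "$dir/bam.key" "$dir/bam.csr" "$fqdn" || return 1
    make_cert "$dir/bam.csr" "$dir/bam.key" "$dir/bam.crt" "$fqdn" || return 1
    if key_is_encrypted "$dir/bam.key"; then echo "key is pass-phrase protected" >&2; return 1; fi
    key_matches_cert "$dir/bam.key" "$dir/bam.crt" || { echo "key and certificate do not match" >&2; return 1; }
    [ "$(cert_key_bits "$dir/bam.crt")" -ge 2048 ] || { echo "key smaller than 2048 bits" >&2; return 1; }
    echo "$dir/bam.crt"
}

# Example run (placeholders):
# build_self_signed ./bam-cert bam.example.test 2048
```

The key and certificate produced by build_self_signed are the .key and .crt files referred to in step 2 (Address Manager) and step 3 (Gateway) above. Run key_matches_cert on any pair you are about to upload, including one returned by a CA, since a certificate issued for a different key is accepted by the upload form but fails at the first TLS handshake.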