In order to use Cloud Discovery & Visibility on systems with HTTPS, you'll need to set up an SSL/TLS certificate for BlueCat Address Manager (BAM) and Gateway to communicate with each other. You'll do so either by letting Address Manager use self-signed certificates, or by manually uploading custom certificates yourself.
Certificates are composed of a private key (a `.key` file) and a public key (a `.crt` file). Basic steps are summarized below. For more details, see the Address Manager Administration Guide and the Gateway Administration Guide.
Using self-signed Address Manager certificates
- Set up Address Manager to generate a self-signed certificate:
  - Within Address Manager, in the Administration tab, under User Management, click Secure Access.
  - In the Self-Signed Certificate section, fill in the needed information for the certificate you want to create. When you're done, click Update.
- Download the certificate files that Address Manager created. A simple way to do so is through a Python script.
  - Create a new script file named `get_certificate.py` with the following content:

    ```python
    import os
    import ssl

    # Fetch the certificate that Address Manager presents on its HTTPS port (PEM text).
    cert = ssl.get_server_certificate(
        (
            "BAM_IP_HERE",  # For example, "192.168.55.10"
            443,
        )
    )

    base_file_path = "Full_path_to_save_cert_file"  # For example, "/home/tma/Downloads/Cert/test.crt"

    # Create the destination directory if needed, then write the certificate.
    os.makedirs(os.path.dirname(os.path.abspath(base_file_path)), exist_ok=True)
    with open(base_file_path, "w") as cert_file:
        cert_file.write(cert)
    ```

    (Remember to replace `BAM_IP_HERE` with the IP address of the instance of Address Manager that you're connecting to. Also replace `Full_path_to_save_cert_file` with the path to where you want to extract the certificate files.)
  - If you don't already have it installed, install the `requests` Python 3 library (run the command `pip3 install requests`).
  - Run the script (run the command `python get_certificate.py`).
  - The certificates will be extracted to the location you specified.
- Upload the extracted certificates to BlueCat Gateway as follows:
  - In Gateway, in the navigator area to the left, expand Administration and Configurations, then click General Configuration.
  - In the Gateway section, in SSL Certificate, click Choose file and browse to the `.crt` file that you extracted.
  - In SSL Certificate Key, click Choose file and browse to the `.key` file that you extracted.
  - In the BAM section, click to select the Validate SSL Certificate checkbox.
  - When you're done, click Save.
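Added example (not part of the original BlueCat documentation): `ssl.get_server_certificate()` performs no validation of the server it connects to, so this variant of the download step saves the certificate only when its SHA-256 fingerprint matches a value you obtained over a channel you already trust. The function names and the sample data are assumptions made for illustration.

```python
import hashlib
import os
import ssl


def sha256_fingerprint(pem_cert):
    """Return the SHA-256 fingerprint of a PEM certificate as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fingerprint):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex and return lowercase hex."""
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()


def save_if_pinned(pem_cert, expected_fingerprint, out_path):
    """Write pem_cert to out_path only if it matches the expected fingerprint."""
    actual = sha256_fingerprint(pem_cert)
    if actual != normalize_fingerprint(expected_fingerprint):
        # Refuse to store a certificate that is not the one we expected to see.
        raise ValueError("fingerprint mismatch, got %s" % actual)
    os.makedirs(os.path.dirname(os.path.abspath(out_path)), exist_ok=True)
    with open(out_path, "w") as cert_file:
        cert_file.write(pem_cert)
    return actual


def fetch_and_save(host, expected_fingerprint, out_path, port=443):
    """Fetch the certificate presented by host:port and store it if pinned."""
    # No chain or hostname validation happens here; the pin is the only check.
    pem_cert = ssl.get_server_certificate((host, port))
    return save_if_pinned(pem_cert, expected_fingerprint, out_path)


# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(sha256_fingerprint(SAMPLE_PEM))
```

Against a live system, call `fetch_and_save()` with the Address Manager IP address, the expected fingerprint and the destination path.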
Using custom certificates
Gateway also supports custom certificates for communications with Address Manager. You can use a certificate you already have from a certificate authority, or a certificate that you created yourself. When creating your own certificate, you'll generate a new randomized private `.key` file, create a `.csr` file from it (a Certificate Signing Request), then use the CSR to create the public certificate file (`.crt`).
To create the `.key` and `.csr` files, you can either use BlueCat Address Manager, or create them manually with your SSL toolkit.
To create the `.key` and `.csr` files in Address Manager:
- Within Address Manager, in the Administration tab, under User Management, click Secure Access.
- Under Server Certificate Settings, select Custom, then select Generate Certificate Signing Request.
- Fill in the Common Name, Organization, Department, City, State/Province, Country code, Email address (optional), and Comment (optional) as desired.
- Click to select the Generate Private Key checkbox.
- In Key Size, select the desired size of the encryption key. We strongly recommend you choose a Key size of at least 2048 bits.
- When you're done, click Generate.
- With the certificate generated, click Download CSR and Download Private Key to download the newly-generated `.csr` and `.key` files, respectively.
To create the .key and .csr files manually:
- Generate the private key (the .key file). To do so, run the following OpenSSL command:

  ```
  openssl genrsa -des3 -out <private_key_name>.key <key_size>
  ```

  Where `<private_key_name>` is a file name for your private key, and `<key_size>` is the size (in bits). We recommend a size of at least 2048. You'll be asked for a pass phrase. You can leave the pass phrase blank if you prefer.

  When you're done, you'll have a `.key` file.
- Generate the `.csr` file with the following OpenSSL command:

  ```
  openssl req -new -key <private_key_name>.key -out <csr_name>.csr
  ```

  Where `<private_key_name>` is the name of your private key file, and `<csr_name>` is the desired name for your CSR file. (Since the files have different file name extensions, these names can be the same.) Fill in the fields as requested, one by one. The Email Address, Challenge password, and Company name are optional.
- When you're done, OpenSSL will generate the `.csr` file.
To set up the public key file (`.crt`) and add the certificates to Address Manager:

.key) and matching certificate signing request (.csr) files to generate the public key.
- Generate the `.crt` file with the following OpenSSL command:

  ```
  openssl x509 -req -days 365 -in <csr_name>.csr -signkey <private_key_name>.key
  ```

  Where `<csr_name>` is the name of your CSR file and `<private_key_name>` is the desired name for your private key file. (Since the files have different file name extensions, these names can be the same.) OpenSSL will generate the `.crt` file.
- Add the new certificate files to Address Manager:
  - Within Address Manager, in the Administration tab, under User Management, click Secure Access.
  - If you haven't already done so, enable HTTPS (under General, in HTTPS, select Enable).
  - Under Server Certificate Settings, select Custom.
  - Select Load Custom Certificate.
  - In the Upload Certificate section, upload the certificate files:
    - Under Private Key, click Choose File and browse to your private key file (`.key`).
    - Under Domain Signed Certificate, click Choose File and browse to your public certificate file (`.crt`).
- Upload the extracted certificates to BlueCat Gateway as follows:
  - In Gateway, in the navigator area to the left, expand Administration and Configurations, then click General Configuration.
  - In the Gateway section, in SSL Certificate, click Choose file and browse to the `.crt` file that you extracted.
  - In SSL Certificate Key, click Choose file and browse to the `.key` file that you extracted.
  - In the BAM section, click to select the Validate SSL Certificate checkbox.
  - When you're done, click Save.