In order to use Cloud Discovery & Visibility on systems with HTTPS, you'll need to set up an SSL/TLS certificate for BlueCat Address Manager (BAM) and Gateway to communicate with each other. You'll do so by manually uploading custom certificates yourself.
Certificates are composed of a private key (a .key file) and a public key (a .crt file). Basic steps are summarized below. For more details, see the Address Manager Administration Guide and the Gateway Administration Guide.
Using custom certificates
Gateway also supports custom certificates for communications with Address Manager. You can use a certificate you already have from a certificate authority, or a certificate that you created yourself. When creating your own certificate, you'll generate a new randomized private .key file, create a .csr file from it (a Certificate Signing Request), then use the CSR to create the public certificate file (.crt).
To create the .key and .csr files, you can either use BlueCat Address Manager, or create them manually with your SSL toolkit.
To create the .key and .csr files in Address Manager:
- Within Address Manager, in the Administration tab, under User Management, click Secure Access.
- Under Server Certificate Settings, select Custom, then select Generate Certificate Signing Request.
- Fill in the Common Name, Organization, Department, City, State/Province, Country code, Email address (optional), and Comment (optional) as desired.
- Click to select the Generate Private Key checkbox.
- In Key Size, select the desired size of the encryption key. We strongly recommend you choose a Key size of at least 2048 bits.
- When you're done, click Generate.
- With the certificate generated, click Download CSR and Download Private Key to download the newly-generated .csr and .key files, respectively.
To create the .key and .csr files manually:
- Generate the private key (the .key file). To do so, run the following OpenSSL command:
    openssl genrsa -des3 -out <private_key_name>.key <key_size>
  Where <private_key_name> is a file name for your private key, and <key_size> is the size (in bits). We recommend a size of at least 2048. You'll be asked for a pass phrase. You can leave the pass phrase blank if you prefer.
  When you're done, you'll have a .key file.
- Generate the .csr file with the following OpenSSL command:
    openssl req -new -key <private_key_name>.key -out <csr_name>.csr
  Where <private_key_name> is the name of your private key file, and <csr_name> is the desired name for your CSR file. (Since the files have different file name extensions, these names can be the same.) Fill in the fields as requested, one by one. The Email Address, Challenge password, and Company name are optional.
- When you're done, OpenSSL will generate the .csr file.
To set up the public key file (.crt) and add the certificates to Address Manager:
.key) and matching certificate signing request (.csr) files to generate the public key.
- Generate the .crt file with the following OpenSSL command:
    openssl x509 -req -days 365 -in <csr_name>.csr -signkey <private_key_name>.key -out <crt_name>.crt
  Where <csr_name> is the name of your CSR file and <private_key_name> is the desired name for your private key file. (Since the files have different file name extensions, these names can be the same.)
  OpenSSL will generate the .crt file.
- Add the new certificate files to Address Manager:
  - Within Address Manager, in the Administration tab, under User Management, click Secure Access.
  - If you haven't already done so, enable HTTPS (under General, in HTTPS, select Enable).
  - Under Server Certificate Settings, select Custom.
  - Select Load Custom Certificate.
  - In the Upload Certificate section, upload the certificate files:
    - Under Private Key, click Choose File and browse to your private key file (.key).
    - Under Domain Signed Certificate, click Choose File and browse to your public certificate file (.crt).
Upload the extracted certificates to BlueCat Gateway as follows:
- In Gateway, in the navigator area to the left, expand Administration and Configurations, then click General Configuration.
- In the BAM section, click to select the Validate SSL Certificate checkbox.
- In SSL Certificate, click Choose file and browse to the .crt file that you extracted.
- When you're done, click Save.
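
Before uploading the files in the steps above, it is worth confirming that the .crt carries the public half of the .key, that the key meets the recommended 2048-bit minimum, and that the certificate has not expired. The shell function below is an added example, not part of the BlueCat documentation; check_cert_pair is a hypothetical helper name, and the file paths are whatever you chose for <private_key_name>.key and <crt_name>.crt.

```shell
#!/bin/sh
# Added example: pre-upload checks for a .key/.crt pair created with the
# OpenSSL steps on this page. check_cert_pair is a hypothetical helper name.
#
# Usage: check_cert_pair <key_file> <crt_file> [min_bits]
# Returns 0 when every check passes, 1 otherwise.
# A key protected with a pass phrase makes openssl prompt for it.
check_cert_pair() {
    key=$1; crt=$2; min_bits=${3:-2048}

    # 1. The certificate must contain the public key derived from this
    #    private key; a mismatched pair cannot complete a TLS handshake.
    key_pub=$(openssl pkey -in "$key" -pubout) || {
        echo "FAIL: cannot read private key $key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || {
        echo "FAIL: cannot read certificate $crt" >&2; return 1; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $crt was not created from $key" >&2; return 1
    fi

    # 2. The key size must meet the minimum (default 2048 bits).
    bits=$(openssl x509 -in "$crt" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key size ${bits:-unknown} is below $min_bits bits" >&2
        return 1
    fi

    # 3. The certificate must not already be expired
    #    (-days 365 in the x509 step gives it one year).
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $crt has expired" >&2; return 1
    fi

    echo "OK: $crt matches $key ($bits-bit key, currently valid)"
}
```

Run it as check_cert_pair <private_key_name>.key <crt_name>.crt; a non-zero exit status means the pair should not be uploaded as is.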