Setting the Address Manager and Gateway server certificate - Adaptive Applications - BlueCat Gateway - 23.3.2

Cloud Discovery & Visibility Administration Guide

Locale
English
Product name
BlueCat Gateway
Version
23.3.2

In order to use Cloud Discovery & Visibility on systems with HTTPS, you'll need to set up an SSL/TLS certificate for BlueCat Address Manager (BAM) and Gateway to communicate with each other. You'll do so by manually uploading custom certificates yourself.

Certificates are composed of a private key (a .key file) and a public key (a .crt) and . Basic steps are summarized below. For more details, see the Address Manager Administration Guide and the Gateway Administration Guide.

Using custom certificates

Gateway also supports custom certificates for communications with Address Manager. You can use a certificate you already have from a certificate authority, or a certificate that you created yourself. When creating your own certificate, you'll generate a new randomized private .key file, create a .csr file from it (a Certificate Signing Request), then use the CSR to create the public certificate file (.crt).

Note: You'll need an SSL toolkit to set up your own custom certificate. The following instructions assume you're using OpenSSL, a multi-featured open source SSL toolkit.

To create the .key and .csr files, you can either use BlueCat Address Manager, or create it manually with your SSL toolkit.

To create the .key and .csr files in Address Manager:

  1. Within Address Manager, in the Administration tab, under User Management, click Secure Access.

  2. Under Server Certificate Settings, select Custom, then select Generate Certificate Signing Request.

    1. Fill in the Common Name, Organization, Department, City, State/Province, Country code, Email address (optional), and Comment (optional) as desired.
    2. Click to select the Generate Private Key checkbox.
    3. In Key Size, select the desired size of the encryption key. We strongly recommend you choose a Key size of at least 2048 bits.
    4. When you're done, click Generate.
  3. With the certificate generated, click Download CSR and Download Private Key to download the newly-generated .csr and .key files, respectively.

To create the .key and .csr files manually:

  1. Generate the private key (the .key file). To do so, run the following OpenSSL command:
    openssl genrsa -des3 -out <private_key_name>.key <key_size>
    Where <private_key_name> is a file name for your private key, and the <key_size> is the size (in bits). We recommend a size of at least 2048.

    You'll be asked for a pass phrase. You can leave the pass phrase blank if you prefer.

    When you're done, you'll have a .key file.

  2. Generate the .csr file with the following OpenSSL command:
    openssl req -new -key <private_key_name>.key -out <csr_name>.csr
    Where <private_key_name> is the name of your private key file, and <csr_name> is the desired name for your CSR file. (Since the files have different file name extensions, these names they can be the same.)
  3. Fill in the fields as requested, one by one. The Email Address, Challenge password, and Company name are optional.

  4. When you're done, OpenSSL will generate the .csr file.

To set up the public key file (.crt) and add the certificates to Address Manager:

Note: You must already have a private key (.key) and matching certificate signing request (.csr) files to generate the public key.
  1. Generate the .crt file with the following OpenSSL command:
    openssl x509 -req -days 365 -in <csr_name>.csr -signkey <private_key_name>.key -out <crt_name>.crt
    Where <csr_name> is the name of your CSR file and <private_key_name> is the desired name for your private key file. (Since the files have different file name extensions, these names they can be the same.)

    OpenSSL will generate the .crt file.

  2. Add the new certificate files to Address Manager:

    1. Within Address Manager, in the Administration tab, under User Management, click Secure Access.

    2. If you haven't already done so, enable HTTPS (under General, in HTTPS, select Enable).

    3. Under Server Certificate Settings, select Custom.
    4. Select Load Custom Certificate.
    5. In the Upload Certificate section, upload the certificate files:
      • Under Private Key, click Choose File and browse to your private key file (.key).
      • Under Domain Signed Certificate, click Choose File and browse to your public certificate file (.crt).
  3. Upload the extracted certificates to BlueCat Gateway as follows:

    1. In Gateway, in the navigator area to the left, expand Administration and Configurations, then click General Configuration.
    2. In the BAM section, click to select the Validate SSL Certificate checkbox.
    3. In SSL Certificate, click Choose file and browse to the .crt file that you extracted.
    4. When you're done, click Save.