Certificates settings (located under General configuration) let you set up the following TLS/SSL certificates:
Custom SSL certificates for HTTPS communications: Gateway requires TLS/SSL certificates to communicate over HTTPS networks. While Gateway will automatically generate new, self-signed certificates when needed, you can instead use your own custom SSL certificates (such as certificates signed by an appropriate certificate authority).
For more details on the use of Custom SSL certificates, see Setting up custom SSL certificates for HTTPS connections.
Custom SSL certificates for communications with BlueCat Address Manager (BAM): Gateway requires TLS/SSL certificates to communicate with Address Manager over HTTPS networks. You can set up and validate custom separate SSL certificates for use during these communications.
Custom SSL certificates are most useful in secure environments where only port 443 is open for HTTPS connectivity and port 80 is closed, disabling HTTP.
TSIG key for cookies: A client-specific key used to encrypt cookies passed between BlueCat Gateway and the client browser.
Secret key for password encryption: A secret key used to encrypt passwords for other BlueCat Gateway features, like Mail and MongoDB. The secret key can be any string.
Best practices for security are to always encrypt passwords that are stored in files.
Tip: When building custom workflows, workflow developers can use this key to encrypt or decrypt passwords. Since the secret key is configurable by administrators, they can change it without the need to modify the workflow itself. For more details, see util module.
To upload TLS/SSL certificates and TSIG keys from the Gateway UI:
-
Open the General configuration window, then expand the Certificates section. (Click the Navigator button if necessary, then click . Click Certificates at the bottom to expand the Certificates settings.)
-
To upload SSL certificates for Gateway HTTPS communications from the Gateway UI, in the Gateway section, do the following:
Either drag the TLS/SSL certificate to use for HTTPS connections (a
.crt
file) onto the TLS/SSL Certificate box area, or click in the box area to browse to the file.Note: We recommend that all certificates across your entire system use strong Advanced Encryption Standard protocols, such as Elliptic Curve Diffie-Hellman (ECDH) with 128 bits of keyspace.Either drag the TLS/SSL key to use for HTTPS connections (a
.key
file) onto the TLS/SSL certificate key box area, or click in the box area to browse to the file.
Note: You can also install Gateway HTTPS certificates manually, outside of Gateway. For more details, see Setting up custom SSL certificates for HTTPS connections. To upload a custom SSL certificate for communications with Address Manager (BAM), in the BAM section, do the following:
-
If you want Gateway to validate the SSL certificate that you upload, select the Validate TLS/SSL Certificate check box.
-
Either drag the SSL certificate to use for BAM communications (a
.crt
file) onto the TLS/SSL Certificate box area, or click in the box area to browse to the file.After the SSL certificate is uploaded, if you asked Gateway to validate the certificate, it is automatically validated against all listed BAMs. The certificate must be valid for at least one of those BAMs.
CAUTION:Uploading a new SSL certificate (or replacing an existing updated SSL certificate) will log out all active HTTP, HTTPS, and UI sessions for all users. If you proceed and click Save, all active user sessions will be forcibly logged out.
-
To set up a TSIG Key for encrypting cookies, in the Other section, do the following:
-
Either drag the desired TSIG key file (a
.key
file) onto the TSIG key box area, or click in the box area to browse to the file.This file will be used to encrypt cookies passed between BlueCat Gateway and the client browser
-
Set the Secret key to a value unique to the client.
-
When you're done, to accept the changes, click Save at the bottom of the page. (Or click Cancel to exit without saving the changes.)