Configuring Certificates settings - Platform - BlueCat Gateway - 25.3.0

Gateway Administration Guide

Certificates settings (on the General configuration page) let you set up the following:

  • TLS/SSL certificates for Gateway HTTPS communications

    Gateway requires TLS/SSL certificates to communicate over HTTPS. Gateway automatically generates new, self-signed certificates when needed, but you can instead use your own custom SSL certificates (such as certificates signed by an appropriate certificate authority).

    For more details on the use of custom SSL certificates, see Setting up custom SSL certificates for HTTPS connections.

  • TLS/SSL certificates for communications between Gateway and Address Manager or Micetro

  • TSIG keys for browser cookie encryption

  • A Secret key for use by custom workflows and cases where multiple instances of Gateway are behind a load balancer

    The secret key is used to encrypt passwords for other BlueCat Gateway features, like Mail and MongoDB. It is also used when multiple Gateway instances run behind a load balancer.

    Tip: When building custom workflows, workflow developers can use this key to encrypt or decrypt passwords. Since the secret key is configurable by administrators, they can change it without the need to modify the workflow itself. For more details, see util module.

To upload TLS/SSL certificates for Gateway HTTPS communications:

  1. Open the General configuration window, then expand the Certificates section. (Click Settings at the bottom of the navigator on the left, expand Configurations, then click General configuration. Click Certificates to scroll to the Certificates section.)

  2. Under Gateway TLS/SSL certificate, either drag the certificate to use for HTTPS connections (a .crt file) onto the TLS/SSL Certificate box area, or click in the box area to browse to the file.

    Note: We recommend that all certificates across your entire system use strong Advanced Encryption Standard protocols, such as Elliptic Curve Diffie-Hellman (ECDH) with 128 bits of keyspace.

    For more details on using custom SSL certificates, see Setting up custom SSL certificates for HTTPS connections.

  3. Under Gateway TLS/SSL certificate key, either drag the TLS/SSL key to use for HTTPS connections (a .key file) onto the TLS/SSL certificate key box area, or click in the box area to browse to the file.

  4. When you're done, click Save changes.

    To cancel your changes, click Cancel.

Tip: You can also install Gateway HTTPS certificates manually, outside of Gateway. For more details, see To manually install certificate files outside of Gateway.

To upload a custom SSL certificate for communications with Address Manager or Micetro:

  1. Open the General configuration window, then expand the Certificates section. (Click Settings at the bottom of the navigator on the left, expand Configurations, then click General configuration. Click Certificates to scroll to the Certificates section.)

  2. Under BlueCat Address Manager/Micetro TLS/SSL certificate, configure the following:

    1. If you want Gateway to validate the SSL certificate that you upload, tick the Validate TLS/SSL Certificate check box.

    2. Either drag the SSL certificate to use for BAM/Micetro communications (a .crt file) onto the TLS/SSL Certificate box area, or click in the box area to browse to the file. This must be a root certificate from the Certificate Authority (not the server certificate).

      After the SSL certificate is uploaded, if you asked Gateway to validate the certificate, it is automatically validated against all listed BAM/Micetro instances. The certificate must be valid for at least one of those instances.

      CAUTION:
      Uploading a new SSL certificate (or replacing an existing SSL certificate with an updated one) logs out all active HTTP, HTTPS, and UI sessions for all users. If you proceed and click Save changes, all active user sessions will be forcibly logged out.

  3. When you're done, click Save changes.

    To cancel your changes, click Cancel.
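
Both upload procedures above depend on properties of the files that can be checked before uploading: the .crt and .key for Gateway HTTPS must belong together, and the BAM/Micetro file must be a CA root certificate rather than a server certificate. The following is an added example using only Python's standard ssl module, not BlueCat code; the function names and file paths are assumptions, and the files are assumed to be PEM-encoded.

```python
import ssl
import sys
import time


def _no_password():
    # Called only for an encrypted key; avoids OpenSSL's interactive prompt.
    raise ValueError("private key is passphrase-protected")


def check_https_pair(crt_path, key_path):
    """Check that the .crt and .key files for Gateway HTTPS belong together."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # OpenSSL refuses the pair if the key does not match the certificate.
        ctx.load_cert_chain(crt_path, key_path, password=_no_password)
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, f"certificate/key pair rejected: {exc}"
    return True, "certificate and private key match"


def check_root_ca(crt_path):
    """Check that the BAM/Micetro file holds only unexpired, self-signed CA certs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    try:
        ctx.load_verify_locations(cafile=crt_path)
    except (ssl.SSLError, OSError) as exc:
        return False, f"not a readable PEM certificate: {exc}"
    stats = ctx.cert_store_stats()
    if stats["x509"] == 0 or stats["x509_ca"] != stats["x509"]:
        return False, "file contains a non-CA (server) certificate"
    for cert in ctx.get_ca_certs():
        if cert["subject"] != cert["issuer"]:
            return False, "CA certificate is an intermediate, not a root"
        if ssl.cert_time_to_seconds(cert["notAfter"]) < time.time():
            return False, "root certificate has expired"
    return True, "self-signed CA root certificate"


if __name__ == "__main__" and len(sys.argv) == 4:
    # Usage (paths are placeholders): check.py gateway.crt gateway.key ca_root.crt
    for ok, reason in (check_https_pair(sys.argv[1], sys.argv[2]),
                       check_root_ca(sys.argv[3])):
        print("OK  " if ok else "FAIL", reason)
```
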

To set up the Gateway TSIG key:

  1. Open the General configuration window, then expand the Certificates section. (Click Settings at the bottom of the navigator on the left, expand Configurations, then click General configuration. Click Certificates to scroll to the Certificates section.)

  2. In the TSIG key box area, either drag the desired TSIG key file (a .key file) onto the TSIG key box area, or click in the box area to browse to the file.

    This file will be used to encrypt cookies passed between BlueCat Gateway and the client browser.

  3. When you're done, click Save changes.

    To cancel your changes, click Cancel.

To set or change the Secret key:

  1. Open the General configuration window, then expand the Certificates section. (Click Settings at the bottom of the navigator on the left, expand Configurations, then click General configuration. Click Certificates to scroll to the Certificates section.)

  2. Scroll down and set Secret key to the desired value.

    The secret key can be any string.

    Tip: When building custom workflows, workflow developers can use this key to encrypt or decrypt passwords. Since the secret key is configurable by administrators, they can change it without the need to modify the workflow itself. For more details, see util module.

  3. When you're done, click Save changes.

    To cancel your changes, click Cancel.