This article describes how to do initial configuration of Protocol Gateway, using the provided enrollment templates file.
This instruction includes configuration of VRO and TLS parameters for connection and communication with the CM server. This is configured in cm-gateway.properties and determines the following:
- The DNS name or IP address of the CM server.
- The name and location of the Protocol Gateway officer token.
- The TLS trust store location.
- The SNI (Server Name Indication) host name of CM (optional), see heading "Configure TLS Server Name Indication (SNI) parameter" below.
Prerequisites
The following prerequisites apply:
Step-by-step instruction
Import and adapt standard configuration
Nexus provides a template file that includes standard configurations of Protocol Gateway, as well as configurations for the SCEP and CMP protocols. To import the standard configurations:
The imported elements are marked with a black and yellow "under construction" bar, since they are not signed yet. In Administrator's workbench (AWB) in Certificate Manager, open each element, make the needed configurations, and sign the changes:
To issue a Protocol Gateway RA soft token:
The Protocol Gateway Officer that was imported needs a certificate. In this example it is issued as a soft token. To issue a Protocol Gateway Officer soft token:
Connect the new certificate to the Protocol Gateway Officer:
The CA certificate must be exported to be used in Protocol Gateway to trust the CA. In Administrator's workbench (AWB) in Certificate Manager,
Configure Protocol Gateway
For Protocol Gateway to trust the CM host:
To set properties for Protocol Gateway:
Protocol Gateway supports configuration of the TLS Server Name Indication (SNI) parameter so that the correct server certificate can be obtained by the Protocol Gateway CM client during the TLS handshake. This typically applies in cases where the IP address hosting the CM server also hosts other services with different host names on the same TLS port, or if the CM server is located behind a proxy or a load balancer. For more information, see RFC 6066. To use the server name indication feature in Protocol Gateway:
Start service
Set up protocols
To enable and configure protocols, see Configuration examples in Protocol Gateway.
This article is valid for Certificate Manager 8.5 and later.