Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

This article describes how to do initial configuration of Protocol Gateway, using the provided enrollment templates file. 

This instruction includes configuration of VRO and TLS parameters for connection and communication with the CM server. This is configured in cm-gateway.properties and determines the following:

  • The DNS name or IP address of the CM server.
  • The name and location of the Protocol Gateway officer token.
  • The TLS trust store location.
  • The SNI (Server Name Indication) host name of CM (Optional), see heading "Configure TLS Server Name Indication (SNI) parameter" below.


Prerequisites

 Prerequisites

The following prerequisites apply:

Step-by-step instruction

Import and adapt standard configuration

 Import standard configuration

Nexus provides a template file that includes standard configurations of Protocol Gateway, as well as configurations for the SCEP and CMP protocols.  

To import the standard configurations:

  1. Open Administrator's workbench (AWB) in Certificate Manager
  2. Import the enrollmentTemplates.dat file from \CM\clients\web\pgwy\. For more information, see Import items to Certificate Manager
 Configure and sign imported elements

The imported elements are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB) in Certificate Manager, open each element and make needed configurations and sign the changes: 

  1. Modify VRO Certificate Procedure
    1. Change Issuing CA to the Officer and System CA
    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
  2. Modify Protocol Gateway RA Certificate Procedure:
    1. Change Issuing CA to the CA that shall issue certificates to the devices, for example Device Issuing CA.
    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
  3. For each of the following elements, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.
    1. Protocol Gateway RA Token
    2. VRO Token Procedure
    3. VRO Officer Profile
 Issue Protocol Gateway RA soft token

To issue a Protocol Gateway RA soft token: 

  1. Open Registration Authority (RA) in Certificate Manager
  2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  
    1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-ra.p12

    2. In Procedure, select Protocol Gateway RA Token.
    3. Enter values in Country, Organization and set Common Name to Protocol Gateway RA.

    4. In Signature PIN, enter the PIN for Security officer 1.

    5. In the popup dialog, select a PIN for the soft token.

    6. When the soft token is issued, a popup window is opened where the certificate is shown. Open, select Save to file (DER), and save protocol-gateway-ra.cer as a DER.encoded certificate.

 Issue certificate for Protocol Gateway officer

The Protocol Gateway Officer that was imported, needs a certificate. In this example it is issued as a soft token. 

To issue a Protocol Gateway Officer soft token:

  1. Open Registration Authority (RA) in Certificate Manager
  2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  
    1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-ra.p12

    2. In Procedure, select VRO Token Procedure.
    3. Enter values in Country, Organization and set Common Name to Protocol Gateway Officer.

    4. In Signature PIN, enter the PIN for Security officer 1.

    5. In the popup dialog, select a PIN for the soft token.

 Promote certificate to officer

Connect the new certificate to the Protocol Gateway Officer: 

  1. Open Administrator's workbench (AWB) in Certificate Manager
  2. Modify the Protocol Gateway Officer in the Officers tab.
  3. In Certificate, click the arrow to select. Select the certificate that was just created for the Protocol Gateway Officer. 
  4. Click OK, and then Sign the update. See Sign tasks in Certificate Manager.
 Get TLS CA certificate

The CA certificate must be exported to be used in Protocol Gateway to trust the CA. 

In Administrator's workbench (AWB) in Certificate Manager,

  1. Select the Officer and System CA
  2. In the menu, select Cross > Export Certificate > Binary.
  3. Store the certificate as SystemCA.cer.
    This certificate shall be used later in the Protocol Gateway configuration.

Configure Protocol Gateway

 Copy officer and RA tokens to Protocol Gateway
  1. Copy the Protocol Gateway Officer token and the Protocol Gateway RA token to the Protocol Gateway \conf folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.
    1. protocol-gateway-vro.p12
      This is needed for Protocol Gateway as a virtual registration officer, when devices request certificates in an automated workflow.
       
    2. protocol-gateway-ra.p12
      This is needed for certain protocols (EST, CMP, CMC and SCEP), for example for Full PKI requests. The specified RA token is used to establish secure transactions with the end entities requesting certificates. For more information on Full PKI Requests, see the CMC specification: RFC 5272 Section 3.2.
 Trust CM host

For Protocol Gateway to trust the CM host: 

  1. Copy the TLS CA certificate SystemCA.cer to the \conf\certdir trust store folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.
 Set properties in CM-gateway.properties

To set properties for Protocol Gateway: 

  1. Open the file \Nexus\cm-gateway\conf\cm-gateway.properties for editing. 
  2. Modify the following properties: 
    1. Set cmhost to your CM host. 
    2. Set officer.keyfile to the Protocol Gateway Officer token file and officer.password to the related PIN.
Example: cm-gateway.properties
cmhost = localhost
cmconnections = 20
officer.keyfile = PGWYOfficer.p12
officer.password = 1234
 Configure TLS Server Name Indication (SNI) parameter

Protocol Gateway supports configuration of the TLS Server Name Indication (SNI) parameter so that the correct server certificate can be obtained by the Protocol Gateway CM client during TLS handshake. This typically applies in cases where the IP hosting the CM server also hosts other services with different host names on the same TLS port, or if the CM server is located behind a proxy or a load balancer. For more information, see RFC 6066.

To use the server name indication feature in Protocol Gateway:

  1. Open the file C:\ProgramData\Nexus\cm-gateway\conf\cm-gateway.properties for editing.
  2. Set ssl.servernameindication to your CM hostname.

Start service

 Start Protocol Gateway Tomcat service
  1. Start the Protocol Gateway by starting the Tomcat service. 

Set up protocols 

To enable and configure protocols, see Configuration examples in Protocol Gateway.

This article is valid for Certificate Manager 8.5 and later.

  • No labels