Initial configuration of Protocol Gateway

This article is valid for Certificate Manager 8.5 and later.

This article describes how to do initial configuration of Protocol Gateway, using the provided enrollment templates file.

This instruction includes configuration of VRO and TLS parameters for connection and communication with the CM server. This is configured in cm-gateway.properties and determines the following:

The DNS name or IP address of the CM server.
The name and location of the Protocol Gateway officer token.
The TLS trust store location.
The SNI (Server Name Indication) host name of CM (Optional), see heading "Configure TLS Server Name Indication (SNI) parameter" below.

The following prerequisites apply:

Protocol Gateway must be installed. See Install Protocol Gateway.

Import and adapt standard configuration

Nexus provides a template file that includes standard configurations of Protocol Gateway, as well as configurations for the SCEP and CMP protocols.

To import the standard configurations:

Open Administrator's workbench (AWB).
Import the enrollmentTemplates.dat file from \CM\clients\web\pgwy\. For more information, see Import items to Certificate Manager.

The imported elements are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB), open each element and make needed configurations and sign the changes:

Modify VRO Certificate Procedure:
1. Change Issuing CA to the Officer and System CA.
2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
Modify Protocol Gateway RA Certificate Procedure:
1. Change Issuing CA to the CA that shall issue certificates to the devices, for example Device Issuing CA.
2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
For each of the following elements, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.
1. Protocol Gateway RA Token
2. VRO Token Procedure
3. VRO Officer Profile

To issue a Protocol Gateway RA soft token:

Open Registration Authority (RA) in Certificate Manager.
Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.
1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-ra.p12
2. In Procedure, select Protocol Gateway RA Token.
3. Enter values in Country, Organization and set Common Name to Protocol Gateway RA.
4. In Signature PIN, enter the PIN for Security officer 1.
5. In the popup dialog, select a PIN for the soft token.
6. When the soft token is issued, a popup window is opened where the certificate is shown. Open, select Save to file (DER), and save protocol-gateway-ra.cer as a DER.encoded certificate.

The Protocol Gateway Officer that was imported, needs a certificate. In this example it is issued as a soft token.

To issue a Protocol Gateway Officer soft token:

Open Registration Authority (RA) in Certificate Manager.
Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.
1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-ra.p12
2. In Procedure, select VRO Token Procedure.
3. Enter values in Country, Organization and set Common Name to Protocol Gateway Officer.
4. In Signature PIN, enter the PIN for Security officer 1.
5. In the popup dialog, select a PIN for the soft token.

Configure Protocol Gateway

Start service

Set up protocols

To enable and configure protocols, see Configuration examples in Protocol Gateway.