Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This article describes how to do initial configuration of Protocol Gateway, using the provided enrollment templates file.  


Prerequisites

 Prerequisites

The following prerequisites apply:

Step-by-step instruction

Import and adapt standard configuration

 Import standard configuration

Nexus provides a template file that includes standard configurations of Protocol Gateway, as well as configurations for the SCEP and CMP protocols.  

To import the standard configurations:

  1. Open Administrator's workbench (AWB) in Certificate Manager
  2. Import the enrollmentTemplates.dat file from \CM\clients\web\pgwy\. For more information, see Import items to Certificate Manager
 Configure and sign imported elements

The imported elements are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB) in Certificate Manager, open each element and make needed configurations and sign the changes: 

  1. Modify VRO Certificate Procedure
    1. Change Issuing CA to the Officer and System CA
    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
  2. Modify Protocol Gateway RA Certificate Procedure:
    1. Change Issuing CA to the CA that shall issue certificates to the devices, for example Device Issuing CA.
    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
  3. For each of the following elements, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.
    1. Protocol Gateway RA Token
    2. VRO Token Procedure
    3. VRO Officer Profile
 Issue Protocol Gateway RA soft token

To issue a Protocol Gateway RA soft token: 

  1. Open Registration Authority (RA) in Certificate Manager
  2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  

    1. In File for Media, select the path and filename where the soft token shall be stored., for example \CM\server\certs\protocol-gateway-ra.p12 

    2. In Procedure, select Protocol Gateway RA Token.

    3. Enter values in Country, Organization and set Common Name to Protocol Gateway RA.

    4. In SIgnature PIN, enter the PIN for Security officer 1.

    5. In the popup dialog, select a PIN for the soft token.

    6. When the soft token is issued, a popup window is opened where the certificate is shown. Open, select Save to file (DER), and save protocol-gateway-ra.cer as a DER.encoded certificate.

 Issue certificate for Protocol Gateway officer

The Protocol Gateway Officer that was imported, needs a certificate. In this example it is issued as a soft token. 

To issue a Protocol Gateway Officer soft token:

  1. Open Registration Authority (RA) in Certificate Manager
  2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  

    1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\VRO.p12.

    2. In Procedure, select VRO Token Procedure.

    3. Enter values in Country, Organization and set Common Name to Protocol Gateway Officer.

    4. In SIgnature PIN, enter the PIN for Security officer 1.

    5. In the popup dialog, select a PIN for the soft token.

 Promote certificate to officer

Connect the new certificate to the Protocol Gateway Officer: 

  1. Open Administrator's workbench (AWB) in Certificate Manager
  2. Modify the Protocol Gateway Officer
  3. In Certificate, click the arrow to select. Select the certificate that was just created for the Protocol Gateway Officer. 
  4. Click OK, and then Sign the update. See Sign tasks in Certificate Manager.
 Get TLS CA certificate

The CA certificate must be exported to be used in Protocol Gateway to trust the CA. 

In Administrator's workbench (AWB) in Certificate Manager,

  1. Select the Officer and System CA
  2. In the menu, select Cross > Export Certificate > Binary.
  3. Store the certificate as SystemCA.cer.
    This certificate shall be used later in the Protocol Gateway configuration.

Configure Protocol Gateway

 Copy officer and RA tokens to Protocol Gateway
  1. Copy the Protocol Gateway Officer token and the Protocol Gateway RA token to the Protocol Gateway \conf folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.
    1. protocol-gateway-vro.p12
      This is needed for Protocol Gateway as a virtual registration officer, when devices request certificates in an automated workflow.       
    2. protocol-gateway-ra.p12
      This is needed for certain protocols (EST, CMP, CMC and SCEP), for example for Full PKI requests. The specified RA token is used to establish secure transactions with the end entities requesting certificates. For more information on Full PKI Requests, see the CMC specification: RFC 5272 Section 3.2.
 Trust CM host

For Protocol Gateway to trust the CM host: 

  1. Copy the TLS CA certificate SystemCA.cer to the \conf\certdir trust store folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.
 Set CM-gateway.properties

To set properties for Protocol Gateway: 

  1. Open the file \Nexus\cm-gateway\conf\cm-gateway.properties for editing. 
  2. Modify the following properites: 
    1. Set cmhost to your CM host. 
    2. Set officer.keyfile to the Protocol Gateway Officer token file and officer.password to the related PIN.
Example: cm-gateway.properties
cmhost = localhost
cmconnections = 20
officer.keyfile = PGWYOfficer.p12
officer.password = 1234

Start service

 Start Protocol Gateway Tomcat service
  1. Start the Protocol Gateway by starting the Tomcat service. 

Set up protocols 

To configure protocols, see Configure protocols in Protocol Gateway.


  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions