Generating Authentication Certificates

This section provides instructions for creating signed certificates for the routing gateway and its parent server. But first note the following:

Certificate scripts

CA DLP provides two scripts to generate authentication certificates for the routing gateway and its parent server: MakeRootCertificateStore.cmd, which creates the root (certificate authority) certificate and its key store, and MakeMachineCertificateStore.cmd, which creates a signed certificate and key store for each machine. Both are described in the steps below.

Find these scripts in the \Support\SPT folder on your CA DLP distribution media.

Java.exe

These instructions require that CA DLP is already installed on both the routing gateway and its parent server. They also use the java.exe utility, installed on an isolated, standalone CA DLP installation, to create and request certificates. Find this file in the \Support\SPT folder on your CA DLP distribution media.

To generate authentication certificates

  1. Designate a standalone computer as your secure certificate management machine

    You will generate the authentication certificates on this machine.

  2. Copy java.exe to the certificate management machine

    These instructions use java.exe to create and request certificates. On the certificate management machine, copy java.exe to the \System\jre160_07\Bin subfolder in the CA DLP installation folder. You will run java.exe from this subfolder.

  3. Create a folder to hold the certificates and key store files

    On the certificate management machine, create a folder to hold the authentication certificates and key store files. You can create the folder anywhere on the certificate management machine and you can give it any name. This is your ‘certificate folder’; you will run the certificate scripts from this folder.

  4. Run the MakeRootCertificateStore.cmd script to generate a root certificate and key store file

    This script generates a self-signed certificate, CAcert.crt, that will be used to sign the certificates for the routing gateway and its parent server. It also creates a key store file to hold the certificate, CAStore.jks.

    Important! The information in this key store must be kept secure because it enables anyone to create valid signed certificates to allow communication over the secure private tunnel!

    1. Run this script from the certificate folder defined in step 3. The command syntax is:
      MakeRootCertificateStore <CAStorePassword> <CAKeyPassword>

      where:

      <CAStorePassword> is the password for the CAStore.jks key store.

      <CAKeyPassword> is the password for the root certificate.

      Note: Each password must contain at least six characters. For example, to generate a root certificate with the password CAKeyPwd, stored in a key store with the password CAStorePwd, run this command:

      MakeRootCertificateStore CAStorePwd CAKeyPwd
    2. Check the contents of the certificate. To do this, browse to the certificate folder defined in step 3. Right-click CAcert.crt in Windows Explorer and choose Open, but do not install this certificate.
  5. Run the MakeMachineCertificateStore.cmd script to generate a certificate and key store file for the parent server

    This script generates a signed certificate and key store file for the parent server.

    1. Run this script from the certificate folder defined in step 3. The command syntax is:
      MakeMachineCertificateStore <MachineStore> <MachineCN> <MachinePW> <CAStorePW> <CAKeyPW>
      

      where:

      <MachineStore> is the key store file for the parent server (with no .jks file extension).

      <MachineCN> is the common name of the certificate used by the parent server. The name must not contain spaces.

      <MachinePW> is the password for the parent server’s key store file.

      <CAStorePW> is the password for the CAStore.jks key store created in step 4.a.

      <CAKeyPW> is the password for the root certificate created in step 4.a.

      Note: Each password must contain at least six characters. For example, to generate a certificate with the common name CustomerCMS in the key store file CMSKeyStore.jks with a password of CMSPword, signed by the root certificate from step 4.a, run this command:

      MakeMachineCertificateStore CMSKeyStore CustomerCMS CMSPword CAStorePwd CAKeyPwd
    2. The script automatically outputs the certificate chain. Check the output to confirm that the chain is correct and that the certificate CustomerCMS has been signed by the certificate authority (in this case, signed with the root certificate created in step 4.a).
  6. Run the MakeMachineCertificateStore.cmd script to generate a certificate and key store file for the routing gateway

    Rerun this script to generate a signed certificate and key store file for the routing gateway.

    1. Run this script from the certificate folder defined in step 3. As before, the command syntax is:
      MakeMachineCertificateStore <MachineStore> <MachineCN> <MachinePW> <CAStorePW> <CAKeyPW>
      

      But this time the parameters take the following values:

      <MachineStore> is the key store file for the routing gateway (with no .jks file extension).

      <MachineCN> is the common name of the certificate used by the routing gateway. The name must not contain spaces.

      <MachinePW> is the password for the routing gateway’s key store file.

      <CAStorePW> is the password for the CAStore.jks key store created in step 4.a.

      <CAKeyPW> is the password for the root certificate created in step 4.a.

      Note: Each password must contain at least six characters. For example, to generate a certificate with the common name RoutingGW in the key store file GWKeyStore.jks with a password of GWPword, signed by the root certificate from step 4.a, run this command (the arguments are literal values, not placeholders):

      MakeMachineCertificateStore GWKeyStore RoutingGW GWPword CAStorePwd CAKeyPwd

    2. The script automatically outputs the certificate chain. Check the output to confirm that the chain is correct and that the certificate RoutingGW has been signed by the certificate authority (in this case, signed with the root certificate created in step 4.a).
  7. Transfer the key store files to the routing gateway and its parent server
    1. From the certificate folder, copy the parent server’s key store (CMSKeyStore.jks in step 5.a) to the \system subfolder on the parent server. Find this subfolder in the CA DLP installation folder.
    2. From the certificate folder, copy the routing gateway’s key store (GWKeyStore.jks in step 6.a) to the \system subfolder on the routing gateway. Find this subfolder in the CA DLP installation folder.
  8. Edit startup.properties on the routing gateway and its parent server

    Configure the startup.properties file on the parent server, for example:

    spt.serverport=56097
    spt.hosts=XP-GW-07:56096,10.0.0.17:56096
    spt.keystore=CMSKeyStore.jks
    spt.clientCNlist=RoutingGW
    

    Configure the startup.properties file on the routing gateway, for example:

    spt.serverport=56096
    spt.hosts=CMS-HARDY:56097, 199.0.0.1:56097
    spt.keystore=GWKeyStore.jks
    spt.clientCNlist=CustomerCMS
    
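The two startup.properties fragments above have to agree with each other and with the key stores from steps 5 and 6: each side's spt.hosts entries must point at the port the peer listens on (spt.serverport), and each side's spt.clientCNlist must name the common name held in the peer's key store, since that list is what the tunnel accepts a peer certificate against. The following is an added example, not CA DLP code, that parses a parent/gateway pair and reports any mismatch before you restart the service. The key-store-to-CN mapping is an assumption taken from the MakeMachineCertificateStore arguments on this page; the sample fragments are the step 8 examples, embedded inline.

```python
"""Cross-check the startup.properties pair for a secure private tunnel.

Example added for this page (not CA DLP code). It parses the parent server's
and routing gateway's spt.* settings and checks that each side's spt.hosts
ports match the peer's spt.serverport and that each side's spt.clientCNlist
names the CN held in the peer's key store.
"""
from typing import Dict, List, Tuple

# Constructed sample input: the step 8 example values from this page.
PARENT_PROPERTIES = """\
spt.serverport=56097
spt.hosts=XP-GW-07:56096,10.0.0.17:56096
spt.keystore=CMSKeyStore.jks
spt.clientCNlist=RoutingGW
"""

GATEWAY_PROPERTIES = """\
spt.serverport=56096
spt.hosts=CMS-HARDY:56097, 199.0.0.1:56097
spt.keystore=GWKeyStore.jks
spt.clientCNlist=CustomerCMS
"""

# Assumed mapping from key store file to the certificate CN it holds, taken
# from the MakeMachineCertificateStore arguments in steps 5 and 6. A real
# check would read the CN out of the key store rather than hard-code it.
KEYSTORE_CN = {"CMSKeyStore.jks": "CustomerCMS", "GWKeyStore.jks": "RoutingGW"}

REQUIRED_KEYS = ("spt.serverport", "spt.hosts", "spt.keystore", "spt.clientCNlist")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, # and ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_hosts(value: str) -> List[Tuple[str, int]]:
    """Split 'host:port, host:port' into (host, port) pairs, tolerating spaces."""
    entries: List[Tuple[str, int]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed spt.hosts entry: {item!r}")
        entries.append((host, int(port)))
    return entries


def check_side(local: Dict[str, str], peer: Dict[str, str],
               keystore_cn: Dict[str, str]) -> List[str]:
    """Return the problems found in `local` when it is paired with `peer`."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in local]
    if problems:
        return problems
    if local["spt.keystore"] not in keystore_cn:
        problems.append(f"unknown key store {local['spt.keystore']}")
    # Every spt.hosts entry must point at the port the peer listens on.
    peer_port = int(peer.get("spt.serverport", "-1"))
    for host, port in parse_hosts(local["spt.hosts"]):
        if port != peer_port:
            problems.append(f"{host}:{port} does not match peer spt.serverport {peer_port}")
    # spt.clientCNlist is the allow-list of peer certificate CNs; it must name
    # the CN in the peer's key store or the tunnel will reject the peer.
    peer_cn = keystore_cn.get(peer.get("spt.keystore", ""))
    allowed = [cn.strip() for cn in local["spt.clientCNlist"].split(",") if cn.strip()]
    if peer_cn is None:
        problems.append("cannot determine peer certificate CN")
    elif peer_cn not in allowed:
        problems.append(f"spt.clientCNlist {allowed} does not include peer CN {peer_cn}")
    return problems


def check_tunnel_config(parent_text: str, gateway_text: str,
                        keystore_cn: Dict[str, str] = KEYSTORE_CN) -> Dict[str, List[str]]:
    """Check both directions of the pair; an empty list means that side is consistent."""
    parent = parse_properties(parent_text)
    gateway = parse_properties(gateway_text)
    return {
        "parent": check_side(parent, gateway, keystore_cn),
        "gateway": check_side(gateway, parent, keystore_cn),
    }


if __name__ == "__main__":
    for side, problems in check_tunnel_config(PARENT_PROPERTIES, GATEWAY_PROPERTIES).items():
        print(side, "OK" if not problems else problems)
```

Keep spt.clientCNlist as narrow as the page's examples (exactly the peer's CN): it is the allow-list the tunnel enforces on the presented certificate, so widening it to make a mismatch go away weakens the check rather than fixing the configuration.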
  9. Save the key store passwords on the routing gateway and its parent server
    1. Set the parent server’s key store password (defined in step 5.a) into the encrypted database.properties file. From a command prompt in the \system subfolder in the CA DLP installation folder on the parent server, run:
      wgninfra -exec wigan/infrastruct/serviceutil/SocketRedir SetKeyStorePassword CMSPword
      

      where wigan/infrastruct/serviceutil/SocketRedir is the path and name of the Java class used by the secure private tunnel.

      To confirm that the password has been successfully set, go to the \data\log subfolder and check the CA DLP command_<date>.log file for the entry: ‘Successfully Set Secure Private Tunnel KeyStore password.’

    2. Set the routing gateway’s key store password (defined in step 6.a) into the encrypted database.properties file. From a command prompt in the \system subfolder in the CA DLP installation folder on the routing gateway, run:
      wgninfra -exec wigan/infrastruct/serviceutil/SocketRedir SetKeyStorePassword GWPword
      

      As above, confirm that the password has been successfully set. Go to the \data\log subfolder and check the CA DLP command_<date>.log file for the entry: ‘Successfully Set Secure Private Tunnel KeyStore password.’

  10. Restart the CA DLP infrastructure service

    Restart this service on both the routing gateway and its parent server. This causes tunnel configuration messages to be written to the CA DLP Activity log on each machine (viewable in the Administration console). We also recommend that you check the System logs to confirm there are no problems.

More information:

Example startup.properties Files