Key Points
- CA DLP uses TLS and certificates to enable FIPS 140-2 compliant data transfers between machines.
- CA DLP machines use a single enterprise certificate and private key across the CA DLP enterprise.
- There is no authentication of individual machines. Any machine possessing the enterprise certificate and its associated private key can communicate with any CA DLP machine that uses the same certificate.
Certificates and Key Store
- A self-signed root certificate, a single enterprise certificate, and their associated key pairs are generated before CA DLP is installed.
- A Key Store containing the root certificate, the enterprise certificate, and the private key for the enterprise certificate key pair is deployed throughout the CA DLP enterprise.
- Possession of the Key Store is enough to permit any CA DLP machine to communicate with other CA DLP machines.
- The critical files (keystore.dat, revocation.properties, and wigan.java.security) are stored in the CA DLP \data and \system folders. You must secure these file locations as part of the general machine hardening process after deployment.
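Because possession of the Key Store alone is enough for a machine to talk to every other CA DLP machine, the file permissions on the three critical files and the ability to notice when they change are the controls that stand in for per-machine authentication. The following PowerShell script is an added example written for this guide, not CA's own code or tooling: it strips inherited permissions from keystore.dat, revocation.properties and wigan.java.security, grants full control only to SYSTEM and Administrators, grants read-only access to the service account, and records (or verifies) a SHA-256 baseline of the files. The install root, the service account name and the baseline path are assumptions; the guide does not state them, and it does not say which of the \data and \system folders holds which file, so both are searched.

```powershell
# Added example (not CA DLP's own code). Hardens the Advanced Encryption Mode
# Key Store files named in the guide and keeps a hash baseline so that a later
# modification or replacement of the Key Store can be detected.
#
# Assumed values (placeholders, not taken from the guide):
#   $InstallRoot    - CA DLP install folder that contains the \data and \system subfolders
#   $ServiceAccount - account the CA DLP services run as; it needs read access only
#   $BaselinePath   - where the SHA-256 baseline is stored
param(
    [string]$InstallRoot    = 'C:\Program Files\CA\DLP',
    [string]$ServiceAccount = 'NT SERVICE\CADLPService',
    [string]$BaselinePath   = 'C:\ProgramData\DlpKeyStoreBaseline.json'
)

# The three files the guide names as critical.
$CriticalFiles = @('keystore.dat', 'revocation.properties', 'wigan.java.security')

function Get-DlpKeyStoreFiles {
    param([string]$Root)
    foreach ($dir in @('data', 'system')) {
        $folder = Join-Path $Root $dir
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | Where-Object { $CriticalFiles -contains $_.Name }
    }
}

function Protect-DlpKeyStoreFile {
    param([System.IO.FileInfo]$File, [string]$Account)
    $acl = Get-Acl -Path $File.FullName
    # Break inheritance and do not copy the inherited entries down.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit rule so that a broad grant such as Users:Read cannot survive.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $full, $allow)))
    }
    # The service reads the Key Store; it never needs to write it.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $read, $allow)))
    Set-Acl -Path $File.FullName -AclObject $acl
}

function Get-DlpKeyStoreBaseline {
    param([string]$Root)
    $baseline = @{}
    foreach ($f in Get-DlpKeyStoreFiles -Root $Root) {
        $baseline[$f.FullName] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
    return $baseline
}

# Compares the current hashes with a stored baseline and returns one line per finding.
function Test-DlpKeyStoreBaseline {
    param([hashtable]$Expected, [string]$Root)
    $current  = Get-DlpKeyStoreBaseline -Root $Root
    $findings = @()
    foreach ($path in $Expected.Keys) {
        if (-not $current.ContainsKey($path))        { $findings += "MISSING  $path" }
        elseif ($current[$path] -ne $Expected[$path]) { $findings += "CHANGED  $path" }
    }
    foreach ($path in $current.Keys) {
        if (-not $Expected.ContainsKey($path)) { $findings += "NEW      $path" }
    }
    return $findings
}

$files = @(Get-DlpKeyStoreFiles -Root $InstallRoot)
if ($files.Count -eq 0) { throw "No Key Store files found under $InstallRoot" }
foreach ($f in $files) { Protect-DlpKeyStoreFile -File $f -Account $ServiceAccount }

if (Test-Path $BaselinePath) {
    # Rebuild a hashtable from the saved JSON (works on Windows PowerShell 5 and PowerShell 7).
    $expected = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $expected[$_.Name] = $_.Value }
    $findings = Test-DlpKeyStoreBaseline -Expected $expected -Root $InstallRoot
    if ($findings.Count -eq 0) { 'Key Store matches baseline.' } else { $findings }
} else {
    Get-DlpKeyStoreBaseline -Root $InstallRoot | ConvertTo-Json | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
}
```

Run it from an elevated prompt once after deployment to set the permissions and write the baseline, and again on a schedule to report MISSING, CHANGED or NEW files. A CHANGED keystore.dat that does not coincide with a planned, manual certificate replacement is the event worth alerting on, since the guide provides no built-in rotation that would explain it. The baseline file itself should sit in a location with the same restricted permissions, otherwise it can be rewritten to match a tampered Key Store.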
Deployment
- Advanced Encryption Mode must be enabled at install time; if it is enabled, it must be enabled on every CA DLP machine. There is no backward compatibility with existing CA DLP installations.
- There is no automatic integration with third-party Public Key Infrastructures (PKIs).
- Mechanisms to replace the enterprise certificate and its key pair are not built into CA DLP. Instead, you must use a manual process, or a third-party software distribution mechanism, in conjunction with the OpenSSL.exe utility (provided by CA).
Copyright © 2012 CA. All rights reserved.