Key Points
- CA Data Protection uses TLS and certificates to enable FIPS 140-2 compliant data transfers between machines.
- CA Data Protection machines use a single enterprise certificate and private key across the CA Data Protection enterprise.
- There is no authentication of individual machines. Any machine possessing the enterprise certificate and its associated private key can communicate with any CA Data Protection machine that uses the same certificate.
Certificates and Key Store
- A self-signed root certificate and a single enterprise certificate, and associated key pairs, are generated before installing CA Data Protection.
- A Key Store containing the root certificate, the enterprise certificate, and the private key for the enterprise certificate key pair is deployed throughout the CA Data Protection enterprise.
- Possession of the Key Store is enough to permit any CA Data Protection machine to communicate with other CA Data Protection machines.
- The critical files (keystore.dat, revocation.properties, and wigan.java.security) are stored in the CA Data Protection \data and \system folders. You must secure these file locations as part of the general machine hardening process after deployment.
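The last point leaves the hardening to you. The following PowerShell script is an added example, not part of the CA Data Protection documentation or product: it locates the three critical files under the \data and \system folders, flags any ACL entry that grants access to a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) or that is inherited from the parent folder, and records a SHA-256 baseline so that an unplanned change to keystore.dat shows up on the next run. The install root C:\CA\DataProtection is an assumed placeholder; the page does not say which folder holds which file, so both folders are searched.

```powershell
# Added example (not CA's code). Audits NTFS permissions on the Advanced
# Encryption Mode key-store files and keeps a SHA-256 baseline of them.
param(
    [string]$InstallRoot  = 'C:\CA\DataProtection',      # ASSUMED placeholder install root
    [string]$BaselinePath = '.\keystore-baseline.csv'
)

# Files the guide names as critical. The guide does not say which folder holds which,
# so both \data and \system are searched.
$CriticalFiles = 'keystore.dat', 'revocation.properties', 'wigan.java.security'
$SearchDirs    = @("$InstallRoot\data", "$InstallRoot\system")

# Principals that should never hold rights on a private-key container.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-CriticalFile {
    foreach ($dir in $SearchDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($name in $CriticalFiles) {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p }
        }
    }
}

function Test-KeyStoreAcl {
    param([System.IO.FileInfo]$File)
    $acl = Get-Acl -LiteralPath $File.FullName
    $findings = @()
    # Inherited ACEs mean the folder's permissions, not a deliberate choice, protect the key.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inherits permissions from parent folder'
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -contains $id) {
            $findings += "broad principal '$id' allowed $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{
        Path     = $File.FullName
        Owner    = $acl.Owner
        Sha256   = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        Findings = ($findings -join '; ')
    }
}

$results = @(Get-CriticalFile | ForEach-Object { Test-KeyStoreAcl -File $_ })

if ($results.Count -eq 0) {
    Write-Warning "No key-store files found under $InstallRoot; check the -InstallRoot value."
    exit 2
}

# Compare hashes against an earlier run, if one exists. Because the enterprise key is
# replaced only by a manual process, a changed keystore.dat outside a planned replacement
# is worth investigating.
if (Test-Path -LiteralPath $BaselinePath) {
    $baseline = Import-Csv -LiteralPath $BaselinePath
    foreach ($r in $results) {
        $old = $baseline | Where-Object Path -eq $r.Path
        if ($old -and $old.Sha256 -ne $r.Sha256) {
            $r.Findings = (@($r.Findings, 'hash differs from baseline') | Where-Object { $_ }) -join '; '
        }
    }
} else {
    $results | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
}

$results | Format-Table -AutoSize
# Non-zero exit when anything was flagged, so the script can run from a scheduled task or CM tool.
if ($results | Where-Object { $_.Findings }) { exit 1 } else { exit 0 }
```

Run it once after installation to create the baseline, then on a schedule; an exit code of 1 means at least one file has a broad ACE, inherited permissions, or a hash that no longer matches the baseline. Because every machine in the enterprise holds the same private key, the same script should run on every machine, not only on the server that generated the certificate.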
Deployment
- Advanced Encryption Mode must be enabled at install time; if it is enabled, it must be enabled on every CA Data Protection machine. There is no backward compatibility with existing CA Data Protection installations.
- There is no automatic integration with third-party Public Key Infrastructures (PKIs).
- Mechanisms to replace the enterprise certificate and its key pair are not built into CA Data Protection. Instead, you must use a manual process, or a third-party software distribution mechanism, in conjunction with the OpenSSL.exe utility (provided by CA).
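The generic part of that manual process is producing a new self-signed root certificate and an enterprise certificate signed by it. The PowerShell script below is an added example, not CA's own procedure: it drives openssl.exe through the four steps (root key and certificate, enterprise key and CSR, signing, chain verification) and restricts the resulting private keys. The path to OpenSSL.exe, the subject names, key sizes, validity periods and output file names are all assumptions; how the output is packaged into keystore.dat and distributed to every machine is product-specific and not covered by the page or by this example.

```powershell
# Added example (not CA's code). Generates a replacement self-signed root and an
# enterprise certificate signed by it using the OpenSSL.exe utility. All names,
# sizes and lifetimes below are assumptions; packaging into keystore.dat is not shown.
param(
    [string]$OpenSsl = 'C:\CA\DataProtection\OpenSSL.exe',     # ASSUMED path to the CA-provided utility
    [string]$OutDir  = '.\new-enterprise-cert',
    [string]$RootSubject       = '/CN=Example DLP Root CA',     # ASSUMED subject
    [string]$EnterpriseSubject = '/CN=Example DLP Enterprise'   # ASSUMED subject
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Runs openssl and turns a non-zero exit code into a terminating error.
function Invoke-OpenSsl {
    param([string[]]$Arguments)
    & $OpenSsl @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Root key and self-signed root certificate. The root key is needed only at signing
#    time and should not be deployed with the Key Store.
Invoke-OpenSsl @('genrsa', '-out', "$OutDir\root.key", '4096')
Invoke-OpenSsl @('req', '-x509', '-new', '-sha256', '-days', '3650',
                 '-key', "$OutDir\root.key", '-subj', $RootSubject,
                 '-out', "$OutDir\root.crt")

# 2. Enterprise key pair and certificate signing request.
Invoke-OpenSsl @('genrsa', '-out', "$OutDir\enterprise.key", '2048')
Invoke-OpenSsl @('req', '-new', '-sha256', '-key', "$OutDir\enterprise.key",
                 '-subj', $EnterpriseSubject, '-out', "$OutDir\enterprise.csr")

# 3. Enterprise certificate signed by the root.
Invoke-OpenSsl @('x509', '-req', '-sha256', '-days', '825',
                 '-in', "$OutDir\enterprise.csr",
                 '-CA', "$OutDir\root.crt", '-CAkey', "$OutDir\root.key", '-CAcreateserial',
                 '-out', "$OutDir\enterprise.crt")

# 4. Verify the chain before anything is distributed.
Invoke-OpenSsl @('verify', '-CAfile', "$OutDir\root.crt", "$OutDir\enterprise.crt")

# The private keys are the entire secret of this mode: drop inherited ACLs and leave
# only Administrators and SYSTEM with access.
foreach ($k in 'root.key', 'enterprise.key') {
    icacls "$OutDir\$k" /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
}
Write-Host "Root and enterprise certificates written to $OutDir"
```

Because the mode has no per-machine authentication, the rollout of a replacement Key Store is all-or-nothing: a machine still holding the old certificate cannot talk to one holding the new one, so the distribution mechanism you choose has to reach every CA Data Protection machine in the same maintenance window.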
Copyright © 2015 CA Technologies.
All rights reserved.