Configure a DSA to Use SSL

From CA Directory r12 SP2 onwards, each DSA handles its own SSL and TLS authentication, encryption, and decryption. SSLD is no longer installed.

The certificate authentication that the external SSLD process used to provide for the DSA has been incorporated into each DSA.

To automatically migrate the old SSL configuration to the new configuration settings, upgrade CA Directory to the latest version.

You can also migrate your SSL configuration without upgrading the entire product. The following steps describe how.

Follow these steps:

  1. To display the current SSLD settings, use the following command:
    ssld start ssld-name
    
  2. Stop the DSA.
  3. Create a new configuration file to hold the new set ssl command. We recommend that you save the file as dsaname.dxc and store it in DXHOME/config/ssld.
  4. Use the existing settings to write a new set ssl command in the new configuration file:
    set ssl = {
    cert-dir = CertificationDirectory
    ca-file = CertificateAuthorityFile
    };
    

    Note: The port, debug, and threads commands are no longer needed.

    Note: You can find the default SSL settings in DXHOME/config/ssld/default.dxc.

    If you do not set a cipher, the DSA uses the default ciphers. You can check the available ciphers using the console command get ciphers. For a list of ciphers currently supported, see the section Encryption Formats for SSL. For more information about ciphers, see the OpenSSL site.

  5. Make the new SSL configuration known to the appropriate DSA by sourcing ssld/dsaname.dxc in the dsaname.dxi file, as follows:
    source "../ssld/dsaname.dxc";
    
  6. Remove the ssld-port setting from the DSA knowledge file.
  7. Start the DSA.

Example: Compare old-style SSLD settings and the new set ssl command

The following example compares the two ways of configuring SSL functionality.

The command ssld start test shows the following parameters:

port      2112
certfiles /opt/CA/Directory/dxserver/samples/ssl/certs
ca        /opt/CA/Directory/dxserver/samples/ssl/certs/gary_michael.pem
debug     3
threads   0
protocol  TLS
cipher    ALL:!EXPORT40:!ADH
FIPS 140-2 enabled
hsm_pin   2345
hsm_lib   /opt/CA/Directory/dxserver/bin/tlsclient
hsm_slot  1

Use these parameters to create the following set ssl command:

set ssl = {
cert-dir = "/opt/CA/Directory/dxserver/samples/ssl/certs"
ca-file = "/opt/CA/Directory/dxserver/samples/ssl/certs/gary_michael.pem"
cipher = "ALL:!EXPORT40:!ADH"
protocol = tls
fips = true
pin = 2345
lib = "/opt/CA/Directory/dxserver/bin/tlsclient"
slot = 1
};

Note: The port, debug, and threads commands are no longer needed.

Note: The cipher string is carried over from the old SSLD configuration unchanged. Review it against the section Encryption Formats for SSL rather than copying the sample value, or omit cipher so that the DSA's default ciphers apply. Because pin is stored in clear text in dsaname.dxc, restrict read access to that file to the account that runs the DSA.
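The conversion that steps 1 to 7 and the comparison above describe, carried out by a script rather than by hand, as an added example: this is not a CA Directory tool. It reads the parameter listing printed by ssld start on standard input, maps the old names to the set ssl keys exactly as the comparison above does, drops port, debug and threads, and saves the block as DXHOME/config/ssld/dsaname.dxc readable by its owner only, because the block can carry the HSM pin in clear text. The assumption that the listing arrives as whitespace-separated name/value lines exactly as printed is the script's own; the sample input is the old-style listing shown above, embedded inline.

```shell
#!/usr/bin/env bash
# Added example, not a CA Directory tool: convert the listing printed by
# "ssld start <ssld-name>" into the per-DSA "set ssl = { ... };" block.
# Assumes the listing is supplied on stdin as "name value" lines exactly as
# printed (the "FIPS 140-2 enabled" line has no separate value column).

# Constructed sample input: the old-style listing from the comparison above.
SAMPLE_SSLD_OUTPUT='port      2112
certfiles /opt/CA/Directory/dxserver/samples/ssl/certs
ca        /opt/CA/Directory/dxserver/samples/ssl/certs/gary_michael.pem
debug     3
threads   0
protocol  TLS
cipher    ALL:!EXPORT40:!ADH
FIPS 140-2 enabled
hsm_pin   2345
hsm_lib   /opt/CA/Directory/dxserver/bin/tlsclient
hsm_slot  1'

# ssld_to_set_ssl: read the SSLD listing on stdin, print the set ssl block.
# Mapping taken from the comparison above: certfiles->cert-dir, ca->ca-file,
# cipher->cipher, protocol->protocol (lower case), "FIPS ... enabled"->fips = true,
# hsm_pin->pin, hsm_lib->lib, hsm_slot->slot; port, debug and threads are dropped.
ssld_to_set_ssl() {
  local key value
  local cert_dir='' ca_file='' cipher='' protocol='' fips='' pin='' lib='' slot=''
  while read -r key value; do
    case "$key" in
      certfiles) cert_dir=$value ;;
      ca)        ca_file=$value ;;
      cipher)    cipher=$value ;;
      protocol)  protocol=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') ;;
      FIPS)      case "$value" in *enabled*) fips=true ;; esac ;;
      hsm_pin)   pin=$value ;;
      hsm_lib)   lib=$value ;;
      hsm_slot)  slot=$value ;;
      port|debug|threads|'') ;;   # no longer needed in the per-DSA configuration
      *) printf 'warning: unknown SSLD parameter "%s" ignored\n' "$key" >&2 ;;
    esac
  done
  if [ -z "$cert_dir" ] || [ -z "$ca_file" ]; then
    echo 'error: certfiles and ca are required' >&2
    return 1
  fi
  printf 'set ssl = {\n'
  printf 'cert-dir = "%s"\n' "$cert_dir"
  printf 'ca-file = "%s"\n' "$ca_file"
  [ -n "$cipher" ]   && printf 'cipher = "%s"\n' "$cipher"
  [ -n "$protocol" ] && printf 'protocol = %s\n' "$protocol"
  [ -n "$fips" ]     && printf 'fips = %s\n' "$fips"
  [ -n "$pin" ]      && printf 'pin = %s\n' "$pin"
  [ -n "$lib" ]      && printf 'lib = "%s"\n' "$lib"
  [ -n "$slot" ]     && printf 'slot = %s\n' "$slot"
  printf '};\n'
}

# write_dsa_ssl_config <DXHOME> <dsaname>: convert stdin and save the result as
# DXHOME/config/ssld/<dsaname>.dxc with mode 0600, because the block may hold
# the HSM pin in clear text. Prints the path that was written.
write_dsa_ssl_config() {
  local dxhome=$1 dsaname=$2 out="$1/config/ssld/$2.dxc"
  mkdir -p "$dxhome/config/ssld"
  ( umask 077; ssld_to_set_ssl > "$out" ) || { rm -f "$out"; return 1; }
  chmod 600 "$out"
  printf '%s\n' "$out"
}

# Demonstration on the constructed sample (prints the set ssl block shown above).
# For a live migration: ssld start test | write_dsa_ssl_config "$DXHOME" test
printf '%s\n' "$SAMPLE_SSLD_OUTPUT" | ssld_to_set_ssl
```

After writing the file, steps 5 to 7 still apply: source ../ssld/dsaname.dxc from the .dxi file, remove ssld-port from the knowledge file, and start the DSA.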

Example: Configure SSL for a new Democorp DSA

This example shows how to set up SSL for the sample Democorp DSA.

  1. Create the Democorp DSA.
  2. Create a PEM certificate for the DSA and add the trusted root CA certificate to the relevant files and folders.

    To automatically create a PEM certificate for each DSA present on the system and add the root CA signing certificate into the trusted.pem file, use the following command:

    dxcertgen certs 
    
  3. Create a new text file and add the following command to it:
    set ssl = {
    cert-dir = "config/ssld/personalities"
    ca-file = "config/ssld/trusted.pem"
    };
    
  4. Save the new configuration file as Democorp.dxc in DXHOME/config/ssld.
  5. Update the Democorp DSA initialization file in DXHOME/config/servers to source the Democorp.dxc file:
    # access controls 
    clear access;
    source "../access/default.dxc"; 
    # ssl
    source "../ssld/Democorp.dxc"; 
    # replication agreements (rarely used)
    # source "../replication/";
    
  6. Stop and start the Democorp DSA:
    stop democorp 
     ...
    start democorp 
     ... 
    

You can now bind to your Democorp DSA using an SSL connection.
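A pre-flight check for the Democorp procedure above, as an added example and not a CA Directory tool: before (or after) restarting the DSA it confirms that the .dxc file exists and contains a set ssl block, that the .dxi file sources it, that the knowledge file no longer carries ssld-port, that cert-dir holds a certificate for the DSA and ca-file holds a PEM certificate, and that a file carrying an HSM pin is not readable by group or others. It assumes, as the page does not state explicitly, that the knowledge file is DXHOME/config/knowledge/dsaname.dxc, that relative cert-dir and ca-file values are resolved from DXHOME, and that dxcertgen certs names each DSA's certificate cert-dir/dsaname.pem.

```shell
#!/usr/bin/env bash
# Added example, not a CA Directory tool: pre-flight check of a DSA's per-DSA
# SSL configuration for the Democorp procedure above.
# Assumptions (not stated on the page):
#   - the knowledge file is DXHOME/config/knowledge/<dsaname>.dxc
#   - relative cert-dir / ca-file values are resolved from DXHOME
#   - dxcertgen certs names each DSA's certificate <cert-dir>/<dsaname>.pem

complain() { printf 'FAIL: %s\n' "$1" >&2; }

# ssl_setting <file> <key>: print the value of "key = value" from a set ssl
# block, with surrounding quotes, blanks and a trailing ';' stripped.
ssl_setting() {
  awk -v k="$2" -F'=' '$1 ~ "^[ \t]*"k"[ \t]*$" {
      v = $2; gsub(/^[ \t"]+|[ \t";]+$/, "", v); print v; exit }' "$1"
}

# check_dsa_ssl_config <DXHOME> <dsaname>: returns 0 if every check passes,
# 1 otherwise, with one FAIL line per problem on stderr.
check_dsa_ssl_config() {
  local dxhome=$1 dsa=$2 rc=0 cert_dir ca_file
  local dxc="$1/config/ssld/$2.dxc"
  local dxi="$1/config/servers/$2.dxi"
  local knowledge="$1/config/knowledge/$2.dxc"

  [ -f "$dxc" ] || { complain "missing SSL configuration $dxc"; return 1; }
  grep -q '^[[:space:]]*set ssl[[:space:]]*=' "$dxc" \
    || { complain "$dxc has no set ssl block"; rc=1; }

  # Step 5: the DSA only reads the block if its .dxi file sources it.
  grep -qF "source \"../ssld/$dsa.dxc\";" "$dxi" 2>/dev/null \
    || { complain "$dxi does not source ../ssld/$dsa.dxc"; rc=1; }

  # Step 6 of the migration: ssld-port must be gone from the knowledge file.
  if [ -f "$knowledge" ] && grep -q '^[[:space:]]*ssld-port' "$knowledge"; then
    complain "$knowledge still sets ssld-port"; rc=1
  fi

  # cert-dir must exist and hold this DSA's personality certificate.
  cert_dir=$(ssl_setting "$dxc" cert-dir)
  [ -n "$cert_dir" ] || { complain "$dxc sets no cert-dir"; rc=1; }
  case "$cert_dir" in /*) ;; *) cert_dir="$dxhome/$cert_dir" ;; esac
  [ -d "$cert_dir" ] || { complain "cert-dir $cert_dir does not exist"; rc=1; }
  [ -s "$cert_dir/$dsa.pem" ] \
    || { complain "no $cert_dir/$dsa.pem; run dxcertgen certs"; rc=1; }

  # ca-file must exist and contain at least one PEM certificate.
  ca_file=$(ssl_setting "$dxc" ca-file)
  [ -n "$ca_file" ] || { complain "$dxc sets no ca-file"; rc=1; }
  case "$ca_file" in /*) ;; *) ca_file="$dxhome/$ca_file" ;; esac
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null \
    || { complain "ca-file $ca_file holds no PEM certificate"; rc=1; }

  # A block with "pin = ..." stores the HSM pin in clear text: the file must
  # not be readable by group or others (ls -l columns 5-10 must all be '-').
  if [ -n "$(ssl_setting "$dxc" pin)" ]; then
    case "$(ls -l "$dxc" | cut -c5-10)" in
      ------) ;;
      *) complain "$dxc holds an HSM pin but is group- or world-readable"; rc=1 ;;
    esac
  fi
  return "$rc"
}

# Usage: check_dsa_ssl_config "$DXHOME" democorp && echo "ready to start democorp"
```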

More information:

Commands for SSL