
About Certificates and Key Files

For FIPS 140-2 support, the upgrade to CA Enterprise Log Manager r12.1 SP1 converts existing P12 format certificates to PEM format certificates. This conversion generates the certificate and key files listed in the table below.

Key files are not encrypted, and it is up to the user to secure them from unauthorized access on both server and agent hosts. The CA Enterprise Log Manager soft-appliance uses various operating system hardening techniques to protect keys and certificates stored in the file system. CA Enterprise Log Manager does not support the use of external key storage devices.

CA Enterprise Log Manager uses the following certificates and key files:

| Certificate/Key File Name | Location | Description |
|---|---|---|
| CAELMCert | /opt/CA/SharedComponents/iTechnology (you can refer to this directory using the shorter variable name, $IGW_LOC) | All CA Enterprise Log Manager services use this certificate for communications between CA Enterprise Log Manager servers, and between CA Enterprise Log Manager servers and the CA EEM server. An entry for this certificate, and its corresponding key file, exists in the main configuration file, CALM.cnf. The tag pairs begin <Certificate> and <KeyFile> respectively. |
| CAELM_AgentCert | $IGW_LOC on the agent host server | Agents use this certificate to communicate with any CA Enterprise Log Manager server. The CA Enterprise Log Manager Management server provides this certificate to the agent. The certificate is valid for any CA Enterprise Log Manager server within a given application instance. |
| itpamcert | IT PAM server | This certificate is used for communications with IT PAM. See the CA IT PAM documentation for additional information. |
| rootcert | $IGW_LOC | This certificate is a self-signed root certificate generated by iGateway during installation. |
| iPozDsa | $IGW_LOC | The CA EEM server, both local and remote, uses this certificate. See the CA EEM documentation for additional information. |
| iPozRouterDsa | $IGW_LOC | The CA EEM server, both local and remote, uses this certificate. See the CA EEM documentation for additional information. |
| iTechPoz-trusted | /opt/CA/Directory/dxserver/config/ssld | CA Directory uses this certificate. |
| iTechPoz-<hostname>-Router | /opt/CA/Directory/dxserver/config/ssld | CA Directory uses this certificate. |
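Because the converted key files are stored unencrypted and securing them is left to the administrator, a periodic check of the key file named in CALM.cnf is worthwhile. The following audit script is an added example, not CA's own tooling; it assumes CALM.cnf carries the paths as plain <Certificate>...</Certificate> and <KeyFile>...</KeyFile> element pairs (the exact file layout is not shown on this page) and the sample config and key it builds are constructed.

```python
"""Audit the key file referenced from CALM.cnf: flag group/world-readable
permissions and a PEM private key stored in clear.  Tag layout is assumed."""
import os
import re
import stat
import tempfile

# Assumed: simple <Certificate>path</Certificate> / <KeyFile>path</KeyFile> pairs.
TAG_RE = re.compile(r"<(Certificate|KeyFile)>\s*(.*?)\s*</\1>", re.S)


def referenced_files(cnf_text):
    """Return {"Certificate": path, "KeyFile": path} found in the config text."""
    return {tag: path for tag, path in TAG_RE.findall(cnf_text)}


def audit_key_file(path):
    """Findings for one key file: it must not be readable by group/other, and a
    PEM private-key header without an ENCRYPTED marker means the key is in clear."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %o)" % stat.S_IMODE(mode))
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        head = fh.read(200)  # the PEM header is enough to classify the key
    if "PRIVATE KEY" in head and "ENCRYPTED" not in head:
        findings.append("private key is not encrypted")
    return findings


def audit_config(cnf_path):
    """Map each key file named in CALM.cnf to its list of findings."""
    with open(cnf_path) as fh:
        refs = referenced_files(fh.read())
    return {p: audit_key_file(p) for t, p in refs.items() if t == "KeyFile"}


def demo():
    """Constructed $IGW_LOC holding a world-readable, unencrypted PEM key."""
    igw = tempfile.mkdtemp()
    key = os.path.join(igw, "CAELMCert.key")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o644)  # deliberately too permissive for the demo
    cnf = os.path.join(igw, "CALM.cnf")
    with open(cnf, "w") as fh:
        fh.write("<Certificate>%s/CAELMCert.pem</Certificate>\n<KeyFile>%s</KeyFile>\n" % (igw, key))
    return audit_config(cnf)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", findings or ["ok"])
```

Run it against the real $IGW_LOC by calling audit_config with the path to the production CALM.cnf; an empty findings list for the key file is the expected result on a hardened appliance.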

More information:

OS Hardening