

About Certificates and Key Files

For FIPS 140-2 support, the upgrade to CA User Activity Reporting Module r12.1 SP1 converts existing P12 format certificates to PEM format certificates. This conversion results in the generation of the following files:

Key files are not encrypted, so you are responsible for securing them from unauthorized access on both server and agent hosts. The CA User Activity Reporting Module soft-appliance uses various operating system hardening techniques to protect keys and certificates stored in the file system. CA User Activity Reporting Module does not support the use of external key storage devices.

CA User Activity Reporting Module uses the following certificates and key files:

| Certificate/Key File Name | Location | Description |
|---|---|---|
| CAELMCert | /opt/CA/SharedComponents/iTechnology (You can refer to this directory using the shorter variable name, $IGW_LOC.) | All CA User Activity Reporting Module services use this certificate for communications between CA User Activity Reporting Module servers, and between CA User Activity Reporting Module servers and the CA EEM server. An entry for this certificate, and its corresponding key file, exists in the main configuration file, CALM.cnf. The tag pairs begin <Certificate> and <KeyFile> respectively. |
| CAELM_AgentCert | $IGW_LOC on the agent host server | Agents use this certificate to communicate with any CA User Activity Reporting Module server. The CA User Activity Reporting Module Management server provides this certificate to the agent. The certificate is valid for any CA User Activity Reporting Module server within a given application instance. |
| itpamcert | IT PAM server | This certificate is used for communications with IT PAM. See the CA IT PAM documentation for additional information. |
| rootcert | $IGW_LOC | This certificate is a self-signed, root certificate signed by iGateway during installation. |
| iPozDsa | $IGW_LOC | The CA EEM server, both local and remote, uses this certificate. See the CA EEM documentation for additional information. |
| iPozRouterDsa | $IGW_LOC | The CA EEM server, both local and remote, uses this certificate. See the CA EEM documentation for additional information. |
| iTechPoz-trusted | /opt/CA/Directory/dxserver/config/ssld | CA Directory uses this certificate. |
| iTechPoz-<hostname>-Router | /opt/CA/Directory/dxserver/config/ssld | CA Directory uses this certificate. |
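Because the converted key files are stored unencrypted, file permissions are the only barrier to reading them. The following audit script is an added example, not part of the CA product or its documentation: it walks the two directories listed above, identifies unencrypted PEM private keys by their header line, and reports any that are accessible to group or other. The "owner-only" policy and the optional owner check are assumptions of this example, not documented product requirements.

```python
import os
import stat
import sys

# Directories named on this page that hold certificates and key files.
KEY_DIRS = ["/opt/CA/SharedComponents/iTechnology",
            "/opt/CA/Directory/dxserver/config/ssld"]

# PEM labels of private keys stored without passphrase protection.
PLAINTEXT_LABELS = (b"-----BEGIN PRIVATE KEY-----",
                    b"-----BEGIN RSA PRIVATE KEY-----",
                    b"-----BEGIN DSA PRIVATE KEY-----",
                    b"-----BEGIN EC PRIVATE KEY-----")

def is_plaintext_pem_key(path):
    """True if the file contains an unencrypted PEM private key."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(1 << 16)
    except OSError:
        return False  # unreadable by the auditing account: cannot classify
    if b"Proc-Type: 4,ENCRYPTED" in data:  # legacy OpenSSL encrypted PEM
        return False
    return any(label in data for label in PLAINTEXT_LABELS)

def audit_key_dir(directory, expected_uid=None):
    """Return (path, mode, problem) tuples for exposed plaintext key files."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not is_plaintext_pem_key(path):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group or other permission bit set
                findings.append((path, oct(mode), "group/other access"))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((path, oct(mode), "owner uid %d" % st.st_uid))
    return findings

if __name__ == "__main__":
    results = [f for d in KEY_DIRS for f in audit_key_dir(d)]
    for path, mode, problem in results:
        print("%s mode=%s: %s" % (path, mode, problem))
    sys.exit(1 if results else 0)
```

Run it with an account that can read the key files, on both server and agent hosts; a non-zero exit status means at least one unencrypted key is exposed.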

More information:

OS Hardening