Set Up CA XCOM Data Transport Client Authentication
When CA XCOM Data Transport needs to transfer files into or out of CA XCOM Gateway, the local CA XCOM Data Transport server connects to the Gateway server and uses web service requests to obtain access to the CA XCOM Gateway file storage area, to read existing CA XCOM Gateway files, and to import new ones.
To protect the stored data, nothing other than your own CA XCOM Data Transport servers must be able to connect to CA XCOM Gateway, impersonate a valid CA XCOM Data Transport server, and gain access to the files held there.
One layer of protection is the firewall: allow incoming connections to CA XCOM Gateway only from the machines on your local network that need access to it.
A firewall rule only restricts where a connection comes from, however. For more rigorous protection, CA XCOM Gateway can be configured to validate each client connection from CA XCOM Data Transport and confirm the authenticity of the connecting software itself.
To activate this authentication:
- Identify the CA XCOM Data Transport servers that need to transfer files into or out of CA XCOM Gateway, for example the CA XCOM Data Transport servers that are specified as the local machine in policy-defined TRANSFERCONTAINER XML.
Note: In a straightforward configuration, only a single CA XCOM Data Transport server needs to access CA XCOM Gateway files, and it normally runs on the same machine as the CA XCOM Gateway server.
- Ensure that each CA XCOM Data Transport server identified above has been configured with a Gateway Client Certificate obtained from a trusted certificate authority (these certificates must not be self-signed). When requesting a certificate from the certificate authority, the CN= (common name) value of the subject distinguished name must be a domain name that resolves (by DNS or by the hosts file) to the IP address of the machine on which that CA XCOM Data Transport server runs. Because CA XCOM Gateway later resolves this name itself when it validates the connection, the DNS servers or hosts file the Gateway machine uses must be trustworthy and must return the address the client actually connects from.
For more information about configuring the Gateway Client Certificate, see the CA XCOM Data Transport Administration Guide.
- Update the xcom-globals.xml file to add a <TRANSPORTDOMAIN DN="..."/> element inside the <CERTIFICATE> element for each identified CA XCOM Data Transport server. The DN= value must be exactly the domain name contained in the CN= attribute of that CA XCOM Data Transport server's Gateway Client Certificate. Also change the AUTHENTICATE="NO" attribute of the <CERTIFICATE> element to AUTHENTICATE="YES"; without this change the <TRANSPORTDOMAIN> entries are not enforced.
When client authentication has been enabled, the following validation occurs, in order, whenever a CA XCOM Data Transport server connects to the CA XCOM Gateway server:
- The CA XCOM Data Transport server presents its Gateway Client Certificate to CA XCOM Gateway.
- CA XCOM Gateway validates the certificate by verifying the signature on every certificate in the chain back to the trusted certificate authority.
- CA XCOM Gateway extracts the domain name from the certificate's CN= attribute and ensures that this domain name is defined by a <TRANSPORTDOMAIN DN="..."/> element in the global parameters.
- CA XCOM Gateway performs a DNS lookup on the domain name and ensures that the client is connecting either from an IP address the name resolves to or from the local machine (that is, IP address 127.0.0.1).
- If any of these checks fails, the client connection is refused.
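The following is an added example, not CA XCOM code, that models both the xcom-globals.xml change described in the setup procedure and the four validation steps listed above. The <CERTIFICATE AUTHENTICATE="..."> element and its <TRANSPORTDOMAIN DN="..."/> children are taken from the documentation; the host names, IP addresses, the offline name-resolution table, and the function names are constructed for illustration. The signature-chain check is taken as a boolean supplied by the TLS layer, since X.509 chain building is not re-implemented here, and a configured name that fails to resolve is refused, which is a conservative assumption the page does not state.

```python
"""Model of the CA XCOM Gateway client-authentication checks (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment of xcom-globals.xml with authentication switched on.
# Only the element and attribute names come from the documentation.
XCOM_GLOBALS_FRAGMENT = """
<CERTIFICATE AUTHENTICATE="YES">
  <TRANSPORTDOMAIN DN="xcom-a.example.internal"/>
  <TRANSPORTDOMAIN DN="xcom-b.example.internal"/>
</CERTIFICATE>
"""

# Constructed stand-in for DNS / the hosts file so the example runs offline.
RESOLVER = {
    "xcom-a.example.internal": ["10.1.2.10"],
    "xcom-b.example.internal": ["10.1.2.11", "10.1.2.12"],
}

LOOPBACK = ipaddress.ip_address("127.0.0.1")


def load_certificate_config(xml_text):
    """Return (authenticate_enabled, {allowed domain names}) from the fragment."""
    cert = ET.fromstring(xml_text.strip())
    if cert.tag != "CERTIFICATE":
        raise ValueError("expected a <CERTIFICATE> element")
    enabled = cert.get("AUTHENTICATE", "NO").strip().upper() == "YES"
    domains = {td.get("DN", "").strip().lower()
               for td in cert.findall("TRANSPORTDOMAIN")}
    domains.discard("")  # ignore entries with an empty DN= value
    return enabled, domains


def common_name(subject_dn):
    """Extract the CN= value from a comma-separated subject DN string.

    Host-name CNs contain no commas, so RFC 4514 escaping is not handled.
    """
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def validate_client(subject_dn, chain_trusted, client_ip,
                    config_xml=XCOM_GLOBALS_FRAGMENT, resolve=RESOLVER.get):
    """Apply the documented checks in order; return (accepted, reason).

    chain_trusted is the TLS layer's verdict on the signature chain back to
    the trusted CA (the second documented check).
    """
    enabled, allowed = load_certificate_config(config_xml)
    if not enabled:
        return True, "AUTHENTICATE=NO: client certificate is not checked"
    if not chain_trusted:
        return False, "certificate chain does not verify to a trusted CA"
    cn = common_name(subject_dn)
    if cn is None:
        return False, "certificate subject has no CN= attribute"
    domain = cn.lower()
    if domain not in allowed:
        return False, f"CN {cn!r} has no <TRANSPORTDOMAIN DN=...> entry"
    client = ipaddress.ip_address(client_ip)
    if client == LOOPBACK:
        return True, f"{cn}: connection from the local machine accepted"
    addresses = resolve(domain) or []
    if not addresses:
        return False, f"{cn} does not resolve (assumed: refuse)"
    if client in {ipaddress.ip_address(a) for a in addresses}:
        return True, f"{cn}: connecting from its resolved address {client}"
    return False, f"{cn} resolves to {addresses}, client came from {client}"


if __name__ == "__main__":
    for dn, trusted, ip in [
        ("CN=xcom-a.example.internal,O=Example", True, "10.1.2.10"),
        ("CN=xcom-a.example.internal,O=Example", True, "10.1.2.11"),
        ("CN=rogue.example.internal,O=Example", True, "10.1.2.10"),
        ("CN=xcom-b.example.internal,O=Example", False, "10.1.2.11"),
        ("CN=xcom-b.example.internal,O=Example", True, "127.0.0.1"),
    ]:
        print(dn, ip, "->", validate_client(dn, trusted, ip))
```

The checks are applied in the same order as the documented list, so the reason string tells an operator which step refused a connection; a CN that is spelled correctly but resolves to a different address than the one the client connects from is refused at the last step, which is the case to look for when a legitimate server is rejected after a DNS or hosts-file change.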