The CA Access Gateway (formerly CA Secure Proxy Server, SPS) is used as a reverse proxy: users connect to the SPS, and the SPS connects on their behalf to backend servers. The connections from the SPS to the backend servers are often over SSL/TLS (i.e. the backend is accessed with https://), and the backend may require the SPS to present a client certificate as part of the SSL handshake. This article shows how to set up the client SSL certificate in SPS.
The SPS may be required to authenticate to the backend server using a client X.509 certificate. To do this the SPS needs to store the client certificate and its private key securely, and present them to the backend server when the handshake requests them.
All platforms (Windows, Linux, Solaris)
When CA Access Gateway connects to a backend server, some configurations require not just an SSL connection but also that the SPS identifies itself with a client X.509 certificate. The instructions below cover creating the client certificate and installing it in the SPS.
The requirements are mostly spelt out in the comments of the server.conf file:
# SSL client authentication is enabled.
# Location of the Key file : <install-dir>\SSL\clientcert\key\
# Location of public certs : <install-dir>\SSL\clientcert\certs\
# NOTE: Only put DER encoded, password encrypted pkcs8 keyfile.
# Client pass phrase should be encrypted using EncryptUtil tool.
The points to take away are:
· Both the certificate and the key file need to be DER encoded (PEM files are not loaded).
· The key file has to be a DER encoded, password-encrypted PKCS#8 key; it cannot be in the clear.
· The passphrase that protects the key file goes into server.conf in the form produced by the EncryptUtil tool, so the same passphrase must be used in both places.
· SPS searches the clientcert/certs directory and loads every certificate it finds there, so keep only the certificates you intend to present in that directory.
Here are the steps:
Create the cert request
..\bin\openssl req -out client2-CSR.csr -new -newkey rsa:2048 -nodes -keyout client2-privateKey.key -config ..\bin\openssl.cnf
Note that -nodes writes the private key to disk unencrypted. It is encrypted in the PKCS#8 conversion step below; delete the clear-text .key file once the encrypted copy has been verified.
Sign the request
Send the CSR to your Certificate Authority; it signs it and returns the certificate issued from the request. The backend server must trust the CA that signs this certificate, since that is what it validates during the handshake.
For testing purposes your IT department will generally have some process for issuing "test" certificates.
In my case I have a small test CA, driven by a batch file, which signs the request and gives back client2-CERT.pem.
(Check what you actually receive: the file sometimes has a .cer extension while the content is base64-encoded PEM, which is what the next step expects as input.)
Convert the PEM certificate returned by the CA to DER encoding
..\bin\openssl x509 -in client2-Cert_x509.pem -out client2-Cert_x509.cer -outform der
Convert the private key to encrypted PKCS#8 DER encoding
..\bin\openssl.exe pkcs8 -in client2-privateKey.key -topk8 -v2 des3 -out client2-privateKey-DER.key -outform DER
openssl prompts for the passphrase that will protect the key; this is the passphrase you encrypt with EncryptUtil for server.conf in the later step. -v2 des3 selects PBES2 with 3DES, as shown here; openssl also accepts -v2 aes-256-cbc, but confirm that your SPS build loads such a key before relying on it.
Put the files in the right location:
Place DER encoded client cert in : <install-dir>\SSL\clientcert\certs\
Place encrypted DER encoded private key in : <install-dir>\SSL\clientcert\key\
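The whole procedure above, as an added example that is not part of the original article: a POSIX shell script that stands up a throwaway test CA in place of the one attached to the article, generates the key and CSR with the same openssl options, signs the request, converts the certificate to DER and the key to passphrase-encrypted PKCS#8 DER, and then checks the result the way you would before copying the files into <install-dir>\SSL\clientcert\. The work directory, subject names, file names and the passphrase are assumptions; the passphrase used here is the one you would later encrypt with EncryptUtil.

```shell
#!/bin/sh
# Added example (not the article's own batch-file CA): build and check SPS client-cert material.
# Assumed names: WORKDIR, CN=client2, KEYPASS. Override them via the environment if you like.
set -eu
umask 077                                   # keys created below are readable by this user only

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CLIENT_CN:-client2}"
KEYPASS="${KEYPASS:-test-passphrase-change-me}"   # same value you later feed to EncryptUtil

# Throwaway CA standing in for the test CA attached to the article.
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Client CA" \
    -keyout "$WORKDIR/testca.key" -out "$WORKDIR/testca.pem" 2>/dev/null
}

# Step 1: key + CSR with the article's options. -nodes writes the key in the clear;
# convert_for_sps encrypts it and removes the clear copy.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CN" \
    -keyout "$WORKDIR/$CN-privateKey.key" -out "$WORKDIR/$CN-CSR.csr" 2>/dev/null
}

# Step 2: the CA signs the request and returns a PEM certificate.
sign_csr() {
  openssl x509 -req -in "$WORKDIR/$CN-CSR.csr" -days 30 \
    -CA "$WORKDIR/testca.pem" -CAkey "$WORKDIR/testca.key" -CAcreateserial \
    -out "$WORKDIR/$CN-CERT.pem" 2>/dev/null
}

# Steps 3 and 4: certificate -> DER for clientcert/certs; key -> passphrase-encrypted PKCS#8 DER
# for clientcert/key. "-v2 des3" matches the article (PBES2 with 3DES); openssl also accepts
# "-v2 aes-256-cbc", but confirm your SPS build loads such a key before switching.
convert_for_sps() {
  openssl x509 -in "$WORKDIR/$CN-CERT.pem" -outform DER -out "$WORKDIR/$CN-CERT.cer"
  openssl pkcs8 -topk8 -v2 des3 -in "$WORKDIR/$CN-privateKey.key" \
    -outform DER -passout "pass:$KEYPASS" -out "$WORKDIR/$CN-privateKey-DER.key"
  rm -f "$WORKDIR/$CN-privateKey.key"       # never leave the clear-text key beside the encrypted one
}

# Checks worth running before the files go anywhere near <install-dir>\SSL\clientcert\:
#  - both files really are DER (SPS does not load PEM from these directories),
#  - the key really is encrypted, and opens with KEYPASS,
#  - key and certificate carry the same public key,
#  - the certificate chains to the CA the backend is expected to trust.
verify_material() {
  cert="$WORKDIR/$CN-CERT.cer"
  key="$WORKDIR/$CN-privateKey-DER.key"
  openssl asn1parse -inform DER -in "$cert" >/dev/null 2>&1 || { echo "cert is not DER" >&2; return 1; }
  openssl asn1parse -inform DER -in "$key"  >/dev/null 2>&1 || { echo "key is not DER" >&2; return 1; }
  if openssl pkcs8 -inform DER -in "$key" -passin pass:not-the-passphrase -out /dev/null 2>/dev/null; then
    echo "key is not passphrase-protected" >&2; return 1
  fi
  pub_cert=$(openssl x509 -inform DER -in "$cert" -noout -pubkey) || return 1
  pub_key=$(openssl pkcs8 -inform DER -in "$key" -passin "pass:$KEYPASS" | openssl pkey -pubout) || return 1
  [ "$pub_cert" = "$pub_key" ] || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -inform DER -in "$cert" -out "$WORKDIR/$CN-check.pem"
  openssl verify -CAfile "$WORKDIR/testca.pem" "$WORKDIR/$CN-check.pem" >/dev/null || return 1
}

build_all() {
  make_test_ca && make_csr && sign_csr && convert_for_sps && verify_material
}

build_all || { echo "building client cert material failed" >&2; exit 1; }
echo "ready in $WORKDIR: copy $CN-CERT.cer to clientcert\\certs and $CN-privateKey-DER.key to clientcert\\key"
```

The verification step is the part to keep even if you use your own CA: a PEM file that slipped through, a key that does not match the certificate, or a certificate the backend's CA does not trust all produce the same unhelpful handshake failure from the backend, and each is caught here before the SPS is restarted.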
Generate the encrypted passphrase for the server.conf file:
Run the EncryptUtil tool shipped with SPS against the passphrase you gave openssl in the PKCS#8 step (the invocation is not reproduced here); its output is a string of the form:
Encrypted string: U2FsdGVkX18VcMWDmBEJG7CL2edypl03V6Ig1F3gON4=
Modify the server.conf file so that client authentication is enabled and the encrypted passphrase is set (the exact settings are not reproduced here):
Restart SPS and check the server.log file. All being well, you should see entries like the following (note that the "Password is password" line echoes the key passphrase into server.log in the clear, so treat server.log as sensitive and, as in this test run, do not reuse a production passphrase while testing):
[17/Mar/2016:00:43:54-948] [INFO] - NoodleFileKeyStore.java : Loading 1 root certificates.
[17/Mar/2016:00:43:54-980] [INFO] - NoodleFileKeyStore.java : Successfully loaded keyfile.
[17/Mar/2016:00:43:54-995] [INFO] - Password is password
[17/Mar/2016:00:43:54-995] [INFO] - loaded priv key
[17/Mar/2016:00:43:55-433] [INFO] - RSASSLConfig.java : Successfully loaded keystore.
The client and CA Certificate that were generated and used in this example are attached to this document.
Java SE Debugging SSL/TLS Connections
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download
Details about SSL/TLS
Test Certificate Authority I used to sign the certificates