Enable SSL Encryption

You configure encryption settings when you install Privileged Identity Manager. After installation, you can use the sechkey utility to change SSL encryption. You may also need to change the value of configuration settings.
To avoid communication problems, use the same encryption method on all computers that run Privileged Identity Manager components.
Follow these steps:
  1. Stop Privileged Identity Manager.
    If you are changing the encryption settings on an Enterprise Management Server, also stop the Privileged Identity Manager Web Service.
  2. Change the value of the communication_mode configuration setting in the crypto section to one of the following:
    • all_modes
      Specify this value if you want to enable both symmetric and SSL encryption. This value lets the computer communicate with all Privileged Identity Manager components.
      If you specify this value, Privileged Identity Manager uses SSL encryption each time that it tries to communicate with another Privileged Identity Manager component. If SSL fails, it then uses symmetric encryption. This value lets you migrate your Privileged Identity Manager deployment from a symmetric encryption environment to an SSL encryption environment.
    • use_ssl
      Specify this value to enable SSL encryption only. This value lets the computer communicate with only the Privileged Identity Manager components that use SSL encryption.
    (Windows) If you are working with a third-party program that uses the Privileged Identity Manager SDK, the crypto section is located at the Privileged Identity Manager SDK registry path that you defined during installation.
  3. (Recommended) Configure SSL communication to do one of the following, as described in the sections below:
    If you do not configure SSL encryption further, you can use the default Privileged Identity Manager X.509 certificates to encrypt and authenticate communication between Privileged Identity Manager components. However, we recommend that you change the default certificates instead.
  4. Start Privileged Identity Manager:
    • If you are changing the encryption settings on an Enterprise Management Server, also start the Privileged Identity Manager Web Service.
    • If you are working with a third-party program that uses the Privileged Identity Manager SDK, restart the process that uses the Privileged Identity Manager SDK.
    SSL encryption is enabled.
Use Third-Party Root and Server Certificates
If you use SSL encryption, you can use third-party root and server certificates to encrypt and authenticate communication between Privileged Identity Manager components.
You need the following files to use third-party root and server certificates:
  • root.pem
    Root certificate
  • server.pem
    Server certificate
  • server.key
    Private key for the server certificate
    If you use OU password-protected server certificates, you also need the password for the private key for the server certificate.
Because the server certificates are already created, you do not need the private key for the root certificate.
Follow these steps:
  1. Verify that Privileged Identity Manager services are stopped and that SSL is enabled.
  2. Replace the root certificate. Do one of the following:
    • Copy the new root certificate to the location specified in the ca_certificate configuration setting in the crypto section.
    • Edit the value of the ca_certificate configuration setting in the crypto section to specify the full path to the new root certificate.
      If you install the root certificate in a new directory, write Privileged Identity Manager FILE rules to protect the new directory.
  3. Replace the server certificate. Do one of the following:
    • Copy the new server certificate to the location specified in the subject_certificate configuration setting in the crypto section.
    • Edit the value of the subject_certificate configuration setting in the crypto section to specify the full path to the new server certificate.
      If you install the server certificate in a new directory, write Privileged Identity Manager FILE rules to protect the new directory.
  4. Replace the server key. Do one of the following:
    • Copy the new server key to the location specified in the private_key configuration setting in the crypto section.
    • Edit the value of the private_key configuration setting in the crypto section to specify the full path to the new server key.
      If you install the server key in a new directory, write Privileged Identity Manager FILE rules to protect the new directory.
  5. If you use OU password-protected certificates, do the following:
    a. Verify that the value of the fips_only configuration setting in the crypto section is 0.
      You cannot use password-protected certificates if Privileged Identity Manager is operating in FIPS-only mode.
    b. Store the password for the server certificate private key on the computer as follows:
      sechkey -g -subpwd private_key_password
      Note: You must have the ADMIN attribute to use sechkey.
    c. Verify that Privileged Identity Manager can use the stored password to open the private key:
      sechkey -g -verify
      If Privileged Identity Manager cannot open the key, repeat Step b and specify the correct password.
    For more information about the sechkey utility, see the Reference Guide.
  6. Start Privileged Identity Manager:
    • If you are changing the encryption settings on an Enterprise Management Server, also start the Privileged Identity Manager Web Service.
    • If you are working with a third-party program that uses the Privileged Identity Manager SDK, restart the process that uses the Privileged Identity Manager SDK.
    SSL encryption is enabled.
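The settings that the two procedures above touch (communication_mode, ca_certificate, subject_certificate, private_key and fips_only in the crypto section) have dependencies that are easy to get wrong when editing by hand: all_modes silently permits a symmetric fallback, a private key that the FILE rules do not yet cover is readable by anyone on the host, and a password-protected key is rejected in FIPS-only mode. The following pre-flight check is an added example written for this page; it is not part of Privileged Identity Manager, the sechkey utility, or its documentation. It assumes the crypto section can be read as an INI-style block (constructed inline here; the real settings live in the product's configuration file on UNIX or under the SDK registry path on Windows), and the function names, the placeholder certificate files and the sample sections are invented for the example.

```python
"""Pre-flight check for the crypto section before starting Privileged Identity Manager.

Added example, not product code. Setting names come from the procedure on
this page; the check logic, file layout and sample sections are constructed.
"""
import configparser
import os
import stat
import tempfile
from typing import List, Tuple

# Values of communication_mode that enable SSL according to the procedure.
VALID_MODES = {"all_modes", "use_ssl"}
PATH_SETTINGS = ("ca_certificate", "subject_certificate", "private_key")


def check_crypto_section(text: str, password_protected: bool = False) -> List[str]:
    """Return a list of findings for an INI-style crypto section; empty means it passes."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if "crypto" not in parser:
        return ["no [crypto] section found"]
    crypto = parser["crypto"]
    findings: List[str] = []

    mode = crypto.get("communication_mode", "").strip()
    if mode not in VALID_MODES:
        findings.append(f"communication_mode={mode!r} does not enable SSL; expected all_modes or use_ssl")
    elif mode == "all_modes":
        # all_modes is the migration setting: SSL first, symmetric fallback on failure.
        findings.append("communication_mode=all_modes permits symmetric fallback; use use_ssl once every component uses SSL")

    for key in PATH_SETTINGS:
        path = crypto.get(key, "").strip()
        if not path:
            findings.append(f"{key} is not set")
        elif not os.path.isfile(path):
            findings.append(f"{key} points to a missing file: {path}")
        elif key == "private_key" and os.name == "posix":
            # The page says to write FILE rules for a new key directory; until then,
            # at least the OS mode should keep group/others away from the key.
            bits = stat.S_IMODE(os.stat(path).st_mode)
            if bits & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"private key {path} is readable by group/others (mode {oct(bits)})")

    fips_only = crypto.get("fips_only", "0").strip()
    if password_protected and fips_only != "0":
        findings.append("password-protected server certificates require fips_only=0")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Run the check on a weak section and on its corrected form (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name in ("root.pem", "server.pem", "server.key"):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed stand-in, not a real PEM
            paths[name] = p
        os.chmod(paths["server.key"], 0o644)  # deliberately too permissive

        weak = (
            "[crypto]\n"
            "communication_mode = all_modes\n"
            f"ca_certificate = {paths['root.pem']}\n"
            f"subject_certificate = {paths['server.pem']}\n"
            f"private_key = {paths['server.key']}\n"
            "fips_only = 1\n"
        )
        weak_findings = check_crypto_section(weak, password_protected=True)

        # Corrected form: SSL only, FIPS-only off for the password-protected key, key mode tightened.
        os.chmod(paths["server.key"], 0o600)
        fixed = weak.replace("all_modes", "use_ssl").replace("fips_only = 1", "fips_only = 0")
        fixed_findings = check_crypto_section(fixed, password_protected=True)
    return weak_findings, fixed_findings


if __name__ == "__main__":
    weak, fixed = demo()
    print("weak section:", *weak, sep="\n  ")
    print("corrected section findings:", fixed)
```

Run the script before step 6 with the real section pasted into a file; a non-empty result means the service will either refuse the key (fips_only) or run in a weaker mode (all_modes, exposed key file) than the procedure intends. The all_modes finding is a reminder rather than an error, since the page presents that value as the supported migration path.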
Use a Server Certificate You Generate from a Third-Party Root Certificate
If you use SSL encryption, you can create server certificates from third-party root certificates. You use these certificates to encrypt and authenticate communication between Privileged Identity Manager components.
You can create a password-protected server certificate; if you do, Privileged Identity Manager uses a specified password to protect the private key for the server certificate.
You need the following files to create a server certificate from a third-party root certificate:
  • root.pem
    Root certificate
  • root.key
    Private key for the root certificate
Follow these steps:
  1. Verify that Privileged Identity Manager services are stopped and that SSL is enabled.
  2. If you use OU password-protected certificates, verify that the value of the fips_only configuration setting in the crypto section is 0.
    You cannot use password-protected certificates if Privileged Identity Manager is operating in FIPS-only mode.
  3. Delete every file except sub_cert_info in the following directory, where ACInstallDir is the directory in which you installed Privileged Identity Manager:
    ACInstallDir/data/crypto
    Do not delete the sub_cert_info file.
    The default server certificate and default key for the server certificate are deleted.
  4. Replace the root certificate. Do one of the following:
    • Copy the new root certificate to the location specified in the ca_certificate configuration setting in the crypto section.
    • Edit the value of the ca_certificate configuration setting in the crypto section to specify the full path to the new root certificate.
      If you install the root certificate in a new directory, write Privileged Identity Manager FILE rules to protect that directory.
  5. Use the sechkey utility to generate a server certificate.
    For more information about the sechkey utility, see the Reference Guide. You must have the ADMIN attribute to use sechkey. If you are working with a third-party program that uses the Privileged Identity Manager SDK, append the -s option to the sechkey command when you run sechkey.
  6. (Optional) Delete the private key for the root certificate.
    If you do not want to create another server certificate from the root certificate, you can delete the private key for the root certificate.
  7. Start Privileged Identity Manager:
    • If you are changing the encryption settings on an Enterprise Management Server, also start the Privileged Identity Manager Web Service.
    • If you are working with a third-party program that uses the Privileged Identity Manager SDK, restart the process that uses the Privileged Identity Manager SDK.
    SSL encryption is enabled.
Example: Use sechkey to Create a Server Certificate
This example creates a server certificate from a third-party root certificate. This example uses the default Privileged Identity Manager certificate information file. The private key for the root certificate is named custom_root.key and located at /opt/CA/AccessControl/data/crypto:
  sechkey -e -sub -in "/opt/CA/AccessControl/data/crypto/sub_cert_info" -priv /opt/CA/AccessControl/data/crypto/custom_root.key
Password-Protected Server Certificates
You can configure Privileged Identity Manager to use a password-protected server certificate; if you do, Privileged Identity Manager uses a specified password to protect the private key for the server certificate.
Privileged Identity Manager stores the password in the crypto.dat file in the ACInstallDir/Data/crypto directory, where ACInstallDir is the directory in which you installed Privileged Identity Manager. The crypto.dat file is hidden, encrypted, read-only, and protected by Privileged Identity Manager. If Privileged Identity Manager is stopped, only the superuser can access the password.
If you create a password-protected server certificate, sechkey does not encrypt the certificate. If you create a server certificate that is not password-protected, sechkey encrypts the certificate using AES256 and the Privileged Identity Manager encryption key.