Configure TLS communication to PAM Utility Servers using SSL certificates
Article ID: 246619

Updated On: 08-02-2022

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

How can secure communication to PAM Utility Servers be configured using TLS 1.2 (or higher) with SSL certificates issued by the customer's own Certificate Authority?

Environment

Release : 4.1.x

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

RFI (Request For Information)

Resolution

Note: Feature F124359 is currently not supported and is slated to be supported in PAM Service Pack 4.1.2, to be released in early December 2022. For the time being, consider the document below a related document, as the upcoming feature F124359 will support Utility Servers.

Setting up Custom Certificates for Server Control Agents and DMS/DH.

In PAM, DMS/DH is replaced by OnePAM; upload and set up the certificates as described for Feature F124359 (to be released in December 2022).

  1. Obtain a certificate that can be used as a root certificate to sign the key pairs generated for DH or endpoints, or prepare a self-signed certificate for use as a root CA.
    Generate a self-signed certificate
    Respond to the prompts as desired; different settings (the key length, for instance) can be chosen. Once it is ready, that certificate must be propagated to all endpoints (DH included) that will need to use SSL-based communication amongst themselves.
    For instance (this writes both the private key and the certificate into my_root.pem):  /usr/bin/openssl req -newkey rsa:2048 -keyout my_root.pem -x509 -days 365 -out my_root.pem -nodes
  2. Copy the root certificate to each machine, to the location where PIM looks for it (as per the settings in seos.ini).
    cp my_root.pem /opt/CA/PAMSC/data/crypto/def_root.pem (default location of the root certificate)
  3. Generate the endpoint's own certificate using sechkey. sechkey is a utility distributed with the Endpoint software.
    It is based on templates prepared during the endpoint's installation (the fields available there can be filled out differently).
    /opt/CA/PAMSC/bin/sechkey -e -sub -in /opt/CA/PAMSC/data/crypto/sub_cert_info -priv /opt/CA/PAMSC/data/crypto/def_root.pem
  4. Repeat steps 2-3 above for all machines involved.
    For a DH running on a machine without access to the command line, this set of files can be prepared elsewhere and then uploaded to its designated location via an available interface (OnePAM).
  5. Now all these endpoints can talk to each other using their own certificates rather than the ones generated by PIM using its own default root CA.
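The following is an added example and not part of the original article or the PAM product: a POSIX shell helper that sanity-checks the combined root PEM from step 1 before it is copied to def_root.pem in step 2. The openssl command in step 1 writes the private key and the self-signed certificate into the same file, and sechkey -priv in step 3 reads the CA private key from that file, so the check confirms that both blocks are present and that the file is not readable beyond its owner. The function names, temporary paths and placeholder PEM bodies are constructed for the example; it does not invoke sechkey, and the optional openssl verification is a follow-up check after step 3, not a step from the article.

```shell
#!/bin/sh
# Added example (not part of the CA article): sanity-check the combined root PEM
# produced by the step 1 openssl command before copying it to
# /opt/CA/PAMSC/data/crypto/def_root.pem (step 2). That command writes the
# private key and the self-signed certificate into one file, and
# sechkey -priv (step 3) reads the CA private key from it, so both blocks
# must be present. Function names and sample paths are constructed.

# pem_block_count FILE LABEL: number of complete "-----BEGIN LABEL-----" /
# "-----END LABEL-----" pairs in FILE (0 when the two counts disagree)
pem_block_count() {
  begins=$(grep -c "^-----BEGIN $2-----\$" "$1" || true)
  ends=$(grep -c "^-----END $2-----\$" "$1" || true)
  if [ "$begins" -eq "$ends" ]; then echo "$begins"; else echo 0; fi
}

# check_root_pem FILE: returns 0 only when FILE holds exactly one certificate,
# at least one private key (PKCS#8 or legacy RSA form) and mode 600 or 400.
check_root_pem() {
  file=$1
  if [ ! -r "$file" ]; then
    echo "check_root_pem: cannot read $file" >&2; return 1
  fi
  certs=$(pem_block_count "$file" "CERTIFICATE")
  if [ "$certs" -ne 1 ]; then
    echo "check_root_pem: expected exactly one CERTIFICATE block, found $certs" >&2; return 1
  fi
  keys=$(( $(pem_block_count "$file" "PRIVATE KEY") + $(pem_block_count "$file" "RSA PRIVATE KEY") ))
  if [ "$keys" -lt 1 ]; then
    echo "check_root_pem: no private key block (sechkey -priv needs it)" >&2; return 1
  fi
  # The file carries the CA private key, so anything beyond owner access is a finding.
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case $mode in
    600|400) return 0 ;;
    *) echo "check_root_pem: mode $mode on $file is too open (expected 600)" >&2; return 1 ;;
  esac
}

# verify_with_openssl ROOT ENDPOINT_CERT: optional follow-up after step 3;
# confirms the root certificate is not expired and that the endpoint
# certificate chains to it. Skipped (exit 0) when openssl is not installed.
verify_with_openssl() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
  openssl x509 -in "$1" -noout -checkend 0 &&
  openssl verify -CAfile "$1" "$2"
}

# demo: writes a constructed PEM (placeholder bodies, not real key material)
# to a temporary directory and runs the structural check on it.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' \
    '-----BEGIN PRIVATE KEY-----' 'cGxhY2Vob2xkZXItLW5vdC1hLXJlYWwta2V5' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXItLW5vdC1hLXJlYWwtY2VydA==' '-----END CERTIFICATE-----' \
    > "$dir/my_root.pem"
  chmod 600 "$dir/my_root.pem"
  check_root_pem "$dir/my_root.pem"; rc=$?
  rm -rf "$dir"
  return $rc
}
```

Run `check_root_pem my_root.pem` on the file produced in step 1 before the `cp` in step 2; a file that passes the structural check but fails `verify_with_openssl` after step 3 usually means the endpoint certificate was generated against a different root than the one copied to def_root.pem.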
Additional Information

None.