Set up the transport service for SSL encryption

To encrypt the communication between the Passive Capture host machine and the Tealeaf transport service, you must obtain an SSL certificate. Then configure the Passive Capture software and the transport service to use it.

The certificate must be 2048-bit private key.
The certificate is installed on both the PCA and the transport service machine. The PCA requires the certificate for startup, and the transport service uses the certificate for managing secure connections with the PCA.
Note: Transmitting through SSL between the PCA and the transport service requires more processing and can impact overall throughput.

Obtain the SSL certificate. If you create your own self-signed certificate, you must create a 2048-bit private key.
1. The Tealeaf-pca package creates a self-signed certificate for you to use when you configure SSL encryption of the network communication between the Passive Capture host machine and the transport service . This self-signed certificate contains the host name of the host machine at the time of the package installation.
2. The following certificate and key files are created by the Tealeaf-pca package:
  - /usr/local/ctccap/etc/tealeaf-tts.crt (certificate file)
  - /usr/local/ctccap/etc/tealeaf-tts.key (key file)
  - /usr/local/ctccap/etc/tealeaf-tts.pem (combined certificate and key file in DOS EOL)
You can choose to use the above PEM file or create your own.
1. After you generate the certificate and private key files, use the script /usr/local/ctccap/bin/crlf.sh to generate a single DOS-EOL ASCII file that is needed by the transport service.
  
  For example, if your private key is in file example.key and your certificate is in file example.crt, use the following command to generate a single DOS EOL file named example.pem.
```
/usr/local/ctccap/bin/crlf.sh example.key example.crt > example.pem
```
2. The resulting file contains a private key, so you must restrict its ownership and permissions by using the chmod and chown commands.
Transfer the single DOS EOL PEM file to the machine that is running the transport service. Ideally, you must restrict its access to just the transport service.

Note: The certificate must be installed on the root installation directory.
If required, you can use the Archive Reader to verify that the certificate is valid and usable.
On the transport service server, edit your TealeafCaptureSocket.cfg file.

You can also perform configuration changes through the Pipeline Editor in TMS, which provides centralized versioning and assignment of configuration files. Edit the raw transport service configuration file and insert the values in the [Globals] section.
1. Add or edit the following directives in the [Globals] section to the path name of the PEM file. If the files are not in the installation directory, then specify the full path to the files.
```
CertificateFile=css-cert.pem
PrivateKeyFile=css-cert.pem
```
2. Using our sample example.pem, you would change css-cert.pem to produce the following results:
```
CertificateFile=example.pem
PrivateKeyFile=example.pem
```
3. In the [Globals] section, insert the port number to which the transport service listens for SSL traffic. Insert the following code :
```
SSLPort=1967:DataDrop
```
  - 1967 is the port number to which the transport service listens for SSL traffic. This value is the default value. You can change it, as needed.
    Note: This port number must not be used by any other pipeline or component to listen for traffic.
  - DataDrop is the first session agent in the pipeline that is configured to process the received SSL traffic.
Log in to the Passive Capture configuration web UI and click the Delivery tab.
1. In the Target Recipients section, click Add.
2. The Add Recipient for Hit Delivery page is displayed. Enter the host address and port in the corresponding fields, select the Secure check box, and then click OK.
  
  Note: The entered port must match the SSL listening port on the transport service. The default for SSL transport is 1967.
The Add Certificate for Secure Delivery page is displayed. Paste in the certificate, and click OK to save the changes. The certificate is the piece of ASCII text that begins with the following line:
```
-----BEGIN CERTIFICATE-----
 
```
and extends up to and including the following line:
```
-----END CERTIFICATE-----
```
Copy and paste everything from (and including) the BEGIN line up to (and including) the END line.
Restart the PCA.
Restart the transport service.

Test the SSL certificate used by the transport service

Before you deploy the SSL certificate to the machine that is hosting the Tealeaf transport service, verify that the certificate is valid and usable using the archive reader.

Leave the SSL certificate installed on the PCA.
In the ArchiveReader.cfg file in the installation directory on the machine that is hosting the transport service, locate the [Socket] section.
To configure the socket to use SSL, enter or set the following code:
```
USESSL=True
```
Set the Server to be localhost.
Configure the following values to file name of the certificate that is installed in the root installation directory. Remove the hash mark (#) before the configuration line to enable it.
```
CertificateFile=css-cert.pem
PrivateKeyFile=css-cert.pem
```
Save the file.
Use the archive reader to submit hits to the transport service.
In the TMS Pipeline Status tab, verify that hits are being captured and processed by the appropriate pipeline.
If hits are being captured and processed, the SSL certificate is working properly.
You can now apply the configuration changes to the [Globals] section of the TealeafCaptureSocket.cfg.

PCA security

Test the SSL certificate used by the transport service

Comments

PCA security

Test the SSL certificate used by the transport service

Related articles