By enabling support in Tealeaf servers for the X.509 public key infrastructure (PKI) standard, you can secure communications between the Tealeaf servers and other Tealeaf services, and help protect the Tealeaf environment and data from potential attackers. Use the information in this section to learn how to enable the X.509 public key infrastructure (PKI) standard to secure communications in Tealeaf.
Keep the following in mind before you enable secure communications:
- When presenting certificates from a browser, you must copy the valid *.p12 and add it to the browser.
- The steps for enabling secure communications can vary between browsers.
- A valid password is required to import the *.p12 into a browser. The password for importing the *.p12 is the same password that you used when you created the *.p12.
Make sure that you coordinate the steps for securing communications between the PCA and other Tealeaf services with the steps for securing communications between the Tealeaf servers and other Tealeaf services. You can start with either the PCA or the Tealeaf servers, but the step for enabling communications needs to be done simultaneously on both the PCA and Tealeaf servers.
Site administrators are encouraged to take advantage of this feature to protect your Tealeaf environment and data from potential attackers.
Implementing support for X.509 certificates for secure communication in Tealeaf requires you to complete the following tasks in the specified order.
- Upgrade all Tealeaf servers, including PCA servers, to the latest version.
- Create or acquire an X.509 certificate with associated private key and key password, stored in PKCS#12 (PFX) format. The certificate may be created either with a Tealeaf tool or using your organization's own public key infrastructure.
- Import the certificate onto all Tealeaf servers using the supplied tools.
- Enable the X.509 protocol on all Tealeaf servers using the supplied tools. This requires stopping and restarting the Tealeaf services.
Creating an X.509 certificate
You can create a self-signed X.509 certificate using tlstool.exe, or you can create an X.509 certificate using your organization's certificate infrastructure. You create only one certificate for your entire site.
The method that you choose to create the X.509 certificate depends on your organization's security requirements.
- On Windows Server 2012 R2, to create a self-signed X.509 site certificate, go to the Tools folder and run:
  .\TLSTool.exe create -site TCXcert.pfx password
- On other Windows servers, to create a self-signed X.509 site certificate, run the following command on a Tealeaf server:
  <install_directory>\Tools\TLSTool.exe create -site path password
  where path is the path name where you want the certificate file to be created, and password is the password used to encrypt the private key.
  Note: The password must consist entirely of ASCII characters.
  For example:
  <install_directory>\Tools\TLSTool.exe create -site "C:\test\TCXcert.pfx" password123
- Use an X.509 certificate that is created with your organization's certificate infrastructure.
  The following conditions must be met:
  - The certificate must have a subject name of Tealeaf CX and be suitable for use by both TLS 1.2 clients and servers.
  - The certificate must be stored in a single file in PKCS#12 format containing both the certificate and its associated private key.
  - The private key must be protected by a password consisting entirely of ASCII characters.
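The following PowerShell script is an added example, not a Tealeaf tool or part of the original page. It stands in for the organization's PKI by issuing a self-signed certificate that satisfies the conditions above, exports it as a PKCS#12 file, and then checks that file against those conditions before you hand it to TLSTool import. Assumptions: the subject is expressed as CN=Tealeaf CX, "suitable for TLS 1.2 clients and servers" is checked as the serverAuth and clientAuth extended key usages, and the output path and password are placeholders.

```powershell
# Added example (not Tealeaf code): build and validate a Tealeaf site PFX.
$PfxPath  = 'C:\test\TCXcert.pfx'   # assumed path; pass the same path to TLSTool import
$Password = 'password123'           # placeholder; must consist only of ASCII characters

function Test-AsciiPassword {
    param([string]$Password)
    # TLSTool requires the private-key password to be ASCII-only (printable range assumed).
    return ($Password -match '^[\x20-\x7E]+$')
}

function New-TealeafSitePfx {
    param([string]$Path, [string]$Password)
    if (-not (Test-AsciiPassword $Password)) { throw 'Password must contain only ASCII characters.' }
    # Subject must be Tealeaf CX. EKU (2.5.29.37) must cover TLS server authentication
    # (1.3.6.1.5.5.7.3.1) and TLS client authentication (1.3.6.1.5.5.7.3.2).
    $cert = New-SelfSignedCertificate -Subject 'CN=Tealeaf CX' `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
        -NotAfter (Get-Date).AddYears(2)
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    # Export certificate and private key together into a single PKCS#12 (PFX) file.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $secure | Out-Null
    return $cert.Thumbprint
}

function Test-TealeafSitePfx {
    param([string]$Path, [string]$Password)
    $problems = @()
    if (-not (Test-AsciiPassword $Password)) { $problems += 'password is not ASCII-only' }
    # Loading the file with the password proves the PFX decrypts with that password.
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    if ($pfx.Subject -ne 'CN=Tealeaf CX') { $problems += "subject is '$($pfx.Subject)', expected 'CN=Tealeaf CX'" }
    if (-not $pfx.HasPrivateKey) { $problems += 'file does not contain the private key' }
    $eku = $pfx.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($required in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($ekuOids -notcontains $required) { $problems += "extended key usage missing $required" }
    }
    return $problems
}

New-TealeafSitePfx -Path $PfxPath -Password $Password | Out-Null
$issues = Test-TealeafSitePfx -Path $PfxPath -Password $Password
if ($issues.Count -eq 0) { Write-Host "$PfxPath meets the Tealeaf site certificate conditions" }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Test-TealeafSitePfx can be run on its own against a PFX issued by your organization's CA; an empty result means the file meets the listed conditions.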
Importing the X.509 site certificate
You can import the X.509 site certificate to a Tealeaf server.
<install_directory>\Tools\TLSTool.exe import -import path password
where path is the path name where the certificate file resides, and password is the password used to encrypt the private key.
After you have imported the X.509 site certificate onto the servers, you can enable secure communication.
Enabling secure communications
Servers that use X.509 are not able to communicate with servers that do not use X.509.
For Windows, perform the following procedure to enable secure communications between Tealeaf servers that use X.509 and Tealeaf servers that don't.
- Stop all Tealeaf services.
- Run the following command to enable secure communications:
<install_directory>\Tools\TLSTool.exe enable
- Restart all Tealeaf services.
- Configure the target HBR or transport service for secure communications as well.
Disabling secure communications
You can disable secure communication between Tealeaf servers running on Windows.
The following procedure describes how to disable secure communications between Tealeaf servers running on Windows.
- Stop all Tealeaf services.
- Run the following command to disable secure communications:
<install_directory>\Tools\TLSTool.exe disable
- Restart all Tealeaf services.