Networking configuration options for network forwarders and listeners
Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.
BMC AMI Command Center for Security 6.1 ... Using BMC Defender Server applications
You can set up Transport Layer Security (TLS) connections to provide communication security across the network for BMC Defender Server listeners and forwarders that use the Transmission Control Protocol (TCP). You configure a standard TLS client-server setup, in which the server presents a server certificate to the client. The client is not required to present a certificate, but if the server demands client authentication to complete the handshake, you can configure the client to present a client certificate on the connection.
The BMC Defender Server network components behave as follows:
- TCP listeners act as network servers that attempt to open a listening port and accept incoming TCP connections.
- TCP forwarders act as network clients that attempt to make outgoing TCP connections.
When you select the TCP-TLS protocol for a TCP listener, you must configure the TLS options to set up the connection. For a TCP forwarder, the TLS connection is optional.
Before you begin
Prepare an SSL certificate. To use the built-in utility to generate the certificate, see Creating and installing a self-signed SSL certificate.
To set up a TLS connection
- Navigate to the System > Network > Config page.
- Click to add or edit a network forwarder or a network listener.
- For the Protocol, select TCP-TLS.
Complete the following options:
SSL/TLS Certificate File
Complete file path and name (including the file extension) of the certificate
If you create an SSL certificate with BMC Defender Server, it is automatically stored in the installationDirectory\system\certs directory. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.
The certificate file must be in PEM format, as defined in RFCs 1421 through 1424. The file can contain the server certificate alone, or a bundle that also holds the private key and the intermediate and root certificates of the chain. If you bundle the private key into this file, restrict read access on the file to the service account, because anyone who can read it can impersonate the listener.
For listeners, this option is required.
For forwarders, complete this option if the server requires a client certificate to complete the handshake.
Certificate Private Key File
If the private key is not part of the certificate file, the complete file path and name (including the file extension) of the private key file
The private key file usually has a name ending in key.pem and must be in PEM format.
Certificate Private Key Password File
If the certificate private key is encrypted with a password, the complete file path and name (including the file extension) of a text file that contains the key password
Only the first line of the text file is read, and it is used as the private key password. The file must have a .txt extension and be in plain ASCII text. Protect the password file with the same file permissions as the key itself; for anyone who can read both files, the password adds no protection.
Certificate Revocation List File
Complete file path and name (including the file extension) of the certificate revocation list (CRL) file
The CRL is published by the certificate authority that issued the certificates being checked and lists the certificates that authority has revoked. The file must be in PEM format. CRLs carry an expiry date, so schedule refreshes: a stale CRL does not cover recently revoked certificates.
Diffie-Hellman Parameters File
If a perfect-forward-secrecy cipher suite that uses a finite-field Diffie-Hellman (DHE) key exchange is required, the complete file path and name (including the file extension) of the file that holds the Diffie-Hellman parameters
If you select such a cipher suite (see Open SSL Ciphers later in this table), you must generate the Diffie-Hellman parameters once and supply them in this file; generating them at connection time would make key negotiation very slow. The same parameters are sent on every Diffie-Hellman key exchange, as described in RFC 5114. The file must be in PEM format. Use parameters of at least 2048 bits. ECDHE cipher suites do not use this file.
Trusted Certificate Authority Directory
Complete path to the directory that contains trusted certificate-authority certificates
The certificates in the directory are used for verification (in addition to the system certificate-authority files). Each file in the directory must contain a single certificate, and the files must be named with the hash of the certificate's subject name and the extension .0 (the layout that the OpenSSL c_rehash tool produces; files whose hashes collide use .1, .2, and so on).
Use Operating System CA Store Files
Indicates whether to use the operating system's certificate-authority store to verify TLS certificates
Enable the setting to trust every certificate authority in the operating system store. That is a large trust set; for a closed forwarder-to-listener deployment, a dedicated Trusted Certificate Authority Directory that holds only your own CA is tighter.
Open SSL Ciphers
(Optional) List of TLS cipher suites
Select one or more cipher suites to negotiate the TLS connection. The other side of the connection must support at least one of the selected suites, or the handshake fails.
If you do not select a cipher suite, the TLS client and server negotiate one from their default cipher lists.
Min SSL Protocol
Minimum TLS protocol version accepted during negotiation. Set this to TLSv1.2 unless a peer cannot do better; TLS 1.0 and 1.1 are deprecated (RFC 8996).
Max SSL Protocol
Maximum TLS protocol version accepted during negotiation
Verify Mode
Certificate verification mode
If None (the default value) is selected, no certificate verification is performed: the connection is encrypted, but the peer's identity is not checked, so a forwarder left at None accepts whatever server certificate it is shown. The other settings enable strict verification according to the TLS protocol, using the trusted CA directory, operating system store, and CRL configured above.
- Click Save.
The network component is displayed in the list with the TCP-TLS protocol.
Note: You might need to wait a few minutes for the settings to be active.
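The following script, added here as an example and not part of the BMC product or its documentation, prepares the PEM inputs that the options table describes with the OpenSSL command-line tool: a self-signed certificate and key, a key encrypted with a passphrase read from the first line of a .txt file, a Trusted Certificate Authority Directory with hash-named files, optional Diffie-Hellman parameters, and parse and verification checks to run before you point a listener at the files. It assumes an OpenSSL 1.1.1 or later CLI on the administrator's workstation; the common name, password, and directory names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not BMC's code): build the PEM inputs the TCP-TLS options take, using
# the OpenSSL CLI (assumed: OpenSSL 1.1.1 or later). The resulting files are what you
# would copy into installationDirectory\system\certs on the Defender Server host.

# Self-signed server certificate plus unencrypted PKCS#8 private key, both PEM.
# Args: common name, output directory -> $2/cert.pem and $2/key.pem
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$1" -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# Encrypt a private key with the passphrase on the FIRST line of a .txt file, which is
# how the Certificate Private Key Password File option reads it (later lines ignored).
# Args: plaintext key, password file, output (encrypted) key
make_encrypted_key() { openssl pkey -in "$1" -aes256 -passout "file:$2" -out "$3" 2>/dev/null; }

# 0 if the encrypted key opens with the password file, non-zero otherwise (catches a
# wrong or stale password file before the listener refuses to start).
key_unlocks() { openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null; }

# 0 if the file is a PEM certificate (or chain) that OpenSSL can parse.
is_pem_cert() { openssl x509 -in "$1" -noout 2>/dev/null; }
# 0 if the file is a PEM certificate revocation list.
is_pem_crl()  { openssl crl -in "$1" -noout 2>/dev/null; }

# Trusted Certificate Authority Directory: one certificate per file, named
# <subject-name-hash>.0 as the option requires (the layout OpenSSL's c_rehash produces).
# Colliding hashes get .1, .2, ...  Args: directory of CA certs (*.pem), output directory
hash_ca_dir() {
  local src="$1" dst="$2" f h n
  mkdir -p "$dst"
  for f in "$src"/*.pem; do
    h=$(openssl x509 -in "$f" -noout -hash 2>/dev/null) || continue
    n=0
    while [ -e "$dst/$h.$n" ]; do n=$((n + 1)); done
    cp "$f" "$dst/$h.$n"
  done
}

# Check that a certificate validates against the hashed directory alone; the OS store is
# deliberately left out, which is the situation when "Use Operating System CA Store
# Files" is disabled.
verify_with_dir() { openssl verify -no-CAfile -no-CApath -CApath "$2" "$1" >/dev/null 2>&1; }

# Finite-field Diffie-Hellman parameters for DHE suites (ECDHE suites need none).
# Args: bits, output file. 2048 bits can take a minute; generate once and keep the file.
make_dh_params() { openssl dhparam -out "$2" "$1" 2>/dev/null; }

# --- demo with placeholder names -------------------------------------------------------
work=$(mktemp -d)
make_self_signed "defender-listener.example.test" "$work"           # CN is made up
printf 'correct horse battery staple\nthis second line is ignored\n' > "$work/keypass.txt"
make_encrypted_key "$work/key.pem" "$work/keypass.txt" "$work/key.enc.pem"
key_unlocks "$work/key.enc.pem" "$work/keypass.txt" && echo "key.enc.pem opens with keypass.txt"
mkdir -p "$work/ca-src" && cp "$work/cert.pem" "$work/ca-src/listener-ca.pem"
hash_ca_dir "$work/ca-src" "$work/ca-hashed"
ls "$work/ca-hashed"                                                  # e.g. 3a1b2c4d.0
verify_with_dir "$work/cert.pem" "$work/ca-hashed" && echo "cert.pem verifies via ca-hashed"
[ "${GEN_DH:-0}" = 1 ] && make_dh_params 2048 "$work/dhparam.pem"    # opt in: slow
echo "files are in $work"
```

Run it once on the workstation, copy the files into installationDirectory\system\certs, and set the options to those paths: cert.pem for SSL/TLS Certificate File, key.enc.pem for Certificate Private Key File, keypass.txt for Certificate Private Key Password File, ca-hashed for Trusted Certificate Authority Directory, and dhparam.pem (if generated with GEN_DH=1) for Diffie-Hellman Parameters File.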
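To see what the Verify Mode, Min SSL Protocol, and Open SSL Ciphers settings change on the wire, the following added example (again not BMC's code) runs openssl s_client against a local openssl s_server that stands in for a TCP-TLS listener configured with a TLS 1.2 floor and forward-secret AES-GCM suites. It assumes the listener behaves like any OpenSSL-based TLS server; 127.0.0.1, the port numbers, and the certificate subject are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not BMC's code): probe a TCP-TLS listener from the client side with
# openssl s_client. A local `openssl s_server` stands in for the Defender listener
# (assumption: the real listener behaves like any OpenSSL-based TLS server).
# 127.0.0.1 and the ports are made up; OpenSSL 1.1.1 or later is assumed.

# Start a stand-in listener on 127.0.0.1:$1 with cert $2 and key $3, configured like
# "Min SSL Protocol = TLSv1.2" plus only forward-secret AES-GCM suites for TLS 1.2.
# Sets LISTENER_PID and waits until the port completes a handshake (up to ~5 s).
start_listener() {
  openssl s_server -accept "127.0.0.1:$1" -cert "$2" -key "$3" \
    -min_protocol TLSv1.2 -cipher 'ECDHE+AESGCM' -www >/dev/null 2>&1 &
  LISTENER_PID=$!
  local i=0
  while [ "$i" -lt 50 ]; do
    if openssl s_client -connect "127.0.0.1:$1" </dev/null >/dev/null 2>&1; then return 0; fi
    sleep 0.1; i=$((i + 1))
  done
  return 1
}

stop_listener() {
  kill "$LISTENER_PID" 2>/dev/null || true
  wait "$LISTENER_PID" 2>/dev/null || true
}

# Print the numeric "Verify return code" s_client reports after a completed handshake:
# 0 = chain verified, 18 = self-signed certificate that is not in the trust store.
# This is what a forwarder with Verify Mode = None silently ignores.
# $1 = host:port; further arguments go to s_client, e.g. -CAfile ca.pem.
verify_code() {
  local target="$1"; shift
  openssl s_client -connect "$target" "$@" </dev/null 2>/dev/null |
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 only if a full handshake succeeds with strict verification (what a forwarder
# gets with Verify Mode set to anything other than None); otherwise exit non-zero.
handshake_ok() {
  local target="$1"; shift
  openssl s_client -connect "$target" -verify_return_error "$@" </dev/null >/dev/null 2>&1
}

# --- demo -------------------------------------------------------------------------------
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=defender-listener.example.test' \
  -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
port=${DEMO_PORT:-14433}
if start_listener "$port" "$work/cert.pem" "$work/key.pem"; then
  t="127.0.0.1:$port"; ca="$work/cert.pem"
  echo "no trusted CA configured:  verify code $(verify_code "$t")"            # 18
  echo "listener CA trusted:       verify code $(verify_code "$t" -CAfile "$ca")" # 0
  handshake_ok "$t" -CAfile "$ca" -tls1_2 && echo "TLS 1.2 with ECDHE-AES-GCM: accepted"
  handshake_ok "$t" -CAfile "$ca" -max_protocol TLSv1.1 || echo "TLS 1.1: rejected by the TLS 1.2 floor"
  handshake_ok "$t" -CAfile "$ca" -tls1_2 -cipher AES128-SHA || echo "non-FS cipher: no shared suite"
  stop_listener
fi
```

The same s_client calls work against a real listener once it is saved: point -CAfile (or -CApath) at the CA you configured for the forwarder, and a non-zero verify code or a failed strict handshake tells you which of the trust, protocol floor, or cipher settings the two sides disagree on.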
Related topic
Using BMC Defender Server applications
Last modified by Sara Kamen on Jul 22, 2020