PingIntelligence

Configure SSL for external APIs

ASE supports both TLS 1.2 and SSLv3 for external APIs. OpenSSL is bundled with ASE, following are the version details:

  • RHEL 7 : OpenSSL 1.0.2k-fips 26 Jan 2017

  • Ubuntu 16LTS : OpenSSL 1.0.2g 1 Mar 2016

You can configure SSL in ASE for client side connection using one of the following methods:

  • Method 1: Using CA-signed certificate

  • Method 2: Using self-signed certificate

  • Method 3: Importing an existing certificate

The steps provided in this section are for certificate and key generated for connections between the client and ASE as depicted in the illustration below:

fjt1564009007147

In a cluster setup:

  1. Stop all the ASE cluster nodes

  2. Configure the certificate on the management node

  3. Start the cluster nodes one by one for the certificates to synchronize across the nodes

Method 1: Use CA-signed certificate

To use Certificate Authority (CA) signed SSL certificates, follow the process to create a private key, generate a Certificate Signing Request (CSR), and request a certificate as shown below:

wrh1564009007993

ASE internally validates the authenticity of the imported certificate.

To use a CA-signed certificate:

  1. Create a private key. ASE CLI is used to create a 2048-bit private key and to store it in the keystore.

    /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
    Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    Ok, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
    Key created in keystore
    dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem
  2. Create a CSR. ASE takes you through a CLI-based interactive session to create a CSR.

    /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p
    Warning: create_csr will delete any existing CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    please provide following info
    Country Code >US
    State > Colorado
    Location >Denver
    Organization >Pingidentity
    Organization Unit >Pingintelligence
    Common Name >ase
    Generating CSR. Please wait...
    OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr
  3. Upload the CSR created in step 2 to the CA signing authority’s website to get a CA signed certificate.

  4. Download the CA-signed certificate from the CA signing authority’s website.

  5. Use the CLI to import the signed CA certificate into ASE. The certificate is imported into the keystore.

    /opt/pingidentity/ase/bin/cli.sh import_cert <CA signed certificate path> -u admin -p
    Warning: import_cert will overwrite any existing signed certificate
    Do you want to proceed [y/n]:y
    Exporting certificate to API Security Enforcer...
    OK, signed certificate added to keystore
  6. Restart ASE by first stopping and then starting ASE.

Method 2: Use self-signed certificate

A self-signed certificate is also supported for customer testing.

To create a self-signed certificate

  1. Create a private key. ASE CLI is used to generate a 2048-bit private key which is in the /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem directory.

    /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
    Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    Ok, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
    Key created in keystore
    dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem
  2. Create a CSR file:

    /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p
    Warning: create_csr will delete any existing CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    please provide following info
    Country Code >US
    State >colorado
    Location >Denver
    Organization >PI
    Organization Unit >TEST
    Common Name >yoursiteabc.com
    Generating CSR. Please wait...
    OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr
  3. Create a self-signed certificate. Use the CLI to produce a self-signed certificate using the certificate request located in/pingidentity/ase/config/certs/dataplane/ase.csr

    /opt/pingidentity/ase/bin/cli.sh create_self_sign_cert -u admin -p
    Warning: create_self_sign_cert will delete any existing self-signed certificate
    Do you want to proceed [y/n]:y
    Creating new self-signed certificate
    OK, self-sign certificate created in keystore
  4. Restart ASE by stopping and starting.

Method 3: Import an existing certificate and key pair

To install an existing certificate, complete the following steps and import it into ASE. If you have intermediate certificate from CA, then append the content to your server crt file.

  1. Import key pair:

    /opt/pingidentity/ase/bin/cli.sh import_key_pair private.key -u admin -p
    Warning: import_key_pair will overwrite any existing certificates
    Do you want to proceed [y/n]:y
    Exporting key to API Security Enforcer...
    OK, key pair added to keystore
  2. Import the .crtfile in ASE using the import_cert CLI command

    /opt/pingidentity/ase/bin/cli.sh import_cert server-crt.crt -u admin -p
    Warning: import_cert will overwrite any existing signed certificate
    Do you want to proceed [y/n]:y
    Exporting certificate to API Security Enforcer...
    OK, signed certificate added to keystore
  3. Restart ASE by stopping and starting.