---
title: Configure SSL for client side connection or external APIs
description: ASE supports both TLS 1.2 and SSLv3 for external APIs. OpenSSL is bundled with ASE. The following are the version details:
component: pingintelligence
version: 5.1
page_id: pingintelligence:pingintelligence_production_deployment:pingintelligence_configure_ssl_client_side_connection
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/pingintelligence_production_deployment/pingintelligence_configure_ssl_client_side_connection.html
revdate: April 3, 2024
section_ids:
  enable-sslv3: Enable SSLv3
  method-1-using-ca-signed-certificate: "Method 1: Using CA-signed certificate"
  method-2-use-self-signed-certificate: "Method 2: Use self-signed certificate"
  method-3-import-an-existing-certificate-and-key-pair: "Method 3: import an existing certificate and key-pair"
---

# Configure SSL for client side connection or external APIs

ASE supports both TLS 1.2 and SSLv3 for external APIs. OpenSSL is bundled with ASE. The following are the version details:

* RHEL: OpenSSL 1.0.2k-fips 26 Jan 2017

* Ubuntu: OpenSSL 1.0.2g 1 Mar 2016

You can configure SSL in ASE for client side connection using one of the following methods:

* **Method 1**: Using CA-signed certificate

* **Method 2**: Using self-signed certificate

* **Method 3**: Importing an existing certificate

The steps in this section apply to the certificate and key used for connections between the client and ASE, as depicted in the illustration below:

![nxz1564009151008](../_images/nxz1564009151008.png)

In a cluster setup:

1. Stop all the ASE cluster nodes.

2. Configure the certificate on the management node. For more information on management node, see [API Security Enforcer Admin Guide](../api_security_enforcer/pingintelligence_administering_ase_cluster.html).

3. Start the cluster nodes one by one for the certificates to synchronize across the nodes.

## Enable SSLv3

By default, SSLv3 is disabled due to security vulnerabilities. To change the default and enable SSLv3, stop ASE and then change `enable_sslv3` to `true` in the `ase.conf` file. Restart ASE to activate SSLv3 protocol support. SSLv3 is only supported for client-to-ASE connections, not ASE-to-backend-server connections.

```
; SSLv3
enable_sslv3=true
```
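
To confirm that a deployed configuration has not left SSLv3 on, the following added example (not part of the ASE documentation or tooling) audits an `ase.conf`-style file for the setting. It assumes `key=value` lines with `;` comments, as in the snippet above; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: report whether an ase.conf-style file enables SSLv3.
# Assumption: key=value lines, ';' starts a comment (as in the snippet above).

# sslv3_setting FILE -> prints "enabled", "disabled" or "unset".
# Conservative: any uncommented enable_sslv3=true line counts as enabled.
sslv3_setting() {
    awk '
        { sub(/;.*/, "") }                      # drop ; comments, full-line or trailing
        /^[ \t]*enable_sslv3[ \t]*=/ {
            v = $0
            sub(/^[^=]*=/, "", v)               # keep the value only
            gsub(/[ \t\r]/, "", v)              # tolerate spaces and CRLF files
            seen = 1
            if (tolower(v) == "true") on = 1
        }
        END {
            if (on) print "enabled"
            else if (seen) print "disabled"
            else print "unset"
        }
    ' "$1"
}

# audit_sslv3 FILE -> 0 when SSLv3 is off, 1 when on, 2 when FILE is unreadable.
audit_sslv3() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    state=$(sslv3_setting "$1")
    case "$state" in
        enabled) echo "FAIL: $1 sets enable_sslv3=true"; return 1 ;;
        *)       echo "OK: SSLv3 $state in $1"; return 0 ;;
    esac
}

# Constructed sample input, not a real ASE configuration.
sample=$(mktemp)
printf '; SSLv3\nenable_sslv3=true\n' > "$sample"
audit_sslv3 "$sample" || echo "remediate: set enable_sslv3=false and restart ASE"
rm -f "$sample"
```
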

## Method 1: Using CA-signed certificate

To use Certificate Authority (CA) signed SSL certificates, follow the process to create a private key, generate a Certificate Signing Request (CSR), and request a certificate as shown below:

![hth1564009151581](../../5.2/_images/hth1564009151581.png)

|   |                                                                        |
| - | ---------------------------------------------------------------------- |
|   | ASE internally validates the authenticity of the imported certificate. |

To use a CA-signed certificate:

1. Create a private key. ASE CLI is used to create a 2048-bit private key and to store it in the keystore.

   ```
   /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
   Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   OK, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
   Key created in keystore
   dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem
   ```

2. Create a CSR. ASE takes you through a CLI-based interactive session to create a CSR.

   ```
   /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p
   Warning: create_csr will delete any existing CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   please provide following info
   Country Code >US
   State > Colorado
   Location >Denver
   Organization >Pingidentity
   Organization Unit >Pingintelligence
   Common Name >ase
   Generating CSR. Please wait...
   OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr
   ```

3. Upload the CSR created in step 2 to the CA signing authority's website to get a CA-signed certificate.

4. Download the CA-signed certificate from the CA signing authority's website.

5. Use the CLI to import the CA-signed certificate into ASE. The certificate is imported into the keystore.

   ```
   /opt/pingidentity/ase/bin/cli.sh import_cert  <CA signed certificate path>  -u admin -p
   Warning: import_cert will overwrite any existing signed certificate
   Do you want to proceed [y/n]:y
   Exporting certificate to API Security Enforcer...
   OK, signed certificate added to keystore
   ```

6. Restart ASE by first stopping and then starting ASE.

## Method 2: Use self-signed certificate

A self-signed certificate is also supported for customer testing.

**To create a self-signed certificate**

1. Create a private key. ASE CLI is used to generate a 2048-bit private key which is in the `/opt/pingidentity/ase/config/certs/dataplane/dh1024.pem` directory.

   ```
   /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
   ```

   ```
   Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   OK, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
   Key created in keystore
   dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem
   ```

2. Create a self-signed certificate. Use the CLI to produce a self-signed certificate located in `/pingidentity/ase/config/certs/dataplane/ase.csr`.

   ```
   /opt/pingidentity/ase/bin/cli.sh create_self_sign_cert -u admin -p
   Warning: create_self_sign_cert will delete any existing self-signed certificate
   Do you want to proceed [y/n]:y
   Creating new self-signed certificate
   OK, self-sign certificate created in keystore
   ```

3. Restart ASE by stopping and starting.

## Method 3: import an existing certificate and key-pair

To install an existing certificate, complete the following steps and import it into ASE. If you have an intermediate certificate from the CA, append its content to your server `.crt` file.

1. Create the key from the existing `.pem` file:

   ```
   openssl rsa -in private.pem -out private.key
   ```

2. Convert the existing `.pem` file to a `.crt` file:

   ```
   openssl x509 -in server-cert.pem -out server-cert.crt
   ```

3. Import the key pair from step 2:

   ```
   /opt/pingidentity/ase/bin/cli.sh import_key_pair private.key -u admin -p
   Warning: import_key_pair will overwrite any existing certificates
   Do you want to proceed [y/n]:y
   Exporting key to API Security Enforcer...
   OK, key pair added to keystore
   ```

4. Import the `.crt` file in ASE using the `import_cert` CLI command:

   ```
   /opt/pingidentity/ase/bin/cli.sh import_cert server-cert.crt -u admin -p
   Warning: import_cert will overwrite any existing signed certificate
   Do you want to proceed [y/n]:y
   Exporting certificate to API Security Enforcer...
   OK, signed certificate added to keystore
   ```

5. Restart ASE by stopping and starting.
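
Because `import_key_pair` and `import_cert` overwrite what is already in the keystore, it is worth checking the files from steps 1 and 2 before importing them. The following is an added example, not part of the ASE CLI or the original page: it uses standard `openssl` subcommands to confirm that the first certificate in the `.crt` file carries the public key of `private.key` (which also catches an intermediate placed before the server certificate instead of appended after it) and that this certificate has not expired. The function names and the generated demo files are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on private.key and server-cert.crt before
# import_key_pair / import_cert. Uses only standard openssl subcommands.

# key_matches_cert KEY CRT -> 0 if the FIRST certificate in CRT carries the
# public key of KEY, 1 if it does not, 2 if either file cannot be parsed.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_count CRT -> number of PEM certificates in the file (leaf plus appended chain).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# preimport_check KEY CRT -> 0 only when the leaf matches the key and is unexpired.
preimport_check() {
    key_matches_cert "$1" "$2" || {
        echo "FAIL: first certificate in $2 does not match $1 (wrong key, or chain not leaf-first)"
        return 1
    }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: leaf certificate in $2 has expired"
        return 1
    }
    echo "OK: key matches leaf, $(cert_count "$2") certificate(s) in $2"
}

# Constructed demo input: a throwaway key and certificate, not real ASE material.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ase.example" \
    -keyout "$demo/private.key" -out "$demo/server-cert.crt" 2>/dev/null
preimport_check "$demo/private.key" "$demo/server-cert.crt"
rm -rf "$demo"
```
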

|   |                                                                                                                                                                                                                                     |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | You can also configure for Management APIs. For more information on configuring SSL for management APIs, see [Configure SSL for Management APIs](../api_security_enforcer/pingintelligence_configure_ssl_for_management_apis.html). |
