Loading DNCA with SSL Key Files

Use the following steps to load the DNCA with one or more SSL keys.

About this task

To load DNCA with one or more SSL keys:

Procedure

  1. Obtain a PEM file for each SSL key. You normally run this step on the web server that holds the SSL keys. The Network Capture software requires the SSL key to be in PEM format and the file name to end with a .pem extension. The PEM file is an ASCII text file that contains the SSL key in an encoded form. The following is an example of an SSL key in PEM format:
    
    -----BEGIN RSA PRIVATE KEY-----
    MII ... (many lines of encoding here)
    ....
    -----END RSA PRIVATE KEY-----
    

    If the web server does not store its private keys in PEM format, then you must export the keys and possibly convert them to PEM format. For exporting procedures, see the section Exporting the SSL private key.

  2. Transfer the PEM files to directory /usr/local/dncauser/etc on the DNCA host machine.
  3. Log on to the DNCA host machine as user root and change to directory /usr/local/dncauser/etc.
  4. Encrypt the PEM files to produce a PTL file.
    1. Use the Discover pem2ptl command to generate the PTL files for one or more PEM files. For example, if you have two PEM files named server1.pem and server2.pem, you can generate PTL files for both using the following command:
      
      Discover pem2ptl server1.pem server2.pem
      

      The previous command creates files named server1.ptl and server2.ptl in the same directory as the PEM files.

      • The Discover pem2ptl command does not create PTL files if they already exist. The command sets the ownership and permissions of the resulting PTL files so that only the user dncauser can access the files.
    2. If you have an older release of the Discover-DNCA package that does not provide the Discover pem2ptl command, use the following commands for each PEM file you want to encrypt, replacing server1.pem with the name of your PEM file:
      
      /usr/local/dncauser/bin/tltenc -in server1.pem
      chmod u=rw,go= server1.ptl
      chown dncauser server1.ptl
      

      To convert many PEM files, use the ls and xargs commands to encrypt them. The following command line must be typed on one line. It uses the ls command to generate a list of file names. The vertical bar allows the xargs command to use this list and run the tltenc utility by using each file name in the list.

      
      ls -1 server1.pem server2.pem server3.pem | xargs -L 1 -t \
      /usr/local/dncauser/bin/tltenc -in
      

      After you run the previous command, use the following commands to set the ownership and permissions of all PTL files. It is safe to use wildcards because the ownership and permissions are the ones that are needed by the DNCA to access any PTL file.

      
      chmod u=rw,go= *.ptl
      chown dncauser *.ptl
      

  5. Remove the PEM files from the DNCA host machine. Wait until you confirm that DNCA is successfully decoding SSL connections before you delete the PEM files.

Results

After the SSL keys are loaded onto the DNCA host machine and encrypted into PTL files, configure DNCA to use the PTL files. When you have only a few PTL files to configure, use the SSL Keys tab in the web console. When you have more PTL files to configure, you might find it easier to edit the configuration file directly with a text editor such as nano or vi.