Configuring secure connections between mobile access services and SafeLinx Clients

You can use transport layer security (TLS) to encrypt connections between SafeLinx Clients and a mobile access service. To support secure connections from SafeLinx Clients, you install an X.509 certificate on the SafeLinx Server, and then configure an HTTPS mobile network connection (MNC) to use that certificate. You can also specify whether the service uses standard TLS ciphers to encrypt the connection, or if it must use ciphers that are FIPS 140-2 approved.

Before you begin

Add a mobile network connection of the type http-tcp-lan or tcp-lan.

About this task

To configure TLS connections for an MNC, use the GSKit to request and add a certificate. After you obtain a certificate, edit the properties for the MNC to reference the key database file in which you store the certificate.

During TLS protocol negotiations, the SafeLinx Server presents an X.509 certificate to SafeLinx Clients as proof of its identity. The certificate is stored in a Cryptographic Message Syntax (CMS) key database file on the SafeLinx Server. You can use the default key database file, http.trusted.kdb, or create your own file. The key database is secured with a stash password that is encrypted and stored in a stash password file. The default stash password file is http.trusted.sth. The default stash password is trusted.

When you first test secure connections, you might choose to generate and use a self-signed certificate. However, to secure connections in a production environment, it is best to use third-party certificates.

After you receive a signed certificate into the key database, use the SafeLinx Administrator to configure the MNC to enable TLS and use the new certificate.

Procedure

  1. Obtain a certificate for the HTTPS MNC, and add it to the default key database (http.trusted.kdb), or to another key database of your choosing.

    For information about obtaining a certificate from a third-party certificate authority, see Requesting an X.509 certificate from a third-party certificate authority.

    For information about adding certificates to a key database file, see Adding certificates to a key database file.

  2. From the SafeLinx Administrator, right-click the HTTP MNC that you want to configure and then click Properties.
  3. Open the Service page and in the Service URL field, verify that the protocol identifier is set to https.
    For example, https://safelinx.renovations.com.
  4. To require SafeLinx Clients to use secure protocols to connect to the mobile access service through this MNC, open the SSL page, and then select Use secure connection.
  5. Verify the information in the File name of key database and File name of stash password fields.

    The SafeLinx Server provides default versions of a key database file (http.trusted.kdb) and a stash password file (http.trusted.sth). If you use files other than the default files, replace the default entry in each field with the correct file name. If you place your files in a directory other than the default SafeLinx Server installation directory, type the full path for each file.

  6. Specify the ciphers that the SafeLinx Server uses to negotiate TLS connections with SafeLinx Clients. Choose one of the following options and then select the individual ciphers that can be used to encrypt connections.
    • Click Use only FIPS 140-2 approved ciphers to require the use of cryptographic modules that are certified by the US government in Federal Information Processing Standards (FIPS) publication 140-2, Security requirements for cryptographic modules.
    • Click Use standard ciphers to use the default TLS cryptographic standards to secure connections.
  7. Click OK to save your changes and then restart the SafeLinx Server.