Configuring secure connections between mobile access services and SafeLinx Clients

You can use transport layer security (TLS) to encrypt connections between SafeLinx Clients and a mobile access service. To support secure connections from SafeLinx Clients, you install an X.509 certificate on the SafeLinx Server and then configure an HTTPS mobile network connection (MNC) to use that certificate. You can also specify whether the service uses standard TLS ciphers to encrypt the connection or if it must use ciphers that are FIPS 140-2 approved.

Before you begin

Add a mobile network connection of the type http-tcp-lan or tcp-lan.

About this task

To configure TLS connections for an MNC, use a key management tool such as OpenSSL to request and add a certificate. After you obtain a certificate, edit the properties for the MNC to reference the PKCS12 keystore file in which you store the certificate.

During TLS protocol negotiations, the SafeLinx Server presents an X.509 certificate to SafeLinx Clients as proof of its identity. The certificate and its private key are stored in a PKCS12 keystore file on the SafeLinx Server. You can use the default keystore file, sl-default.p12, or create your own file. The keystore file is secured with a password. The default password is trusted. Because the default file name and password are published, change the password before you put the server into production and restrict read access to the keystore file: anyone who can read the file and knows its password can extract the private key and impersonate the mobile access service.

When you first test secure connections, you might choose to generate and use a self-signed certificate. However, to secure connections in a production environment, it is best to use a certificate that is signed by a certificate authority (CA) that the SafeLinx Clients already trust. A self-signed certificate proves nothing about the server's identity unless each client is explicitly configured to trust that particular certificate.

After you receive a signed certificate into the PKCS12 keystore file, use the SafeLinx Administrator to configure the MNC to enable TLS and use the new certificate.

Procedure

  1. Request a certificate for the HTTPS MNC, and add it to the default PKCS12 keystore file (sl-default.p12) or to another PKCS12 keystore file. For information, see Generating a server certificate from a certificate authority.
  2. From the SafeLinx Administrator, right-click the HTTP MNC that you want to configure and then click Properties.
  3. Open the Service page and in the Service URL field, verify that the protocol identifier is set to https.
    For example, https://safelinx.renovations.com.
  4. To require SafeLinx Clients to use secure protocols to connect to the mobile access service through this MNC, open the TLS page, and then select Use secure connection.
  5. Verify that the PKCS12 keystore file field names the keystore file into which you received the certificate, and that the Keystore password field contains that file's current password (not the default password, if you changed it).
  6. Specify the ciphers that the SafeLinx Server uses to negotiate TLS connections with SafeLinx Clients. Choose one of the following options and then select the individual ciphers that can be used to encrypt connections.
    • Click Use only FIPS 140-2 approved ciphers to restrict negotiation to cipher suites whose algorithms are approved under Federal Information Processing Standards (FIPS) publication 140-2, Security requirements for cryptographic modules. Choose this option when your deployment must meet US government or similar compliance requirements; clients that support only non-approved ciphers can no longer connect through this MNC.
    • Click Use standard ciphers to use the default TLS cryptographic standards to secure connections.
  7. Click OK to save your changes and then restart the SafeLinx Server. The new TLS settings take effect only after the restart, so verify them afterwards by connecting to the MNC from a SafeLinx Client or a TLS test tool.
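The certificate preparation in step 1 and the verification after the restart in step 7, as an added shell example that is not part of the SafeLinx documentation or product. It uses the OpenSSL command-line tool to build a test PKCS12 keystore for the MNC, to confirm that the keystore opens with the password you will enter in the Administrator, and to probe the HTTPS MNC as a TLS client after the restart. The host name safelinx.example.com, the keystore path, the password and the cipher list are illustrative placeholders; the self-signed certificate it generates is for testing only.

```shell
#!/bin/sh
# Added example, not part of the SafeLinx documentation or product.
# Builds a PKCS12 keystore for a test HTTPS MNC with OpenSSL, checks that the
# keystore opens with its password, and probes the MNC endpoint after the
# SafeLinx Server restart. Host name, file names and password are placeholders.
set -eu

# Generate an RSA key and a self-signed certificate for the MNC host name (test
# use only; production needs a CA-signed certificate) and export both into a
# password-protected PKCS12 keystore that only its owner can read.
# $1 = MNC host name, $2 = output .p12 path, $3 = keystore password
make_test_keystore() {
    host="$1"; out="$2"; pass="$3"
    workdir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -name "$host" \
        -inkey "$workdir/key.pem" -in "$workdir/cert.pem" \
        -passout "pass:$pass" -out "$out"
    chmod 600 "$out"
    rm -rf "$workdir"
}

# Print the subject of the server certificate held in a PKCS12 keystore.
# Exits non-zero when the password is wrong, so it doubles as a check that the
# values you enter in the Administrator's keystore fields really open the file.
# $1 = .p12 path, $2 = keystore password
keystore_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Open a TLS connection to the MNC the way a client would and report the
# certificate the server presents, the negotiated protocol and cipher, and the
# verification result. When a cipher list is given, the handshake is pinned to
# TLS 1.2 (OpenSSL's -cipher option does not govern TLS 1.3 suites) so you can
# confirm that the server refuses suites you excluded on the TLS page, for
# example after selecting FIPS 140-2 approved ciphers only.
# $1 = MNC host name, $2 = port (default 443), $3 = optional OpenSSL cipher list
probe_mnc() {
    host="$1"; port="${2:-443}"; ciphers="${3:-}"
    if [ -n "$ciphers" ]; then set -- -tls1_2 -cipher "$ciphers"; else set --; fi
    openssl s_client "$@" -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null \
        | grep -E '^(subject=|issuer=|Protocol|Cipher|Verify return)'
}

# Usage (run the probe only after saving the MNC properties and restarting):
#   make_test_keystore safelinx.example.com /path/to/sl-test.p12 'ChangeMe-NotTrusted'
#   keystore_subject   /path/to/sl-test.p12 'ChangeMe-NotTrusted'
#   probe_mnc safelinx.example.com 443 'ECDHE-RSA-AES256-GCM-SHA384'
```

OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default; if the server reports that it cannot open a keystore created this way, OpenSSL 3's `openssl pkcs12 -export -legacy` produces the older encoding. The probe's "Verify return code" line will report a self-signed certificate for the test keystore; with a CA-signed production certificate and the CA in the client's trust store it should read 0 (ok). Which cipher suites count as FIPS approved is decided by the cipher selection you make in the Administrator, not by this script; the script only shows what the server actually negotiates.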