Example: Certificate Manager (CM) REST API configuration in Protocol Gateway
This article describes a configuration example of the Certificate Manager (CM) REST API in Protocol Gateway.
Access to the Rest API requires use of TLS with certificate-based client authentication and a API request is signed using an officer certificate.
Prerequisites
Protocol Gateway must be installed. See Install Protocol Gateway.
Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.
Tomcat must be configured for TLS client authentication. See Configure Tomcat for TLS client authentication in Protocol Gateway.
Configure REST API
Create certificate procedure for CM REST API devices
If a new certificate procedure is needed for REST API devices, then create one according to Create certificate procedure in Certificate Manager with the following settings:
Set Issuing CA to Device Issuing CA.
Set Format to rfc5280.
Create token procedures for CM REST API devices
Token procedures must be set up for the needed REST API use cases, in this example one for PKCS#7 responses and one for PKCS#12 responses.
Create two new token procedures Ior REST API devices, according to Create token procedure in Certificate Manager with the following settings:
For PKCS#12 responses:
Set Procedure name to Device Token Procedure.
In Storage profile, select PKCS12.
In Issuer certificates, select to Store all or Do not store any.
For PKCS#12 responses:
Set Procedure name to Device Token Procedure P10.
In Storage profile, select PKCS10.
In Issuer certificates, select to Store all or Do not store any.
Set REST API properties
To set the properties for the REST API:
Open \Nexus\cm-gateway\conf\api.properties for editing.
Modify the following properties:
Enable the REST API by setting
start
totrue
.Set the token procedures for the needed use cases. For example, set token procedures for
handler.30
andhandler.31
to the token procedues that were created in the previous step.
For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.
If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
Save the file.
Example: api.properties
start = true
# Process PKCS10 request -> PKCS7 response
handler.30.filter = certificates/pkcs10
handler.30.format = api/certificates-pkcs10
handler.30.tokenprocedure = Device Token Procedure P10
# Process PKCS10 request -> PKCS12 response
handler.31.filter = certificates/pkcs12
handler.31.format = api/certificates-pkcs12
handler.31.tokenprocedure = Device Token Procedure
Restart Tomcat
Restart the Tomcat service.
Verify REST API
Prepare test of REST API
To verify the REST API:
Copy the file SO1.p12 to \Nexus\testclients\temp.
Copy the file SystemCA.cer to \Nexus\testclients\certs.
Configure the REST API test client:
Open the file com.nexussafe.cm.test.app.APIClient.properties for editing:
Set
p12.keyToken.keyFile
totemp/SO1.p12
.Set
p12.keyToken.password
to1234
.
Create a sample CSR
To create a PKCS#10 certificate signing request (CSR):
Enter sample data in the input fields.
Click Generate.
A CSR is created.Copy the CSR content and paste it into a new file, for example csr.p10.
Verify REST API with Test client
To verify the REST API:
In the command prompt, start an interactive session, by typing the command:
Example: Generate CMP request
java –jar testtools.jar APIClient interactive
Run the following command to send the CSR to CM:
Example: Generate CMP request
pkcs10-pkcs7 csr.p10
Save cert.cer.