Initial configuration of Protocol Gateway

The following prerequisites apply:

• Protocol Gateway must be installed. See Install Protocol Gateway. 

Nexus provides a template file that includes standard configurations of Protocol Gateway, as well as configurations for the SCEP and CMP protocols.  

To import the standard configurations:

1. Open Administrator's workbench (AWB). 

2. Import the enrollmentTemplates.dat file from \CM\clients\web\pgwy\. For more information, see Import items to Certificate Manager. 

The imported elements are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB), open each element and make needed configurations and sign the changes: 

1. Modify VRO Certificate Procedure: 

   1. Change Issuing CA to the Officer and System CA. 

   2. Click OK and sign the updates. See Sign tasks in Certificate Manager.

2. Modify Protocol Gateway RA Certificate Procedure:

   1. Change Issuing CA to the CA that shall issue certificates to the devices, for example Device Issuing CA.

   2. Click OK and sign the updates. See Sign tasks in Certificate Manager.

3. For each of the following elements, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.

   1. Protocol Gateway RA Token

   2. VRO Token Procedure

   3. VRO Officer Profile

To issue a Protocol Gateway RA soft token: 

1. Open Registration Authority (RA) in Certificate Manager. 

2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  

   1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-ra.p12

   2. In Procedure, select Protocol Gateway RA Token.

   3. Enter values in Country, Organization and set Common Name to Protocol Gateway RA.

   4. In Signature PIN, enter the PIN for Security officer 1.

   5. In the popup dialog, select a PIN for the soft token.

   6. When the soft token is issued, a popup window is opened where the certificate is shown. Open, select Save to file (DER), and save protocol-gateway-ra.cer as a DER.encoded certificate.

The Protocol Gateway Officer that was imported, needs a certificate. In this example it is issued as a soft token. 

To issue a Protocol Gateway Officer soft token:

1. Open Registration Authority (RA) in Certificate Manager. 

2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  
   

   1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-vro.p12

   2. In Procedure, select VRO Token Procedure.

   3. Enter values in Country, Organization and set Common Name to Protocol Gateway Officer.

   4. In Signature PIN, enter the PIN for Security officer 1.

   5. In the popup dialog, select a PIN for the soft token.

Connect the new certificate to the Protocol Gateway Officer: 

1. Open Administrator's workbench (AWB). 

2. Modify the Protocol Gateway Officer in the Officers tab.

3. In Certificate, click the arrow to select. Select the certificate that was just created for the Protocol Gateway Officer. 

4. Click OK, and then Sign the update. See Sign tasks in Certificate Manager.

The CA certificate must be exported to be used in Protocol Gateway to trust the CA. 

In Administrator's workbench (AWB),

1. Select the Officer and System CA. 

2. In the menu, select Cross > Export Certificate > Binary.

3. Store the certificate as SystemCA.cer.
   This certificate shall be used later in the Protocol Gateway configuration.

1. Copy the Protocol Gateway Officer token and the Protocol Gateway RA token to the Protocol Gateway \conf folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.
   

   1. protocol-gateway-vro.p12
      This is needed for Protocol Gateway as a virtual registration officer, when devices request certificates in an automated workflow. 

   2. protocol-gateway-ra.p12
      This is needed for certain protocols (EST, CMP, CMC and SCEP), for example for Full PKI requests. The specified RA token is used to establish secure transactions with the end entities requesting certificates. For more information on Full PKI Requests, see the CMC specification: RFC 5272 Section 3.2.

For Protocol Gateway to trust the CM host: 

1. Copy the TLS CA certificate SystemCA.cer to the \conf\certdir trust store folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.

To set properties for Protocol Gateway: 

1. Open the file \Nexus\cm-gateway\conf\cm-gateway.properties for editing. 

2. Modify the following properties: 

   1. Set cmhost to your CM host. 

   2. Set officer.keyfile to the Protocol Gateway Officer token file and officer.password to the related PIN.

Example: cm-gateway.properties

cmhost = localhost
cmconnections = 20
officer.keyfile = PGWYOfficer.p12
officer.password = 1234

Protocol Gateway supports configuration of the TLS Server Name Indication (SNI) parameter so that the correct server certificate can be obtained by the Protocol Gateway CM client during TLS handshake. This typically applies in cases where the IP hosting the CM server also hosts other services with different host names on the same TLS port, or if the CM server is located behind a proxy or a load balancer. For more information, see RFC 6066.

To use the server name indication feature in Protocol Gateway:

1. Open the file C:\ProgramData\Nexus\cm-gateway\conf\cm-gateway.properties for editing.

2. Set ssl.servernameindication to your CM hostname.

• Start the Protocol Gateway by starting the Tomcat service.