Skip to main content
Skip table of contents

Initial configuration of Protocol Gateway

This article is valid for Certificate Manager 8.5 and later.

This article describes how to do initial configuration of Protocol Gateway, using the provided enrollment templates file. 

This instruction includes configuration of VRO and TLS parameters for connection and communication with the CM server. This is configured in cm-gateway.properties and determines the following:

  • The DNS name or IP address of the CM server.

  • The name and location of the Protocol Gateway officer token.

  • The TLS trust store location.

  • The SNI (Server Name Indication) host name of CM (Optional), see heading "Configure TLS Server Name Indication (SNI) parameter" below.

Prerequisites

The following prerequisites apply:

Import and adapt standard configuration

Import standard configuration

Nexus provides a template file that includes standard configurations of Protocol Gateway, as well as configurations for the SCEP and CMP protocols.  

To import the standard configurations:

  1. Open Administrator's workbench (AWB)

  2. Import the enrollmentTemplates.dat file from \CM\clients\web\pgwy\. For more information, see Import items to Certificate Manager

Configure and sign imported elements

The imported elements are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB), open each element and make needed configurations and sign the changes: 

  1. Modify VRO Certificate Procedure

    1. Change Issuing CA to the Officer and System CA

    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.

  2. Modify Protocol Gateway RA Certificate Procedure:

    1. Change Issuing CA to the CA that shall issue certificates to the devices, for example Device Issuing CA.

    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.

  3. For each of the following elements, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.

    1. Protocol Gateway RA Token

    2. VRO Token Procedure

    3. VRO Officer Profile

Issue Protocol Gateway RA soft token

To issue a Protocol Gateway RA soft token: 

  1. Open Registration Authority (RA) in Certificate Manager

  2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  

    1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-ra.p12

    2. In Procedure, select Protocol Gateway RA Token.

    3. Enter values in Country, Organization and set Common Name to Protocol Gateway RA.

    4. In Signature PIN, enter the PIN for Security officer 1.

    5. In the popup dialog, select a PIN for the soft token.

    6. When the soft token is issued, a popup window is opened where the certificate is shown. Open, select Save to file (DER), and save protocol-gateway-ra.cer as a DER.encoded certificate.

Issue certificate for Protocol Gateway officer

The Protocol Gateway Officer that was imported, needs a certificate. In this example it is issued as a soft token. 

To issue a Protocol Gateway Officer soft token:

  1. Open Registration Authority (RA) in Certificate Manager

  2. Issue a Protocol Gateway RA Soft Token, see Issue software token in Certificate Manager.  

    1. In File for Media, select the path and filename where the soft token shall be stored, for example \CM\server\certs\protocol-gateway-vro.p12

    2. In Procedure, select VRO Token Procedure.

    3. Enter values in Country, Organization and set Common Name to Protocol Gateway Officer.

    4. In Signature PIN, enter the PIN for Security officer 1.

    5. In the popup dialog, select a PIN for the soft token.

Promote certificate to officer

Connect the new certificate to the Protocol Gateway Officer: 

  1. Open Administrator's workbench (AWB)

  2. Modify the Protocol Gateway Officer in the Officers tab.

  3. In Certificate, click the arrow to select. Select the certificate that was just created for the Protocol Gateway Officer. 

  4. Click OK, and then Sign the update. See Sign tasks in Certificate Manager.

Get TLS CA certificate

The CA certificate must be exported to be used in Protocol Gateway to trust the CA. 

In Administrator's workbench (AWB),

  1. Select the Officer and System CA

  2. In the menu, select Cross > Export Certificate > Binary.

  3. Store the certificate as SystemCA.cer.
    This certificate shall be used later in the Protocol Gateway configuration.

Configure Protocol Gateway

Copy officer and RA tokens to Protocol Gateway
  1. Copy the Protocol Gateway Officer token and the Protocol Gateway RA token to the Protocol Gateway \conf folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.

    1. protocol-gateway-vro.p12
      This is needed for Protocol Gateway as a virtual registration officer, when devices request certificates in an automated workflow. 

    2. protocol-gateway-ra.p12
      This is needed for certain protocols (EST, CMP, CMC and SCEP), for example for Full PKI requests. The specified RA token is used to establish secure transactions with the end entities requesting certificates. For more information on Full PKI Requests, see the CMC specification: RFC 5272 Section 3.2.

Trust CM host

For Protocol Gateway to trust the CM host: 

  1. Copy the TLS CA certificate SystemCA.cer to the \conf\certdir trust store folder, for example C:\ProgramData\Nexus\cm-gateway\conf\certdir.

Set properties in CM-gateway.properties

To set properties for Protocol Gateway: 

  1. Open the file \Nexus\cm-gateway\conf\cm-gateway.properties for editing. 

  2. Modify the following properties: 

    1. Set cmhost to your CM host. 

    2. Set officer.keyfile to the Protocol Gateway Officer token file and officer.password to the related PIN.

Example: cm-gateway.properties
CODE
cmhost = localhost
cmconnections = 20
officer.keyfile = PGWYOfficer.p12
officer.password = 1234

Configure TLS Server Name Indication (SNI) parameter

Protocol Gateway supports configuration of the TLS Server Name Indication (SNI) parameter so that the correct server certificate can be obtained by the Protocol Gateway CM client during TLS handshake. This typically applies in cases where the IP hosting the CM server also hosts other services with different host names on the same TLS port, or if the CM server is located behind a proxy or a load balancer. For more information, see RFC 6066.

To use the server name indication feature in Protocol Gateway:

  1. Open the file C:\ProgramData\Nexus\cm-gateway\conf\cm-gateway.properties for editing.

  2. Set ssl.servernameindication to your CM hostname.

Start service

Start Protocol Gateway Tomcat service
  • Start the Protocol Gateway by starting the Tomcat service. 

Set up protocols 

To enable and configure protocols, see Configuration examples in Protocol Gateway.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.