
Editing System Parameters

Engine-Server TLS Settings

All communication between Certifier Engine and Certifier Server instances is secured with TLS, which provides authentication, integrity, and confidentiality for the traffic. This is especially important in large-scale deployments where SSH Tectia Certifier functionality, such as CA signing functions, enrollment services, and administration, is distributed across several hosts.

One CA in the system has to act as the internal authority that issues the TLS certificates for the Certifier Server instances. The Certifier Engine also needs its own TLS certificate, which it uses to authenticate itself when it connects to a Certifier Server. These parameters are configured on the System Parameters page.

To access this page, click System Configuration on the menu, and click the Edit System Parameters option.

Figure: The System Parameters page

In the Server CA field, select the CA that is used to issue the TLS certificates for the Certifier components. The SSH Certifier Internal CA created during installation is the preferred default choice.

To view the CA settings, click View CA.

Note: Whichever CA is used, its policy should be Automatically issue requests for valid server entity, because the Certifier Engine and Certifier Servers need to renew their certificates at regular intervals to stay operational. If renewal requests were left pending for manual approval, the component certificates could expire and the TLS connections between components would fail.

To view the Certifier Engine's TLS certificate, click the View Certificate button. You can also change it to another certificate by clicking the Change button and then searching the database for another certificate and private key pair.

To issue a new TLS certificate with a new validity period and possibly new fields, click the Reissue Certificate button.

Click the Commit button to take changes into use.

Multi Approval Settings

Multi approval is part of the dual admin control feature of SSH Tectia Certifier.

By default, multi approval is disabled. Before activating the feature, make sure there are enough active operator accounts in the system: under multi approval, adding a new operator itself requires approval from the specified number of operators before the new operator can be added. SSH Tectia Certifier contains only one operator after the initial setup, so enabling the feature with too few operators can leave the system unable to approve its own changes.

When multi approval is in use, all add, modify, delete, and write operations, except certain HSM-related operations, require approval from two or more operators.

To enable Multi Approval, select the corresponding check box. Enter the Number of Approvals needed before a change set can be committed.

Select the Multi Approval Scope. If Multi approval required for system service configuration is selected, all system-level operations (for example, new root CA creation, server and service configuration) go through the multi approval process.

If all CAs require multi approval, click All CAs require multi approval. If only some CAs require multi approval, click Multi approval for only selected CAs, select the CAs from the drop-down list, and click Add. Alternatively, click Multi approval for all except selected CA, select the CAs that do not require multi approval, and click Add.

Click the Commit button to take changes into use.

For information on how to handle change sets when multi approval is in use, see Section Viewing and Approving Pending Change Sets.
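The following added example models the approval rules described above (the Number of Approvals, the system service configuration scope, and the three CA scope modes) as a small policy evaluator. It is illustrative code written for this page, not SSH Tectia Certifier's own implementation; the class and function names are hypothetical, and it assumes that approvals are counted per distinct operator and that the operator who created a change set does not count as one of its approvers.

```python
from dataclasses import dataclass, field

# Hypothetical model of the Multi Approval Settings page; not product code.
SCOPE_ALL = "all"                      # All CAs require multi approval
SCOPE_ONLY_SELECTED = "only_selected"  # Multi approval for only selected CAs
SCOPE_ALL_EXCEPT = "all_except"        # Multi approval for all except selected CA
SYSTEM_TARGET = "system"               # marker for system-level operations


@dataclass(frozen=True)
class MultiApprovalPolicy:
    enabled: bool = False
    approvals_required: int = 2          # "Number of Approvals"
    system_config_in_scope: bool = True  # "required for system service configuration"
    scope_mode: str = SCOPE_ALL
    selected_cas: frozenset = frozenset()

    def requires_approval(self, target: str) -> bool:
        """Decide whether a change set against 'target' needs multi approval."""
        if not self.enabled:
            return False
        if target == SYSTEM_TARGET:
            return self.system_config_in_scope
        if self.scope_mode == SCOPE_ALL:
            return True
        if self.scope_mode == SCOPE_ONLY_SELECTED:
            return target in self.selected_cas
        if self.scope_mode == SCOPE_ALL_EXCEPT:
            return target not in self.selected_cas
        raise ValueError(f"unknown scope mode {self.scope_mode!r}")


@dataclass
class ChangeSet:
    author: str
    target: str                 # a CA name or SYSTEM_TARGET
    approvers: set = field(default_factory=set)   # distinct operator names

    def approve(self, operator: str) -> int:
        """Record an approval; the author's own approval is ignored (assumption)."""
        if operator != self.author:
            self.approvers.add(operator)
        return len(self.approvers)


def can_commit(policy: MultiApprovalPolicy, cs: ChangeSet) -> bool:
    """True when the change set may be committed under the policy."""
    if not policy.requires_approval(cs.target):
        return True
    return len(cs.approvers) >= policy.approvals_required


def operators_are_sufficient(policy: MultiApprovalPolicy, active_operators: int) -> bool:
    """The check the page warns about: author plus N approvers must exist."""
    if not policy.enabled:
        return True
    return active_operators >= policy.approvals_required + 1


if __name__ == "__main__":
    policy = MultiApprovalPolicy(enabled=True, approvals_required=2,
                                 scope_mode=SCOPE_ONLY_SELECTED,
                                 selected_cas=frozenset({"Issuing CA"}))
    cs = ChangeSet(author="alice", target="Issuing CA")
    cs.approve("bob")
    cs.approve("bob")      # same operator twice still counts once
    print(can_commit(policy, cs))   # False: only one distinct approver
    cs.approve("carol")
    print(can_commit(policy, cs))   # True
```

The evaluator makes the warning in the text concrete: with a freshly installed system that has a single operator, `operators_are_sufficient` is false for any enabled policy, so the first change set (including the one that adds a second operator) could never reach the required approval count.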
