Secure communication with TLS authentication

Configure TLS authentication to establish one-way or two-way secure communication between the Secure Agent and the REST API over TLS. With one-way TLS, the Secure Agent verifies the server certificate of the REST API against a truststore. With two-way TLS (mutual TLS), the REST API additionally verifies a client certificate that the Secure Agent presents from a keystore.
To establish one-way secure communication, perform the following steps:
  1. Generate the truststore. For more information on the steps, see Generate a Truststore.
  2. Configure the REST V2 connection for one-way SSL. You can specify the truststore file and truststore password in the connection, or set them in the JVM options of the Secure Agent.
To establish two-way secure communication, you must first configure one-way secure communication, and then perform the following steps:
  1. Generate the keystore. For more information on the steps, see Generate a Keystore.
  2. Configure the REST V2 connection for two-way SSL. You can specify the keystore file and keystore password in the connection, or set them in the JVM options of the Secure Agent.
If you specify keystore and truststore properties both in the connection and in the JVM options, the properties configured in the connection take precedence: the Secure Agent processes the certificates based on the connection properties.

Generate a truststore

To generate a truststore, you need the server certificate of the REST API (or the CA certificate that issued it). Get the server certificate and perform the following steps to generate the truststore:
  1. Import the server certificate to the following file path:
     <Secure Agent installation directory>\jre\lib\security\cacerts
     Note: cacerts is the default truststore of the JRE that the Secure Agent uses. A certificate imported there is trusted by every Java process that uses that JRE, and the file may be overwritten when the JRE is upgraded.
  2. To generate the truststore, run the following command from the command line:
     keytool -importcert -alias <Specify alias name here> -file <Specify server certificate here> -keystore <Specify the name of custom truststore to be generated> -storepass <Specify password for the custom truststore>
     For example, keytool -importcert -alias RESTV2CACert -file ca.pem -keystore sampletruststore -storepass JKSTrustStorePassword
     In the example, a truststore file named sampletruststore is generated with the password JKSTrustStorePassword.
     keytool asks you to confirm that you trust the certificate; add -noprompt to run the command non-interactively. On Java 9 or later, keytool creates a PKCS12 file by default; add -storetype JKS if you need a JKS truststore. A password given with -storepass is visible in the shell history and to other users in the process list; keytool also accepts -storepass:env <variable> or -storepass:file <path>.

Generate a keystore

To generate a keystore, you need a client certificate and the matching client private key. Get the client certificate and client private key, and then perform the following steps to generate the keystore:
  1. Import the certificate to the following file path:
     <Secure Agent installation directory>\jre\lib\security\cacerts
  2. To generate the keystore, run the following command from the command line:
     openssl pkcs12 -export -in <Specify client certificate here> -inkey <Specify client private key here> -name "<Specify any name here>" -passout pass:<Specify password for the keystore to be generated> -out <Specify name for the keystore with p12 extension>
     For example, openssl pkcs12 -export -in /home/samplefolder/certs/client-cert.pem -inkey /home/samplefolder/certs/client-key.pem -name "restclient" -passout pass:PKCSKeyStorePassword -out samplekeystore.p12
     In the example, a keystore file named samplekeystore.p12 is generated in the PKCS12 format. A password given with -passout pass: is visible to other users in the process list while the command runs; openssl also accepts -passout env:<variable> or -passout file:<path>.
     To convert the keystore file from .p12 format to .jks format, run the following command from the command line:
     keytool -importkeystore -srckeystore <Specify name of the p12 keystore file> -srcstoretype pkcs12 -srcstorepass <Specify password for generated p12 keystore file> -destkeystore <Specify name for the JKS keystore file> -deststoretype JKS -deststorepass <Specify password for the JKS keystore file>
     Note: The password specified in -srcstorepass must be the same as the password specified in -deststorepass. keytool protects the private key entry in the JKS file with the source store password, and the JVM unlocks the key entry with the keystore password it is given, so the two must match or the key cannot be recovered at run time.
     For example, keytool -importkeystore -srckeystore samplekeystore.p12 -srcstoretype pkcs12 -srcstorepass PKCSKeyStorePassword -destkeystore keystore -deststoretype JKS -deststorepass PKCSKeyStorePassword
     In the example, a JKS keystore file named keystore is generated with the password PKCSKeyStorePassword.
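The truststore and keystore procedures above, run end to end and then checked, as an added example that is not part of Informatica's documentation or product. It assumes only that openssl and keytool are on the PATH. Because it must run offline, it generates a throwaway CA and client certificate (constructed test data) to stand in for the real server certificate and the real client certificate and key; the file names, aliases and passwords follow the page's examples. It also adds -noprompt and -storetype JKS to the page's keytool -importcert command and passes the openssl password through the environment rather than on the command line.

```shell
#!/bin/sh
# Added example (not Informatica's code): runs the truststore and keystore
# commands from this page in a scratch directory and then verifies the result
# the way you would before pointing the Secure Agent at the files.
# Assumptions, none of them from the page: a throwaway CA and client
# certificate are generated locally in place of the real server certificate
# and client certificate/key; names and passwords follow the page's examples.
set -eu

TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-JKSTrustStorePassword}
KEYSTORE_PASS=${KEYSTORE_PASS:-PKCSKeyStorePassword}
export KEYSTORE_PASS   # read by openssl via -passout env:/-passin env:, so it stays out of ps output

# Constructed test PKI: a self-signed CA (stand-in for the issuer of the REST
# API's server certificate) and a client certificate it signs. Use the real
# files in practice.
gen_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example REST CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=restclient" \
        -keyout "$dir/client-key.pem" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/client-cert.pem" >/dev/null 2>&1
}

# One-way TLS: a truststore holding only the server's CA certificate.
# -noprompt skips the interactive "Trust this certificate?" question;
# -storetype JKS pins the format, since keytool on Java 9+ defaults to PKCS12.
make_truststore() {
    dir=$1
    keytool -importcert -noprompt -storetype JKS -alias RESTV2CACert -file "$dir/ca.pem" \
        -keystore "$dir/sampletruststore" -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
}

# Two-way TLS: client certificate and key packed into PKCS12, then converted
# to JKS. Source and destination store passwords are kept identical, as the
# page requires, because the key entry password carries over from the source.
make_keystore() {
    dir=$1
    openssl pkcs12 -export -in "$dir/client-cert.pem" -inkey "$dir/client-key.pem" \
        -name restclient -passout env:KEYSTORE_PASS -out "$dir/samplekeystore.p12"
    keytool -importkeystore -srckeystore "$dir/samplekeystore.p12" -srcstoretype pkcs12 \
        -srcstorepass "$KEYSTORE_PASS" -destkeystore "$dir/keystore" -deststoretype JKS \
        -deststorepass "$KEYSTORE_PASS" >/dev/null 2>&1
}

# Verification: the password must open each store, the truststore must hold a
# trusted certificate entry under the expected alias, and the JKS keystore a
# private key entry (a certificate without its key is useless for client auth).
check_stores() {
    dir=$1
    keytool -list -keystore "$dir/sampletruststore" -storepass "$TRUSTSTORE_PASS" 2>/dev/null \
        | grep -qi "restv2cacert.*trustedCertEntry" || return 1
    keytool -list -keystore "$dir/keystore" -storepass "$KEYSTORE_PASS" 2>/dev/null \
        | grep -qi "restclient.*PrivateKeyEntry" || return 1
    openssl pkcs12 -in "$dir/samplekeystore.p12" -noout -nodes -passin env:KEYSTORE_PASS >/dev/null 2>&1
}

# Builds everything in DIR (created if needed) and prints DIR on success.
build_tls_stores() {
    dir=$1
    mkdir -p "$dir"
    gen_test_pki "$dir" && make_truststore "$dir" && make_keystore "$dir" \
        && check_stores "$dir" && echo "$dir"
}

# Run directly as:  sh tls-stores.sh ./work   (without an argument only the functions are defined)
if [ $# -gt 0 ]; then
    build_tls_stores "$1"
fi
```

On success the script prints the directory that now contains sampletruststore, samplekeystore.p12 and keystore. The check_stores function is the part worth keeping: run the equivalent keytool -list and openssl pkcs12 commands against the real files before configuring the connection, because a truststore without a trustedCertEntry or a keystore whose password does not open it is easier to diagnose here than from a failed handshake at run time.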

Configuring one-way or two-way secure communication

You can configure a connection for one-way or two-way SSL.

Configuring the connection for one-way SSL

You can specify the name of the truststore file and the truststore password in the TrustStore File Name and TrustStore Password fields in the connection properties. Alternatively, you can set the truststore file name and truststore password in the JVM options in the Secure Agent properties:
  1. Click Administrator > Runtime Environments, and select an agent.
  2. Select Type as DTM under System Configuration Details.
  3. Add the following JVM options:

Configuring the connection for two-way SSL

You can specify the name of the keystore file and the keystore password in the KeyStore File Name and KeyStore Password connection properties. Alternatively, you can set the keystore file and keystore password in the JVM options in the Secure Agent properties.
To use two-way SSL, you must first configure one-way SSL, and then perform the following steps to configure two-way SSL:
  1. Click Administrator > Runtime Environments, and select an agent.
  2. Select Type as DTM under System Configuration Details.
  3. Add the following JVM options:
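The list of JVM options for the one-way and two-way procedures is not present on this page. As an added illustration, not taken from the page, the following shows what the options look like if the Secure Agent's DTM JVM honours the standard JSSE system properties; that is an assumption about the agent, so confirm the exact option names against your Informatica documentation. Paths use the sample directory from the keystore example above, one -D option per JVM option entry:

```text
# One-way SSL: truststore only
-Djavax.net.ssl.trustStore=/home/samplefolder/certs/sampletruststore
-Djavax.net.ssl.trustStorePassword=JKSTrustStorePassword
-Djavax.net.ssl.trustStoreType=JKS

# Two-way SSL: add the keystore and keep the one-way options
-Djavax.net.ssl.keyStore=/home/samplefolder/certs/keystore
-Djavax.net.ssl.keyStorePassword=PKCSKeyStorePassword
-Djavax.net.ssl.keyStoreType=JKS
```

Two consequences of the JVM-option route are worth weighing against the connection-level fields. First, -D options are part of the Java command line, so any local user who can list processes (for example with ps -ef) can read the passwords; keep the truststore and keystore files themselves readable only by the account the agent runs as. Second, setting javax.net.ssl.trustStore replaces the JRE's default cacerts trust for that JVM, so every CA that the agent's other HTTPS endpoints rely on must be present in the custom truststore as well. Where the connection fields can be used, they take precedence over the JVM options, as described at the top of this page.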