Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Setting up a TLS connection for TCP listeners and forwarders


You can set up Transport Layer Security (TLS) connections to secure network communication for BMC Defender Server listeners and forwarders that use the Transmission Control Protocol (TCP). The setup is a standard TLS client-server configuration in which the server presents a server certificate to the client. The client is not required to present a certificate, but if the server requires one to complete the Secure Sockets Layer (SSL) handshake, you can configure the client to present a client certificate on the connection.

The BMC Defender Server network components behave as follows:

  • TCP listeners act as network servers that attempt to open a listening port and accept incoming TCP connections.
  • TCP forwarders act as network clients that attempt to make outgoing TCP connections.

When you select the TCP-TLS protocol for a TCP listener, you must configure the TLS options to set up the connection. For a TCP forwarder, the TLS connection is optional.

Before you begin

Prepare an SSL certificate. To use the built-in utility to generate the certificate, see Creating-and-installing-a-self-signed-SSL-certificate.

To set up a TLS connection

  1. Navigate to the System > Network > Config page.
  2. Click to add or edit a network forwarder or a network listener.
  3. For the Protocol, select TCP-TLS.
    The following options are displayed:
  4. Complete the following options:

    SSL/TLS Certificate File
      Complete file path and name (including the file extension) of the certificate.
      If you create an SSL certificate with BMC Defender Server, it is automatically stored in the installationDirectory\system\certs directory. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.
      The certificate file must be in PEM format, as defined in RFCs 1421 through 1424. The input file can contain the public certificate alone or an entire certificate chain, including the public key, private key, and root certificates.
      For listeners, this option is required.
      For forwarders, complete this option if the server requires a client certificate to complete the SSL handshake.

    Certificate Private Key File
      If the private key is not part of the certificate file, the complete file path and name (including the file extension) of the private key.
      The private key file usually has a name ending in key.pem and must be in PEM format.

    Certificate Private Key Password File
      If the private key is password protected, the complete file path and name (including the file extension) of a text file that contains the key password.
      Only the first line of the text file is read, and it is used as the private key password. The file must have a .txt extension and be in plain ASCII text.

    Certificate Revocation List File
      Complete file path and name (including the file extension) of the certificate revocation list file.
      The file generally comes from the certificate authority that issued the certificate being revoked. The file must be in PEM format.

    Diffie-Hellman Parameters File
      If a perfect forward secrecy cipher suite is required, the complete file path and name (including the file extension) of the input parameters for the Diffie-Hellman key exchange.
      If you select a perfect forward secrecy cipher suite (see Open SSL Ciphers later in this list), you must set up Diffie-Hellman parameters and provide them as an input file; pre-generated parameters significantly speed up the key negotiation process. The parameters are sent for every Diffie-Hellman key exchange, as described in RFC 5114. The file must be in PEM format.

    Trusted Certificate Authority Directory
      Complete path to the directory that contains trusted certificate-authority certificates.
      The certificates in the directory are used for verification (in addition to the system certificate-authority files). Each file in the directory must contain a single certificate, and the files must be named using the subject's hash with an extension of .0.

    Use Operating System CA Store Files
      Indicates whether to use the certificate-authority store of the operating system to verify TLS certificates.
      Enable the setting to trust all certificate authorities in the operating system store.

    Open SSL Ciphers
      (Optional) List of SSL cipher suites.
      Select one or more SSL cipher suites to negotiate the TLS connection. The other side of the connection must support the selected cipher suites for the negotiation to succeed.
      If you do not select a cipher suite, the TLS client and server automatically negotiate the best available cipher suite.

    Min SSL Protocol
      Minimum protocol version for the TLS cipher suite negotiation.

    Max SSL Protocol
      Maximum protocol version for the TLS cipher suite negotiation.

    Verify Mode
      Certificate verification mode.
      If None (the default value) is selected, no certificate verification is performed: the connection is encrypted, but the identity of the other side is not checked. The other settings enable strict verification according to the SSL protocols.

  5. Click Save.
    The network component is displayed in the list with the TCP-TLS protocol.

    Note

    You might need to wait a few minutes for the settings to be active.
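The option set in step 4 maps almost one-to-one onto a Python ssl.SSLContext, so the following added example (not BMC's code; the TlsOptions field names, the helper functions and any file paths are assumptions for illustration) is a pre-flight check that loads the same files the way the TLS stack will, so that a malformed PEM file, a wrong key password, a misnamed file in the CA directory or an unknown cipher name is caught before the listener or forwarder is saved. It leaves out the operating-system CA store option (load_default_certs in Python) to stay short.

```python
import os
import re
import ssl
from dataclasses import dataclass
from typing import Optional

@dataclass
class TlsOptions:  # one field per option in the list above; None means the field is empty
    cert_file: Optional[str] = None          # SSL/TLS Certificate File (PEM)
    key_file: Optional[str] = None           # Certificate Private Key File (PEM)
    key_password_file: Optional[str] = None  # Certificate Private Key Password File (.txt)
    crl_file: Optional[str] = None           # Certificate Revocation List File (PEM)
    dh_params_file: Optional[str] = None     # Diffie-Hellman Parameters File (PEM)
    ca_dir: Optional[str] = None             # Trusted Certificate Authority Directory
    ciphers: Optional[str] = None            # Open SSL Ciphers (OpenSSL cipher string)
    min_protocol: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2           # Min SSL Protocol
    max_protocol: ssl.TLSVersion = ssl.TLSVersion.MAXIMUM_SUPPORTED  # Max SSL Protocol
    verify_peer: bool = True                 # Verify Mode; False is the "None" setting

def read_key_password(path: str) -> str:
    """Only the first line of the plain-ASCII .txt file is the password; the rest is ignored."""
    with open(path, encoding="ascii") as f:
        return f.readline().rstrip("\r\n")

def misnamed_ca_files(ca_dir: str) -> list:
    """Entries not named <subject hash>.0 (OpenSSL c_rehash layout); OpenSSL will skip them."""
    return sorted(n for n in os.listdir(ca_dir) if not re.fullmatch(r"[0-9a-f]{8}\.\d+", n))

def build_context(opts: TlsOptions, server_side: bool) -> ssl.SSLContext:
    """Load each file as the TLS stack would; bad PEM, a wrong key password or an unknown cipher fails here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = opts.min_protocol, opts.max_protocol
    if opts.ciphers:
        ctx.set_ciphers(opts.ciphers)
    if opts.cert_file:  # required for listeners; optional client certificate for forwarders
        pw = read_key_password(opts.key_password_file) if opts.key_password_file else None
        ctx.load_cert_chain(opts.cert_file, opts.key_file, pw)
    if opts.dh_params_file:
        ctx.load_dh_params(opts.dh_params_file)
    if opts.ca_dir:
        if misnamed_ca_files(opts.ca_dir):
            raise ValueError("CA directory contains files not named <hash>.0")
        ctx.load_verify_locations(capath=opts.ca_dir)
    if opts.crl_file:
        ctx.load_verify_locations(cafile=opts.crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if not opts.verify_peer:  # "None": encrypted, but the peer's certificate is never checked
        ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if opts.verify_peer else ssl.CERT_NONE
    return ctx
```

Run build_context with the exact paths you intend to enter on the Config page; any exception it raises is the misconfiguration the product would otherwise report only when the first connection fails.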
