EMA supports provisioning keystore and truststore certificates for WRTC and pushes them to the WRTC node as part of the configuration request that the node sends during node registration.
A CA certificate imported from EMS to the WRTC server must be in PKCS#12 (.P12) format.
Perform the following tasks to update the cluster configuration for WRTC Certificate Management:
- Log in to EMA.
- Navigate to Monitoring > Dashboard > CertificateProfile. The Certificate Management page is displayed.
  The page lists the sample Keystore and Truststore certificates that are shipped with the product. Select a Keystore or Truststore certificate to view its details. The samples are for reference only; replace them with your own certificates before a node is used in production, because a keystore that ships with the product is shared by every installation.
- To add a Keystore certificate, click Add Keystore Certificate. The Add Keystore page is displayed. Browse to the certificate file on your local machine, provide a certificate name, and enter the Passphrase for the certificate.
  Click Save. The message "Certificate is added successfully" is displayed, and the new Keystore certificate appears in the list.
- To change a Keystore password, select the Keystore from the list and click Change Keystore Password.
- To add a Truststore certificate, click Add Truststore Certificate. The Add Truststore page is displayed. Browse to the certificate file on your local machine and provide a certificate name.
  Click Save. The message "Certificate is added successfully" is displayed, and the new Truststore appears in the list.
- To change a Truststore password, select the Truststore from the list and click Change Truststore Password.
- To delete a certificate, select it and click Delete.
- Click Apply Saved Changes to complete the configuration.
Once the certificate is imported, you can verify it by running the following command on the WRTC instance:
Enter the correct keystore.jks password to view the content of the imported certificate. A wrong password is reported as a tampered keystore, because the keystore password is checked against an integrity digest over the whole file rather than used to decrypt the certificates.
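The password check on keystore.jks can be reproduced without a JDK. The following is an added example written for this page, not the WRTC verification command itself (which this page does not reproduce) and not code from EMA or WRTC. It builds a minimal JKS version 2 truststore in memory, then parses it the way the Java "JKS" provider does: the file ends with a SHA-1 digest keyed by the store password, so a wrong password or a single altered byte fails verification before any entry is read. The alias names and the certificate bytes are constructed placeholders; JKS stores the DER encoding as an opaque blob, so no real certificate is needed to exercise the format.

```python
import hashlib
import hmac
import struct

# Constructed placeholder for a DER-encoded X.509 certificate. JKS keeps the
# encoding as an opaque length-prefixed blob, so the parser never decodes ASN.1.
SAMPLE_CERT_DER = b"\x30\x82\x00\x14constructed-cert-bytes"

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2


class JksError(ValueError):
    """Wrong password, tampered file, or malformed structure."""


def _prekeyed_sha1(password: str):
    """SHA-1 seeded as the Java JKS provider does: the password as UTF-16BE code
    units, then the fixed string 'Mighty Aphrodite'. This digest is all the
    keystore password protects: file integrity, not confidentiality."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    return h


def _utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF: 2-byte big-endian length, then UTF-8."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_jks(trusted_certs, password: str, created_ms: int = 0) -> bytes:
    """Serialise (alias, der) pairs as trusted-certificate entries (tag 2) in
    JKS version 2 and append the keyed integrity digest."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted_certs))
    for alias, der in trusted_certs:
        body += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias)
        body += struct.pack(">Q", created_ms)  # creation time, ms since epoch
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    h = _prekeyed_sha1(password)
    h.update(body)
    return body + h.digest()


def read_jks(blob: bytes, password: str):
    """Verify the integrity digest with `password`, then list entries as
    (alias, entry_kind, certificate_count). A wrong password or any modified
    byte fails here; keytool reports the same condition as
    'Keystore was tampered with, or password was incorrect'."""
    if len(blob) < 12 + 20:
        raise JksError("too short to be a JKS keystore")
    data, stored_digest = blob[:-20], blob[-20:]
    h = _prekeyed_sha1(password)
    h.update(data)
    if not hmac.compare_digest(h.digest(), stored_digest):
        raise JksError("Keystore was tampered with, or password was incorrect")

    pos = 0

    def take(fmt):
        nonlocal pos
        (value,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return value

    def take_utf() -> str:
        nonlocal pos
        n = take(">H")
        s = data[pos:pos + n].decode("utf-8")
        pos += n
        return s

    def take_blob() -> bytes:
        nonlocal pos
        n = take(">I")
        if pos + n > len(data):
            raise JksError("entry length exceeds file size")
        b = data[pos:pos + n]
        pos += n
        return b

    if take(">I") != JKS_MAGIC or take(">I") != JKS_VERSION:
        raise JksError("not a JKS version 2 keystore")
    entries = []
    for _ in range(take(">I")):
        tag = take(">I")
        alias = take_utf()
        take(">Q")  # creation time, not needed for listing
        if tag == TAG_PRIVATE_KEY:
            take_blob()  # protected (encrypted) private key
            chain_len = take(">I")
            for _ in range(chain_len):
                take_utf()   # certificate type, e.g. "X.509"
                take_blob()  # DER-encoded certificate
            entries.append((alias, "PrivateKeyEntry", chain_len))
        elif tag == TAG_TRUSTED_CERT:
            take_utf()
            take_blob()
            entries.append((alias, "trustedCertEntry", 1))
        else:
            raise JksError(f"unknown entry tag {tag}")
    return entries
```

Calling `read_jks(build_jks([("wrtc-ca-root", SAMPLE_CERT_DER)], "changeit"), "changeit")` returns the single trusted-certificate entry; the same call with any other password raises `JksError`. The practical point is that the truststore password proves nothing about who can read the certificates, only that the file has not been changed since it was written with that password, so the password on a pushed keystore.jks is a tamper check, not a secret that protects the CA list.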
Associating the Certificate to TLS Profile
When a TLS connection is established, the client and server run the TLS Handshake Protocol, during which they agree on the parameters that secure the connection. First, the client sends its cipher suite list, the cipher suites that it supports in order of preference. The server then replies with the cipher suite that it has selected from that list; if no suite in the client's list is acceptable to the server, the handshake fails. Each named cipher suite defines a key exchange algorithm, a bulk encryption algorithm, a message authentication code (MAC) algorithm, and a pseudorandom function (PRF).
Perform the following tasks to associate a certificate with a TLS profile:
- Navigate to All > WRTC Data Model > Profiles > TLS Profile. The TLS Profile page is displayed.
  Select a TLS Profile from the list to view its details.
- To add a TLS Profile, click New TLS Profile. The Create New TLS Profile page is displayed. Provide a TLS Profile Name, the TLS Handshake Timeout Duration, the Cipher suites, and the Server Certificate, chosen from the Keystore certificate list.
  The TLS Profile name can be at most 23 characters long.
  The TLS Handshake Timeout Duration accepts values from 0 to 4294967295; the default is 5.
  A cipher suite is a named combination of key exchange, authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings of a connection that uses the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) protocol. List only suites that the WRTC node's TLS stack supports; a client whose list has no suite in common with the profile cannot complete the handshake.
  Click Save. The message "TLS Profile (Object) is created successfully" is displayed, and the new TLS Profile appears in the list.
- To delete a profile, select it and click Delete.
- Click Apply Saved Changes to complete the configuration.
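The handshake description above and the Cipher suites field of the TLS profile both come down to the same two things: what a cipher-suite name is made of, and how the server picks one from the client's list. The following is an added example written for this page, not code from EMA or WRTC, and it assumes the suites are written as IANA names (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and the like); this page does not state whether the profile uses IANA or OpenSSL-style names, so an OpenSSL-style name is rejected by the parser rather than guessed at. `parse_suite` splits a name into the key exchange, authentication, bulk encryption and MAC/PRF parts and attaches policy findings for weak choices, `check_profile` runs that over a profile's list, and `select_cipher_suite` models the ServerHello selection step from a client offer and a server profile, in either server or client preference order. The suite lists in the usage note and test are constructed.

```python
import re
from dataclasses import dataclass, field

# Bulk-cipher tokens that are broken or deprecated for TLS.
WEAK_BULK = {"NULL", "RC4", "RC2", "DES", "DES40", "3DES", "IDEA", "SEED"}
# Mode tokens that identify an AEAD suite (no separate MAC, no CBC padding).
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
NAME_RE = re.compile(r"^TLS_[A-Za-z0-9_]+$")


@dataclass
class Suite:
    name: str
    key_exchange: str
    authentication: str
    bulk_cipher: str
    mac_or_prf: str
    findings: list = field(default_factory=list)


def parse_suite(name: str) -> Suite:
    """Break an IANA cipher-suite name into the parts the profile text lists
    (key exchange, authentication, bulk encryption, MAC/PRF hash) and attach
    policy findings. An empty findings list means the suite is acceptable."""
    if not NAME_RE.match(name):
        raise ValueError(f"not an IANA cipher-suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kx_part, cipher_part = body.split("_WITH_", 1)
        export = "_EXPORT" in kx_part
        kx_tokens = [t for t in kx_part.split("_") if t != "EXPORT"]
        key_exchange = kx_tokens[0]
        # TLS_RSA_WITH_* and TLS_PSK_WITH_* use one primitive for both roles.
        authentication = kx_tokens[1] if len(kx_tokens) > 1 else key_exchange
    else:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry only AEAD and hash; key
        # exchange and authentication are negotiated through other extensions.
        cipher_part, export = body, False
        key_exchange = authentication = "negotiated (TLS 1.3)"
    cipher_tokens = cipher_part.split("_")
    mac_or_prf, bulk_tokens = cipher_tokens[-1], cipher_tokens[:-1]
    suite = Suite(name, key_exchange, authentication, "_".join(bulk_tokens), mac_or_prf)
    f = suite.findings
    if authentication == "anon":
        f.append("no server authentication (anonymous key exchange)")
    if export:
        f.append("export-grade key length")
    weak = WEAK_BULK.intersection(bulk_tokens)
    if weak:
        f.append("weak bulk cipher " + "/".join(sorted(weak)))
    elif not AEAD_MODES.intersection(bulk_tokens):
        f.append("CBC/stream mode, not AEAD")
    if mac_or_prf == "MD5":
        f.append("MD5 MAC")
    static_kx = key_exchange == "RSA" or (
        key_exchange in ("DH", "ECDH") and authentication != "anon")
    if static_kx:
        f.append("no forward secrecy (static key exchange)")
    return suite


def check_profile(cipher_suites):
    """Validate the Cipher suites list of a TLS profile: {suite: findings}."""
    return {n: parse_suite(n).findings for n in cipher_suites}


def select_cipher_suite(client_offer, server_profile, honor_server_order=True):
    """The selection step of the handshake: the client offers suites in its
    preference order and the server answers with one both sides support.
    Returns None when there is no common suite, the case in which the server
    aborts the handshake instead of sending a ServerHello."""
    if honor_server_order:
        first, second = server_profile, client_offer
    else:
        first, second = client_offer, server_profile
    for name in first:
        if name in second:
            return name
    return None
```

With a constructed client offer of `["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]` and a profile of `["TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]`, `select_cipher_suite` returns the TLS 1.3 suite under server preference and the ECDHE suite under client preference, and returns `None` for a client that only offers a static-RSA suite the profile does not contain. `check_profile` on that profile reports no findings, while a legacy suite such as TLS_RSA_WITH_AES_128_CBC_SHA is flagged for both the CBC mode and the lack of forward secrecy; the policy thresholds are this example's, and a deployment should adjust them to its own client population.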