Use the following steps to load the DNCA with one or more SSL keys.

About this task

To load DNCA with one or more SSL keys:

Procedure
- Obtain a PEM file for each SSL key. You normally run this step on the web server that holds the SSL keys. The Network Capture software needs the SSL key to be in PEM format and the file name to end with a .pem extension. A PEM file is an ASCII text file that contains the SSL key in an encoded form. The following is an example of an SSL key in PEM format:

  -----BEGIN RSA PRIVATE KEY-----
  MII ... (many lines of encoding here)
  ....
  -----END RSA PRIVATE KEY-----

  If the web server does not store its private keys in PEM format, you must export the keys and possibly convert them to PEM format. For exporting procedures, see the section Exporting the SSL private key.
- Transfer the PEM files to the directory /usr/local/dncauser/etc on the DNCA host machine.
- Log on to the DNCA host machine as user root and change to the directory /usr/local/dncauser/etc.
- Encrypt the PEM files to produce a PTL file for each one.
  - Use the Discover pem2ptl command to generate the PTL files for one or more PEM files. For example, if you have two PEM files named server1.pem and server2.pem, you can generate PTL files for both with the following command:

    Discover pem2ptl server1.pem server2.pem

    The previous command creates files named server1.ptl and server2.ptl in the same directory as the PEM files.
  - The Discover pem2ptl command does not overwrite PTL files that already exist. The command sets the ownership and permissions of the resulting PTL files so that only the user dncauser can access the files.
  - If you have an older release of the Discover-DNCA package that does not provide the Discover pem2ptl command, use the following commands for each PEM file you want to encrypt, replacing server1.pem with the name of your PEM file:

    /usr/local/dncauser/bin/tltenc -in server1.pem
    chmod u=rw,go= server1.ptl
    chown dncauser server1.ptl

    To convert many PEM files, use the ls and xargs commands to encrypt them. The following command line must be typed on one line. It uses the ls command to generate a list of file names. The vertical bar (pipe) passes this list to the xargs command, which runs the tltenc utility once for each file name in the list.

    ls -1 server1.pem server2.pem server3.pem | xargs -L 1 -t \
    /usr/local/dncauser/bin/tltenc -in

    After you run the previous command, use the following commands to set the ownership and permissions of all PTL files. It is safe to use wildcards because these are exactly the ownership and permissions the DNCA needs in order to access any PTL file.

    chmod u=rw,go= *.ptl
    chown dncauser *.ptl
- Remove the PEM files from the DNCA host machine. Wait until you confirm that DNCA successfully decodes SSL connections before you delete the PEM files.
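The following script is an added example and is not part of the IBM Tealeaf documentation or the Discover-DNCA package. It implements the checks a practitioner would run after the procedure above: that each input file really is a PEM private key with a .pem extension, that every PTL file in the key directory has the ownership and permissions the procedure requires (mode u=rw,go= and owner dncauser), and that no plaintext PEM files are left behind once decoding has been confirmed. It assumes a POSIX shell with ls(1) and awk(1); the directory and owner are parameters, and the values /usr/local/dncauser/etc and dncauser used in the usage line come from the procedure.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): sanity checks around the
# PEM -> PTL step. Nothing here calls Discover pem2ptl or tltenc; it only
# verifies the state of the key directory before and after conversion.

# is_pem_file FILE: returns 0 when FILE ends in .pem and carries the
# BEGIN/END PRIVATE KEY markers of a PEM-encoded private key.
is_pem_file() {
    f=$1
    case "$f" in
        *.pem) ;;
        *) return 1 ;;
    esac
    [ -r "$f" ] || return 1
    grep -q -- '^-----BEGIN .*PRIVATE KEY-----$' "$f" || return 1
    grep -q -- '^-----END .*PRIVATE KEY-----$' "$f" || return 1
}

# ptl_perms_ok FILE OWNER: returns 0 when FILE is mode 600 (u=rw,go=) and
# owned by OWNER. Parses ls -l so it works on both GNU and BSD systems;
# cut -c1-10 ignores any SELinux "." or ACL "+" suffix on the mode string.
ptl_perms_ok() {
    f=$1
    owner=$2
    [ -f "$f" ] || return 1
    line=$(ls -ld -- "$f") || return 1
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    user=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] && [ "$user" = "$owner" ]
}

# leftover_pems DIR: prints the number of .pem files still present in DIR.
# A non-zero count after decoding is confirmed means plaintext keys remain.
leftover_pems() {
    dir=$1
    n=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# audit_ptl_dir DIR OWNER: prints one line per PTL file and returns 1 if any
# PTL file fails the permission check or if PEM files remain in DIR.
audit_ptl_dir() {
    dir=$1
    owner=$2
    rc=0
    for f in "$dir"/*.ptl; do
        [ -e "$f" ] || continue
        if ptl_perms_ok "$f" "$owner"; then
            printf 'OK   %s\n' "$f"
        else
            printf 'FIX  %s (expected mode u=rw,go= and owner %s)\n' "$f" "$owner"
            rc=1
        fi
    done
    left=$(leftover_pems "$dir")
    if [ "$left" -gt 0 ]; then
        printf 'WARN %s PEM file(s) still present in %s; remove them once decoding is confirmed\n' "$left" "$dir"
        rc=1
    fi
    return $rc
}

# Stand-alone use, e.g.:  sh check_ptl.sh /usr/local/dncauser/etc dncauser
if [ "$#" -eq 2 ]; then
    audit_ptl_dir "$1" "$2"
fi
```

Run it as root on the DNCA host after the chmod/chown step: a FIX line means a PTL file is readable by users other than dncauser, and a WARN line means the plaintext PEM files have not yet been removed.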
Results

After the SSL keys are loaded onto the DNCA host machine and encrypted into PTL files, configure DNCA to use the PTL files. When you must configure only a few PTL files, use the SSL Keys tab in the web console. When you configure many PTL files, you might find it easier to use a text editor like nano or vi to edit the configuration file directly.