SSL Communications Between ZoneRanger and Ranger Gateway - Tavve ZoneRanger User Manual

E. SSL Communications between ZoneRanger and Ranger Gateway
Communication between joined ZoneRangers and Ranger Gateways, and redundant ZoneRangers is
secured using the Secure Sockets Layer (SSL) protocol. SSL provides both encryption and
authentication. At the beginning of each SSL session both parties involved in the session authenticate
each other by exchanging SSL certificates. In order for the session to be established, each party (i.e. a
ZoneRanger or a Ranger Gateway) must validate the other party's SSL certificate based on the following
criteria:
The SSL certificate presented by the remote party must have been signed by a certificate
authority that the receiving party is configured to trust.
The distinguished name associated with the SSL certificate presented by the remote party must
identify a subject/entity that the receiving party is configured to trust.
By default, each ZoneRanger is configured with a certificate issued by the Tavve internal certificate
authority, with the following distinguished name:
CN=ZoneRanger,OU=Engineering,O=Tavve,L=Morrisville,ST=North Carolina,C=US
Similarly, each Ranger Gateway is configured with a certificate with the following distinguished name:
CN=RangerGateway,OU=Engineering,O=Tavve,L=Morrisville,ST=North Carolina,C=US
The given distinguished names essentially identify two subjects: the generic ZoneRanger subject and the
generic RangerGateway subject. ZoneRangers are configured, by default, to allow communication with
both subjects, in order to support communication with joined Ranger Gateways, and with redundant
peers. Ranger Gateways are configured only to allow communication with the ZoneRanger subject.
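As an added illustration of the two validation criteria above (this is not Tavve's implementation), the Python below delegates the CA-signature check to the ssl module and applies the trusted-subject check to the subject tuple that getpeercert() returns, using the default subjects from this section; the cafile path and the sample subject tuple are assumptions constructed for the example.

```python
import ssl

# Added illustration, not Tavve's code: the two criteria the manual lists.
# Criterion 1 (signed by a trusted CA) is delegated to the ssl module;
# criterion 2 (a trusted subject DN) is checked here against a configured
# list like the one entered on the SSL Trust tab.

# Attribute types as getpeercert() spells them -> short forms used in the manual's DNs.
_SHORT = {"commonName": "CN", "organizationalUnitName": "OU", "organizationName": "O",
          "localityName": "L", "stateOrProvinceName": "ST", "countryName": "C"}

# Default subjects from the manual: a ZoneRanger trusts both (joined Ranger
# Gateways and redundant peers); a Ranger Gateway trusts only ZoneRanger.
ZONERANGER_DN = "CN=ZoneRanger,OU=Engineering,O=Tavve,L=Morrisville,ST=North Carolina,C=US"
GATEWAY_DN = "CN=RangerGateway,OU=Engineering,O=Tavve,L=Morrisville,ST=North Carolina,C=US"
DEFAULT_TRUST = {"ZoneRanger": {ZONERANGER_DN, GATEWAY_DN}, "RangerGateway": {ZONERANGER_DN}}

def ca_only_context(cafile):
    """Criterion 1: the peer certificate must chain to a CA in cafile (assumed path).
    Hostname checking is off because the manual's second criterion is the DN, not the host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # a listener would use PROTOCOL_TLS_SERVER
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    return ctx

def _escape(value):
    """RFC 4514 escaping, so a value containing ',' cannot pose as additional RDNs."""
    out = ""
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) or edge_space
        out += "\\" + ch if special else ch
    return out

def peer_dn(subject):
    """Render getpeercert()['subject'] as an RFC 4514 string. getpeercert() lists
    RDNs in certificate (ASN.1) order, country first; RFC 4514 reverses that."""
    rdns = ["+".join(f"{_SHORT.get(t, t)}={_escape(v)}" for t, v in rdn) for rdn in reversed(subject)]
    return ",".join(rdns)

def peer_is_trusted(subject, trusted_dns):
    """Criterion 2: the presented DN must exactly match a configured trusted subject."""
    return peer_dn(subject) in trusted_dns

# Constructed sample: the subject tuple a default ZoneRanger certificate would yield.
SAMPLE_SUBJECT = ((("countryName", "US"),), (("stateOrProvinceName", "North Carolina"),),
                  (("localityName", "Morrisville"),), (("organizationName", "Tavve"),),
                  (("organizationalUnitName", "Engineering"),), (("commonName", "ZoneRanger"),))
```

The escaping step matters because the trust list is compared as DN strings: a single commonName value that merely looks like a full DN must not render identically to the genuine multi-RDN subject.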
This initial SSL configuration is provided so that ZoneRangers and Ranger Gateways are able to
communicate right out of the box. In environments where a high degree of security is required, it is
recommended that the Ranger Gateways and ZoneRangers be reconfigured to use customer-specific
certificates. The process to replace the Tavve SSL configuration for both the ZoneRanger and Ranger
Gateway with customer specific security credentials is as follows:
1. Replace ZoneRanger SSL Certificate
Using the Administration > SSL Certificate page on the ZoneRanger, install the new public
key certificate and private key specific to your security environment. The SSL Certificate can
be in PKCS #12, X509, or Keystore format. If a problem occurs, the original Tavve SSL
certificate may be restored.
2. Replace Ranger Gateway SSL Certificate
Using the configSSL command on the Ranger Gateway, install the new public key certificate
and private key specific to your security environment. The SSL certificate can be in PKCS #12,
X509, or Keystore format. If a problem occurs, the original Tavve SSL certificate may be
restored.
3. Update ZoneRanger Certificate Authorities and Trusted Subjects
Using the Configuration > Ranger Gateway page SSL Trust tab on the ZoneRanger, first add
the distinguished name identified in the SSL certificate which was installed on the Ranger
Gateway by using the Add Subject button[14]. The default Subjects may be removed if desired.

[14] In the terminology of SSL certificates, a distinguished name is used to identify a subject or entity. The
Ranger Gateway and ZoneRanger user interfaces do not differentiate between a subject and a subject's
distinguished name. As such, when configuring a list of trusted subjects, the values that are entered are
in fact the distinguished names of the subjects that are to be trusted.

ZoneRanger 5.5 User's Guide
370
