Creating PKCS12 keystores
NLE and the NLP service are Java-based services. You must create their keystores when setting up secure connections. For an overview of the whole procedure, see Securing connections with SSL/TLS.
Creating NLE keystores
- Create a keystore on every host where NLE runs. The recommended filepath is NLE_HOME/config/caSignedNLE.p12.
- Change the keystore to JKS format. See Converting NLE keystores to JKS.
Repeat these commands on every host where the service runs.
# openssl pkcs12 -export -in caSigned.crt -inkey caSigned.key -chain -CAfile CA.crt -name nle -out caSignedNLE.p12
Enter pass phrase for caSigned.key:caSigned
Enter Export Password: caSigned
Verifying—Enter Export Password: caSigned
Argument |
Description |
---|---|
-export |
Creates the PKCS#12 file. |
-in caSigned.crt |
The file containing certificates and private keys (from generated for this host, in PEM format) from the CA organization. |
-inkey caSigned.key |
The private key for the certificates. |
-chain |
Includes the entire certificate chain of the user certificate. |
-CAfile CA.crt |
Certificate authority (CA) file for authenticating certificates. |
-name nle |
Alias name. The value must be nle. |
-out caSigned.p12 |
The output keystore. (The filename to write the PKCS#12 file in PEM format.) Configure the keystore with https.keyStore (see Configuring NLE security). |
passphrase |
The password for the private key (-inkey). You must use the same value (in this example, caSigned) for the passphrase and export password in the PKCS12 keystore, and for the deststorepass in the JKS keystore (see Converting NLE keystores to JKS). |
export password |
The password for the keystore. You must use the same value (in this example, caSigned) for the passphrase and export password in the PKCS12 keystore, and for the deststorepass in the JKS keystore (see Converting NLE keystores to JKS). Configure the password with https.keyStorePassword (see Configuring NLE security). |
Creating NLP service keystores
- Create a keystore on every host where NLP service runs. The recommended filepath is NLPS_HOME/config/caSigned.p12.
- Configure the path on each host as ${nlps.home}/config/caSigned.p12 in httpClient.keystore and server.ssl.key-store.
- Ensure each keystore has the correct permissions.
This example creates a keystore:
# openssl pkcs12 -export -in caSigned.crt -inkey caSigned.key -chain -CAfile CA.crt -name nlps -out caSigned.p12
Enter pass phrase for caSigned.key: caSigned
Enter Export Password: caSignedP12
Verifying—Enter Export Password: caSignedP12
Argument |
Description |
---|---|
-export |
Creates the PKCS#12 file. |
-in caSigned.crt |
The file containing certificates and private keys (from generated for this host, in PEM format) from the CA organization. |
-inkey caSigned.key |
The private key for the certificates. |
-chain |
Includes the entire certificate chain of the user certificate. |
-CAfile CA.crt |
Certificate authority (CA) file for authenticating certificates. |
-name nlps |
This is an alias name. Specify any value. Configure the alias as server.ssl.key-alias when configuring the service (see Configuring NLP service security). |
-out caSigned.p12 |
The output keystore. (The filename to write the PKCS#12 file in PEM format.) |
passphrase |
The password for the private key (-inkey). (This passphrase does not get used in any NLP service properties.) |
export password |
The password for the keystore. Configure the value as server.ssl.keystore-password when configuring the service (see Configuring NLP service security). |
For permissions, ensure that the keystore is readable by the nuance user or the local system account.
Windows: For each keystore file, right-click, select Properties, select the Security tab, and change the permissions so that the SYSTEM account has Read permission.
Linux: run these commands:
> chown nuance.nuance NLPS_HOME/config/caSigned.p12
> chmod 600 NLPS_HOME/config/caSigned.p12