Setting Up a Secure Connection With ULDP

To set up proper encryption with ULDP, you need to provide the API with a keystore at startup. The keystore contains the certificate and private key for authenticating with LogLogic LMI, and also an anchor of trust or certification authority (CA) to authenticate the server, unless you have chosen the noServerAuthentication option.

You can use the PKI of your choice to generate the keystore and its certificate. For testing purposes, the following procedure creates a minimal PKI. For actual implementation, refer to the documentation of the certificates that you use.

Procedure

  1. Create a keystore that contains a new CA, for example: CA.ks.
    keytool -genkeypair -alias CA -keyalg RSA -sigalg SHA256withRSA -storetype JKS -keystore CA.ks
  2. Export the root certificate into a file.
    keytool -exportcert -alias CA -keystore CA.ks -rfc -file CA.cert
  3. Create a keystore for the ULDP client API.
    keytool -genkeypair -alias ULDP_client -keyalg RSA -sigalg SHA256withRSA -storetype JKS -keystore client.ks -dname "CN=client IP address"
    Note: The value of dname can be arbitrary and no validation is performed in LogLogic LMI. It is best practice to use an IP address that identifies the client.
  4. Import the CA certificate into the client keystore.
    keytool -importcert -alias CA -keystore client.ks -file CA.cert
  5. Create a CSR from the client keystore.
    keytool -certreq -rfc -alias ULDP_client -keystore client.ks -file ULDP_client.csr
  6. Sign the CSR with the CA.
    keytool -gencert -infile ULDP_client.csr -alias CA -keystore CA.ks -validity 365 -outfile ULDP_client.cert -rfc
    You can choose the validity arbitrarily. Ensure that the date on the host system is correct in order to produce a valid certificate.
  7. Import the certificate in the client keystore.
    keytool -importcert -file ULDP_client.cert -keystore client.ks -alias ULDP_client
    The client keystore for the ULDP library is now ready. Repeat Step 3 through Step 7 to create additional keystores for other clients, if needed.
  8. Generate a CSR from the LogLogic LMI certificate.
    system secureuldp create csr
    Then copy and paste the contents of the certificate signing request into a file on the local machine, for example, lmi.csr.
  9. Sign the LogLogic LMI CSR.
    keytool -gencert -alias CA -infile lmi.csr -outfile lmi.cert -validity 365 -keystore CA.ks -rfc
  10. Import the CA root certificate into LogLogic LMI.
    system secureuldp install rootCA
    Then copy and paste the contents of CA.cert into the terminal.
  11. Import the LogLogic LMI certificate.
    system secureuldp install certificate 
  12. When calling the ULDP API, use the following methods on the UldpConnectionSettings object:
    setUseAuthentication();
    setKeystorePath("location of client.ks");
    setKeystorePassword("keystore password");
  13. On the LogLogic LMI GUI, navigate to Home > Administration > System Settings, and:
    1. Select Enable Secure ULDP to enable secure ULDP on the appliance.
    2. Click Update.
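The following script is an added example, not part of the LogLogic LMI documentation: it runs Steps 1 through 7 above non-interactively to build a throwaway test PKI, then checks the resulting client.ks the way you would before handing it to the ULDP client API (correct chain, correct issuer, CA present as a trusted entry). It assumes keytool is on PATH; the password "changeit", the CA name "Test ULDP CA" and the client CN 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the LogLogic LMI documentation): a non-interactive
# version of steps 1-7 for a throwaway test PKI, plus the checks worth running
# on client.ks before handing it to the ULDP client API.
# Assumptions: keytool is on PATH, "changeit" is a placeholder password used
# for both test keystores, and CN=192.0.2.10 is a constructed client address.
set -eu
PASS=changeit

# Build CA.ks, CA.cert and client.ks inside directory $1 (page steps 1-7).
build_test_pki() (
  cd "$1"
  # Step 1: CA keystore holding a self-signed root; bc:c marks it as a CA cert.
  keytool -genkeypair -alias CA -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -storetype JKS -keystore CA.ks -storepass "$PASS" -keypass "$PASS" \
    -dname "CN=Test ULDP CA" -ext bc:c -validity 3650
  # Step 2: export the root certificate in PEM form.
  keytool -exportcert -alias CA -keystore CA.ks -storepass "$PASS" -rfc -file CA.cert
  # Step 3: client key pair; the CN identifies the client, as the page advises.
  keytool -genkeypair -alias ULDP_client -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -storetype JKS -keystore client.ks \
    -storepass "$PASS" -keypass "$PASS" -dname "CN=192.0.2.10"
  # Step 4: trust the CA in client.ks so the signed reply can be chained later.
  keytool -importcert -noprompt -alias CA -keystore client.ks \
    -storepass "$PASS" -file CA.cert
  # Step 5: certificate signing request for the client key.
  keytool -certreq -rfc -alias ULDP_client -keystore client.ks \
    -storepass "$PASS" -file ULDP_client.csr
  # Step 6: the CA signs the request (365-day validity, as in the page).
  keytool -gencert -infile ULDP_client.csr -alias CA -keystore CA.ks \
    -storepass "$PASS" -validity 365 -outfile ULDP_client.cert -rfc
  # Step 7: import the signed certificate under the key's own alias.
  keytool -importcert -noprompt -file ULDP_client.cert -keystore client.ks \
    -storepass "$PASS" -alias ULDP_client
)

# Sanity checks on a finished client keystore: the client entry must carry
# a 2-certificate chain (client cert + CA), be issued by the test CA, and
# the CA must be present as a trusted entry. Returns 0 only if all hold.
verify_client_keystore() {
  ks=$1
  entry=$(keytool -list -v -keystore "$ks" -storepass "$PASS" -alias ULDP_client)
  echo "$entry" | grep -q "Certificate chain length: 2" || return 1
  echo "$entry" | grep -q "Issuer: CN=Test ULDP CA" || return 1
  keytool -list -keystore "$ks" -storepass "$PASS" -alias CA \
    | grep -q trustedCertEntry || return 1
}
```

A chain length of 1 after Step 7 means the CA certificate was not imported before the signed reply (Step 4), which is the most common reason a client keystore fails to authenticate against LogLogic LMI.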