Creating an Imperva MX application object
This section describes the configuration settings needed to enable Trust Protection Platform to install an SSL certificate key pair on an Imperva SecureSphere Management Server.
You can also provision certificates in bulk to Imperva using the sample Adaptable Bulk Provisioning PowerShell script. See Using sample Adaptable Bulk Provisioning PowerShell scripts.
BEST PRACTICE Consider managing object settings using a policy. For more information, see
To create and configure an Imperva MX application object
- From the TLS Protect menu bar, click Policy tree.
- In the Policy tree, select the device object to which you want to add the new application object, click Add > Application, and then select Imperva.
- When the new application object page appears, under Status, clear the Processing Disabled checkbox.
  When checked, this option disables provisioning of the certificates installed on the current application: Trust Protection Platform does not attempt to install, renew, process, or validate certificates on the application.
- (Optional) In the Device Certificate box, click the button to select and associate a certificate with the new application.
  NOTE If you don't have a certificate ready, you can do this later, or you can do it on the certificate's Association tab.
  To associate a certificate with the current application, you must have write permissions to the application object and either write or associate permissions to the certificate object.
  For detailed information on associating a certificate with an application, see Associating a certificate with an application object.
- Under General, do the following:
  - In the Application Name field, type a name for the new application.
  - (Optional) In the Description field, type a description of the purpose of the application.
    A clear description provides context for other administrators who might need to manage the new application.
  - In the Contacts field, select the user or group identities you want assigned to this application object (or choose Use policy value to configure contacts using a policy).
    Default system notifications are sent to the contact identities. The default contact is the master administrator.
    TIP If the Identity Selector dialog is not populated when it first opens, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store and return the list of requested users or groups. To display all user or group entries, enter the wildcard character (*).
    Use Shift+click to select multiple contiguous users and groups. Use Ctrl+click to select multiple discontiguous users and groups.
  - In the Approvers field, select the user or group identities you want to assign to approve workflows (certificate approval or injection command) for the new application.
    The default approver is the master administrator. For more information on defining workflow objects, see Implementing certificate workflow management.
  - (Conditional) If your application (or certificate) object is affected by a defined workflow and you want users to use a console other than Policy Tree, click Managed By and select which administration console to use as part of the workflow.
    You only need to configure this if you are using workflows and expect users to perform a task using a particular administration console. The default setting is Policy Tree.
    For more information, see Specify folders and certificates to be managed by TLS Protect.
- Under Application Information, do the following:
  - Click the button next to Application Credential to browse for the credential object that you want to use to authenticate with the application.
    DID YOU KNOW? Credential objects store the credentials Trust Protection Platform uses to authenticate with devices, applications, and CAs. The stored credential might be a user name or private key credential; some drivers (such as F5, which is not SSH-based) can only use the user name credential for authentication.
    NOTE The user account you select must have Read and Write access to the Temporary, Private Key, and Certificate directories.
    For more information, see Working with system credentials.
    DID YOU KNOW? The Connection Method is the protocol that Trust Protection Platform uses to connect to the server and manage the certificates installed on that server. In an application object's settings, this field is typically read-only.
  - Click the Connection Method list, click the protocol to use (HTTPS or SSH), and then in the Port field, specify the associated port number.
  - (Conditional) In the SSH Port field, specify the port number that Trust Protection Platform should use to communicate with the appliance over an SSH connection.
    The default SSH port assignment is 22.
  - (Optional) In the Port field, type the port that Trust Protection Platform should use to communicate with the server where the application is installed.
    Trust Protection Platform uses the SSH protocol to communicate with the application server installed on Linux or Windows. The default SSH port assignment is port 22.
- Complete the settings for the application object by referring to the following table:

| Field | Policy | Description |
|---|---|---|
| Imperva MX Settings | | The following are additional settings specific to the Imperva MX key tool. They are referenced only when you associate a certificate with subordinate Imperva MX Application objects. |
| User Credentials | | This is a separate credential from the Application Credential; it is needed to log in as the console user (the same user as the Imperva SecureSphere management console user) on the Imperva MX application. |
| SSL Key Tool | | This is the path to the ExternalAPIClient.jar file that contains the CLI command needed for the certificate key installation. The value defaults to the location where Trust Protection Platform normally expects to find this file. DID YOU KNOW? The ExternalAPIClient.jar is a Java library that Imperva installs with their product. It is a client application that allows remote administration of the Imperva application, and Venafi's driver relies on it to import private keys (from a PKCS#12 that was previously transferred to the system by SFTP) and bind them to service groups. The actual SSH CLI command the driver executes looks like this: java -jar /opt/SecureSphere/server/bin/ExternalAPIClient.jar -ip 192.168.6.1 -port 8083 -username admin -command ssl-keys-upload -csvfile /tmp/f46484ae-2264-44e0-8606-db7776d4d523.csv |
| Private Consumer | | This section specifies the Imperva MX settings that are associated with the SSL certificate's private key when it is imported into the Imperva MX database through the key tool. These values correspond to the Site, Server Group, and Service objects in the tree structure you see in the Imperva SecureSphere Management Server. |
| Site | | Enter the Site name that will be assigned to the associated SSL certificate's private key when it is imported via the key tool. For example: support.company.net. |
| Server Group | | Enter the Server Group name that will be assigned to the associated SSL certificate's private key when it is imported via the key tool. For example: Apache Tomcat. |
| Service | | Enter the Service name that will be assigned to the associated SSL certificate's private key when it is imported via the key tool. For example: IIS. |
| Private Key Name | | This is the name that Trust Protection Platform assigns to the private key when it is imported. It is a combination of the associated certificate's common name, serial number, and a hash value of the certificate, to ensure uniqueness. No value appears in this read-only field until Trust Protection Platform has provisioned a key to the Imperva MX application. |
- When you are finished, click Save.
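The page states two prerequisites that are easy to get wrong and that only surface later as a failed push: the SSL Key Tool path (ExternalAPIClient.jar) must exist on the MX host, and the Application Credential account must have read and write access to the Temporary, Private Key, and Certificate directories. The following POSIX shell script is an added example, not Venafi's or Imperva's code; it is meant to be run on the Imperva MX host as the same account stored in the Application Credential, before the application object is saved. The JAR path is the one the page shows; the directory locations are placeholders, because the page names the directories but not where they live.

```shell
#!/bin/sh
# Added example (not Venafi's or Imperva's code): pre-flight checks for the
# prerequisites stated on this page, run on the Imperva MX host as the
# Application Credential account.
#   1. the configured SSL Key Tool (ExternalAPIClient.jar) exists and is readable
#   2. the Temporary, Private Key and Certificate directories are readable and
#      writable by the current account
# Directory paths passed to preflight are placeholders; substitute your own.

# check_key_tool PATH: returns 0 when PATH is a regular, readable file.
check_key_tool() {
    [ -f "$1" ] && [ -r "$1" ]
}

# check_rw_dir DIR: returns 0 when DIR exists and the current user can both
# read and write it (the access the page requires for the three directories).
check_rw_dir() {
    [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# preflight JAR DIR...: runs every check, prints one status line per check,
# and returns the number of failed checks (0 means all prerequisites are met).
preflight() {
    jar="$1"
    shift
    failures=0
    if check_key_tool "$jar"; then
        echo "OK   key tool readable: $jar"
    else
        echo "FAIL key tool missing or unreadable: $jar"
        failures=$((failures + 1))
    fi
    for dir in "$@"; do
        if check_rw_dir "$dir"; then
            echo "OK   read/write access: $dir"
        else
            echo "FAIL no read/write access: $dir"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage on the MX host (JAR path from this page; directories are placeholders):
# preflight /opt/SecureSphere/server/bin/ExternalAPIClient.jar \
#     /path/to/temporary /path/to/private-key /path/to/certificate
```

Run it over SSH as the credential account rather than as root: a check that passes for root says nothing about the account Trust Protection Platform will actually use, and the exit status (the number of failed checks) lets a deployment script stop before the driver attempts an SFTP upload and key import that would fail.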
What's next?
After you've created an application object, here are other things you can do to manage the new application:
- On the application's Settings sub-tab:
  - Click the button to push a certificate to its associated application. For more information, see Pushing a certificate and private key to an application.
  - Click Reset to stop processing the application and reset the status and stage.
  - Click the button to reattempt installation of the certificate to its associated application.
  - Click Validate Now to validate the application's associated certificate.
    Validation requests are placed into a queue. When your validation runs, the application and its associated certificate are scanned according to the settings configured on the application object's Validation tab.
    For more information, see About certificate and application validation.
- On the application object's Validation tab, you can configure validation settings for the application object.
- On an object's General tab:
  - Click the Log sub-tab to view any events that are triggered by the new object.
  - Click the Permissions sub-tab to configure the users or groups to whom you want to grant permissions to the new object. For more information, see Permissions overview.