Creating a Citrix NetScaler application object
To enable Trust Protection Platform to manage certificates installed on NetScaler devices, you must configure the NetScaler application object. This object provides the information Trust Protection Platform needs to monitor, enroll, or provision certificates on its associated NetScaler devices.
BEST PRACTICE Consider managing object settings using a policy. For more information, see
DID YOU KNOW? When you add an installation to a certificate, you'll have the option of defining (and editing) this object during that process, which means that you don't have to log in to Policy Tree as the following procedure describes. And because the settings are the same, you can use this topic for information about each setting.
For more information, see Creating a certificate installation.
To create and configure a Citrix NetScaler application object
- From the TLS Protect menu bar, click Policy tree.
- In the Policy tree, select the device object to which you want to add the new application object, click Add > Application, and then select NetScaler.
- When the new application object page appears, under Status, clear the Processing Disabled checkbox.
  When checked, this option disables provisioning of the certificates installed on the current application. This means that Trust Protection Platform does not attempt to install, renew, process, or validate certificates on the application.
- (Optional) In the Device Certificate box, click the selector to choose and associate a certificate with the new application.
  NOTE If you don't have a certificate ready, you can do this later, or you can do it on the certificate's Association tab.
  To associate a certificate with the current application, you must have write permissions to the application object and either write or associate permissions to the certificate object.
  For detailed information on associating a certificate with an application, see Associating a certificate with an application object.
- Under General, do the following:
  - In the Application Name field, type a name for the new application.
  - (Optional) In the Description field, type a description of the purpose of the application.
    A clear description gives context to other administrators who might need to manage the new application.
  - In the Contacts field, select the user or group identities you want assigned to this application object (or choose Use policy value to configure contacts using a policy).
    Default system notifications are sent to the contact identities. The default contact is the master administrator.
    TIP If the Identity Selector dialog is not populated when it first opens, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so that Trust Protection Platform can query the external Identity store and return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).
    Press Shift+click to select multiple, contiguous users and groups. Press Ctrl+click to select multiple, discontiguous users and groups.
  - In the Approvers field, select the user or group Identities you want to assign to approve workflows (certificate approval or injection command) for the new application.
    The default approver is the master administrator. For more information on defining workflow objects, see Implementing certificate workflow management.
  - (Conditional) If your application (or certificate) object is affected by a defined workflow and you want users to use a console other than Policy Tree, click Managed By and select which administration console to use as part of the workflow.
    You only need to configure this if you are using workflows and expect users to perform a task using a particular administration console. The default setting is Policy Tree.
    For more information, see Specify folders and certificates to be managed by TLS Protect.
- Under Application Information, click the selector next to Application Credential to browse for the credential object that you want to use to authenticate with the application.
  DID YOU KNOW? Credential objects store the credentials Trust Protection Platform uses to authenticate with devices, applications, and CAs. The stored credential might be a user name or private key credential; some drivers, such as F5, which is not SSH-based, can only use the user name credential for authentication.
  NOTE The user account you select must have Read and Write access to the Temporary, Private Key, and Certificate directories.
  For more information, see Working with system credentials.
- Complete the remaining settings for the application object by referring to the following table:

Certificate and Private Key Settings

| Field | Policy | Description |
|---|---|---|
| | | Installs the intermediate certificate chain when the certificate is installed on the NetScaler device. |
| | | Creates the certificate and private key in accordance with the Federal Information Processing Standard (FIPS). This setting ensures that the certificate installed on the current NetScaler device meets FIPS. IMPORTANT The NetScaler device must have the FIPS module. For more information about FIPS, see Considerations for high availability with FIPS. |
| Private Key Credential | | The credential required to access the private key file for certificate renewal. To select it, click the selector to open the Credential Selector dialog, select the credential required to access the private key file for certificate renewal, and then click Select. For more information, see Working with system credentials. NOTE Trust Protection Platform does not include the private key password on the command line when performing key management operations. Instead, it provides the password when prompted. |
| Import Only | | Designates that the certificate, private key, and any associated root or intermediate root certificates are only copied to the file system on the NetScaler device. Trust Protection Platform does not provide the configuration required to make the certificate and private key functional on the device. This option is intended for load balancing and failover environments where the NetScaler device configuration is automatically replicated to cluster or failover devices; there, Trust Protection Platform only needs to transfer the certificate and private key files. |
| | | Specify the path to an existing subfolder where you want Trust Protection Platform to provision the certificate and key for your NetScaler virtual server. During provisioning, Trust Protection Platform provisions the certificate and private key to /nsconfig/ssl/SubfolderRelativePath. |
| Certificate File | No | The path and filename where Trust Protection Platform installs the certificate on the NetScaler device. IMPORTANT This setting must match the NetScaler device's certificate file configuration. For more information, refer to your NetScaler documentation. The user account that Trust Protection Platform uses to authenticate to the NetScaler device must have Read and Write access to the Certificate Directory. |
| Private Key File | No | The path and filename where Trust Protection Platform installs the private key on the NetScaler device. This setting must match the NetScaler device's private key file configuration. For more information, refer to your NetScaler documentation. The user account that Trust Protection Platform uses to authenticate to the NetScaler device must have Read and Write access to the Private Key Directory. |

SSL Configuration

NOTE Be sure that you've completed the prerequisite tasks before configuring SSL options. See NetScaler prerequisite configuration.
TIP If you enabled Import Only under Certificate and Private Key Settings, you can't modify the SSL Configuration settings.

Bind Certificate To specifies where Trust Protection Platform should install the certificate. From the Bind Certificate To list, do one of the following:
- Select Virtual Server, and then in Virtual Server Name, type the name of the NetScaler virtual server where Trust Protection Platform should install the certificate. This includes NetScaler Gateway Virtual Servers (beginning with Trust Protection Platform version 20.3) and NetScaler Authentication Virtual Servers (beginning with Trust Protection Platform version 24.1).
  (Optional) Select the SNI Certificate check box if you are using a single virtual server to host multiple applications.
  TIP Server name indication (SNI) allows the same virtual server to host multiple applications because it can present a unique certificate for each one. When SNI is not enabled, the virtual server can only have one certificate bound to it and therefore hosts only one application. For more information, see Server name indication (SNI) support for validation.
- Select Service, and then in Service Name, type the name of the NetScaler service.
- Select Service Group, and then in Service Group Name, type the name of the NetScaler service group.

(Optional) If provisioning to an admin partition, specify it in the Partition field. If left blank, the driver provisions to the default partition.

- When you are finished, click Save.
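The settings above interact in ways that are easy to get wrong in a form (Import Only makes the SSL Configuration inert, SNI only makes sense for a Virtual Server binding, the files land under /nsconfig/ssl plus the subfolder). The following is an added example, not Venafi code or API: a constructed model of the application object's settings with a consistency check and the resulting device paths, so an administrator can review an object before saving it. The class, field names and check messages are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSL_BASE = "/nsconfig/ssl"          # device location the page names for provisioned files
BIND_TARGETS = ("Virtual Server", "Service", "Service Group")

@dataclass
class NetScalerAppSettings:
    """Constructed model of the settings this page walks through (names follow the page)."""
    processing_disabled: bool = False
    import_only: bool = False
    subfolder: str = ""                        # subfolder relative to /nsconfig/ssl
    certificate_file: str = ""                 # must match the device's certificate file config
    private_key_file: str = ""                 # must match the device's private key file config
    bind_certificate_to: Optional[str] = None  # one of BIND_TARGETS; unused under Import Only
    target_name: str = ""                      # virtual server / service / service group name
    sni_certificate: bool = False              # only meaningful for a Virtual Server binding
    partition: str = ""                        # blank means the default admin partition

def provisioning_paths(s: NetScalerAppSettings) -> Tuple[str, str]:
    """Absolute device paths the certificate and private key are provisioned to."""
    sub = s.subfolder.strip("/")
    base = f"{SSL_BASE}/{sub}" if sub else SSL_BASE
    return f"{base}/{s.certificate_file}", f"{base}/{s.private_key_file}"

def effective_partition(s: NetScalerAppSettings) -> str:
    """Blank Partition means the driver provisions to the default partition."""
    return s.partition or "default"

def check_settings(s: NetScalerAppSettings) -> List[str]:
    """Return the inconsistencies a reviewer would flag; an empty list means the object is coherent."""
    problems: List[str] = []
    if s.processing_disabled:
        problems.append("Processing Disabled is set: no install, renewal, processing or validation will run")
    if not s.certificate_file or not s.private_key_file:
        problems.append("Certificate File and Private Key File must both be set to match the device")
    if s.import_only:
        # Import Only copies the files to the file system and applies no SSL Configuration,
        # so a bind target or SNI flag here is dead configuration worth flagging.
        if s.bind_certificate_to or s.sni_certificate:
            problems.append("Import Only is set: SSL Configuration settings will not be applied")
        return problems
    if s.bind_certificate_to not in BIND_TARGETS:
        problems.append("Bind Certificate To must be Virtual Server, Service or Service Group")
    elif not s.target_name:
        problems.append(f"{s.bind_certificate_to} Name is required")
    if s.sni_certificate and s.bind_certificate_to != "Virtual Server":
        problems.append("SNI Certificate only applies when binding to a Virtual Server")
    return problems
```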
What's next?
After you've created an application object, here are other things you can do to manage the new application:
- On the application's Settings sub-tab:
  - Click the icon to push a certificate to its associated application. For more information, see Pushing a certificate and private key to an application.
  - Click Reset to stop processing the application and reset the status and stage.
  - Click the icon to reattempt installation of the certificate to its associated application.
  - Click Validate Now to validate the application's associated certificate.
    Validation requests are placed into a queue. When your validation runs, the application and its associated certificate are scanned according to the settings configured in the application object's Validation tab.
    For more information, see About certificate and application validation.
- On the application object's Validation tab, you can configure validation settings for the application object.
- On the object's General tab:
  - Click the Log sub-tab to view any events that are triggered by the object.
  - Click the Permissions sub-tab to configure the users or groups to whom you want to grant permissions to the new object. For more information, see Permissions overview.