Connections to the IdAM Device Adapter REST API can be made through:

  • HTTP on port 80
  • HTTPS on port 443

If you connect via HTTPS, note that the IdAM factory default settings include a self-signed certificate.

If the existing SSL key in the Device Adapter is manually deleted, the IdAM Device Adapter regenerates a new key pair and a self-signed certificate.

To replace the generated self-signed certificate with your own TLS certificates issued by your trusted CA, follow the Update Device Adapter TLS Certificate steps below.

Prerequisites

The following is required before you get started.

  • Acquire the SSL private key file in PEM format, then remove any passphrase and name it server.key.

  • Acquire the corresponding certificate in PEM format and name it server.pem.

  • If your setup requires an external CA certificate, use that file in PEM format and name it ca.pem.

  • If your setup is using a self-signed certificate, copy server.pem and use the copy as ca.pem.

  • Ensure that your workstation has direct access to the Sequence Controller network.

Warning

Use exactly these filenames; the automatic creation of a self-signed certificate relies on these exact names.
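The prerequisites above are easy to get subtly wrong (a key that still has a passphrase, a DER file renamed to .pem, a certificate that belongs to a different key). The following script is an added example for this page, not part of the IdAM documentation or product; it assumes openssl is installed on your workstation and checks the three files before you upload them.

```shell
#!/bin/sh
# Pre-upload sanity checks for server.key, server.pem and ca.pem.
# Added example, not part of the IdAM documentation; assumes openssl is installed.

# check_tls_files KEY CERT CA
# Returns 0 when KEY is a passphrase-free PEM private key, CERT is a PEM
# certificate whose public key matches KEY, and CERT verifies against CA
# (for the self-signed case CA is simply a copy of CERT). Returns 1 otherwise.
check_tls_files() {
  key="$1"; cert="$2"; ca="$3"
  # 1. The key must load with an empty passphrase: an encrypted key fails here
  #    instead of prompting, which is also what would break an unattended httpd start.
  if ! openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1; then
    echo "FAIL: $key is not a PEM private key or still has a passphrase"; return 1
  fi
  # 2. The certificate must be PEM encoded (a renamed DER or PFX file fails here).
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "FAIL: $cert is not a PEM certificate"; return 1
  fi
  # 3. The certificate must belong to the key: compare the two public keys.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $cert does not match $key"; return 1
  fi
  # 4. The CA file must verify the certificate (trivially true for a self-signed copy).
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca"; return 1
  fi
  echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
  return 0
}

# make_sample_pair DIR: constructed test material, a throwaway self-signed pair
# with ca.pem duplicated from server.pem as the prerequisites describe.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=device-adapter.example" \
    -keyout "$1/server.key" -out "$1/server.pem" >/dev/null 2>&1 || return 1
  cp "$1/server.pem" "$1/ca.pem"
}

# Stand-alone demonstration on the constructed sample files.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir"
check_tls_files "$demo_dir/server.key" "$demo_dir/server.pem" "$demo_dir/ca.pem"
rm -rf "$demo_dir"
```

Run it against your real files as `check_tls_files server.key server.pem ca.pem` before step 1 of the procedure; a FAIL line names the file that would otherwise break the Device Adapter's httpd start.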

Update Device Adapter TLS Certificate

To replace the generated self-signed certificate with your own certificates issued by your trusted CA, update the Device Adapter certificate by uploading your file(s) via the Sequence Controller.

  1. Upload your files (server.key, server.pem, ca.pem) to the /tmp directory on the Sequence Controller via Secure Copy Protocol (SCP). The default credentials are:

    • User: idam.

    • Password: PrimeKey.

  2. Open an SSH session to the Sequence Controller using the default IP address 192.168.5.92 and the credentials above, then run the following command to get elevated root privileges:
    sudo su -
  3. Copy the files from the Sequence Controller to the Device Adapter machine (IP address 100.127.255.2) via IdAM's internal network:
    scp -i /root/.ssh/id_* /tmp/server.key /tmp/server.pem /tmp/ca.pem 100.127.255.2:/etc/httpd/ssl
  4. SSH to the Device Adapter. For example:
    ssh -i /root/.ssh/id_* root@100.127.255.2
    # after a successful login the prompt should look like:
    root@DeviceAdapter/100.127.255.2 [~]#_
  5. Change the access rights and ownership:
    chmod 600 /etc/httpd/ssl/*
    chown root: /etc/httpd/ssl/
  6. Restart the Apache daemon:
    systemctl restart httpd
    The command should return without output.
  7. To test the connection in the Device Adapter network and verify the new certificates, see Test TLS connection to Device Adapter.
  8. Run the following to make the new configuration persistent:
    writeConfig.sh

The change of the Device Adapter TLS certificate is now complete.