SDX 6.4.0 Release Notes > Configuring the Keystore for TLS Certificates and Keys

Configuring the Keystore for TLS Certificates and Keys

A keystore is a database of keys and certificates from trusted entities. To use SDX Configuration Editor to configure the TLS keystore on the SAE:

1. In the navigation pane, select a configuration file for the SAE that you want to configure.
2. Select the Router tab, expand the JUNOS Router Driver section, and then expand the Keystore section.
3. Edit or accept the default values in the fields.

See Keystore Fields for the JUNOS Router Driver.

4. Select File > Save.
5. Right-click the configuration file, and select SDX System Configuration > Export to LDAP Directory.

Keystore Fields for the JUNOS Router Driver

In SDX Configuration Editor, you can edit the Keystore fields in the JUNOS Router Driver section in the Router pane in an SAE configuration file.

Keystore Location

• Location of the keystore that contains the key/certificate pair that the SAE sends to the router. If the SAE requires client authentication, it also specifies the location of the CA certificate that was used to sign the certificate that the router sends to the SAE.
• Value—Path and name of the keystore
• Guidelines—The value of this field must match the value of the -keystore argument that you entered with the keytool command when you created the server certificate for the SAE.

See Creating a Certificate Signing Request for the SAE Server Certificate.

• Default—/opt/UMC/sae/keystore/keystore.pkcs12
• Property name—Router.junos.keystore.location

Keystore Password

• Password required for the keystore.
• Value—Password; must be at least six characters
• Guidelines—The value of this field must match the value of the -keypass and -storepass arguments that you entered with the keytool command when you created the server certificate for the SAE.

See Creating a Certificate Signing Request for the SAE Server Certificate.

• Default—No value
• Example—{BASE64}c2FlS2V5c3RvcmU=
• Property name—Router.junos.keystore.storePass

Need Client Authentication

• Specifies whether or not the SAE requests a client certificate from the router.
• Value

• Yes—The SAE asks the router for a client certificate when a connection to the router is established.
• No—The SAE does not ask the router for a client certificate when a connection to the router is established.

• Default—Yes
• Property name—Router.junos.keystore.needClientAuth

Keystore Implementation

• Implementation type of the keystore.
• Value

• JKS (JKS is the standard Java keystore implementation)
• PKCS12 (Public Key Cryptography Standard #12)

• Default—PKCS12
• Property name—Router.junos.keystore.type

Certificate Algorithm

• Implementation type of the certificates contained in the keystore.
• Value—SUN509
• Default—SUNX509, which is the type defined in X.509, the ITU-T standard for Public Key Infrastructure (PKI).
• Property name—Router.junos.keystore.certType