Digital certificates are used to encrypt communication between two entities and to authenticate those entities to each other. Of two entities exchanging sensitive information, the one that initiates the exchange can be called the client, and the one that receives the request can be called the server.
Authenticating both the client and the server involves digital certificates issued by trusted Certificate Authorities (CAs). The client authenticates itself to the server using its client certificate, and the server authenticates itself to the client using its server certificate. Certificate-based communication and authentication therefore involves a client certificate, a server certificate, and a Certificate Authority that vouches for both.
Protegrity client and server certificates are self-signed by Protegrity. However, you can replace them with certificates signed by a trusted commercial CA. These certificates are used for communication between the various components in ESA.
The certificate support in Protegrity involves the following:
The ability to replace the self-signed Protegrity certificates with CA based certificates.
For more information about replacing the self-signed Protegrity certificates with CA based certificates, refer to the section Changing Certificates.
The retrieval of the username from client certificates, used to authenticate user information during policy enforcement.
The ability to download the server's CA certificate and upload it to a certificate trust store, so that the server certificate is trusted for communication with ESA.
Points to remember when uploading the certificates:
ESA supports uploading certificates with a key strength of 4096 bits. You can upload a certificate with a key strength of less than 4096 bits, but the system shows a warning message.
Custom certificates for Insight must be generated using a 4096-bit key.
When uploading, make sure that the certificate version is v3. Certificates with a version lower than v3 are not supported.
When uploading, make sure that the certificate uses an RSA key. Certificates with other key types are not supported.
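The following POSIX shell script is an added example, not a Protegrity tool: it checks a PEM certificate against the three upload rules above before you submit it to ESA (version v3, an RSA key, 4096-bit strength). Smaller RSA keys only produce a warning, mirroring ESA's own behaviour; the optional `strict` argument, an assumption of this example intended for Insight certificates, turns that warning into a failure. The helper name `check_esa_cert` is a placeholder, and the checks rely on the text output of `openssl x509` as printed by OpenSSL 1.1.1 and 3.x.

```shell
#!/bin/sh
# Pre-upload check of an X.509 certificate (PEM) against the ESA upload rules:
# version v3, RSA key, 4096-bit strength. Example code; "check_esa_cert" and the
# optional "strict" mode are assumptions, not part of the product.

check_esa_cert() {  # $1 = PEM file, $2 = "strict" to fail (not warn) on keys < 4096 bits
    cert="$1"
    mode="${2:-warn}"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 1
    }
    status=0
    # Rule 1: certificate version must be v3 (printed by openssl as "Version: 3 (0x2)")
    case "$text" in
        *"Version: 3 (0x2)"*) ;;
        *) echo "FAIL: certificate version is not v3" >&2; status=1 ;;
    esac
    # Rule 2: the subject public key must be RSA
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) echo "FAIL: public key is not RSA" >&2; status=1 ;;
    esac
    # Rule 3: key strength. The first "Public-Key: (N bit)" line is the subject key;
    # the sed pattern matches both "RSA Public-Key:" (1.1.1) and "Public-Key:" (3.x).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "FAIL: could not determine key size" >&2; status=1
    elif [ "$bits" -lt 4096 ]; then
        if [ "$mode" = "strict" ]; then
            echo "FAIL: key is $bits bits; a 4096-bit key is required" >&2; status=1
        else
            echo "WARN: key is $bits bits; ESA warns on keys below 4096 bits" >&2
        fi
    fi
    return $status
}

# Generates a throwaway self-signed certificate (constructed test data only).
# $1 = output path prefix, $2 = openssl key spec (e.g. rsa:4096), rest = extra req options
make_test_cert() {
    prefix="$1"; keyspec="$2"; shift 2
    openssl req -x509 -newkey "$keyspec" -nodes -keyout "$prefix.key" -out "$prefix.pem" \
        -days 1 -subj "/CN=esa-check-example" "$@" >/dev/null 2>&1
}

# Usage: sh check_cert.sh server.pem [strict]
if [ $# -gt 0 ]; then
    check_esa_cert "$@"
fi
```

Run it against the certificate you intend to upload; a non-zero exit means ESA would reject the file outright, while a WARN line reproduces the warning ESA displays for RSA keys shorter than 4096 bits.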
The various components within the Protegrity Data Security Platform that communicate with and authenticate each other through digital certificates are shown in the figure.
As illustrated in the figure, the use of certificates within Protegrity systems involves the following:
Communication between ESA Web UI and ESA
For communication between the ESA Web UI and ESA, ESA presents its server certificate to the browser. Only server authentication takes place here: the browser verifies that ESA is the trusted server.
Communication between ESA and protectors
For communication between ESA and protectors, certificates are used to mutually authenticate both entities: the server (ESA) and the client (the protector) each verify that the other is trusted. Protectors can be hosted on customer business systems or on a Protegrity Appliance.
Communication between Protegrity Appliances and external REST clients
Certificates secure the communication between a customer client and the Protegrity REST server, or between a customer client and the customer's own REST server.