Implementation and requirements
Introduction
The NSP uses Transport Layer Security, or TLS, to secure communication among system components, and for communication with clients and external systems. The TLS setting, whether enabled or disabled, must be the same on all NSP components.
The NSP supports the use of a custom TLS certificate that you provide, as described in Using a custom TLS certificate, or a certificate signed by a public root certification authority (CA). The NSP installation software includes a tool for automated TLS artifact generation and distribution, as described in Using a PKI server.
Note: If you intend to enable or disable TLS in an existing NSP system, you must stop, configure, and start the components in a specific order. To reduce the maintenance period and associated NSP system outage duration, see “Workflow: stop and start DR NSP clusters” in the NSP System Administrator Guide. The workflow describes how to perform a “graceful” shutdown and startup of DR NSP clusters and the ancillary NSP components in each data center.
Note: An NSP system upgrade preserves the TLS keystore and truststore files, which are used if no PKI server is specified during the upgrade.
Note: Auxiliary database security is independent of general NSP cluster or NFM-P internal system security, as described in Auxiliary database TLS.
NSP system TLS requirements
The private key and certificate files used in an NSP deployment must be in unencrypted PEM format.
If the NSP system uses advertised hostnames, the SAN field of the TLS certificate must include the hostnames advertised on the client and internal interfaces of the NSP cluster.
If an integrated NFM-P system uses hostnames, the NSP must use only DNS to resolve the hostnames.
See NSP TLS configuration for information about how to deploy TLS in an NSP system.
NFM-P TLS requirements
Custom certificate deployment is supported for an integrated NFM-P system that uses external IP addresses or hostnames.
If an NFM-P main server uses a hostname for communication with other components, the hostname specified using samconfig must be the hostname of the main server station, and must be the hostname that you include in the SAN field of the TLS certificate.
Note: A short hostname is valid only if DNS can resolve the hostname.
Auxiliary database TLS
The NSP and NFM-P system configurations each include a section specific to auxiliary database security that you must configure in advance of configuring TLS on an auxiliary database.
Note: The auxiliary database security setting in the NSP cluster, NFM-P main server, and auxiliary database configurations must match.