Implementation and requirements

Introduction

The NSP secures communication among system components using Transport Layer Security, or TLS. TLS also secures the NSP communication with clients and external systems.

The NSP supports the use of a custom TLS certificate that you provide, as described in Using a custom TLS certificate, or a certificate signed by a public root certification authority (CA). The NSP installation software includes a tool for automated TLS artifact generation and distribution, as described in Using a PKI server.

Note: An NSP system upgrade preserves the TLS keystore and truststore files.

NSP system TLS requirements

The private key and certificate files used in an NSP deployment must be in unencrypted PEM format.

If the NSP system uses advertised hostnames, the SAN field of the TLS certificate must include the hostnames advertised on the client and internal interfaces of the NSP cluster.

If an integrated NFM-P system uses hostnames, the NSP must use only DNS to resolve the hostnames.

See NSP TLS configuration for information about how to deploy TLS in an NSP system.
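
A pre-deployment check for the private key format and SAN requirements above, as an added example that is not part of the NSP documentation or tooling. The function names, hostnames and key bodies are constructed for illustration, and the SAN text is assumed to come from `openssl x509 -noout -ext subjectAltName -in <cert>`.

```python
import re

# A PKCS#8 encrypted key has its own PEM label; a traditional (PKCS#1/SEC1)
# encrypted key keeps the plain label and adds a Proc-Type header.
_KEY_BEGIN = re.compile(r"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----")


def key_pem_status(pem_text):
    """Return 'unencrypted', 'encrypted' or 'not-pem' for private key text."""
    match = _KEY_BEGIN.search(pem_text)
    if not match:
        return "not-pem"      # e.g. DER, PKCS#12 or a Java keystore
    if match.group(1) == "ENCRYPTED PRIVATE KEY":
        return "encrypted"    # PKCS#8 protected by a passphrase
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.MULTILINE):
        return "encrypted"    # traditional PEM encryption header
    return "unencrypted"


def missing_san_hostnames(san_text, advertised):
    """Return the advertised hostnames that have no DNS entry in the SAN text.

    Assumption: names are compared case-insensitively and wildcard SAN
    entries are not expanded, so each hostname must be listed explicitly.
    """
    dns_names = {m.lower() for m in re.findall(r"DNS:([^,\s]+)", san_text)}
    return [h for h in advertised if h.lower() not in dns_names]


# Constructed sample data: hostnames and key bodies are placeholders.
SAMPLE_SAN = """X509v3 Subject Alternative Name:
    DNS:nsp-client.example.com, DNS:NSP-Internal.example.com, IP Address:192.0.2.10
"""
SAMPLE_KEYS = {
    "pkcs8": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "pkcs8-enc": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
                  "-----END ENCRYPTED PRIVATE KEY-----\n"),
    "legacy-enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name, pem in SAMPLE_KEYS.items():
        print(name, "->", key_pem_status(pem))
    wanted = ["nsp-client.example.com", "nsp-internal.example.com",
              "nsp-mediation.example.com"]
    print("missing from SAN:", missing_san_hostnames(SAMPLE_SAN, wanted))
```

A key reported as encrypted or not-pem does not meet the unencrypted PEM requirement, and any hostname returned by the SAN check must be added to the certificate before deployment.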

NFM-P TLS requirements

Custom certificate deployment is supported for an integrated NFM-P system that uses external IP addresses or hostnames.

If an NFM-P main server uses a hostname for communication with other components, the hostname specified using samconfig must be the hostname of the main server station, and must be the hostname that you include in the SAN field of the TLS certificate.

Note: A short hostname is valid only if DNS can resolve the hostname.