1. You can use a utility, such as OpenSSL, to create the necessary certificates, or you can have an existing Certificate Authority create them. Either way, the peer needs the following three files:
A CA certificate (ca_list.pem)
A node-specific certificate (rsa_cert.pem)
A node-specific key (rsa_key.pem)
NOTE: OpenSSL can also be downloaded from www.openssl.org. Steps 2-9 following this NOTE generate the certificates with OpenSSL. Skip them if you plan to use an existing Certificate Authority.
2. Create the following directory structure to manage certificates:
$ mkdir /home/aaa/ca
$ cd /home/aaa/ca
$ mkdir certs private
$ touch index.txt
$ echo "01" > serial
3. Copy openssl.cnf from the www.openssl.org web site.
4. Make the following changes in openssl.cnf (or changes as required for your network):
dir = /home/aaa/ca
default_days = 365
default_crl_days = 365
5. Older OpenSSL releases require a seed value for creating certificates. The seed value can be stored in $HOME/.rnd:
$ (ps -ef ; date) > $HOME/.rnd
Current OpenSSL releases seed from the operating system's random number generator and do not need this file.
6. Create a root certificate with the following command:
$ openssl req -new -x509 -days 365 -keyout ./private/cakey.pem -out ./cacert.pem -config ./openssl.cnf
When you execute this command, you are prompted for a PEM pass phrase (a password that protects the CA private key) and for your organization details. For the Common Name field, enter "Your Organization Name Root CA".
7. Create a certificate request for the peer for which TLS is being configured. If the peer's fully qualified domain name is aaah.home.com, the certificate Common Name must be set to aaah.home.com. Use the following command to create the request:
$ openssl req -new -keyout aaah_rsa_key.pem -out aaah_rsa_req.pem -days 365 -config openssl.cnf
You are prompted for a PEM pass phrase; this pass phrase protects the peer's private key. For Common Name, enter aaah.home.com. Leave the challenge password empty.
8. Create a certificate for the server peer aaah.home.com by signing the request with the CA:
$ openssl ca -policy policy_anything -crldays 365 -days 365 -out aaah_rsa_cert.pem -config openssl.cnf -infiles aaah_rsa_req.pem
When prompted for a PEM pass phrase, enter the one you chose when creating the Root CA certificate. Sign and commit the certificate when prompted.
9. Remove the pass phrase from the aaah private key file so that the server can load the key without operator input:
$ openssl rsa -in aaah_rsa_key.pem -out aaah_rsa_key_out.pem
The resulting file holds the key in clear text, so restrict it to the account that runs the server (for example, chmod 600) and do not leave copies in shared locations.
10. Distribute the generated certificate files (from OpenSSL steps 2-9, or from the existing Certificate Authority) to the security directory for aaah.home.com:
$ cp cacert.pem /etc/opt/aaa/diameter/security/ca_list.pem
$ cp aaah_rsa_key_out.pem /etc/opt/aaa/diameter/security/rsa_key.pem
$ cp aaah_rsa_cert.pem /etc/opt/aaa/diameter/security/rsa_cert.pem
aaah.home.com is assumed to be the local host, which is why the files are copied locally. Otherwise, copy the files to the aaah.home.com host; because rsa_key.pem is unencrypted, use an authenticated, encrypted transfer (for example, scp) rather than plain FTP.
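The OpenSSL steps above run end to end without prompts, followed by a check of the installed files, as an added example that is not part of the original page or of the Mobile AAA product. Directory names, the CA name, the pass phrases and the peer FQDN (aaah.home.com) are assumptions; the minimal openssl.cnf written here carries only the settings the procedure needs (dir, default_days, default_crl_days, the policy_anything section) and is not the file distributed by www.openssl.org.

```shell
#!/bin/sh
# Added example (not the product's own tooling): the OpenSSL steps above run
# without prompts, plus a check of the installed files. Directory names, the CA
# name, pass phrases and the peer FQDN are assumptions.
set -eu

# build_peer_certs CA_DIR SECURITY_DIR PEER_FQDN CA_PASS KEY_PASS
# CA_PASS/KEY_PASS are passed as "pass:" arguments for brevity; in production
# prefer the interactive prompts (as the text does) or -passin file:.
build_peer_certs() {
    ca_dir=$1 sec_dir=$2 peer=$3 ca_pass=$4 key_pass=$5
    cnf=$ca_dir/openssl.cnf

    # Directory layout and the database files "openssl ca" needs.
    mkdir -p "$ca_dir/certs" "$ca_dir/private" "$sec_dir"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo "01" > "$ca_dir/serial"

    # Minimal openssl.cnf with the dir/default_days/default_crl_days settings
    # from the text; policy_anything is the policy named on the ca command line.
    # ($HOME/.rnd seeding is not needed on current OpenSSL releases.)
    cat > "$cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
new_certs_dir = $ca_dir/certs
database = $ca_dir/index.txt
serial = $ca_dir/serial
private_key = $ca_dir/private/cakey.pem
certificate = $ca_dir/cacert.pem
default_days = 365
default_crl_days = 365
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_peer ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$peer
EOF

    # Root CA (-subj replaces the interactive prompts).
    openssl req -new -x509 -days 365 -config "$cnf" -subj "/CN=Example Org Root CA" \
        -passout "pass:$ca_pass" -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem"

    # Peer request: the CN must be the peer's FQDN.
    openssl req -new -config "$cnf" -subj "/CN=$peer" -passout "pass:$key_pass" \
        -keyout "$ca_dir/${peer}_rsa_key.pem" -out "$ca_dir/${peer}_rsa_req.pem"

    # Sign with the CA; -batch answers the sign/commit prompts.
    openssl ca -batch -config "$cnf" -policy policy_anything -days 365 -crldays 365 \
        -passin "pass:$ca_pass" -extensions v3_peer -notext \
        -out "$ca_dir/${peer}_rsa_cert.pem" -infiles "$ca_dir/${peer}_rsa_req.pem"

    # Strip the pass phrase; the key is now clear text, so create it owner-only.
    (umask 077; openssl rsa -in "$ca_dir/${peer}_rsa_key.pem" -passin "pass:$key_pass" \
        -out "$ca_dir/${peer}_rsa_key_out.pem")

    # Install under the names the Diameter security directory expects.
    cp "$ca_dir/cacert.pem" "$sec_dir/ca_list.pem"
    cp "$ca_dir/${peer}_rsa_cert.pem" "$sec_dir/rsa_cert.pem"
    (umask 077; cp "$ca_dir/${peer}_rsa_key_out.pem" "$sec_dir/rsa_key.pem")
}

# check_peer_certs SECURITY_DIR PEER_FQDN
# 0 only if: rsa_cert.pem chains to ca_list.pem, its CN is PEER_FQDN (the name
# the peer entry must match), rsa_key.pem matches it, is unencrypted and is
# readable by its owner only.
check_peer_certs() {
    sec_dir=$1 peer=$2
    ca=$sec_dir/ca_list.pem cert=$sec_dir/rsa_cert.pem key=$sec_dir/rsa_key.pem
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$peer" || return 1
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl rsa -in "$key" -pubout 2>/dev/null)" ] || return 1
    grep -q ENCRYPTED "$key" && return 1
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}

# Stand-alone use: sh this_script.sh CA_DIR SECURITY_DIR PEER_FQDN
if [ $# -eq 3 ]; then
    build_peer_certs "$1" "$2" "$3" change-me-ca change-me-key
    check_peer_certs "$2" "$3" && echo "certificates for $3 installed in $2"
fi
```

-subj, -batch and the pass: arguments stand in for the prompts the manual procedure walks through; the check at the end catches the mistakes that otherwise surface only when the peer connection fails (a CN that does not equal the peer name, a key still carrying its pass phrase, or a key that does not belong to the certificate). Once the peer is listening on its TLS port, the same CA file can be used to confirm the served certificate from another host with openssl s_client -connect aaah.home.com:PORT -CAfile ca_list.pem.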
11. Access the Mobile AAA server manager.
12. Select Peers from the Navigation frame.
13. Either select the New peer link and create a new peer, or select an existing peer's link. The peer name must match the Common Name of the TLS certificate created in the previous steps.
14. When creating the new peer or modifying an existing peer, the Identity Port must match the port in the peer's Diameter Identity, and the Connection Port must match the TLS port on which the peer listens for requests.
15. Select TLS from the Security drop-down list.
16. Select the Create button.
17. Select the Save button.
18. Repeat all the previous steps for each peer with which you want to establish a TLS connection using an RSA certificate.