4.2.2.1. Procedure – Encrypting the communication between PNS and the authentication agent (Linux)

Steps: 

  1. Create a CA (for example, Satyr_CA) using the Management Console (MC). This CA will be used to sign the certificates shown by the PNS firewalls to the authentication agents.

  2. Export the CA certificate into PEM format.

  3. Generate a certificate request for each PNS firewall and sign the requests with the CA created in Step 1.

    Note

    Every firewall should have its own certificate. Do not forget to set the firewall as the Owner host of the certificate.

  4. Distribute the certificates to the firewalls.

  5. Install the Authentication Agent (AA) application on the workstations and import the CA certificate exported in Step 2 on each machine.

    To import the CA certificate complete the following steps:

    1. Create the /etc/satyr/ca directory:

      mkdir /etc/satyr/ca

    2. Copy the CA certificate exported in PEM format in Step 2 into the /etc/satyr/ca directory.

    3. Compute the subject-name hash of the CA certificate. OpenSSL looks certificates up in a CA directory by this hash, so it must be produced by the same OpenSSL version the Satyr Multiplexer uses: OpenSSL 1.0.0 changed the hash algorithm (the pre-1.0.0 value is printed by -subject_hash_old instead of -hash).

      openssl x509 -in /etc/satyr/ca/cacert.pem -hash -noout

    4. Create a symlink to the certificate file, named after the hash printed in the previous step with the .0 suffix (or the next free suffix, .1, .2 and so on, if another certificate with the same hash already occupies .0), for example:

      ln -s /etc/satyr/ca/cacert.pem /etc/satyr/ca/6d2962a8.0

    5. Restart the Satyr Multiplexer daemon:

      /etc/init.d/satyr-mpxd restart

      The authentication client is now ready to accept encrypted connections from PNS.

  6. Create the appropriate outband authentication policies in MC and reference them in the services of PNS. For details, see Chapter 15, Connection authentication and authorization in Proxedo Network Security Suite 1.0 Administrator Guide.