Using an Internal Certificate Authority (CA)
Configure an internal certificate authority on the virtual appliance.
Adding the Certificate to the Virtual Appliance
If you are using your own certificate authority, you need to add the root and intermediate certificates to the VA.
Note
This process might also be required if your source is not automatically uploading the certificate from the VA.
Prerequisites
- You have created at least one virtual appliance cluster.
- The certificate is on the source.
Perform the following:
1. Import the certificate and entire key chain (root and intermediate certificates) to the VA as described in Importing a Certificate and Keychain to the Virtual Appliance.
2. Restart the Connector Gateway using the following command:
sudo systemctl restart ccg
3. In the source, ensure that the following are true:
  - The hostname for the source matches the hostname in the virtual appliance's configuration.
  - The source is connected to the virtual appliance you configured to use TLS.
Note
If using Active Directory with IQService enabled, the Hostname cannot be an IP address.
4. Change the Port to 636.
5. If available, enable the Use TLS option.
6. Test the connection.
The source's certificate is auto-imported to the VA.
Replace an Expired Certificate
When your certificate has expired, you need to add the new certificate, under a new name, on both the source and the VA.
Prerequisites
Complete the process described in Adding the Certificate to the Virtual Appliance.
Perform the following:
1. Add the new certificate on the source with a new name.
2. Import the certificate and entire key chain (root and intermediate certificates) to the VA as described in Importing a Certificate and Keychain to the Virtual Appliance.
3. Restart the Connector Gateway using the following command:
sudo systemctl restart ccg
4. Test the connection.
The source's certificate is auto-imported to the VA.
TLS Configuration Without DNS
If DNS is not configured for your network, you need to edit the hosts.yaml file on the virtual appliance to specify the hostname. This is required because the sources that support TLS communication use IQService, which cannot establish a TLS connection to an IP address.
Note
By default, the virtual appliance obtains the TLS certificate automatically from the source the first time it connects to the source. If you want to manually load the certificate to your virtual appliances, you need to do so before the source successfully connects to the virtual appliance.
Prerequisites
At least one virtual appliance cluster has been configured and connected successfully.
Best Practice
The instructions contained in this section are most effective when executed as a virtual appliance is being created, before configuring the proxy.yaml file. For more information, see Virtual Appliance Reference Guide.
Perform the following:
1. Open your virtualization platform and start the VA.
2. Log in to the virtual appliance.
3. Open the attached hosts.yaml file to edit it.
Note
For information on creating a hosts.yaml file, refer to Configuring a Hosts.yaml File.
4. Uncomment lines 3-6 and replace lines 4-6 with actual values, according to the following requirements:
  - The spacing and indentation must be precise.
  - The fourth line must start with 2 spaces followed by a valid IP address matching the IP address configured for the host.
  - The fifth line must start with 2 spaces followed by a dash and 1 additional space. It must contain a fully-qualified hostname.
  - The sixth line must start with 2 spaces followed by a dash and 1 additional space. It must contain a hostname, and must match the hostname configured for the source. Both the fifth and sixth lines are required.
Note
If you have IQService configured for your source, you cannot use an IP address for a hostname.
5. Repeat step 4 as needed for multiple entries.
6. Copy the hosts.yaml file to the VA using SCP, as follows:
  - Find the IP address for the VA by running:
ifconfig -a
  - Copy the file by running the SCP command on your local workstation, as follows:
scp <download_path>/hosts.yaml sailpoint@<ip_address>:/home/sailpoint/hosts.yaml
Note
If you want to manually upload a TLS certificate to your VA, do so now. See Manually Uploading a Certificate to a VA for instructions.
7. Choose one of the following:
  - If you are editing an existing virtual appliance, continue to step 8.
  - If you are configuring a new virtual appliance, continue configuring the virtual appliance as described in the Virtual Appliance Administrator's Guide.
8. Enable TLS for the source.
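The spacing rules for lines 4-6 of hosts.yaml in step 4 can be checked mechanically before the file is copied to the VA. The following Python script is an added example, not part of the SailPoint documentation or product: it renders an entry with the required spacing and validates one against the rules above (IP line, fully-qualified name, hostname matching the source, and no IP address as a hostname when IQService is in use). The trailing colon on the IP line, the function names and the sample values are assumptions.

```python
import ipaddress
import re
from typing import List

# RFC 1123 label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def render_hosts_entry(ip: str, fqdn: str, hostname: str) -> List[str]:
    """Lines 4-6 of hosts.yaml with the exact spacing the doc requires.
    The trailing ':' on the IP line is an assumption (a YAML mapping key)."""
    return [f"  {ip}:", f"  - {fqdn}", f"  - {hostname}"]

def check_hosts_entry(lines: List[str], source_hostname: str, iqservice: bool = False) -> List[str]:
    """Validate one entry against the doc's rules; returns the problems found (empty = OK)."""
    if len(lines) != 3:
        return [f"expected 3 lines (IP, FQDN, hostname), got {len(lines)}"]
    ip_line, fqdn_line, host_line = lines
    problems: List[str] = []
    # Line 4: exactly two spaces, then a valid IP address (a trailing ':' is accepted).
    m = re.fullmatch(r"  ([^\s:]+):?", ip_line)
    if not m or not is_ip(m.group(1)):
        problems.append(f"line 4 must be two spaces then a valid IP address: {ip_line!r}")
    # Lines 5-6: exactly two spaces, a dash, one space, then a name.
    names = {}
    for num, line in ((5, fqdn_line), (6, host_line)):
        m = re.fullmatch(r"  - (\S+)", line)
        if not m:
            problems.append(f"line {num} must be two spaces, a dash and one space, then a name: {line!r}")
            continue
        names[num] = m.group(1)
        if iqservice and is_ip(names[num]):
            problems.append(f"line {num}: IQService sources cannot use an IP address as a hostname")
        elif not _HOSTNAME_RE.match(names[num]):
            problems.append(f"line {num}: {names[num]!r} is not a valid hostname")
    # Line 5 must be fully qualified; line 6 must match the hostname configured on the source.
    if 5 in names and "." not in names[5]:
        problems.append(f"line 5: {names[5]!r} is not fully qualified")
    if 6 in names and names[6] != source_hostname:
        problems.append(f"line 6: {names[6]!r} does not match source hostname {source_hostname!r}")
    return problems
```

Run it against each three-line entry of your edited hosts.yaml before the SCP step; an empty result means the entry satisfies the spacing and naming rules above.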