In most cases there is no need to change settings in the client application.
The exception is when you want to use client certificates to restrict access to your file storage server.
The steps are:
- An administrator creates a CA certificate of their own.
- This certificate becomes a CA trusted by the corporate Cargador.
- In cargador [.win | linux].conf, define the following parameter:
- /config/tcpServer/foreignGate/ssl/mode : enable=always
- In the same file, set the following: /config/tcpServer/foreignGate/ssl/verifyCA : true
- Issue your own certificate and sign it with your CA.
- Apply the certificate to your file storage from the Cerebro interface.
- The parties that need access to your Cargador service must also be provided with certificates signed by your CA. These certificates must be used when registering their file storage in Cerebro.
- Attention! From now on, your storage will only be accessible to users from companies that hold your certificate.
This model uses client certificates for corporate file storage authentication. You, as well as your partners, specify certificates signed by your CA when registering a file storage in the Cerebro database. On each connection attempt, SSL checks whether the client certificate is signed by your particular CA.
When generating a certificate, the OU (Organization Unit) field has a special meaning. It encodes usage restrictions for the certificate, namely whether the file storage to which the certificate is assigned can be used as an upload point. This lets you specify who can use your corporate Cargador to upload files and for which projects. The format of the field is:
OU=upload:[*<-any project>] | [project name1][:project name2]...
Project names are case-insensitive.
Be careful when creating a self-signed certificate – make sure to give yourself permission to upload files to any project:
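The steps above, sketched with the OpenSSL command line as an added example (not taken from the Cerebro documentation). The use of OpenSSL with PEM files, the subject names, key size, lifetimes and the project names projectA and projectB are assumptions; the OU values follow the format given above.

```shell
#!/bin/sh
# Added example. Assumptions: OpenSSL CLI, PEM files, RSA-2048 keys; the
# subject names, lifetimes and project names below are all constructed.
set -eu

# make_ca DIR NAME: create a self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -subj "/O=Example Studio/CN=$2" 2>/dev/null
}

# issue_cert DIR CA NAME OU: create a key and CSR whose OU carries the
# upload restriction, then sign the CSR with the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" \
        -subj "/O=Example Studio/OU=$4/CN=$3" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -days 90 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# signed_by DIR CA NAME: succeed only if NAME.crt was signed by CA.crt.
signed_by() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# cert_ou DIR NAME: print the OU value stored in the certificate subject.
cert_ou() {
    openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253 |
        tr ',' '\n' | sed -n 's/^.*OU=//p'
}

work=$(mktemp -d)
make_ca "$work" studio-ca
# Own storage: may serve as an upload point for any project.
issue_cert "$work" studio-ca own-storage 'upload:*'
# Partner: limited to two named projects.
issue_cert "$work" studio-ca partner 'upload:projectA:projectB'
for c in own-storage partner; do
    signed_by "$work" studio-ca "$c" && echo "$c: OU=$(cert_ou "$work" "$c")"
done
```

The .key files are written unencrypted (-nodes), so pass a partner's key over a protected channel and keep the CA key off the storage host.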
To add a certificate, log in to Cerebro, open the Administrator window (Main menu/Tools/Administrator…) and switch to the File Storages tab.
Select a file storage and press the Import a new certificate button. A new window will appear where you can select the certificate and a private key. You may change or delete a certificate at any time.
If you want your business partners from other companies to use your file storage, you must provide them with certificates and private keys created for them and signed by your CA. The partners, in turn, must log in to Cerebro and add your file storage there, specifying its address and applying their certificates. When issuing a certificate you may set its expiration date, if needed.