Prerequisites for a cyberelements Cleanroom Cluster platform¶
Machine¶
Both physical and virtual machines can be used to install cyberelements Cleanroom.
The product does not perform any virtualization, so the embedded virtualization option does not need to be enabled for virtual machines.
OS¶
cyberelements Cleanroom runs on 64-bit Debian 12 (Bookworm) machines.
It is recommended to use machines without a graphical interface and to limit the installed components to the SSH server.
CPU¶
A CPU with 4 cores will cover most use cases for the product.
RAM¶
Attention
The RAM values given below are indicative only, as there are many variables that can affect RAM consumption (product features used or elements installed in parallel with the product on the machine).
RAM consumption generally depends on the number of simultaneous users that the platform can accommodate:
- Between 1 and 5 simultaneous users: 2 GB of RAM minimum, 4 GB recommended.
- Between 5 and 20 simultaneous users: 4 GB of RAM minimum.
- For 20 or more simultaneous users: 8 GB of RAM minimum.
RAM consumption depends on the number of simultaneous sessions as well as the types of applications being used.
Typical values are as follows:
- Between 1 and 5 simultaneous users: 2 GB of RAM minimum, 4 GB recommended.
- Between 5 and 20 simultaneous users: 4 GB of RAM minimum.
- For 20 or more simultaneous users: 8 GB of RAM.
Note that an agentless RDP or VNC application can consume up to 400 MB per application launched.
When these types of applications are used extensively, it is recommended to monitor RAM usage in order to adjust its size accordingly.
RAM consumption depends on the number of HTML5 applications open simultaneously.
The base server must have 2 GB for the system to function, plus 50 MB per concurrent HTML5 application.
If the HTML5 Gateway role is combined with an Edge Gateway server, then add 50 MB per concurrent HTML5 application to the RAM recommendation for the Edge Gateway server.
Disk¶
We recommend partitioning the disk using LVM to provide greater flexibility if the machine's size needs to be revised during use.
Different types of servers have different disk usage patterns, with volumes that also differ. Below is the information by server type:
The Mediation Controller server will see increasing volume in the following directories:
- `/var/log/`: directory containing the various system logs.
- `/var/lib/postgresql/15/main/`: directory containing the local database data.
- `/var/ipdiva/`: directory containing product-specific data.
Isolating the different directories in different partitions is not mandatory but recommended. You can follow these instructions:
| Mount point | Options | Minimum size (GB) |
|---|---|---|
| /boot | nosuid,nodev,noexec | 1 |
| /opt | nosuid,nodev | 1 |
| /tmp | nosuid,nodev | 4 |
| /srv | nosuid,nodev | 1 |
| /home | nosuid,nodev,noexec | 6 |
| /usr | nodev | 6 |
| /var | nosuid | 5 |
| /var/log | nosuid,nodev,noexec | 5 |
| /var/tmp | nosuid,nodev,noexec | 2 |
| swap | No option | Half the RAM size |
| / | No option | 2 GB or more depending on the available disk space |
Example
For a server with 4 GB of RAM (which therefore requires 2 GB of swap), the partitioning above requires a minimum of 35 GB of disk space.
The Edge Gateway server will see increasing volume in the following directories:
- `/var/log/`: directory containing the various system logs.
- `/var/lib/ipdiva/carerecord/recording/`: directory containing archives currently being recorded; this is therefore a temporary storage directory.
- `/var/lib/ipdiva/carerecord/archives/`: default directory containing the product's graphic archives.
- `/var/ipdiva/care/sshrecord/`: default directory containing the product's non-graphic (SSH) archives.
Isolating the different directories in different partitions is not mandatory but recommended. You can follow these instructions:
| Mount point | Options | Minimum size (GB) |
|---|---|---|
| /boot | nosuid,nodev,noexec | 1 |
| /opt | nosuid,nodev | 1 |
| /tmp | nosuid,nodev | 4 |
| /srv | nosuid,nodev | 1 |
| /home | nosuid,nodev,noexec | 6 |
| /usr | nodev | 6 |
| /var | nosuid,nodev | 5 |
| /var/log | nosuid,nodev,noexec | 5 |
| /var/tmp | nosuid,nodev,noexec | 2 |
| swap | No option | Half the RAM size |
| / | No option | 2 GB or more depending on the available disk space |
Example
For a server with 4 GB of RAM (which therefore requires 2 GB of swap), the partitioning above requires a minimum of 35 GB of disk space.
However, it is strongly recommended to allocate more disk space to the /var mount point for the temporary and long-term graphic archives, unless the archives are outsourced.
The HTML5 Gateway server will see increasing volume in the following directories:
- `/var/log/`: directory containing the various system logs.
- `/home/systanciahtml5share/`: temporary storage directory for files exchanged with HTML5 applications.
Isolating the different directories in different partitions is not mandatory but recommended. You can follow these instructions:
| Mount point | Options | Minimum size (GB) |
|---|---|---|
| /boot | nosuid,nodev,noexec | 1 |
| /opt | nosuid,nodev | 1 |
| /tmp | nosuid,nodev | 4 |
| /srv | nosuid,nodev | 1 |
| /home | nosuid,nodev,noexec | 6 |
| /usr | nodev | 6 |
| /var | nosuid,nodev | 5 |
| /var/log | nosuid,nodev,noexec | 5 |
| /var/tmp | nosuid,nodev,noexec | 2 |
| swap | No option | Half the RAM size |
| / | No option | 2 GB or more depending on the available disk space |
Example
For a server with 4 GB of RAM (which therefore requires 2 GB of swap), the partitioning above requires a minimum of 35 GB of disk space.
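The following script checks a machine's actual mounts against the partitioning tables above. It is an added example, not part of the product or of this documentation: the embedded table is the Mediation Controller variant (the gateway tables also want `nodev` on `/var`, which can be passed as a custom table), the sample mounts are constructed, and it assumes a Linux `/proc/self/mounts` layout with a POSIX shell and awk.

```shell
#!/bin/sh
# check_mounts.sh: compare the mount options recorded in a /proc/self/mounts
# style file against the partitioning table above (Mediation Controller
# variant; the Edge Gateway and HTML5 Gateway tables also want nodev on /var,
# which you can pass as a custom table in the second argument).
# Swap is not listed in /proc/self/mounts, so it is not checked here.
# Prints one line per mount point and returns the number of non-compliant
# entries (0 = all mount points present with the required options).

# Required options per mount point, one "mountpoint options" pair per line.
REQUIRED='/boot nosuid,nodev,noexec
/opt nosuid,nodev
/tmp nosuid,nodev
/srv nosuid,nodev
/home nosuid,nodev,noexec
/usr nodev
/var nosuid
/var/log nosuid,nodev,noexec
/var/tmp nosuid,nodev,noexec'

# Constructed sample (not from a real machine): /var/log lacks noexec and
# /var/tmp is not a separate mount point, so it must produce 2 failures.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-opt /opt ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-srv /srv ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-usr /usr ext4 rw,nodev,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,nosuid,relatime 0 0
/dev/mapper/vg-varlog /var/log ext4 rw,nosuid,nodev,relatime 0 0'

# has_opt OPTION COMMA_LIST: succeeds when OPTION appears in COMMA_LIST.
has_opt() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# check_mounts MOUNTS_FILE [TABLE]: TABLE defaults to REQUIRED.
check_mounts() {
    mounts="$1"
    table="${2:-$REQUIRED}"
    failures=0
    [ -r "$mounts" ] || { echo "cannot read $mounts"; return 1; }
    while read -r mp wanted; do
        [ -n "$mp" ] || continue
        # Options of the last mount recorded for this path (the effective one).
        actual=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
        if [ -z "$actual" ]; then
            echo "FAIL: $mp is not a separate mount point"
            failures=$((failures + 1))
            continue
        fi
        missing=""
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            has_opt "$opt" "$actual" || missing="$missing $opt"
        done
        if [ -z "$missing" ]; then
            echo "ok:   $mp ($actual)"
        else
            echo "FAIL: $mp is missing:$missing (mounted with $actual)"
            failures=$((failures + 1))
        fi
    done <<EOF
$table
EOF
    echo "$failures non-compliant mount point(s) in $mounts"
    return "$failures"
}

# Stand-alone usage: ./check_mounts.sh /proc/self/mounts
# Without an argument the constructed sample above is checked instead.
if [ -n "${1:-}" ]; then
    check_mounts "$1"
else
    sample=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$sample"
    check_mounts "$sample" || true   # the sample is deliberately non-compliant
    rm -f "$sample"
fi
```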
Network¶
A cyberelements Cleanroom Cluster platform will require:
- 2 real IP addresses per Mediation Controller server (carried by the same network interface)
- 3 virtual IP addresses for the cluster to function
- 1 IP address per Edge Gateway or HTML5 Gateway machine
Additional information
The real and virtual IP addresses of the Mediation Controller servers must all belong to the same subnet.
Incompatibilities with the use of virtual IPs
Virtual IPs have load balancing managed with IPVS (IP Virtual Server).
Load balancing requires several prerequisites to function properly:
- Disable the Reverse Path Forwarding (RPF) features for the Mediation Controller servers and for the IP addresses carried by these machines.
- On VMware, assign an `E1000E` network adapter rather than `VMXNET3` to the Mediation Controller servers.
Mediation Controller servers are usually placed in a DMZ, but they can also be placed in a private DMZ or hosted on a public cloud. This will depend on the platform's use case (for example: remote access for service providers or securing internal access to protected areas).
Edge Gateway servers are usually placed in the LAN, in VLANs that allow them to communicate with target resources.
HTML5 Gateway servers can be placed either in the LAN or in the DMZ. This documentation provides for the installation of the HTML5 Gateway component on Edge Gateway servers, i.e., in the LAN.
To better identify the different machine addresses, they will be referred to as follows in the documentation:
| IP Address Name | Meaning |
|---|---|
| RIP_MED_WEB_MASTER | Primary IP address of the MASTER Mediation Controller server, which provides access to the Web consoles. |
| RIP_MED_WEB_SLAVE | Primary IP address of the SLAVE Mediation Controller server, which provides access to the Web consoles. |
| RIP_MED_SSL_MASTER | Second IP address of the MASTER Mediation Controller server, used by the SSL Router component. |
| RIP_MED_SSL_SLAVE | Second IP address of the SLAVE Mediation Controller server, used by the SSL Router component. |
| VIP_MED_WEB | Virtual IP address of the Mediation Controller cluster, which provides access to the web consoles. |
| VIP_MED_SSL | Virtual IP address of the Mediation Controller cluster, which provides access to the SSL Router. |
| VIP_MED_ZEO | Virtual IP address of the Mediation Controller cluster, enabling access to an internal product configuration database. |
| IP_GW | IP address of the Edge Gateway server. |
| IP_HTML5_GW | IP address of the HTML5 Gateway server. |
Information
The flow information provided assumes that the Mediation Controller servers are located in the DMZ and that the Edge Gateway servers, which also act as HTML5 Gateways, are located in the LAN.
The IP addresses of the Mediation Controller can either be public IP addresses directly assigned to the Mediation Controller server or public IP addresses that are NATed to private IP addresses (recommended).
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| User workstation | VIP_MED_WEB | TCP 443 (if using the standard port) | Allow access to web consoles and applications running directly in the browser. |
| User workstation | VIP_MED_SSL | TCP 443 (if using the standard port) | Establish a TLS tunnel to encrypt the flow passing through the cyberelements Cleanroom client. |
| IP_GW | VIP_MED_WEB | TCP 443 (if using the standard port) | When the Edge Gateway is located on a remote network. Connection to the Edge Gateway pairing system. |
| IP_GW | VIP_MED_SSL | TCP 443 (if using the standard port) | When the Edge Gateway is located on a remote network. Connection to the SSL Router to establish a TLSv1.3 tunnel and route product communications through it. |
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | Debian repositories | TCP 80 | Required for installing dependencies for cyberelements Cleanroom and for keeping the system up to date. The documentation and virtual appliances use ftp.fr.debian.org and security.debian.org. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | packages.microsoft.com | TCP 443 | Microsoft repository for installing and updating the MS SQL drivers. Only required if access to an MS SQL database is desired (the virtual appliances already include the MS SQL drivers). |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | NTP time server | UDP 123 | Optional if the server needs to synchronize its clock with a server in the DMZ. By default, the Debian pools are used: 0.debian.pool.ntp.org, 1.debian.pool.ntp.org, 2.debian.pool.ntp.org and 3.debian.pool.ntp.org. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | SMTP server | TCP 25, 465, 587 | Required if an SMTP server must be used for sending emails and is located in the WAN. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | DNS server | UDP 53 | Required for DNS resolution. It can be located in the WAN or DMZ. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | api.neomia.ai | TCP 443 | (Optional) Connection to the APIs of the Neomia Pulse behavioral biometrics MFA product. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | EU: keepersecurity.eu; US: keepersecurity.com; AU: keepersecurity.com.au; CA: keepersecurity.ca; JP: keepersecurity.jp | TCP 443 | (Optional) Connection to the Keeper EPM vault, depending on its location. |
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | NTP time server | UDP 123 | If the server needs to synchronize its clock with a server in the DMZ. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | SMTP server | TCP 25, 465, 587 | Required if an SMTP server must be used for sending emails and is located in the DMZ. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | Database server | TCP 1433, 5432, or any other custom port | Required if you want to use an external database located in the DMZ. |
| RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | DNS server | UDP 53 | Required for DNS resolution. It can be located in the DMZ or the WAN. |
Additional information
Mediation Controller servers must be able to communicate with each other from and to any of their addresses, regardless of the protocol.
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| IP_GW | Debian repositories | TCP 80 | Required for installing dependencies for cyberelements Cleanroom and for keeping the system up to date. The documentation and virtual appliances use ftp.fr.debian.org and security.debian.org. |
| IP_GW | DNS server | UDP 53 | Required for DNS resolution. Optional if a DNS server is available on the LAN or DMZ. |
| IP_GW | NTP time server | UDP 123 | Optional if the server needs to synchronize its clock with a server in the LAN or DMZ. By default, the Debian pools are used: 0.debian.pool.ntp.org, 1.debian.pool.ntp.org, 2.debian.pool.ntp.org and 3.debian.pool.ntp.org. |
| IP_GW | SMS provider | TCP 443 | (Optional) Connection to the APIs of the SMS providers supported by cyberelements Cleanroom. |
| Source(s) | Destination | Destination port | Comments |
|---|---|---|---|
| IP_GW, IP_HTML5_GW | VIP_MED_WEB, RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | TCP 443 (if using the standard port) | Connection to the Edge Gateway pairing system. |
| IP_GW, IP_HTML5_GW | VIP_MED_SSL, RIP_MED_SSL_MASTER, RIP_MED_SSL_SLAVE | TCP 443 (if using the standard port) | Connection to the SSL Router to establish a TLSv1.3 tunnel and route product communications through it. |
| Client workstation | VIP_MED_WEB, RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | TCP 443 (if using the standard port) | Connection to the product's various web consoles. |
| Client workstation | VIP_MED_SSL, RIP_MED_SSL_MASTER, RIP_MED_SSL_SLAVE | TCP 443 (if using the standard port) | Establish a TLS tunnel to encrypt the flow passing through the cyberelements Cleanroom client. |
| Administrator workstation | RIP_MED_WEB_MASTER, RIP_MED_WEB_SLAVE | TCP 22 | SSH connection to the Mediation Controller server. |
| Source | Destination | Destination port | Comments |
|---|---|---|---|
| IP_GW | DNS server | UDP 53 | Required for DNS resolution. Optional if a DNS server in the WAN or DMZ is used. |
| IP_GW | LDAP or AD servers | TCP 389 or 636 | cyberelements Cleanroom connection to an LDAP or AD server. |
| IP_GW | AD servers | TCP 139 and 445 | AD account password rotation, used only if rotation via LDAPS is not possible. |
| IP_GW | RDP servers | TCP/UDP 3389 (if using the standard port) | Connection from cyberelements Cleanroom to RDP servers. |
| IP_GW | SSH servers | TCP 22 (if using the standard port) | Connection from cyberelements Cleanroom to SSH servers. |
| IP_GW | VNC servers | TCP 5900 (if using the standard port) | Connection from cyberelements Cleanroom to VNC servers. |
| IP_GW | Web servers | TCP 80 or 443 (if using the standard port) | Connection from cyberelements Cleanroom to Web servers. |
| IP_GW | Citrix StoreFront servers | TCP 443 (if using the standard port) | Connection from cyberelements Cleanroom to Citrix StoreFront servers. |
| IP_GW | Citrix application servers | TCP 1494 | Connection from cyberelements Cleanroom to Citrix application servers (launching an application or desktop with the ICA client). |
| IP_GW | File servers | TCP 139 and 445 | Connection from cyberelements Cleanroom to file servers. |
| IP_GW | Database server | TCP 1433, 5432, or any other custom port | Required if you want to use an external database located on the LAN (for example, to transfer the Vault database). |
| IP_GW | RDP servers | TCP 139 and 445 | Deployment of the recording agent via the administration console. |
| Client workstation | IP_GW | TCP [port defined by the administrator] | Direct SSH access connection. |
| Client workstation | IP_GW | TCP 3389 | Direct RDP access connection. |
| RDP servers | IP_GW | TCP 8443 | Connection between the recording agent and the Edge Gateway to upload the user session recording. |
| Administrator workstation | IP_GW | TCP 22 | SSH connection to the Edge Gateway server. |
Database¶
cyberelements Cleanroom uses different databases (DB) for its operation.
- System configuration database. This database stores all the settings for the `/system` administration interface and must be named `default`.
  Attention! You must create the `default` database before connecting to cyberelements Cleanroom (it is not created automatically).
- Organization configuration database. Each organization created on the Mediation Controller server requires a separate DB containing all of the organization's settings and logs.
- Vault database. Each organization created triggers the creation of a specific DB for the product vault, stored by default on the Mediation Controller server. This database can be outsourced to the LAN provided that an Edge Gateway can access it.
When using external databases (the nominal case in a Cluster), the supported database types are:
- PostgreSQL version 15 for all three databases.
- Microsoft SQL Server, in its versions that are supported without extended maintenance, for organization configuration databases and outsourced vault databases.
License¶
The Mediation Controller server requires a license to function.
The license can be obtained from Systancia using the following license request form: Request a license
Certificates¶
cyberelements Cleanroom uses TLS encryption for internal communications and HTTPS to secure web access, which requires various X.509 certificates. The information below summarizes the certificates required, their purpose, and their minimum settings.
Certificate security constraint
Regardless of the certificate used, ensure that it complies with OpenSSL security level 2, which can be summarized as follows:
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits.
- The certificate signature must not be MD5 or SHA-1 (SHA-512 is preferred).
The Mediation Controller server uses five different certificates:
- A web certificate to enable HTTPS.
- A certificate for the SSL Router component responsible for setting up TLS tunnels and routing traffic between them.
- A certificate for the Watchdog component responsible for monitoring the proper functioning of the SSL Router.
- A certificate for the cyberelements Cleanroom client to enable it to connect to the SSL router and establish a TLSv1.3 tunnel.
- A certificate for inter-server exchanges between Mediation Controllers (only for the `SLAVE` server).
Web certificate
Recommendation
The web certificate should preferably be issued by a public Certification Authority (CA) that is recognized as trustworthy.
This ensures, without any additional action, that users receive no alerts about the certificate used (provided that it is valid and covers the name with which the user initiated the connection). Using a certificate issued by an internal PKI requires deploying the CA certificate on the user workstations.
The web certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 398 days (13 months).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The value of the `Common Name` attribute must be the DNS name (or wildcard) for which the certificate is intended.
- The `Key Usage` attribute must have the values `critical`, `digitalSignature` and `keyEncipherment`.
- The `Extended Key Usage` attribute must have the `id-kp-serverAuth` value (OpenSSL uses the `serverAuth` value).
- The `Subject Alternative Name` attribute must contain at least one entry corresponding to the primary DNS name; other entries may be added to cover other DNS names or IP addresses.
Accepted certificate format: P12 or PEM (with two files, one for the certificate and one for the private key).
SSL router certificate
The SSL Router certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The value of the `Common Name` attribute must be the IP address, or a DNS name resolving to IP_MED_SSL.
- The `Key Usage` attribute must have the values `critical`, `digitalSignature` and `keyEncipherment`.
- The `Extended Key Usage` attribute must have the value `serverAuth`.
Accepted certificate format: P12.
Watchdog certificate
The Watchdog certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must have a value that identifies the Watchdog, for example “Watchdog”.
- The `Key Usage` attribute must have the values `critical` and `digitalSignature`.
- The `Extended Key Usage` attribute must have the value `clientAuth`.
Accepted certificate format: P12.
cyberelements Cleanroom client certificate
The cyberelements Cleanroom client certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must have a value that identifies the client, for example “cyberelements-cleanroom-client”.
- The `Key Usage` attribute must have the values `critical` and `digitalSignature`.
- The `Extended Key Usage` attribute must have the value `clientAuth`.
Accepted certificate format: P12 with a password of at least 8 alphanumeric characters (special characters, accented letters, or hyphens are not supported).
Interserver certificate
The cyberelements Cleanroom interserver certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must have an identification name as its value, for example “interserver-cleanroom”.
- The `Key Usage` attribute must have the values `critical` and `digitalSignature`.
- The `Extended Key Usage` attribute must have the value `clientAuth`.
Accepted certificate format: P12 with a password of at least 8 characters without special characters.
The Edge Gateway server uses two different certificates:
- A certificate for authenticating the Edge Gateway component with the SSL Router.
- A certificate for the recording service so that recording agents can connect to it.
Information
An Edge Gateway server can have multiple Edge Gateway instances, requiring as many certificates as there are Edge Gateway instances (except in the specific case of cluster architecture).
However, an Edge Gateway server has only one recording service, so only one certificate per machine will be required.
Edge Gateway certificate
The Edge Gateway certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must have a value that identifies the logical Edge Gateway. This name takes the form `<GW_NAME>@<ORGANIZATION_NAME>`, where `<GW_NAME>` is the name of the Edge Gateway (as entered in the administration console) and `<ORGANIZATION_NAME>` is the name of the organization to which the Edge Gateway will connect.
- The `Key Usage` attribute must have the values `critical` and `digitalSignature`.
- The `Extended Key Usage` attribute must have the value `clientAuth`.
Accepted certificate format: P12.
Recording service certificate
The recording service certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The value of the `Common Name` attribute must be the FQDN, or at least the host name, of the Edge Gateway machine.
- The `Key Usage` attribute must have the values `critical`, `digitalSignature` and `keyEncipherment`.
- The `Extended Key Usage` attribute must have the value `serverAuth`.
Accepted certificate format: P12.
The HTML5 Gateway server uses a single certificate: the one for authenticating the HTML5 Gateway component with the SSL Router.
Information
An HTML5 Gateway server can have multiple instances of HTML5 Gateway, requiring as many certificates as there are instances of HTML5 Gateway (except in the specific case of cluster architecture).
HTML5 Gateway certificate
The HTML5 Gateway certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must have a value that identifies the logical HTML5 Gateway. This name takes the form `<HTML5_GW_NAME>@<ORGANIZATION_NAME>`, where `<HTML5_GW_NAME>` is the name of the HTML5 Gateway (as entered in the administration console) and `<ORGANIZATION_NAME>` is the name of the organization to which the HTML5 Gateway will connect.
- The `Key Usage` attribute must have the values `critical` and `digitalSignature`.
- The `Extended Key Usage` attribute must have the value `clientAuth`.
Accepted certificate format: P12.
For direct access operation, the direct recording agent uses a certificate to authenticate itself with the recording service of an Edge Gateway.
The certificate must comply with the following constraints for its attributes:
- The certificate's validity period must not exceed 1095 days (3 years).
- The hash function used for the signature must be part of the SHA-2 family; we recommend SHA-512.
- The certificate and the certificates of its certification authorities must have a private key of at least 2048 bits for RSA, DSA and DH; elliptic curve (ECC) keys must be at least 224 bits. We recommend 4096 bits for RSA and the 384-bit `secp384r1` curve for ECDSA.
- The `Common Name` attribute must have a value that is the short name, the FQDN, or any other name that uniquely identifies the machine. This name is used to identify and track the actions performed on the machine.
- The `Key Usage` attribute must have the values `critical` and `digitalSignature`.
- The `Extended Key Usage` attribute must have the value `clientAuth`.
Accepted certificate format: P12.
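The attribute constraints shared by all the certificate sections above, from the web certificate through the direct recording agent certificate, can be verified before a certificate is imported. The script below is an added example, not the product's own tooling: the profile names `web`, `server` and `client` are ours, it reads PEM input (convert a P12 with `openssl pkcs12` first), and it assumes the openssl CLI (1.1.1 or later, for `-ext`) and GNU `date` on a Debian host.

```shell
#!/bin/sh
# check_cert.sh: verify a PEM certificate against the attribute constraints
# listed on this page. Profile names are ours, not a product setting:
#   web    - web certificate: <= 398 days, EKU serverAuth, Key Usage
#            digitalSignature + keyEncipherment, at least one SAN entry
#   server - SSL Router / recording service: <= 1095 days, EKU serverAuth,
#            Key Usage digitalSignature + keyEncipherment
#   client - Watchdog, client, interserver, Edge/HTML5 Gateway and direct
#            recording agent: <= 1095 days, EKU clientAuth, digitalSignature
# Every profile needs a SHA-2 signature and RSA/DSA/DH >= 2048 bits or
# EC >= 224 bits. Prints one line per check and returns the number of failed
# checks (0 = compliant). Needs the openssl CLI (1.1.1+) and GNU date.

check_cert() {
    cert="$1"; profile="${2:-web}"; failures=0
    case "$profile" in
        web)    max_days=398;  eku="TLS Web Server Authentication"; need_ke=1; need_san=1 ;;
        server) max_days=1095; eku="TLS Web Server Authentication"; need_ke=1; need_san=0 ;;
        client) max_days=1095; eku="TLS Web Client Authentication"; need_ke=0; need_san=0 ;;
        *)      echo "unknown profile: $profile"; return 1 ;;
    esac
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: cannot parse $cert as a PEM certificate"; return 1; }

    # 1. Validity period (notAfter - notBefore) must not exceed max_days.
    not_before=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    days=$(( ( $(date -d "$not_after" +%s) - $(date -d "$not_before" +%s) ) / 86400 ))
    if [ "$days" -le "$max_days" ]; then echo "ok:   validity $days days (max $max_days)"
    else echo "FAIL: validity $days days exceeds $max_days"; failures=$((failures + 1)); fi

    # 2. Signature hash must belong to the SHA-2 family (SHA-512 recommended).
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sig" in
        *[sS][hH][aA]256*|*[sS][hH][aA]384*|*[sS][hH][aA]512*) echo "ok:   signature $sig" ;;
        *) echo "FAIL: signature $sig is not SHA-2"; failures=$((failures + 1)) ;;
    esac

    # 3. Key size: >= 2048 bits for RSA/DSA/DH, >= 224 bits for elliptic curves.
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$alg" in id-ecPublicKey) min_bits=224 ;; *) min_bits=2048 ;; esac
    if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then echo "ok:   $alg $bits bits (min $min_bits)"
    else echo "FAIL: $alg ${bits:-?} bits is below $min_bits"; failures=$((failures + 1)); fi

    # 4. Key Usage must be critical and carry digitalSignature, plus
    #    keyEncipherment for the server-side profiles.
    ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null || true)
    ku_ok=0
    case "$ku" in *critical*"Digital Signature"*) ku_ok=1 ;; esac
    if [ "$need_ke" -eq 1 ]; then case "$ku" in *"Key Encipherment"*) ;; *) ku_ok=0 ;; esac; fi
    if [ "$ku_ok" -eq 1 ]; then echo "ok:   Key Usage matches the $profile profile"
    else echo "FAIL: Key Usage does not match the $profile profile"; failures=$((failures + 1)); fi

    # 5. Extended Key Usage must carry serverAuth or clientAuth as the profile demands.
    ext=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null || true)
    case "$ext" in *"$eku"*) echo "ok:   Extended Key Usage includes $eku" ;;
        *) echo "FAIL: Extended Key Usage must include $eku"; failures=$((failures + 1)) ;; esac

    # 6. Web certificates need at least one Subject Alternative Name entry.
    if [ "$need_san" -eq 1 ]; then
        san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
        case "$san" in *DNS:*|*"IP Address:"*) echo "ok:   Subject Alternative Name present" ;;
            *) echo "FAIL: Subject Alternative Name missing"; failures=$((failures + 1)) ;; esac
    fi
    echo "$failures check(s) failed for $cert ($profile profile)"
    return "$failures"
}

# Stand-alone usage: ./check_cert.sh /path/to/certificate.pem [web|server|client]
if [ -n "${1:-}" ]; then check_cert "$1" "${2:-web}"; fi
```

The chain is not validated here: run `openssl verify` against the issuing CA separately, since this script only inspects the leaf certificate's own attributes.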