Certificate Management

MineMarket can be configured to use the Secure Sockets Layer (SSL) protocol for encrypted communication between the MineMarket Service and all clients. Clients include the MineMarket Clients, the MineMarket Marketing Service, the MineMarket Export and Reports Service, the MineMarket Data Mart Service, the MineMarket Data Agents, and the MineMarket Excel Uploader.

Datamine recommends using the SSL protocol.

To use SSL, you need to:

  • Enable the Use SSL setting in the configuration of the MineMarket Service and all clients. This setting is enabled by default.
  • Use the following SSL certificates and keys:
    • root.crt—The certificate authority (CA) certificate used to sign the server and client certificates. This file must be the same on the MineMarket Server and all clients.
    • server.crt—The server certificate, which must be issued to the host name of the MineMarket Server; that is, the name or IP address of the server on which the MineMarket Service runs, matching the MineMarket Service Hostname entered in the Application Configuration Editor. The steps in Creating Certificates put that name into the certificate's subjectAltName as a DNS entry; if the Hostname is an IP address, the subjectAltName must carry it as IP:<address> instead, because TLS clients match IP addresses only against IP entries.
    • server.key—The private key for the server certificate.
    • client.crt—The client certificate, which is presented to the server to prove that the client is trusted for communication. Datamine recommends that each client has its own certificate, so that one compromised or decommissioned client can be replaced without reissuing the certificates of every other client; however, this is not required.
    • client.key—The private key for the client certificate.

Obtaining Certificates

Certificates may be provided by Datamine, or you may request certificates from a CA, or you may generate self-signed certificates.

Production and Testing Environments

Certificates can be provided by Datamine as part of your licence agreement.

Note: Datamine expects that MineMarket is running in a secured and isolated network environment. Because the MineMarket Server and clients are then not exposed to the public internet, purchasing certificates from an external CA is usually impractical: external CAs require proof of ownership of a public domain name before issuing certificates, which internal host names cannot provide. Self-signed certificates (that is, certificates issued by your own CA, as described in Creating Certificates) are sufficient to protect internal communication between the MineMarket Service and clients, provided that root.crt reaches every client through a trusted channel, since it is the trust anchor for the whole deployment. If your organisation already has a CA that can be used to sign additional certificates, that CA's certificate can be used as root.crt.

Demonstration Environments

MineMarket includes a set of self-signed certificates and keys. These certificates and keys have an expiry date and only work with a complete installation of MineMarket on a server identified as localhost. Because the included private keys are the same in every copy of MineMarket, they offer no protection outside a demonstration; generate self-signed certificates for any other environment, or when the included ones have expired.

Storing Certificates

Certificates and their keys must be accessible yet secure:

  • root.crt—Must be accessible to the logon users of the MineMarket Service and all clients.
  • server.crt—Must be accessible to the logon users of the MineMarket Service. This file should not be included in the keystore for client installations.
  • server.key—Must be accessible to the logon users of the MineMarket Service and must be kept secure. Other users should not have access to this file.
  • client.crt—Must be accessible to the logon users of the applicable clients.
  • client.key—Must be accessible to the logon users of the applicable clients. Other users should not have access to this file.

Specify the keystore location in the configuration of the MineMarket Service and all clients. The default location is .\keystore.

Important: Other files, such as root.key, server.csr and client.csr (if created), should not be added to the MineMarket keystore location. root.key in particular is only needed when signing new certificates; keep it, together with its password, offline and away from the MineMarket Server, because anyone holding it can issue server and client certificates that every MineMarket installation trusts.

Creating Certificates

Note: This activity is only required if you are not using provided certificates.

The following activity steps use OpenSSL, which is a third-party tool available from https://wiki.openssl.org/index.php/Binaries or https://kb.firedaemon.com/support/solutions/articles/4000121705. The steps are current for OpenSSL 3.1.1. Further documentation is available from https://www.openssl.org/.

Note: Copying examples from the PDF version of this documentation may include hard line breaks. Remove the hard line breaks in a text editor before running the commands.

Install and configure OpenSSL:

  1. Unzip or install OpenSSL on a secure machine to a folder with restricted access.
  2. Add the folder that has the openssl.exe file to the Windows Path environment variable.
  3. Open Windows Command Prompt with administrator permissions.
  4. Use the change directory (cd) command to navigate to the secure folder where you want to create the certificates and keys.
  5. To test that OpenSSL is available in the Windows Path environment variable, enter the following command.
    openssl -help

    A list of possible arguments for OpenSSL displays.

  6. Depending on the version of OpenSSL that you install, you may need to enter the following command, changing the path to the installed location as required. The req commands below read their defaults from this configuration file and typically fail with an error that the configuration file cannot be opened if OpenSSL cannot find it. This step is not required if you use the FireDaemon OpenSSL.
    set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg

To create the CA (root) key and certificate:

  1. Enter the following command to generate the CA key.
    openssl genrsa -passout pass:<password> -des3 -out root.key 4096

    Where <password> is a password specific to the CA key. The -des3 option encrypts the key file with Triple DES; OpenSSL also accepts -aes256, which is the stronger choice for a key that may be kept for years.

    Important: The password and root.key should be stored securely. Anyone holding both can issue certificates that every MineMarket client trusts.

  2. Enter the following command to generate the CA certificate.
    openssl req -passin pass:<password> -new -x509 -days 365 -key root.key -out root.crt -subj "/C=AU/ST=Queensland/L=Brisbane/O=Datamine/OU=MineMarket/CN=MineMarketCA"

    Where:

    • <password> is the CA key password. The remaining commands use the same <password> placeholder for the server and client keys; those passwords are only temporary because they are removed in the last step of each procedure, but the password given alongside -CAkey root.key when signing must always be the CA key password.
    • 365 is the number of days of certificate validity. When the CA certificate expires, every server and client certificate it signed stops validating, so give the CA a validity period at least as long as the certificates you intend to issue under it.
    • /C= is followed by your 2-letter country code.
    • /ST= is followed by the name of your state.
    • /L= is followed by the name of your city (location).
    • /O= is followed by the name of your company (organisation).
    • /OU= is followed by the name of the department (organisation unit) to which the root certificate belongs.
    • /CN= is followed by a common name by which to identify the certificate.

To create the server key and certificate:

  1. Enter the following command to generate the server key.
    openssl genrsa -passout pass:<password> -des3 -out server.key 4096
  2. Enter the following command to generate a certificate signing request (CSR) for the server.
    openssl req -passin pass:<password> -new -key server.key -out server.csr -subj "/C=AU/ST=Queensland/L=Brisbane/O=Datamine/OU=MineMarket/CN=<SERVER_NAME>" -addext "subjectAltName = DNS:<SERVER_NAME>"

    Where:

    • /C=, /ST=, /L=, /O= and /OU= are as described for root.crt.
    • /CN= is followed by the host name of the MineMarket Server.
    • DNS: is followed by the host name of the MineMarket Server.
  3. Enter the following command to sign the server certificate with the CA key.
    openssl x509 -req -passin pass:<password> -days 365 -in server.csr -CA root.crt -CAkey root.key -set_serial 01 -copy_extensions copy -out server.crt

    Where:

    • <password> is the CA key password.
    • 365 is the number of days of certificate validity.
    • -copy_extensions copy carries the subjectAltName from server.csr into server.crt. Without it, openssl x509 -req ignores the extensions in the request and issues a certificate with no subjectAltName, which modern TLS clients, which match the host name against the subjectAltName rather than the CN, reject. The option is available in OpenSSL 3.0 and later.
    • -set_serial 01 is the certificate serial number. A CA must never issue two certificates with the same serial number, so use a different value for each certificate signed with root.key.

  4. Enter the following command to remove the password from the server key.
    openssl rsa -passin pass:<password> -in server.key -out server.key

    The key is now stored unencrypted so that the MineMarket Service can load it without a password; the file permissions described in Storing Certificates are its only protection.

To create the client key and certificate:

  1. Enter the following command to generate the client key.
    openssl genrsa -passout pass:<password> -des3 -out client.key 4096
  2. Enter the following command to generate a certificate signing request (CSR) for the client.
    openssl req -passin pass:<password> -new -key client.key -out client.csr -subj "/C=AU/ST=Queensland/L=Brisbane/O=Datamine/OU=MineMarket/CN=MineMarket"

    Where:

    • /C=, /ST=, /L=, /O= and /OU= are as described for root.crt.
    • /CN= is followed by the name of the client machine or a common name for all clients if all clients are using the same client certificate.
  3. Enter the following command to sign the client certificate with the CA key.
    openssl x509 -passin pass:<password> -req -days 365 -in client.csr -CA root.crt -CAkey root.key -set_serial 02 -out client.crt

    Where:

    • <password> is the CA key password.
    • 365 is the number of days of certificate validity.
    • 02 is the certificate serial number. It differs from the 01 used for server.crt because a CA must not issue two certificates with the same serial number; when creating a certificate for each client, use a new value for every client.

  4. Enter the following command to remove the password from the client key.
    openssl rsa -passin pass:<password> -in client.key -out client.key

    As with server.key, the file is now unencrypted and relies on the permissions described in Storing Certificates.
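The whole procedure above as one script, added here as an example; it is not part of the Datamine documentation or the MineMarket product. It is written for bash (Linux, or Git Bash on Windows; the OpenSSL arguments are the same ones typed into Command Prompt) and builds root.crt, server.crt and one certificate per client, then runs the checks worth doing before files are copied into a keystore. The CA password change-this-ca-password, the host name minemarket01, the client names client-pc01 and client-pc02, and the KEY_BITS and SUBJ_BASE variables are assumptions; the subject fields are the ones used on this page. It departs from the page's commands in three places: the subjectAltName is supplied at signing time with -extfile so that openssl x509 -req cannot drop it, serial numbers come from a root.srl file so that every certificate the CA issues is unique, and the CA certificate is marked CA:TRUE explicitly and outlives the certificates it signs. A function that signs exactly as the page does is kept so the missing subjectAltName can be seen.

```bash
#!/usr/bin/env bash
# Added example, not Datamine's code: the CA/server/client set from the page's steps,
# with the SAN preserved, unique serials, and the checks to run before installing.
# Assumed: CA password, host/client names, KEY_BITS, SUBJ_BASE (all overridable).
set -eu
umask 077                                  # every new file is owner-only (0600) until relaxed
KEY_BITS="${KEY_BITS:-4096}"               # the page uses 4096; read each time a key is made
CA_PASS="${CA_PASS:-change-this-ca-password}"   # assumption: protects root.key only
SUBJ_BASE="/C=AU/ST=Queensland/L=Brisbane/O=Datamine/OU=MineMarket"

# CA key (AES-256 encrypted) and self-signed CA certificate. The CA flags are set from
# an explicit -extfile rather than whatever openssl.cnf happens to contain, and the CA
# is valid for 10 years so the 365-day leaf certificates never outlive it.
make_ca() {                                # $1 = output directory
  local dir="$1"; mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/root.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$dir/root.key" -passin "pass:$CA_PASS" \
    -subj "$SUBJ_BASE/CN=MineMarketCA" -out "$dir/root.csr"
  printf '%s\n' "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign" \
    > "$dir/root.ext"
  openssl x509 -req -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" -passin "pass:$CA_PASS" \
    -set_serial "0x$(openssl rand -hex 16)" -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null
  chmod 644 "$dir/root.crt"                # public: every client gets a copy
}

# Sign a CSR with the CA. Extensions arrive as "name=value" arguments and go in via
# -extfile, which works on OpenSSL 1.1.1 and 3.x alike (-copy_extensions copy is the
# 3.x-only alternative). root.srl is created once and incremented, so no two
# certificates share a serial, unlike -set_serial 01 reused for every certificate.
issue_cert() {                             # $1 = dir, $2 = basename, $3.. = extension lines
  local dir="$1" name="$2"; shift 2
  printf '%s\n' "$@" > "$dir/$name.ext"
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -CAserial "$dir/root.srl" \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  chmod 644 "$dir/$name.crt"               # certificates are public; keys stay 0600
}

# server.key/server.crt for the MineMarket Service Hostname. The key is made without a
# passphrase, which is where the page's four server steps end up anyway.
make_server_cert() {                       # $1 = dir, $2 = host name
  local dir="$1" host="$2"
  openssl genrsa -out "$dir/server.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "$SUBJ_BASE/CN=$host" \
    -addext "subjectAltName=DNS:$host" -out "$dir/server.csr"
  issue_cert "$dir" server "subjectAltName=DNS:$host" "extendedKeyUsage=serverAuth"
}

# One key pair and certificate per client machine, as Datamine recommends.
make_client_cert() {                       # $1 = dir, $2 = client name (file basename and CN)
  local dir="$1" client="$2"
  openssl genrsa -out "$dir/$client.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$dir/$client.key" -subj "$SUBJ_BASE/CN=$client" -out "$dir/$client.csr"
  issue_cert "$dir" "$client" "extendedKeyUsage=clientAuth"
}

# The page's signing command as written: the CSR's -addext subjectAltName is not
# copied, so the result has no subjectAltName. Kept only to make that visible.
sign_csr_as_on_page() {                    # $1 = dir, $2 = csr basename -> $2-naive.crt
  openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -passin "pass:$CA_PASS" -set_serial 01 -out "$1/$2-naive.crt" 2>/dev/null
}

# Checks to run before copying anything into the keystore.
verify_cert() { openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1; }
cert_serial() { openssl x509 -in "$1/$2.crt" -noout -serial | cut -d= -f2; }
has_san()     { openssl x509 -in "$1/$2.crt" -noout -text | grep -q "$3"; }
key_mode()    { ls -l "$1" | cut -c1-10; }             # -rw------- expected for a private key

# bash make-certs.sh run ./out minemarket01 client-pc01 client-pc02
if [ "${1-}" = "run" ]; then
  out="$2"; host="$3"; shift 3
  make_ca "$out"; make_server_cert "$out" "$host"
  for c in "$@"; do make_client_cert "$out" "$c"; done
  for f in server "$@"; do
    verify_cert "$out" "$f" && echo "$f.crt: chain OK, serial $(cert_serial "$out" "$f")"
  done
fi
```

After running it, copy root.crt, server.crt and server.key to the server keystore, and root.crt plus each client's pair (renamed to client.crt and client.key) to that client's keystore; leave root.key, root.srl, the .csr and .ext files behind. To confirm that the running service accepts a client certificate, use openssl s_client -connect <SERVER_NAME>:<port> -CAfile root.crt -cert client-pc01.crt -key client-pc01.key (the port placeholder is whatever the MineMarket Service listens on); a handshake that ends with Verify return code: 0 (ok) means the client validated server.crt against root.crt, and the connection staying open means the server accepted the client certificate.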