GlobalSign MSSL CA

Prerequisites

To configure a GlobalSign MSSL CA account in AppViewX, you will need:
  • SSL URL
  • GlobalSign administrator account
  • Manager and Staff in charge user roles

    For links to detailed instructions to get the above information from GlobalSign MSSL, see the References section.

  • Internet access or a proxy configuration for the AppViewX server. Refer the Managing Proxy Settings documentation in the Platform guides.

Configuring GlobalSign MSSL

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Certificate Authority.
  2. From the displayed CA, Select GlobalSign.
    The GlobalSign home page is displayed.
  3. Click the GlobalSign MSSL tab.
  4. Click the Configure Now button or +Add icon from the middle or top-right of the page respectively.
    The GlobalSign MSSL configuration page is displayed.
  5. Update the following details in the General Information section as described in the table.
    Table 1. General Information - Field Description Table
    Fields Description
    *CA Account name A unique name to identify the CA setting. No special characters other than ‘.’, ‘-’,’_’ are allowed. The name should not start with special characters.
    *Purpose/Usage Certificate Type for which CLM actions will be enabled. For example, server and clients
    Proxy Required Enable this field if the CA communication needs to happen via Proxy. The proxy details configured in general settings will be used for communication.
    Data Center (AppViewX's CA agent) Select the data center through which the CA communication needs to happen.
    *: Mandatory fields
  6. Update the following details in the CA Configuration section as described in the table.
    Fields Description
    *SSL URL Base URL of the SSL API
    *User Name Provide a username of the GCC to communicate with the CA.
    *Password Provide a password for the GCC to communicate with the CA.
    *: Mandatory fields
  7. Once all the details are configured, click Save.
    In the CA instance inventory, the connection status is initially set to In Progress. Twice after this, this status is automatically checked and refreshed every 5 seconds. Once the CA instance is successfully configured, the status is updated to Success. Status checks after the first two times have to be done via a manual refresh.
    Note: In case the connection fails, you can manually verify the connection status by clicking the Check button in the Connection Status field.
  8. In GlobalSign MSSL, we can now fetch profiles and domains by clicking on the Fetch Profiles and Domain button.
    Note: The supported CSR key types are RSA 2048-8192, ECC P-256, ECC P-384 .

Manually Validating the GlobalSign MSSL Connection Status

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Certificate Authority.
  2. From the displayed CA, Select GlobalSign.
    The GlobalSign home page is displayed.
  3. In the Status column of the grid with the listed accounts, click GlobalSign MSSL from the left pane of the page.
    The GlobalSign MSSL home page is displayed.
  4. In the Status column of the grid with the listed accounts, click Check to validate the CA setting that is created.
    CA communication will be validated and the Connection Status will be shown as either Success or Failure

Limitations

Once the GlobalSign MSSL settings are added, validation needs to be done to check whether the connection between AppViewX and GlobalSign MSSL is properly configured.
Case/Ticket number Fix Description
CA Setting Update Users need to click on the Cancel button once the MSSL domain/profile. ID details are fetched from the GlobalSign MSSL account.
If the user clicks the Update button, MSSL domain/profile ID details will be removed from the associated policy. The steps to follow to update CA settings are as follows:
  1. On the GlobalSign MSSL CA settings page, after adding/editing values, click the Update button.
  2. Navigate back to updated CA settings and click the Fetch Profiles and Domain button.
  3. Click the Cancel button instead of Update to bypass the existing issue.
Default CA policy mapping The default CA policy is defined with all available values selected and validity data is mapped based on commonly used validity. Hence, it will not have values equivalent to API documents or CA portals. This can be modified or updated in the application accordingly to the default CA policy if changes are required.
Email Address The email address provided in the email address field on the enrollment page is not considered as the primary email value during CLM actions, instead, the email address field defined in the contact information of the logged-in user will be used. The help info message besides the Email address field on enroll/edit page is as – “If the user email address is configured, that will be used for GlobalSign CA approval actions. If the user email is not configured, then the email address provided in this field will be used" - the second part is not valid anymore.