This document describes various sample SSL scenarios using Encryption for Entire Net-Work.
For each scenario described in this section, the client-side alterations you need to make to your Kernel and Entire Net-Work Client access and connection definitions are given.
The scenarios that are described are:
To configure simple encryption for an Entire Net-Work Client:
If the database access URL for the target database is written to the Directory Server by an LUW Entire Net-Work configured for SSL access, no configuration for the client is required. The client will load SSL once it finds the protocol SSL in the URL and communication will be encrypted.
If the database access is manually configured in the Entire Net-Work Client configuration, set the target access entry to "SSL" using Adabas Manager by using the protocol drop-down menu and save the entry.
To configure simple encryption for an Entire Net-Work Server:
Access the Entire Net-Work Server Kernel Access definitions in the Adabas Manager.
For each Server Access definition that needs to support SSL, verify that the Protocol type for the entry is SSL and that appropriate port numbers are specified.
Edit the definition and specify valid values for the SSL CERT_FILE, KEY_FILE, and CERT_PSSWD parameters in the Additional Parameters field. In the following example, xxcert.pem is the certificate file, xxkey.pem is the certificate key file, and "pempswd" is the Public Encryption Method (PEM) password:
&CERT_FILE=xxcert.pem&CERT_PSSWD=pempswd&KEY_FILE=xxkey.pem
Save the definition.
Note:
In all the following scenarios, the Client Authentication parameters are best configured manually by first configuring an Adabas Client Access definition to the database target. Use Adabas Manager to add the entry and edit the entry as described in the following sections.
To perform client-only authentication for an Entire Net-Work Client:
Access the Entire Net-Work Client access definition to Adabas databases in Adabas Manager.
Ensure the Protocol field in the Host address line is SSL.
Specify values for the CERT_FILE, KEY_FILE, and CERT_PSSWD parameters in the Additional Parameters field. For example:
&CERT_FILE=testcert.pem&KEY_FILE=testkey.pem&CERT_PSSWD=pempswd
Save the definition.
To perform client-only authentication for an Entire Net-Work Server:
Access the Entire Net-Work Server Kernel Access definitions in Adabas Manager.
For each Client Access definition that needs to support SSL client-only authentication, verify that the Protocol type is SSL and that an appropriate port number is specified.
In the Additional Parameters field for the entry, specify valid values for the CAFILE, CAPATH, CERT_FILE, KEY_FILE, CERT_PSSWD, and VERIFY parameters. The VERIFY parameter must be set to "3" for client authentication.
Save the definition.
To perform server-only authentication for an Entire Net-Work Client:
Access the Entire Net-Work Client Access definition to Adabas databases in Adabas Manager. Find the appropriate Connection definition.
Ensure the Protocol type is SSL.
Specify values for the CAFILE, CAPATH, and VERIFY parameters in the Additional Parameters field. For example:
&CAFILE=cacert.pem&CAPATH=path&VERIFY=1
Save the definition.
To perform server-only authentication for a Kernel to Kernel connection:
Access the Kernel Access definitions in Adabas Manager. Find the appropriate Connection definition.
Ensure the Protocol type is SSL.
Specify values for the CAFILE, CAPATH, and VERIFY parameters in the Additional Parameters field. For example:
&CAFILE=cacert.pem&CAPATH=path&VERIFY=1
Save the definition.
To perform server-only authentication for an Entire Net-Work Server:
Access the Entire Net-Work Server Kernel Access definitions in Adabas Manager.
For each Client Access definition that needs to support SSL server-only authentication, verify that the Protocol type is SSL and that an appropriate port number is specified.
In the Additional Parameters field for the entry, specify valid values for the CERT_FILE, KEY_FILE, and CERT_PSSWD parameters. In the following example, xxcert.pem is the certificate file, xxkey.pem is the certificate key file, and "pempswd" is the Public Encryption Method (PEM) password:
&CERT_FILE=xxcert.pem&CERT_PSSWD=pempswd&KEY_FILE=xxkey.pem
Save the definition.
To perform client and server authentication for an Entire Net-Work Client:
Access the Entire Net-Work Client Access definitions in Adabas Manager.
Ensure the Protocol field in the Host address line is SSL.
Specify values for the CAFILE, CAPATH, CERT_FILE, KEY_FILE, CERT_PSSWD, and VERIFY parameters in the Additional Parameters field. For example:
&CAFILE=cacert.pem&CAPATH=path&CERT_FILE=xxcert.pem&KEY_FILE=xxkey.pem&CERT_PSSWD=pempswd&VERIFY=1
&CERT_FILE=testcert.pem&KEY_FILE=testkey.pem&CERT_PSSWD=pempswd
Save the definition.
To perform client and server authentication for an Entire Net-Work Server:
Access the Entire Net-Work Server Kernel Access definitions in Adabas Manager.
For each Access definition that needs to support SSL client and server authentication, verify that the Protocol type is SSL and that appropriate port numbers are specified.
For Server Access, specify valid values for the CERT_FILE, KEY_FILE, and CERT_PSSWD parameters in the Additional Parameters field. In the following example, xxcert.pem is the certificate file, xxkey.pem is the certificate key file, and "pempswd" is the Public Encryption Method (PEM) password:
&CERT_FILE=xxcert.pem&CERT_PSSWD=pempswd&KEY_FILE=xxkey.pem
For E-business SSL Client Access, specify valid values for the CAFILE, CAPATH, CERT_FILE, KEY_FILE, CERT_PSSWD, and VERIFY parameters in the Additional Parameters field. The VERIFY parameter must be set to "3" for client authentication.
Save the definition.
To perform client or server authentication from a client or a server when the certificates and certificate authorities are not in the current directory:
Complete the authentication steps described in other scenarios in this section, but specify the path to the certificate authority and certificate files in the CAFILE, CERT_FILE, and KEY_FILE parameters.
Note:
If parameter CAFILE includes path information, the value of CAPATH should be ".".
To perform client or server authentication from a client or a server without specifying the Public Encryption Method password directly in the URL:
Complete the authentication steps described in other scenarios in this section, but specify the fully-qualified file name of a file that contains the password in the CERT_PSSWD parameter. For example:
&CAFILE=cacert.pem&CAPATH=path&CERT_FILE=xxcert.pem&KEY_FILE=xxkey.pem&CERT_PSSWD=FILE://C:/certs/certpswd.txt&VERIFY=3
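Added example (not part of the product documentation and not vendor code): a small Python lint for Additional Parameters strings that applies the rules stated on this page, namely the parameters each scenario lists, VERIFY=3 where the server authenticates clients, a CAPATH of "." when CAFILE carries path information, and CERT_PSSWD given as a FILE:// reference instead of the password itself. The scenario labels, function names and finding strings are hypothetical; the sample strings are this page's own examples plus one constructed string.

```python
# Added example: lint for Additional Parameters strings (not vendor code).
ALL_SIX = {"CAFILE", "CAPATH", "CERT_FILE", "KEY_FILE", "CERT_PSSWD", "VERIFY"}
# Scenario labels are hypothetical; the parameter sets are the ones this page lists.
REQUIRED = {
    "server_identity": {"CERT_FILE", "KEY_FILE", "CERT_PSSWD"},
    "verify_server": {"CAFILE", "CAPATH", "VERIFY"},
    "server_verifies_client": ALL_SIX,
    "client_mutual": ALL_SIX,
}


def parse_params(raw):
    """Split '&KEY=value&KEY=value' into a dict; reject pairs without '='."""
    params = {}
    for pair in raw.strip().split("&"):
        if not pair:
            continue  # the leading '&' yields an empty first element
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair: {pair!r}")
        params[key] = value
    return params


def lint(raw, scenario):
    """Return a list of finding strings (an empty list means no findings)."""
    params = parse_params(raw)
    findings = [f"missing:{name}" for name in sorted(REQUIRED[scenario] - set(params))]
    # The page requires VERIFY=3 where the server authenticates clients.
    if scenario == "server_verifies_client" and params.get("VERIFY") not in (None, "3"):
        findings.append("verify-not-3")
    # The page's note: a CAFILE that includes path information needs CAPATH=".".
    cafile = params.get("CAFILE", "")
    if ("/" in cafile or "\\" in cafile) and params.get("CAPATH") != ".":
        findings.append("capath-not-dot")
    # Password stored in the definition itself rather than a FILE:// reference
    # (prefix matched exactly as written on this page).
    pswd = params.get("CERT_PSSWD")
    if pswd is not None and not pswd.startswith("FILE://"):
        findings.append("inline-password")
    return findings


if __name__ == "__main__":
    samples = [  # first two are this page's examples; the third is constructed
        ("server_identity", "&CERT_FILE=xxcert.pem&CERT_PSSWD=pempswd&KEY_FILE=xxkey.pem"),
        ("server_verifies_client", "&CAFILE=cacert.pem&CAPATH=path&CERT_FILE=xxcert.pem"
         "&KEY_FILE=xxkey.pem&CERT_PSSWD=FILE://C:/certs/certpswd.txt&VERIFY=3"),
        ("verify_server", "&CAFILE=C:/certs/cacert.pem&CAPATH=path&VERIFY=1"),
    ]
    for scenario, raw in samples:
        print(scenario, lint(raw, scenario))
```

An "inline-password" finding means the PEM password is readable by anyone who can view the access definition; the FILE:// form moves it into a file whose permissions can be restricted separately.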