This document covers the following topics:
Trust files are used for a secure connection between the Natural Web I/O Interface server and the Natural Web I/O Interface client. Server authentication cannot be switched off; a trust file is always required.
A trust file contains the certificates that you trust. These can be certificates of a CA (Certificate Authority) such as VeriSign, or self-signed certificates.
For information on the steps that are required on the Natural Web I/O Interface server and how to generate a self-signed certificate which needs to be imported to the client, see SSL Support.
To establish a secure connection, you have to proceed as described in the topics below.
To create your own trust file, you can use, for example, the keytool utility in the bin directory of the Java Runtime Environment (JRE). Here are some helpful examples:
Create a password-protected keystore containing a private key and self-signed certificate:
keytool -genkey -alias foo -keyalg RSA -keystore truststore.jks -keysize 2048
You will be prompted for a password. You must set a password.
keytool -genkey -alias foo -keyalg RSA -keystore truststore.jks -keysize 2048 -storepass your-password
The password is provided inline on the command line, so you are not prompted; note that it is then visible in the shell history and process list.
Both commands:
create a key pair (private key and self-signed certificate),
store it under the alias foo,
save it in a file named truststore.jks,
protect the file with a password.
Import a certificate:
keytool -import -alias "name-for-ca" -keystore truststore.jks -storepass "your-password" -file server.cert.crt
Note
You must provide an alias, and you should use a meaningful name for the alias. You can add multiple certificates to your trust file, but each one must have a unique alias.
List the certificates in a trust file:
keytool -list -v -keystore truststore.jks
Delete a certificate from a trust file:
keytool -delete -alias "name-for-ca" -keystore truststore.jks
When you modify the trust file or its password, you must restart the application server so that your modification takes effect.
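The keytool commands above hide what the trust file actually contains and what the store password does. The following added example (written for this page; it is not part of the Natural Web I/O Interface documentation and does not use keytool) builds and reads the JKS format that keytool writes for trusted-certificate entries, using only the Python standard library. It shows two points worth knowing when you manage trust files: aliases are case-insensitive (keytool stores them lower-cased, so "CA" and "ca" are the same alias), and the store password only protects the integrity of the file through a trailing SHA-1 digest; the certificates themselves can be listed without any password. The certificate bytes in the example are constructed placeholders, not real X.509 certificates.

```python
"""Minimal JKS (Java KeyStore) reader and writer for trusted-certificate entries.

Added example for this page; not part of keytool or of the product documentation.
Standard library only. Certificate bytes used below are constructed placeholders.
"""
import hashlib
import io
import struct
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2           # tag 1 would be a private-key entry
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed string Java mixes into the integrity hash
DIGEST_LEN = 20                # SHA-1


def _password_bytes(password: str) -> bytes:
    # Java feeds the password into the digest as UTF-16BE code units.
    return password.encode("utf-16-be")


def _write_utf(out: io.BytesIO, text: str) -> None:
    # DataOutput.writeUTF: 2-byte length followed by (modified) UTF-8 bytes.
    data = text.encode("utf-8")
    out.write(struct.pack(">H", len(data)))
    out.write(data)


def _read_utf(buf: io.BytesIO) -> str:
    (length,) = struct.unpack(">H", buf.read(2))
    return buf.read(length).decode("utf-8")


def build_truststore(entries: dict, password: str) -> bytes:
    """Serialise {alias: der_bytes} as a JKS file containing only trusted certificates."""
    normalised = {}
    for alias, der in entries.items():
        key = alias.lower()    # JKS aliases are case-insensitive; keytool stores them lower-cased
        if key in normalised:
            raise ValueError(f"duplicate alias {alias!r}")
        normalised[key] = der
    body = io.BytesIO()
    body.write(struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(normalised)))
    created_ms = int(time.time() * 1000)
    for alias, der in normalised.items():
        body.write(struct.pack(">I", TRUSTED_CERT_TAG))
        _write_utf(body, alias)
        body.write(struct.pack(">Q", created_ms))
        _write_utf(body, "X.509")
        body.write(struct.pack(">I", len(der)))
        body.write(der)
    data = body.getvalue()
    digest = hashlib.sha1(_password_bytes(password) + INTEGRITY_SALT + data).digest()
    return data + digest


def verify_integrity(store: bytes, password: str) -> bool:
    """True if the trailing digest matches the password: this is all the store password checks."""
    data, digest = store[:-DIGEST_LEN], store[-DIGEST_LEN:]
    expected = hashlib.sha1(_password_bytes(password) + INTEGRITY_SALT + data).digest()
    return expected == digest


def list_trusted_certs(store: bytes) -> dict:
    """Return {alias: (cert_type, der_bytes)}. No password is needed to read the entries."""
    buf = io.BytesIO(store[:-DIGEST_LEN])
    magic, version, count = struct.unpack(">III", buf.read(12))
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    result = {}
    for _ in range(count):
        (tag,) = struct.unpack(">I", buf.read(4))
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entries are not handled by this example")
        alias = _read_utf(buf)
        buf.read(8)            # creation timestamp, not needed here
        cert_type = _read_utf(buf)
        (length,) = struct.unpack(">I", buf.read(4))
        der = buf.read(length)
        if alias in result:
            raise ValueError(f"duplicate alias {alias!r} in store")
        result[alias] = (cert_type, der)
    return result


if __name__ == "__main__":
    # Constructed placeholder certificate bytes, not real certificates.
    store = build_truststore({"name-for-ca": b"\x30\x03\x02\x01\x01"}, "changeit")
    print("integrity with 'changeit':", verify_integrity(store, "changeit"))
    print("integrity with wrong password:", verify_integrity(store, "wrong"))
    print("aliases readable without a password:", list(list_trusted_certs(store)))
```

Because the entries are readable without the password, the password does not keep a trust file confidential; what matters is that the file cannot be silently altered (an entry added or replaced) without failing the integrity check, which is why changing the default "changeit" on a shared JRE trust store is worthwhile and why the trust file path and password in the configuration tool should point at a file whose write access is restricted.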
Invoke the configuration tool and proceed as follows:
In the global settings for all defined sessions, define the SSL trust file path and, if required, the SSL trust file password. See also Global Settings in Natural Client Configuration Tool.
With the server authentication, the Natural Web I/O Interface client checks whether the certificate of the Natural Web I/O Interface server is known. If it is not known, the connection is rejected.
When a trust file is not defined in the configuration tool, the Natural Web I/O Interface client tries to read the file calist from the lib/security directory of the Java Runtime Environment (JRE). The default password for this file is "changeit".
Define a session and set the session option Use SSL to Yes. See also Overview of Session Options in Natural Client Configuration Tool.