Configuring SSL

This document covers following topics:


General Information

Trust files are used for a secure connection between the Natural Web I/O Interface server and the Natural Web I/O Interface client. Server authentication cannot be switched off. A trust file is always required.

A trust file contains the certificates that you trust. These can be certificates of a CA (Certificate Authority) such as VeriSign, or self-signed certificates.

For information on the steps that are required on the Natural Web I/O Interface server and how to generate a self-signed certificate which needs to be imported to the client, see SSL Support.

To establish a secure connection, you have to proceed as described in the topics below.

Creating Your Own Trust File

To create your own trust file, you can use, for example, Sun's keytool utility which can be found in the bin directory of the Java Runtime Environment (JRE). Here are some helpful examples:

  • Create an empty, password-protected trust file:

    keytool -genkey -alias foo -keystore truststore.jks -storepass "your-passwort"
    keytool -delete -alias foo -keystore truststore.jks
  • Import a certificate:

    keytool -import -alias "name-for-ca" -keystore truststore.jks -storepass "your-passwort" -file server.cert.crt

    You should use a meaningful name for the alias.

  • List the certificates in a trust file:

    keytool -list -v -keystore truststore.jks
  • Delete a certificate from a trust file:

    keytool -delete -alias "name-for-ca" -keystore truststore.jks

When you modify the trust file or its password, you have to restart the application server so that your modification takes effect.

Defining SSL Usage in the Configuration File

Invoke the configuration tool and proceed as follows:

  1. In the global settings for all defined sessions, define the SSL trust file path and, if required, the SSL trust file password. See also Global Settings in Using the Configuration Tool.

    With the server authentication, the Natural Web I/O Interface client checks whether the certificate of the Natural Web I/O Interface server is known. If it is not known, the connection is rejected.

    When a trust file is not defined in the configuration tool, the Natural Web I/O Interface client tries to read the file calist from the lib/security directory of the Java Runtime Environment (JRE). The default password for this file is "changeit".

  2. Define a session and set the session option Use SSL to Yes. See also Overview of Session Options in Using the Configuration Tool.