With Entire Access OpenSSL can be used to secure the communication between the Entire Access client and the Entire Access server. In general, when an Entire Access server is enabled for SSL then the Entire Access client and the Entire Access server establish a secured communication channel and all data traffic is done encrypted on this channel. The most common Entire Access client in this context is Natural.
When Entire Access in SSL mode is to be used, the following prerequisites must apply:
OpenSSL 1.1.x must be available on the client and on the server platform.
Entire Access Version 9.1.2 or above must be used for the client and the server.
An Entire Access server must be available. Especially in cases where only an Entire Access client is used and where the network routing is done via database vendor specific software, the Entire Access OpenSSL feature cannot be used.
When the SSL mode of Entire Access is to be used an OpenSSL kit of version 1.1.x must be available on the platforms where the Entire Access server and the clients will run. The OpenSSL kit is not part of Entire Access and must be compiled and installed separately when required.
OpenSSL must be configured and compiled in shared mode so that especially the following two libraries are available for Entire Access during runtime:
On Linux and UNIX platforms:
libcrypto.so must be
available in the library search path.
On Windows platforms:
The 32-bit versions of
libcrypto-1_1.dll must be available in the search PATH.
To use OpenSSL with Entire Access a digital certificate and a
private key file for the Entire Access server are necessary. OpenSSL offers a
command line utility
openssl that is (among other functions)
capable of generating self-signed certificates and private key files. Refer to
the official OpenSSL
documentation for a detailed description.
To configure an Entire Access server in SSL mode, the following steps must be performed:
Obtain a digital certificate and a private key file. Both are used by the Entire Access server to initiate a secured communication channel.
Start the Entire Access server process
with an additional parameter
-e certificate_file private_key_file
which specifies the certificate file and the private key file with full paths.
By providing this parameter the Entire Access server automatically starts in
SSL mode and can only be connected by a client also capable of SSL mode.
On Linux and UNIX platforms the script osxopr.sh has been enhanced for specifying the certificate file and private key file parameters when starting a new Entire Access server.
On Windows platforms the provided batch scripts and the service configuration file contain examples of starting a server in SSL mode.
Configuring an Entire Access client (like Natural) for connecting an Entire Access server in SSL mode is rather easy. When OpenSSL is installed on the client platform and if the appropriate version of Entire Access is used, the Entire Access client automatically determines the SSL mode of the Entire Access server and opens either an SSL or a non-SSL connection accordingly. There is no additional configuration necessary on the client site.