Entire Access can use OpenSSL to secure the communication between the Entire Access client and the Entire Access server. When an Entire Access server is enabled for SSL, the Entire Access client and the Entire Access server establish a secured communication channel, and all data traffic on this channel is encrypted. The most common Entire Access client in this context is Natural.
When Entire Access is to be used in SSL mode, the following prerequisites must be met:
OpenSSL 1.1.x must be available on the client and on the server platform.
Entire Access Version 9.1.3 or above must be used for the client and the server.
An Entire Access server must be available. In configurations where only an Entire Access client is used and the network routing is done by database vendor specific software, the Entire Access OpenSSL feature cannot be used.
When the SSL mode of Entire Access is to be used, an OpenSSL kit of version 1.1.x must be available on the platforms where the Entire Access server and the clients will run. The OpenSSL kit is not part of Entire Access and must be compiled and installed separately when required.
OpenSSL must be configured and compiled in shared mode so that the following two libraries are available to Entire Access at runtime:
On Linux and UNIX platforms: libssl.so and libcrypto.so must be available in the library search path.
On Windows platforms: the 32-bit versions of libssl-1_1.dll and libcrypto-1_1.dll must be available in the search PATH.
To use OpenSSL with Entire Access, a digital certificate and a private key file for the Entire Access server are necessary. OpenSSL offers a command line utility, openssl, that is (among other functions) capable of generating self-signed certificates and private key files. Refer to the official OpenSSL documentation for a detailed description.
To configure an Entire Access server in SSL mode, the following steps must be performed:
Obtain a digital certificate and a private key file. Both are used by the Entire Access server to initiate a secured communication channel.
Start the Entire Access server process serversingle with the additional parameter -e certificate_file private_key_file, which specifies the certificate file and the private key file with full paths. With this parameter the Entire Access server automatically starts in SSL mode and can only be connected to by a client that is also capable of SSL mode.
On Linux and UNIX platforms the script osxopr.sh has been enhanced to accept the certificate file and private key file parameters when starting a new Entire Access server.
On Windows platforms the provided batch scripts and the service configuration file contain examples of starting a server in SSL mode.
To enable an Entire Access client, such as Natural, to connect to an Entire Access server in SSL mode, the two OpenSSL libraries mentioned above must be available in the search path of the client. Provided this requirement is met, the Entire Access client automatically starts an encrypted communication with the Entire Access server.
If the client is additionally to validate the server certificate before initiating the communication, the following steps must be performed:
Add a new environment variable TRIM_HOME pointing to the Entire Access installation base directory, which is <InstallDir>/EntireAccess. This variable is already pre-defined on Linux systems but must be added manually for Windows installations.
Edit the net.ini file delivered with each Entire Access installation inside the directory ${TRIM_HOME}/lib (or %TRIM_HOME%\lib on Windows) and add a new line specifying the location of a certificate trust store file:
ssl_certfile <mypath>/<mycertstore>
The certificate trust store file is used to validate the server certificate. The certificates it contains must be in PEM format and must not be pass-phrase protected. The following example configures the client to use the trust store file crt.txt:
ssl_certfile /etc/certs/crt.txt
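The procedure above, from generating the server's certificate and private key with the openssl utility to adding the ssl_certfile line and checking the client's trust store, as one added shell script. This is example code written for this page, not part of the Entire Access kit or its scripts; it assumes a Linux/UNIX host with the openssl 1.1.x command line utility in PATH, and the file names, the host name oxsrv.example and the net.ini location are placeholders. The PEM checks are structural (PEM markers present, no encryption headers) and catch the two requirements stated above; they are not a cryptographic verification of the certificate.

```shell
#!/bin/sh
# Added example; not part of the Entire Access documentation or product kit.
# Assumes the openssl 1.1.x CLI is in PATH (Linux/UNIX). File names, the host
# name and the net.ini location below are placeholders.

# Server side: create a self-signed certificate and a private key, both PEM.
# -nodes leaves the key without a pass-phrase so the server can read it unattended.
make_server_cert() {
  cert="$1"; key="$2"; cn="$3"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$cn" -keyout "$key" -out "$cert" 2>/dev/null
}

# Return 0 if the file holds at least one PEM block and no pass-phrase protected
# material (legacy 'Proc-Type: 4,ENCRYPTED' header or a PKCS#8 ENCRYPTED PRIVATE KEY).
# A DER file or an empty file has no PEM marker and is rejected as well.
pem_unencrypted() {
  grep -q -e '-----BEGIN ' "$1" || return 1
  ! grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'ENCRYPTED PRIVATE KEY' "$1"
}

# Client side: add the ssl_certfile line to net.ini once; an existing line is kept.
add_ssl_certfile() {
  ini="$1"; store="$2"
  if grep -q '^ssl_certfile ' "$ini" 2>/dev/null; then
    return 0
  fi
  printf 'ssl_certfile %s\n' "$store" >> "$ini"
}

# Read back the configured trust store path so it can be checked before the client starts.
configured_certfile() {
  awk '$1 == "ssl_certfile" { print $2; exit }' "$1"
}

# Linux prerequisite: both shared libraries resolvable through the glibc loader cache.
check_openssl_libs() {
  for lib in libssl.so libcrypto.so; do
    ldconfig -p 2>/dev/null | grep -q "$lib" || { echo "missing: $lib" >&2; return 1; }
  done
}

# Example flow with placeholder paths; the serversingle line is the server start
# described above and is shown for context only:
#   make_server_cert /etc/certs/server.crt /etc/certs/server.key oxsrv.example
#   pem_unencrypted /etc/certs/server.key || echo "key is pass-phrase protected" >&2
#   serversingle -e /etc/certs/server.crt /etc/certs/server.key
#   add_ssl_certfile "$TRIM_HOME/lib/net.ini" /etc/certs/crt.txt
#   pem_unencrypted "$(configured_certfile "$TRIM_HOME/lib/net.ini")" || echo "bad trust store" >&2
```

The trust store the client points to can be the server's own self-signed certificate file or the CA certificate that issued it; that is standard TLS trust-store behaviour rather than something spelled out in the Entire Access documentation. Without an ssl_certfile entry the client encrypts the channel but does not validate the server certificate, so running the check above before the client goes into use is worthwhile. The check_openssl_libs function relies on ldconfig -p, which is glibc-specific; on other UNIX platforms the loader cache tool differs.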
Note: Server validation is only available with the full installation of the Entire Access product, not with the OXC client kit.