Entire Access and OpenSSL

With Entire Access, OpenSSL can be used to secure the communication between the Entire Access client and the Entire Access server. In general, when an Entire Access server is enabled for SSL, the Entire Access client and the Entire Access server establish a secured communication channel and all data traffic on this channel is encrypted. The most common Entire Access client in this context is Natural.


Prerequisites

When Entire Access in SSL mode is to be used, the following prerequisites must be met:

  • OpenSSL 1.1.x must be available on the client and on the server platform.

  • Entire Access Version 9.1.3 or above must be used for the client and the server.

  • An Entire Access server must be available. In particular, the Entire Access OpenSSL feature cannot be used when only an Entire Access client is installed and the network routing is done by database vendor specific software.

Configure OpenSSL

When the SSL mode of Entire Access is to be used, an OpenSSL kit of version 1.1.x must be available on the platforms where the Entire Access server and the clients will run. The OpenSSL kit is not part of Entire Access and must be compiled and installed separately when required.

OpenSSL must be configured and compiled in shared mode so that, in particular, the following two libraries are available to Entire Access at runtime:

  • On Linux and UNIX platforms:
    libssl.so and libcrypto.so must be available in the library search path.

  • On Windows platforms:
    The 32-bit versions of libssl-1_1.dll and libcrypto-1_1.dll must be available in the search PATH.

To use OpenSSL with Entire Access, a digital certificate and a private key file for the Entire Access server are necessary. OpenSSL offers a command line utility, openssl, that is (among other functions) capable of generating self-signed certificates and private key files. Refer to the official OpenSSL documentation for a detailed description.

Configure the Entire Access Server

To configure an Entire Access server in SSL mode, the following steps must be performed:

  • Obtain a digital certificate and a private key file. Both are used by the Entire Access server to initiate a secured communication channel.

  • Start the Entire Access server process serversingle with the additional parameter -e certificate_file private_key_file, which specifies the certificate file and the private key file with full paths. When this parameter is provided, the Entire Access server automatically starts in SSL mode and can only be connected to by a client that also supports SSL mode.

    On Linux and UNIX platforms the script osxopr.sh has been enhanced for specifying the certificate file and private key file parameters when starting a new Entire Access server.

    On Windows platforms the provided batch scripts and the service configuration file contain examples of starting a server in SSL mode.
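The following script is an added example for the two steps above (generating the certificate and key with the openssl utility, and starting serversingle with the -e parameter); it is not part of Entire Access or its documentation. It assumes that openssl is in the PATH, that the certificate and key are PEM files without a pass phrase, and that -e certificate_file private_key_file is the only serversingle parameter that matters here; any further serversingle parameters of a real installation are not known to this example, so the server is only started when RUN_SERVER=1 is set and the composed command line is printed otherwise.

```shell
#!/bin/sh
# Added example, not product code: create a self-signed server certificate
# and key, run the pre-flight checks an operator wants before an unattended
# server start, and compose the serversingle command line with -e.
# Assumption: openssl 1.1.x (or later) is in PATH.

set -eu

# Generate an RSA key and a self-signed certificate (PEM, no pass phrase) in DIR.
# $1 = output directory, $2 = common name (the host name clients connect to)
gen_server_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # Restricting the key file to the server account is good practice
    # (assumed here, not a documented Entire Access requirement).
    chmod 600 "$dir/server.key"
}

# Pre-flight checks on the certificate/key pair; returns 1 on the first failure.
# $1 = certificate file, $2 = private key file
preflight_server_cert() {
    cert=$1; key=$2
    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "private key not readable: $key" >&2; return 1; }
    # A pass-phrase protected key would block an unattended server start.
    if grep -q "ENCRYPTED" "$key"; then
        echo "private key is pass-phrase protected: $key" >&2; return 1
    fi
    # The key must belong to the certificate: compare the public keys of both.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match" >&2; return 1; }
    # Refuse a certificate that is expired or expires within the next 24 hours.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expired or about to expire: $cert" >&2; return 1; }
    return 0
}

# Run the checks and start serversingle with -e and full paths (as documented).
# Prints the command line; executes it only when RUN_SERVER=1.
# $1 = certificate file, $2 = private key file
start_server_ssl() {
    cert=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    key=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    preflight_server_cert "$cert" "$key" || return 1
    if [ "${RUN_SERVER:-0}" = "1" ]; then
        exec serversingle -e "$cert" "$key"
    fi
    echo "serversingle -e $cert $key"
}
```

Run gen_server_cert once per server host, keep the generated server.crt for the client trust store (see Server Validation below) and call start_server_ssl from the start script; the mismatch and pass-phrase checks catch the two configuration mistakes that otherwise only surface as a failed SSL handshake on the client side.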

Configure the Entire Access Client

To enable an Entire Access client, such as Natural, to connect to an Entire Access server in SSL mode, the two OpenSSL libraries mentioned above must be available in the search path of the client. Provided this requirement is met, the Entire Access client automatically starts an encrypted communication with the Entire Access server.

Server Validation

In cases where the client is required to validate the server certificate before initiating the communication, the following steps must be performed:

  1. Add a new environment variable TRIM_HOME pointing to the Entire Access installation base directory, which is <InstallDir>/EntireAccess. This variable is already pre-defined on Linux systems but must be added manually for Windows installations.

  2. Edit the net.ini file delivered with each Entire Access installation inside the directory ${TRIM_HOME}/lib (or %TRIM_HOME%\lib on Windows) and add a new line specifying the location of a certificate trust store file:

    ssl_certfile <mypath>/<mycertstore>

    The certificate trust store file will be used to validate the server certificate. The certificates must be in PEM format and must not be pass-phrase protected. The following example specifies that the client will use a certificate trust store stored in the crt.txt file:

    ssl_certfile /etc/certs/crt.txt
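As an added example for the server validation steps above (not part of Entire Access or its documentation), the script below prepares the trust store, validates a server certificate against it the way the client will, and sets the ssl_certfile line in ${TRIM_HOME}/lib/net.ini. It assumes openssl is in the PATH; the TRIM_HOME layout and the ssl_certfile key are taken from the text above, while any other content of net.ini is unknown to the example and is preserved unchanged.

```shell
#!/bin/sh
# Added example, not product code: client-side trust store handling for
# Entire Access server validation. Assumption: openssl is in PATH.

set -eu

# Check that the trust store is usable by the client: readable, PEM, and not
# pass-phrase protected (both requirements from the documentation above).
# $1 = trust store file
check_trust_store() {
    store=$1
    [ -r "$store" ] || { echo "trust store not readable: $store" >&2; return 1; }
    grep -q "BEGIN CERTIFICATE" "$store" \
        || { echo "trust store is not a PEM certificate file: $store" >&2; return 1; }
    if grep -q "ENCRYPTED" "$store"; then
        echo "trust store must not be pass-phrase protected: $store" >&2; return 1
    fi
    n=$(grep -c "BEGIN CERTIFICATE" "$store")
    echo "$n certificate(s) in $store"
}

# Validate a server certificate against the trust store, as the client will do
# before initiating the communication. Returns non-zero if the chain fails.
# $1 = trust store file, $2 = server certificate (PEM)
validate_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Set ssl_certfile in ${TRIM_HOME}/lib/net.ini, replacing any existing line
# and leaving every other line of the file untouched.
# $1 = TRIM_HOME, $2 = trust store path (use an absolute path)
set_ssl_certfile() {
    ini=$1/lib/net.ini
    mkdir -p "$1/lib"
    if [ -f "$ini" ]; then
        grep -v '^ssl_certfile ' "$ini" > "$ini.tmp" || true
    else
        : > "$ini.tmp"
    fi
    echo "ssl_certfile $2" >> "$ini.tmp"
    mv "$ini.tmp" "$ini"
}

# Read the configured trust store path back from net.ini.
# $1 = TRIM_HOME
get_ssl_certfile() {
    sed -n 's/^ssl_certfile  *//p' "$1/lib/net.ini" | tail -n 1
}
```

For a self-signed server certificate the trust store is simply that certificate (or a concatenation of the certificates of all servers the client connects to); validate_server_cert fails for any server certificate that is not covered by the store, which is exactly the behaviour the ssl_certfile setting buys.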

Note:
The server validation is only available with the full installation of the Entire Access product and not with the OXC client kit.