Entire Access and SSL

With Entire Access, SSL can be used to secure the communication between the Entire Access client and the Entire Access server. In general, when an Entire Access server is enabled for SSL, the Entire Access client and the Entire Access server establish a secured communication channel and all data traffic on this channel is encrypted. The most common Entire Access client in this context is Natural.


Prerequisites

When Entire Access is to be used in SSL mode, the following prerequisites must be met:

  • On Linux platforms, OpenSSL 1.1.x or OpenSSL 3.0.x must be available on the client and on the server platform.

  • On Windows platforms, the Windows built-in SChannel (Secure Channel) API is used for performing security related operations, so no other additional software is necessary.

  • An Entire Access server must be available. In particular, where only an Entire Access client is used and the network routing is done via database-vendor-specific software, the Entire Access SSL feature cannot be used.

Configure SSL

Configure SSL on Linux Platforms

When using the SSL mode of Entire Access on Linux platforms, an OpenSSL kit of version 1.1.x or 3.0.x must be available on the machines where the Entire Access server and the clients will run. The OpenSSL kit is not part of Entire Access and must be compiled and installed separately when required.

OpenSSL must be configured and compiled in shared mode, so that the libssl.so and libcrypto.so libraries are available for Entire Access at runtime and are present in the library search path.


Configure SSL on Windows Platforms

On Windows platforms, the built-in SChannel API is used for performing SSL related tasks, so that no additional software needs to be installed. SChannel will also interoperate with clients or servers on Linux platforms which use OpenSSL.

Certificates and Keys

To use SSL with Entire Access, a digital certificate and a private key are necessary. Generate a certificate and a key in PEM format and put the certificate and the key into one single file, which can then be used for starting the Entire Access server. For Entire Access servers on Windows platforms, the key must be an RSA key.

OpenSSL offers a command line utility, openssl, that is (among other functions) capable of generating self-signed certificates and private key files and of converting between the different formats. Refer to the official OpenSSL documentation for a detailed description.

Configure the Entire Access Server

To configure an Entire Access server in SSL mode, the following steps must be performed:

  • Obtain a digital certificate and a private key in PEM format. Both are used by the Entire Access server to initiate a secured communication channel. Put the certificate and the private key into one single file, for instance certificate_file.

  • Start the Entire Access server process serversingle with the additional parameter -e certificate_file, which specifies the certificate file with its full path. When this parameter is provided, the Entire Access server automatically starts in SSL mode and can only be connected to by a client that is also capable of SSL mode.

    On Linux platforms, the script osxopr.sh has been extended to accept the certificate file parameter when starting a new Entire Access server.

    On Windows platforms, the provided batch scripts and the service configuration file contain examples of starting a server in SSL mode.

Configure the Entire Access Client

To enable an Entire Access client, such as Natural, to connect to an Entire Access server in SSL mode, you must first do the following:

  • On Linux platforms, make sure the two OpenSSL libraries mentioned above are available in the search path of the client.

  • On Windows platforms, no additional software is necessary.

The Entire Access client automatically starts an encrypted communication with the Entire Access server.

Server Validation

In cases where the client is required to validate the server certificate before initiating the communication, the following steps must be performed:

  1. Add a new environment variable TRIM_HOME pointing to the Entire Access installation base directory, which is <InstallDir>/EntireAccess. This variable is already pre-defined on Linux systems but must be added manually for Windows installations.

  2. Edit the net.ini file delivered with each Entire Access installation inside the directory ${TRIM_HOME}/lib (or %TRIM_HOME%\lib on Windows) and add a new line specifying the location of a certificate trust store file:

    ssl_certfile <mypath>/<mycertstore>

    The certificate trust store file will be used to validate the server certificate. The certificates must be in PEM format and must not be pass-phrase protected. The following example specifies that the client will use a certificate trust store stored in the crt.txt file:

    ssl_certfile /etc/certs/crt.txt
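A pre-flight check for the two PEM files described above, the combined certificate/key file passed to serversingle -e (see Configure the Entire Access Server) and the trust store named by ssl_certfile in net.ini. This is an added example and not part of the Entire Access product: it inspects only PEM block labels and headers, does not decode the certificates or keys, and the sample PEM bodies are constructed placeholders.

```python
import re

# One PEM block: a BEGIN line, optional headers plus body, and an END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, body) for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def is_passphrase_protected(label, body):
    # PKCS#8 encrypted keys say so in the label; legacy PKCS#1 keys use a Proc-Type header.
    return "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body

def check_server_certfile(text, windows=False):
    """Problems with a combined certificate+key file passed to 'serversingle -e'."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if len(certs) != 1:
        problems.append("expected one CERTIFICATE block, found %d" % len(certs))
    if len(keys) != 1:
        problems.append("expected one PRIVATE KEY block, found %d" % len(keys))
    for label, _ in keys:
        # SChannel servers need an RSA key: an EC/DSA label rules that out, while a bare
        # PKCS#8 'PRIVATE KEY' label does not reveal the algorithm and is accepted here.
        if windows and label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
            problems.append("Windows server needs an RSA key, found '%s'" % label)
    return problems

def check_trust_store(text):
    """Problems with a client trust store referenced by ssl_certfile in net.ini."""
    blocks = pem_blocks(text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block found")
    for label, body in blocks:
        if label.endswith("PRIVATE KEY"):
            problems.append("trust store should hold certificates only, found '%s'" % label)
        if is_passphrase_protected(label, body):
            problems.append("pass-phrase protected block '%s' is not supported" % label)
    return problems

# Constructed sample files; the base64 bodies are placeholders, not real key material.
CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructed==\n-----END CERTIFICATE-----\n"
RSA_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed==\n-----END RSA PRIVATE KEY-----\n"
EC_KEY = "-----BEGIN EC PRIVATE KEY-----\nMHQconstructed==\n-----END EC PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
           "constructed==\n-----END RSA PRIVATE KEY-----\n")
```

Run check_server_certfile on the file you intend to pass with -e (windows=True for an SChannel server) and check_trust_store on the ssl_certfile trust store; an empty list means no problem was found.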

Note
The server validation is only available with the full installation of the Entire Access product and not with the OXC client kit.