C# Client SSL Configuration
Universal Messaging fully supports SSL encryption. This section describes how to use SSL in your Universal Messaging C# client applications.
Note:
You cannot use TLS 1.3 with your C# client applications. The Universal Messaging API for .NET is built and tested against the .NET Framework 4.5, which supports TLS versions up to 1.2 but does not support TLS 1.3.
Once you have created an SSL-enabled interface, you will need to create certificates for the server and, if you use client certificate authentication, for the client. The Universal Messaging download contains a generator that creates example Java key store files for use by the Universal Messaging server; these files can also be converted to Public-Key Cryptography Standards (PKCS) files for use with a Universal Messaging C# client. To convert from .jks to .p12, you can use keytool.exe (supplied with Java). The command to do so is shown below:
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12
Please refer to this guide to create your own client certificates. However, please remember that in order to run a Universal Messaging C# client, the certificate provided must be in PKCS format.
Running a Universal Messaging C# Client
A client can use anonymous SSL, but when the Universal Messaging SSL interface is configured for client validation, only trusted clients with a valid certificate can connect. To enable or disable client certificate validation at the realm server, you can use the Universal Messaging Enterprise Manager. Highlight the SSL-enabled interface in the "Interface" tab for your realm, then open the "Certificates" tab and check or uncheck the box labelled "Enable Client Cert Validation". Hit the Apply button, and restart the interface.
When client certificate validation is enabled, the client is required to have a certificate so that the server can validate the client. If the server certificate is self signed (as the certificates created using the generator are), the client must also have a trust store to validate the server certificate.
The location of the key stores and the relevant passwords need to be specified in nConstants. This can be done by adding the client certificate and trust store to the Windows certificate store. The location of the client certificate can also be set by setting the certificate property (defined in nConstants) in the application code or by setting CERTPATH (the location of the certificate) and CERTPASS (the private key password) as environment variables. For more information, see SSL Concepts.
Adding Certificates to the Windows Certificate Store
If you wish to add certificates to the Windows certificate store, follow these instructions.
The default password for the certificates created using the generator is "nirvana".
To add the client certificate:
Open the Start menu, click on Run and enter "certmgr.msc".
In the new window, expand the "Personal" folder and right click on the "Certificates" folder.
Select "All Tasks->Import..."
Follow the instructions and import the client certificate (client.p12).
To add the trust store:
Open the Start menu, click on Run and enter "certmgr.msc".
In the new window, expand the "Trusted Root Certification Authorities" folder and right click on the "Certificates" folder.
Select "All Tasks->Import..."
Follow the instructions and import the trust store (nirvanacacerts.p12).
You will now be able to connect to a realm using nsps and nhps.
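A pre-flight check for the certificate settings described in this section, added here as an example and not part of the Universal Messaging documentation or API. It uses only standard .NET Framework classes, reads the CERTPATH and CERTPASS environment variables, and confirms that the file is a loadable PKCS#12 with a private key, is within its validity period, and is present in the "Personal" store; the class name CertPreflight is hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: checks the client certificate before a client is started.
// CertPreflight is a hypothetical name; it does not call the Universal Messaging API.
static class CertPreflight
{
    static int Main()
    {
        // CERTPATH and CERTPASS are the environment variables named in this section.
        string path = Environment.GetEnvironmentVariable("CERTPATH");
        string pass = Environment.GetEnvironmentVariable("CERTPASS");
        if (string.IsNullOrEmpty(path)) return Fail("CERTPATH is not set");

        X509Certificate2 cert;
        try
        {
            // Throws for a missing file, a wrong password, or a non-PKCS#12 file such as a .jks.
            cert = new X509Certificate2(path, pass ?? string.Empty);
        }
        catch (CryptographicException e)
        {
            return Fail("cannot load " + path + ": " + e.Message);
        }

        // Client certificate authentication needs the private key, not only the public certificate.
        if (!cert.HasPrivateKey) return Fail("no private key in " + path);

        // NotBefore and NotAfter are reported in local time.
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            return Fail("certificate is outside its validity period, NotAfter = " + cert.NotAfter);

        // The "Personal" folder in certmgr.msc is the CurrentUser\My store.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        bool inStore = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0;
        store.Close();

        Console.WriteLine("Subject:            {0}", cert.Subject);
        Console.WriteLine("Expires:            {0}", cert.NotAfter);
        Console.WriteLine("In Personal store:  {0}", inStore ? "yes" : "no (the file at CERTPATH is used)");
        return 0;
    }

    static int Fail(string msg) { Console.Error.WriteLine("FAIL: " + msg); return 1; }
}
```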