Universal Messaging 10.11 | Administration Guide | Universal Messaging Enterprise Manager | Cluster Administration | Setting Up Inter-Realm Communication | Setting Up Encrypted Inter-Realm Communication
 
Setting Up Encrypted Inter-Realm Communication
This scenario assumes that no cluster has been formed yet. Every realm that will later join the cluster must be configured as described below before the cluster is created.
The steps required are as follows:
1. If you intend to use self-signed certificates, or a custom truststore (containing the public certificates that correspond to each Universal Messaging realm's private certificate), the keystore and the truststore must be made known to the Universal Messaging JVM process through the standard javax.net.ssl system properties.
In the file Server_Common.conf on each realm, provide details of the truststore and keystore, according to the following pattern:
wrapper.java.additional.7="-Djavax.net.ssl.trustStore=<TRUSTSTORE>"
wrapper.java.additional.8=-Djavax.net.ssl.trustStorePassword=<TRUSTSTORE_PWD>
wrapper.java.additional.9="-Djavax.net.ssl.keyStore=<KEYSTORE>"
wrapper.java.additional.10=-Djavax.net.ssl.keyStorePassword=<KEYSTORE_PWD>
For example:
wrapper.java.additional.7="-Djavax.net.ssl.trustStore=/webmethods/truststores/um_truststore.jks"
wrapper.java.additional.8=-Djavax.net.ssl.trustStorePassword=nirvana
wrapper.java.additional.9="-Djavax.net.ssl.keyStore=/webmethods/keystores/um_keystore.jks"
wrapper.java.additional.10=-Djavax.net.ssl.keyStorePassword=nirvana
Each property must be on a single line. The index numbers (7 to 10 in the example) must not be used elsewhere in the file, and the numbering of the wrapper.java.additional properties must remain a continuous sequence. Note that the keystore and truststore passwords are stored in clear text in Server_Common.conf, so restrict read access on that file to the account under which the realm runs.
See the section Server Parameters in the Concepts guide for general information about setting up such parameters.
2. On each realm in the cluster, add two secure interfaces:
a. Add one interface using the NSPS protocol, to be used only for inter-realm communication.
Note:
The demo certificates generated by the Universal Messaging Certificate Generator tool (see the section How to Generate Certificates for Use) are valid only for the loopback interface (localhost / 127.0.0.1). Therefore, if you use these demo certificates, bind the interface that you add to the loopback address only.
For this interface, set the following options (in the Enterprise Manager, they are located under the Basic or Certificates tabs of the interface definition screen):
*Allow for InterRealm: yes
*Allow Client Connections: no
*Enable client certificate validation: no
Client certificate validation is disabled here because Universal Messaging already performs a certificate exchange between the realms when the cluster is formed; a second certificate exchange at the SSL layer would be redundant.
*Specify Certificates and Truststore on the interface as you would normally.
*If you want to enforce a particular SSL/TLS version (for example, TLS 1.2):
1. Select the cipher suites (algorithms) appropriate for that version on the interface.
2. Enforce the protocol version for the realm as a whole, using a JVM argument in Server_Common.conf. For example, to allow only TLS 1.2 on the Universal Messaging server, set:
wrapper.java.additional.XX=-DSSLProtocols=TLSv1.2
where XX is the next free index in the wrapper.java.additional sequence. Because this is a JVM-wide setting, it applies to every SSL interface on the realm, not only to the inter-realm interface.
b. Add one more interface using the NSPS protocol, to be used only by clients for communication with the realm. For this interface, set the following options:
*Allow for InterRealm: no
*Allow Client Connections: yes
*Enable client certificate validation: no
3. On the original, non-encrypted interface, set Allow for InterRealm to no, so that the realms can no longer use the unencrypted interface to communicate with each other.
4. Close and restart the Enterprise Manager.
5. Restart all Universal Messaging realms, so that the new JVM arguments take effect.
6. Use the Enterprise Manager to form the cluster.
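As an added check (example code written for this page, not part of Universal Messaging or its documentation), the following Python script lints the Server_Common.conf fragment produced in steps 1 and 2 before the realms are restarted. It verifies that the four javax.net.ssl properties are present, that no wrapper.java.additional index is duplicated and that the sequence has no gaps (the Java Service Wrapper stops reading the sequence at the first gap unless wrapper.ignore_sequence_gaps=TRUE), that a quoted value was not left unterminated by a line wrap, and that -DSSLProtocols does not still list SSLv3, TLSv1 or TLSv1.1. The fragments GOOD_CONF and BAD_CONF are constructed samples that reuse the paths and password from the guide's example; the optional file-permission check is an assumption about what an operator would want, not something the guide requires.

```python
"""Lint the JVM arguments in a Universal Messaging Server_Common.conf fragment.

Added example, not part of the Universal Messaging documentation. It checks the
shape of the wrapper.java.additional.N lines only; it does not connect to a
realm or open the keystores.
"""
import os
import re
import stat
from dataclasses import dataclass, field

# System properties the procedure requires on every realm.
REQUIRED_PROPS = (
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.keyStore",
    "javax.net.ssl.keyStorePassword",
)
# Protocol names that must not appear in -DSSLProtocols.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

LINE_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
PROP_RE = re.compile(r"^-D([^=]+)=(.*)$")
IGNORE_GAPS_RE = re.compile(r"^\s*wrapper\.ignore_sequence_gaps\s*=\s*TRUE\s*$", re.I | re.M)


@dataclass
class Findings:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    props: dict = field(default_factory=dict)  # -D name -> value

    @property
    def ok(self):
        return not self.errors


def _unquote(value):
    """Strip one pair of surrounding double quotes; reject an unbalanced quote."""
    if value.count('"') % 2:
        raise ValueError("unbalanced double quote (value wrapped onto the next line?)")
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def store_file_issues(path):
    """Assumed hardening check: the store must exist and be private to the service account."""
    try:
        st = os.stat(path)
    except OSError:
        return [f"{path}: not found or not readable"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: accessible by group or others; restrict to the realm's service account"]
    return []


def check_server_common_conf(text, check_files=False):
    f = Findings()
    seen = {}  # index -> line number of its first occurrence
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        idx, value = int(m.group(1)), m.group(2)
        if idx in seen:
            f.errors.append(f"line {lineno}: index {idx} already used on line {seen[idx]}")
            continue
        seen[idx] = lineno
        try:
            value = _unquote(value)
        except ValueError as e:
            f.errors.append(f"line {lineno}: {e}")
            continue
        pm = PROP_RE.match(value)
        if pm:
            f.props[pm.group(1)] = pm.group(2)

    if seen and not IGNORE_GAPS_RE.search(text):
        lo, hi = min(seen), max(seen)
        gaps = sorted(set(range(lo, hi + 1)) - set(seen))
        if gaps:
            f.errors.append(f"gap at index {gaps}: the wrapper stops reading the sequence "
                            "at the first gap unless wrapper.ignore_sequence_gaps=TRUE")
        if lo != 1:
            f.warnings.append(f"indices 1..{lo - 1} are not in this fragment; "
                              "they must exist in the full file")

    for name in REQUIRED_PROPS:
        if not f.props.get(name):
            f.errors.append(f"-D{name} is missing or empty")

    protos = f.props.get("SSLProtocols")
    if protos is None:
        f.warnings.append("no -DSSLProtocols: the JVM default protocol list applies")
    else:
        weak = sorted(p.strip() for p in protos.split(",") if p.strip() in WEAK_PROTOCOLS)
        if weak:
            f.errors.append(f"-DSSLProtocols enables weak protocol(s) {weak}")

    if check_files:
        for name in ("javax.net.ssl.trustStore", "javax.net.ssl.keyStore"):
            if f.props.get(name):
                f.errors.extend(store_file_issues(f.props[name]))
    return f


# Constructed sample fragments (not real files); paths and password follow the guide's example.
GOOD_CONF = """\
wrapper.java.additional.7="-Djavax.net.ssl.trustStore=/webmethods/truststores/um_truststore.jks"
wrapper.java.additional.8=-Djavax.net.ssl.trustStorePassword=nirvana
wrapper.java.additional.9="-Djavax.net.ssl.keyStore=/webmethods/keystores/um_keystore.jks"
wrapper.java.additional.10=-Djavax.net.ssl.keyStorePassword=nirvana
wrapper.java.additional.11=-DSSLProtocols=TLSv1.2
"""

# Line 1 lost its closing quote, index 9 (the keystore) is missing, and TLSv1 is still enabled.
BAD_CONF = """\
wrapper.java.additional.7="-Djavax.net.ssl.trustStore=/webmethods/truststores/um_truststore.jks
wrapper.java.additional.8=-Djavax.net.ssl.trustStorePassword=nirvana
wrapper.java.additional.10=-Djavax.net.ssl.keyStorePassword=nirvana
wrapper.java.additional.11=-DSSLProtocols=TLSv1,TLSv1.2
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        result = check_server_common_conf(conf)
        print(label, "OK" if result.ok else "FAIL")
        for msg in result.errors:
            print("  error:", msg)
        for msg in result.warnings:
            print("  warning:", msg)
```

Run it against the real file with check_server_common_conf(open(path).read(), check_files=True) on the realm host; a failing result is a reason not to proceed to the restart in step 5, because a gap or an unterminated quote silently leaves the realm without its truststore.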