Securing Communication Between Software AG Runtime and External Clients
In the CentraSite environment, Software AG Runtime can receive requests from clients such as:
User applications that use an API to communicate with the registry or repository.
Components of the Software AG Designer.
By default, only basic communication encryption without authentication is configured.
For information on how to configure SSL-based authentication and protect Tomcat, see the Tomcat 7.0 documentation and product information at http://tomcat.apache.org/.
Software AG Runtime Properties File for SSL Communication
The file com.softwareag.catalina.connector.https.pid-CentraSite.properties located in the directory Software AG_directory/profiles/CTP/configuration/com.softwareag.platform.config.propsloader contains the properties that you need to set in order to configure Software AG Runtime for secure communication with external clients. The properties in this file define the SSL keystore and SSL truststore that Software AG Runtime uses.
For details of the individual properties, see the section on Software AG Runtime properties for SSL communication in the Software AG Infrastructure Administrator's Guide, which describes how the HTTPS connectors are configured to set up the SSL environment. Note that this cross-product document refers to the properties file generically as com.softwareag.catalina.connector.https.pid-<port_number>.properties.
SSL Keystore
CentraSite comes with a sample keystore that contains self-signed certificates, located in Software AG_directory/profiles/CTP/configuration/tomcat/conf. The sample self-signed certificates are issued for localhost only and therefore cannot be used for configuring SSL communication with CentraSite; they must be replaced if SSL-based authentication is to be used.
Acquire and provide your own server certificate and define its location with the parameter keystoreFile (replace the default value) in the Software AG Runtime properties file for SSL communication.
Note:
The CN of the certificate must be identical to the host name under which the server is addressed, that is, the URL without the https:// scheme, the port, and the path. For example, for a server reachable under https://MyWebServer:8443/, the CN must be MyWebServer. Software AG Runtime supports both Java keystores (keystoreType="JKS", which is the default) and PKCS#12 keystores (keystoreType="PKCS12"). Set the keystore password accordingly (parameter keystorePass in the Software AG Runtime properties file).
SSL Truststore
If you want to use client authentication (2-way SSL), you need to set clientAuth="true" in the Software AG Runtime properties file for SSL communication and supply a truststore: a keystore that contains the trust root and certificate chain of the client certificates to which you want to grant access.
In the properties file, you also need to provide the following properties:
truststoreFile: the name and path of the truststore file
truststorePass: the password for accessing the truststore
truststoreType: the type of the truststore
truststoreProvider: the provider of the truststore
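The keystore and truststore settings described above can be checked mechanically before the connector is restarted. The following Python script is an added example, not part of the Software AG documentation or product; it assumes the properties file uses the parameter names given on this page as plain key=value lines, and the two embedded property sets (file paths, passwords, the keystore.jks file name) are constructed samples.

```python
from typing import Dict, List

# Directory of the sample localhost keystore shipped with CentraSite (path from the page).
SAMPLE_KEYSTORE_DIR = "profiles/CTP/configuration/tomcat/conf"
TRUSTSTORE_KEYS = ("truststoreFile", "truststorePass", "truststoreType", "truststoreProvider")

def parse_properties(text: str) -> Dict[str, str]:
    """Parse a simple Java-style properties file: one key=value per line, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_ssl_properties(props: Dict[str, str]) -> List[str]:
    """Return findings for the connector properties; an empty list means all checks passed."""
    findings: List[str] = []
    keystore = props.get("keystoreFile", "").replace("\\", "/")
    if not keystore:
        findings.append("keystoreFile is not set")
    elif SAMPLE_KEYSTORE_DIR in keystore:
        findings.append("keystoreFile still points at the shipped localhost sample keystore")
    if not props.get("keystorePass"):
        findings.append("keystorePass is not set")
    if props.get("clientAuth", "false").lower() == "true":  # 2-way SSL needs a truststore
        findings.extend(f"clientAuth=true but {k} is missing" for k in TRUSTSTORE_KEYS if not props.get(k))
    return findings

# Constructed samples: a file still pointing at the shipped sample keystore (weak) ...
DEFAULT_PROPERTIES = """\
keystoreFile=C:/SoftwareAG/profiles/CTP/configuration/tomcat/conf/keystore.jks
keystorePass=changeit
clientAuth=false
"""
# ... and a hardened file with your own server certificate and 2-way SSL enabled.
HARDENED_PROPERTIES = """\
keystoreFile=/etc/pki/centrasite/server.p12
keystoreType=PKCS12
keystorePass=REPLACE_WITH_REAL_PASSWORD
clientAuth=true
truststoreFile=/etc/pki/centrasite/clients-truststore.jks
truststorePass=REPLACE_WITH_REAL_PASSWORD
truststoreType=JKS
truststoreProvider=SUN
"""
```

Run check_ssl_properties(parse_properties(open(path).read())) against the real com.softwareag.catalina.connector.https.pid-CentraSite.properties file; any finding points at a setting that still needs attention.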
Note on SSL Port Number
If a URL addresses a location using SSL, the URL must explicitly specify the port number of the location, even if the default port number for SSL (443) is to be used.