Creating an SSL-Enabled Interface
To add an SSL-enabled interface using the Enterprise Manager, first create an nsps or nhps interface as described in Creating Interfaces.
The following image shows an nhps (HTTPS) interface listening on port 9443.
Click the Certificates tab. You can see that the values for the Key store path and Trust store path fields are automatically specified. In the Universal Messaging download, we provide a utility called Certificate Generator that can generate sample .jks files containing certificates bound to localhost, for the server, the client, and the truststore used by JSSE. In this example, we use the sample .jks files to demonstrate how to create an SSL interface. For detailed information about generating certificates, see How to Generate Certificates for Use.
The Key store path field should contain something similar to:
c:\SoftwareAG_directory\UniversalMessaging\server\umserver\bin\server.jks
which should be the path to the sample Java keystore for the server, bound to localhost.
The Trust store path field should contain something similar to the following:
c:\SoftwareAG_directory\UniversalMessaging\server\umserver\bin\nirvanacacerts.jks
Then specify the value "password" for Key Store Passwd and CA Store Passwd. This is the password for both the server keystore and the CA keystore (truststore).
Next, go to the Basic tab and select the Autostart Interface option to start the interface automatically when the Universal Messaging realm server starts.
Note:
If you intend to use an SSL interface for inter-realm communication, you should ensure that the Allow for InterRealm option is selected and the Allow Client Connections option is cleared. Alternatively, if you intend to use an SSL interface for communication between clients and the realm, you should ensure that the Allow for InterRealm option is cleared and the Allow Client Connections option is selected. For information about inter-realm communication, see Setting Up Inter-Realm Communication.
Click Apply to save your changes and start the interface. If the network interface fails to start, inspect the Universal Messaging log file.
There is no limit to the number of network interfaces that can be added to a realm and each can have its own configuration, such as SSL chains, applied. This enables you to isolate customers from each other while still using only one Universal Messaging realm server.
In this example we have used our own sample Java keystores, which will only work when using the loopback interface of your realm server host. If you want to provide SSL capabilities for remote connections, you must ensure you have your own keystores and valid certificate chains.
Client Certificate Validation
If you select Enable Client Cert Validation on the Interfaces > Certificates tab, clients that connect to the interface must supply their client certificate. This will be a file with a name like client.jks, which can be created in a way similar to the server.jks and nirvanacacerts.jks files mentioned above.
If you want to connect to such an interface using the Enterprise Manager, you must specify the name of the client certificate file in the configuration file UniversalMessaging\java\umserver\bin\nenterprisemgr.conf, in the line that defines the -DCKEYSTORE parameter, for example:
wrapper.java.additional.7="-DCKEYSTORE=%CKEYSTORE%"
If you do not require client certificate validation for this interface, clear the Enable Client Cert Validation option. In this case, the -DCKEYSTORE parameter is still required, but its value must be set to null (left empty):
wrapper.java.additional.7="-DCKEYSTORE="
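A check for the -DCKEYSTORE rule described above, as an added example that is not part of the original documentation: it reads nenterprisemgr.conf text and reports whether the parameter matches the Enable Client Cert Validation setting of the interface. It assumes that lines starting with # are comments and that %NAME% references are expanded from the environment; the function name, the sample config text and the keystore path used to test it are constructed for illustration.

```python
import re

# Matches wrapper property lines of the form shown in the documentation:
#   wrapper.java.additional.7="-DCKEYSTORE=%CKEYSTORE%"
_PROP = re.compile(
    r'^\s*wrapper\.java\.additional\.\d+\s*=\s*"?(-D[^"=\s]+)=?([^"]*)"?\s*$')
_ENV_REF = re.compile(r"%(\w+)%")

# Constructed sample config text (not copied from a real installation).
SAMPLE_CONF = """\
# Enterprise Manager JVM options
wrapper.java.additional.6="-Dexample.flag=1"
wrapper.java.additional.7="-DCKEYSTORE=%CKEYSTORE%"
"""

def check_ckeystore(conf_text, client_cert_validation, env=None):
    """Return findings (empty list = consistent) for the -DCKEYSTORE setting.

    client_cert_validation: whether Enable Client Cert Validation is selected
    on the interface. env: mapping used to resolve %NAME% references
    (assumption: the wrapper expands them from the environment).
    """
    env = env or {}
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # assumption: '#' starts a comment
            continue
        m = _PROP.match(line)
        if m and m.group(1) == "-DCKEYSTORE":
            hits.append((lineno, m.group(2).strip()))
    if not hits:
        return ["-DCKEYSTORE is not defined; it is required in both modes"]
    findings = []
    if len(hits) > 1:
        findings.append("-DCKEYSTORE is defined more than once: lines "
                        + ", ".join(str(n) for n, _ in hits))
    lineno, raw = hits[-1]  # report on the last definition found
    value = _ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), raw)
    if client_cert_validation and not value:
        findings.append(f"line {lineno}: empty, but a client certificate is required")
    elif client_cert_validation and _ENV_REF.search(value):
        findings.append(f"line {lineno}: unresolved reference {value}")
    elif not client_cert_validation and value:
        findings.append(f"line {lineno}: set to {value!r}, expected an empty value")
    return findings

if __name__ == "__main__":
    for finding in check_ckeystore(SAMPLE_CONF, client_cert_validation=True):
        print(finding)
```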