Page tree

Skip to end of metadata
Go to start of metadata

You can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between the Apache front-end web server (Apache Httpd) and the following product components:

  • Application Server
    • Web Server 
    • Data Hub
    • Primary Scheduler
    • Service Container
  • ETL Engine Server (Local and Remote)  :  Scheduler

 

If these components are communicating in HTTPS mode, then TLS 1.2 is enabled by default. Complete the following steps to enable server certificate validation:

Important

  • If you have installed the Application Server components on multiple computers, repeat steps II and III on each computer.
  • If you have multiple instances of the front-end web server, repeat all steps for each instance.

I. Procure the security certificate

Copy the certificate <CertificateName>.crt for the front-end web server from the following location:

<Server Installation Directory>/3rd_party/apache2/pki/tls/certs/

For more information about creating an SSL certificate for the front-end web server, see Create an SSL certificate.  

II. Install the security certificate 

The Application Server and ETL Engine Server use cotruststore.ts truststore to communicate with other components. The truststore is bundled along with the Server installation, and is located in the <Server Installation Directory>/secure directory.

Complete the following procedure on the Application Server and ETL Engine Server:

  1. Log on to the computer where the Server is installed. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory. Add this directory path to the PATH environment variable by running the following command:

    export PATH= <Server Installation Directory>/jre/bin:$PATH
  2. Navigate to the <Server Installation Directory>/secure directory and import the CA-trusted certificates that are allowed by JRE by running the following command:

    keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

    Note

    Importing the CA-trusted certificates that are allowed by JRE must be done at least once before you import other certificates.

    The <cotruststorepassword> is the password for cotruststore.ts truststore.

  3. Go to <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

    keytool -importcert -trustcacerts -file <path>/<CertificateName>.cert -keystore cotruststore.ts -alias <CertificateName>

    Parameter reference

    Replace all instances of <CertificateName> by the appropriate certificate name.

  4. After the message Enter keystore password, enter a password for the truststore. 

  5. After the message Trust this certificate [no], enter Yes.

III. Configure the product components to use TLS

Complete the following steps on all the computers that have the Application Server components and ETL Engine Server installed:

  1.  Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.

    #Example
    switchTLSmode.pl -on -tspwd -flow internal

     Click here for switchTLSmode.pl command details

    #Syntax 
    switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]

     

    Parameter reference
    -h or --help: Prints the help for the command.

    -on|off: on option enables TLS mode of communication. off option disables TLS mode of communication.

    -dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)

    -tspwd: Provide the truststore password. The default password is: changeit. It is recommended to change this password.

    -flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.

    internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.

    auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Atrium Single Sign-On Server or LDAP server) and Application Server.

    codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.

    externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.

    all: Enables or disables TLS 1.2 with server certificate validation communication for all the supported channels.

2. After the message Enter the truststore password and press Enter, enter the truststore password. 

The communication channels between the internal product components are now TLS 1.2 enabled with server certificate validation.