
You can use Transport Layer Security (TLS) 1.2 with server certificate validation to secure communication between the Application Server and the authentication component, which can be an Atrium SSO Server or an external LDAP Server.

If these components are communicating in HTTPS mode, then TLS 1.2 is enabled by default. Complete the following steps to enable server certificate validation:

Important

If you have installed the Application Server components on multiple computers, repeat steps II and III on each computer.

I. Procure the server security certificate

Procure a Certificate Authority (CA) signed server certificate for the authentication component from the system administrator of your organization. For example, <AuthCert>.crt.

II. Install the security certificate

The Application Server uses the cotruststore.ts truststore to communicate with other components. This truststore is bundled along with the Server installation, and is located in the <Server Installation Directory>/secure directory.

Complete the following steps on the Application Server to import the security certificate into its truststore file:

  1. Log on to the computer where the Server is installed. The keytool utility used to import the certificates is in the <Server Installation Directory>/jre/bin directory. Add this directory to the PATH environment variable by running the following command:

    export PATH=<Server Installation Directory>/jre/bin:$PATH
  2. Navigate to the <Server Installation Directory>/secure directory and import the CA certificates trusted by the JRE by running the following command:

    keytool -importkeystore -srckeystore <Server Installation Directory>/jre/lib/security/cacerts -destkeystore cotruststore.ts -srcstorepass changeit -deststorepass <cotruststorepassword>

    Note

    Importing the CA certificates trusted by the JRE must be done at least once before you import any other certificate.

    <cotruststorepassword> is the password of the cotruststore.ts truststore.

  3. Navigate to the <Server Installation Directory>/secure directory and import the procured certificates by running the following command:

    keytool -importcert -trustcacerts -file <path>/<CertificateName>.cert -keystore cotruststore.ts -alias <CertificateName>

    Parameter description

    Replace all instances of <CertificateName> with the appropriate certificate name.

  4. At the Enter keystore password prompt, enter the truststore password.

  5. At the Trust this certificate? [no] prompt, enter yes.
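The following script is an added example, not part of this page or of the product: it performs section II (steps 1 to 5) non-interactively and adds the checks an operator would want before switching TLS on in section III, namely that the file really is a certificate, that the truststore password is no longer the default, and that the alias is present in cotruststore.ts after the import. The script name import_auth_cert.sh and its argument order are assumptions; keytool's -noprompt flag stands in for the interactive answers in steps 4 and 5, and re-running the cacerts import with -noprompt simply overwrites existing entries, so the "at least once" requirement is met on every run.

```shell
#!/bin/sh
# import_auth_cert.sh (hypothetical helper, not shipped with the product).
# Usage: sh import_auth_cert.sh <Server Installation Directory> <cert file> <alias> <truststore password>

# Return 0 when the file looks like a PEM or DER certificate, 1 otherwise.
cert_file_looks_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        return 0
    fi
    # A DER-encoded certificate starts with the ASN.1 SEQUENCE tag (0x30).
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ]
}

# Return 0 when the truststore password is still the factory default (changeit).
password_is_default() {
    [ "$1" = "changeit" ]
}

# Return 0 when <alias> exists in the given truststore (keytool exits non-zero otherwise).
alias_present() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

main() {
    install_dir="$1"; cert="$2"; alias_name="$3"; ts_pwd="$4"
    # Step II.1: put the bundled keytool on the PATH.
    PATH="$install_dir/jre/bin:$PATH"; export PATH
    ts="$install_dir/secure/cotruststore.ts"

    cert_file_looks_valid "$cert" || { echo "not a certificate file: $cert" >&2; return 1; }
    if password_is_default "$ts_pwd"; then
        echo "warning: cotruststore.ts still uses the default password; change it" >&2
    fi

    # Step II.2: seed the truststore with the JRE's CA certificates (changeit is the JRE cacerts default).
    keytool -importkeystore -noprompt \
        -srckeystore "$install_dir/jre/lib/security/cacerts" -srcstorepass changeit \
        -destkeystore "$ts" -deststorepass "$ts_pwd" || return 1

    # Steps II.3 to II.5: import the procured certificate; -noprompt answers the trust prompt with yes.
    keytool -importcert -trustcacerts -noprompt \
        -file "$cert" -alias "$alias_name" -keystore "$ts" -storepass "$ts_pwd" || return 1

    # Verify the entry actually landed before section III switches TLS on.
    alias_present "$ts" "$ts_pwd" "$alias_name" || { echo "alias $alias_name missing after import" >&2; return 1; }
    echo "imported $alias_name into $ts"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from any directory as `sh import_auth_cert.sh /opt/server /tmp/AuthCert.crt AuthCert 'YourTruststorePassword'` (paths constructed for illustration); the exit status is non-zero if any keytool call fails or the alias cannot be read back, which is the condition to check before running switchTLSmode.pl.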

III. Configure the components to enable TLS

Complete the following configuration steps on the Application Server:

  1. Navigate to the <Server Installation Directory>/tools directory and run the switchTLSmode.pl script.

    #Example
    perl switchTLSmode.pl -on -tspwd -flow auth


    #Syntax
    switchTLSmode.pl [-h or --help] [ -on|-off ] [ -dbport port ] [ -tspwd ] [-flow internal,auth,codb,externaldb,all]

    Parameter reference
    -h or --help: Prints the help for the command.

    -on|-off: -on enables TLS mode of communication; -off disables it.

    -dbport: Provide the port number that is configured for the database communication. (This option is required only when the database port is changed.)

    -tspwd: Prompts for the truststore password. The default password is changeit; changing it is recommended.

    -flow: Provide the communication channel for which you want to enable or disable TLS 1.2 with server certificate validation based on your value for the -on|off parameter.

    internal: Enables or disables TLS 1.2 with server certificate validation for communication among the internal Capacity Optimization components.

    auth: Enables or disables TLS 1.2 with server certificate validation for communication between the authentication component (Atrium Single Sign-On Server or LDAP server) and Application Server.

    codb: Enables or disables TLS 1.2 with server certificate validation for communication between internal database (Oracle/PostgreSQL) and internal Capacity Optimization components.

    externaldb: Enables or disables TLS 1.2 with server certificate validation for communication between external database and ETL Engine Server.

    all: Enables or disables TLS 1.2 with server certificate validation for communication on all supported channels.


  2. At the Enter the truststore password and press Enter prompt, type the truststore password and press Enter.

TLS 1.2 with server certificate validation is enabled between the authentication component and the Application Server.