Requirements for required SSL encryption and trusted clients

This configuration is intended for customers who:

  • Want to require SSL encryption for all connections
  • Want to protect against complex SSL-related attacks
  • Want to authenticate that the Service Manager server is a valid host
  • Want to authenticate that the Service Manager clients are valid hosts
  • Want to restrict access to the server to only those clients whose certificates are in a list of trusted clients

Certificates required
You must create or obtain the following certificates for SSL encryption.
  • Certificate authority certificate *
  • Certificate list containing the certificates of web and Windows clients that are allowed to connect to the server
  • Keystore containing the certificate authority certificate *
  • Service Manager server certificate
  • Web tier certificate
  • Windows client certificates

* A typical SSL configuration uses a single certificate authority to issue certificates for all authenticated components. If, however, you use multiple certificate authorities to sign your certificates, then you need to obtain a certificate for each certificate authority.

Private keys required
You must create or obtain the following private keys for SSL encryption.
  • Certificate authority's private key *
  • Service Manager server's private key

* This key is only necessary if you are managing your own private certificate authority.

Parameters required in the server configuration file (sm.ini)
  • keystoreFile – identify the keystore file containing the Service Manager server's certificate and private key
  • keystorePass – identify the password to the keystore file containing the Service Manager server's certificate and private key
  • ssl:1
  • ssl_reqClientAuth:2
  • ssl_trustedClientsJKS – identify the keystore file containing the list of trusted client certificates allowed to connect to the server
  • ssl_trustedClientsPwd – identify the password to the keystore file containing the list of trusted client certificates
  • sslConnector:1
  • truststoreFile – identify the keystore file containing the certificate authority's certificate
  • truststorePass – identify the password to the keystore file containing the certificate authority's certificate
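As an added check (not part of the Service Manager documentation or product), the script below parses an sm.ini fragment and reports any of the parameters listed above that are missing, empty, or set to a value other than the one this configuration requires. The fragment, its keystore paths and passwords are constructed for the example; treating `#` lines as comments is an assumption of the parser.

```python
# Parameters this page lists for required SSL plus a trusted-client list.
# None = any non-empty value (keystore path or password); a string must match.
REQUIRED = {
    "ssl": "1", "sslConnector": "1", "ssl_reqClientAuth": "2",
    "keystoreFile": None, "keystorePass": None,
    "ssl_trustedClientsJKS": None, "ssl_trustedClientsPwd": None,
    "truststoreFile": None, "truststorePass": None,
}

# Constructed sm.ini fragment (not a real deployment): ssl_reqClientAuth
# is 1 instead of the required 2, and ssl_trustedClientsPwd is missing.
SAMPLE_SM_INI = """\
ssl:1
sslConnector:1
ssl_reqClientAuth:1
keystoreFile:C:\\sm\\RUN\\server.keystore
keystorePass:example-server-pw
ssl_trustedClientsJKS:C:\\sm\\RUN\\trustedclients.keystore
truststoreFile:C:\\sm\\RUN\\cacerts
truststorePass:example-ca-pw
"""


def parse_sm_ini(text):
    """Parse 'name:value' lines into a dict; a line with no ':' is a flag
    stored with an empty value. Skipping blank lines and '#' comments is
    an assumption of this example, not documented sm.ini behaviour."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first ':' only, so 'C:\...' paths keep their drive letter.
        name, sep, value = line.partition(":")
        params[name.strip()] = value.strip() if sep else ""
    return params


def check_trusted_clients_config(text):
    """Return a list of problems; an empty list means every parameter the
    trusted-clients configuration needs is present with an acceptable value."""
    params = parse_sm_ini(text)
    problems = []
    for name, expected in REQUIRED.items():
        if name not in params:
            problems.append(f"missing: {name}")
        elif expected is None and not params[name]:
            problems.append(f"empty value: {name}")
        elif expected is not None and params[name] != expected:
            problems.append(f"{name} is '{params[name]}', expected '{expected}'")
    return problems
```

Running `check_trusted_clients_config(SAMPLE_SM_INI)` returns the two findings for the constructed fragment; an empty list means the sm.ini carries the full parameter set for this configuration.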

Parameters required in the web tier configuration file (web.xml)

You must set the following web parameters.
  • cacerts – identify the keystore file containing the certificate authority that signed the server's certificate
  • keystore – identify the keystore containing the web tier's client certificate
  • customize-folder – specify the absolute path to a folder on the web tier host in which the webtier.properties file is located

Parameter required in the <Customize-Folder>/config/webtier.properties file
You must set the following web parameter:
  • keystorePassword – identify the password for the web tier's keystore

Note: The keystorePassword parameter has been removed from the web tier configuration file (web.xml) since Service Manager 9.34p2. You must enter your web client keystore password in a webtier.properties file. For details, see Encryption of client keystore passwords.

Windows client preferences required
You must set the following preferences from the Window > Preferences > Service Manager > Security menu.
  • CA certificates file – identify the keystore file containing the certificate authority that signed the server's certificate
  • Keystore file – identify the keystore containing the Windows client's certificate
  • Keystore password – identify the password for the Windows client's keystore

Other requirements
You must do the following additional steps to ensure that Service Manager can use your private certificates.
  • Add your private certificate authority's certificate to a keystore that your Web and Windows clients can access
  • Ensure that the Service Manager client's host name matches the common name (CN) listed in the client's signed certificate
  • Ensure that the Service Manager server's host name matches the common name (CN) listed in the server's signed certificate

Related topics

Example: Enabling required SSL encryption and trusted clients
Example: Generating a client certificate with OpenSSL
Example: Generating a server certificate with OpenSSL
Add a client certificate to the web tier
Add a client certificate to the Windows client
Update the cacerts keystore file
Requirements for required SSL encryption
Requirements for required SSL encryption and client authentication
Requirements for trusted sign-on