Secure Sockets Layer (SSL) encryption and server certificates
Service Manager supports Secure Hypertext Transfer Protocol (HTTPS), which encrypts and decrypts message requests and responses. Service Manager uses Secure Sockets Layer (SSL) for encryption only and relies on the server to authenticate each operator's user name and password. Service Manager supports SSL for the following connections:
- SSL on the Service Manager server to encrypt all communications between clients and the server.
- SSL on Service Manager clients to verify each client's identity and limit server connections to those identified clients.
Enabling SSL on the Service Manager server
The primary reason to enable SSL on the Service Manager server is to protect operator user names and passwords that Service Manager clients send with each request as part of an HTTP Basic Authorization header. You can enable SSL on the Service Manager server but not require each client to present an individual client certificate. When you enable SSL on the server only, clients connect to the server using anonymous SSL.
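The following Go program is an added example, not code from the Service Manager documentation or product. It illustrates the point of the paragraph above: an HTTP Basic Authorization header carries the operator's user name and password only base64-encoded, so a server that accepts it over plaintext exposes the credentials to anyone on the network path. One defensive control is a handler wrapper that refuses Basic credentials unless the request arrived over TLS; the example runs one request against an in-process plaintext server and one against an in-process TLS server and reports the status each returns. The handler names, the `/sm` path and the credentials are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RequireTLSForBasicAuth wraps a handler and refuses HTTP Basic credentials that
// arrive on a plaintext connection. The Authorization header is only
// base64-encoded, so without SSL anyone on the network path can read the
// operator's user name and password.
func RequireTLSForBasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, _, hasBasic := r.BasicAuth(); hasBasic && r.TLS == nil {
			// Refuse without echoing the credentials, and tell the client to use TLS.
			w.Header().Set("Upgrade", "TLS/1.2, HTTP/1.1")
			http.Error(w, "Basic credentials must be sent over HTTPS", http.StatusUpgradeRequired)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// protected is a hypothetical stand-in for an authenticated server endpoint.
func protected() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, _, ok := r.BasicAuth()
		if !ok {
			w.Header().Set("WWW-Authenticate", `Basic realm="sm"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "hello %s", user)
	})
}

// StatusFor starts an in-process test server (plaintext or TLS), sends one
// request carrying constructed Basic credentials, and returns the status code.
func StatusFor(useTLS bool) (int, error) {
	h := RequireTLSForBasicAuth(protected())
	var srv *httptest.Server
	if useTLS {
		srv = httptest.NewTLSServer(h)
	} else {
		srv = httptest.NewServer(h)
	}
	defer srv.Close()
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/sm", nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth("falcon", "constructed-password") // constructed sample credentials
	// srv.Client() trusts the test server's self-signed certificate in the TLS case.
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	for _, useTLS := range []bool{false, true} {
		status, err := StatusFor(useTLS)
		fmt.Printf("tls=%v status=%d err=%v\n", useTLS, status, err)
	}
}
```

The plaintext request is answered with 426 Upgrade Required before the credentials reach the protected handler; the same request over TLS reaches it and gets 200. Refusing is deliberate: redirecting a request that already carries the header would not undo the exposure that has already happened.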
Enabling SSL on Service Manager clients
The primary reason to enable SSL on Service Manager clients is to restrict access to the server to only those clients known and identified by the server. Enabling client-side SSL requires creating or purchasing signed certificates for each Service Manager client. The Service Manager Web Tier can share a single signed certificate for all Web Client connections. If you enable client-side SSL, we recommend you also enable server-side SSL to encrypt all communications between clients and the server.
Client/server SSL handshake process
During the client/server handshake process, the client looks at the server certificate, determines which certificate authority signed the certificate, and compares the certificate signature to a list of trusted certificate authorities identified in the cacerts file. Service Manager includes a sample server certificate signed by a fictitious certificate authority and also includes a modified cacerts file that includes the certificate for the fictitious certificate authority.
The client also compares the IP address or host name of the server to the address encrypted in the server certificate. If they do not match, an alert appears and the user can stop the connection. When you start a new installation of Service Manager, it suppresses the alerts. To ensure a secure environment, remove the sample server certificate, install an actual certificate, and modify the cacerts file to list the appropriate certificate authority.
What are PEM files?
Privacy Enhanced Mail (PEM) files are a type of Public Key Infrastructure (PKI) file used for keys and certificates. PEM, initially invented to make e-mail secure, is now an Internet security standard. Service Manager uses OpenSSL libraries to encrypt and decrypt SOAP messages over HTTP and requires certificates and keys in PEM format. The typical PEM files are:
- key.pem contains the private encryption key
- cert.pem contains certificate information
Because it is a standard, any PKI implementation can use .pem files as a repository for keys or certificates. OpenSSL supports a variety of standard formats in addition to .pem, including Distinguished Encoding Rules (DER) and X.509. OpenSSL has several utility functions that can convert these formats.
What is a cacerts file?
The cacerts file is a collection of trusted certificate authority (CA) certificates. Oracle includes a cacerts file with its SSL support in the Java™ Secure Socket Extension (JSSE) tool kit and JDK. It contains certificate references for well-known certificate authorities, such as VeriSign™. Its format is the "keystore" format defined by Oracle. An administrator can edit the cacerts file with a command line tool (also provided by Oracle) called keytool. For more information about keytool, see the Oracle website.
Note: The default password for the cacerts file supplied by Oracle is changeit. You must use this password to view the contents or to import a new certificate. For security reasons, change the default password.
The essential requirement is that the certificate authority that signed the Service Manager server's certificate must be in the list of certificate authorities named in this file. To use a self-issued server certificate created with OpenSSL or a tool such as Microsoft Certificate Server™, you must import the certificate for this private certificate authority into the cacerts file that the client uses for SSL. If you do not import the certificate, SSL connections fail because the Java SSL implementation does not recognize the certificate authority.
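The following Go program is an added example, not code from the Service Manager documentation or product, and it serves three of the sections above: the handshake checks (signing CA must be in the trust list, server address must match the certificate), the PEM format of cert.pem, and the cacerts requirement that a private CA be imported before a connection can succeed. Instead of the real cacerts keystore it builds an in-memory trust store from a constructed, self-signed "Fictitious Test CA" that signs a server certificate for the constructed host name sm.example.com, then shows the outcome of verifying that certificate against a trust store that contains the CA, one that does not, and a host name the certificate was not issued for. Function and CA names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI constructs a stand-in for the fictitious CA and sample server certificate
// the text describes: a self-signed CA plus a server certificate for host signed by it.
func BuildTestPKI(host string) (ca, server *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Fictitious Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // the name the client compares with the host it dialed
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if server, err = issue(srvTmpl, ca, &srvKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	return ca, server, nil
}

// TrustStore plays the role of the cacerts file: the CA certificates the client trusts.
func TrustStore(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range cas {
		pool.AddCert(c)
	}
	return pool
}

// CheckServerCert applies the two handshake checks from the text and names the outcome:
// "ok", "untrusted-ca" (signer missing from the trust store), "hostname-mismatch", or the raw error.
func CheckServerCert(server *x509.Certificate, trust *x509.CertPool, host string) string {
	_, err := server.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "untrusted-ca"
	case errors.As(err, &badHost):
		return "hostname-mismatch"
	}
	return err.Error()
}

// CertToPEM renders a certificate as cert.pem stores it (base64 DER between
// BEGIN/END CERTIFICATE lines); CertFromPEM reverses it: PEM -> DER -> X.509.
func CertToPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func CertFromPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	ca, srv, err := BuildTestPKI("sm.example.com") // constructed host name
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckServerCert(srv, TrustStore(ca), "sm.example.com"))    // ok
	fmt.Println(CheckServerCert(srv, TrustStore(), "sm.example.com"))      // untrusted-ca
	fmt.Println(CheckServerCert(srv, TrustStore(ca), "other.example.com")) // hostname-mismatch
	fmt.Print(string(CertToPEM(srv)))
}
```

The "untrusted-ca" case is exactly the failure the cacerts section warns about: the server certificate is valid, but the client's trust list does not contain the private CA that signed it, so the chain cannot be built. The "hostname-mismatch" case is the address check from the handshake section, which is why a production install should replace the sample certificate with one issued for the server's real host name rather than leave the alert suppressed. A private key would be written to key.pem the same way, with a pem.Block of type "PRIVATE KEY" around its DER encoding.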
Related topics
- Example: Enabling required SSL encryption
- Example: Enabling required SSL encryption and client authentication
- Example: Enabling required SSL encryption and trusted clients
- Example: Enabling trusted sign-on
- Example: Generating a client certificate with OpenSSL
- Example: Generating a server certificate with OpenSSL
- Example: Viewing the contents of a cacerts file
- Trusted sign-on
- Add a client certificate to the web tier
- Add a client certificate to the Windows client
- Update the cacerts keystore file
- Use keytool to create a certificate request
- Use keytool to create a private key
- Requirements for required SSL encryption
- Requirements for required SSL encryption and client authentication
- Requirements for required SSL encryption and trusted clients
- Requirements for trusted sign-on