Set up an SSL Connection
There are several ways to set up Secure Socket Layer (SSL) connections for IDOL Server. For example, you can:
- Configure an SSL gateway. You configure incoming communications to a unified IDOL Server to use SSL connections, but communications between components are plain.
- Configure SSL between all IDOL components in a unified IDOL Server. All communications into IDOL, and between components, are configured with SSL connections.
- Configure SSL between stand-alone IDOL components.
In all cases the basic principle of configuring SSL is the same, but the exact configuration varies.
- Set the SSLConfig parameter to the name of the section in which you define SSL options. The configuration sections where you set SSLConfig vary depending on your setup. In general:
  - For incoming ACI calls, set the SSLConfig parameter in the [Server] section.
  - For incoming Index actions, set the SSLConfig parameter in the [IndexServer] section.
  - For incoming Service actions, set the SSLConfig parameter in the [Service] section.
  - For outgoing ACI calls to IDOL components, set the SSLConfig parameter in each component section. For example, [AgentDRE].
  For example:
    [Server]
    SSLConfig=SSLOption1
- For each SSLOption you define, create a new configuration section to contain the SSL options. For example:
    [SSLOption1]
- Within each SSL options section, you can specify the following SSL parameters:
  SSLMethod
    Determines which SSL protocol to use: TLSV1.3, TLSV1.2, TLSV1, SSLV3, or Negotiate, which uses the highest protocol supported by both client and server. Micro Focus recommends that you use TLSV1.3, unless interoperability with older systems requires use of less secure protocols.
  SSLCertificate
    The SSL certificate file to use to identify this component to a peer. The certificate can be in either ASN1 or PEM format. Micro Focus recommends that you use the PEM format. This parameter requires a matching SSLPrivateKey value.
  SSLPrivateKey
    The private key for the SSL certificate. The key can be in either ASN1 or PEM format. This parameter requires a matching SSLCertificate value. The private key can be password protected. See SSLPrivateKeyPassword.
  SSLCACertificate
    The Certificate Authority certificate indicating that this component trusts only communication with a peer that offers a certificate signed by the specified CAs.
  SSLCheckCertificate
    Requests a certificate signed by a trusted authority from peers. Setting SSLCACertificate implicitly sets this parameter to True. If you set SSLCACertificate to False, IDOL Server encrypts communications, but does not request certificates from peers.
  SSLCheckCommonName
    Determines whether the host name listed in the peer certificate (that is, the CommonName or "CN" attribute) resolves to the same IP address as the peer itself, as determined by the network connection. This parameter helps verify the identity of the peer. For example, if the host name in a certificate is eip.example.com and resolves to an IP address of 12.3.4.56, the peer must share the same IP address.
  SSLPrivateKeyPassword
    If the file defined in SSLPrivateKey is password protected, use this parameter to specify the password. The password can be in plain text or in basic or AES encryption format.
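As an added example (not part of the IDOL documentation or product), the following Python script parses an INI-style IDOL configuration and flags the wiring mistakes this section warns about: an SSLConfig value that names no section, a protocol other than the recommended TLSV1.3, a certificate without its private key, and a missing SSLCACertificate. The embedded sample configuration is constructed for the example, and the function name audit_ssl_config is an assumption; the section and parameter names follow the ones described above.

```python
import configparser

# Constructed sample config: [SSLOption1] is sound, [SSLOption2] has
# problems, and [AgentDRE] points at a section that does not exist.
SAMPLE_CONFIG = """
[Server]
SSLConfig=SSLOption1
[IndexServer]
SSLConfig=SSLOption2
[AgentDRE]
Host=localhost
SSLConfig=SSLOption3
[SSLOption1]
SSLMethod=TLSV1.3
SSLCertificate=idol.crt
SSLPrivateKey=idol.key
SSLCACertificate=ca.crt
SSLCheckCommonName=True
[SSLOption2]
SSLMethod=SSLV3
SSLCertificate=idol.crt
"""

RECOMMENDED_METHOD = "TLSV1.3"


def audit_ssl_config(config_text: str) -> list[str]:
    """Return findings for every section that sets SSLConfig (empty list = clean)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings = []
    for section in cfg.sections():
        target = cfg[section].get("SSLConfig")  # option names are case-insensitive
        if target is None:
            continue  # this section does not use SSL
        if target not in cfg:
            findings.append(f"{section}: SSLConfig refers to missing section [{target}]")
            continue
        opts = cfg[target]
        method = opts.get("SSLMethod")
        if method is None or method.upper() != RECOMMENDED_METHOD:
            findings.append(f"{target}: SSLMethod={method or 'unset'}, recommended {RECOMMENDED_METHOD}")
        # SSLCertificate and SSLPrivateKey are only valid as a pair.
        if bool(opts.get("SSLCertificate")) != bool(opts.get("SSLPrivateKey")):
            findings.append(f"{target}: SSLCertificate and SSLPrivateKey must be set together")
        # Without SSLCACertificate the peer's certificate is not verified.
        if not opts.get("SSLCACertificate"):
            findings.append(f"{target}: no SSLCACertificate, so peer certificates are not checked")
    return findings
```

Run it against a real configuration by reading the file into a string and passing it to audit_ssl_config; an empty result means none of these four problems were found.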