Creating an SSL-Enabled Interface
To add an SSL-enabled interface using the Enterprise Manager, first create an nsps or nhps interface as described in Creating Interfaces.
The following image shows an nhps (HTTPS) interface listening on port 9443.
Click the Certificates tab. The Key store path and Trust store path fields are filled in by default. The example uses the sample JKS files shipped with the server to show how to create an SSL interface. For detailed information about generating your own certificates, see Generating Certificates.
The Key store path field must contain something similar to:
c:\SoftwareAG_directory\UniversalMessaging\server\umserver\bin\server.jks
which is the path to the sample Java keystore for the server, bound to localhost.
The Trust store path field must contain something similar to the following:
c:\SoftwareAG_directory\UniversalMessaging\server\umserver\bin\nirvanacacerts.jks
Then specify the value password for both Key Store Passwd and CA Store Passwd. This is the password of the sample server keystore and of the sample CA (truststore) keystore; keystores you generate yourself will have the passwords you assigned to them.
Next, go to the Basic tab and select the Autostart Interface option to start the interface automatically when the Universal Messaging realm server starts.
Click Apply to save your changes and start the interface. If the network interface fails to start, inspect the Universal Messaging log file.
There is no limit to the number of network interfaces that can be added to a realm, and each can have its own configuration applied, including its own certificate chain. This enables you to isolate groups of clients (for example, different customers) from each other while still using only one Universal Messaging realm server.
The sample Java keystores work only when you use the loopback interface of your realm server host. If you want to provide SSL capabilities for remote connections, you must have your own keystores and valid certificate chains.
Connecting to an NHPS Interface
To connect to an nhps interface on a Universal Messaging server in the Enterprise Manager, you configure the following truststore and client keystore properties in the Software AG_directory\UniversalMessaging\java\instance_name\bin\Admin_Tools_Common.conf file of the server:
set.default.CAKEYSTORE=<path_to_truststore>
- Required.
set.default.CAKEYSTOREPASSWD=<truststore_password>
- Required.
set.default.CKEYSTORE=<path_to_client_keystore>
- Required only when client authentication is enabled.
set.default.CKEYSTOREPASSWORD=<keystore_password>
- Required only when client authentication is enabled.
The keystores must be in JKS (Java KeyStore) or PKCS12 format.
In addition, you can optionally configure an nhps URL to which clients connect by default. You specify the URL as the value of the -DRNAME property in the nenterprisemgr.conf file of the server, for example:
wrapper.java.additional.3=-DRNAME=nhps://umserver:8000
When you connect an NSPS client to an NSPS or NHPS interface, consider the following. The Java Client API implementation of the NSPS protocol does not support RFC 6125, which means that the client does not validate the host name it connected to against the Subject Alternative Names in the server's certificate. This limitation exists because of a dependency on Java JSSE and SSLSocket, which validate the host name only when the HTTPS protocol is used. The certificate chain is still checked against the client's truststore, so any certificate issued by a CA in that truststore is accepted regardless of which host it was issued for. Keep the truststore used by NSPS clients limited to the CA that issues your realm servers' certificates rather than a general-purpose set of public CAs.
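To make the consequence of the missing RFC 6125 check concrete, the following added example (not Universal Messaging code, and not the Java client's implementation) models the two client behaviours side by side: chain validation only, as the NSPS client performs it, and chain validation plus host name matching against the certificate's dNSName and iPAddress Subject Alternative Names, as an HTTPS client performs it. The certificates, host names and the "chains to a trusted CA" flag are constructed for the illustration; the wildcard rules follow RFC 6125 section 6.4.3, with the common additional restriction of rejecting wildcards on a top-level domain.

```python
"""Host name validation that a chain-only client does not perform.

Added example, not Universal Messaging code. Two constructed certificates
are checked by two client policies:
  nsps_style_accepts  - accept any certificate that chains to a trusted CA
  https_style_accepts - additionally require the dialled host to match a SAN
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ServerCert:
    """Constructed stand-in for the fields of an X.509 server certificate."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_ip: list = field(default_factory=list)    # iPAddress SAN entries
    chains_to_trusted_ca: bool = True             # result of chain validation


def _match_dns(pattern: str, host: str) -> bool:
    """RFC 6125 section 6.4.3 matching: case-insensitive, and a single '*'
    is allowed only as the entire left-most label, matching exactly one label.
    Wildcards with fewer than three labels (e.g. *.com) are rejected, a
    restriction most implementations add on top of the RFC."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: ServerCert, host: str) -> bool:
    """True if the dialled host is covered by the certificate.
    IP literals are compared only against iPAddress SANs, DNS names only
    against dNSName SANs; the subject CN is consulted only when the
    certificate carries no SAN extension at all (legacy fallback)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns or cert.san_ip:
        return any(_match_dns(p, host) for p in cert.san_dns)
    return _match_dns(cert.subject_cn, host)


def nsps_style_accepts(cert: ServerCert, host: str) -> bool:
    """Chain validation only: the host the client dialled is ignored."""
    return cert.chains_to_trusted_ca


def https_style_accepts(cert: ServerCert, host: str) -> bool:
    """Chain validation plus RFC 6125 host name matching."""
    return cert.chains_to_trusted_ca and hostname_matches(cert, host)


# Constructed certificates: the realm's own, and a second certificate issued
# by the same trusted CA for an unrelated host, as a mis-routed or hostile
# peer holding such a certificate would present it.
UM_SERVER = ServerCert("umserver.example.com",
                       san_dns=["umserver.example.com", "*.um.example.com"],
                       san_ip=["127.0.0.1"])
OTHER_HOST = ServerCert("other.example.com", san_dns=["other.example.com"])

if __name__ == "__main__":
    for cert in (UM_SERVER, OTHER_HOST):
        for host in ("umserver.example.com", "node1.um.example.com", "127.0.0.1"):
            print(f"{cert.subject_cn:22} dialled {host:22} "
                  f"nsps={nsps_style_accepts(cert, host)!s:5} "
                  f"https={https_style_accepts(cert, host)}")
```

Running the module shows that the certificate for other.example.com is accepted by the chain-only policy for every host dialled, while the host-matching policy accepts only the realm's own certificate, and only for the names and address it actually carries. That is the gap the NSPS client leaves open, and why the CA set in its truststore should be no wider than necessary.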
Enabling Client Authentication
You use the Enable Client Cert Validation check box on the Interfaces > Certificates tab to enable or disable client authentication for an nhps interface on a Universal Messaging server. If you enable client authentication, you must specify the client keystore path and the keystore password as properties in the Admin_Tools_Common.conf file of the server instance.