Communications Process

To create a new communication process, click * New Comms Server.

To view the listeners associated with a communications process, click the communications process in the communications process list.

To display all the configurable properties of the communication process, click Configure.

Auto Start
Check this to automatically start the communications process when the enterprise server instance starts.
Status
Displays the current status of the communications process:
  • Started
  • Stopped
  • Disabled
  • Blocked
  • Not Responding - This means any listener whose status is unknown because the server it is registered with is not responding to the server monitor.
  • Not Started - This means any listener with a status other than Started.
  • Not Stopped - This means any listener with a status other than Stopped.
Requested Status
The requested status of the communications process. If the region is running, at least one communications process must be started.
Process ID
Displays the process ID of this communications process.
Actual Address
Displays the network address or addresses used by the communications process to accept incoming client requests. The format is:

protocol:hostname or ip-address:port

where:

protocol
This can be tcp or tcpssl.
hostname or ip-address
This can be a single hostname or multiple IP addresses that can be either IPv4 or IPv6.
Note: Specifying 0.0.0.0 binds on all available IPv4 addresses. Specifying :: binds on all available IPv6 addresses. Specifying * binds on all available IPv4 and IPv6 addresses.
port
This must be a valid port or an asterisk * which indicates that the address is dynamically assigned for the communications process when it starts.
To add additional addresses, expand CONFIGURE and then click the + icon. To remove an address, click the - icon.
Status Log
Displays the most recent event for that communications server.

Configure

Protocol
Protocol can be tcp or tcpssl.
Hostname or IP Address
A hostname, IPv4, or IPv6 Address to accept incoming client requests. Specify * to listen on all available addresses.
Port
A port to accept incoming client requests. Specify * to pick an unused port at start up.
Custom Configuration
Specify optional textual configuration information.

TLS Settings

For an enterprise server instance, you can create a secure Communications Process control listener to encrypt the communications it handles. To do this, click TLS SETTINGS, which expands the TLS Settings group.

You must specify the following fields:

Enable TLS
Enables Transport Layer Security (TLS) for this communications process.
Certificate File
The location, on disk, of the certificate. If multiple certificates are used, separate the paths with a semicolon ';'.
Keyfile
The location, on disk, of the keyfile. If multiple keyfiles are used, separate the paths with a semicolon ';'.
Server CA Root Certificate File
Location on disk of the server CA root certificate. This root certificate is used when the Directory Server communicates with a TLS enabled Communications Process. MFDS uses it to verify whether it trusts the Communications Process' certificate chain, and therefore the Communications Process' server certificate itself.
Note: The following certificate file formats are supported: DER, CER, PKCS #7, PKCS #8, PKCS #12 and PEM. The following key file formats are supported: PKCS #8, PKCS #12 and PEM.

Advanced TLS Settings

Optionally, click Advanced to expand the advanced group of options:
Client Authentication
Select one of the client authentication types:
Accept all clients

Allow all clients to communicate with the server without being checked for a TLS/SSL certificate.

Request client certificate, and verify if present

Requests a certificate from the client and verifies the returned certificate. If the client does not return a certificate, communication continues between the client and server. If a certificate is returned and it fails to verify, communication stops. If you select this, you must specify the CA root certificates file.

Require client certificate, and verify

Always requires a client certificate and verifies it. This ensures that the client is trusted. If a certificate is not returned or it cannot be verified, communication between the client and server is stopped. If you select this, you must specify the CA root certificates file.

Honor Server Cipher List
By default, the TLS Honor Server Cipher List is checked. This forces clients to use the protocols and cipher suites specified in order of their priority.
Protocols
The list of TLS protocols to be used, in order of precedence. Each specified protocol is preceded by one of the following operators:
!
Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
+
Add. Add the protocol to the existing collection.
-
Delete. Delete the protocol from the existing collection.
For example, to only use TLS1.1 and TLS1.2, type -ALL+TLS1.1+TLS1.2
Note: The Protocols field now supports TLS1.3.
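The following is an added example, not part of the product documentation or the product's code: a small Python evaluator for the !, + and - operator rules described above, which reports the protocol set a Protocols string resolves to and flags versions deprecated by RFC 8996. The protocol name list (beyond TLS1.1, TLS1.2 and TLS1.3), the starting collection and the function names are assumptions made for illustration.

```python
import re

# Assumption: this name universe is illustrative; the page itself names only
# TLS1.1, TLS1.2 and TLS1.3, plus the ALL keyword used in its example.
KNOWN = ("TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
LEGACY = ("TLS1.0", "TLS1.1")  # deprecated by RFC 8996

_TOKEN = re.compile(r"([!+-])([A-Za-z0-9.]+)")


def evaluate_protocols(spec, initial=KNOWN):
    """Apply the !, + and - operators left to right; return the enabled list."""
    spec = spec.strip()
    if not re.fullmatch(r"(?:[!+-][A-Za-z0-9.]+)+", spec):
        raise ValueError(f"every protocol needs a leading !, + or -: {spec!r}")
    enabled = list(initial)   # assumed starting collection
    excluded = set()          # names removed with '!', which can never return
    for op, name in _TOKEN.findall(spec):
        names = KNOWN if name == "ALL" else (name,)
        for proto in names:
            if proto not in KNOWN:
                raise ValueError(f"unknown protocol name: {proto!r}")
            if op == "+":
                if proto not in excluded and proto not in enabled:
                    enabled.append(proto)
                continue
            # Both '-' and '!' drop the protocol; only '!' makes it permanent.
            if proto in enabled:
                enabled.remove(proto)
            if op == "!":
                excluded.add(proto)
    return enabled


def legacy_enabled(spec):
    """Return the deprecated protocol versions a Protocols string leaves on."""
    return [p for p in evaluate_protocols(spec) if p in LEGACY]


if __name__ == "__main__":
    # Constructed sample strings; the first is the example given on this page.
    for s in ("-ALL+TLS1.1+TLS1.2", "!TLS1.1-ALL+TLS1.1+TLS1.2+TLS1.3"):
        print(s, "->", evaluate_protocols(s), "legacy:", legacy_enabled(s))
```

Run against the page's own example string, the check reports that TLS1.1 remains enabled; the second string shows that a later +TLS1.1 has no effect once the protocol has been excluded with !.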
Cipher Suites
Specifies the priority of cipher suites to be used. The cipher suite priority is formed using a combination of keywords and keyword modifiers for a space-separated string:
!
Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
+
Add. Add the cipher suite to the end of the collection.
-
Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
TLS1.3 Cipher Suites
The list of cipher suites to be used with TLS1.3, separated by a colon ':'. For example: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Diffie-Hellman Minimum Group Size
Specifies the size in bits of the modulus length of the Diffie-Hellman group.
Note: Micro Focus recommends a minimum modulus size of 2048 bits.
Key Exchange Cipher Groups
The key exchange cipher groups to be used, separated by semicolons ';'.

For example:

secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1
TLS1.3 Middlebox Compatibility
Enables a workaround for TLS1.3 on networks with incompatible middleboxes, for example, routers and firewalls. Disabling this can improve performance on compatible networks but might result in dropped connections otherwise.