TLS Encryption

In the context of:

ESCWA
ESCWA has a network endpoint which clients use to communicate with it. Those communications are not inherently secure and can expose sensitive data as it crosses the network.

Transport Layer Security (TLS) can be used to secure these communications through encryption. The process network endpoint will only accept secure TLS communications.

Directory Server
A Directory Server has a network endpoint which other Enterprise Server processes will use to communicate with it. Those communications are not inherently secure and can expose sensitive data in communications across the network.

Transport Layer Security (TLS) can be used to secure these communications through encryption. The process network endpoint will only accept secure TLS communications.

Communications Process
A Communications Process has a network endpoint which other Enterprise Server processes will use to communicate with it. Those communications are not inherently secure and can expose sensitive data in communications across the network.

Transport Layer Security (TLS) can be used to secure these communications through encryption. The process network endpoint will only accept secure TLS communications.

Listener
A Listener has a network endpoint which clients and other Enterprise Server processes will use to communicate with it. Those communications are not inherently secure and can expose sensitive data as it crosses the network.

Transport Layer Security (TLS) can be used to secure these communications through encryption. The process network endpoint will only accept secure TLS communications.

Configuration options

ESCWA

To secure a network endpoint you will require the following, as a minimum:

  • A TLS certificate.
  • A TLS key with a passphrase.

To ensure the ESCWA network endpoint is TLS enabled, use ESCWA to perform the following steps:

  1. Click

    This opens the Enterprise Server Administration Configuration dialog box.

  2. Expand Server Settings
  3. Click TLS Settings.
  4. Check Enable TLS.
  5. In the Certificate File field, type the location of the TLS certificate on the machine where this process runs.
  6. In the Keyfile field, type the location of the TLS key on the machine where this process runs.
  7. In the Keyfile Password field, type the TLS key passphrase.
  8. Click Apply.
  9. Restart the ESCWA process.

Directory Server

To secure a network endpoint you will require the following, as a minimum:

  • A TLS certificate.
  • A TLS key with a passphrase.

To ensure a Directory Server network endpoint is TLS enabled, use ESCWA to perform the following steps:

  1. In the top menu bar, click Native.
  2. In the Native Navigation pane, expand Directory Server.
  3. Click the directory server you require, then click Properties > Connection.

    This takes you to the Connection Properties page.

  4. Check Enable TLS.
  5. Check Use Custom Certificates.
  6. In the Certificate File field, type the location of the TLS certificate on the machine where this process runs.
  7. In the Keyfile field, type the location of the TLS key on the machine where this process runs.
  8. In the Keyfile Password field, type the TLS key passphrase.
  9. Click Apply.
  10. Restart the Directory Server process.

The MF_ROOT_CERT environment variable will need to be set for processes to communicate with the Directory Server. See Securing Communications between ESCWA and MF Directory Server using TLS and Securing Communications Process to MF Directory Server using TLS for more information.

Communications Process

To secure a network endpoint you will require the following, as a minimum:

  • A TLS certificate.
  • A TLS key with a passphrase.

To ensure a region's Communications Process network endpoint is TLS enabled, use ESCWA to perform the following steps:

  1. In the top menu bar, click Native.
  2. In the Native Navigation pane, expand Directory Server.
  3. Click the region you require.
  4. Click General > Listeners.

    This opens the Communications Server Properties page.

  5. In the Native Listener Navigation pane, click the Communications Process you require.
  6. Expand Configure.
  7. Click TLS Settings.
  8. Check Enable TLS.
  9. In the Certificate File field, type the location of the TLS certificate on the machine where this region runs.
  10. In the Keyfile field, type the location of the TLS key on the machine where this region runs.
  11. In the Server CA Root Certificate File field, type the location of the server CA root certificate on the machine where this region runs.
  12. Click Apply.

Next time the region is started, the network endpoint will have TLS security. The certificate and keyfile passphrases will need to be set in the mf-server.dat configuration file. See To Configure the Passphrase in a File for more information.

Listener

To secure a network endpoint you will require the following, as a minimum:

  • A TLS certificate.
  • A TLS key with a passphrase.

To ensure a region's Listener network endpoint is TLS enabled, use ESCWA to perform the following steps:

  1. In the top menu bar, click Native.
  2. In the Native Navigation pane, expand Directory Server.
  3. Click the region you require.
  4. Click General > Listeners.

    This opens the Communications Server Properties page.

  5. In the Native Listener Navigation pane, click the listener you require.
  6. Click TLS Settings.
  7. Check Enable TLS.
  8. In the Certificate File field, type the location of the TLS certificate on the machine where this region runs.
  9. In the Keyfile field, type the location of the TLS key on the machine where this region runs.
  10. Click Apply.

Next time the region is started, the network endpoint will have TLS security. The certificate and keyfile passphrases will need to be set in the mf-server.dat configuration file and the Certificate Authority root location will need to be set in the mf-client.dat configuration file. See To Configure the Passphrase in a File and Securing Communications between ESCWA and ESMAC using TLS for more information.
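As an added example (not from the Enterprise Server documentation), the shell script below builds the minimum artefacts that the four TLS Settings procedures above ask for and checks them before their paths are entered in ESCWA: a CA root certificate (the Server CA Root Certificate File, also what MF_ROOT_CERT points at), a server certificate signed by it (Certificate File), and a passphrase-protected key (Keyfile and Keyfile Password). It assumes openssl is installed; the host name, passphrase and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Enterprise Server code. Builds a CA root, a CA-signed
# server certificate and a passphrase-protected key, then verifies that the
# three files belong together. Assumes openssl is on PATH; all names below
# are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-es-region.example}"     # constructed host name
PASS="${PASS:-change-me-keyfile-passphrase}"        # constructed passphrase

make_tls_artifacts() {
  # CA root certificate: "Server CA Root Certificate File" / MF_ROOT_CERT
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Enterprise Server Root CA" \
    -keyout "$WORK/root-key.pem" -out "$WORK/root-cert.pem" >/dev/null 2>&1
  # Server key encrypted with the passphrase entered in "Keyfile Password"
  openssl genrsa -aes256 -passout "pass:$PASS" \
    -out "$WORK/server-key.pem" 2048 >/dev/null 2>&1
  # CSR, then the CA-signed server certificate used as "Certificate File"
  openssl req -new -key "$WORK/server-key.pem" -passin "pass:$PASS" \
    -subj "/CN=$SERVER_NAME" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root-cert.pem" \
    -CAkey "$WORK/root-key.pem" -CAcreateserial -days 365 \
    -out "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Returns 0 when the certificate chains to the root AND the key, unlocked
# with the passphrase, carries the same public key as the certificate.
check_tls_artifacts() {
  openssl verify -CAfile "$WORK/root-cert.pem" "$WORK/server-cert.pem" \
    >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/server-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/server-key.pem" -passin "pass:$PASS" \
    -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 only if the keyfile cannot be opened without the passphrase,
# i.e. it really is encrypted and not a plaintext key on disk.
check_key_is_encrypted() {
  ! openssl pkey -in "$WORK/server-key.pem" -passin "pass:wrong-passphrase" \
    -noout >/dev/null 2>&1
}
```

Run `make_tls_artifacts` and then the two checks on the machine where the process or region runs; only when both checks return 0 should the three paths and the passphrase be entered in the ESCWA fields, mf-server.dat, or MF_ROOT_CERT.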