Set up an SSL Connection
There are several ways to set up Secure Socket Layer (SSL) connections for IDOL Server. For example, you can:

- Configure an SSL gateway. You configure incoming communications to a unified IDOL Server to use SSL connections, but communications between components are plain.
- Configure SSL between all IDOL components in a unified IDOL Server. All communications into IDOL, and between components, are configured with SSL connections.
- Configure SSL between stand-alone IDOL components.

In all cases the basic principle of configuring SSL is the same, but the exact configuration varies.
- Set the SSLConfig parameter to the name of the section in which you define SSL options. The configuration sections where you set SSLConfig vary depending on your setup. In general:
  - For incoming ACI calls, set the SSLConfig parameter in the [Server] section.
  - For incoming Index actions, set the SSLConfig parameter in the [IndexServer] section.
  - For incoming Service actions, set the SSLConfig parameter in the [Service] section.
  - For outgoing ACI calls to IDOL components, set the SSLConfig parameter in each component section. For example, [AgentDRE].

  For example:

      [Server]
      SSLConfig=SSLOption1

- For each SSLOption you define, create a new configuration section to contain the SSL options. For example:

      [SSLOption1]
- Within each SSL options section, you can specify the following SSL parameters:

  SSLMethod
      Determines which SSL protocol to use: TLSV1.3, TLSV1.2, TLSV1, SSLV3, or Negotiate, which uses the highest protocol supported by both client and server. Micro Focus recommends that you use TLSV1.3, unless interoperability with older systems requires use of less secure protocols.

  SSLCertificate
      The SSL certificate file to use to identify this component to a peer. The certificate can be in either ASN1 or PEM format. Micro Focus recommends that you use the PEM format. This parameter requires a matching SSLPrivateKey value.

  SSLPrivateKey
      The private security key for the SSL certificate. The security key can be in either ASN1 or PEM format. This parameter requires a matching SSLCertificate value. The private key can be password protected. See SSLPrivateKeyPassword.

  SSLCACertificate
      The Certificate Authority certificate indicating that this component trusts only communication with a peer that offers a certificate signed by the specified CAs.

  SSLCheckCertificate
      Requests a certificate signed by a trusted authority from peers. Setting SSLCACertificate implicitly sets this parameter to True. If you set SSLCheckCertificate to False, IDOL Server encrypts communications, but does not request certificates from peers.

  SSLCheckCommonName
      Determines whether the host name listed in the peer certificate (that is, the CommonName or "CN" attribute) resolves to the same IP address as the peer itself, as determined by the network connection. This parameter helps verify the identity of the peer. For example, if the host name in a certificate is eip.example.com and resolves to an IP address of 12.3.4.56, the peer must share the same IP address.

  SSLPrivateKeyPassword
      If the file defined in SSLPrivateKey is password protected, use this parameter to specify the password. The password can be in plain text or in basic or AES encryption format.
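The three steps above combined into one configuration, as an added example that is not taken from the IDOL documentation: it shows the "SSL between all IDOL components in a unified IDOL Server" layout, where incoming ACI, Index and Service connections and outgoing calls to the AgentDRE component all reference a single [SSLOption1] section. The certificate, key and CA file paths and the key password are placeholders that you replace with your own; the section and parameter names are the ones described above.

```ini
; Added example configuration (not from the IDOL documentation).
; Every listener and the outgoing AgentDRE connection point at the same
; SSL options section, so one set of certificate settings covers them all.

[Server]
; Incoming ACI calls
SSLConfig=SSLOption1

[IndexServer]
; Incoming Index actions
SSLConfig=SSLOption1

[Service]
; Incoming Service actions
SSLConfig=SSLOption1

[AgentDRE]
; Outgoing ACI calls to the AgentDRE component
; (other AgentDRE settings omitted from this example)
SSLConfig=SSLOption1

[SSLOption1]
; TLS 1.3 only; use Negotiate only if an older peer cannot offer it.
SSLMethod=TLSV1.3
; This component's own certificate and private key, in the recommended PEM format.
; Placeholder paths: replace with the real files.
SSLCertificate=/path/to/server.crt
SSLPrivateKey=/path/to/server.key
; Password for the private key file (plain text, or basic/AES encrypted form).
; Placeholder value: replace before use.
SSLPrivateKeyPassword=REPLACE_WITH_KEY_PASSWORD
; Trust only peers whose certificate is signed by this CA. Setting this
; parameter already implies SSLCheckCertificate=True; it is written out
; here so the requirement is visible when reading the file.
SSLCACertificate=/path/to/ca.crt
SSLCheckCertificate=True
; Also require that the CN in the peer certificate resolves to the peer's IP address.
SSLCheckCommonName=True
```

Because SSLCACertificate is set, every peer is asked for a certificate and must present one chained to that CA; setting SSLCheckCertificate=False in this section would keep the connections encrypted but drop peer authentication, which is the weaker configuration to watch for when reviewing an IDOL deployment.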