Set up an SSL Connection

There are several ways to set up Secure Socket Layer (SSL) connections for IDOL Server. For example, you can:

- Configure an SSL gateway. You configure incoming communications to a unified IDOL Server to use SSL connections, but communications between components are plain.
- Configure SSL between all IDOL components in a unified IDOL Server. All communications into IDOL, and between components, are configured with SSL connections.
- Configure SSL between stand-alone IDOL components.

In all cases the basic principle of configuring SSL is the same, but the exact configuration varies.

- Set the SSLConfig parameter to the name of the section in which you define SSL options. The configuration sections where you set SSLConfig vary depending on your setup. In general:
  - For incoming ACI calls, set SSLConfig in the [Server] section.
  - For incoming Index actions, set SSLConfig in the [IndexServer] section.
  - For incoming Service actions, set SSLConfig in the [Service] section.
  - For outgoing ACI calls to IDOL components, set SSLConfig in each component section. For example, [AgentDRE].

  For example:

      [Server]
      SSLConfig=SSLOption1

- For each SSLOption you define, create a new configuration section to contain the SSL options. For example:

      [SSLOption1]

- Within each SSL options section, you can specify the following SSL parameters:

  SSLMethod
    Determines which SSL protocol to use: TLSV1.3, TLSV1.2, TLSV1, SSLV3, or Negotiate, which uses the highest protocol supported by both client and server. OpenText recommends that you use TLSV1.3, unless interoperability with older systems requires use of less secure protocols.

  SSLCertificate
    The SSL certificate file to use to identify this component to a peer. The certificate can be in either ASN1 or PEM format. OpenText recommends that you use the PEM format. This parameter requires a matching SSLPrivateKey value.

  SSLPrivateKey
    The private key for the SSL certificate. The key can be in either ASN1 or PEM format. This parameter requires a matching SSLCertificate value. The private key can be password protected; see SSLPrivateKeyPassword.

  SSLCACertificate
    The Certificate Authority certificate. Setting it indicates that this component trusts only communication with a peer that offers a certificate signed by the specified CAs.

  SSLCheckCertificate
    Requests a certificate signed by a trusted authority from peers. Setting SSLCACertificate implicitly sets this parameter to True. If you set SSLCheckCertificate to False, IDOL Server encrypts communications, but does not request certificates from peers.

  SSLCheckCommonName
    Determines whether the host name listed in the peer certificate (that is, the CommonName or "CN" attribute) resolves to the same IP address as the peer itself, as determined by the network connection. This parameter helps verify the identity of the peer. For example, if the host name in a certificate is eip.example.com and resolves to an IP address of 12.3.4.56, the peer must share the same IP address.

  SSLPrivateKeyPassword
    If the file defined in SSLPrivateKey is password protected, use this parameter to specify the password. The password can be in plain text or in basic or AES encryption format.
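The constraints above (SSLConfig must point at an existing section, SSLCertificate and SSLPrivateKey must be set together, SSLCACertificate governs whether peer certificates are requested, TLSV1.3 is the recommended method) are easy to get wrong across many component sections. The following added example, which is not IDOL code and not from the OpenText documentation, audits an IDOL-style INI configuration against those rules. It assumes the configuration uses the `[Section]` / `Name=Value` layout shown above and that parameter names are compared case-insensitively (an assumption, not something the page states); the sample configuration, section names such as `[DataDRE]`, and all file paths are constructed for illustration.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample configuration in the layout shown on the page.
# Section names, paths and the password are illustrative only.
SAMPLE_CONFIG = """
[Server]
Port=9000
SSLConfig=SSLOption1

[IndexServer]
Port=9001
SSLConfig=SSLOption1

[Service]
Port=9002

[AgentDRE]
Host=localhost
Port=9010
SSLConfig=SSLOption2

[DataDRE]
Host=localhost
Port=9020
SSLConfig=SSLOption3

[SSLOption1]
SSLMethod=TLSV1.3
SSLCertificate=certs/idol.pem
SSLPrivateKey=certs/idol.key
SSLPrivateKeyPassword=example-password
SSLCACertificate=certs/ca.pem
SSLCheckCommonName=True

[SSLOption2]
SSLMethod=SSLV3
SSLCertificate=certs/agent.pem
SSLCheckCertificate=False
"""

WEAK_METHODS = {"TLSV1", "SSLV3"}            # "less secure protocols" per the page
LISTENER_SECTIONS = ("Server", "IndexServer", "Service")  # incoming-connection sections


def load_config(text: str) -> configparser.ConfigParser:
    """Parse INI-style text; interpolation is off so a literal '%' in a value is kept."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    return cp


def get_param(section: configparser.SectionProxy, name: str) -> Optional[str]:
    """Case-insensitive parameter lookup (assumed behaviour, see lead-in)."""
    for key, value in section.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_ssl_section(cp: configparser.ConfigParser, name: str) -> List[str]:
    """Apply the page's rules to one SSL options section; return findings (empty = clean)."""
    if not cp.has_section(name):
        return [f"ERROR: SSLConfig points at [{name}] but that section does not exist"]
    sec = cp[name]
    findings: List[str] = []

    method = get_param(sec, "SSLMethod")
    if method is None:
        findings.append("WARN: SSLMethod is not set")
    elif method.upper() in WEAK_METHODS:
        findings.append(f"WARN: SSLMethod={method} is a less secure protocol; TLSV1.3 is recommended")
    elif method.upper() == "NEGOTIATE":
        findings.append("INFO: SSLMethod=Negotiate uses the highest protocol both sides support; pin TLSV1.3 if peers allow")

    cert = get_param(sec, "SSLCertificate")
    key = get_param(sec, "SSLPrivateKey")
    if cert and not key:
        findings.append("ERROR: SSLCertificate requires a matching SSLPrivateKey")
    if key and not cert:
        findings.append("ERROR: SSLPrivateKey requires a matching SSLCertificate")

    if get_param(sec, "SSLCACertificate") is None:
        findings.append("INFO: no SSLCACertificate; peers need not present a certificate signed by a trusted CA")
    check_cert = get_param(sec, "SSLCheckCertificate")
    if check_cert is not None and check_cert.lower() == "false":
        findings.append("WARN: SSLCheckCertificate=False; traffic is encrypted but peer certificates are not requested")

    if get_param(sec, "SSLCheckCommonName") is None:
        findings.append("INFO: SSLCheckCommonName not set; the certificate CN is not checked against the peer address")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map every section that uses (or should use) SSLConfig to its findings."""
    cp = load_config(text)
    report: Dict[str, List[str]] = {}
    for section in cp.sections():
        ssl_name = get_param(cp[section], "SSLConfig")
        if ssl_name is None:
            if section in LISTENER_SECTIONS:
                report[section] = ["INFO: no SSLConfig; this listener accepts plain connections"]
            continue
        report[section] = check_ssl_section(cp, ssl_name)
    return report


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_CONFIG).items():
        print(f"[{section}]: " + ("OK" if not findings else ""))
        for finding in findings:
            print("    " + finding)
```

Run against a real configuration by replacing `SAMPLE_CONFIG` with the file contents. In the sample, `[Server]` and `[IndexServer]` come back clean, `[Service]` is reported as a plain listener, `[AgentDRE]` collects the weak-protocol, missing-key, missing-CA, certificate-check-disabled and CN-check findings, and `[DataDRE]` is flagged because `SSLOption3` is never defined.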