[NET_SETTINGS]

Use the [NET_SETTINGS] section of the assignment file to define TLS connection profiles and the keys or certificates they require. These profiles can be used to configure different TLS connector paths.

Syntax

[NET_SETTINGS]
ConnectionProfile  ConnectorOptions

For example:

[NET_SETTINGS]
SrvCert verify_server=yes, ca_cert=usys:mycacert.crt 

Arguments

  • ConnectionProfile—name of a TLS connector configuration
  • ConnectorOptions—comma-separated list of TLS connector options to use for the configuration. For more information, see TLS Connector Options.

    Note: When specifying options with an equals sign (=), there must be no spaces surrounding the = sign; otherwise, an error is returned.

Use

Use in the assignment files of client applications, Uniface Servers, and Uniface Routers.

Description

The TLS client and TLS server must have a matching entry in their assignment files, meaning that the profile name must be the same in both the TLS client and TLS server assignment files, and the CA certificate specified in the client profile must be the one used to verify the server certificate and public key specified in the Uniface Router.

The number of profiles that can be defined for a Uniface Router is restricted to a maximum of 4, because each profile requires its own port and a Uniface Router can listen to a maximum of 4 ports. If the TCP connector is also used, the maximum is 3, and if the USYS$TLS_PARAMS is also defined, the maximum is 2.

There is no such restriction on the number of profiles in the [NET_SETTINGS] section in client and Uniface Server assignment files.

Example: Matching Profiles in TLS Client and Server

This example shows the connection parameters for a matching connection profile, SrvCert, in a client application and the Uniface Router. The client assignment file contains the following settings for connecting to a Uniface Server.

;client.asn
[NET_SETTINGS]
SrvCert verify_server=yes, ca_cert=usys:mycacert.crt

[PATHS]
$SRV    TLS:server1.mydomain+13002:SrvCert|user|password|MyUst 

The assignment file of the Uniface Router contains the following settings:

; urouter.asn
[NET_SETTINGS]
SrvCert verify_server=yes, srv_cert=usys:myserver1.crt, %\
            srv_key=usys:myserver1.key

[SERVERS]
MyUST=userver.exe /asn=userver.asn /dnp=TLS:+13001

  1.  The name of the connection profile is the same for client and Uniface Router.
  2.  Both assignment files contain the TLS connector option verify_server, which instructs the TLS connector to perform server verification.
  3.  The connection profile of the client contains the ca_cert option, which specifies the certificate used to verify the Uniface Router's certificate and public key.
  4.  The connection profile of the Uniface Router contains the options srv_cert and srv_key, which specify the server certificate and key to be verified.

Multiple Paths with Different Profiles

In this example, paths $TLS1 to $TLS3 use connection profiles defined in [NET_SETTINGS], but path $TLS4 uses USYS$TLS_PARAMS since there is no profile name in this path. USYS$TLS_PARAMS must specify at least shared_key, verify_client, or verify_server. Otherwise, the connection fails with a network error.

[NET_SETTINGS]
PskEnc shared_key=Very S3cret
Srv1Cert verify_server=yes, %\
         ca_cert=usys:ca_cert.crt
Srv2Cert verify_server=yes, %\
         srv_cert=usys:myserver1.crt, %\
         srv_key=usys:myserver1.key

[PATHS]
$TLS1      TLS:host1+13001:PskEnc|user|pwd
$TLS2      TLS:host2+13001:Srv1Cert|user|pwd
$TLS3      TLS:host3+13001:Srv2Cert|user|pwd
$TLS4      TLS:host4+13001|user|pwd
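
The following is an added example, not part of the Uniface documentation or tooling: a small pre-deployment check for an assignment file that flags spaces around = in a profile (see the Note under Arguments), TLS paths that name a profile not defined in [NET_SETTINGS], and TLS paths with no profile name, which depend on USYS$TLS_PARAMS. The function names parse_sections and lint are hypothetical, and the handling of ; comment lines and the %\ continuation marker is assumed from the examples on this page.

```python
import re

def parse_sections(text):
    """Split an assignment file into {SECTION: [logical lines]}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):    # blank or comment line
            continue
        if line.endswith("%\\"):                # continuation marker %\
            pending += line[:-2].rstrip() + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
        elif current:
            sections.setdefault(current, []).append(line)
    return sections

def lint(text):
    """Return findings for [NET_SETTINGS] profiles and TLS paths in [PATHS]."""
    sections, findings, profiles = parse_sections(text), [], set()
    for line in sections.get("NET_SETTINGS", []):
        name, options = (line.split(None, 1) + [""])[:2]
        profiles.add(name)
        if re.search(r"\s=|=\s", options):      # whitespace next to '='
            findings.append(f"{name}: space around '='")
    for line in sections.get("PATHS", []):
        path, target = (line.split(None, 1) + [""])[:2]
        parts = target.split("|")[0].split(":")  # TLS, host+port, [profile]
        if parts[0].upper() != "TLS":
            continue
        if len(parts) < 3:
            findings.append(f"{path}: no profile, falls back to USYS$TLS_PARAMS")
        elif parts[2] not in profiles:           # exact-match comparison (assumption)
            findings.append(f"{path}: undefined profile {parts[2]}")
    return findings

# Constructed sample input, not from a real deployment.
SAMPLE = """\
[NET_SETTINGS]
PskEnc shared_key = Very S3cret
Srv1Cert verify_server=yes, %\\
         ca_cert=usys:ca_cert.crt
[PATHS]
$TLS1 TLS:host1+13001:Srv1Cert|user|pwd
$TLS3 TLS:host3+13001:Srv2Cert|user|pwd
$TLS4 TLS:host4+13001|user|pwd
"""
```

Calling lint(SAMPLE) reports the spaced shared_key option, the undefined Srv2Cert reference, and the profile-less $TLS4 path; $TLS1 passes because Srv1Cert is defined.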