Configure Server Verification for TLS

To enable server verification, you must set verify_server=yes in the assignment files of both TLS server and clients, and specify the certificates and public key used for encryption.

Note: The following procedure uses the USYS$TLS_PARAMS setting but you can choose to define a connection profile instead. For more information, see Configure Multiple TLS Connections.

  1. In the TLS server’s assignment file:
    1. Set the TLS connector option verify_server=yes with USYS$TLS_PARAMS.
    2. Specify a server certificate using the server_certificate option, and the key using the server_key option.

      For example, the Uniface Router is always a TLS server, so edit the urouter.asn assignment file.

      If the certificate and key are concatenated in the same file, you need to specify that file with both the server_certificate and server_key options. If neither parameter is specified, it is assumed that the certificate and key are located in usys:server.crt and usys:server.key, respectively.

      If the key file is password protected, specify the password using the server_key_password option.

      ; urouter.asn
      [DRIVER_SETTINGS]
      USYS$TLS_PARAMS verify_server=yes, %\
                      server_certificate=D:\certificates\server.crt, %\
                      server_key=D:\certificates\server.key, %\
                      server_key_password=sk_pa5sWord
    3. If the TLS server is an exclusive server, and the client application has not disabled peer name verification, verification will fail because the default host name of the exclusive server is its IP address, not its host name.

      You must therefore add the /hostrc switch for all USTs that specify exclusive servers in the [SERVERS] section of the Uniface Router assignment file. This switch ensures that the host name and not the IP address is used for the connection between the client application and the exclusive server.

  2. In the TLS client assignment files:
    1. Set the option verify_server=yes.

      For example, all shared Uniface Servers started by the Uniface Router and all Uniface applications that use these servers are TLS clients, so edit their assignment settings:

      ; myapp.asn and userver.asn
      [DRIVER_SETTINGS]
      USYS$TLS_PARAMS verify_server=yes, verify_server_name=dns:*.mycompany.com, %\
                      ca_certificate=D:\certificates\server.crt
    2. Specify the certificate needed to validate the TLS server's certificate using the ca_certificate option.

      If the server certificate is self-signed, the ca_certificate specified for the TLS clients must be the same as the server_certificate that is specified in the TLS server assignment file.

      If the certificate is in a trust store, you can specify the location using ca_location instead of using ca_certificate.

    3. Specify one or more names with verify_server_name that can be used to check that the server name matches the name in the certificate. This provides more certainty of the peer name matching than relying on the default server name. For more information, see Default Peer Name.
    4. In TLS client application files, modify the paths to use the TLS connector (instead of the TCP connector).
      [PATHS]
      $DATA      TLS:Host+14001|user|password|ust
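The following Python script is an added example written for this page, not part of Uniface: it parses a server and a client assignment file using the USYS$TLS_PARAMS syntax shown above (comma-separated options, %\ line continuation, ; comments) and reports where the pair deviates from the procedure. The function names (parse_asn, tls_params, check_server_verification) and the sample files are constructed for the example; the self_signed flag assumes a self-signed server certificate, as in the example above, unless set to False.

```python
def parse_asn(text):
    """{SECTION: {key: value}}; '%\\' at end of line continues it, ';' comments."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.endswith("%\\"):          # continuation marker, join with next line
            pending += line[:-2]
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        else:
            key, _, value = line.partition(" ")
            sections.setdefault(section, {})[key] = value.strip()
    return sections

def tls_params(sections):
    """Split USYS$TLS_PARAMS into {option: value} with lower-cased option names."""
    raw = sections.get("DRIVER_SETTINGS", {}).get("USYS$TLS_PARAMS", "")
    pairs = (p.partition("=") for p in raw.split(",") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def check_server_verification(server_asn, client_asn, self_signed=True):
    """Return findings; an empty list means the pair follows the procedure."""
    srv, client = tls_params(parse_asn(server_asn)), parse_asn(client_asn)
    cli, findings = tls_params(client), []
    for side, params in (("server", srv), ("client", cli)):
        if params.get("verify_server") != "yes":
            findings.append(f"{side}: verify_server=yes not set")
    if "ca_certificate" not in cli and "ca_location" not in cli:
        findings.append("client: neither ca_certificate nor ca_location set")
    elif (self_signed and "ca_certificate" in cli
          and cli["ca_certificate"] != srv.get("server_certificate", "usys:server.crt")):
        findings.append("client: ca_certificate must equal server_certificate (self-signed)")
    if "verify_server_name" not in cli:
        findings.append("client: verify_server_name not set, default peer name is used")
    for name, target in client.get("PATHS", {}).items():
        if target.upper().startswith("TCP:"):
            findings.append(f"client: path {name} still uses the TCP connector")
    return findings
# Constructed sample files mirroring the page's urouter.asn and myapp.asn.
SERVER_ASN = r"""[DRIVER_SETTINGS]
USYS$TLS_PARAMS verify_server=yes, %\
                server_certificate=D:\certificates\server.crt"""
CLIENT_ASN = r"""; myapp.asn
[DRIVER_SETTINGS]
USYS$TLS_PARAMS verify_server=yes, verify_server_name=dns:*.mycompany.com, %\
                ca_certificate=D:\certificates\server.crt
[PATHS]
$DATA      TLS:Host+14001|user|password|ust"""
```

Running check_server_verification(SERVER_ASN, CLIENT_ASN) returns an empty list for the samples; a client file that omits verify_server or keeps a TCP: path produces one finding per problem.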