Configure the TLS Connector to Use Certificates

To configure the TLS connector to use certificates to secure the connection and encrypt the data, you must enable server verification. If required, you can also enable client verification.

In both cases, this is a matter of setting TLS connector options in the appropriate assignment files.

  1. Obtain or generate the required certificates and their keys and make them available on the machine that will be verified. These are not included as part of the Uniface installation or distribution.
    • For a CA-signed certificate, make the CA certificate available on the machine that will do the verification. You can obtain certificates from trusted third-party CAs, such as Symantec, Verizon, Let's Encrypt, CAcert, and many other organizations, both commercial and non-profit.
    • For a self-signed certificate, make the certificate available on both the TLS server and TLS client machines. For more information, see Create a Self-Signed Certificate.

    Note:  All certificates and keys must be in PEM format.

    Uniface looks for the default certificates server.crt and ca-bundle.crt in the \common\usys directory of your Uniface installation, and personal.crt in the current working directory. Alternatively, CA certificates can be placed in a hashed trust store directory or concatenated into a single CA certificate file at another location.

    You can specify the locations of keys and certificates using TLS configuration options (server_certificate, server_key, client_certificate, client_key, and ca_certificate), or redirect them to different paths in the [FILES] section of the assignment file. When specifying relative paths in connector options, the paths are relative to Uniface's current working directory.

  2. Configure your Uniface Router and its servers and client applications to use the TLS connector instead of the TCP/IP connector. To do so, replace TCP: with TLS: in the connection string of all paths that lead to the specific Uniface Router. This can include database paths, and the $DEFAULT_NET and $DNP settings. For example:

    [PATHS]
    $SRV = TLS:ServerHost+13004:SecureProfile|user|password|Server1

    For more information, see Network Connection Strings

  3. Configure the TLS server (the Uniface Router) and TLS client for server verification. The TLS server needs access to its certificate and key, and the TLS client needs access to the trusted CA certificate with which the server certificate was signed.
    • In the assignment file of the TLS server, set the following connector options:
      • verify_server=yes
      • server_certificate=ServerCertificateFile
      • server_key=ServerKeyFile
      • server_key_password=ServerKeyFilePassword (optional)

      If the certificate and key are concatenated in the same file, specify that file with both the server_certificate and server_key options. If neither option is specified, it is assumed that the certificate and key are located in usys:server.crt and usys:server.key, respectively.

    • In the assignment file of the TLS clients:
      • verify_server=yes
      • verify_server_name=ServerNameList | no (optional)
      • ca_certificate=CaCertificateFile or ca_location=CaHashedTrustStore
    • If the server's key file is password protected, specify the password in the TLS server's assignment file using the server_key_password option. The TLS client never needs the server's key or its password; only the CA certificate is distributed to clients.

    For more information, see Configure Server Verification for TLS.

  4. Optionally configure the TLS client and server for client verification. The TLS client needs access to its certificate and key, and the TLS server needs access to the trusted CA certificate with which the client certificate was signed. The TLS server also checks the name in the client certificate against the names configured on the server, so verify_client_name must either list one or more acceptable client names or be set to no to disable peer name verification.
    • In the assignment file of the TLS server, set the following connector options:
      • verify_client=yes
      • verify_client_name=ClientNameList | no
      • ca_certificate=CaCertificateFile or ca_location=CaHashedTrustStore
    • In the assignment file of the TLS clients:
      • verify_client=yes
      • client_certificate=ClientCertificateFile
      • client_key=ClientKeyFile
      • client_key_password=ClientKeyFilePassword (optional)

      If the certificate and key are concatenated in the same file, you only need to specify that file with both the client_certificate and client_key options. If neither parameter is specified, it is assumed that the certificate and key are located in personal.crt and personal.key, respectively.

      For more information, see Configure Client Verification for TLS.
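    The four steps above worked end to end, as an added example that is not part of the Uniface documentation or product: a POSIX shell script that uses OpenSSL to create a private CA, a server certificate and a client certificate in PEM format, builds a hashed trust store for ca_location, checks that both leaf certificates chain to the CA and carry the name the peer will verify, and then writes assignment-file fragments for the Uniface Router (TLS server) and for a client. The output directory, the ServerHost and Client1 names, the "Demo Root CA" subject, the [DRIVER_SETTINGS] section with its "TLS U1.0 option=value, ..." syntax and the ";" comment character are assumptions made for this illustration; check them against the assignment-file reference for your Uniface version before using the fragments.

```sh
#!/bin/sh
# Added example, not part of the Uniface documentation. Generates PEM
# certificates with OpenSSL and writes assignment-file fragments for the
# TLS connector. Names, paths and the assignment-file syntax are assumptions.
set -eu

OUTDIR="${1:-./tls-demo}"   # assumed working directory for the demo
SERVER_HOST="ServerHost"    # name clients will list in verify_server_name
CLIENT_NAME="Client1"       # name the router will list in verify_client_name
DAYS=365

mkdir -p "$OUTDIR/truststore"
cd "$OUTDIR"

# Step 1a: private CA. Only ca.crt is distributed; ca.key stays with the CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# Step 1b: issue a CA-signed leaf certificate. The CN and a DNS SAN both carry
# the name the peer compares against verify_server_name / verify_client_name;
# extendedKeyUsage stops a client certificate being reused as a server one.
issue_cert() {
  name="$1"; base="$2"; eku="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$base.key" -out "$base.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$name" "$eku" > "$base.ext"
  openssl x509 -req -sha256 -days "$DAYS" -in "$base.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile "$base.ext" -out "$base.crt" 2>/dev/null
  rm -f "$base.csr" "$base.ext"
  chmod 600 "$base.key"        # private keys are never world-readable
}
issue_cert "$SERVER_HOST" server   serverAuth   # server.crt / server.key
issue_cert "$CLIENT_NAME" personal clientAuth   # personal.crt / personal.key

# Step 1c: hashed trust store for ca_location (ca_certificate=ca.crt is the
# single-file alternative). 'openssl rehash' needs OpenSSL 1.1.0 or later.
cp ca.crt truststore/
openssl rehash truststore 2>/dev/null || c_rehash truststore >/dev/null

# Checks a practitioner runs before touching the assignment files.
verify_chain()      { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
cert_has_dns_name() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
has_hashed_store()  { set -- truststore/*.0; [ -e "$1" ]; }

verify_chain server.crt
cert_has_dns_name server.crt "$SERVER_HOST"
verify_chain personal.crt
cert_has_dns_name personal.crt "$CLIENT_NAME"
has_hashed_store

# Steps 2-4, TLS server side (Uniface Router): its own certificate and key for
# server verification, plus the CA and client name list for client verification.
cat > urouter.asn <<EOF
; assumed syntax: [DRIVER_SETTINGS] with comma-separated connector options
[DRIVER_SETTINGS]
TLS U1.0 verify_server=yes, server_certificate=$PWD/server.crt, server_key=$PWD/server.key, verify_client=yes, verify_client_name=$CLIENT_NAME, ca_location=$PWD/truststore
EOF

# Steps 2-4, TLS client side: TLS: instead of TCP: in the path, the CA that
# signed the server certificate, the expected server name, and the client's
# own certificate and key for client verification.
cat > client.asn <<EOF
[PATHS]
\$SRV = TLS:$SERVER_HOST+13004:SecureProfile|user|password|Server1

[DRIVER_SETTINGS]
TLS U1.0 verify_server=yes, verify_server_name=$SERVER_HOST, ca_certificate=$PWD/ca.crt, verify_client=yes, client_certificate=$PWD/personal.crt, client_key=$PWD/personal.key
EOF

echo "certificates and assignment fragments written to $PWD"
```

    Run it once on the CA machine, then copy only ca.crt (or the truststore directory) plus each party's own certificate and key to the machine that needs them; the CA key and the other party's private key must not travel. The name placed in the SAN and CN is what verify_server_name and verify_client_name are compared against, so it must match what the other side is configured to expect, or name verification will fail even though the chain is valid.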
