Configuring SSL Messaging

This section describes how to configure SSL messaging on the TA system. TA uses Java Messaging Service (JMS) to implement communications among its components.

Obtaining Server Keys and Certificates

You need a server key pair and a certificate for each of the following components:

  • Client Manager

  • Primary Master

If you plan to use a Remote Master, you also need a server key pair and a certificate for it.

If you are setting up a fault-tolerant system, you also need a server key pair and a certificate for each of the following components:

  • Backup Master

  • Fault Monitor

The keys and certificates for these servers must be stored in Java KeyStore (JKS) files.

You may generate the key and certificate yourself or obtain them from a trusted certificate authority (CA), using one of the methods described below.

Generating Keys and Certificates

There are various tools that allow you to generate keys and certificates, among them the Java Keytool that comes with the JRE installation.

Example: Java Keytool: generating a key and certificate in a keystore
keytool -keystore my_keystore -alias my_alias -genkey -keyalg RSA

You can use the keys and certificates you generate yourself to implement and test quickly. However, to set up a production-grade server, we recommend having a well-known certificate authority (CA) sign the keys and certificates.

Obtaining a Key and Certificate from a Trusted CA

There are many trusted CAs, such as AddTrust, Entrust, GeoTrust, RSA Data Security, Thawte, VISA, ValiCert, Verisign and beTRUSTed. Each CA has its own instructions that should be followed (look for the JSSE section), but all of them involve a step to generate a certificate signing request (CSR).

Example: Java Keytool: generating a CSR
keytool -certreq -alias my_alias -keystore my_keystore -file my_csr.CSR

Exporting and Importing a Certificate

When SSL messaging is enabled, each TA server only sends messages to, and accepts messages from, the servers it trusts. To authorize messaging between two servers, you must ensure that each server's certificate is registered in the other's trust store. Java Keytool provides certificate export and import options to help you accomplish this.

Example: Java Keytool: exporting a certificate from a keystore to a file
keytool -export -alias my_alias -file my_cer.cer -keystore my_keystore -storepass my_keystore_password

Example: Java Keytool: importing a certificate from a file into a trust store
keytool -import -v -trustcacerts -alias my_alias -file my_cer.cer -keystore my_truststore -storepass my_truststore_password
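
The full exchange between two TA components (here the Client Manager and the Primary Master), carried through as one script with a check that each trust store ends up holding the other side's certificate; this is an added example, not part of the TA documentation, and the aliases (cm, pm), file names and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example: mutual trust between two TA components using keytool.
# Aliases, file names and the password are assumptions for the demo only.
set -eu

# Generate a key pair and self-signed certificate in a component's JKS keystore.
gen_keypair() {   # $1 = alias, $2 = keystore, $3 = password
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -storetype JKS \
    -alias "$1" -keystore "$2" -storepass "$3" -keypass "$3" \
    -dname "CN=$1, O=TA test" >/dev/null 2>&1
}

# Export one component's certificate (PEM) to a file for the peer to import.
export_cert() {   # $1 = alias, $2 = keystore, $3 = password, $4 = output file
  keytool -exportcert -rfc -alias "$1" -keystore "$2" -storepass "$3" \
    -file "$4" >/dev/null 2>&1
}

# Import a peer's certificate into a component's trust store.
# -noprompt suppresses the interactive "Trust this certificate?" question.
# Note: -storepass on the command line lands in shell history and process
# listings; omit it in production and let keytool prompt for the password.
import_cert() {   # $1 = alias, $2 = cert file, $3 = trust store, $4 = password
  keytool -importcert -noprompt -trustcacerts -storetype JKS -alias "$1" \
    -file "$2" -keystore "$3" -storepass "$4" >/dev/null 2>&1
}

# Return 0 if trust store $1 (password $2) contains an entry for alias $3.
trusts() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Client Manager (cm) and Primary Master (pm): each trusts the other's certificate.
setup_mutual_trust() {   # $1 = working directory
  d=$1
  gen_keypair cm "$d/cm_keystore.jks" changeit
  gen_keypair pm "$d/pm_keystore.jks" changeit
  export_cert cm "$d/cm_keystore.jks" changeit "$d/cm.cer"
  export_cert pm "$d/pm_keystore.jks" changeit "$d/pm.cer"
  import_cert pm "$d/pm.cer" "$d/cm_truststore.jks" changeit   # CM trusts PM
  import_cert cm "$d/cm.cer" "$d/pm_truststore.jks" changeit   # PM trusts CM
  # Verify both directions before enabling SSL messaging.
  trusts "$d/cm_truststore.jks" changeit pm && trusts "$d/pm_truststore.jks" changeit cm
}
```

Run it as `setup_mutual_trust /path/to/workdir`; it exits non-zero if either trust store is missing the peer's certificate.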

The following sections describe the configuration for each TA server and indicate which other TA servers' certificates must be imported into that server's trust store.