
Does XCOM support having multiple sets of SSL certificates (different CAs)

Article ID: 228081

Products

XCOM Data Transport; XCOM Data Transport - Windows

Issue/Introduction

Need to migrate to a new CA issuing authority. The issue is that the majority of applications that transfer to this host also transfer to other hosts, which may not have the same trust certificate. Can XCOM have two sets of certificates in the certs and private folders, one for the old CA issuing authority and one for the new CA issuing authority?

Environment

Release : 11.6

Component : CA XCOM Data Transport for Windows

Resolution

1. The XCOM configssl.cnf file (in directory "%XCOM_HOME%\config\") only supports a single .pem file in each of its "[...]" sections for the INITIATE_SIDE and RECEIVE_SIDE parameters.
So the [CA] section, which checks the certificates of incoming partners, cannot reference multiple copies of the file cassl.pem.
However, concatenating the certificates into a single cassl.pem file is the way XCOM can support multiple CA certificates, and this KB article covers it: Concatenate certificates for incoming XCOM SSL transfers from different systems

2. Follow-on question
As well as concatenating certificates into the "%XCOM_HOME%\ssl\certs\cassl.pem" file, can multiple CA certificates for the same CN be appended to these files?
"%XCOM_HOME%\ssl\certs\clientcert.pem"
"%XCOM_HOME%\ssl\certs\servercert.pem"
"%XCOM_HOME%\ssl\private\clientkey.pem"
"%XCOM_HOME%\ssl\private\serverkey.pem"
XCOM Engineering ran some tests concatenating different root certificates into the "[CA]" file cassl.pem.
They found that transfers were successful as long as each partner had all root certificates in its cassl.pem file. The sequence of certificates does not seem to matter, i.e. they can be concatenated in any order.
They did not need to regenerate any certificate/key files for the client (clientcert.pem, clientkey.pem) or the server (servercert.pem, serverkey.pem), so there is no need to consider concatenation for those files.
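As an added illustration (not code from this article or from XCOM), the following Python builds a merged cassl.pem from an old-CA bundle and a new-CA bundle and checks the result the way Engineering's test implies it should behave: the same set of certificates regardless of order, exact duplicates dropped, and a truncated or mis-pasted block reported before the file is copied to either partner. The two certificate blocks are constructed placeholders (base64 of a text label), not real CA certificates, and all helper names are the example's own.

```python
import base64
import binascii
import hashlib
from typing import Dict, List, Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the decoded payload of every CERTIFICATE block in a PEM bundle.

    Raises ValueError on a truncated block (BEGIN without END) or a body that
    is not valid base64, the two usual results of a bad copy/paste when
    cassl.pem files are concatenated by hand.
    """
    certs: List[bytes] = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i] != BEGIN:
            i += 1  # text outside a block (comments, blank lines) is ignored
            continue
        body: List[str] = []
        i += 1
        while i < len(lines) and lines[i] != END:
            body.append(lines[i])
            i += 1
        if i >= len(lines):
            raise ValueError("truncated certificate block: BEGIN without matching END")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
        if not der:
            raise ValueError("empty certificate block")
        certs.append(der)
        i += 1  # skip the END line
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 over the decoded block; for a real certificate this is its DER fingerprint."""
    return hashlib.sha256(der).hexdigest()


def bundle_error(text: str) -> Optional[str]:
    """None if the bundle parses cleanly, otherwise the reason it did not."""
    try:
        parse_pem_bundle(text)
    except ValueError as exc:
        return str(exc)
    return None


def concatenate_bundles(*bundles: str) -> str:
    """Merge several PEM bundles into one cassl.pem, dropping exact duplicates."""
    unique: Dict[str, bytes] = {}
    for bundle in bundles:
        for der in parse_pem_bundle(bundle):
            unique.setdefault(fingerprint(der), der)
    out = []
    for der in unique.values():
        b64 = base64.b64encode(der).decode("ascii")
        wrapped = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
        out.append(f"{BEGIN}\n{wrapped}\n{END}\n")
    return "".join(out)


def bundles_equivalent(a: str, b: str) -> bool:
    """True when both bundles carry the same set of certificates, in any order."""
    return {fingerprint(d) for d in parse_pem_bundle(a)} == {fingerprint(d) for d in parse_pem_bundle(b)}


def _constructed_block(label: bytes) -> str:
    # Constructed placeholder: the body is base64 of a text label, not a real X.509 certificate.
    b64 = base64.b64encode(label).decode("ascii")
    return f"{BEGIN}\n{b64}\n{END}\n"


OLD_CA_PEM = _constructed_block(b"CONSTRUCTED PLACEHOLDER: old CA root")
NEW_CA_PEM = _constructed_block(b"CONSTRUCTED PLACEHOLDER: new CA root")

if __name__ == "__main__":
    merged = concatenate_bundles(OLD_CA_PEM, NEW_CA_PEM)
    print(f"merged bundle holds {len(parse_pem_bundle(merged))} certificates")
    print("order-independent:", bundles_equivalent(merged, concatenate_bundles(NEW_CA_PEM, OLD_CA_PEM)))
    print("truncated copy:", bundle_error(OLD_CA_PEM.replace(END, "")))
```

Run bundle_error over the merged file before it goes to each partner, and bundles_equivalent between the two partners' copies: Engineering's result depends on both sides holding all root certificates, and a silently truncated block on one side is the failure this catches.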


In summary, there are 3 options:
a. As a best practice for keeping the environment secure, keep the root certificates the same and up to date across all systems.
b. If option a is not possible at this time, then per Engineering's tests, where feasible, concatenate the cassl.pem files into a single file on both sides of the transfer, i.e. both sides have all root certificates in that file.
c. Though it is not recommended, a potential workaround is to temporarily disable certificate verification until all root certificates are in sync, i.e. in the configssl.cnf file change the [VERIFY_CERTIFICATE] section from the default YES to NO.
XCOM performs 2-way (mutual) SSL authentication for a secure transfer, and like the other parameters in the configssl.cnf file, [VERIFY_CERTIFICATE] has both INITIATE_SIDE and RECEIVE_SIDE values.
INITIATE_SIDE applies when the XCOM server initiates the transfer (acting as the SSL client); its value controls whether the server checks the certificate of the XCOM partner (the SSL server) when it receives it.
RECEIVE_SIDE applies when the XCOM server receives the transfer (acting as the SSL server); its value controls whether the server checks the certificate of the XCOM partner (the SSL client) when it receives it.
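The following Python is an added example, not part of this article or of XCOM: a small audit that reads a configssl.cnf and reports each side on which [VERIFY_CERTIFICATE] is NO (with the article's description of which partner certificate then goes unchecked), plus any side whose [CA] entry has no cassl.pem path. The article gives the section and parameter names; the INI-style key=value layout and the sample paths are assumptions made for the example.

```python
import configparser
from typing import Dict, List

# Assumed layout of configssl.cnf: INI-style sections, each with INITIATE_SIDE and
# RECEIVE_SIDE keys. The section and key names come from the article; the delimiter
# syntax is an assumption, and the paths below are constructed sample values.
SAMPLE_CONFIGSSL = r"""
[CA]
INITIATE_SIDE=%XCOM_HOME%\ssl\certs\cassl.pem
RECEIVE_SIDE=%XCOM_HOME%\ssl\certs\cassl.pem

[VERIFY_CERTIFICATE]
INITIATE_SIDE=YES
RECEIVE_SIDE=NO
"""

SIDES = ("INITIATE_SIDE", "RECEIVE_SIDE")

# What NO means on each side, per the article: which partner certificate is not checked.
UNCHECKED = {
    "INITIATE_SIDE": "outbound transfers (XCOM as SSL client) do not verify the partner's server certificate",
    "RECEIVE_SIDE": "inbound transfers (XCOM as SSL server) do not verify the partner's client certificate",
}


def load_configssl(text: str) -> configparser.ConfigParser:
    # interpolation=None so '%XCOM_HOME%' in paths is not treated as a format directive
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def verify_certificate_settings(text: str) -> Dict[str, str]:
    """Return the [VERIFY_CERTIFICATE] value for each side; the article's default is YES."""
    cfg = load_configssl(text)
    result: Dict[str, str] = {}
    for side in SIDES:
        value = cfg.get("VERIFY_CERTIFICATE", side, fallback="YES")
        result[side] = value.strip().upper()
    return result


def audit_findings(text: str) -> List[str]:
    """One finding per side with verification off, and one per side with no [CA] path."""
    settings = verify_certificate_settings(text)
    cfg = load_configssl(text)
    findings: List[str] = []
    for side in SIDES:
        if settings[side] == "NO":
            findings.append(f"[VERIFY_CERTIFICATE] {side}=NO: {UNCHECKED[side]}")
        if not cfg.get("CA", side, fallback="").strip():
            findings.append(f"[CA] {side} has no cassl.pem path; partner certificates cannot be checked")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_CONFIGSSL) or ["no findings"]:
        print(finding)
```

Run audit_findings over the real file (for example audit_findings(open(path).read())) after option c has been applied, so the temporary NO does not outlive the certificate sync: a side left at NO accepts whatever certificate the partner presents, which is why the article calls it a workaround rather than a fix.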