Concatenate certificates for incoming XCOM SSL transfers from different systems

Article ID: 27401

Updated On:

Products

XCOM Data Transport, XCOM Data Transport - Windows, XCOM Data Transport - Linux PC, XCOM Data Transport - z/OS

Issue/Introduction

Is it possible to concatenate the CA certificates used to verify incoming SSL transfers from different systems, so that a single XCOM machine can receive from all of them?

Environment

Release: 11.6
Component: XCOM..01300-11.6-XCOM Data Transport-for AIX

Resolution

During the SSL handshake of an XCOM transfer, the two sides exchange certificates.

Each side decides, based on the value of its VERIFY_CERTIFICATE parameter, whether to verify the partner's certificate.

Verification checks that the signature on the certificate just received is genuine. It does this using the certificate of the CA that signed the partner's certificate. If that CA certificate cannot be found in the configured CA file, the signature cannot be confirmed and verification fails.

We recommend that you keep the number of different CAs that can sign XCOM certificates small (any certificate issued by any CA in the file will pass verification), and that you concatenate each CA's certificate into a single PEM file, which is then used for verification.

Define one configssl.cnf per system, e.g. one on PCxxxx and one on HOSTWEB.

In this file specify:

[CA]
INITIATE_SIDE = d:\xcomr11\ssl\certs\cassl.pem
RECEIVE_SIDE = d:\xcomr11\ssl\certs\cassl.pem

This section indicates which file of CA certificates XCOM uses to verify the signatures of incoming partner certificates.

INITIATE_SIDE names the file to use when XCOM acts as the SSL client, i.e. the initiating XCOM partner.

RECEIVE_SIDE names the file to use when XCOM acts as the SSL server, i.e. the passive XCOM partner.

The section:

[CA_DIRECTORY]
INITIATE_SIDE = d:\xcomr11\ssl\certs
RECEIVE_SIDE = d:\xcomr11\ssl\certs

must be defined for compatibility with OpenSSL; XCOM as it stands makes little use of it. Specify your certs directory here.

The section:

[CERTIFICATE]
INITIATE_SIDE = d:\xcomr11\ssl\certs\clientcert.pem
RECEIVE_SIDE = d:\xcomr11\ssl\certs\servercert.pem

tells XCOM which certificate (the one that identifies this particular XCOM installation) to send to the partner XCOM.

INITIATE_SIDE and RECEIVE_SIDE are meant in the same sense as described above.

And finally, the section:

[PRIVATEKEY]
INITIATE_SIDE = d:\xcomr11\ssl\private\clientkey.pem
RECEIVE_SIDE = d:\xcomr11\ssl\private\serverkey.pem

tells XCOM where to find the private keys for its certificates. Each private key must correspond to the public key contained in the certificate named in the CERTIFICATE section.

INITIATE_SIDE and RECEIVE_SIDE are meant in the same sense as described above.

Should a particular XCOM come into contact with a new or unknown partner, add (concatenate) the certificate of the CA that signed the new partner's certificate to the PEM file already named in the [CA] section. No new configssl.cnf is needed.

Additional Information

Does XCOM support having multiple sets of SSL certificates (different CAs)?