Install external CA (Certificate Authority) issued certificates for CA XCOM

Article ID: 48329

Products

XCOM Data Transport, XCOM Data Transport - Windows, XCOM Data Transport - Linux PC

Issue/Introduction

This article describes where to install certificates issued by an external CA (Certificate Authority) so that CA XCOM uses them when performing TLS/SSL transfers.

Environment

Release: 11.6
Component: CA XCOM Data Transport for Windows, CA XCOM Data Transport for Linux PC, CA XCOM Data Transport for Unix

Resolution

Regardless of whether you use the sample scripts delivered with XCOM (makeca, makeclient, makeserver) or have an external CA issue your certificates, at the end of the process you will have the following files:

  • A CA certificate, which identifies the CA whose private key signed the certificates it issued

  • Two pairs of files, each pair consisting of a private key and its corresponding certificate: one pair is used when this XCOM initiates an SSL transfer (it acts as the SSL client), the other when a partner XCOM initiates an SSL transfer to this system (it acts as the SSL server)

    These files are functionally equivalent to the ones created by the XCOM sample scripts and must go to exactly the same places, as determined by the XCOM configuration files. The rules are as follows:

  • File %XCOM_HOME%\config\xcom.glb has the XCOM_CONFIG_SSL parameter, which names the SSL configuration file, by default %XCOM_HOME%\config\configssl.cnf. This file indicates where the certificate and key files reside.
    XCOM_CONFIG_SSL can also be set in transfer .cnf/.xml files or on the command line; a value set there overrides the value in xcom.glb for that transfer.

  • The file containing the CA certificate is named in the [CA] section. It should contain the CA certificate that signed this server's certificates plus the CA certificates of the XCOM partners that take part in secure transfers, concatenated one after another in the same PEM file (see note 3 below). A partner whose CA certificate is not in this file fails the certificate verification.

  • The directory containing that file is named in the [CA_DIRECTORY] section. It must be set even though it duplicates the path already given in [CA].

  • The files containing the SSL client and SSL server certificates (which carry the public keys) are named in the [CERTIFICATE] section

  • The files containing the SSL client and SSL server private keys are named in the [PRIVATEKEY] section. These files must be readable by the account the XCOM service runs under and should not be readable by anyone else, since anyone who can read them can impersonate this system to its partners.

Note that, in each section, INITIATE_SIDE refers to the SSL client side, the one which initiates the connection, and RECEIVE_SIDE refers to the SSL server side, the one which receives the connection request from the network.
Both INITIATE_SIDE and RECEIVE_SIDE entries are required because XCOM performs mutual (two-way) SSL authentication: the SSL client certificate and the SSL server certificate are each verified at the other end of the connection, so a system that only ever initiates transfers still needs valid RECEIVE_SIDE entries.
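The layout described above can be sanity-checked before the first transfer. The following Python script is an added example, not part of this article or of the XCOM product: it reads a configssl.cnf, resolves the INITIATE_SIDE and RECEIVE_SIDE entries of the four sections named above, and confirms that each file exists, is PEM, holds the right kind of block (one or more certificates in [CA] and [CERTIFICATE], exactly one key in [PRIVATEKEY]), that [CA_DIRECTORY] is the directory of the [CA] file and, on Linux/Unix, that key files are not group/world readable. It assumes a plain "[SECTION]" plus "KEY=value" layout for configssl.cnf (an assumption, check it against your delivered file) and writes constructed stand-in PEM files (minimal DER stubs, not real certificates) into a temporary directory so that it runs offline.

```python
"""Preflight check for an XCOM configssl.cnf (added example, not XCOM code).
Assumes the file uses [SECTION] headers with KEY=value lines."""
import base64
import configparser
import os
import re
import stat
import tempfile

SIDES = ("INITIATE_SIDE", "RECEIVE_SIDE")
SECTIONS = ("CA", "CA_DIRECTORY", "CERTIFICATE", "PRIVATEKEY")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_labels(path):
    """Labels of the PEM blocks in a file. A block whose Base64 body is invalid
    or does not decode to a DER SEQUENCE (first byte 0x30) is labelled MALFORMED."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            der = b""
        labels.append(label if der[:1] == b"\x30" else "MALFORMED " + label)
    return labels


def check_configssl(cnf_path):
    """Return a list of findings; an empty list means every check passed."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str           # keep INITIATE_SIDE / RECEIVE_SIDE as written
    cfg.read(cnf_path)
    findings = []
    for side in SIDES:
        paths = {}
        for section in SECTIONS:
            if cfg.has_option(section, side):
                paths[section] = cfg.get(section, side).strip()
            else:
                findings.append(f"[{section}] {side} is missing")
        for section in ("CA", "CERTIFICATE", "PRIVATEKEY"):
            p = paths.get(section)
            if p is None:
                continue
            if not os.path.isfile(p):
                findings.append(f"[{section}] {side}: {p} does not exist")
                continue
            labels = pem_labels(p)
            certs = labels.count("CERTIFICATE")
            keys = sum(1 for l in labels if l in KEY_LABELS)
            if any(l.startswith("MALFORMED") for l in labels) or not labels:
                findings.append(f"[{section}] {side}: {p} is not valid PEM")
            if section == "PRIVATEKEY":
                if keys != 1:
                    findings.append(f"[{section}] {side}: {p} should hold exactly one private key, found {keys}")
                if os.name == "posix" and os.stat(p).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(f"[{section}] {side}: {p} is readable by group/others")
            else:
                if certs < 1:
                    findings.append(f"[{section}] {side}: {p} holds no certificate")
                if keys:
                    findings.append(f"[{section}] {side}: {p} contains a private key; keys belong in [PRIVATEKEY]")
        if "CA" in paths and "CA_DIRECTORY" in paths:
            want = os.path.normcase(os.path.normpath(os.path.dirname(paths["CA"])))
            got = os.path.normcase(os.path.normpath(paths["CA_DIRECTORY"]))
            if want != got:
                findings.append(f"[CA_DIRECTORY] {side}: {got} is not the directory of the [CA] file")
    return findings


# Constructed placeholder: the smallest DER SEQUENCE (holding INTEGER 0). It is
# NOT a real certificate or key; it only exercises the structural checks above.
_DER_STUB = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()


def _pem(label):
    return f"-----BEGIN {label}-----\n{_DER_STUB}\n-----END {label}-----\n"


def write_sample(root, swap_key=False):
    """Write a constructed configssl.cnf plus PEM stand-ins under root and return
    the .cnf path. swap_key=True puts a certificate in the RECEIVE_SIDE key file."""
    certs = os.path.join(root, "certs")
    os.makedirs(certs, exist_ok=True)
    files = {
        "cacert.pem": _pem("CERTIFICATE") + _pem("CERTIFICATE"),   # own CA + partner CA
        "client.pem": _pem("CERTIFICATE"),
        "clientkey.pem": _pem("RSA PRIVATE KEY"),
        "server.pem": _pem("CERTIFICATE"),
        "serverkey.pem": _pem("CERTIFICATE") if swap_key else _pem("RSA PRIVATE KEY"),
    }
    for name, body in files.items():
        p = os.path.join(certs, name)
        with open(p, "w") as fh:
            fh.write(body)
        if name.endswith("key.pem"):
            os.chmod(p, 0o600)      # private keys: owner only
    cnf = os.path.join(root, "configssl.cnf")
    lines = ["[CA]"] + [f"{s}={os.path.join(certs, 'cacert.pem')}" for s in SIDES]
    lines += ["[CA_DIRECTORY]"] + [f"{s}={certs}" for s in SIDES]
    lines += ["[CERTIFICATE]", f"INITIATE_SIDE={os.path.join(certs, 'client.pem')}",
              f"RECEIVE_SIDE={os.path.join(certs, 'server.pem')}"]
    lines += ["[PRIVATEKEY]", f"INITIATE_SIDE={os.path.join(certs, 'clientkey.pem')}",
              f"RECEIVE_SIDE={os.path.join(certs, 'serverkey.pem')}"]
    with open(cnf, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return cnf


def demo():
    """Check a correct sample and a deliberately broken one; return both finding lists."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        return check_configssl(write_sample(good)), check_configssl(write_sample(bad, swap_key=True))


if __name__ == "__main__":
    ok, broken = demo()
    print("good config:", ok or "all checks passed")
    print("broken config:", *broken, sep="\n  ")
```

Run it against a real configssl.cnf with check_configssl("/path/to/configssl.cnf"). The script checks structure only; it does not validate signatures or confirm that a key belongs to its certificate. For that, use the OpenSSL tools: `openssl verify -CAfile cacert.pem client.pem` checks the chain against the [CA] bundle, and `openssl x509 -in client.pem -noout -subject -issuer -dates` shows who issued a certificate and whether it is still valid.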

Additional Information

NOTES:
1. The XCOM SSL configuration requires PEM encoded certificate and private key files. DER (binary) or PKCS#12 files exported by an external CA must be converted to PEM before use.

2. When changing xcom.glb, the XCOM service needs to be restarted. However, when changing configssl.cnf or any of the files it refers to, a restart is not required, because configssl.cnf and those files are re-read each time an SSL transfer is initiated.

3. Related KB article: "Is it possible to concatenate the certificates for incoming SSL transfers from different systems? In this way, you only receive from one machine."

4. Documentation:
CA XCOM DATA TRANSPORT FOR WINDOWS 11.6 SERVICE PACKS > Administrating > Generate TLS/SSL Certificates > Configure the SSL Server
CA XCOM DATA TRANSPORT FOR WINDOWS 11.6 SERVICE PACKS > Administrating > Generate TLS/SSL Certificates > Configure the TLS/SSL Client

5. .pem format certificate files are Base64 ASCII text files, each certificate or key enclosed between "-----BEGIN ...-----" and "-----END ...-----" marker lines, so they can be opened in any editor to confirm which blocks a file contains and that no block is truncated. The encoded contents themselves (subject, issuer, validity dates) are not readable in an editor and need a tool such as openssl to inspect.