This article describes where to install certificates issued by an external CA (Certificate Authority) so that they are used by XCOM when performing SSL transfers.
Release: 11.6
Component: XCOM Data Transport for Windows, XCOM Data Transport for Linux PC, XCOM Data Transport for Unix
Regardless of whether you use the sample scripts delivered with XCOM (makeca, makeclient, makeserver) or have an external CA issue your certificates, at the end of the process you will have the following files:
Note that, in each section, INITIATE_SIDE refers to the SSL client side, the one which initiates the connection, and RECEIVE_SIDE refers to the SSL server side, the one which receives the connection request from the network.
Both INITIATE_SIDE and RECEIVE_SIDE entries are required because XCOM does 2-way SSL authentication, so both the SSL client and SSL server certificates are verified at the other end of the connection.
NOTES:
1. The XCOM SSL configuration requires the use of PEM encoded certificate/private key files.
2. When changing xcom.glb, the XCOM service needs to be restarted. However, when making any changes to the configssl.cnf file or any of the files it refers to, a restart is not required because configssl.cnf and those files are re-read each time an SSL transfer is initiated.
3. Related KB article: Is it possible to concatenate the certificates for incoming SSL transfers from different systems? In this way, you only receive from one machine.
4. Documentation:
CA XCOM™ Data Transport® for Windows 11.6 Service Packs > Administrating > Generate TLS/SSL Certificates > Configure the SSL Server
CA XCOM™ Data Transport® for Windows 11.6 Service Packs > Administrating > Generate TLS/SSL Certificates > Configure the TLS/SSL Client
5. .pem format certificate files are Base64 ASCII text files that can be read in any editor to validate contents.
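
An added example (not part of the original article or of XCOM) for notes 1 and 5: a Python check that a file is a PEM text envelope rather than binary DER, listing the blocks it contains, which also shows how many certificates a concatenated file holds. It checks the envelope only, not X.509 validity; `inspect_pem`, `make_pem` and `SAMPLE_BUNDLE` are names made up here, and the sample data is constructed.

```python
import base64
import binascii
import re
import sys

# One PEM block: BEGIN/END lines with matching labels around a text body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def make_pem(label, der):
    """Wrap raw bytes in a PEM envelope (used only for the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def inspect_pem(data):
    """Return (labels, problems) for the raw bytes of one file."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return [], ["not ASCII text (binary/DER?), not a PEM file"]
    labels, problems = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Encrypted traditional keys carry "Proc-Type:"/"DEK-Info:" header lines.
        lines = [ln.strip() for ln in body.splitlines()]
        encrypted = any(":" in ln for ln in lines)
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid Base64")
            continue
        # Unencrypted certificates and keys are DER SEQUENCEs (first byte 0x30).
        if not encrypted and not der.startswith(b"\x30"):
            problems.append(f"{label}: decoded body is not a DER SEQUENCE")
            continue
        labels.append(label)
    if not labels and not problems:
        problems.append("no PEM BEGIN/END block found")
    return labels, problems

# Constructed sample: two placeholder blocks (a tiny DER SEQUENCE, not real
# certificates) concatenated the way a multi-certificate file would be.
SAMPLE_BUNDLE = (make_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01") * 2).encode()

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the files named in configssl.cnf
        with open(path, "rb") as fh:
            print(path, *inspect_pem(fh.read()))
```

Run it with the certificate and key file paths as arguments; an empty problem list and the expected block labels mean the file is in the PEM form that note 1 requires.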