This article describes where to install certificates issued by an external CA (Certificate Authority) so that they are used by XCOM when performing SSL transfers.
Release: 11.6
Component: XCOM Data Transport for Windows, XCOM Data Transport for Linux PC, XCOM Data Transport for Unix
Regardless of whether the sample scripts delivered with XCOM (makeca, makeclient, makeserver) are used or an external CA has issued the certificates, at the end of the process there will be the following files:
Those files are functionally equivalent to the ones created when running the XCOM sample scripts and need to go to the exact same places, as determined by XCOM config files. The rules are as follows:
Note that, in each section, INITIATE_SIDE refers to the SSL client side, the one which initiates the connection, and RECEIVE_SIDE refers to the SSL server side, the one which receives the connection request from the network.
Both INITIATE_SIDE and RECEIVE_SIDE entries are required because XCOM does 2-way SSL authentication, so both the SSL client and SSL server certificates are verified at the other end of the connection.
NOTES:
1. The XCOM SSL configuration requires the use of PEM encoded certificate/private key files.
2. When changing xcom.glb, the XCOM service needs to be restarted. However, changes to the configssl.cnf file or to any of the files it refers to do not require a restart, because configssl.cnf and those files are re-read each time an SSL transfer is initiated.
3. Related KB article: Concatenate certificates for incoming XCOM SSL transfers from different systems
4. XCOM for Windows 11.6 doc. page: Configure the TLS/SSL Server and Client
5. Certificate files in .pem format are Base64 ASCII text files that can be opened in any text editor to validate their contents.
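
Notes 1 and 5 can be checked by script before a file received from an external CA is copied into place. The following Python script is an added example, not part of XCOM or of the original article; the function name inspect_pem and the sample bytes are constructed for illustration. It lists the PEM blocks in a file (a file may hold several) and rejects binary DER input.

```python
import base64
import binascii
import re
import sys

# One PEM block: matching BEGIN/END lines around a Base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Constructed sample: a 5-byte ASN.1 SEQUENCE standing in for real certificate bytes.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"\x30\x03\x02\x01\x01")
              + b"\n-----END CERTIFICATE-----\n")

def inspect_pem(data: bytes) -> list:
    """Return one record per PEM block in data; raise ValueError if data is not PEM."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # DER-encoded certificates and keys begin with the ASN.1 SEQUENCE tag 0x30.
        kind = "binary DER data" if data[:1] == b"\x30" else "non-ASCII data"
        raise ValueError(f"{kind}, not PEM: convert to PEM first") from None
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, lines = match.group(1), match.group(2).splitlines()
        # Legacy encrypted keys carry header lines (Proc-Type, DEK-Info) before the Base64.
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln.strip() for ln in lines if ln.strip() and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            raise ValueError(f"{label}: body is not valid Base64") from None
        blocks.append({
            "label": label,                       # e.g. CERTIFICATE, PRIVATE KEY
            "der_len": len(der),                  # size of the decoded object
            "asn1_sequence": der[:1] == b"\x30",  # decoded bytes look like DER
            "encrypted": label == "ENCRYPTED PRIVATE KEY"
                         or any("ENCRYPTED" in h for h in headers),
        })
    if not blocks:
        raise ValueError("no -----BEGIN ...----- / -----END ...----- block found")
    return blocks

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            print(path, inspect_pem(data))
        except ValueError as err:
            print(path, "REJECTED:", err)
```

Run it with the certificate and key file paths as arguments; each file prints either its block list or a REJECTED line with the reason.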