OpenEdge Authentication Gateway configuration
The OpenEdge Authentication Gateway must have a valid HTTPS TLS (Transport Layer Security, the successor to SSL) certificate and client-key installed.
If it hasn't been done already, an administrator can perform the installation using the OpenEdge STS Key Utility. For example:
oe_install_dir/bin/stskeyutil install -url https://oeag-dns-name:oeag-port-number -file oeagserverkey.ecp
Important: Always remove the .ecp file from the server after an install to prevent unauthorized access to your configuration. Store it in a secure location in case you need it to re-configure at a later date.
Test the installation with the STS Client Utility. For example:
oe_install_dir\bin\stsclientutil -url https://yourmachinename:port -cmd ping [-nohostverify]
Be aware of these differences between a development server (used for application development) and a production server (used for application deployment):
* For development servers, the Authentication Gateway and its clients ship with a server certificate specifically crafted to allow TLS connections but to fail post-connection hostname validation. Therefore, client connections to an Authentication Gateway must always include the -nohostverify option to work. For example:
The -nohostverify option allows full server certificate validation per the Public Key Cryptography Standards (PKCS), but skips post-connection hostname validation.
* For production servers, the OEAG server must obtain, configure, and use a server certificate that is not self-signed. Therefore, the root CA certificate and any optional intermediate CA certificates needed to validate the OEAG server's certificate must be installed into the OpenEdge installation's DLC/certs directory. Install the root CA and intermediate CA certificates using only the OpenEdge-supplied DLC/bin/certutil utility. Any other installation mechanism is not guaranteed to work.
After verifying that the Authentication Gateway is running, test HTTP connectivity:
oe_install_dir/bin/stsclientutil -cmd ping -url https://oeag-dns-name:oeag-port-number [ -nohostverify ]
See OpenEdge Getting Started: OpenEdge Authentication Gateway Guide for more information about client-key generation, installation, and testing.
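The difference between certificate chain validation and hostname validation described above can be checked offline before deciding whether a client would need -nohostverify. The following is an added example, not part of the OpenEdge documentation or tooling: it assumes the stock openssl command-line tool (1.1.1 or later) rather than the OpenEdge utilities, and all certificates, file names, and host names in it are constructed test values.

```shell
#!/bin/sh
# Added example: certificates, file names and host names are constructed.

# make_constructed_cert DIR NAME
# Creates a throwaway self-signed certificate DIR/NAME.pem whose SAN is NAME.
# Because it is self-signed, the same PEM file also serves as its trust anchor.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# classify_cert CA_PEM CERT_PEM HOSTNAME
# Prints exactly one of:
#   ok                 chain and hostname both validate
#   hostname-mismatch  chain validates, name does not (the case where a
#                      client only connects with hostname checking skipped)
#   chain-invalid      chain is not trusted; skipping the hostname check
#                      would not make this certificate acceptable
classify_cert() (
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo chain-invalid
    elif openssl verify -CAfile "$1" -verify_hostname "$3" "$2" \
            >/dev/null 2>&1; then
        echo ok
    else
        echo hostname-mismatch
    fi
)

# Demonstration on constructed certificates in a temporary directory.
demo() (
    dir=$(mktemp -d) || exit 1
    make_constructed_cert "$dir" oeag.example.test || exit 1
    make_constructed_cert "$dir" other.example.test || exit 1
    gw="$dir/oeag.example.test.pem"
    # Name in the URL matches the certificate.
    classify_cert "$gw" "$gw" oeag.example.test
    # Same trusted certificate, reached under a different machine name.
    classify_cert "$gw" "$gw" yourmachinename.example.test
    # Certificate checked against an unrelated trust anchor.
    classify_cert "$dir/other.example.test.pem" "$gw" oeag.example.test
    rm -rf "$dir"
)
demo
```

A production certificate should classify as ok for the exact DNS name clients put in the -url value; a hostname-mismatch result means the certificate or the URL needs correcting, not that hostname checking should be switched off.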