The following figure shows the AIA architecture using a secure Internet connection.
Figure 17. AppServer Internet Adapter architecture with HTTPS
Note: If the client uses HTTP to connect, and, on the server side, the httpsEnabled property in the ubroker.properties file is set to one (1), the AIA instance redirects the client to retry the Web server (or JSE) connection, using an HTTPS-protocol URL that the AIA returns automatically.
When using HTTPS, OpenEdge establishes an SSL connection with the Web server (or JSE). As part of establishing the connection, OpenEdge verifies server access by validating the digital certificate installed on the server against the corresponding trusted certificates installed on the client. If OpenEdge determines that the server certificate is not valid, the connection to the AIA instance is denied. These digital certificates are based on public and private encryption keys issued by a trusted Certificate Authority (CA).
When checking a certificate, any OpenEdge Internet client verifies that:
1. The server certificate is signed by one of the trusted root CA certificates installed on the client machine.
2. The certificate has not expired, which is determined by comparing the current time with the validity timestamps included in the certificate.
3. The host name in the URL is the same as the common name in the certificate Subject field.
This is an optional verification that ensures the host machine that the client connects to is the intended host machine. It is done by comparing the host name the user specified in the URL with the host name in the certificate returned by the Web server.
By default, OpenEdge performs host verification. However, when establishing a connection, a client application can indicate that host verification should not be performed. WebClients and ABL clients do this with the -nohostverify connection parameter. Open clients call the RunTimeProperties.setNoHostVerify method on the runtimeProperties object.
If any one of these checks determines that the certificate is not valid, the connection to the AIA instance fails.
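The three checks above and the effect of -nohostverify, as an added Python model (not OpenEdge's own code): it assumes a server certificate in the dict shape that Python's ssl.getpeercert() returns, and the lookup of the issuer name in a trusted-CA set stands in for the signature validation that the TLS library itself performs. Note that disabling host verification skips only the third check; the CA and expiry checks still apply.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: names of the trusted root CAs installed on the client.
TRUSTED_ROOT_CAS = {"Example Root CA"}


def _cn(name_tuples):
    """Extract commonName from the nested RDN tuples used by ssl.getpeercert()."""
    for rdn in name_tuples:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def utc(year, month, day):
    """Build the 'current time' used by the expiry check (UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def verify_server_cert(cert, url_host, now, no_host_verify=False):
    """Return the list of failed checks; an empty list means the connection proceeds."""
    failures = []
    # 1. Signed by a trusted root CA installed on the client (modelled by issuer name;
    #    the real signature check is done by the TLS library).
    if _cn(cert["issuer"]) not in TRUSTED_ROOT_CAS:
        failures.append("untrusted issuer")
    # 2. Not expired: current time must fall inside the certificate's validity period.
    ts = now.timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= ts <= not_after):
        failures.append("expired or not yet valid")
    # 3. Host name from the URL matches the Subject common name (skipped by -nohostverify).
    if not no_host_verify and (_cn(cert["subject"]) or "").lower() != url_host.lower():
        failures.append("host name mismatch")
    return failures


# Constructed sample certificate, in the shape the client sees from getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "appserver.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}

if __name__ == "__main__":
    print(verify_server_cert(SAMPLE_CERT, "appserver.example.com", utc(2025, 6, 1)))
```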