To manage your own OpenEdge SSL server identity and make it available to SSL clients, you must generate a private key for the server, stored under an alias and protected by a password, and obtain a server certificate signed by a trusted CA. The trusted CA can be one of the major public CAs, such as RSA, Thawte, or Verisign, or any other CA you trust for the purpose, including your own internal CA. Follow your chosen CA's procedure to request and receive the server certificate you need. Once you have the signed server certificate, install it, together with the corresponding private key, as an entry in the key store of every OpenEdge server you want to configure with this SSL identity. Only the certificate is ever sent to clients; the private key stays in the server key stores.
You must then distribute to all SSL clients (where they do not already have it) the root CA public-key certificate that corresponds to the signed server identity. OpenEdge is installed with the root CA certificates of the major public CAs, including RSA, Thawte, and Verisign, so clients can authenticate servers certified by those CAs without further setup. If you use another CA (including your own internal CA), you must obtain, or generate, its root public-key certificate and install it in each SSL client's certificate store. Distribute only the root certificate: the CA's private key remains with the CA, because anyone holding it can issue certificates that every client trusting that root will accept.
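The following script is an added example and is not part of OpenEdge or its documentation. It walks through the procedure above for the internal-CA case using OpenSSL: create a throwaway root CA, generate a password-protected private key for one server identity, have the CA sign a certificate for it, and then run the checks a practitioner wants before the key and certificate are imported into a key store and the root certificate is handed to clients. The directory, alias, host name, distinguished names and password are placeholders; the OpenEdge import step itself is left to the key store tools described in Getting Started: Installation and Configuration.

```shell
#!/bin/sh
# Added example, not OpenEdge's own tooling: stand up a throwaway internal CA
# with OpenSSL, issue a certificate for one OpenEdge SSL server identity, and
# run the checks worth doing before the key and certificate go into a key store.
# Directory, alias, host name, DNs and password below are placeholders.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"                         # scratch directory for generated files
ALIAS="${ALIAS:-appsrv1}"                            # hypothetical key store entry alias
KEYPASS="${KEYPASS:-change-me}"                      # placeholder key password; set a real one in the environment
SERVER_DNS="${SERVER_DNS:-appsrv1.example.internal}" # hypothetical server host name

build_identity() {
  # 1. Internal root CA: self-signed certificate plus its private key.
  #    ca.key never leaves the CA host; only ca.crt is given to SSL clients.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # 2. Password-protected private key for the server identity (PKCS#8, AES-256-CBC).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$KEYPASS" -out "$WORK/$ALIAS.key" 2>/dev/null

  # 3. Certificate signing request naming the server.
  openssl req -new -key "$WORK/$ALIAS.key" -passin "pass:$KEYPASS" \
    -subj "/CN=$SERVER_DNS" -out "$WORK/$ALIAS.csr" 2>/dev/null

  # 4. The CA signs the request. The extension file adds the DNS SAN that
  #    clients doing host-name verification check, and marks the certificate
  #    as an end-entity certificate so it cannot itself sign others.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SERVER_DNS" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/$ALIAS.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/server.ext" -out "$WORK/$ALIAS.crt" 2>/dev/null
}

# Check 1: the key file really is encrypted. A wrong password must fail to
# load it and the right password must succeed.
key_is_password_protected() {
  ! openssl pkey -in "$WORK/$ALIAS.key" -passin pass:not-the-password -noout 2>/dev/null &&
  openssl pkey -in "$WORK/$ALIAS.key" -passin "pass:$KEYPASS" -noout 2>/dev/null
}

# Check 2: the certificate and the private key carry the same public key
# (the usual symptom of sending the wrong CSR to the CA).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$WORK/$ALIAS.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/$ALIAS.key" -passin "pass:$KEYPASS" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the certificate chains to the root that clients will be given.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$ALIAS.crt" >/dev/null 2>&1
}

# Check 4: it is also valid for the host name clients will connect to.
valid_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$SERVER_DNS" "$WORK/$ALIAS.crt" >/dev/null 2>&1
}

# Check 5 (negative): a client that trusts a different root must reject it.
rejected_by_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORK/other.crt" "$WORK/$ALIAS.crt" >/dev/null 2>&1
}

main() {
  build_identity
  key_is_password_protected || { echo "FAIL: $ALIAS.key is not password-protected" >&2; return 1; }
  cert_matches_key          || { echo "FAIL: certificate does not match private key" >&2; return 1; }
  chain_verifies            || { echo "FAIL: certificate does not chain to ca.crt" >&2; return 1; }
  valid_for_host            || { echo "FAIL: certificate is not valid for $SERVER_DNS" >&2; return 1; }
  rejected_by_other_ca      || { echo "FAIL: an unrelated root accepted the certificate" >&2; return 1; }
  echo "Server key store entry (alias $ALIAS): $WORK/$ALIAS.key and $WORK/$ALIAS.crt"
  echo "Client certificate store: $WORK/ca.crt (public certificate only)"
}

main
```

Run it as `KEYPASS='...' sh issue-server-identity.sh`; the two files it names for the server go into the key store under the alias, and only ca.crt goes to clients. The negative check matters as much as the positive ones: it shows that a client will not accept the server merely because the certificate is well formed, but only because the client holds the matching root.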
Using the OpenEdge SSL management software, you can add, list, update, and debug SSL server identities defined in both OpenEdge-managed SSL server key stores and SSL client certificate stores.
Next, configure the standard SSL connection parameters and properties for each OpenEdge client and server component that uses a given SSL server identity, so that they can initiate and maintain SSL connections with one another. For any SSL server identity other than the default, you must specify the key store entry alias name and password to configure that identity for a given SSL server. If you need to configure a server component manually (required for starting the OpenEdge RDBMS), you must supply an encrypted form of the key store entry password during server configuration or startup. Treat that encrypted value as a secret in its own right: the server must be able to recover the password from it, so anyone who can read it from a parameter file or startup script can unlock the same key store entry. Protect those files as tightly as the key store itself.
Note: You can provide effective server authentication using the default server identity by replacing the certificate in the default_server key store entry with a new certificate issued by a trusted CA. If you keep the default password for this entry, any existing default SSL configuration continues to work unchanged. If you change the password, you must then specify the new password for each SSL server configured to use the default_server entry. Keep in mind that the default password is the same on every OpenEdge installation and is documented, so it does not protect the private key; once the entry holds a production identity, changing it is the safer choice.
For more information on using the OpenEdge tools for managing SSL server identities and obtaining encrypted forms of key store entry passwords, see the sections on managing OpenEdge key and certificate stores in OpenEdge Getting Started: Installation and Configuration.
The remainder of this chapter describes how to configure OpenEdge SSL clients and SSL servers for a given SSL server identity.