Release 10.1A: OpenEdge Application Server: Administration
SSL-enabled AppServer operation
You have the option of configuring any AppServer instance to require Secure Sockets Layer (SSL) client connections. You can maintain both SSL-enabled and non-SSL AppServer instances, but a given instance supports only one type of connection, either secure or nonsecure.
Security derives from the client's authentication of the server's identity via a Public Key Infrastructure (PKI), combined with a symmetric data encryption system. To configure an AppServer instance for SSL operation, you must:
- Obtain and install a server private key and a public key certificate. OpenEdge provides built-in keys and certificates that are suitable for use on development or demonstration servers; for production machines, you should obtain server certificates from an internal or public Certificate Authority (CA).
- Specify an alias and password for access to the private key/digital certificate.
- Disable session caching, or enable it with a specified timeout.
To perform these configuration tasks, you can use the Progress Explorer (in Windows only) or manually edit the ubroker.properties file.
Note: You can use the mergeprop utility installed with OpenEdge to manually edit the ubroker.properties file. For information on using mergeprop, see OpenEdge Getting Started: Installation and Configuration.
To connect to an SSL-enabled AppServer, a client application must have access to a digital (public key) certificate (often called a CA Root Certificate) that can authenticate with the digital certificate used by the server, and the client must use a secure protocol.
For more information on SSL support in OpenEdge, see OpenEdge Getting Started: Core Business Services.
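The configuration steps above can be checked mechanically. The following Python audit is an added example, not part of the OpenEdge documentation or Progress code: it reads ubroker.properties text and reports AppServer instances that do not require SSL, that still use the built-in development key, or that leave session caching on with no timeout. It assumes the property names sslEnable, keyAlias, noSessionCache and sessionTimeout, the built-in alias default_server, and that an instance section inherits unset properties from its parent group; confirm all of these against your own installation.

```python
import configparser

# Constructed sample; property names are assumed, check them against your file.
SAMPLE = """
[UBroker.AS]
    sslEnable=0
    keyAlias=default_server
    noSessionCache=0
[UBroker.AS.asdemo]
    sslEnable=1
[UBroker.AS.orders]
    sslEnable=1
    keyAlias=orders_prod
    sessionTimeout=180
[UBroker.AS.legacy]
"""
BUILTIN_ALIAS = "default_server"  # assumed alias of the built-in demo key


def effective(cp, section, key, default=""):
    """Resolve a property, falling back to parent groups (A.B.C -> A.B -> A)."""
    parts = section.split(".")
    for n in range(len(parts), 0, -1):
        name = ".".join(parts[:n])
        if cp.has_option(name, key):
            return cp.get(name, key).strip()
    return default


def audit(text):
    """Return {instance name: [findings]} for each [UBroker.AS.<name>] section."""
    cp = configparser.RawConfigParser(strict=False)
    # Properties are usually indented; strip so they are not read as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    report = {}
    for sec in (s for s in cp.sections() if s.startswith("UBroker.AS.")):
        findings = []
        if effective(cp, sec, "sslEnable", "0") != "1":
            findings.append("SSL not required")
        else:
            if effective(cp, sec, "keyAlias") in ("", BUILTIN_ALIAS):
                findings.append("built-in or unspecified key alias")
            if (effective(cp, sec, "noSessionCache", "0") != "1"
                    and not effective(cp, sec, "sessionTimeout").isdigit()):
                findings.append("session cache enabled without a timeout")
        report[sec.split(".", 2)[2]] = findings
    return report
```

Calling `audit(SAMPLE)` flags asdemo for both the inherited built-in alias and the missing timeout, reports legacy as not requiring SSL, and returns no findings for orders.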
AppServer operating modes and SSL
Supporting SSL tunneling imposes significant overhead on client/server transactions. To minimize the impact of this overhead, OpenEdge uses SSL tunneling between the client and either the AppServer agent or the AppServer broker, but not both, according to the operating mode in which the AppServer runs:
- Session-managed — For the session-managed modes (state-reset and state-aware), the client makes an SSL connection to the AppServer agent, after its initial connection to the broker. Because this initial client-broker connection does not carry customer-level information, SSL tunneling is not necessary.
- Session-free — For the session-free modes (stateless and state-free), the client makes an SSL connection to the AppServer broker, which is the single primary server connection. SSL tunneling is not necessary for the transmission of data between the broker and the AppServer agent, because this connection is local to a single system and therefore is not exposed to the network.
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095