Release 10.1A: OpenEdge Development:
Programming Interfaces
Configuring SSL servers and clients
OpenEdge provides utilities to create and manage key and certificate stores that enable your OpenEdge servers and clients to use the full capabilities of SSL. For all OpenEdge clients and servers, OpenEdge also installs built-in key and certificate stores that provide a simple, default SSL implementation for applications that require a minimal level of SSL support. SSL servers and clients have different SSL configuration requirements. So, if your SSL server is also an SSL client of some other SSL server, you must configure your application for both.
Note: Be very sure you need SSL before using this option. SSL incurs more or less heavy performance penalties, depending on resources and load.
Configuring SSL servers
For an SSL server, you must have installed a private key and digital (public key) certificate that uniquely identifies your 4GL socket server as an SSL server and allows all communications to be encrypted between it and any SSL client. You can use the default key and certificate store provided by OpenEdge without any additional work. This provides default encryption services between all OpenEdge clients and servers and thereby eliminates the need for client-server authentication to complete SSL connections.
However, to create a complete SSL implementation that supports all the features of SSL, you must obtain a unique private key and server digital certificate from an industry-recognized certificate authority (a CA such as Verisign, RSA, or Thawte) or create them yourself, as your own private CA, using server certificate administration software that you obtain on your own. Once you have the required private key and digital certificate, you can install them confidentially on your server system using the pkiutil command-line tool provided by OpenEdge. At this point your 4GL socket server is ready to enable SSL connections.
For more information on OpenEdge SSL support, CAs, keys, digital certificates, and using pkiutil, see OpenEdge Getting Started: Core Business Services.
Configuring SSL clients
For an SSL client, you must have installed a public key certificate that allows the client to authenticate and encrypt communications with a specific SSL server that it connects to. You can obtain the required public key certificate for a given SSL server from the CA that issued the server’s private key. Once you have the public key certificate, you can install it on your client system using the certutil command-line tool provided by OpenEdge. At this point your 4GL socket client is ready to make an SSL connection to an SSL server.
For more information on OpenEdge SSL support, public key certificates, and using certutil, see OpenEdge Getting Started: Core Business Services.
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095