SSL parameters

SOAM parameters

To configure SSL for individual connections between the Symphony client and Session Director or session manager, it is necessary to edit the sd.xml file. This section details the configurable parameters of the sd.xml file.

Session Director parameters
  • SD_SDK_TRANSPORT: protocol driver. The driver value for SSL is "TCPIPv4SSL". If this parameter is not defined, the protocol driver defaults to plain TCP/IPv4, that is, the connection is not encrypted.

  • SD_SDK_TRANSPORT_ARG: arguments for initializing the communication library (commLib). The arguments consist of security keys and certificates, in the same format as EGO_DEFAULT_TS_PARAMS and EGO_KD_TS_PARAMS. Alternatively, a variable such as $EGO_DEFAULT_TS_PARAMS can be substituted for the literal arguments, so that the Session Director uses the same keys and certificates as the EGO daemons.

Session manager parameters
  • SSM_SDK_TRANSPORT: protocol driver. The driver value for SSL is "TCPIPv4SSL".

  • SSM_SDK_TRANSPORT_ARG: arguments for initializing the communication library (commLib). The arguments consist of security keys and certificates, in the same format as EGO_DEFAULT_TS_PARAMS and EGO_KD_TS_PARAMS. Alternatively, a variable such as $EGO_DEFAULT_TS_PARAMS can be substituted for the literal arguments, so that the session manager uses the same keys and certificates as the EGO daemons.

Client parameters
  • SDK_TRANSPORT: protocol driver. The driver value for SSL is "TCPIPv4SSL".

  • SDK_TRANSPORT_ARG: arguments for initializing the communication library (commLib). The arguments consist of security keys and certificates, in the same format as EGO_CLIENT_TS_PARAMS. Alternatively, the $EGO_CLIENT_TS_PARAMS variable can be substituted for the literal arguments, so that the Symphony client uses the same trust settings as the EGO client.

EGO parameters

To configure SSL for individual connections between the EGO client and EGO, it is necessary to edit the ego.conf file on the management and client hosts as well as the egosc_conf.xml file on the EGO Service Controller host.

ego.conf parameters

This section details the configurable parameters of the ego.conf file. The SSL parameters in the ego.conf file must be configured for the VEMKD daemon, for the client, or for both, as applicable.

  • EGO_TRANSPORT_SECURITY: (daemon and client) turns the transport security feature on or off.

  • EGO_DEFAULT_TS_PARAMS: (daemon only) a general parameter consisting of SSL subparameters that apply to every daemon and container in the cluster. If no subparameters are defined, SSL uses an anonymous Diffie-Hellman (ADH) cipher suite: the connection is encrypted, but neither side is authenticated, so a man-in-the-middle cannot be detected. For a production cluster, define CERTIFICATE and PRIVATE_KEY here (or in the daemon-specific parameters) together with a certificate-based CIPHER. Daemon-specific parameters override these defaults. Refer to ego.conf subparameters for a list of applicable subparameters.

  • EGO_KD_TS_PORT: (daemon and client) the SSL port number of VEMKD.

  • EGO_KD_TS_PARAMS: (daemon only) the SSL parameters specific to VEMKD. Refer to ego.conf subparameters for a list of applicable subparameters.

  • EGO_CLIENT_TS_PARAMS: (client only) the SSL parameters specific to the client. Refer to ego.conf subparameters for a list of applicable subparameters.

ego.conf subparameters

EGO_DEFAULT_TS_PARAMS, EGO_KD_TS_PARAMS, and EGO_CLIENT_TS_PARAMS contain the following configurable subparameters:

  • CERTIFICATE: (daemon only) the location of the daemon's certificate file. Only the PEM file format is supported. The subject CN (common name) of this certificate is what clients compare against when SERVER_AUTH is set to HOST or to a {string} value. For information about generating certificates using openssl, refer to http://www.openssl.org/docs/apps/openssl.html.

  • CIPHER: (daemon and client) the cipher list used by SSL. The client and server negotiate over their cipher lists and select the first one they share. The default list is ADH-DES-CBC3-SHA, an anonymous Diffie-Hellman suite using 3DES: it provides no server authentication and relies on a cipher that current OpenSSL releases classify as weak. Once CERTIFICATE and PRIVATE_KEY are configured, set a certificate-based suite on both the daemon and the client.

  • CAFILE: (client only) the location of the Certification Authority (CA) certificate file. The client reads this file and trusts the CA it contains. Use this parameter when a single file holds the trust anchor.

  • CAPATH: (client only) the directory in which the CA certificate files are stored. Use this parameter when there are multiple CA files. With OpenSSL, files in this directory are looked up by subject-name hash, so the directory must be indexed (for example with c_rehash) after certificates are added.

  • PRIVATE_KEY: (daemon only) the location of the private key file.

  • SERVER_AUTH: (client only) defines whether client should authenticate the server and how to authenticate.

    Syntax:

    SERVER_AUTH=NONE|HOST|{string}name{string}…

    NONE: the client does not authenticate the server. This is the default value. The session is encrypted, but the client has no assurance of which host it is actually talking to.

    HOST: one certificate per host. The client checks that the host name it connected to matches the subject CN (common name) in the presented certificate.

    {string}name{string}…: enables certificate verification on a per-cluster, per-daemon or per-application basis.

    Each "name" is either a daemon name (such as vemkd) or an application name (such as SOATesting), and the {string} that follows it is the subject CN the client requires in that server's certificate. A leading {string} with no name in front of it is the default CN for any daemon or application not listed.

    Note:

    All Symphony daemons have reserved names. An application cannot have the same name as a Symphony daemon. For example, you cannot define a Symphony application with the name "vemkd".

    Examples:

    1. SERVER_AUTH={Platform EGO}: only the default is provided. Every daemon must present a certificate whose subject CN is "Platform EGO".

    2. SERVER_AUTH=vemkd{Platform vemkd}egosc{Platform Service Controller}: a value is provided for each daemon and no default. The client checks that the VEMKD certificate has the CN "Platform vemkd" and that the EGOSC certificate has the CN "Platform Service Controller".

    3. SERVER_AUTH={Platform EGO}SOATesting{SOA Testing}: both a default and a name-value pair are provided. A Symphony client of the SOATesting application checks the session manager (SSM) certificate against "SOA Testing"; all other connections check the daemon certificate against "Platform EGO".
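    The following parser and verification routine, added here as an example and not taken from Symphony or EGO, shows how the SERVER_AUTH grammar above resolves to a per-connection decision. It assumes exactly the documented syntax (NONE, HOST, or an optional leading default {string} followed by name{string} pairs), treats daemon/application names as case-insensitive and CN strings as exact (both assumptions), and stands in for the check that commLib performs after the TLS handshake; the host names and certificate CNs at the bottom are constructed test data.

```python
"""Parse SERVER_AUTH and decide whether a server certificate is acceptable.

Added example for this page; it is not IBM Platform Symphony/EGO code.
It assumes the documented grammar SERVER_AUTH=NONE|HOST|{string}name{string}...
Names are matched case-insensitively (assumption); CNs are compared exactly.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# One {string} token: the subject CN expected in a certificate.
_CN_TOKEN = re.compile(r"\{([^{}]*)\}")


@dataclass
class ServerAuthPolicy:
    mode: str                         # "NONE", "HOST" or "CN"
    default_cn: Optional[str] = None  # leading {string}; absent in example 2
    per_name: Dict[str, str] = field(default_factory=dict)


def parse_server_auth(value: str) -> ServerAuthPolicy:
    """Turn a SERVER_AUTH value into a policy, rejecting malformed input."""
    value = value.strip()
    if value == "" or value.upper() == "NONE":
        return ServerAuthPolicy("NONE")        # documented default: no check
    if value.upper() == "HOST":
        return ServerAuthPolicy("HOST")

    policy = ServerAuthPolicy("CN")
    pos = 0
    if value.startswith("{"):                  # optional leading default CN
        tok = _CN_TOKEN.match(value, pos)
        if tok is None or not tok.group(1):
            raise ValueError("SERVER_AUTH: malformed or empty default CN")
        policy.default_cn = tok.group(1)
        pos = tok.end()
    while pos < len(value):                    # zero or more name{cn} pairs
        brace = value.find("{", pos)
        if brace <= pos:                       # every CN needs a name in front
            raise ValueError("SERVER_AUTH: CN without a daemon/application name")
        name = value[pos:brace]
        tok = _CN_TOKEN.match(value, brace)
        if tok is None or not tok.group(1):
            raise ValueError(f"SERVER_AUTH: malformed or empty CN for {name!r}")
        policy.per_name[name.lower()] = tok.group(1)
        pos = tok.end()
    return policy


def expected_cn(policy: ServerAuthPolicy, peer_name: str) -> Optional[str]:
    """CN the client must see from this daemon/application, or None if no rule."""
    if policy.mode != "CN":
        return None
    return policy.per_name.get(peer_name.lower(), policy.default_cn)


def verify_server(policy: ServerAuthPolicy, peer_name: str,
                  connected_host: str, cert_cn: str) -> bool:
    """Accept or reject a server certificate under the policy.

    peer_name      - daemon or application the client believes it is talking to
    connected_host - host name the client actually connected to
    cert_cn        - subject CN extracted from the presented certificate
    """
    if policy.mode == "NONE":
        return True                             # encrypted but unauthenticated
    if policy.mode == "HOST":
        # DNS names are case-insensitive; a per-host certificate carries the host name.
        return cert_cn.lower() == connected_host.lower()
    want = expected_cn(policy, peer_name)
    if want is None:
        return False                            # no rule and no default: fail closed
    return cert_cn == want


if __name__ == "__main__":
    # The three examples from the page, checked against constructed certificate CNs.
    p1 = parse_server_auth("{Platform EGO}")
    p2 = parse_server_auth("vemkd{Platform vemkd}egosc{Platform Service Controller}")
    p3 = parse_server_auth("{Platform EGO}SOATesting{SOA Testing}")
    print(verify_server(p1, "vemkd", "mgmt1", "Platform EGO"))                 # True
    print(verify_server(p2, "egosc", "mgmt1", "Platform Service Controller"))  # True
    print(verify_server(p2, "ssm", "mgmt1", "Platform EGO"))                   # False: no rule for ssm
    print(verify_server(p3, "SOATesting", "mgmt1", "Platform EGO"))            # False: wrong CN
```

    Note the fail-closed branch: with a per-daemon list and no default (example 2), a connection to a daemon that is not listed is rejected rather than silently accepted, which is the safer reading of the grammar.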

egosc_conf.xml parameters

The egosc_conf.xml file contains one configurable SSL parameter.

  • ESC_TS_PARAMS: the SSL parameters for the EGO Service Controller. ESC_TS_PARAMS uses the same subparameters as EGO_KD_TS_PARAMS but they are applicable only to the Service Controller.