Enable Two-Way SSL

CA Strong Authentication Administration Guide › Configuring SSL › Enable Secured Communication between arwfutil and CA AuthMinder Server › Enable Two-Way SSL

Enable Two-Way SSL

Follow these steps:

Log in to Administration Console using a Master Administrator account.
Click the Services and Server Configurations tab in the main menu.
Click the CA Strong Authentication tab in the submenu.
Under Instance Configurations, click the Trusted Certificate Authorities link to display the corresponding page.
The Trusted Certificate Authorities page appears.
Set the following information:
- In the Name field, enter the name for the SSL trust store.
- Click the Browse button to select the root certificate used by arwfutil.
Click Save.
Under Instance Configurations, click the Protocol Management link to display the corresponding page.
The Protocol Configuration page appears.
Select the Server Instance for which you want to configure the protocols.
In the List of Protocols section, click the Server Management Web Services link.
The page to configure the protocol appears.
Configure the following fields:
- Ensure that the protocol is enabled.
- In the Transport field, select SSL (2-Way).
- Select Key in HSM if you want to store the SSL key in HSM.
- (Only if you selected Key in HSM in the preceding step) Click the Browse button adjacent to the Certificate Chain (in PEM Format) field to select the CA AuthMinder root certificate.
- Click the Browse button adjacent to the P12 File Containing Key Pair field to select the CA AuthMinder root certificate.
- Enter the password for the PKCS#12 store in the P12 File Password field.
- Select the Client Store that you created in Step 6.
Click Save.
Restart the CA AuthMinder Server instance. See Restarting a Server Instance for instructions on how to restart the CA AuthMinder Server.

Navigate to the following location:

On Windows:
```
<install_location>\Arcot Systems\conf
```
On UNIX:
```
<install_location>/arcot/conf
```

Open the arcotcommon.ini file in an editor window to add the SSL configuration parameters.
1. Add the following section at the end of the file:
```
[arcot/webfort/wfutil]
Transport=
ReadTimeOut=
ServerRootPEM=
ClientP12=
ClientP12PwdKey=
ClientPEM=
```
  The following section explains these parameters:
  
  Transport
  
  The communication mode between the arwfutil utility and the CA AuthMinder Server. Following are the supported values:
  - TCP
  - 1SSL
  - 2SSL
    Default: TCP
  ReadTimeout
  
  The maximum time in milliseconds allowed for a response from CA AuthMinder Server.
  
  Default: No Default
  
  ServerRootPEM
  
  Provide the complete path for the CA certificate file of the server. The file must be in PEM format.
  
  For example:
  
  server.CACertPEMPath=<%SystemDrive%>/certs/webfort_ca.pem
  
  Default: No Default
  
  (For software encryption) ClientP12
  
  Provide the path for the client certificate, which is in p12 format.
  
  Default: No Default
  
  (For software encryption) ClientP12PwdKey
  
  Enter the key label that is used to access the client P12 password stored in the securestore.enc file.
  
  Default: No Default
  
  (For hardware encryption) ClientPEM
  
  Provide the complete path for the CA certificate file of the client. The file must be in PEM format.
  
  Default: No Default
2. Save the changes and close the file.
Verify that the CA AuthMinder Server is enabled for SSL communication by performing the following steps:
1. Navigate to the following location:
  - On Windows:
```
<install_location>\Arcot Systems\logs
```
  - On UNIX:
```
<install_location>/arcot/logs
```
2. Open the arcotwebfortstartup.log file in a text editor.
3. Search for the following section:
  Listing : [Successful listeners(Type-Port-FD)]
4. In this section, you must find the following line:
```
ServerManagement-WS............................... : [SSL-9743-<Internal_listener_identifier>-[subject [<cert_subject>] issuer [<cert_issuer>] sn [<cert_serial_number>] device [<device_name>]]]
```
5. Close the file.