CA Risk Authentication Administration Guide › Configure SSL › Enable SSL Between CA Advanced Authentication and CA Risk Authentication Server › For Rule Configurations Activities › Two-Way SSL

Two-Way SSL

To set up two-way SSL between the Risk Evaluation SDK and CA Risk Authentication Server, you must first upload the root certificates for the CAs trusted by CA Risk Authentication, then configure the CA Risk Authentication Native (SSL) protocol by using CA Advanced Authentication, and finally configure the riskfort.risk-evaluation.properties file.

To configure two-way SSL between Java SDK and CA Risk Authentication Server:

1. Enable the application server where Java SDKs are deployed for SSL communication.

   Refer to your application server vendor documentation for detailed information.

2. Log in to CA Advanced Authentication using a Master Administrator account.
3. Activate the Services and Server Configurations tab in the main menu.
4. Ensure that the CA Risk Authentication tab is active.
5. Under the Instance Configuration section, click the Protocol Configuration link to display the Protocol Configuration page.
6. Under System Configuration, click the Trusted Certificate Authorities link to display the CA Risk Authentication Server Trusted Certificate Authorities page.
7. Set the following information on the page:
   • In the Name field, enter the name for the SSL trust store.
   • Click the Browse button adjacent to the first Root CAs field and navigate to and select the root certificate of the application server where Java SDKs are deployed.
8. Click the Save button.
9. Under the Instance Configuration section, click the Protocol Configuration link to display the Protocol Configuration page.
10. Select the Server Instance for which you want to configure the SSL.
11. In the List of Protocols section, click the Native (SSL) protocol link to display the page for configuring the protocol.
12. Configure the following fields:
    • Ensure that the Protocol Status is Enabled.

      If not, then select the Change Protocol Status option and then from the Action list, select Enable.

    • Ensure that the Port is set to the correct SSL port value.
    • Select SSL from the Transport list.
    • If you want to store the SSL key on an HSM, then select the Key in HSM option.
    • Click the Browse button adjacent to the Server Certificate Chain field to select the CA Risk Authentication Server root certificate.
    • (Only if you did not select the Key in HSM option) Click the Browse button adjacent to the Server Private Key field to select the CA Risk Authentication Server private key.
    • Select the Client Store that you created in Step 7.
13. Click the Save button.
14. Restart CA Risk Authentication Server:
    • On Windows: Click the Start button, navigate to Settings, Control Panel, Administrative Tools, and Services. Double-click CA Risk Authentication Service from the listed services.
    • On UNIX Platforms: Navigate to <install_location>/arcot/bin/ and specify the ./riskfortserver start command in the console window.
15. Navigate to the following location:
    • Windows:

      <install_location>\Arcot Systems\sdk\java\properties\
      

    • Unix-Based Platforms:

      <install_location>/arcot/sdk/java/properties/
      

16. Open the riskfort.risk-evaluation.properties file in an editor window of your choice.

    Note: Refer to appendix, "Configuration Files and Options" in CA CA Risk Authentication Installation and Deployment Guide for more information on the riskfort.risk-evaluation.properties file.

    1. Set the following parameters:
       • TRANSPORT_TYPE= SSL (By default, this parameter is set to TCP.)
       • CA_CERT_FILE= <absolute_path_to_Server_root_certificate_in_PEM_format>

       For example, you can specify one of the following:

       • CA_CERT_FILE=<install_location>/certs/<ca_cert>.pem
       • CA_CERT_FILE=<install_location>\\certs\\<ca_cert>.pem

       For example, you can specify CA_CERT_FILE= <install_location>/certs/<ca_cert>.pem.

    Important! In the absolute path that you specify, ensure that you use \\ or / instead of \. This is because the change might not work, if you use the conventional \ that is used in Windows for specifying paths.

    1. Save the changes and close the file.
17. Restart the application server where your Java SDK is deployed.
18. Verify that CA Risk Authentication Server is enabled for SSL communication by performing the following steps:
    1. Navigate to the following location:
    2. Open the arcotriskfortstartup.log file in a text editor.
    3. Check for the following line:

       Started listener for [RiskFort Native (SSL)] [7681] [SSL] [RiskFort]
       

       If you located this line, then two-way SSL was set successfully.

    4. Close the file.