Communication Between the CA XCOM Interface Server and CA XCOM Data Transport Servers

The CA XCOM Interface Server communicates with the local CA XCOM Data Transport server, using web services, in order to schedule transfers on behalf of CA XCOM Gateway and to monitor their progress. For enhanced security, SSL (Secure Sockets Layer) protocol can be requested for this control communication between the two server components.

When SSL communication is required, it can be requested by means of the SSL="YES" attribute within the TRANSFERCONTAINER xml that is configured for CA XCOM Gateway’s policies. Usually the CA XCOM Interface Server and its allied CA XCOM Data Transport server are installed on the same machine and secure communication between these servers might not be deemed necessary. However, secure SSL communication is always recommended if the CA XCOM Interface Server and its local CA XCOM Data Transport server are to reside on separate server machines.

To use SSL communication between the CA XCOM Interface Server and the local CA XCOM Data Transport server, it is first necessary to configure the CA XCOM Interface Server to give it access to the client certificate of the local CA XCOM Data Transport server. The following steps outline the procedure to do this:

  1. Generate an SSL client certificate for the CA XCOM Data Transport server, as described in the CA XCOM Data Transport Administration Guide.
  2. Establish a keystore for the CA XCOM Interface Server to use on the same machine where this server is located.

    During the installation of CA XCOM Gateway, a keystore for CA XCOM Gateway’s use will have already been created or defined. It is acceptable for CA XCOM Interface Server to share the use of the same keystore, and this is the recommended approach when CA XCOM Gateway and the CA XCOM Interface Server reside on the same machine.

    However, if a separate keystore is to be designated for use solely by the CA XCOM Interface Server, a new keystore can be created during the following step.

  3. Import the SSL client certificate into the designated keystore, using the keytool utility.

    Note: The facilities offered by the keytool utility program are fully documented on the http://java.sun.com web site (http://java.sun.com/docs/books/tutorial/security/toolsign/step3.html).

    To run the keytool utility, open the command prompt (Start->run->cmd), and execute the keytool utility by entering a command in the following format:

    "{InterfaceServerInstallDirectory}\jre\bin\keytool.exe" -import -trustcacerts -alias {alias id} -keystore "{keystore path/file}" -storepass "{keystore password}" -file "{certificate path/file}"
    
    {InterfaceServerInstallDirectory}

    The path for the folder into which the CA XCOM Interface Server was installed; for example, c:\Program Files\CA\XCOMIF.

    {alias id}

    A unique alias ID that you want to assign to the SSL certificate. This can be any ID that is different from that of any existing certificate within the same keystore.

    {keystore path/file}

    The directory path for the keystore location and keystore file name.

    If the CA XCOM Interface Server is to share use of CA XCOM Gateway’s existing keystore, you can find the location of that keystore by viewing the xcom-globals.xml file, and locating the <KEYSTORE PATH="…"> attribute.

    If a separate keystore is to be designated for use by the CA XCOM Interface Server, you can specify the path and name of a file that does not presently exist, in which case keytool creates the new keystore.

    {keystore password}

    The current password of the existing keystore, or the password to be assigned to a new keystore.

    {certificate path/file}

    The directory path and file name of the CA XCOM Data Transport client certificate that you want to import; for example, "C:\Program Files\CA\XCOM\Ssl\cassl.pem".

  4. Lastly, the xcom-globals.xml file must be updated to specify the location of the keystore to be used by the CA XCOM Interface Server.

    If the CA XCOM Gateway keystore is being shared by the CA XCOM Interface Server, do the following:

    1. Locate the existing <KEYSTORE> element within the <CERTIFICATE> element of the <GATEWAYSERVER> section of the xcom-globals.xml file.
    2. Copy this <KEYSTORE> element into the <INTERFACESERVER> section of the xcom-globals.xml file.

Example:

Before:

<GLOBALPARAMETERS>
    <GATEWAYSERVER MAXPAGEROWS="9999" DEFAULTPAGEROWS="20">
        <CERTIFICATE AUTHENTICATE="NO" ACTIVEID="gateway01">
            <KEYSTORE KEY="1A89F05E"
               PASSWORD="94EC5AB676F549C87501" 
               PATH="C:\Program Files\CA\Gateway.keystore"/>
            <TRANSPORTDOMAIN DN="*"/>
        </CERTIFICATE>
. . .
    <INTERFACESERVER QUERYCOUNT="9999">
        <LOG LEVEL="INFO" 
           PATH="C:\Program Files\CA\XCOMIF/Logs"/>
. . .
    </INTERFACESERVER>
</GLOBALPARAMETERS>

After:

<GLOBALPARAMETERS>
    <GATEWAYSERVER MAXPAGEROWS="9999" DEFAULTPAGEROWS="20">
        <CERTIFICATE AUTHENTICATE="NO" ACTIVEID="gateway01">
            <KEYSTORE KEY="1A89F05E"
               PASSWORD="94EC5AB676F549C87501" 
               PATH="C:\Program Files\CA\Gateway.keystore"/>
            <TRANSPORTDOMAIN DN="*"/>
        </CERTIFICATE>
. . .
    <INTERFACESERVER QUERYCOUNT="9999">
        <KEYSTORE KEY="1A89F05E"
           PASSWORD="94EC5AB676F549C87501" 
           PATH="C:\Program Files\CA\Gateway.keystore"/>
        <LOG LEVEL="INFO" 
           PATH="C:\Program Files\CA\XCOMIF/Logs"/>
. . .
    </INTERFACESERVER>
</GLOBALPARAMETERS>

If a new keystore has been created for the CA XCOM Interface Server, separate from the CA XCOM Gateway keystore, do the following:

  1. Add a <KEYSTORE> element to the <INTERFACESERVER> section of the xcom-globals.xml file and within this element include only a PATH= attribute, identifying the location of the new keystore.

Example:

<GLOBALPARAMETERS>
. . .
    <INTERFACESERVER QUERYCOUNT="9999">
        <KEYSTORE 
           PATH="C:\Program Files\CA\Gateway.keystore"/>
        <LOG LEVEL="INFO" 
           PATH="C:\Program Files\CA\XCOMIF/Logs"/>
. . .
    </INTERFACESERVER>
</GLOBALPARAMETERS>

  2. Save the updated xcom-globals.xml file.
  3. Use the XcomConfiguration.jar program to add the PASSWORD= and KEY= attributes.

    XcomConfiguration.jar can be located in the 'lib' subdirectory of the JBOSS_HOME\server directory; for example:

    C:\Program Files\JBoss\server\default\lib

Important! After saving the updated xcom-globals.xml file, you need to restart the CA XCOM Interface Server for the change to become effective.
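The two xcom-globals.xml edits described above (copying the Gateway's <KEYSTORE> element into <INTERFACESERVER> for a shared keystore, or adding a PATH-only element for a separate keystore), as an added Python example that is not part of the CA XCOM product or of this page. It works on a constructed sample of the file, and it refuses to proceed if <INTERFACESERVER> already carries a <KEYSTORE>, so an existing configuration is never silently replaced.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample of xcom-globals.xml, mirroring the "Before" layout
# shown on this page (raw string keeps the Windows backslashes intact).
SAMPLE_GLOBALS = r"""<GLOBALPARAMETERS>
    <GATEWAYSERVER MAXPAGEROWS="9999" DEFAULTPAGEROWS="20">
        <CERTIFICATE AUTHENTICATE="NO" ACTIVEID="gateway01">
            <KEYSTORE KEY="1A89F05E"
               PASSWORD="94EC5AB676F549C87501"
               PATH="C:\Program Files\CA\Gateway.keystore"/>
            <TRANSPORTDOMAIN DN="*"/>
        </CERTIFICATE>
    </GATEWAYSERVER>
    <INTERFACESERVER QUERYCOUNT="9999">
        <LOG LEVEL="INFO"
           PATH="C:\Program Files\CA\XCOMIF/Logs"/>
    </INTERFACESERVER>
</GLOBALPARAMETERS>
"""


def configure_interface_keystore(xml_text, new_keystore_path=None):
    """Return (updated XML text, attributes of the KEYSTORE now under INTERFACESERVER).

    new_keystore_path=None copies the Gateway's KEYSTORE verbatim (shared keystore);
    otherwise a PATH-only element is added, leaving KEY= and PASSWORD= for
    XcomConfiguration.jar to fill in, as the procedure above describes.
    """
    root = ET.fromstring(xml_text)
    iface = root.find("INTERFACESERVER")
    if iface is None:
        raise ValueError("no <INTERFACESERVER> section in xcom-globals.xml")
    if iface.find("KEYSTORE") is not None:
        raise ValueError("<INTERFACESERVER> already has a <KEYSTORE>; not overwriting")
    if new_keystore_path is None:
        src = root.find("GATEWAYSERVER/CERTIFICATE/KEYSTORE")
        if src is None or not src.get("PATH"):
            raise ValueError("Gateway <KEYSTORE> with a PATH= attribute not found")
        keystore = copy.deepcopy(src)  # KEY=, PASSWORD= and PATH= all carried over
    else:
        keystore = ET.Element("KEYSTORE", {"PATH": new_keystore_path})
    iface.insert(0, keystore)  # ahead of <LOG>, matching the "After" example above
    return ET.tostring(root, encoding="unicode"), dict(keystore.attrib)


def interface_children(xml_text):
    """Tag names directly under <INTERFACESERVER>, in document order (for checking)."""
    return [child.tag for child in ET.fromstring(xml_text).find("INTERFACESERVER")]
```

Run it on the real file only after taking a backup; the returned attribute dictionary lets you confirm the PATH= value before the Interface Server is restarted.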