Communication Between the CA XCOM Interface Server and CA XCOM Data Transport Servers

CA XCOM Interface Server communicates with the local CA XCOM Data Transport Server, using web services, to schedule transfers on behalf of CA XCOM Management Center and to monitor their progress. For enhanced security, the SSL (Secure Sockets Layer) protocol can be requested for this control communication between the two server components.

When SSL communication is required, request it with the SSL=YES attribute within the TRANSFERCONTAINER XML. Usually the CA XCOM Interface Server and its allied CA XCOM Data Transport Server are installed on the same machine, and secure communication between these servers might not be deemed necessary. However, secure SSL communication is always recommended if the CA XCOM Interface Server and its local CA XCOM Data Transport Server are to reside on separate server machines.

To employ SSL communication between the CA XCOM Interface Server and local CA XCOM Data Transport Server, it is first necessary to configure the CA XCOM Interface Server to give it access to the client certificate of the local CA XCOM Data Transport Server.

To configure the CA XCOM Interface Server

  1. Generate an SSL client certificate for the CA XCOM Data Transport Server, as described in the CA XCOM Data Transport Administration Guide.
  2. Using the following steps, create a keystore for the CA XCOM Interface Server to use on the same machine where this server is located.
  3. Import the SSL client certificate into the designated keystore, using the keytool utility.

    Note: The facilities offered by the keytool utility program are fully documented on the http://java.sun.com web site (http://java.sun.com/docs/books/tutorial/security/toolsign/step3.html).

    To run the keytool utility, open the command prompt (Start->run->cmd), and execute the keytool utility by entering a command in the following format:

    "{InterfaceServerInstallDirectory}\jre\bin\keytool.exe" -import -trustcacerts -alias {alias id} -keystore "{keystore path/file}" -storepass "{keystore password}" -file "{certificate path/file}"
    
    {InterfaceServerInstallDirectory}

    The path for the folder into which the CA XCOM Interface Server was installed, for example, c:\Program Files\CA\XCOMIF.

    {alias id}

    A unique alias ID that you want to assign to the SSL certificate. This can be any ID that is different from that of any existing certificate within the same keystore.

    {keystore path/file}

    The directory path for the keystore location and keystore file name.

    You can specify the path and name of a file that does not presently exist, in which case keytool creates the new keystore.

    {keystore password}

    The current password of the existing keystore, or the password to be assigned to a new keystore.

    {certificate path/file}

    The directory path and file name of the CA XCOM Data Transport client certificate that you want to import; for example, “C:\Program Files\CA\XCOM\Ssl\cassl.pem”.

  4. Lastly, the xcom-globals.xml file must be updated to specify the location of the keystore to be used by CA XCOM Interface Server.
    1. Add a <KEYSTORE> element to the <INTERFACESERVER> section of the xcom-globals.xml file and within this element include only a PATH= attribute identifying the location of the new keystore, for example:

      Before:

      <GLOBALPARAMETERS>
      . . .
          <INTERFACESERVER QUERYCOUNT="9999">
              <LOG LEVEL="INFO" 
                 PATH="C:\Program Files\CA\XCOMIF/Logs"/>
      . . .
          </INTERFACESERVER>
      </GLOBALPARAMETERS>
      

      After:

      <GLOBALPARAMETERS>
      . . .
          <INTERFACESERVER QUERYCOUNT="9999">
              <KEYSTORE 
                 PATH="C:\Program Files\CA\Webserver.keystore"/>
              <LOG LEVEL="INFO" 
                 PATH="C:\Program Files\CA\XCOMIF/Logs"/>
      . . .
          </INTERFACESERVER>
      </GLOBALPARAMETERS>
      
    2. Save the updated xcom-globals.xml file.
    3. Use the XcomConfiguration.jar program to add the PASSWORD= and KEY= attributes.

      XcomConfiguration.jar can be located in the ‘lib’ subdirectory of the JBOSS_HOME\server directory, for example, C:\Program Files\JBoss\server\default\lib.

      • To execute this program, at the command prompt enter the command line:
            java -jar "{libdirectory}\XcomConfiguration.jar"
        
      • When prompted, enter the path of the folder that contains the xcom-globals.xml file that is to be updated by the utility program.
      • When prompted to enter the password for Interface Keystore, type the password for the new keystore and press Enter.
      • At all of the other prompts, press Enter to leave all other passwords unchanged.
      • Review the updated xcom-globals.xml file. The <KEYSTORE> element that was added above should now include a PASSWORD and a KEY attribute, inserted by the utility program.

Important! After saving the updated xcom-globals.xml file, you need to restart CA XCOM Interface Server for the changes to become effective.
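
A post-change check for the procedure above, as an added example that is not part of the CA documentation: it confirms that the imported alias carries the same certificate as the source file and that the <KEYSTORE> element is complete. The alias xcom-dts-client, the xcom-globals.xml location and the script's parameter names are assumptions; the other paths are the page's own examples.

```powershell
# Added example: post-change checks for the keystore procedure (not vendor code).
# Defaults reuse the page's example paths; $Alias and $GlobalsXml are placeholders.
param(
    [string]$Keytool    = 'C:\Program Files\CA\XCOMIF\jre\bin\keytool.exe',
    [string]$Keystore   = 'C:\Program Files\CA\Webserver.keystore',
    [string]$CertFile   = 'C:\Program Files\CA\XCOM\Ssl\cassl.pem',
    [string]$Alias      = 'xcom-dts-client',              # hypothetical alias id
    [string]$GlobalsXml = 'C:\path\to\xcom-globals.xml',  # placeholder location
    [Parameter(Mandatory = $true)][string]$StorePass
)

# Extract the fingerprint lines keytool prints (MD5/SHA1/SHA256, depending on the JRE).
function Get-Fingerprints([string[]]$KeytoolOutput) {
    $KeytoolOutput | ForEach-Object {
        if ($_ -match '^\s*(MD5|SHA-?1|SHA-?256):\s*([0-9A-Fa-f:]+)\s*$') {
            '{0}={1}' -f $Matches[1], $Matches[2].ToUpper()
        }
    } | Sort-Object
}

$problems = @()
# 1. The alias in the keystore must carry the same certificate as the file that was imported.
$inStore = Get-Fingerprints (& $Keytool -list -v -alias $Alias -keystore $Keystore -storepass $StorePass)
$inFile  = Get-Fingerprints (& $Keytool -printcert -file $CertFile)
if (-not $inStore) {
    $problems += "Alias '$Alias' could not be read from $Keystore"
} elseif (($inStore -join ';') -ne ($inFile -join ';')) {
    $problems += "Certificate under alias '$Alias' does not match $CertFile"
}

# 2. xcom-globals.xml must hold one <KEYSTORE> in <INTERFACESERVER>, pointing at that keystore,
#    with the PASSWORD and KEY attributes that XcomConfiguration.jar inserts.
[xml]$cfg = Get-Content -LiteralPath $GlobalsXml
$ks = @($cfg.SelectNodes('//INTERFACESERVER/KEYSTORE'))
if ($ks.Count -ne 1) {
    $problems += "Expected one <KEYSTORE> in <INTERFACESERVER>, found $($ks.Count)"
} else {
    if ($ks[0].GetAttribute('PATH') -ne $Keystore) {
        $problems += "KEYSTORE PATH is '$($ks[0].GetAttribute('PATH'))', expected '$Keystore'"
    }
    foreach ($name in 'PASSWORD', 'KEY') {
        if (-not $ks[0].HasAttribute($name)) {
            $problems += "KEYSTORE has no $name attribute; run XcomConfiguration.jar"
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'Keystore and xcom-globals.xml checks passed.'
```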