Connect CDC uses the Java secure socket layer (SSL) classes for encrypted communication between the Listener and the other Connect CDC components (MonCon, Director, and Console). The protocol used is Transport Layer Security (TLS) 1.2, and mutual TLS (mTLS) is used so that both ends of a connection authenticate each other with certificates. Each customer generates their own public/private key pair along with a self-signed certificate. The steps to generate a self-signed certificate and enable TLS are described below.
Generate Self-Signed certificate
C:\PreciselyConnect\ConnectCDCV58>kernel\configuretls.cmd
Creating certificate file C:\Users\Administrator\.cdc\certs\connect-cdc-keystore.p12...
Exporting certificate C:\Users\Administrator\.cdc\certs\connect-cdc.crt from Keystore file: C:\Users\Administrator\.cdc\certs\connect-cdc-keystore.p12
Importing certificate C:\Users\Administrator\.cdc\certs\connect-cdc.crt into Trustore file: C:\Users\Administrator\.cdc\certs\connect-cdc-trustore.p12 with alias connect-cdc
Certificate generation complete.
Enabling TLS configuration...
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/wrapper.conf
Updating file: C:\PreciselyConnect\ConnectCDCV58\director/omnient.ini
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/startmoncon.cmd
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/startconsole.cmd
Updating file: C:\PreciselyConnect\ConnectCDCV58\kernel/startlistener.cmd
By default this utility creates a PKCS12 keystore and a PKCS12 truststore in the $HOME/.cdc/certs folder, along with a .crt file that holds the exported certificate. It also creates a certs.json file that contains the keystore and truststore passwords; restrict that file (and the .p12 files beside it) to the account that runs Connect CDC, because together they let anyone who can read them impersonate the Listener. After the certificate is created, the configuration files listed in the example output are updated to run Connect CDC in secured mode.
Configure TLS manually
- Use keytool to generate a key pair and self-signed certificate. The alias chosen here must match the alias used in the export step and the keyCertificateAlias in certs.json. For example,
keytool -genkeypair -alias connect-cdc -keyalg RSA -keysize ${KEY_SIZE} -storetype ${STORE_TYPE} -keystore ${KEYSTORE_FILE} -validity <num_days> -storepass "${KEYSTORE_PASSWORD}" ${KEYPWD_OPTION} -dname "CN=CommonName, OU=OrganizationalUnit, O=Organization, L=Locality, ST=StateOrProvinceName, C=CountryName"
- Export the certificate (the public part only). For example,
keytool -export -alias connect-cdc -file connect-cdc.crt -keystore ${KEYSTORE_FILE} -storepass "${KEYSTORE_PASSWORD}" -storetype ${STORE_TYPE}
- Import the certificate into a truststore so that it is trusted. For example,
keytool -import -alias connect-cdc-trust -file connect-cdc.crt -keystore ${TRUSTORE_FILE} -storepass "${TRUSTSTORE_PASSWORD}" ${KEYPWD_OPTION} -storetype ${STORE_TYPE} -noprompt
Note: The keystore and truststore can be the same file or different files.
- Configure the kernel/wrapper.conf file and add these properties:
wrapper.java.additional.4=-Dwrapper-debug=false
wrapper.java.additional.5=-Dconfiguration.file=../conf/cdc_connect.properties
- Adjust director/omnient.ini and add this property:
SelfSignedCertificate=C:\Users\Administrator\.cdc\certs\cert.json
- Adjust the following files:
kernel/startmoncon.cmd
kernel/startconsole.cmd
kernel/startlistener.cmd
Add these properties:
-Dconnect.cdc.tls.config_file="C:\Users\Administrator\.cdc\certs\cert.json" -Dssle
- Create the certs.json file with the following content (the file name must match the path given in omnient.ini and in the start scripts):
{
  "connectTLS": {
    "certificateInfo": {
      "keyStoreType": "PKCS12",
      "keyStorePassword": "g/+sbUmgwitP7EOa",
      "keyCertificateAlias": "connect-cdc",
      "keyStoreFile": "C:/Users/gfostine/.cdc/certs/connect-cdc-keystore.p12",
      "trustStoreType": "PKCS12",
      "trustStorePassword": "858jnCbq5b1v8BPE",
      "trustStoreFile": "C:/Users/gfostine/.cdc/certs/connect-cdc-trustore.p12"
    }
  }
}
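The manual steps above, carried out end to end as an added example (this is not Precisely's configuretls.cmd and not part of Connect CDC). It differs from the bare keytool lines in three ways a practitioner usually wants: the keystore and truststore get separate, randomly generated passwords; the certificate CN is the Listener's host name; and the resulting certs.json is restricted to the current user before the Listener ever reads it. It assumes keytool from a JDK or JRE is on PATH; the directory, alias, host name and validity are placeholders passed as parameters.

```powershell
# Added example: reproduce the manual TLS setup steps and write certs.json.
# Assumes keytool is on PATH. $Hostname and $CertDir are placeholders.
param(
    [string]$CertDir      = (Join-Path $env:USERPROFILE ".cdc\certs"),
    [string]$Alias        = "connect-cdc",
    [string]$Hostname     = "cdc-listener.example.internal",   # placeholder
    [int]   $ValidityDays = 365
)
$ErrorActionPreference = "Stop"

function New-StorePassword {
    # 16 bytes from the OS CSPRNG, base64 encoded; one per store.
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

New-Item -ItemType Directory -Force -Path $CertDir | Out-Null
$keyStore   = Join-Path $CertDir "connect-cdc-keystore.p12"
$trustStore = Join-Path $CertDir "connect-cdc-trustore.p12"   # name configuretls.cmd uses
$certFile   = Join-Path $CertDir "connect-cdc.crt"
$keyPass    = New-StorePassword
$trustPass  = New-StorePassword   # deliberately different from $keyPass

# 1. Key pair plus self-signed certificate. In a PKCS12 store the key password
#    equals the store password, so no separate -keypass option is needed.
& keytool -genkeypair -alias $Alias -keyalg RSA -keysize 3072 -storetype PKCS12 `
    -keystore $keyStore -validity $ValidityDays -storepass $keyPass `
    -dname "CN=$Hostname, OU=CDC, O=Example, L=City, ST=State, C=US"
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed" }

# 2. Export only the certificate (no private key leaves the keystore).
& keytool -exportcert -alias $Alias -file $certFile -keystore $keyStore `
    -storepass $keyPass -storetype PKCS12 -rfc
if ($LASTEXITCODE -ne 0) { throw "keytool -exportcert failed" }

# 3. Import it into a separate truststore under a distinct alias.
& keytool -importcert -alias "$Alias-trust" -file $certFile -keystore $trustStore `
    -storepass $trustPass -storetype PKCS12 -noprompt
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed" }

# 4. certs.json in the layout shown on this page, with forward slashes in paths.
$config = [ordered]@{
    connectTLS = [ordered]@{
        certificateInfo = [ordered]@{
            keyStoreType        = "PKCS12"
            keyStorePassword    = $keyPass
            keyCertificateAlias = $Alias
            keyStoreFile        = ($keyStore -replace '\\', '/')
            trustStoreType      = "PKCS12"
            trustStorePassword  = $trustPass
            trustStoreFile      = ($trustStore -replace '\\', '/')
        }
    }
}
$jsonPath = Join-Path $CertDir "certs.json"
$config | ConvertTo-Json -Depth 4 | Set-Content -Path $jsonPath -Encoding ASCII

# 5. The file now holds both passwords: drop inherited ACEs and grant only
#    the current user. Add the Listener's service account here if it differs.
$acl = Get-Acl $jsonPath
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, "FullControl", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $jsonPath -AclObject $acl

# 6. Verify both stores open with their own password and contain the alias
#    before pointing the start scripts at certs.json.
& keytool -list -keystore $keyStore   -storepass $keyPass   -storetype PKCS12 | Select-String $Alias
& keytool -list -keystore $trustStore -storepass $trustPass -storetype PKCS12 | Select-String "$Alias-trust"
```

If the Listener runs as a Windows service under a different account, add that account to the ACL in step 5 as well, otherwise the service cannot read the passwords and TLS start-up fails. The same ACL treatment belongs on the two .p12 files.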
To set the security and encryption option for the model in Connect CDC Director, from the context menu of the model, go to Model Properties and click the XML/Encryption tab.
Similarly, to set the option for the host that differs from the model in general, go to the Host Properties tab from the context menu of the host. The tab provides the same options with the addition of the model default option.
The Host Properties must specify encryption, if encryption was used to start the Connect CDC Listener during installation. If they do not match, connections are refused, that is, encrypted model connections to a non-encrypted Listener fail and vice versa.
The monitoring and control tools inherit the security options set in the model properties. For example, if the model has authentication but not encryption specified, Connect CDC MonCon runs with the same security options.
Encryption for the Connect CDC Listener is chosen during installation. To change the Listener's security options after installation is complete, re-install.
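Because a mismatch between the model or host properties and the Listener simply produces refused connections, it helps to confirm from the outside what the Listener actually enforces. The following is an added example, not part of Connect CDC: it reads certs.json, pins the Listener's self-signed certificate, and attempts a TLS 1.2 handshake against the Listener port twice, once without and once with the client certificate. Under mTLS the first attempt should be rejected and the second should report IsMutuallyAuthenticated as true. The host name and port are placeholders, and the example assumes the Listener port speaks TLS directly from the first byte.

```powershell
# Added example: probe a Connect CDC Listener for TLS 1.2 and client-certificate
# enforcement. $ListenerHost and $Port are placeholders; not part of Connect CDC.
param(
    [string]$ListenerHost = "cdc-listener.example.internal",   # placeholder
    [int]   $Port         = 7781,                              # placeholder
    [string]$CertsJson    = (Join-Path $env:USERPROFILE ".cdc\certs\certs.json")
)
$ErrorActionPreference = "Stop"
$info = (Get-Content $CertsJson -Raw | ConvertFrom-Json).connectTLS.certificateInfo

# The keystore PKCS12 holds the Listener's certificate and key; load it once so
# the same certificate can be pinned on the server side and offered as client cert.
$pinned = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $info.keyStoreFile, $info.keyStorePassword)

function Test-ListenerHandshake {
    param([bool]$SendClientCert)
    $tcp = New-Object System.Net.Sockets.TcpClient($ListenerHost, $Port)
    # Self-signed, so chain validation cannot pass: accept only the exact pinned cert.
    $validate = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        return ($cert.GetCertHashString() -eq $script:pinned.Thumbprint)
    }
    $ssl   = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    if ($SendClientCert) { [void]$certs.Add($script:pinned) }
    try {
        $ssl.AuthenticateAsClient($ListenerHost, $certs,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        return [pscustomobject]@{
            ClientCertOffered     = $SendClientCert
            Outcome               = "handshake completed"
            Protocol              = $ssl.SslProtocol
            Cipher                = $ssl.CipherAlgorithm
            IsMutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
        }
    } catch {
        return [pscustomobject]@{
            ClientCertOffered     = $SendClientCert
            Outcome               = "rejected: " + $_.Exception.GetBaseException().Message
            Protocol              = $null
            Cipher                = $null
            IsMutuallyAuthenticated = $false
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Expected under mTLS: first row rejected, second row completed with
# IsMutuallyAuthenticated = True. A completed first row means the Listener
# accepts unauthenticated clients and mTLS is not actually enforced.
Test-ListenerHandshake -SendClientCert $false
Test-ListenerHandshake -SendClientCert $true
```

A connection reset or a plain-text response on the first attempt, rather than a TLS alert, usually means the Listener was installed without encryption, which is the "encrypted model connections to a non-encrypted Listener" failure described above.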
If problems occur with SSL, check the following:
- Installation should have placed the certificate file omnicert in the /kernel and /director directories. This file needs to reside in both to enable successful authentication.
- The classpath set in omnient.ini must point to the correct location of these files: omni.jar, jsse.jar, jnet.jar, and jcert.jar.