Here are some examples that show you how to configure secure connections between two DataSource applications using the Secure Sockets Layer (SSL)
The first example shows configuration for an SSL connection between Liberator and a C-based Integration Adapter, and the second example is for Liberator connecting to a Java-based Integration Adapter.
These examples of DataSource SSL configuration apply to release 6.2 and later of the following APIs and Caplin Platform components. Older versions of these APIs and components use an earlier, incompatible version of the configuration. For details, see section 12.8 "Direct connections using SSL" of the Liberator 6.0 Administration Guide.
The examples assume you know how to obtain an SSL certificate, private key and public key, and, for the Java-based Integration Adapter, that you know how to set up a Java Keystore.
- SSL connection between two C DataSource applications
- SSL connections between a Java DataSource and a C DataSource
- Configuring OpenSSL
- Specifying permitted ciphers
Assume you have two DataSource applications: a C-based integration adapter, called MyIntegrationAdapter, and a Liberator, called MyLiberator. The following configurations allow MyIntegrationAdapter to connect to MyLiberator through a secure connection using SSL. For the sake of clarity, the Liberator configuration doesn't include any data services, which you would normally include in a real setup.
C-based adapter's configuration
Peer SSL connnection configuration for MyIntegrationAdapter (the Adapter is the SSL client):
datasrc-name MyIntegrationAdapter-%h datasrc-local-label MyIntegrationAdapter add-peer remote-name MyLiberator remote-label MyLiberator addr <MyLiberators-hostname> port <MyLiberators-portnumber> ssl TRUE ssl-present-certificate %r/certs/MyIntegrationAdapterCert.pem ssl-accept-certificate %r/certs/rttpd.pem ssl-privatekey %r/certs/MyIntegrationAdapterPkey.key ssl-passwordfile %r/certs/MyIntegrationAdapterPassword.pwd end-peer ssl-config-name /etc/pki/tls/openssl.cnf
Here's an explanation of what the ssl options in MyIntegrationAdapter's add-peer are for:
TRUEtells the Adapter to initiate an SSL connection with its peer (the Liberator).
- ssl-present-certificate specifies the SSL certificate file in PEM format that MyIntegrationAdapter sends to MyLiberator when initiating the secure connection. This is the certificate that identifies MyIntegrationAdapter to MyLiberator.
- ssl-privatekey specifies the SSL private key file in PEM format associated with the certificate specified by ssl-present-certificate. MyIntegrationAdapter uses the key to decrypt messages from MyLiberator.
ssl-accept-certificate specifies the SSL certificate file in PEM format that MyIntegrationAdapter uses for certificate pinning. When the SSL connection is being established with MyLiberator, MyIntegrationAdapter compares the public key in the certificate received from the Liberator against the public key in the
ssl-accept-certificatefile. If the keys don’t match, the adapter terminates the (probably unauthorised) connection.
You can supply a chain of certificates for certificate pinning, as long as they're concatenated together into a single SSL certificate file that's supplied to ssl-accept-certificate. The certificates must be added to the file such that the highest level CA is last in the chain; for example: MyCertificate -> Intermediate-CA-1 -> Intermediate-CA-2 -> Root-CA where Root-CA is the highest level CA.
Once you've produced the certificate file, you should verify that the chain of certificates it contains is correct. You can do this with the OpenSSL verify command (use the -CAfile option).
- ssl-passwordfile specifies a file that contains a plain text (unencrypted) password used to access the private key file and the certificate files specified by
- ssl-config-name specifies the OpenSSL configuration file that’s loaded by MyIntegrationAdapter. You don't have to supply a configuration file for OpenSSL, but if you don't, OpenSSL will use its default settings.
Liberator's SSL configuration
Peer SSL connection configuration for MyLiberator (Liberator is the SSL server):
datasrc-name MyLiberator-%h datasrc-local-label MyLiberator datasrc-ssl-enable TRUE datasrc-ssl-port 25001 datasrc-ssl-certificate %r/certs/rttpd.pem datasrc-ssl-privatekey %r/certs/rttpd.key datasrc-ssl-passwordfile %r/certs/rttpd.pwd ssl-config-name /etc/pki/tls/openssl.cnf add-peer remote-name MyIntegrationAdapter remote-label MyIntegrationAdapter ssl TRUE ssl-accept-certificate %r/certs/MyIntegrationAdapterCert.pem end-peer
Here's an explanation of what MyLiberator's ssl configuration items do:
TRUEtells the Liberator to accept incoming SSL connections from Datasource peers.
- datasrc-ssl-port specifies the network port that the Liberator is to listen on for Secure Sockets Layer (SSL) connection requests from DataSource peers. You must specify a port, otherwise the Liberator won't accept incoming SSL connections, regardless of whether datasrc-ssl-enable is set to TRUE.
- datasrc-ssl-certificate specifies the certificate that the Liberator sends to an SSL client (in this case, MyIntegrationAdapter) when the client requests the server’s (Liberator’s) certificate for the SSL handshake.
- datasrc-ssl-privatekey specifies the SSL private key that the Liberator uses to decrypt the symmetric session key received from a DataSource peer (in this case, from MyIntegrationAdapter).
datasrc-ssl-passwordfile specifies a file that contains a plain text (unencrypted) password used to access the private key file and the certificate file specified by
datasrc-ssl-passwordfile.Warning: we strongly recommend that you password protect the private key file and the certificate file.
- ssl-config-name (optional) specifies the OpenSSL configuration file that’s loaded by MyLiberator
- The add-peer configuration specifies the SSL connection to MyIntegrationAdapter:
MyIntegrationAdaptermatches the datasrc-local-label in MyIntegrationAdapter's configuration.
TRUEensures that the Liberator will only accept SSL connection requests from MyIntegrationAdapter; it rejects any request for a non-secure connection.
- ssl-accept-certificate specifies the SSL certificate file that the Liberator uses for certificate pinning. When the SSL connection is being established with MyIntegrationAdapter, Liberator compares the public key in the certificate received from the MyIntegrationAdapter against the public key in the
ssl-accept-certificatefile. If the keys don’t match, the Liberator terminates the (probably unauthorised) connection.
The certificate file and the private key file must be in PEM format.
The SSL configuration is slightly different for Java adapters. Following on from the C-based configuration example above, assume that now you want to replace MyIntegrationAdapter with a Java version called MyJavaAdapter.
Java-based adapter's SSL configuration
The configuration for MyJavaAdapter (the SSL client) looks like this:
datasrc-name MyJavaAdapter-%h datasrc-local-label MyJavaAdapter datasrc-ssl-keystore %r/certs/MyJavaAdapterKeyStore.jks datasrc-ssl-passwordfile %r/certs/MyJavaAdapterPassword.pwd add-peer remote-name MyLiberator remote-label MyLiberator addr <MyLiberators-hostname> port <MyLiberators-portnumber> ssl TRUE ssl-present-certificate <alias-in-datasrc-ssl-keystore> ssl-accept-certificate <alias-in-datasrc-ssl-keystore> end-peer ssl-config-name /etc/pki/tls/openssl.cnf
Here's an explanation of the configuration above:
- Rather than putting MyJavaAdapter's SSL certificate and private key in separate files, you keep them in a Java KeyStore, along with copies of the certificates used for certificate pinning. You specify the KeyStore in datasrc-ssl-keystore.
If you want to password protect the KeyStore, specify the password file in datasrc-ssl-passwordfile.Warning: we strongly recommend that you password protect the Java Keystore.
- As in the C-based Adapter example, the ssl
TRUEoption of the add-peer tells MyJavaAdapter to initiate an SSL connection with its peer (the Liberator).
ssl-present-certificate must be present. It specifies the SSL certificate that MyJavaAdapter sends to MyLiberator when initiating the secure connection. This is the certificate that identifies MyJavaAdapter to MyLiberator. Since we're keeping the certificate in a Java KeyStore, ssl-present-certificate is just the alias of the relevant certificate in the KeyStore.
ssl-accept-certificate specifies the alias of MyLiberator's public certificate, imported into the adapter's Java KeyStore. This is the certificate that MyJavaAdapter uses for certificate pinning. When the SSL connection is being established with MyLiberator, MyJavaAdapter compares the public key in the certificate received from the Liberator against the public key for the certificate in the Java KeyStore. If the keys don’t match, the adapter terminates the (probably unauthorised) connection.
To import MyLiberator's certificate into MyJavaAdapter's keystore, execute the command below:
keytool -import -alias myliberator -file rttpd.pem -keystore MyJavaAdapterKeyStore.jks
You can supply a chain of certificates for certificate pinning, as long as they're in PKCS#7 format. You import the chain to the Java KeyStore using the KeyStore utility and the chain is then handled by the standard Java cryptography library. The certificates must be chained such that the highest level CA is last in the chain; for example: MyCertificate -> Intermediate-CA-1 -> Intermediate-CA-2 -> Root-CA where Root-CA is the highest level CA. Then set ssl-accept-certificate to the name of the lowest level certificate in the chain; in the example here, this would be to MyCertificate.
- And finally, the (optional) item ssl-config-name specifies the OpenSSL configuration file that’s loaded by MyJavaAdapter.
Liberator's SSL configuration
The Liberator (SSL server) configuration is very similar to the configuration in the previous example. Note the different adapter name and the different certificate file name in the
datasrc-name MyLiberator-%h datasrc-local-label MyLiberator datasrc-ssl-enable TRUE datasrc-ssl-port 25001 datasource-ssl-certificate %r/certs/rttpd.pem datasrc-ssl-privatekey %r/certs/rttpd.key datasrc-ssl-passwordfile %r/certs/rttpd.pwd ssl-config-name /etc/pki/tls/openssl.cnf add-peer remote-name MyJavaAdapter remote-label MyJavaAdapter ssl TRUE ssl-accept-certificate %r/certs/MyJavaAdapterCert.pem end-peer
The file MyJavaAdapterCert.pem is derived from the Java adapter's certificate stored in the adapter's keystore, MyJavaAdapter.jks. To export the certificate from the keystore, follow the steps below:
Enter the command below to export a key pair in PKCS#12 format from the keystore file MyJavaAdapter.jks, changing <alias> to the alias of MyJavaAdapter's key and certificate and <password> to the password with which to encrypt the PKCS#12 file.
keytool -importkeystore -srckeystore MyJavaAdapterKeyStore.jks \ -destkeystore MyJavaAdapter.p12 -deststoretype PKCS12 \ -srcalias <alias> -deststorepass <password> \ -destkeypass <password>
Enter the command below to convert the file MyJavaAdapter.p12 to a PEM-encoded PKCS#8 file:
openssl pkcs12 -in MyJavaAdapter.p12 -out MyJavaAdapter.pem
The private key in the PKCS#8 file is encrypted with the same password as it is in the PKCS#12 file.
Open the file MyJavaAdapter.pem, which contains both the key and certificate (or certificate chain), and copy the certificate (or certificate chain) into a new file, MyJavaAdapterCert.pem:
-----BEGIN CERTIFICATE----- MIIDhTCCAm2gAwIBAgIEQWyp/TANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJH ⋮ As7CYxDrCuleFcJxD2TaeqgtfMKs1TwZSpgnF79RpVZm2lN/D8KrMlA= -----END CERTIFICATE-----
C-based DataSource applications use the OpenSSL software to implement the security policies for secure connections with peers. You can configure OpenSSL using the following DataSource configuration items, which are defined on the page DataSource Secure Sockets Layer (SSL) configuration:
When you change the configuration of OpenSSL within Liberator, the new settings also apply to all of Liberator's HTTPS connections and Direct secure connections, as well as to secure connections between with its peers.
To ensure adequate security in a production deployment, regularly review the list of ciphers permitted for use in SSL communications. Useful sources of security resources include Qualys SSL Labs and Security/Server-side TLS in the Mozilla wiki.
To set the list of permitted ciphers, see the documentation for the datasrc-ssl-cipherlist configuration item.