SSL Communications

This section describes how to handle SSL communications between the different components of the architecture.

For purposes of confidentiality and data integrity, communication between the different components of the architecture can be secured using SSL V3.

The minimum versions of components that support SSL are:

• UVMS V4
• UVC V4 (direct, Web start and Web console/gateway)
• DUAS V6 and the associated managers
• Reporter V4

Only communications between the UVMS nodes and with an external database cannot be secured by SSL.

Architecture

The architecture can be represented as follows:

Figure 10 : Architecture SSL

In this architecture: each server

• Must support SSL technology
• Must have a pair of public/private key locally generated
• Must possess a certificate (X509 V3) delivered by a certificate authority

Each client and each server must have confidence in the certificate authority that signed the certificate.

Certificates

Server certificate:

Originally X509 certificates were generated for a specific hostname. The name of the machine is defined in the "Security Principal" field of the certificate.

For example:

CN=frwpmdev13.automic.com,O=AUTOMIC Software GmbH,L=PARIS,C=FR

However it's possible to define a certificate that is valid for several domains, for example to reduce the cost of the certificates.

• Wildcard certificates

  The first way is to use wildcard in the CN.

  For example:

  CN=*.AUTOMIC.com,O=AUTOMIC Software GmbH,L=PARIS,C=FR

  In that specific case, the certificate covers all machines in the domain automic.com.

  * is the only wildcard authorized.

• Subject Alternative Names

  The second way is to add Subject Alternative Names (SANs) to the certificate. An X509 certificate contains a field called "Subject Alternative Names".

  This is a list of authorized domains for this certificate. When this list is defined, the client should ignore the CN of the "Security Principal" field and only check that the hostname of the server is indeed defined in the list.

  Wildcard are supported in SANs.

  Adding a certificate that contains a lot of SANs can slow down establishing the connection with the server.

CA Certificate:

Certificate chains can be managed by adding additional CA certificates.

Operation

All certificates delivered to servers on the same declared UVMS must be signed by the same certificate authority.

All certificates must be the Web Server type.

It is assumed that all client applications (UVC standalone or webstart, UVMS commands and Reporter commands) trust the same certificate authority.

When a client communicates with an SSL server, it must trust the certificate authority that signed the certificate:

• UVMS: trusted certificates are imported with the unissl Command command.
• UVC (standalone or webstart): a certificate signed by UVMS is automatically downloaded in the first SSL connection UVMS. The user has to approve (or not), then it is loaded into the UVC truststore.
• UVC Web console: the CA certificate must be imported with the unissl command.
• Reporter/DUAS: the certificates must be imported by the unissl command.

Certificates with limited validity must be removed before their expiration in order not to disrupt communications and new certificates shall be installed.

• UVMS

  UVMS must be the first architecture server to be configured to support SSL.

  The SSL communication port is specified during installation (default 4443).

  Even when configured with SSL, UVMS is still able to communicate clearly with all the architectural elements that do not support SSL (or for which SSL is not configured).

  UVMS supports DER and Base 64 certificates. It supports a simple certificate (.cer or .crt file) and the certificates chain (.p7b file).

  Refer to UVMS SSL Configuration

• UVC

  If SSL is configured on UVMS, the user chooses the mode of UVC communication with UVMS (SSL or unencrypted) in the login screen.

  In order for UVC to connect in SSL with a DUAS or Reporter node (SSL configured), UVC must be connected to UVMS in SSL.

  The UVC Web Console supports DER and Base 64 simple certificates (.cer or .crt file).

  Refer to UVC SSL Configuration

• DUAS

  The SSL configuration of a DUAS V6 node can only be achieved if UVMS is configured in SSL.

  If SSL is activated on a DUAS V6 node, all the communications must be or will be in SSL format.

  DUAS supports Base 64 simple certificates (.cer or .crt file).

  The DUAS SSL configuration is described in the Dollar Universe Administration Guide.

• Reporter

  If SSL is activated on Reporter, all incoming communications must be in SSL format.

  If SSL is not activated on Reporter, all incoming communications must be clear.

  In order for Reporter to extract data from DUAS V6 nodes configured in SSL, it must be configured in SSL.

  If Reporter is configured in SSL, the following communications will be in SSL format:

  • Reporter <-> UVMS
  • Reporter -> DUAS V6 / SSL
  • CLI Reporter -> Reporter
  • UVC -> Reporter

  If Reporter is configured in SSL, the following communications must be uncoded:

  Reporter -> DUAS V6 non SSL

  • Reporter -> DUAS V5
  • Reporter -> UniJob V1

  Reporter supports DER and Base 64 certificates. It supports the simple certificate (.cer or .crt file) and the chain certificate (.p7b file).

  The Reporter SSL configuration is described in the Reporter Administration Guide.