Configuring SSL server authentication
When the OpenAccess SDK Client makes a connection request, the OpenAccess SDK Server presents its public certificate for the OpenAccess SDK Client to accept or deny. The OpenAccess SDK Client checks the issuer of the certificate against a list of trusted Certificate Authorities (CAs) that resides in an encrypted file on the client known as a truststore. Optionally, the OpenAccess SDK Client may also check the subject (owner) of the certificate. If the certificate was issued by a CA in the truststore (and, when the subject check is enabled, the certificate's subject matches the value that the application expects), an encrypted connection is established between the client and server. Otherwise the connection fails and the OpenAccess SDK Client throws an exception.
To check the issuer of the certificate against the contents of the truststore, the OpenAccess SDK Client must be able to locate the truststore and unlock the truststore with the appropriate password.
Alternatively, you can configure the OpenAccess SDK Client to trust any certificate sent by the OpenAccess SDK Server, even if the issuer is not a trusted CA. This is useful in test environments because it eliminates the need to specify truststore information on each client. If the OpenAccess SDK Client is configured to trust any certificate sent from the server, the issuer information in the certificate is ignored. Be aware that this disables server authentication entirely: the connection is still encrypted, but anyone who can intercept it can present a certificate of their own and the client will accept it, so do not use this setting in production.
For SSL server authentication, the OpenAccess SDK Server sends its public certificate to the OpenAccess SDK Client to accept or deny. The OpenAccess SDK Server stores its private key together with its public certificate in an encrypted file known as a keystore. The OpenAccess SDK Server must be able to locate the keystore and unlock it with the appropriate keystore password.
Specify values for the ServiceSSLKeyStore and ServiceSSLKeyStorePasswordFile service attributes. For example:

ServiceSSLKeyStore=C:\Certificates\MyKeyStore.pfx
ServiceSSLKeyStorePasswordFile=MyKeystorePassword
For the OpenAccess SDK Server, the keystore is a PKCS #12 encoded file, and the password needed to decode it is read from the keystore password file. It is up to the OpenAccess SDK administrator to keep this password file in a secure directory, readable only by the account the server runs under: anyone who can read both the keystore and the password file can extract the server's private key and impersonate the server. The PKCS #12 keystore contains only one certificate (the server's own, optionally accompanied by its CA certificates); to access that certificate and its private key, the OpenAccess SDK Server needs only the keystore password. The file extension of the keystore must be .pfx or .p12.
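The following script is an added example and is not part of the OpenAccess SDK documentation or product. Using only the openssl command-line tool in a POSIX shell, it builds a .pfx keystore of the kind ServiceSSLKeyStore points at, protects the keystore password file, confirms that the password file alone unlocks the keystore, and then reproduces the two client-side checks described above (issuer against the truststore, then subject) against both a properly issued certificate and a self-signed one. The CA name, the host name oasdk.example.test, the password and the file names are assumptions; a PEM bundle of CA certificates stands in for the client truststore.

```shell
#!/bin/sh
# Added example, not from the OpenAccess SDK documentation. Builds a PKCS#12
# keystore for the OpenAccess SDK Server and reproduces the client's checks
# with openssl. Assumed values: the CA name, the host name oasdk.example.test,
# the password and the file names. Requires the openssl command-line tool.
set -eu
umask 077   # every key, keystore and password file is created owner-only

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_CN="oasdk.example.test"
PASSWORD_FILE="$WORKDIR/MyKeystorePassword"
KEYSTORE="$WORKDIR/MyKeyStore.pfx"

# Print the subject of the PEM certificate on stdin as an RFC 2253 string,
# e.g. "CN=oasdk.example.test", independent of the openssl version.
subject_of() {
    openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# A private test CA, a server certificate issued by it, and a self-signed
# "rogue" certificate that carries the same name but no trusted issuer.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=OpenAccess Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$SERVER_CN" \
        -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.crt" 2>/dev/null
}

# Server side: write the keystore password file readable only by the service
# account, then bundle private key, certificate and issuing CA into one .pfx
# protected by that password. $1 = keystore password.
make_keystore() {
    printf '%s\n' "$1" > "$PASSWORD_FILE"
    chmod 600 "$PASSWORD_FILE"
    openssl pkcs12 -export -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
        -certfile "$WORKDIR/ca.crt" -passout "file:$PASSWORD_FILE" -out "$KEYSTORE"
}

# Server start-up check: the password file alone must unlock the keystore.
# Prints the subject of the single certificate stored in it.
keystore_subject() {
    openssl pkcs12 -in "$KEYSTORE" -nokeys -clcerts \
        -passin "file:$PASSWORD_FILE" 2>/dev/null | subject_of
}

# Client check 1: does the presented certificate chain to a CA in the
# truststore? $1 = PEM bundle standing in for the truststore, $2 = certificate.
client_checks_issuer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Client check 2 (optional in the SDK): does the subject name the host the
# application expects? $1 = certificate, $2 = expected host name.
client_checks_subject() {
    [ "$(subject_of < "$1")" = "CN=$2" ]
}

make_test_pki
make_keystore 's3cr3t-keystore-pw'
echo "keystore unlocked, holds: $(keystore_subject)"
for cert in server rogue; do
    if client_checks_issuer "$WORKDIR/ca.crt" "$WORKDIR/$cert.crt"; then
        echo "$cert.crt: issuer trusted"
    else
        echo "$cert.crt: issuer NOT trusted (only 'trust any certificate' would accept it)"
    fi
done
```

The rogue certificate is the case the "trust any certificate" setting lets through: it names the right host, so a subject-only check passes, and only the issuer check against the truststore rejects it. The same openssl commands work on Windows with the paths adjusted; the resulting .pfx and password file are what ServiceSSLKeyStore and ServiceSSLKeyStorePasswordFile refer to.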