You can configure Secure Socket Layer (SSL) communications in IDOL in a number of different ways. For details about the configuration parameters available, refer to the IDOL Server Reference.
You can set these configuration parameters in different locations for different components, and in some cases for different ports of the same component (for example the ACI and Index port). In each case, you set the SSLConfig parameter to the name of a configuration section that contains the SSL configuration parameters for that component.

[Server]
SSLConfig=SSLOptions

[SSLOptions]
SSLMethod=...
In most cases, you can share one set of SSL options for multiple use (for example, incoming and outgoing connections to different components). In some scenarios a component might need to use different SSL settings to communicate with different components.
For a minimal SSL setup you must set SSLMethod, SSLPrivateKey, and SSLCertificate. This configuration provides encryption without authentication.
The following example configuration sets up all of the ACI Servers to accept only SSL connections, so that all traffic between them is encrypted.
For this configuration, every ACI Server must have the following configuration:
[Server]
SSLConfig=SSLEncryptionOnly

[SSLEncryptionOnly]
SSLMethod=TLSV1.2
SSLPrivateKey=/path/to/privatekey
SSLCertificate=/path/to/certificate
Those components with an index port also have:
[IndexServer]
SSLConfig=SSLEncryptionOnly
You must configure the components to use SSL to talk to each other. For example, in a DAH you may need to add something like:
[DAHEngine0]
Host=12.3.4.56
Port=9000
SSLConfig=SSLEncryptionOnly
The following example setup enforces that all certificates that the client and server use are signed by a trusted Certificate Authority, and that the certificates are used only on the machines they were intended for.
[Server]
SSLConfig=SSLOptions

[SSLOptions]
SSLMethod=SSLv23
SSLPrivateKey=/path/to/privatekey
SSLCertificate=/path/to/certificate
SSLCheckCommonName=True
SSLCACertificate=/path/to/certificate.authority.certificate
If you access an ACI Server through a Web browser, you must import a certificate signed by the same Certificate Authority into your browser certificate store.
There are three ways of configuring SSL through IDOL Proxy:
1. StandaloneProxy mode. In this mode, IDOL Proxy distributes actions, and each component is configured separately, often on separate machines. In this case, you configure IDOL Proxy with the SSL settings for communications with each component.

[Server]
SSLConfig=SSLOptions
StandAloneProxy=True

[Content]
Host=anothermachine
ACIPort=9992
SSLConfig=SSLOptions
...
2. SSL gateway. In this mode, only the IDOL Proxy uses SSL communications, and child components use plain HTTP. To provide encryption, you must ensure that all external requests go through IDOL Proxy.

[Server]
SSLConfig=SSLOptions

[IndexServer]
SSLConfig=SSLOptions
3. Full SSL. In this mode, all components run in SSL mode.

In this case, you must also configure the Agentstore component with the SSLIDOLComponents configuration parameter, as well as SSLConfig.

[Server]
SSLIDOLComponents=True
SSLConfig=SSLOptions

[IndexServer]
SSLConfig=SSLOptions

[DataDRE]
SSLConfig=SSLOptions

[AgentDRE]
SSLConfig=SSLOptions

[Agent]
SSLConfig=SSLOptions
IndexSSLConfig=SSLOptions

[Viewing]
SSLConfig=SSLOptions
If you want SSL on the service port, you can also add:
[Service]
SSLConfig=SSLOptions

[DIHEngineN]
ServiceSSLConfig=SSLOptions
Components can request a license from an SSL-enabled License Server by using the following configuration:
[License]
SSLConfig=SSLOptions
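Because every SSL setting above is a reference from a component section to a named options section, a misspelt section name or a forgotten IndexSSLConfig silently leaves that path on plain HTTP. The script below is an added example, not IDOL's own tooling: it parses an IDOL-style configuration file, follows each SSLConfig, IndexSSLConfig and ServiceSSLConfig reference, checks that the target section carries the minimal SSLMethod, SSLPrivateKey and SSLCertificate trio, reports whether each options section is encryption-only or CA-verified (SSLCACertificate, plus SSLCheckCommonName=True), and compares the file against the (section, parameter) pairs of the Full SSL IDOL Proxy example on this page. The sample configuration is constructed and contains two deliberate mistakes; Python's configparser is assumed to be a close enough approximation of IDOL's INI parsing (case-insensitive keys) for this audit.

```python
import configparser

# Parameters that name an SSL options section (SSLConfig, IndexSSLConfig and
# ServiceSSLConfig are the ones shown on the page). IDOL keys are
# case-insensitive and configparser lower-cases option names, so the keys are
# listed lower-case here.
SSL_REF_KEYS = ("sslconfig", "indexsslconfig", "servicesslconfig")

# Minimal SSL setup from the page: encryption without authentication.
REQUIRED_KEYS = ("sslmethod", "sslprivatekey", "sslcertificate")

# (section, parameter) pairs that the page's "Full SSL" IDOL Proxy example sets.
FULL_SSL_EXPECTED = (
    ("Server", "sslconfig"),
    ("IndexServer", "sslconfig"),
    ("DataDRE", "sslconfig"),
    ("AgentDRE", "sslconfig"),
    ("Agent", "sslconfig"),
    ("Agent", "indexsslconfig"),
    ("Viewing", "sslconfig"),
)

# Constructed sample (not from the page) with two deliberate mistakes:
# [Viewing] points at an options section that does not exist, [AgentDRE] is
# missing entirely, and [Agent] has no IndexSSLConfig.
SAMPLE_CONFIG = """
[Server]
SSLIDOLComponents=True
SSLConfig=SSLOptions

[IndexServer]
SSLConfig=SSLOptions

[DataDRE]
SSLConfig=SSLOptions

[Agent]
SSLConfig=SSLOptions

[Viewing]
SSLConfig=SSLOptionsTypo

[License]
SSLConfig=SSLOptions

[SSLOptions]
SSLMethod=TLSV1.2
SSLPrivateKey=/path/to/privatekey
SSLCertificate=/path/to/certificate
SSLCheckCommonName=True
SSLCACertificate=/path/to/certificate.authority.certificate
"""


def parse_idol_config(text):
    """Parse an IDOL-style INI file; strict=False tolerates repeated keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def classify_options(opts):
    """Describe what an SSL options section actually enforces."""
    if "sslcacertificate" not in opts:
        return "encryption-only"          # peer certificate is never verified
    if opts.get("sslcheckcommonname", "").lower() == "true":
        return "ca-verified+common-name"  # CA signature and host binding
    return "ca-verified"                  # CA signature only


def audit_ssl(text, expected=FULL_SSL_EXPECTED):
    """Return {'findings': [...], 'modes': {options_section: mode}}."""
    cp = parse_idol_config(text)
    findings, modes = [], {}
    for section in cp.sections():
        for key in SSL_REF_KEYS:
            if key not in cp[section]:
                continue
            target = cp[section][key]
            if not cp.has_section(target):
                findings.append(f"[{section}] {key}={target}: options section does not exist")
                continue
            if target not in modes:  # check each options section once
                opts = cp[target]
                missing = [k for k in REQUIRED_KEYS if k not in opts]
                if missing:
                    findings.append(f"[{target}] missing {', '.join(missing)}")
                modes[target] = classify_options(opts)
    # Any expected reference that is absent means that path speaks plain HTTP.
    for section, key in expected:
        if not cp.has_section(section) or key not in cp[section]:
            findings.append(f"[{section}] has no {key}: this path is plain HTTP")
    return {"findings": findings, "modes": modes}


if __name__ == "__main__":
    report = audit_ssl(SAMPLE_CONFIG)
    for line in report["findings"]:
        print("FINDING:", line)
    for name, mode in report["modes"].items():
        print(f"[{name}] provides: {mode}")
```

Run against a real component configuration, the audit is most useful as a pre-deployment check for the Full SSL mode, where one missing reference is enough to leave a port unencrypted; pass a different `expected` tuple for the StandaloneProxy or SSL gateway layouts.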
ACI servers log the list of available ciphers on startup if they are configured to run in SSL mode.