1.1.5.4.1 Configuring Certificates
Certificate information must be configured in order for the GWWS server to create a TLS listen endpoint, or to use X.509 certificates for authentication and/or message signature. All GWWS servers defined in the same deployment file share the same certificate settings, including the private key file, trusted certificate directory, and so on.
<Certificate>/<PrivateKey> sub-element. The private key file must be in PEM file format and stored locally. TLS clients can optionally be verified if the <Certificate>/<VerifyClient> sub-element is set to true.
Note:
By default, the GWWS server does not verify TLS clients.
If TLS clients are to be verified, and/or the X.509 certificate authentication feature is enabled, a set of trusted certificates must be stored locally and located by the GWWS server. There are two ways to define GWWS server trusted certificates:
- Include all certificates in one PEM format file and define the file path using the <Certificate>/<TrustedCert> sub-element.
- Save separate certificate PEM format files in one directory and define the directory path using the <Certificate>/<CertPath> sub-element.
Note:
The "cn" attribute of a distinguished name is used as a key for certificate lookup. Wildcards used in a name are not supported. Empty subject fields are not allowed. This limitation is also found in Oracle Tuxedo.
The following example shows a SALTDEPLOY file segment configuring GWWS server certificates.
Example 1-14 Configuring Certificates In the SALTDEPLOY File
<Deployment ..>
    ...
    <System>
        <Plugin>
            <Interface lib="plugin_1.so" />
            <Interface lib="plugin_2.so" />
        </Plugin>
    </System>
</Deployment>
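The note above says the "cn" attribute is the lookup key, that wildcards are not supported and that empty subject fields are not allowed. The following added example (not Oracle's code) checks trusted-certificate subjects against those rules before deployment. It assumes each subject line was produced with `openssl x509 -noout -subject -nameopt RFC2253`; the function names are hypothetical, and treating a cn shared by two certificates as a problem is an assumption drawn from the cn being the lookup key.

```python
import re
from collections import Counter

# Split on ',' or '+' that is not backslash-escaped (RFC 2253 string form).
_RDN_SPLIT = re.compile(r"(?<!\\)[,+]")

def parse_subject(line):
    """Turn 'subject=CN=a,O=b' into [('CN', 'a'), ('O', 'b')]."""
    dn = re.sub(r"^subject=\s*", "", line.strip(), flags=re.I)
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        if rdn.strip():
            attr, _, value = rdn.partition("=")
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def lint_subject(line):
    """List the ways one subject conflicts with the lookup rules in the note."""
    pairs = parse_subject(line)
    if not pairs:
        return ["empty subject"]
    problems = []
    if not any(attr == "CN" for attr, _ in pairs):
        problems.append("no cn attribute to use as lookup key")
    for attr, value in pairs:
        if value == "":
            problems.append(f"empty subject field: {attr}")
        if "*" in value:
            problems.append(f"wildcard in {attr}")
    return problems

def lint_store(subjects):
    """Lint each subject, then flag cn values that more than one certificate uses."""
    report = {s: lint_subject(s) for s in subjects}
    cn_of = {s: [v for a, v in parse_subject(s) if a == "CN"] for s in subjects}
    counts = Counter(cn for cns in cn_of.values() for cn in cns)
    for s, cns in cn_of.items():
        if any(counts[cn] > 1 for cn in cns):
            # Assumption: a cn shared by two certificates makes the lookup ambiguous.
            report[s].append("cn shared with another certificate")
    return report

# Constructed subject lines, not taken from any real deployment.
SAMPLE = [
    "subject=CN=client1,O=Example Corp,C=US",
    "subject=CN=*.example.test,O=Example Corp,C=US",
    "subject=CN=client1,OU=Batch,O=Example Corp,C=US",
    "subject=OU=NoCommonName,O=Example Corp,C=US",
]
```

Calling lint_store(SAMPLE) returns a dictionary keyed by subject line; an empty list means the subject passed every check.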