Installing security certificates for the ACL Connector for Analytics Exchange
The ACL Connector for Analytics Exchange supports Secure Sockets Layer (SSL) encryption on the connections between client machines and AX Server. If SSL is enabled, the connector uses OpenSSL to encrypt all data moving across the network connections between client machines and the server.
To configure SSL using certificates, you must generate a set of SSL certificates on the server machine. You can generate one of the following certificate types for the SSL connection:
- Self-signed certificate
- Certificate Authority (CA) certificate
Before you begin
Download and install OpenSSL and then add the path to the openssl.exe executable to your PATH environment variable.
Note
Like many open source software projects, the OpenSSL project does not distribute any code in binary form. Instead you must download the project source code and build the binary or locate a binary that is distributed for your operating system from a third-party source.
For more information, see the OpenSSL documentation.
Generating an SSL certificate for self-signing
Use OpenSSL to generate a key file and certificate file on the server machine. Self-signed certificates are useful during development or testing, when you do not need to purchase a commercial certificate.
- Open a command prompt and then create the C:\newcerts directory.
md C:\newcerts
-
Change to the new directory and generate a server key file and server certificate file.
cd C:\newcerts openssl req -x509 -newkey rsa:4096 -keyout server-key.pem -out server-cert.pem -days 365 -nodes
You are prompted for information which is incorporated into the certificate, such as Country, City, Company Name, and so on. Make a note of the information you enter as you may get prompted for this information again at a later stage.
Note
The -nodes argument removes password-protection for the private key so you do not need to enter a password when you restart the server.
Result the self-signed certificate is created. You require server-key.pem and server-cert.pem during the installation of the ACL Connector for Analytics Exchange on the AX Server machine. Client users do not require a certificate file when using this option.
Generating an SSL certificate with a Certificate Authority (CA)
Like self-signed certificates, Certificate Authority (CA) certificates ensure no third-party can easily access the connection. However, CA certificates provide additional trust because an independent, trustworthy certificate authority validates the server's authenticity.
Create the server private key
- Open a command prompt and then create the C:\newcerts directory.
md C:\newcerts
-
Change to the new directory and generate a new key.
cd C:\newcerts openssl genrsa -out server-key-withPass.pem
- Generate a certificate signing request.
openssl req -new -key server-key-withPass.pem -out signingReq.csr
You are prompted for information which is incorporated into the certificate, such as Country, City, Company Name, and so on. Make a note of the information you enter as you may get prompted for this information again at a later stage. When asked for an email address, provide a valid email address so that the Certificate Authority can send the certificate via this address.
- Verify the information in the signingReq.csr file and then send the file to the Certificate Authority as a request.
Result if the request is successful, the Certificate Authority sends you a certificate using the email address you provided in the signing request. The email you receive includes an encrypted CA certificate and a link to an encrypted CA intermediate certificate.
Copy both certificates to a text file, with the non-intermediate certificate followed by the intermediate certificate and then save the file as CA-cert.pem. You require this file for the following section.
Create and sign the server certificate
- Gather the following files that were generated in the previous section and copy the three files to C:\newcerts:
- server-key-withPass.pem
- signingReq.csr
- CA-cert.pem
- Open a command prompt and change to C:\newcerts:
cd C:\newcerts
- Create the server certificate:
openssl CA -in signingReq.csr -out server-cert.pem -keyfile server-key-withPass.pem -days 365 -cert CA-cert.pem
- Remove the password from server-key-withPass.pem so that you are not required to enter a password when restarting the server, and generate the final server key file (server-key.pem).
openssl rsa -in server-key-withPass.pem -out server-key.pem
Caution
Once you remove the requirement for the password, the certificate can be copied and used elsewhere. Therefore, once you remove the password requirement, you must take adequate precautions when storing the file. Ensure that the permissions are set to only allow access to those who need it.
Result the server certificate is created and signed.
Distributing the SSL certificates
Once you generate a self-signed or CA certificate, you have a full set of SSL certificates that you can distribute:
- the CA-cert.pem file required by any client to connect to the ACL Connector for Analytics Exchange over SSL using a Certificate Authority certificate
- the Server Key file (server-key.pem) and the Server Certificate file (server-cert.pem) required when you run the ACL Connector for Analytics Exchange installer on AX Server if you want to enable SSL