Security certificates

Analytics Exchange installations require SSL security certificates. By default, a self-signed security certificate is installed; however, you may replace this default certificate with a certificate issued by a third-party certificate authority (CA).

How it works

SSL certificates are used to establish a trusted, secure, encrypted connection between client applications and AX Server.

Both self-signed certificates and CA-issued certificates ensure that the data transferred between AX Server and client applications cannot be easily accessed by a third party. However, when you purchase a CA certificate you gain additional trust because an independent, trustworthy certificate authority validates the server's authenticity.

Using self-signed certificates for AX Server

If you choose to use a self-signed certificate, each user that accesses the server encounters a warning page indicating that the security certificate was not issued by a trusted certificate authority. To stop this warning, each client user must verify that the certificate is issued by a trusted source by doing the following:

  • install the self-signed certificate in their browser when connecting with AX Web Client
  • select Trust self-signed certificates during installation or on the Tools menu in AX Client

Tip

Certificate installation is not typically required if you replace the self-signed certificate with a certificate purchased from a CA because Internet Explorer supports certificates issued by most CAs automatically. Using a CA certificate can therefore improve end user interaction with the server.

Replacing the certificate

To replace the default self-signed certificate, you must create a keystore, import the certificate, and then configure the TomEE application server to use the certificate. For more information, see Installing security certificates for AX Server.

Note

If the Common Name (CN) value specified in the security certificate changes when you replace the self-signed certificate, you must change the axcas.securityContext.casServerHost property in the aclCasClient.xml configuration file to match the updated CN value on every server where Analytics Exchange server components are installed.

If you used Integrated Windows Authentication and the CN value changes, you must also update the Internet Explorer settings on each client computer. For more information, see Configuring Integrated Windows Authentication.
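A check for the CN requirement in the note above, as an added example that is not part of the product documentation. It reads the subject CN from a PEM certificate with the OpenSSL command-line tool and compares it with the host value you have configured for axcas.securityContext.casServerHost. The configured value is passed in by hand because the layout of aclCasClient.xml is not shown on this page; the function names, host names and the generated test certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a certificate's subject CN with the value
# configured for axcas.securityContext.casServerHost.

# cert_cn PEM_FILE: print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# check_cas_host PEM_FILE CONFIGURED_HOST
# Returns 0 on an exact match, 1 on a mismatch, 2 if no CN could be read.
check_cas_host() {
    cn=$(cert_cn "$1")
    if [ -z "$cn" ]; then
        echo "ERROR: no subject CN found in $1" >&2
        return 2
    fi
    if [ "$cn" = "$2" ]; then
        echo "OK: casServerHost matches certificate CN ($cn)"
        return 0
    fi
    echo "MISMATCH: certificate CN is '$cn', casServerHost is '$2'" >&2
    return 1
}

# make_sample_cert CN BASENAME: constructed self-signed certificate for the demo.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Demo with constructed host names (not values from a real installation).
demo_dir=$(mktemp -d)
make_sample_cert ax-new.example.test "$demo_dir/server"
check_cas_host "$demo_dir/server.pem" ax-new.example.test
check_cas_host "$demo_dir/server.pem" ax-old.example.test || true
rm -rf "$demo_dir"
```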

AX Engine Node certificates

The certificate configured on each AX Engine Node is used to encrypt communications between the AX Engine Node and the Analytics Exchange database.

The self-signed certificate can be replaced with a certificate purchased from a CA, but because end users do not access the AX Engine Node, replacing the certificate is typically not required.

PostgreSQL connections

The certificate configured for PostgreSQL is used to encrypt communications between the database server and any Analytics Exchange servers that connect to the database:

  • AX Server
  • AX Engine Node
  • AX Exception

When to use SSL for database connections

The certificate is only used if the applications connecting to the database have SSL turned on. Because of the performance cost associated with SSL, it should be turned off if it is not required. For example, if AX Server and PostgreSQL are installed on the same computer, SSL should be turned off for the components installed on AX Server.

Replacing the certificate

The security certificate created by the PostgreSQL setup wizard during installation is a self-signed certificate. The server certificate must be in place for SSL connections to work, but the specific information in the certificate, such as the server name, is not validated. For this reason, replacing the installed self-signed certificate with a CA-issued certificate is typically not required.

ACL Connector for Analytics Exchange connections

The ACL Connector for Analytics Exchange does not require an SSL connection; however, it does support SSL encryption if you choose to enable it.

The connector relies on different technology and protocols than AX Server, and therefore does not use the same security certificate configuration or tool set that is required when encrypting other AX Server communication.

To support SSL encryption, you must generate and install a set of security certificates on the AX Server machine using OpenSSL. When SSL is enabled, the connector uses OpenSSL to encrypt all data moving across the network connection.

For more information, see Installing security certificates for the ACL Connector for Analytics Exchange.