Understanding security certificate configuration

When you install ACL Analytics Exchange, you are required to configure certificates. By default, self-signed security certificates are installed. In some cases, you may want to replace the self-signed security certificate with a certificate issued by a third-party certificate authority (CA). The following sections outline the certificate configuration and options for each ACL Analytics Exchange server component.

AX Server

The certificate configured on AX Server is used in the following two ways:

  • It allows clients connecting to the web applications with their web browsers to securely access the applications through HTTPS. Connecting to the web applications using HTTPS ensures that data transmitted between the web browser and the server is encrypted.

    If you choose to use the self-signed certificate, each user who accesses the server will encounter a warning page indicating that the security certificate was not issued by a trusted certificate authority. They will need to install the self-signed certificate in their browser to stop this warning page from being displayed. The certificate warning message will also be displayed in AX Client because the Connect tab uses a web browser control to display the login page. Certificate installation is not typically required if you replace the self-signed certificate with a certificate purchased from a CA, because Internet Explorer automatically trusts certificates issued by most CAs.

  • It is used to encrypt communications between AX Client and AX Server. When users import or export files from AX Server, the certificate is required to encrypt the communications between the two computers.

If you replace the certificate used by the Geronimo application server service on AX Server, and the Common Name (CN) value specified in the security certificate changes, you must modify the cas.securityContext.casServerHost property in the aclCasClient.xml configuration file to match the updated CN value. This configuration file is located on all servers where ACL Analytics Exchange server components are installed.

If you use Integrated Windows Authentication and the CN value changes, you must also update the Internet Explorer settings on each client computer. For more information, see Configuring Internet Explorer for Integrated Windows Authentication.
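The check below is an added example and is not part of the ACL documentation. It connects to the AX Server HTTPS port, reads the certificate the Geronimo service actually presents, and compares its Common Name and Subject Alternative Names with the host name you set as cas.securityContext.casServerHost in aclCasClient.xml; the host name, port, and configured value are assumed placeholders you replace with your own.

```powershell
# Added example (not ACL's own code): verify that the certificate AX Server presents
# carries the CN (or a SAN) matching the casServerHost value in aclCasClient.xml.
param(
    [string]$ServerHost = 'axserver.example.com',              # assumed: AX Server host name
    [int]$Port = 443,                                          # assumed: HTTPS port of the Geronimo service
    [string]$ConfiguredCasServerHost = 'axserver.example.com'  # assumed: value copied from aclCasClient.xml
)

$client = New-Object System.Net.Sockets.TcpClient($ServerHost, $Port)
try {
    # The callback accepts any certificate so that a self-signed one can still be read;
    # this script only inspects what the server presents, it does not trust it.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($ServerHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose()
} finally {
    $client.Close()
}

# CN of the subject, which is the value casServerHost must match after a certificate change.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# Subject Alternative Name entries (OID 2.5.29.17), formatted as "DNS Name=host" lines.
$sans = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sans = $sanExt.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

Write-Host "Presented CN : $cn"
Write-Host "Presented SAN: $($sans -join ', ')"
Write-Host "Issuer       : $($cert.Issuer)"
Write-Host "Expires      : $($cert.NotAfter)"

if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Self-signed certificate: browsers and the AX Client Connect tab will warn until it is installed as trusted.'
}

if (($ConfiguredCasServerHost -ieq $cn) -or ($sans -icontains $ConfiguredCasServerHost)) {
    Write-Host "OK: casServerHost '$ConfiguredCasServerHost' matches the presented certificate."
} else {
    Write-Warning "casServerHost '$ConfiguredCasServerHost' does not match CN '$cn' or any SAN; update aclCasClient.xml on every ACL Analytics Exchange server."
}
```

Run it from a machine that can reach the server after replacing the certificate, and repeat it from each server that holds a copy of aclCasClient.xml.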

AX Engine Node

The certificate configured on each AX Engine Node is used to encrypt communications between the AX Engine Node and the ACL Analytics Exchange database. The self-signed certificate can be replaced with a certificate purchased from a CA, but because end users do not access the AX Engine Node, replacing the certificate is typically not required.

PostgreSQL database server

The certificate configured for the PostgreSQL database server is used to encrypt communications between the database server and any ACL Analytics Exchange servers that connect to the database, including AX Server, AX Engine Node, and AX Exception. The certificate is only used if the applications connecting to the database have SSL turned on. Because of the performance cost associated with SSL, it should be turned off if it is not required. For example, if AX Server and the PostgreSQL database server are installed on the same computer, SSL should be turned off for the components installed on AX Server.

The security certificate created by the PostgreSQL database server setup wizard during installation is a self-signed certificate. The server certificate must be in place for SSL connections to work, but the connecting components do not validate the specific information in the certificate, such as the server name. For this reason, replacing the installed self-signed certificate with a CA-issued certificate is typically not required.



(C) 2015 ACL Services Ltd. All Rights Reserved.