Security certificates

Analytics Exchange installations require SSL security certificates. By default, a self-signed security certificate is installed; however, you may replace this default certificate with a certificate issued by a third-party certificate authority (CA).

How it works

SSL certificates are used to establish a trusted, secure, encrypted connection between client applications and AX Server.

Both self-signed certificates and CA-issued certificates ensure that the data transferred between AX Server and client applications cannot be easily accessed by a third party. However, when you purchase a CA certificate, you gain additional trust because an independent, trustworthy certificate authority validates the server's authenticity.

Using self-signed certificates for AX Server

If you choose to use a self-signed certificate, each user that accesses the server encounters a warning page indicating that the security certificate was not issued by a trusted certificate authority. To stop this warning, each client user must verify that the certificate is issued by a trusted source by doing the following:

Tip

Certificate installation is not typically required if you replace the self-signed certificate with a certificate purchased from a CA because Internet Explorer supports certificates issued by most CAs automatically. Using a CA certificate can therefore improve end user interaction with the server.

Replacing the certificate

To replace the default self-signed certificate, you must create a keystore, import the certificate, and then configure the TomEE application server to use the certificate. For more information, see Installing security certificates.

Note

If the Common Name (CN) value specified in the security certificate changes when you replace the self-signed certificate, you must change the cas.securityContext.casServerHost property in the aclCasClient.xml configuration file to match the updated CN value on every server where Analytics Exchange server components are installed.

If you used Integrated Windows Authentication and the CN value changes, you must also update the Internet Explorer settings on each client computer. For more information, see Configuring Integrated Windows Authentication.
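
The CN check described in the note above, as an added example that is not part of the product documentation. It assumes the openssl command-line tool is on the PATH and that you pass the host name you have set for cas.securityContext.casServerHost as an argument; the function names and the sample host names are constructed for illustration, and the comparison ignores case, as DNS host names do.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes the openssl CLI is on PATH.

# Print the subject Common Name (CN) of a PEM certificate, lowercased.
# Host names contain no commas, so splitting the RFC 2253 subject on "," is safe here.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' |
        sed -n 's/^ *[Cc][Nn]=//p' | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Succeed only if the certificate CN equals the configured host name.
# $1 = certificate file, $2 = value set for cas.securityContext.casServerHost
cn_matches_host() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    have=$(cert_cn "$1")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Constructed sample input: throwaway self-signed certificate with CN $2 in directory $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example/CN=$2" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Print a one-line verdict; return non-zero on a mismatch.
report() {
    if cn_matches_host "$1" "$2"; then
        echo "OK: certificate CN matches casServerHost '$2'"
    else
        echo "MISMATCH: certificate CN is '$(cert_cn "$1")', casServerHost is '$2'"
        return 1
    fi
}

if [ "$#" -eq 2 ]; then
    report "$1" "$2"                      # real use: <certificate.pem> <host>
else
    demo_dir=$(mktemp -d)                 # no arguments: demo on constructed data
    make_sample_cert "$demo_dir" "ax.example.internal"
    report "$demo_dir/sample.crt" "AX.example.internal"
    report "$demo_dir/sample.crt" "old-ax.example.internal" || true
    rm -rf "$demo_dir"
fi
```

Run it against the replacement certificate on each server where Analytics Exchange server components are installed, before restarting the services.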

AX Engine Node certificates

The certificate configured on each AX Engine Node is used to encrypt communications between the AX Engine Node and the Analytics Exchange database.

The self-signed certificate can be replaced with a certificate purchased from a CA, but because end users do not access the AX Engine Node, replacing the certificate is typically not required.

PostgreSQL connections

The certificate configured for PostgreSQL is used to encrypt communications between the database server and any Analytics Exchange servers that connect to the database:

When to use SSL for database connections

The certificate is only used if the applications connecting to the database have SSL turned on. Because of the performance cost associated with SSL, it should be turned off if it is not required. For example, if AX Server and PostgreSQL are installed on the same computer, SSL should be turned off for the components installed on AX Server.

Replacing the certificate

The security certificate created by the PostgreSQL setup wizard during installation is a self-signed certificate. The server certificate must be in place for SSL connections to work, but the specific information in the certificate, such as the server name, is not validated, so the certificate enables encryption but does not verify the identity of the database server. For this reason, replacing the installed self-signed certificate with a CA-issued certificate is typically not required.