Installing security certificates for the ACL Connector for Analytics Exchange

The ACL Connector for Analytics Exchange supports Secure Sockets Layer (SSL) encryption on the connections between client machines and AX Server. If SSL is enabled, the connector uses OpenSSL to encrypt all data moving across the network connections between client machines and the server.

To configure SSL using certificates, you must generate a set of SSL certificates on the server machine. You can generate one of the following certificate types for the SSL connection:

Before you begin

Download and install OpenSSL and then add the path to the openssl.exe executable to your PATH environment variable.

Note

Like many open source software projects, the OpenSSL project does not distribute any code in binary form. Instead you must download the project source code and build the binary or locate a binary that is distributed for your operating system from a third-party source.

For more information, see the OpenSSL documentation.

Generating an SSL certificate for self-signing

Use OpenSSL to generate a key file and certificate file on the server machine. Self-signed certificates are useful during development or testing, when you do not need to purchase a commercial certificate.

ClosedShow me how
  1. Open a command prompt and then create the C:\newcerts directory.
    md C:\newcerts
  2. Change to the new directory and generate a server key file and server certificate file.
    cd C:\newcerts
openssl req -x509 -newkey rsa:4096 -keyout server-key.pem -out server-cert.pem -days 365 -nodes

    You are prompted for information which is incorporated into the certificate, such as Country, City, Company Name, and so on. Make a note of the information you enter as you may get prompted for this information again at a later stage.

    Note

    The -nodes argument removes password-protection for the private key so you do not need to enter a password when you restart the server.

Result the self-signed certificate is created. You require server-key.pem and server-cert.pem during the installation of the ACL Connector for Analytics Exchange on the AX Server machine. Client users do not require a certificate file when using this option.

Generating an SSL certificate with a Certificate Authority (CA)

Like self-signed certificates, Certificate Authority (CA) certificates ensure no third-party can easily access the connection. However, CA certificates provide additional trust because an independent, trustworthy certificate authority validates the server's authenticity.

ClosedShow me how

Create the server private key

  1. Open a command prompt and then create the C:\newcerts directory.
     md C:\newcerts
  2. Change to the new directory and generate a new key.
    cd C:\newcerts
openssl genrsa -out server-key-withPass.pem
  3. Generate a certificate signing request.
    openssl req -new -key server-key-withPass.pem -out signingReq.csr

    You are prompted for information which is incorporated into the certificate, such as Country, City, Company Name, and so on. Make a note of the information you enter as you may get prompted for this information again at a later stage. When asked for an email address, provide a valid email address so that the Certificate Authority can send the certificate via this address.

  4. Verify the information in the signingReq.csr file and then send the file to the Certificate Authority as a request.

Result if the request is successful, the Certificate Authority sends you a certificate using the email address you provided in the signing request. The email you receive includes an encrypted CA certificate and a link to an encrypted CA intermediate certificate.

Copy both certificates to a text file, with the non-intermediate certificate followed by the intermediate certificate and then save the file as CA-cert.pem. You require this file for the following section.

Create and sign the server certificate

  1. Gather the following files that were generated in the previous section and copy the three files to C:\newcerts:
    • server-key-withPass.pem
    • signingReq.csr
    • CA-cert.pem
  2. Open a command prompt and change to C:\newcerts:
    cd C:\newcerts
  3. Create the server certificate:
    openssl CA -in signingReq.csr -out server-cert.pem -keyfile server-key-withPass.pem -days 365 -cert CA-cert.pem
  4. Remove the password from server-key-withPass.pem so that you are not required to enter a password when restarting the server, and generate the final server key file (server-key.pem).
    openssl rsa -in server-key-withPass.pem -out server-key.pem

    Caution

    Once you remove the requirement for the password, the certificate can be copied and used elsewhere. Therefore, once you remove the password requirement, you must take adequate precautions when storing the file. Ensure that the permissions are set to only allow access to those who need it.

Result the server certificate is created and signed.

Distributing the SSL certificates

Once you generate a self-signed or CA certificate, you have a full set of SSL certificates that you can distribute: