3.1.5 Setting up communication through SSL
JP1/AJS3 - Definition Assistant with the encrypted communication function enabled can connect to a JP1/AJS3 - Manager with the same function enabled. This subsection explains the settings for the encrypted communication function.
(1) Steps for setting up SSL communication
When JP1/AJS3 - Definition Assistant enables its encrypted communication function, it can connect to a JP1/AJS3 - Manager that has the encrypted communication function enabled.
To set up SSL communication:
- Obtain the root certificate (in PEM format) of the certificate authority that issued the server certificate for the destination JP1/AJS3 - Manager.
- Store the root certificate you obtained in the following folder:
  JP1/AJS3-Definition-Assistant-installation-path\conf\ssl\rootcer
- Set the CACERTIFICATEFILE environment settings parameter to the full path of the root certificate file you stored.
- Set the SSL-ENABLE environment settings parameter to 1.
- Restart JP1/AJS3 - Definition Assistant.
For details about the environment settings parameters, see 3.2 Environment settings parameters.
Note:
- The encrypted communication function of JP1/AJS3 - Definition Assistant supports only TLS version 1.2 as an encryption protocol. The function does not support any other protocol or version.
(2) Unencrypted communication host settings file
If JP1/AJS3 - Definition Assistant with the encrypted communication function enabled connects to a JP1/AJS3 - Manager with the encrypted communication function disabled, create an unencrypted communication host settings file.
To create the file:
- Copy the file ajsda_nosslhost.conf.model to the folder shown below. This file is the model for the unencrypted communication host settings file and is located in the same folder.
  JP1/AJS3-Definition-Assistant-installation-path\conf\ssl
- Rename the copied file to ajsda_nosslhost.conf.
  The file ajsda_nosslhost.conf acts as the unencrypted communication host settings file.
- Edit the unencrypted communication host settings file in a text editor.
  The unencrypted communication host settings file should have the following format:
  #Δ[NOT_ENCRYPTION_HOST_LIST]Δ#
  host-name-or-IP-address-of-JP1/AJS3-Manager-that-is-not-accessed-over-SSL
  host-name-or-IP-address-of-JP1/AJS3-Manager-that-is-not-accessed-over-SSL
  ...
Legend:
Δ: Indicates a space character.
JP1/AJS3 - Managers that are listed in the unencrypted communication host settings file are accessed by using clear text.
If the unencrypted communication host settings file is not created, JP1/AJS3 - Definition Assistant with the encrypted communication function enabled always communicates with JP1/AJS3 - Managers in a secure way.
Notes:
- The host name of JP1/AJS3 - Manager is case-insensitive.
- An IP address can also be specified in place of a host name of JP1/AJS3 - Manager.
- No verification is performed to check whether the specified host name or IP address of JP1/AJS3 - Manager is valid.
- Regular expressions cannot be used in the JP1/AJS3 - Manager host name. For example, you cannot specify the host name as a* to mean "host names that start with the letter a".
- A line that starts with # is handled as a comment line.
- The file can have a maximum of 1,024 lines, including comment lines and blank lines.
- The specified host name or IP address of JP1/AJS3 - Manager can have a maximum length of 255 bytes.
- The special host name * is not available, although it is available in the unencrypted communication host settings file for JP1/AJS3 - View. If none of the destination JP1/AJS3 - Managers communicate over SSL, disable the encrypted communication function in JP1/AJS3 - Definition Assistant by using the environment settings parameter.
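The following linter is an added example, not part of the product or its documentation: it checks the contents of an ajsda_nosslhost.conf against the rules in the notes above and returns the managers that would be reached in clear text. It assumes one entry per line and UTF-8 encoding for the 255-byte check; the function name and the sample host names are constructed for illustration.

```python
"""Audit an ajsda_nosslhost.conf cleartext-exception list (added example)."""

MAX_LINES = 1024      # page: limit includes comment and blank lines
MAX_HOST_BYTES = 255  # page: limit per host name or IP address


def audit_nosslhost(text):
    """Return (cleartext_hosts, findings); findings are (line_no, message)."""
    lines = text.splitlines()
    findings = []
    if len(lines) > MAX_LINES:
        findings.append((0, f"{len(lines)} lines exceeds the {MAX_LINES}-line limit"))
    seen = {}  # lower-cased host -> first line number
    for no, raw in enumerate(lines, 1):
        if raw.startswith("#") or not raw.strip():
            continue  # comment line (starts with #) or blank line
        entry = raw.strip()  # assumption: one entry per line, padding ignored
        if entry.startswith("#"):
            # Conservative reading of the page: only a leading '#' makes a comment.
            findings.append((no, "'#' is not at the start of the line"))
        elif "*" in entry:
            findings.append((no, f"{entry!r}: '*' and patterns are not supported"))
        elif len(entry.encode("utf-8")) > MAX_HOST_BYTES:  # assumption: UTF-8
            findings.append((no, f"entry exceeds {MAX_HOST_BYTES} bytes"))
        elif entry.lower() in seen:  # host names are case-insensitive
            findings.append((no, f"{entry!r} duplicates line {seen[entry.lower()]}"))
        else:
            seen[entry.lower()] = no
    return list(seen), findings


# Constructed sample file contents (hosts are placeholders, not from the page).
SAMPLE = """\
# [NOT_ENCRYPTION_HOST_LIST] #
mgr-legacy01.example.internal
MGR-LEGACY01.example.internal
192.0.2.15
mgr-*
 # disabled-host.example.internal
"""

if __name__ == "__main__":
    hosts, findings = audit_nosslhost(SAMPLE)
    print("Managers reached in clear text:", hosts)
    for no, msg in findings:
        print(f"line {no}: {msg}")
```

Because the product does not validate entries, the returned host list is the part to review: each name on it is a manager whose traffic is sent unencrypted.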