SSL communication definition file
Format
[JP1_DEFAULT\JP1BASE\SSL]
"ENABLE"=dword:{00000000 | 00000001}
"CERTIFICATEFILE"=server-certificate-file-name
"CACERTIFICATEFILE"=root-certificate-file-name
"PRIVATEKEYFILE"=private-key-file-name
"SSLPROTOCOL"=SSL-(TLS)-versions
"SSLCIPHERS"=encryption-suites
"BASESSL"=service-names
Parameters by type
- Required parameters:
-
None
- Custom parameters:
-
None
File name
jp1bs_ssl.conf (SSL communication definition file)
jp1bs_ssl.conf.model (model file of an SSL communication definition file)
Storage destination directory
- For Windows:
-
installation-folder\conf\
shared-folder\jp1base\conf\ (in a cluster system)
- For UNIX:
-
/etc/opt/jp1base/conf/
shared-directory/jp1base/conf/ (in a cluster system)
Description
This file is used to set the SSL communication settings, such as whether to enable the communication encryption function (SSL communication), the server certificate file name, and the root certificate storage location, in the common definition information.
Application of settings
When the jbssetcnf command is executed, the contents of the SSL communication definition file are added to the common definition information. For details about the jbssetcnf command, see jbssetcnf in 15. Commands.
The changes to the common definition information are applied when JP1/Base is restarted.
Definition details
The following shows the conventions for specifying the SSL communication definition file:
-
Do not place a space or tab before or after an equal sign (=) or a comma (,), or at the beginning or end of a line. If you do so, an error occurs during execution of the jbssetcnf command.
-
Lines containing only a line break are ignored.
- [JP1_DEFAULT\JP1BASE\SSL]
-
In this section, specify the SSL communication settings, such as whether to enable the communication encryption function (SSL communication). If you are using a logical host, specify the logical host name in place of JP1_DEFAULT.
- "ENABLE"=dword:{00000000 | 00000001}
-
Specify whether to enable the communication encryption function (SSL communication). To enable encrypted communication, specify dword:00000001. To disable encrypted communication, specify dword:00000000. If this specification does not exist in the common definition information, JP1/Base assumes that dword:00000000 is specified.
If you specify dword:00000001, you can set hosts that perform non-SSL communication by using the non-SSL communication host definition file (jp1bs_nosslhost.conf).
The following parameters are enabled if the ENABLE parameter is set to dword:00000001:
- "CERTIFICATEFILE"=server-certificate-file-name
-
Specify the full path name of the server certificate file to be used for the communication encryption function. You can enter a character string that is from 1 to 255 bytes. Specify this parameter on the server-side host in SSL communication, such as a host on which you execute the command or a host on which you start the certificate server process. To disable this parameter, specify "CERTIFICATEFILE"="".
- "CACERTIFICATEFILE"=root-certificate-file-name
-
Specify the full path name of the root certificate file that is used for the communication encryption function. If multiple files are required as the root certificate, combine them into a single file, and specify the name of that file. You can enter a character string that is from 1 to 255 bytes. Specify this parameter on all hosts that use SSL communication.
- "PRIVATEKEYFILE"=private-key-file-name
-
Specify the full path name of the private key file that was specified when you requested the CA to issue a server certificate to be used for the communication encryption function. You can enter a character string that is from 1 to 255 bytes. Specify this parameter on the server-side host in SSL communication, such as a host on which you execute the command or a host on which you start the certificate server process. To disable this parameter, specify "PRIVATEKEYFILE"="".
- "SSLPROTOCOL"=SSL-(TLS)-versions
-
Specify the version of SSL communication. You can specify TLSv1_2.
- TLSv1_2
-
Specify this value to use TLS1.2.
Specify this parameter on the server-side host in SSL communication, such as a host on which you execute the command or a host on which you start the certificate server process. To disable this parameter, specify "SSLPROTOCOL"="".
- "SSLCIPHERS"=encryption-suites
-
Specify the encryption suite for SSL communication, chosen from those defined in RFC 5246 (the TLS 1.2 specification). If you omit this parameter, a strong encryption suite is selected automatically according to the server certificate, so you normally do not need to specify it. To specify a suite, use the name format supported by OpenSSL: for example, to use TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, specify DHE-RSA-AES256-SHA256. For details about encryption suites, see the official OpenSSL website.
To specify multiple suites, separate each of them by using a colon (:). You can enter a character string of a length that is from 1 to 255 bytes. Specify this parameter on the server-side host in SSL communication, such as a host on which you execute the command, or a host on which you start the certificate server process. To disable this parameter, specify "SSLCIPHERS"="".
Note that if you enable SSL communication in JP1/IM and JP1/AJS3 - Manager, some encryption suites might not be available. For details, see the release notes of the relevant products.
- "BASESSL"=service-names
-
Specify the names of the services for which the communication encryption function is enabled. You can specify jp1bsuser, jp1imcmda, and jp1bsagent. If you specify more than one of these values, separate them with a comma (,).
- jp1bsuser
-
Specify this value to enable SSL communication on the authentication server (user authentication).
- jp1imcmda
-
Specify this value to enable SSL communication for execution of JP1/IM commands. For details about the communication encryption function (SSL communication) of JP1/IM, see the JP1/Integrated Management 2 - Manager Overview and System Design Guide.
- jp1bsagent
-
Specify this value to enable SSL communication for the following operations that support SSL communication:
Transfer of JP1 events, search for JP1 events, reception of JP1 events, automatic actions, execution of commands, management of configurations, and health checks performed between JP1/IM - Manager and JP1/Base on the manager host and JP1/Base on the agent host
Specify this parameter on all hosts that use SSL communication.
However, the service name jp1bsagent cannot be specified on hosts that are listed in the non-SSL communication host definition file (jp1bs_nosslhost.conf).
Note
-
The parameters shown above are also used when you enable SSL communication in JP1/IM and JP1/AJS3 - Manager. For details, see the manuals for the relevant products.
-
If you set the SSL communication definition file on the logical host, you must set the file on both the active and standby nodes. In this case, replace the JP1_DEFAULT part in [JP1_DEFAULT\JP1BASE\SSL] by the logical host name.
-
For security purposes, do not store a server certificate (CERTIFICATEFILE), root certificate (CACERTIFICATEFILE), or private key (PRIVATEKEYFILE) in a directory from which the data collection tool collects data. For details about the collection targets of the data collection tool, see 18.3.1 Data that must be collected when a problem occurs (in Windows) and 18.3.2 Data that must be collected when a problem occurs (in UNIX).
Definition examples
[JP1_DEFAULT\JP1BASE\SSL]
"ENABLE"=dword:00000001
"CERTIFICATEFILE"="C:\JP1\SSL\cert.pem"
"CACERTIFICATEFILE"="C:\JP1\SSL\cacert.pem"
"PRIVATEKEYFILE"="C:\JP1\SSL\certkey.pem"
"SSLPROTOCOL"="TLSv1_2"
"BASESSL"="jp1bsuser,jp1imcmda,jp1bsagent"
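The following Python checker is an added example, not part of JP1/Base or its manual. It applies the conventions described above (no space or tab around = or , or at a line edge, blank lines ignored, dword values for ENABLE, 1 to 255 byte file names, TLSv1_2 only, colon-separated OpenSSL suite names, and the three BASESSL service names) to a constructed jp1bs_ssl.conf so that mistakes are caught before jbssetcnf is run. The sample file and the function names are assumptions made for this example.

```python
import re

# Constructed sample input (not from the manual): a jp1bs_ssl.conf in this page's format.
SAMPLE_CONF = """[JP1_DEFAULT\\JP1BASE\\SSL]
"ENABLE"=dword:00000001
"CERTIFICATEFILE"="C:\\JP1\\SSL\\cert.pem"
"CACERTIFICATEFILE"="C:\\JP1\\SSL\\cacert.pem"
"PRIVATEKEYFILE"="C:\\JP1\\SSL\\certkey.pem"
"SSLPROTOCOL"="TLSv1_2"
"SSLCIPHERS"="DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
"BASESSL"="jp1bsuser,jp1imcmda,jp1bsagent"
"""
SECTION_RE = re.compile(r'^\[[^\\\]]+\\JP1BASE\\SSL\]$')   # [logical-host\JP1BASE\SSL]
PARAM_RE = re.compile(r'^"([A-Z]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*")$')
FILE_PARAMS = {"CERTIFICATEFILE", "CACERTIFICATEFILE", "PRIVATEKEYFILE"}
SERVICES = {"jp1bsuser", "jp1imcmda", "jp1bsagent"}

def check_value(name, value):
    """Return an error string for one parameter value, or None if it is acceptable."""
    if name == "ENABLE":
        return None if value in ("dword:00000000", "dword:00000001") else "ENABLE must be dword:00000000 or dword:00000001"
    if not value.startswith('"'):
        return f"{name} takes a quoted string value"
    s = value[1:-1]
    if s == "" and name != "BASESSL":      # "" disables the parameter
        return None
    if name in FILE_PARAMS:
        return None if len(s.encode("utf-8")) <= 255 else f"{name} exceeds 255 bytes"
    if name == "SSLCIPHERS":
        ok = len(s.encode("utf-8")) <= 255 and all(s.split(":"))
        return None if ok else "SSLCIPHERS must be 1 to 255 bytes of colon-separated OpenSSL names"
    if name == "SSLPROTOCOL":
        return None if s == "TLSv1_2" else "SSLPROTOCOL supports only TLSv1_2"
    if name == "BASESSL":
        bad = [x for x in s.split(",") if x not in SERVICES]
        return f"BASESSL has unknown service(s): {bad}" if bad else None
    return f"unknown parameter {name}"

def check_ssl_conf(text):
    """Apply the file-level conventions and return a list of problems (empty = OK)."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if line == "" or SECTION_RE.match(line):   # lines with only a line break are ignored
            continue
        if line != line.strip() or re.search(r"[ \t][=,]|[=,][ \t]", line):
            problems.append(f"line {n}: space or tab around '=' or ',' or at a line edge")
        elif not (m := PARAM_RE.match(line)):
            problems.append(f'line {n}: not of the form "NAME"=value')
        elif err := check_value(m.group(1), m.group(2)):
            problems.append(f"line {n}: {err}")
    return problems
```

Run check_ssl_conf on the file you intend to pass to jbssetcnf; an empty list means every line conforms to the rules on this page.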