Rocket Uniface Support Resources


Active Directory Certificate Services (AD CS)


    ROCKETEER
    Posted 07-09-2019 13:46



    The following procedure describes how to use an Active Directory Certificate Services (AD CS) certification authority (CA) to generate certificates for SSL communication between the Uniface Anywhere Client and the Uniface Anywhere Hosts.

    Create and Enable SSL UA Host Certificate Template

    By default, the templates provided by AD CS do not allow the private key to be exported, so you need to create a template that allows the export of the private key (PVK).

    1. On the appropriate server (e.g. the CA root), open Certificate Services Manager (certsrv.msc).
    2. In the left pane, select Certificate Templates; from the Action menu select Manage.
    3. In the Certificate Templates Console, select the template 'SSL Certificates'; from the Action menu select 'Duplicate Template'.
      1. Compatibility tab: select the highest possible compatibility settings.
      2. General tab: give the template a name such as 'UA Host SSL Certificates'.
      3. Request Handling tab: select 'Allow private key to be exported'.
      4. Cryptography tab: set the provider category to 'Key Storage Provider' and the request hash to 'SHA256'.
      5. Security tab: remove the Enroll permission from any users who should not enroll, leaving only the administrator.
      6. Press OK to create the template.
      7. Close the Certificate Templates Console.
    4. In Certificate Services Manager (certsrv.msc), open the Action menu and select New => Certificate Template to Issue.
      1. Find and select the template 'UA Host SSL Certificates'.
      2. Press OK to add it to the CA.
    5. Close certsrv.msc.


    Create UAhost Certificate and its Private Key file

    1. On the Uniface Anywhere Host machine (logged on as Administrator or as a user who is allowed to enroll the 'UA Host SSL Certificates' template), open the Microsoft Management Console (MMC).
    2. From the 'File' menu, select Add/Remove Snap-in.
    3. Select Certificates and click Add.
    4. Select 'Computer account' and then click Next.
    5. Select 'Local computer' and then click Finish.
    6. OK out of the Add/Remove Snap-in window.
    7. You will now see Certificates listed in the console tree on the left. Right-click 'Personal', select 'All Tasks', then 'Request New Certificate'.
    8. Click Next on the first screen (Before You Begin).
    9. Click Next on the Select Certificate Enrollment Policy screen, leaving 'Active Directory Enrollment Policy' selected.
    10. Under 'Active Directory Enrollment Policy', select 'UA Host SSL Certificates' and then click Enroll. A certificate is created and placed in the Local Computer - Personal - Certificates store.
    11. Right-click the certificate created in step 10, select 'All Tasks', then Export.
    12. Click Next on the first screen (Welcome).
    13. Select 'Yes, export the private key' and then Next.
    14. Select 'Personal Information Exchange - PKCS #12 (.PFX)' and 'Include all certificates in the certification path if possible', then Next.
    15. Select 'Password', enter a strong password twice, then Next.
    16. Enter a path and file name such as d:\tempcert\Server.PFX, then Next.
    17. Finish the Certificate Export Wizard. A file containing the certificate and its private key is placed in the temp directory.
    18. Right-click the certificate created in step 10 again, select 'All Tasks', then Export.
    19. Click Next on the first screen (Welcome).
    20. Select 'No, do not export the private key', then Next.
    21. Select the format 'DER encoded binary X.509 (.CER)', then Next.
    22. Enter a path and file name such as d:\tempcert\Server.CER, then Next.
    23. Finish the Certificate Export Wizard. A certificate file (without the private key) is placed in the temp directory.
    24. Close the Microsoft Management Console.


    Prepare Certificate files for use with UA

    The certificate files created with the above procedure are in DER format. Uniface Anywhere requires these files to be in PEM format.

    The following procedure describes how to convert the DER formatted certificate files into PEM formatted files.

    For this procedure you need the OpenSSL software. On Linux systems it is part of the operating system; on Windows systems you need to install it.

    OpenSSL downloads can be found at https://wiki.openssl.org/index.php/Binaries

    1. Note the location of the OpenSSL application as <openssl_path>.
    2. Note the location of the two certificate files as <cert_path>.
    3. Run cmd.exe.

    In the Windows command shell (cmd.exe):


    C:\> <openssl_path>\openssl pkcs12 -nocerts -in <cert_path>\server.pfx -out <cert_path>\server.pem -nodes
    C:\> ren <cert_path>\server.pem server.key
    C:\> <openssl_path>\openssl x509 -inform der -in <cert_path>\server.cer -out <cert_path>\server.pem
    C:\> ren <cert_path>\server.pem server.crt

    Note that ren accepts only a file name, not a path, as its second argument; the renamed file stays in <cert_path>. The first command writes the private key unencrypted (-nodes), so keep <cert_path> inaccessible to other users for as long as the files are there.

    The server key and certificate files (e.g., server.key and server.crt) must have the same base filename and be located in the same directory on the Uniface Anywhere Host.
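    The enrollment, the two exports and the DER-to-PEM conversion above can also be run from an elevated PowerShell session on the Uniface Anywhere Host instead of clicking through the MMC and cmd.exe. The script below is an added example, not code from the original post or from Rocket/Uniface: it uses the PKI module cmdlets Get-Certificate, Export-PfxCertificate and Export-Certificate, the same OpenSSL commands as above, and adds the check a practitioner wants before copying the files to the host, namely that server.key and server.crt carry the same public key. The template short name 'UAHostSSLCertificates', the OpenSSL path, the work directory D:\tempcert and the environment variable name are assumptions; adjust them for your environment.

```powershell
# Added example (not part of the original post): enroll, export and convert the
# Uniface Anywhere host certificate from PowerShell. Requires the PKI module
# (Windows 8 / Server 2012 or later) and an OpenSSL installation.
$TemplateName = 'UAHostSSLCertificates'                             # assumption: template short name
$OpenSsl      = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumption: <openssl_path>
$WorkDir      = 'D:\tempcert'                                       # assumption: <cert_path>
$BaseName     = 'server'                                            # key and crt must share this name

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Enroll against the Active Directory enrollment policy (steps 7-10 above).
$enroll = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment not completed, status: $($enroll.Status)" }
$cert = $enroll.Certificate

# 2. Export certificate plus private key as PKCS #12 with the chain (steps 11-17).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPath = Join-Path $WorkDir "$BaseName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 3. Export the certificate alone, DER encoded (steps 18-23).
$cerPath = Join-Path $WorkDir "$BaseName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 4. Convert to the PEM pair Uniface Anywhere expects. The PFX password is
#    handed to OpenSSL through an environment variable (assumed name) rather
#    than on the command line, where other processes could read it.
$keyPath = Join-Path $WorkDir "$BaseName.key"
$crtPath = Join-Path $WorkDir "$BaseName.crt"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$env:UA_PFX_PASSWORD = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& $OpenSsl pkcs12 -nocerts -nodes -in $pfxPath -passin 'env:UA_PFX_PASSWORD' -out $keyPath
Remove-Item Env:\UA_PFX_PASSWORD
& $OpenSsl x509 -inform der -in $cerPath -out $crtPath

# 5. Check that the key and the certificate belong together by comparing the
#    SubjectPublicKeyInfo each of them carries.
$certPub = (& $OpenSsl x509 -in $crtPath -noout -pubkey) -join "`n"
$keyPub  = (& $OpenSsl pkey -in $keyPath -pubout) -join "`n"
if ($certPub -ne $keyPub) { throw "$keyPath does not match $crtPath" }

# 6. The PFX duplicates the private key; remove it once server.key exists.
#    server.key is unencrypted (-nodes), so move the pair to a protected
#    directory on the host (next section) as soon as possible.
Remove-Item -Path $pfxPath
Write-Host "Created $keyPath and $crtPath; public key check passed."
```

Run the script in an elevated PowerShell session on the host as a user who is allowed to enroll the template. If Get-Certificate reports a status other than Issued (for example Pending when the template requires CA manager approval), the script stops before anything is exported.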


    Enable the SSL protocol on the Host

    1. Create a directory on the Uniface Anywhere Host that can be accessed from the System account, but cannot be accessed from the accounts of users who will sign in to the Host.
    2. Copy the files created above (server.key and server.crt) to this directory on the Uniface Anywhere Host.
    3. Start the Uniface Anywhere Cluster Manager / Admin Console. From the menu choose Tools - Host Options... and select the 'Security' tab.
    4. Change Transport to SSL, select the desired Encryption, browse to the SSL Certificate file and select 'Server.crt'.
      If users should be notified that they have a secure connection to the host, mark the Notify box.
    5. OK out of the Host Options.
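    Steps 1 and 2 above (a directory readable by the System account but not by the users who sign in, and the copy of the PEM pair into it) can be done and verified with the script below. It is an added example, not code from the original post or from Rocket/Uniface; the directory C:\UnifaceAnywhere\ssl and the source directory D:\tempcert are assumptions, not Uniface defaults. The script builds a DACL that does not inherit from the parent folder and grants access only to SYSTEM and the local Administrators group, then checks the result instead of trusting it.

```powershell
# Added example (not part of the original post): create the certificate
# directory with a restricted DACL, copy server.key and server.crt into it and
# verify that nobody other than SYSTEM and Administrators can read it.
$SourceDir = 'D:\tempcert'              # assumption: where the PEM pair was created
$CertDir   = 'C:\UnifaceAnywhere\ssl'   # assumption: not a Uniface default path
$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

New-Item -ItemType Directory -Path $CertDir -Force | Out-Null

# Build a fresh DACL: inheritance disabled, inherited entries discarded,
# full control for the allowed identities only, applied to files and subfolders.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($identity in $AllowedIdentities) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $CertDir -AclObject $acl

# Copy the PEM pair; both files must keep the same base name (see above).
foreach ($name in 'server.key', 'server.crt') {
    Copy-Item -Path (Join-Path $SourceDir $name) -Destination $CertDir -Force
}

# Verify: list every identity with an Allow entry that includes the ReadData
# right (value 1) on the directory and fail if an unexpected one is present.
$readers = (Get-Acl -Path $CertDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band 1) -ne 0) } |
    ForEach-Object { $_.IdentityReference.Value }
$unexpected = $readers | Where-Object { $_ -notin $AllowedIdentities }
if ($unexpected) { throw "Unexpected readers on ${CertDir}: $($unexpected -join ', ')" }

# The copied files inherit the directory DACL; confirm the key is not left
# readable through an inherited entry from somewhere else.
$keyReaders = (Get-Acl -Path (Join-Path $CertDir 'server.key')).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value }
if ($keyReaders | Where-Object { $_ -notin $AllowedIdentities }) { throw 'server.key is readable by other accounts' }
Write-Host "$CertDir holds server.key and server.crt, readable by SYSTEM and Administrators only."
```

Run it elevated. Because the DACL is protected (no inheritance), later changes to the permissions of C:\UnifaceAnywhere or the drive root will not silently re-expose the key; repeat the verification part after any permission change on the host.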


    SSL on dependent hosts

    Dependent hosts do not need SSL certificates, but their designated relay server must have a valid SSL certificate that is signed by a CA and that is recognized by the dependent hosts.