Summary

Configuring new SSL Certificates
How to configure SSL Certificates
Using SSL Certificates
Replacing demo certificates with secure certificates

Environment

Orbix 3.3
All supported platforms

Question/Problem Description

This article described the configuration settings required to use SSL certificates in an Orbix 3.3 environment.

Resolution

The Orbix 3.3 SSL configuration settings can be found in the file:
  [Orbix Home]/config/orbixssl.cfg

In particular, the following three configuration variables set the location of the new certificates and trusted CA list:

IT_CERTIFICATE_PATH
  Specifies the directory in which the certificate file is stored in the file system.

IT_CERTIFICATE_FILE
  Specifies the name of the server’s certificate file.

IT_CA_LIST_FILE
  Specifies a list of CAs that the application should trust.

The above variables should be set inside the relevant scope for your application\\service. The name of this scope can be set in the server application's code, using the operation "IT_SSL::initScope()".

We will now consider three different scenarios:

• Making Private Keys Available to Server applications
• Making Private Keys Available to Orbix servers
• Making Private Keys Available to the Orbix Daemon

Making Private Keys Available to Server applications
By default, Orbix SSL expects the private key associated with a certificate to be appended to the certificate file. That is, the private key should be stored in encrypted Privacy Enhanced Mail (PEM) format.

Please see the Orbix SSL demonstration certificates for an example of certificates with appended private keys in this format.

Making a Private Key Available to Java-based Services

Java-based services (For example, the Naming Service) require the private key associated with a certificate to be available in a separate file.
The private key can also be appended to the certificate file, but the Orbix Naming Service ignores this appended key.
The separate private key associated with the certificate, is specified with the configuration variable "IT_PRIVATEKEY_FILE"

Making a Private Key Available to the Orbix Daemon
As with other processes, the certificate used by the Orbix Daemon is set using the configuration variable "IT_CERTIFICATE_FILE".
The pass-phrase used by the Orbix Daemon for its certificate is set with the utility "update". For example, on UNIX use the following command:

update orbixd "passphrase" 0

On Windows, use the following command:

update orbixd.exe "passphrase" 0

Summary

Configuring new SSL Certificates
How to configure SSL Certificates
Using SSL Certificates
Replacing demo certificates with secure certificates

Environment

Orbix 3.3
All supported platforms

Question/Problem Description

This article described the configuration settings required to use SSL certificates in an Orbix 3.3 environment.

Resolution

The Orbix 3.3 SSL configuration settings can be found in the file:
  [Orbix Home]/config/orbixssl.cfg

In particular, the following three configuration variables set the location of the new certificates and trusted CA list:

IT_CERTIFICATE_PATH
  Specifies the directory in which the certificate file is stored in the file system.

IT_CERTIFICATE_FILE
  Specifies the name of the server’s certificate file.

IT_CA_LIST_FILE
  Specifies a list of CAs that the application should trust.

The above variables should be set inside the relevant scope for your application\\service. The name of this scope can be set in the server application's code, using the operation "IT_SSL::initScope()".

We will now consider three different scenarios:

• Making Private Keys Available to Server applications
• Making Private Keys Available to Orbix servers
• Making Private Keys Available to the Orbix Daemon

Making Private Keys Available to Server applications
By default, Orbix SSL expects the private key associated with a certificate to be appended to the certificate file. That is, the private key should be stored in encrypted Privacy Enhanced Mail (PEM) format.

Please see the Orbix SSL demonstration certificates for an example of certificates with appended private keys in this format.

Making a Private Key Available to Java-based Services

Java-based services (For example, the Naming Service) require the private key associated with a certificate to be available in a separate file.
The private key can also be appended to the certificate file, but the Orbix Naming Service ignores this appended key.
The separate private key associated with the certificate, is specified with the configuration variable "IT_PRIVATEKEY_FILE"

Making a Private Key Available to the Orbix Daemon
As with other processes, the certificate used by the Orbix Daemon is set using the configuration variable "IT_CERTIFICATE_FILE".
The pass-phrase used by the Orbix Daemon for its certificate is set with the utility "update". For example, on UNIX use the following command:

update orbixd "passphrase" 0

On Windows, use the following command:

update orbixd.exe "passphrase" 0