Attunity RepliWeb SSL Guide




Software Version 5.2, June 25, 2012
RepliWeb, Inc., 6441 Lyons Road, Coconut Creek, FL 33073
Tel: (954) 946-2274, Fax: (954) 337-6424
E-mail: info@repliweb.com, Support: http://support.repliweb.com

2012 Attunity Ltd. All rights reserved. The information in this manual has been compiled with care, but Attunity Ltd. makes no warranties as to its accuracy or completeness. The software described herein may be changed or enhanced from time to time. This information does not constitute a commitment or representation by Attunity and is subject to change without notice. The software described in this document is furnished under license and may be used and/or copied only in accordance with the terms of this license and the End User License Agreement. No part of this manual may be reproduced or transmitted, in any form, by any means (electronic, photocopying, recording or otherwise) without the express written consent of Attunity Ltd.

Windows, Windows XP and Windows Vista are trademarks of Microsoft Corporation in the US and/or other countries. UNIX is a registered trademark of Bell Laboratories licensed to X/OPEN. Any other product or company names referred to in this document may be the trademarks of their respective owners.

Please direct correspondence or inquiries to:
RepliWeb, Inc., 6441 Lyons Road, Coconut Creek, Florida 33073, USA
Telephone: (954) 946-2274
Fax: (954) 337-6424
Sales & General Information: info@repliweb.com
Documentation: docs@repliweb.com
Technical Support: http://support.repliweb.com
Website: http://www.repliweb.com

Table of Contents
1. Overview
2. SSL Introduction
   Confidentiality
   Integrity
   Authentication
3. SSL Terminology
   Public Key Cryptography
   Digital Certificates
   Certificate Authority
   SSL Handshake
4. SSL in R-1
   GUI
   CLI
   Using R-1 Defaults
5. Common SSL Configurations
   Center Authenticating the Console
      Console Authentication
   Mutual Center-Edge Authentication
      Center (Client) Settings
      Edge (Server) Settings
   Center Authenticating the Consoles and Edges
      Console-Center Communication
      Center-Edge Communication
6. Multiple Trusted Certificate Authorities
   Using a Multiple Approved CA File
   Using a Multiple Approved CA Path

1. Overview

R-1 security mechanisms allow the Internet and Internet-based VPNs and WANs to be used as efficient distribution channels without the concerns of data loss, pilferage or malicious impersonation. R-1 uses SSL end-to-end, making integration with other systems seamless.

R-1 offers the following SSL features:
- Three levels of certificate authentication: Certificate, Certificate + Common Name, None
- A choice of encryption ciphers (see the Encryption setting in chapter 4)
- Private key-phrase protection

Note: SSL is enabled for jobs using the WAN or LFA transport engines. When using SSL, all traffic in the job, including snapshot generation and file transfer, is encrypted. SSL communication is supported both for Console-Center communication and for Center-Edge communication.

In a mutually authenticated SSL session, the Server presents its digital certificate to the Client and the Client, in turn, presents the Server with its own digital certificate. To negotiate such a connection, the Client and the Server must authenticate each other; this is referred to as mutual authentication. Both the Client and the Server need private keys and digital certificates, issued by a trusted certificate authority, that represent their identity. Mutual authentication restricts access to trusted clients only.

Figure 1: SSL Topology

When R-1 uses SSL for Console-Center communication, the Console is the Client and the Center is the Server. For Center-Edge SSL communication (during a replication process), the Center is the Client and the Edge is the Server.

Note: When SSL is used for both Console-Center and Center-Edge communication, the Center needs to be configured twice: once as an SSL Server and once as an SSL Client.

2. SSL Introduction

The SSL protocol used by R-1 5.2 protects your data from tampering and provides the following security features: Confidentiality, Integrity and Authentication.

Confidentiality

Confidentiality is the ability to keep communications secret from parties other than the intended recipient. It is achieved by encrypting data with strong algorithms. The SSL protocol provides a secure mechanism that enables two communicating parties to negotiate a cipher they both support (in practice the first match in the configured preference order, not necessarily the strongest) and to agree on the key with which to encrypt the data.

Integrity

Integrity is a guarantee that the transferred data has not been modified in transit. The same handshake mechanism that allows the two parties to agree on algorithms and keys also allows the two ends of an SSL connection to establish shared data-integrity secrets, which are used to ensure that modified data is detected when it is received.

Authentication

Authentication is the ability to ascertain with whom you are speaking. By using digital certificates and public key security, R-1 client and server applications can each be authenticated to the other. This allows the two parties to be certain they are communicating with someone they trust.

The SSL protocol provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between them. In standard SSL usage the target (server) always authenticates itself to the initiator (client); the client may additionally authenticate itself to the server. Encryption makes data transmitted over the network intelligible only to the intended recipient. An SSL connection begins with a handshake during which the applications exchange digital certificates, agree on the encryption algorithms to use, and generate the encryption keys used for the remainder of the session. The SSL protocol uses public key cryptography for authentication.

3. SSL Terminology

The following terms and concepts are used in this document.

Public Key Cryptography

Public-key cryptography, also known as asymmetric cryptography, uses a pair of keys that work together to fulfill one or both of the following functions:
- Encrypt and decrypt information
- Sign and verify digital signatures

One key is freely distributed (the public key) while the other key (the private key) is kept secret. The sender uses the recipient's public key to encrypt messages to the recipient. The recipient uses his or her private key to decrypt messages from the sender. Similarly, the sender may use his or her private key to create a digital signature. The recipient uses the sender's public key to verify the authenticity of the sender's signature. The private key will only work with its corresponding public key.

Digital Certificates

Digital certificates are electronic documents used to uniquely identify entities over networks such as the Internet. A digital certificate securely binds the client/server identity, as verified by a trusted third party known as a certificate authority (CA), to a particular public key. The combination of the public key and the private key provides a unique identity to the owner of the digital certificate.

Digital certificates provide confirmation that a specific public key does in fact belong to the sender. A recipient of a digital certificate can use the public key contained in the digital certificate to verify that a digital signature was created with the corresponding private key. If the verification is successful, the recipient can be certain that the corresponding private key belongs to the subject named in the digital certificate, and that the digital signature was created by that particular subject.

A digital certificate typically includes a variety of information, such as:
- The name of the subject (holder, owner) and other identification information required to uniquely identify the subject, such as the hostname of the node using the digital certificate (in the Common Name field), or an individual's email address.
- The subject's public key.
- The name of the certificate authority that issued the digital certificate.
- A serial number.
- The validity period (or lifetime) of the digital certificate (defined by a start date and an end date).

Certificate Authority

Digital certificates are issued by a Certificate Authority (CA). Any trusted third-party organization or company that is willing to vouch for the identities of those to whom it issues digital certificates and public keys can be a certificate authority. When a certificate authority creates a digital certificate, the certificate authority signs it with its private key, to ensure the detection of tampering. The certificate authority then returns the signed digital certificate to the requesting subject. The subject can verify the digital signature of the issuing certificate authority by using the public key of the certificate authority. The certificate authority makes its public key available by providing a digital certificate issued from a higher-level certificate authority attesting to the validity of the public key of the lower-level certificate authority (a root CA signs its own certificate). Thus, digital signatures establish the identities of communicating entities, but a digital signature can be trusted only to the extent that the public key for verifying the digital signature can be trusted.

SSL Handshake

The SSL handshake establishes the encrypted connection. This is accomplished in part by authentication: the server authenticates itself to the client and, when mutual authentication is configured, the client authenticates itself to the server. Authentication involves digital certificates, which employ public-key cryptography. During the SSL handshake, the server and client establish a symmetric session key. The key material is exchanged using public-key techniques, so only the intended recipient can recover it.

4. SSL in R-1

R-1 uses OpenSSL to enable encryption and authentication for:
- Console-Center communication: effective for R-1 Console-Center, RTM Console-RTM Organizer and RTM Console-RTM Host.
- Center-Edge communication: effective for WAN and LFA transfer replication and distribution jobs.

SSL sessions can be configured using the RTM GUI, and using Manage / Center or Manage / Console SSL Settings in the Console GUI user interfaces.

Note: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on each of the Centers and Edges, and not over the network.

GUI

Note: Only users with Administrative Group Privileges on the Center may configure SSL settings. To connect to a UNIX Center, use root or root-like users (UID and GID 0); to connect to a Windows Center, use a member of the Administrators group on the Center.

To access the SSL window: from the R-1 Console GUI, select Manage / Center / SSL.

Note: Use the default certificate and key provided with R-1 to configure and test SSL communication. For a production environment, however, use certificates issued by your own Certificate Authority (CA): the default key material is identical on every R-1 installation.

To configure R-1's SSL security settings:

1. Select the required sub-tab:
   - Console (Client): configure the Client in Console-Center communication.
   - Center, RTM Organizer/Host (Server): configure the Server in Console-Center communication.
   - Center (Client): configure the Client in Center-Edge replication communication.
   - Edge (Server): configure the Server in Center-Edge replication communication.

2. In the Local Certificate section, determine how the machine being configured introduces itself in the authentication stage. Select the Use Alternate Files checkbox to specify the certificate and key file names to be used. If unselected, the default certificate, private key and private key phrase are used.
   i. In the Certificate field, specify the full path to the certificate file identifying this machine.
   ii. In the Private Key field, specify the full path to the private key file.
   iii. In the Private Key Phrase field, specify the password that unlocks the private key file. The key phrase is kept encrypted and hidden.
   Note: The Private Key Phrase is kept encrypted for each Windows login user separately.

3. In the Other Side Authentication section, specify how the machine being configured verifies the other side in the authentication stage.
   a. From the Authenticate using drop-down list, select the authentication type that will take place:
      - Certificate: authenticate the other end using a certificate (the certificate must chain to a trusted CA).
      - Certificate + Name: authenticate the other end using a certificate and the Common Name written in the certificate.
      - Server/Client Common Name (field): when Certificate + Name is selected, this name is expected in the other end's certificate.
      - None: do not authenticate the other end. The SSL session uses encryption but not authentication, so it protects against passive eavesdropping only; an active attacker who can intercept the connection is not detected. This option is only available in Console-Center communication.
   Note: When authenticating the other side using Certificate or Certificate + Name, the other side must have the Local Certificate / Use Alternate Files checkbox selected.

   b. Select the Use Approved CA checkbox to specify which certificate authorities are trusted. If unselected, the default trusted CA certificate shipped with R-1 (trusted_ca_cert.pem) is used. If selected, the following are used:
      i. In the CA File field, specify the full path to a file containing the trusted certificate authorities' certificates.
      ii. In the CA Dir field, specify the full path to a directory containing trusted certificate authority files.

4. From the Encryption section, select the encryption type to use during the SSL session. Options are:
   - DES: DES (Data Encryption Standard) applies a 56-bit key to each 64-bit block of data.
   - 3DES: Triple DES.
   - RC2: RC2 (Rivest's Cipher 2) is a variable key-size block cipher.
   - RC4: RC4 is a variable key-size stream cipher with a key size range of 40 to 128 bits. It is faster than DES and is exportable with a key size of 40 bits.
   - Use Server Defaults: the encryption type is selected by the server automatically.
   Note: Encryption can be set on the Client side only.
   Note: By today's standards single DES (56-bit key), RC2 and RC4 are broken and should not be selected; RC4 is prohibited in TLS by RFC 7465. 3DES is the least weak of the listed ciphers, though its 64-bit block size exposes very large transfers in a single session to the Sweet32 attack. Use Server Defaults takes whatever the server's OpenSSL build prefers, so check that build's cipher configuration rather than assuming it is stronger.

CLI

Using the CLI, use the appropriate qualifier to specify SSL usage:
- Console-Center communication: -center_ssl / -nocenter_ssl. Specifies to R-1 that all communication to the Center will be over SSL.
- Center-Edge communication (effective for WAN transfer replication and distribution jobs): the -ssl / -nossl qualifier in the submit command. Specifies to R-1 that all communication with the Edges will be over SSL.

Note: The CLI cannot be used to set SSL properties. This can only be performed using the GUI.

Using R-1 Defaults

Sample key files and certificates are located in the following default directories:
- Windows: ~\RepliWeb\RDS\Config\SSL
- UNIX: ~/repliweb/rds/config/ssl/

The files are:
  Client certificate                  rds_client_cert.pem
  Client private key file             rds_client_key.pem
  Server certificate                  rds_server_cert.pem
  Server private key file             rds_server_key.pem
  Trusted CA (RepliWeb) certificate   trusted_ca_cert.pem

Key phrases for the default private keys are:
  Client private key phrase   rdsclient
  Server private key phrase   rdsserver

Common Names:
  Client Common Name   RDSClient
  Server Common Name   RDSServer

The default Certificates directory is located in:
- Windows: ~\RepliWeb\RDS\Config\SSL\Cert
- UNIX: ~/repliweb/rds/config/ssl/cert

These directories may be used with the Multiple Approved CA Path option. They contain the files (Windows) and links (UNIX) required for this option.

Note: Key phrases and Common Names are case sensitive.

Note: The default keys, certificates and key phrases above are shipped with every R-1 installation and printed in this guide, so they identify nothing: a Center that trusts the default CA and expects the Common Name RDSClient accepts any party holding these public files. Use the defaults only to test the configuration, and replace them with certificates issued by your own CA before exposing a Center or Edge to an untrusted network.

5. Common SSL Configurations

This chapter explains in detail which properties need to be set for common SSL configurations.

Center Authenticating the Console

In this configuration, the Center authenticates all Consoles connecting to it.

Figure 2: Center Authenticating Console & Edges

The configuration steps are as follows:
1. Set the Console and Center SSL for Console Authentication.
2. Test the Console connection using SSL by opening the Console GUI and connecting to the Center.

Console Authentication

Set the Console and Center SSL for Console Authentication, and then verify the settings by connecting to the Center using the Console GUI.

Console (Client) Settings

To configure SSL for the Client:
1. On the Console machine, create a directory which will include the following files:
   - Certificate file identifying the Console (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, select Manage / Console SSL Settings. This can be done while the Console is not connected to any Center (offline).

   If connected to a Center, using the Console GUI, select the Manage / Center / SSL tab:
   - To configure the machine the Console is currently running on: connect to localhost.
   - To configure a remote Console: connect to the remote Center on that machine.
3. To set the Console (Client) to be authenticated using a Certificate and Private Key Phrase:
   a. In the Local Certificate area, select the Use Alternate Files checkbox.
   b. Browse to the client Certificate and Private Key files copied earlier.
   c. Enter the Private Key Phrase. Using the default R-1 files, the key phrase is: rdsclient
4. In the Other Side Authentication area, perform the following steps. The Console will not authenticate the Center in this configuration, so the fields are left blank.
   a. From the Authenticate using drop-down list, select None.
   b. Leave the Use Approved CA checkbox unselected.
   Note: With None, the Console encrypts the session but cannot tell whether it reached the genuine Center. See "Center Authenticating the Consoles and Edges" below for the configuration in which the Console also verifies the Center.
5. From the Encryption area's SSL Session Cipher drop-down list, select any option.
6. Click Save.

Center, RTM Organizer/Host (Server) Settings

Note: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Center, and not over the network.

To configure SSL for the Center, RTM Organizer/Host (Server):
1. On the Center machine, create a directory which will include the trusted Certificate Authority file.
2. Using the Console GUI, connect to the Center and select the menu option Manage / Center / SSL tab.
3. Select the Center, RTM Organizer/Host (Server) sub-tab.
   a. In the Local Certificate area, leave the Use Alternate Files checkbox unselected. The Center will not be authenticated in this configuration, so the Center authentication fields are left blank.
   b. In the Other Side Authentication area, perform the following steps. The Console (Client) will be authenticated using these settings.
      i. From the Authenticate using drop-down list, select Certificate + Name and enter the Client Common Name. Using the default R-1 files, the Client Common Name is: RDSClient
      ii. Select the Use Approved CA checkbox and browse to the Trusted CA file.
4. Click Save.

Testing Console-Center Communication

Test the SSL settings defined so far. Using the Console GUI, connect to the Center using SSL.

Figure 3: Connecting using SSL

When the connection is approved and the main Console window is opened, the SSL lock is displayed in the Center Status bar at the bottom of the screen.

Figure 4: Console Connected with SSL

Mutual Center-Edge Authentication

In this configuration, the Center and Edge authenticate each other during Replication and Distribution jobs.

Figure 5: Mutual Authentication

The configuration steps are as follows:
1. Set the Center SSL for Edge Authentication.
2. Set the Edge SSL for Center Authentication.
3. Test the Center-Edge communication using SSL by running an R-1 job.

Center (Client) Settings

Note: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Centers, and not over the network.

To configure SSL for the Center (Client):
1. On the Center machine, create a directory which will include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Center (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, connect to the Center and select the menu option Manage / Center / SSL tab.
3. Select the Center (Client) sub-tab and configure the Local Certificate and Other Side Authentication.
   a. In the Local Certificate area, perform the following steps. The Center (Client) will be authenticated using these settings.
      i. Select the Use Alternate Files checkbox.
      ii. Browse to the client Certificate and Private Key files copied earlier.
      iii. Enter the Private Key Phrase. Using the default R-1 files, the key phrase is: rdsclient
   b. In the Other Side Authentication area, perform the following steps. The Edge (Server) will be authenticated using these settings.
      i. From the Authenticate using drop-down list, select Certificate + Name.
      ii. Enter the Server Common Name, the name expected in the Edge's certificate. Using the default R-1 files, the Server Common Name is: RDSServer
      iii. Select the Use Approved CA checkbox and browse to the Trusted CA file.
4. From the Encryption area's SSL Session Cipher drop-down list, select any option.
5. Click Save.

Edge (Server) Settings

Note: On an Edge-only machine, only the RTM Console can be used to manage SSL settings for that Edge. If the Edge machine also has the Center component installed, the SSL settings for that Edge can also be set through the R-1 Console GUI connected to the Center.

Note: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using the RTM Console locally on the Edge, and not over the network.

To configure SSL for the Edge (Server):
1. On the Edge machine, create a directory which will include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Edge (Server).
   - Private Key file that matches the Certificate file.
2. Using the RTM Console, select the Edge and click the Manage menu option.
3. Select the Edge (Server) sub-tab and configure the Local Certificate and Other Side Authentication.
   a. In the Local Certificate area, perform the following steps. The Edge (Server) will be authenticated using these settings.
      i. Select the Use Alternate Files checkbox.
      ii. Browse to the server Certificate and Private Key files copied earlier.
      iii. Enter the Private Key Phrase. Using the default R-1 files, the key phrase is: rdsserver
   b. In the Other Side Authentication area, perform the following steps. The Center (Client) will be authenticated using these settings.
      i. From the Authenticate using drop-down list, select Certificate + Name.
      ii. Enter the Client Common Name, the name expected in the Center's certificate. Using the default R-1 files, the Client Common Name is: RDSClient
      iii. Select the Use Approved CA checkbox and browse to the Trusted CA file.
4. Click Save.

Testing Center-Edge Communication

Test the SSL settings defined so far. To test communication between the Center and Edge:
1. Using the Console GUI, connect to the Center.
2. Define a Replication or Distribution job from the Center to one or more Edges.
3. In the Performance tab, or the Transfer tab if you are defining a Distribution job, select the WAN or LFA transport engine and select the Use SSL option. Make sure the job actually transfers data.

Note: SSL is not available when using the LAN transport engine.

The General Report should indicate that SSL was used during the transfer stage:

  12:27:18 Starting files transfer to target
  Using WAN Transfer Engine
  Using SSL authentication and encryption
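A check for the General Report line above, as an added example that is not part of the guide: it scans a directory of saved reports and names every job whose WAN or LFA transfer ran without the "Using SSL authentication and encryption" line, which is how a job submitted without Use SSL (or with -nossl on the CLI) shows up after the fact. The report files and their naming (one .log file per job) are constructed for the example; the "Using LFA Transfer Engine" and "Using LAN Transfer Engine" lines are assumed by analogy with the WAN line the guide shows.

```shell
#!/bin/sh
# Added example, not RepliWeb's code. Lists jobs whose General Report shows a
# WAN or LFA transfer without the SSL line, i.e. data that moved in the clear.
# Assumes one report per job, saved as <job name>.log under the given directory.

# Print the job names under $1 that transferred over WAN/LFA without SSL.
# Exit status 0 when every WAN/LFA transfer used SSL, 1 otherwise.
plaintext_transfers() {
  found=0
  for report in "$1"/*.log; do
    [ -f "$report" ] || continue
    # "LFA" is assumed to be reported like the WAN engine in the guide's excerpt.
    if grep -Eq 'Using (WAN|LFA) Transfer Engine' "$report" \
       && ! grep -q 'Using SSL authentication and encryption' "$report"; then
      basename "$report" .log
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Constructed sample reports (not real R-1 output) so the check runs offline.
write_sample_reports() {
  mkdir -p "$1"
  printf '%s\n' '12:27:18 Starting files transfer to target' \
    'Using WAN Transfer Engine' 'Using SSL authentication and encryption' \
    > "$1/web-content-ssl.log"
  printf '%s\n' '12:31:02 Starting files transfer to target' \
    'Using WAN Transfer Engine' > "$1/web-content-plain.log"
  # LAN jobs cannot use SSL at all, so they are out of scope for this check.
  printf '%s\n' '12:40:45 Starting files transfer to target' \
    'Using LAN Transfer Engine' > "$1/lan-copy.log"
}

if [ $# -gt 0 ]; then
  plaintext_transfers "$1" || echo "some WAN/LFA transfers ran without SSL"
fi
```

Pass the directory holding the saved reports as the only argument; a non-zero exit status makes the check usable from a scheduled job that alerts on plaintext transfers.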

Center Authenticating the Consoles and Edges

In this configuration the Center authenticates all Consoles and all Edges connecting to it, and the Consoles and Edges authenticate the Center. The Center plays a double role here: once as a Server (in Console-Center communication), and once as a Client (in Center-Edge communication).

Figure 6: Center Authenticating Console & Edges; Console & Edges Authenticating the Center

The configuration steps are as follows:
1. Set the Console and Center SSL for Console-Center authentication.
2. Test the Console connection using SSL by opening the Console GUI and connecting to the Center.
3. Set the Center and Edge SSL for Center-Edge authentication.
4. Test the Edge communication using SSL by running an R-1 job using the WAN transfer engine.

Console-Center Communication

Set the Console and Center SSL properties, and then verify the settings by connecting to the Center using the Console GUI.

Console (Client) Settings

To configure SSL for the Console (Client):
1. On the Console machine, create a directory which will include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Console (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, select the menu option Manage / Console SSL Settings. This can be done while the Console is not connected to any Center (offline).
   If connected to a Center, using the Console GUI, select the menu option Manage / Center / SSL tab:
   - To configure the machine the Console is currently running on: connect to localhost.
   - To configure a remote Console: connect to the remote Center on that machine.
3. In the Local Certificate area, perform the following steps. The Console (Client) will be authenticated using these settings.
   a. Select the Use Alternate Files checkbox and browse to the client Certificate and Private Key files copied earlier.
   b. Enter the Private Key Phrase. Using the default R-1 files, the key phrase is: rdsclient
4. In the Other Side Authentication area, perform the following steps. Unlike the Console Authentication configuration above, here the Console authenticates the Center (Server) using these settings.
   a. From the Authenticate using drop-down list, select Certificate + Name.
   b. Enter the Server Common Name, the name expected in the Center's certificate. Using the default R-1 files, the Server Common Name is: RDSServer
   c. Select the Use Approved CA checkbox and browse to the Trusted CA file.
5. From the Encryption area's SSL Session Cipher drop-down list, select any option.
6. Click Save.

Center (Server) Settings

Note: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Center, and not over the network.

To configure SSL for the Center (Server):
1. On the Center machine, create a directory which will include the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Center (Server).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, connect to the Center and select the option Manage / Center / SSL tab.
3. Select the Center (Server) sub-tab and configure the Local Certificate and Other Side Authentication.
   a. In the Local Certificate area, perform the following steps. The Consoles authenticate the Center (Server) using these settings, so the Center must present its own certificate.
      i. Select the Use Alternate Files checkbox.
      ii. Browse to the server Certificate and Private Key files copied earlier.
      iii. Enter the Private Key Phrase. Using the default R-1 files, the key phrase is: rdsserver
   b. In the Other Side Authentication area, perform the following steps. The Console (Client) will be authenticated using these settings.
      i. From the Authenticate using drop-down list, select Certificate + Name.
      ii. Enter the Client Common Name. Using the default R-1 files, the Client Common Name is: RDSClient
      iii. Select the Use Approved CA checkbox and browse to the Trusted CA file.
4. Click Save.

Testing Console-Center Communication

Test the SSL settings defined so far. Using the Console GUI, connect to the Center using SSL.

Figure 7: Connecting using SSL

When the connection is approved and the main Console window is opened, the SSL lock is displayed in the Center Status bar at the bottom of the screen.

Figure 8: Console Connected with SSL

Center-Edge Communication

Set the Center and Edge SSL properties, and then verify the settings by running a replication job from the Center to the Edge using the WAN Transfer Engine with SSL.

Center Settings (Client)

Note: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using a local Console on the Center, and not over the network.

To configure SSL for the Center (Client):

1. On the Center machine, create a directory containing the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Center (Client).
   - Private Key file that matches the Certificate file.
2. Using the Console GUI, connect to the Center, and select the menu option Manage / Center / SSL tab.
3. Select the Center (Client) sub-tab and configure the Local Certificate and Other Side Authentication areas.
   a. In the Local Certificate area, perform the following steps. The Center (Client) will be authenticated using these settings.
      i. Select Use Alternate Files.
      ii. Browse to the client Certificate and Private Key files copied earlier.
      iii. Enter the Private Key Phrase. Using the default R-1 files, the key phrase is: rdsclient
   b. In the Other Side Authentication area, perform the following steps. The Edge (Server) will be authenticated using these settings.
      i. From the Authenticate using drop-down list, select Certificate + Name.
      ii. Enter the Server Common Name, that is, the common name in the certificate identifying the Edge (Server). Using the default R-1 files, this is the default server certificate's common name, RDSServer, as in the Console-Center configuration above.
      iii. Select the Use Approved CA checkbox and browse to the Trusted CA file.
4. From the Encryption area's SSL Session Cipher drop-down list, select any option.
5. Click Save.

Edge (Server) Settings

Note: On an Edge-only machine, only the RTM Console can be used to manage the SSL settings for that Edge. If the Edge machine also has the Center component installed, the SSL settings for that Edge can be set through the R-1 Console GUI connected to the Center.

Note: For maximal data security, although the key phrase is encrypted at all times, it is recommended to set the SSL configuration using a local RTM Console on the Edge, and not over the network.

To configure SSL for the Edge (Server):

1. On the Edge machine, create a directory containing the following files:
   - Trusted Certificate Authority file.
   - Certificate file identifying the Edge (Server).
   - Private Key file that matches the Certificate file.
2. Using the RTM Console, select the Edge and click the Manage menu option.
3. Select the Edge (Server) sub-tab.
   a. In the Local Certificate area, perform the following steps. The Edge (Server) will be authenticated using these settings.
      i. Select Use Alternate Files.
      ii. Browse to the server Certificate and Private Key files copied earlier.
      iii. Enter the Private Key Phrase. Using the default R-1 files, the key phrase is: rdsclient
   b. In the Other Side Authentication area, perform the following steps. The Center (Client) will be authenticated using these settings.
      i. From the Authenticate using drop-down list, select Certificate + Name.
      ii. Enter the Client Common Name. Using the default R-1 files, the Client Common Name is: rdsclient
      iii. Select the Use Approved CA checkbox and browse to the Trusted CA file.
4. Click Save.

Testing Center-Edge Communication

Test the SSL settings defined so far.

To test communication between the Center and Edge:

1. Using the Console GUI, connect to the Center.
2. Define a Replication or Distribution job from the Center to one or more Edges.
3. In the Performance tab (or the Transfer tab in a Distribution job), select the WAN or LFA transport engine and select the Use SSL option. Make sure the job actually transfers data.

Note: SSL is not available when using the LAN transport engine.

The General Report should indicate that SSL was used during the transfer stage:

    12:27:18 Starting files transfer to target
    Using WAN Transfer Engine
    Using SSL authentication and encryption

6. Multiple Trusted Certificate Authorities

Installing a trusted CA (Certificate Authority) certificate on a system means that the system now completely trusts that CA for authentication: any certificate issued by that CA is accepted. If there are multiple authorities to trust, all their certificates should be stored in one place: either put all of them in one file, one authority certificate after another, or put one certificate per file in a single directory. OpenSSL searches the stored certificates for the authority that issued the presented certificate; if that authority is found, the presented certificate can be trusted.

A typical certificate looks like this (body abbreviated):

    -----BEGIN CERTIFICATE-----
    MIICgTCCAeCAQAwDQYJKoZIhvcNAQEEBQAwgYgxCzAJBgNVBAYTAklMMQ8wDQYD
    ...
    gdxenh1kxr5o7xb1+d5jbjzypgve
    -----END CERTIFICATE-----

Using a Multiple Approved CA File

You can store multiple approved CA certificates in a single file.

To store multiple CA certificates in a single file:

1. Using a text editor, append all certificates into one file. Make sure that each certificate is copied in full, including the lines:
       -----BEGIN CERTIFICATE-----
       -----END CERTIFICATE-----
2. Using the R-1 Console, in the Manage / SSL tab of the configured component:
   a. Select Use Approved CA.
      i. Select the File option.
      ii. Browse to the file containing all certificates.
   b. Click Save.

Note: Whenever a CA certificate changes or is replaced, the trusted CA file has to be updated.

Using a Multiple Approved CA Path

Multiple certificates can be stored in a single directory. In this case, OpenSSL looks up certificates by the hash value of their subject name, not by file name.

Note: To use this option, a UNIX machine with OpenSSL installed must be used. The certificates can be stored on a Windows machine at the end of the process, but the hashing utility can be run on UNIX only.

Note: The hash value depends on the OpenSSL version: OpenSSL 1.0.0 changed the subject-name hash. Compute the hashes with the same OpenSSL version (or the same hash form) that the R-1 component verifying the certificates uses; otherwise the directory lookup finds no issuer and certificate verification fails. The value for a single file can be checked with openssl x509 -noout -subject_hash -in <file> (or -subject_hash_old for the pre-1.0.0 form).

To store multiple approved CA certificates in a single folder:

1. Copy all Approved CA files to a single folder, /cert_dir, on a UNIX machine.
2. Run the c_rehash utility, giving it the folder name, to create hash links for all approved CA certificate files in cert_dir:

       > cd /cert_dir
       > ls -l
       -rwxr-xr-x 1 root root  928 Jul 26 09:21 trusted_ca_cert.pem
       --wxrw--wt 1 root root 1314 Jul 29 06:31 trusted_ca_cert_sl.pem
       > c_rehash /cert_dir

3. Verify that a link was created for each CA file. Link names are hexadecimal hash values with a .0 suffix:

       > ls -l
       lrwxrwxrwx 1 root root   22 Jul 29 08:53 50d59a91.0 -> trusted_ca_cert_sl.pem
       lrwxrwxrwx 1 root root   19 Jul 29 08:53 58c1d707.0 -> trusted_ca_cert.pem
       -rwxr-xr-x 1 root root  928 Jul 26 09:21 trusted_ca_cert.pem
       --wxrw--wt 1 root root 1314 Jul 29 06:31 trusted_ca_cert_sl.pem

4. This folder is now ready to be used. If the CA files are required on a Windows machine, perform the following steps:
   a. Create a directory with the CA files stored in it.
   b. Copy each CA file (in the same directory) and name the copy with the appropriate hash value from the UNIX machine.
   c. In this example the directory now contains four files:
          50d59a91.0 identical to trusted_ca_cert_sl.pem
          58c1d707.0 identical to trusted_ca_cert.pem
5. Using the R-1 Console, in the Manage / SSL tab of the configured component:

6. Select Use Approved CA.
   a. Select the Path option.
   b. Browse to the folder containing all certificates.
7. Click Save.

R-1 is installed with a default Certificates directory located in:

    Windows: ~\RepliWeb\RDS\Config\SSL\Cert
    UNIX: ~/repliweb/rds/config/ssl/cert

These directories may be used with the Multiple Approved CA Path option. They contain the files (Windows) and links (UNIX) required for this option.

For any additional information, contact us at support.repliweb.com
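The script below is an added example; it is not part of the RepliWeb guide and not R-1 code. It shows, with the OpenSSL command line, the checks behind the SSL tabs described in the Console-Center and Center-Edge sections and behind both Approved CA forms in this chapter: that a Certificate file and Private Key file actually belong together, that a certificate's subject Common Name is the value a Client/Server Common Name field is compared with, and that a certificate is accepted through a single concatenated CA file (Multiple Approved CA File) as well as through a hashed directory (Multiple Approved CA Path). The hashed directory is built with openssl x509 -subject_hash, the same value c_rehash computes, which is why it can be produced on any machine with OpenSSL. It goes beyond the guide in one respect: it also shows the failure cases (wrong key, leaf issued by an untrusted CA that carries the expected Common Name). All CA and certificate names (alpha, beta, rogue, the Demo CA subjects) are made up for the demo and are not the default R-1 files; the script assumes only that the openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the RepliWeb guide or R-1: exercise the checks
# behind the SSL tabs with the OpenSSL command line.  Assumes only that the
# `openssl` binary is on PATH.  All names (alpha, beta, rogue) are made up for
# the demo and are not the default R-1 certificate files.
set -eu

# Create a self-signed CA "<name> Demo CA" and one leaf certificate it issues,
# with the leaf's subject CN set to $3 (the value a Common Name field checks).
make_ca_and_leaf() {
    dir=$1; name=$2; cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$name Demo CA" \
        -keyout "$dir/${name}_ca.key" -out "$dir/${name}_ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/${name}_leaf.key" -out "$dir/${name}_leaf.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/${name}_leaf.csr" \
        -CA "$dir/${name}_ca.pem" -CAkey "$dir/${name}_ca.key" -CAcreateserial \
        -out "$dir/${name}_leaf.pem" 2>/dev/null
}

# Does the Private Key file really belong to the Certificate file?  Compare the
# public key embedded in the certificate with the one derived from the key.
# (For a passphrase-protected key add `-passin pass:<phrase>` to the pkey call.)
key_matches_cert() {
    from_cert=$(openssl x509 -noout -pubkey -in "$1")
    from_key=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Print the subject CN, i.e. what "Certificate + Name" compares with the
# Client/Server Common Name field.
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Multiple Approved CA File: concatenate whole PEM blocks into one file.
build_ca_file() {
    dst=$1; shift
    cat "$@" > "$dst"
}
ca_file_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Multiple Approved CA Path: one file per CA named <subject_hash>.<n>, the
# layout c_rehash produces, computed here with `openssl x509 -subject_hash` so
# it works on any OS.  The hash value depends on the OpenSSL version (it
# changed in 1.0.0), so use the same version the verifying side links against.
build_ca_path() {
    dst=$1; shift
    mkdir -p "$dst"
    for f in "$@"; do
        h=$(openssl x509 -noout -subject_hash -in "$f")
        n=0
        while [ -e "$dst/$h.$n" ]; do n=$((n+1)); done   # .0, .1, ... on collision
        cp "$f" "$dst/$h.$n"
    done
}
ca_path_entry_count() {
    n=0
    for f in "$1"/*; do if [ -f "$f" ]; then n=$((n+1)); fi; done
    echo "$n"
}

# Chain verification against each trust-store form.  The output is checked for
# ": OK" because old OpenSSL releases exit 0 even when verification fails.
verify_against_file() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }
verify_against_path() { openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

yes_no() { if "$@"; then echo yes; else echo no; fi; }

# End-to-end demonstration: two trusted CAs plus an untrusted CA whose leaf even
# carries the expected CN, which is why "Certificate + Name" must check both.
demo_run() {
    work=$(mktemp -d)
    make_ca_and_leaf "$work" alpha rdsclient
    make_ca_and_leaf "$work" beta RDSServer
    make_ca_and_leaf "$work" rogue rdsclient
    build_ca_file "$work/trusted.pem" "$work/alpha_ca.pem" "$work/beta_ca.pem"
    build_ca_path "$work/capath" "$work/alpha_ca.pem" "$work/beta_ca.pem"
    echo "trusted.pem holds $(ca_file_cert_count "$work/trusted.pem") CAs; capath holds $(ca_path_entry_count "$work/capath") entries"
    echo "alpha leaf CN=$(cert_common_name "$work/alpha_leaf.pem"), own key matches: $(yes_no key_matches_cert "$work/alpha_leaf.pem" "$work/alpha_leaf.key")"
    echo "alpha leaf with beta's key matches: $(yes_no key_matches_cert "$work/alpha_leaf.pem" "$work/beta_leaf.key")"
    echo "alpha leaf accepted via CA file: $(yes_no verify_against_file "$work/trusted.pem" "$work/alpha_leaf.pem")"
    echo "beta leaf accepted via CA path:  $(yes_no verify_against_path "$work/capath" "$work/beta_leaf.pem")"
    echo "rogue leaf accepted via CA file: $(yes_no verify_against_file "$work/trusted.pem" "$work/rogue_leaf.pem")"
    echo "rogue leaf accepted via CA path: $(yes_no verify_against_path "$work/capath" "$work/rogue_leaf.pem")"
    rm -rf "$work"
}

# Run the demonstration when invoked as `sh ssl_checks.sh demo`.
if [ "${1:-}" = "demo" ]; then demo_run; fi
```

Run it as sh ssl_checks.sh demo. The two trusted leaves are accepted through both the CA file and the CA path, while the rogue leaf is rejected by both even though its Common Name is rdsclient: the name check alone would have let it through, which is the reason the guide pairs Certificate + Name with Use Approved CA. The same three functions (key_matches_cert, cert_common_name, verify_against_file) are a quick pre-flight for the files you place in the directories created in steps 1 of the Console, Center and Edge procedures.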