For testing and evaluation purposes only, a self-signed X.509 certificate is included in your default c-treeACE package. OpenSSL was used to create this certificate.
Security Note: It is critical that this included certificate is never used in a production setting.
In the example below, the certificate and private key are both contained in the file ctree_ssl.pem. Unencrypted TCP/IP connections are still allowed (SSL_CONNECTIONS_ONLY NO), and SSL_CIPHERS specifies the ciphers that are allowed to be used in encrypting the SSL connection:
SUBSYSTEM COMM_PROTOCOL SSL {
SERVER_CERTIFICATE_FILE ctree_ssl.pem
SSL_CONNECTIONS_ONLY NO
SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}
To allow only TLS-encrypted communications for all connections, change SSL_CONNECTIONS_ONLY to YES and, optionally, comment out Shared Memory communications support to prevent local unencrypted shared memory connections. (c-treeACE Shared Memory connections are not supported for TLS encryption.)
;COMM_PROTOCOL FSHAREMM
Finally, for peer authentication (an additional cross-check validation against the server certificate), copy ctsrvr.pem to your client working directory. c-treeACE management and administration tools already include this local client certificate file in their working folder:
<faircom>\server
All GUI tool connection dialogs contain specific parameter options for enabling TLS connections. support.faircom.com was specified as the Common Name in the provided c-treeACE default certificates. When testing c-treeACE SQL Explorer over ADO.NET, specify support.faircom.com so that TLS authentication succeeds with these included certificates.
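The server settings above can be checked mechanically before a system leaves evaluation. The following Python audit is an added example, not FairCom code; it assumes only the configuration syntax visible on this page (";" comments and the SUBSYSTEM COMM_PROTOCOL SSL { } block), treats keywords as case-insensitive as a further assumption, and uses site_cert.pem as a hypothetical file name.

```python
import re

# Constructed samples: the page's evaluation settings, then the same file hardened.
EVAL_CFG = """\
COMM_PROTOCOL FSHAREMM
SUBSYSTEM COMM_PROTOCOL SSL {
SERVER_CERTIFICATE_FILE ctree_ssl.pem
SSL_CONNECTIONS_ONLY NO
SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}
"""
HARDENED_CFG = (EVAL_CFG.replace("COMM_PROTOCOL FSHAREMM", ";COMM_PROTOCOL FSHAREMM")
                .replace("ONLY NO", "ONLY YES")
                .replace("ctree_ssl.pem", "site_cert.pem"))  # hypothetical file name

def parse(text):
    """Return (top-level keyword lines, SSL block settings), skipping ';' comments."""
    top, ssl, in_ssl = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if re.match(r"SUBSYSTEM\s+COMM_PROTOCOL\s+SSL\s*\{", line, re.I):
            ssl, in_ssl = {}, True
        elif in_ssl and line.startswith("}"):
            in_ssl = False
        elif in_ssl:
            key, *rest = line.split(None, 1)
            ssl[key.upper()] = rest[0].strip() if rest else ""
        else:
            top.append(line.upper().split())
    return top, ssl

def audit(text):
    """List findings for the settings this page discusses."""
    top, ssl = parse(text)
    if ssl is None:
        return ["no-ssl-block"]
    findings = []
    if ssl.get("SSL_CONNECTIONS_ONLY", "NO").upper() != "YES":
        findings.append("plaintext-tcp-allowed")
    if ["COMM_PROTOCOL", "FSHAREMM"] in top:
        findings.append("shared-memory-unencrypted")
    if ssl.get("SERVER_CERTIFICATE_FILE", "").lower() == "ctree_ssl.pem":
        findings.append("bundled-eval-certificate-name")
    return findings

if __name__ == "__main__":
    print(audit(EVAL_CFG), audit(HARDENED_CFG))
```

The certificate check matches on file name only, so a finding means the file should be inspected, and a clean result does not prove the bundled certificate was replaced.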