To enable TLS (SSL), add a SUBSYSTEM COMM_PROTOCOL SSL section to ctsrvr.cfg containing the TLS configuration options you want to set.
Supported options
SERVER_CERTIFICATE_FILE - provide the name of the PEM-encoded certificate file that contains the FairCom DB server certificate.
SERVER_PRIVATE_KEY_FILE - indicate the name of the file containing the private key.
SERVER_ENCRYPTED_STORE_FILE - create an encrypted store file.
SSL_CONNECTIONS_ONLY - specify whether clients are required to use SSL/TLS to connect to the FairCom Server.
SSL_CIPHERS - set the encryption ciphers that are allowed to be used for encrypting the SSL connection.
DEBUG_LOG - write messages to the specified <log file>.
VERIFY_CLIENT_CERTIFICATE - specify whether the client is required to supply an X.509 certificate.
X509_AUTHENTICATION - enable or disable using an X.509 certificate at logon for authentication and database authorization.
Example:
SUBSYSTEM COMM_PROTOCOL SSL {
;This is the file name of the server certificate
SERVER_CERTIFICATE_FILE c:\certs\server.pem
; This server's private key. It is encrypted in PKCS#8 format
SERVER_PRIVATE_KEY_FILE c:\certs\private\server.pkcs8
; master.fkf contains the password for decrypting server.pkcs8
SERVER_ENCRYPTED_STORE_FILE master.fkf
;For SSL you can specify (un-comment) a debug log file name
;DEBUG_LOG ssl.log
SSL_CONNECTIONS_ONLY YES
;Require clients to provide an X.509 certificate
VERIFY_CLIENT_CERTIFICATE YES
;Use x509 client certificate for database authentication
x509_AUTHENTICATION YES
;Use the SUBJECT:CN from the client's certificate as their user name
x509_PATH CN
}
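A pre-deployment check for this block, as an added example that is not FairCom code: it parses the SUBSYSTEM COMM_PROTOCOL SSL section and reports a keyword run together with its value, missing certificate or key entries, and settings that leave TLS or client-certificate checking optional. The function names, the treatment of ; lines as comments, case-insensitive keyword matching, and the policy applied in audit() are assumptions of this example.

```python
import re
# Keywords as written on this page (the option list plus x509_PATH from the example).
KNOWN = {"SERVER_CERTIFICATE_FILE", "SERVER_PRIVATE_KEY_FILE", "SERVER_ENCRYPTED_STORE_FILE",
         "SSL_CONNECTIONS_ONLY", "SSL_CIPHERS", "DEBUG_LOG", "VERIFY_CLIENT_CERTIFICATE",
         "X509_AUTHENTICATION", "X509_PATH"}
BLOCK_START = re.compile(r"SUBSYSTEM\s+COMM_PROTOCOL\s+SSL\s*\{", re.I)

def parse_ssl_block(text):
    """Return ({KEYWORD: value}, [problems]) for the SSL subsystem block."""
    opts, problems, inside = {}, [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not inside:
            inside = bool(BLOCK_START.match(line))
        elif line == "}":
            break
        elif line and not line.startswith(";"):  # assumption: ';' starts a comment
            key, *rest = line.split(None, 1)
            key = key.upper()                     # assumption: keywords ignore case
            fused = [k for k in KNOWN if key.startswith(k)]
            if key in KNOWN:
                opts[key] = rest[0] if rest else ""
            elif fused:  # a known keyword run together with its value
                problems.append(f"line {n}: {max(fused, key=len)} is fused with its value")
            else:
                problems.append(f"line {n}: unknown keyword {key}")
    return opts, problems

def audit(text):
    """Parse problems plus policy findings; the policy is this example's assumption."""
    opts, problems = parse_ssl_block(text)
    yes = lambda key: opts.get(key, "").upper() == "YES"
    for key in ("SERVER_CERTIFICATE_FILE", "SERVER_PRIVATE_KEY_FILE"):
        if not opts.get(key):
            problems.append(f"{key} is not set")
    if not yes("SSL_CONNECTIONS_ONLY"):
        problems.append("SSL_CONNECTIONS_ONLY is not YES")
    if yes("X509_AUTHENTICATION") and not yes("VERIFY_CLIENT_CERTIFICATE"):
        problems.append("X509_AUTHENTICATION is YES but VERIFY_CLIENT_CERTIFICATE is not")
    return problems

# Constructed input: fused keyword, TLS optional, X.509 logon without a client-cert check.
SAMPLE = r"""SUBSYSTEM COMM_PROTOCOL SSL {
SERVER_CERTIFICATE_FILE c:\certs\server.pem
SERVER_PRIVATE_KEY_FILEc:\certs\private\server.pkcs8
SSL_CONNECTIONS_ONLY NO
x509_AUTHENTICATION YES
}"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```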