
TLS Concepts

Overview of TLS concepts and how they apply to FairCom products

FairCom servers use TLS to secure TCP/IP communications. FairCom server APIs can communicate over TCP/IP using HTTP, HTTPS, WS, WSS, MQTT, MQTTS, JDBC, ODBC, and FairCom's wire protocols.

Transport Layer Security (TLS) is a secure way for computers to communicate. It uses encryption, a certificate file, and a private key file to create secure communications between computers. TLS was formerly called Secure Sockets Layer (SSL). FairCom products support TLS 1.3, which is the latest version.

TLS works by defining a series of requests and responses between a client computer and a server computer. This is called the TLS handshake.

  • FairCom's JSON Action APIs use the HTTPS and WSS protocols with TLS.

  • FairCom's MQ broker uses the MQTTS protocol with TLS.

  • FairCom's ISAM, CTDB, and SQL APIs use FairCom's wire protocols with TLS when they use TCP/IP instead of shared memory.

    Note

    FairCom's ISAM and SQL wire protocols can use TCP/IP or shared memory. Shared memory works only when client software and the FairCom server run on the same computer. Shared memory is faster than TCP/IP but is not encrypted using TLS.

Where you configure TLS depends on the protocol:

  • HTTPS, WSS, and MQTTS

    • In your client software, use TLS settings in your protocol driver.

    • On the server, use settings in services.json.

  • FairCom ISAM wire protocol

    • In your client software, use functions in FairCom's client library, mtclient.

    • On the server, use TLS settings in the FairCom DB Configuration File, ctsrvr.cfg.

  • JDBC

  • ODBC

Certificates provide different levels of secure communications with FairCom servers:
  • No certificates

    • FairCom servers can optionally use TLS to encrypt communications without certificates.

    • FairCom does not recommend this approach because a man-in-the-middle attack can intercept the encrypted communications between clients and the server.

  • Server certificate

    • FairCom servers use TLS to encrypt communications.

    • A server certificate prevents man-in-the-middle attacks when the client software uses the CA certificate to prove the server's identity.

  • Server and client certificates

    • FairCom servers use TLS to encrypt communications.

    • A server certificate prevents man-in-the-middle attacks if you configure client software to use the CA certificate.

    • A client certificate improves authentication security when you configure server software to use the CA certificate to prove the client's identity.
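
The three certificate levels above map onto client-side TLS settings as follows. This is an added example using Python's standard `ssl` module, not FairCom code; the level names (`none`, `server`, `mutual`) and the file path parameters are assumptions chosen for illustration.

```python
import ssl

def client_context(level, ca_file=None, cert_file=None, key_file=None):
    """Build a client TLS context for one certificate level.

    level is "none", "server" or "mutual" (names are this example's own).
    ca_file, cert_file and key_file are caller-supplied PEM paths.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse anything older

    if level == "none":
        # Traffic is encrypted, but the server's identity is never checked,
        # so a man-in-the-middle can terminate the session unnoticed.
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if level not in ("server", "mutual"):
        raise ValueError(f"unknown level: {level!r}")

    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking.
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that signed the server cert
    else:
        ctx.load_default_certs()                   # fall back to the system trust store

    if level == "mutual":
        if not (cert_file and key_file):
            raise ValueError("mutual TLS needs a client certificate and key")
        # Presented to the server, which validates it against its own CA file.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def verifies_server(ctx):
    """True only if the context authenticates the server (resists MITM)."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)
```

Pass the returned context to your protocol driver or to `ctx.wrap_socket(sock, server_hostname=...)`; `verifies_server` is a quick audit check for contexts built elsewhere in a code base.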

The resource-intensive portion of a TLS connection is its initial creation, when the TLS handshake takes place. Once connected, ongoing communication overhead is negligible. Thus, for best performance, avoid repeated connections and keep an established TLS connection open for reuse.