TLS Concepts
Overview of TLS concepts and how they apply to FairCom products
FairCom servers use TLS to secure TCP/IP communications. FairCom server APIs can communicate over TCP/IP using HTTP, HTTPS, WS, WSS, MQTT, MQTTS, JDBC, ODBC, and FairCom's wire protocols.
FairCom's JSON Action APIs use the HTTPS and WSS protocols with TLS.
FairCom's MQ broker uses the MQTTS protocol with TLS.
FairCom's ISAM, CTDB, and SQL APIs use FairCom's wire protocols with TLS when they use TCP/IP instead of shared memory.
Note
FairCom's ISAM and SQL wire protocols can use TCP/IP or shared memory. Shared memory works only when client software and the FairCom server run on the same computer. Shared memory is faster than TCP/IP but is not encrypted using TLS.
HTTPS, WSS, and MQTTS
In your client software, use TLS settings in your protocol driver.
On the server, use settings in services.json.
FairCom ISAM wire protocol
In your client software, use functions in FairCom's client library, mtclient.
On the server, use TLS settings in the FairCom DB Configuration File, ctsrvr.cfg.
JDBC
In a JDBC client, use Java TLS settings.
On the server, use TLS settings in the FairCom DB Configuration File, ctsrvr.cfg.
ODBC
On a Windows computer, use Microsoft's TLS settings.
On the server, use TLS settings in the FairCom DB Configuration File, ctsrvr.cfg.
No certificates
FairCom servers can optionally use TLS to encrypt communications without certificates.
FairCom does not recommend this approach because, without a certificate, the client cannot verify the server's identity, so a man-in-the-middle attack can intercept the encrypted communications between clients and the server.
Server certificate
FairCom servers use TLS to encrypt communications.
A server certificate prevents man-in-the-middle attacks when the client software uses the CA certificate to prove the server's identity.
Server and client certificates
FairCom servers use TLS to encrypt communications.
A server certificate prevents man-in-the-middle attacks if you configure client software to use the CA certificate.
A client certificate improves authentication security when you configure server software to use the CA certificate to prove the client's identity.
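The three postures above, seen from the client side, as an added example that is not FairCom code. It uses Python's standard ssl module as a stand-in for a protocol driver's TLS settings; the function names, the mode names, and the file-path parameters are this example's own, and "unauthenticated" approximates the "No certificates" case as the client experiences it (an encrypted channel with no check of the peer's identity).

```python
import ssl


def client_tls_context(mode, ca_file=None, cert_file=None, key_file=None):
    """Build a client SSLContext for one of the three postures.

    mode is "unauthenticated", "server-cert" or "mutual" (hypothetical names).
    ca_file is the CA certificate; when omitted, the system trust store is used.
    """
    if mode == "unauthenticated":
        # Encrypted, but the peer's identity is never checked, so an
        # on-path party can terminate the session and relay the traffic.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if mode not in ("server-cert", "mutual"):
        raise ValueError(f"unknown mode: {mode!r}")
    # Server certificate: require a chain that validates against the CA
    # certificate and a certificate name that matches the host we dialed.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    if mode == "mutual":
        # Client certificate: also present our own identity, which the
        # server checks against the CA certificate it is configured with.
        if not (cert_file and key_file):
            raise ValueError("mutual TLS needs a client certificate and key")
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def resists_mitm(ctx):
    """True only if the client both validates the chain and checks the name."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


if __name__ == "__main__":
    for mode in ("unauthenticated", "server-cert"):
        ctx = client_tls_context(mode)
        print(f"{mode:16} verify={ctx.verify_mode.name:13} "
              f"check_hostname={ctx.check_hostname} "
              f"resists_mitm={resists_mitm(ctx)}")
```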
The resource-intensive part of a TLS connection is establishing it. Once connected, ongoing communication overhead is negligible. For best performance, avoid reconnecting repeatedly and keep an established TLS connection open.