Install externally-issued certificates into XCOM

Document ID : KB000048329
Last Modified Date : 14/02/2018

Description:

This article describes where to install certificates issued by an external certificate authority (CA) so that CA XCOM uses them when performing SSL transfers.

Solution:

Regardless of whether you use the sample scripts delivered with XCOM (makeca, makeclient, makeserver) or have an external CA issue your certificates, at the end of the process you will have the following files:

  • A CA certificate, which identifies the CA whose key signed the client and server certificates; XCOM uses it to verify the certificate presented by the remote side

  • Two pairs of files, each consisting of a private key and its corresponding certificate: one pair is used when this XCOM initiates an SSL transfer, the other when another XCOM initiates an SSL transfer to us

    These files are functionally equivalent to the ones created by the XCOM sample scripts and must go in exactly the same places, as determined by the XCOM configuration files. The rules are as follows:

  • The file %XCOM_HOME%\config\xcom.glb contains the XCOM_CONFIG_SSL= parameter, which names the SSL configuration file (by default %XCOM_HOME%\config\configssl.cnf). That file specifies where the certificate and key files reside.

  • The file containing the CA certificate is named in the [CA] section.

  • The directory containing that file is named in the [CA_DIRECTORY] section. It must be set even though it duplicates information already given in [CA].

  • The files containing the client and server certificates are named in the [CERTIFICATE] section.

  • The files containing the client and server private keys are named in the [PRIVATEKEY] section.

In each section, INITIATE_SIDE refers to the client side (the one that initiates the connection) and RECEIVE_SIDE refers to the server side (the one that receives the connection request from the network).
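As an added example (not CA XCOM code and not part of the original article), the following Python script checks a configssl.cnf before a transfer relies on it: every [CA], [CERTIFICATE] and [PRIVATEKEY] entry for both sides must point at an existing PEM file, [CA_DIRECTORY] must be the directory that actually holds the [CA] file, and on POSIX systems each private key must not be readable by other users. It assumes the INI-style "[SECTION]" / "INITIATE_SIDE = path" syntax implied by the rules above and a "NAME=value" syntax for xcom.glb; confirm both against the product documentation for your release. The directory tree and PEM contents it creates are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight check for an XCOM SSL configuration file (added example, not CA XCOM code).

Assumes configssl.cnf is INI-style with sections [CA], [CA_DIRECTORY], [CERTIFICATE]
and [PRIVATEKEY], each holding INITIATE_SIDE and RECEIVE_SIDE entries whose values
are paths. The exact key syntax is an assumption; check your release's documentation.
"""
import configparser
import os
import ssl
import tempfile

SIDES = ("INITIATE_SIDE", "RECEIVE_SIDE")
KEY_PERMS_CHECKED = os.name == "posix"  # st_mode bits are meaningless on Windows


def read_glb_param(glb_text, name):
    """Value of NAME=value in xcom.glb text (assumed syntax, '#' comments), or None."""
    for line in glb_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == name:
            return value.strip()
    return None


def _is_pem_cert(path):
    try:
        with open(path) as f:
            ssl.PEM_cert_to_DER_cert(f.read())  # validates BEGIN/END CERTIFICATE framing
        return True
    except ValueError:
        return False


def check_ssl_config(text):
    """Return a list of problems; an empty list means every reference resolves."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep INITIATE_SIDE / RECEIVE_SIDE as written
    cp.read_string(text)
    problems = [f"[{s}] lacks {side}" for s in ("CA", "CA_DIRECTORY", "CERTIFICATE", "PRIVATEKEY")
                for side in SIDES if not cp.has_option(s, side)]
    if problems:
        return problems  # structure is wrong; file checks would only add noise
    for side in SIDES:
        ca_file, ca_dir = cp["CA"][side], cp["CA_DIRECTORY"][side]
        cert, key = cp["CERTIFICATE"][side], cp["PRIVATEKEY"][side]
        for label, path in (("CA", ca_file), ("CERTIFICATE", cert), ("PRIVATEKEY", key)):
            if not os.path.isfile(path):
                problems.append(f"[{label}] {side}: missing file {path}")
        if not os.path.isdir(ca_dir):
            problems.append(f"[CA_DIRECTORY] {side}: missing directory {ca_dir}")
        elif os.path.dirname(os.path.abspath(ca_file)) != os.path.abspath(ca_dir):
            problems.append(f"[CA_DIRECTORY] {side} does not hold the [CA] file")
        for label, path in (("CA", ca_file), ("CERTIFICATE", cert)):
            if os.path.isfile(path) and not _is_pem_cert(path):
                problems.append(f"[{label}] {side}: {path} is not a PEM certificate")
        if os.path.isfile(key):
            with open(key) as f:
                if "PRIVATE KEY-----" not in f.read():
                    problems.append(f"[PRIVATEKEY] {side}: {key} is not a PEM private key")
            # Hygiene: the key should be readable only by the account xcomd runs as.
            if KEY_PERMS_CHECKED and os.stat(key).st_mode & 0o077:
                problems.append(f"[PRIVATEKEY] {side}: {key} is readable by other users")
    return problems


def make_demo_tree():
    """Create a throwaway tree of constructed placeholder PEM files (not real keys or
    certificates) and return (configssl text, root directory)."""
    root = tempfile.mkdtemp(prefix="xcom-ssl-demo-")
    certs = os.path.join(root, "ssl")
    os.mkdir(certs)
    cert_pem = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    key_pem = "-----BEGIN PRIVATE KEY-----\nMIIB\n-----END PRIVATE KEY-----\n"
    files = {"cacert.pem": cert_pem, "client.pem": cert_pem, "server.pem": cert_pem,
             "client.key": key_pem, "server.key": key_pem}
    for name, body in files.items():
        path = os.path.join(certs, name)
        with open(path, "w") as f:
            f.write(body)
        if name.endswith(".key"):
            os.chmod(path, 0o600)  # owner-only, as a deployed private key should be
    p = lambda n: os.path.join(certs, n)
    config = (f"[CA]\nINITIATE_SIDE = {p('cacert.pem')}\nRECEIVE_SIDE = {p('cacert.pem')}\n"
              f"[CA_DIRECTORY]\nINITIATE_SIDE = {certs}\nRECEIVE_SIDE = {certs}\n"
              f"[CERTIFICATE]\nINITIATE_SIDE = {p('client.pem')}\nRECEIVE_SIDE = {p('server.pem')}\n"
              f"[PRIVATEKEY]\nINITIATE_SIDE = {p('client.key')}\nRECEIVE_SIDE = {p('server.key')}\n")
    return config, root


def demo():
    """Check a consistent config, then two broken variants; return the three reports."""
    config, root = make_demo_tree()
    good = check_ssl_config(config)
    # A key named in the config but never copied into place.
    missing = check_ssl_config(config.replace("server.key", "missing.key"))
    # A key copied into place with loose permissions.
    os.chmod(os.path.join(root, "ssl", "client.key"), 0o644)
    loose = check_ssl_config(config)
    return good, missing, loose
```

Run it after editing the SSL configuration file and before the next transfer: because XCOM re-reads that file for each SSL transfer, a mistyped path or a key that was never copied into place otherwise surfaces only when a transfer fails. Use read_glb_param on the contents of xcom.glb to find which file XCOM_CONFIG_SSL actually points at before checking it.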

You must stop and restart the xcomd service after changing xcom.glb for the change to be read. You do NOT need to do that after changing the SSL configuration file, because it is re-read each time an SSL transfer is initiated.