The OpenEdge Authentication Gateway must have a valid HTTPS TLS (Transport Layer Security, the successor to SSL) certificate and client-key installed.

If it hasn't been done already, an administrator can create a new STS Client Key file from an STS Server Key file using the OpenEdge STS Key Utility. For example:

oe_install_dir/bin/stskeyutil install -url https://oeag-dns-name:oeag-port-number -file oeagserverkey.ecp
Important: Always remove the .ecp file from the server after an install to prevent unauthorized access to your configuration. Store it in a secure location in case you need it to re-configure at a later date.
Note: Beginning in OpenEdge 12.3, STS client key management can be handled by the Key Distribution service. For more information, see About STS client key management.

Test the installation with the STS Client Utility. For example:

oe_install_dir\bin\stsclientutil -url https://yourmachinename:port -cmd ping [–nohostverify]
Note:

Be aware of these differences between a development server (used for application development) and a production server (used for application deployment):

  • For development servers, the Authentication Gateway and its clients ship with a server certificate specifically crafted to allow TLS connections, but which will fail post-connection Hostname validation. Therefore, the client connections to an Authentication Gateway always must include the -nohostverify option to work. For example:

    The -nohostverify option allows full server certificate validation per Public Key Cryptography Standards (PKCS) standards, but skips post-connection Hostname validation.

  • For production servers, the Authentication Gateway server must obtain, configure, and use a non self-signed server certificate. Therefore, it is required that the ROOT CA and any optional Intermediate CA certificates needed to validate the Authentication Gateway server's certificate be installed into the OpenEdge installation's DLC/certs directory. Install the ROOT CA and Intermediate CA certificates using only the OpenEdge supplied DLC/bin/certutil utility. Any other installation mechanism is not guaranteed to work.

After verifying that the Authentication Gateway is running, test HTTP connectivity: 

oe_install_dir/bin/stsclientutil -cmd ping -url https://oeagd-dns-name:oeag-port-number  [ -nohostverify ]

For more information about client-key generation, installation, and testing, see STS Client Key (for database server).