Configuring the client and server components of a remote DataServer connection with Transport Layer Security (TLS) communications is optional. Users can maintain both TLS-enabled and non-TLS instances of a DataServer broker environment (for example, one broker instance that accepts TLS clients and another that accepts non-TLS clients). However, a given instance supports only one type of connection, either secure or non-secure.

DataServer security is based on the client authenticating the server's identity using a Public Key Infrastructure (PKI), after which the session data is protected with symmetric encryption negotiated during the TLS handshake. To configure a Broker instance for TLS operation, you must:
  • Install a server private key and a public key certificate. OpenEdge provides built-in keys and certificates that are suitable for use on development or demonstration servers only; because the same built-in private key ships with every OpenEdge installation, it offers no real protection. For production machines, obtain server certificates from an internal or public Certificate Authority (CA).
  • Specify the keyAlias and keyAliasPasswd parameters in the UBroker.MS.mssbroker1 section of the ubroker.properties file for access to the private key/digital certificate.
    Note:
    • mssbroker1 is the default service name for OpenEdge DataServer for MS SQL Server created in the ubroker.properties file. However, you can rename it or create additional MS SQL Server broker services as needed.
    • You can use the genpassword command-line utility to encode the specified keyAliasPasswd. For more information, see genpassword.

  • Disable TLS session caching for the broker instance using the noSessionCache parameter, or leave caching enabled and bound the lifetime of cached sessions with the sessionTimeout parameter.
For more information see Establishing the TLS protocol in a DataServer broker instance of the Unified Broker and Configure and run TLS sessions.

To connect to a TLS-enabled OpenEdge DataServer component, the client must have access to a root CA digital certificate that can validate the digital certificate presented by the server, and the client must be configured to send TLS requests. All OpenEdge-managed TLS servers rely on a common OpenEdge key store ($DLC/keys) to manage the private keys and server digital certificates required to support TLS connections from clients. Similarly, most OpenEdge-managed TLS clients and servers rely on a common OpenEdge certificate store ($DLC/certs) to manage the root CA digital certificates that enable them to establish connections to appropriate TLS servers. With the OpenEdge installation, a third-party public/private key pair is provided for testing: the default server private key and certificate are located in $DLC/keys/default_server.pem, and the root CA certificate that validates it is located in $DLC/certs/pscca.cer.
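The following audit script is an added example, not part of OpenEdge or of this documentation. It covers the two passages above: the per-instance TLS settings in ubroker.properties (keyAlias, keyAliasPasswd, noSessionCache, sessionTimeout) and the key store under $DLC/keys. It parses a constructed ubroker.properties fragment, resolves parent-section inheritance, and flags the mistakes a reviewer would look for before a broker goes to production: a TLS instance still using the built-in default_server key, an alias with no matching .pem in the key store, a missing password, and a session cache left enabled with no sessionTimeout. The sslEnable property used to tell TLS instances from non-TLS ones is not named in this section and is assumed here; the 0/1 value convention and the sample password value are likewise assumptions.

```python
"""Audit TLS settings of OpenEdge DataServer broker instances in ubroker.properties.

Added example; not OpenEdge code. Assumptions (labelled):
- [Section] headers with key=value lines, and a child section such as
  [UBroker.MS.mssbroker1] inheriting from [UBroker.MS] and [UBroker].
- sslEnable=1 marks a TLS instance (property not named in the section above).
- noSessionCache uses 0/1; sessionTimeout is present when a cache lifetime is set.
- The key store holds <keyAlias>.pem files; 'default_server' is the dev-only alias.
"""
import re
from typing import Dict, List, Set

# Built-in key shipped with every OpenEdge install: fine for demos, never for production.
DEV_ALIASES = {"default_server"}

# Constructed sample, not a real ubroker.properties. keyAliasPasswd values are placeholders.
SAMPLE_PROPERTIES = """
[UBroker]
    sslEnable=0
    noSessionCache=0

[UBroker.MS]
    portNumber=4100

[UBroker.MS.mssbroker1]
    sslEnable=1
    keyAlias=prod_mssql
    keyAliasPasswd=3a2b1c0d
    noSessionCache=1

[UBroker.MS.mssbroker2]
    sslEnable=1
    keyAlias=default_server
    keyAliasPasswd=password

[UBroker.MS.mssbroker3]
    portNumber=4101
"""

# Constructed directory listing standing in for $DLC/keys.
SAMPLE_KEY_STORE: Set[str] = {"default_server.pem", "prod_mssql.pem"}


def parse_properties(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [Section] / key=value text into {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def effective(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Merge UBroker -> UBroker.MS -> UBroker.MS.<instance>; child values win."""
    parts = name.split(".")
    merged: Dict[str, str] = {}
    for i in range(1, len(parts) + 1):
        merged.update(sections.get(".".join(parts[:i]), {}))
    return merged


def audit_instance(sections: Dict[str, Dict[str, str]], name: str,
                   key_store: Set[str]) -> List[str]:
    """Return a list of findings for one broker instance (empty list == clean)."""
    props = effective(sections, name)
    findings: List[str] = []
    if props.get("sslEnable", "0") != "1":
        return findings  # non-TLS instance: an instance is either secure or not, never both
    alias = props.get("keyAlias")
    if not alias:
        findings.append("keyAlias not set")
    else:
        if alias in DEV_ALIASES:
            findings.append(f"keyAlias '{alias}' is the built-in dev/demo key")
        if f"{alias}.pem" not in key_store:
            findings.append(f"no {alias}.pem in key store for keyAlias '{alias}'")
    if not props.get("keyAliasPasswd"):
        findings.append("keyAliasPasswd not set")
    if props.get("noSessionCache", "0") != "1" and "sessionTimeout" not in props:
        findings.append("session cache enabled without sessionTimeout")
    return findings


def audit_all(sections: Dict[str, Dict[str, str]], key_store: Set[str]) -> Dict[str, List[str]]:
    """Audit every MS SQL Server broker instance section."""
    return {name: audit_instance(sections, name, key_store)
            for name in sections if name.startswith("UBroker.MS.")}


if __name__ == "__main__":
    for instance, findings in audit_all(parse_properties(SAMPLE_PROPERTIES), SAMPLE_KEY_STORE).items():
        print(instance, "OK" if not findings else "; ".join(findings))
```

Point the script at the real file ($DLC/properties/ubroker.properties) and at a listing of $DLC/keys to audit an actual installation; the only finding it cannot make is whether keyAliasPasswd was encoded with genpassword or pasted in cleartext, since the encoding is opaque to the script.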