Manage your own TLS server identity
- Last Updated: January 16, 2024
- 2 minute read
- OpenEdge
- Version 12.8
- Documentation
To manage your own OpenEdge TLS server identity and make it available to TLS clients, you must generate a password-protected, alias-named private key for the server and obtain a server certificate that is authorized by a trusted CA. The trusted CA can be one of the major public CAs, including Go Daddy, Thawte, or GlobalSign; or it can be any other CA that you trust for your purpose, including your own internal CA. Follow the requirements of your chosen CA in order to request and receive the server certificate that you need. Once you have the authorized server certificate, you must install it, together with the corresponding private key, as an entry in the keystore of any OpenEdge server you want configured with this TLS identity.
You then must propagate to all TLS clients (if necessary) the root CA public-key certificate that corresponds to the authorized server identity. OpenEdge comes installed with the root CA certificates for the major public CAs, including Symantec, DigiCert, and Entrust, that you can use to authenticate servers that they authorize. If you use another CA (including your own internal CA), you must obtain (or generate) the root public-key certificate and install it in each TLS client's certificate store.
Using the OpenEdge TLS management software, you can add, list, update, and debug TLS server identities defined in both OpenEdge-managed TLS server keystores and TLS client certificate stores.
Next, you need to configure standard TLS connection parameters and properties associated with each OpenEdge client and server component using a given TLS server identity in order to initiate and maintain TLS connections between them. For any TLS server identity other than the default, you must specify the keystore entry alias name and password to configure the specified identity for a given TLS server. If you need to configure a server component manually (required for starting up the OpenEdge RDBMS), you must provide an encrypted form of the keystore entry password during server configuration or startup.
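The steps above, worked through with OpenSSL as an added example (this is not the OpenEdge documentation's or product's own procedure): an internal root CA stands in for your chosen CA, the server gets a password-protected private key and a CSR, the CA signs it, and key plus certificate are bundled under an alias. The final functions run the checks that matter: a client holding only the root CA certificate can validate the server certificate, the private key cannot be opened without its password, and the bundle carries the alias that the server configuration will later refer to. The working directory, alias `myserver`, server name `db.example.internal` and the password are assumptions; importing the resulting PKCS#12 bundle into an OpenEdge keystore is done with the tools covered in Manage OpenEdge Keys and Certificates and is not shown.

```shell
#!/bin/sh
# Added example, not part of the OpenEdge documentation: build a TLS server
# identity (password-protected private key, alias, CA-signed certificate) and
# run the checks a TLS client and an administrator would perform on it.
# Assumed (not from the page): work dir ./tlsdemo, alias "myserver",
# server name db.example.internal, and a constructed sample password.
set -eu

WORKDIR="${WORKDIR:-./tlsdemo}"
ALIAS="myserver"
SERVER_CN="db.example.internal"
KEY_PASS="changeit"   # constructed sample value; never ship a known password

make_identity() {
    mkdir -p "$WORKDIR"

    # 1. An internal root CA. In production this is your chosen public or
    #    corporate CA; only its public certificate (rootca.crt) goes to clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$WORKDIR/rootca.key" -out "$WORKDIR/rootca.crt" >/dev/null 2>&1

    # 2. The server's private key, encrypted under KEY_PASS, plus a CSR.
    openssl req -new -newkey rsa:2048 -passout "pass:$KEY_PASS" \
        -subj "/CN=$SERVER_CN" \
        -keyout "$WORKDIR/$ALIAS.key" -out "$WORKDIR/$ALIAS.csr" >/dev/null 2>&1

    # 3. The CA signs the CSR; the SAN is what clients match the hostname against.
    printf 'subjectAltName=DNS:%s\n' "$SERVER_CN" > "$WORKDIR/san.ext"
    openssl x509 -req -in "$WORKDIR/$ALIAS.csr" \
        -CA "$WORKDIR/rootca.crt" -CAkey "$WORKDIR/rootca.key" -CAcreateserial \
        -days 825 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/$ALIAS.crt" >/dev/null 2>&1

    # 4. Key + certificate under one alias, password-protected, ready for import
    #    into the server keystore.
    openssl pkcs12 -export -name "$ALIAS" \
        -inkey "$WORKDIR/$ALIAS.key" -passin "pass:$KEY_PASS" \
        -in "$WORKDIR/$ALIAS.crt" \
        -out "$WORKDIR/$ALIAS.p12" -passout "pass:$KEY_PASS" >/dev/null 2>&1
}

# What a client does: validate the server certificate using only the root CA.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/rootca.crt" "$WORKDIR/$ALIAS.crt" >/dev/null 2>&1
}

# The private key must be unusable without its password.
key_is_password_protected() {
    ! openssl pkey -in "$WORKDIR/$ALIAS.key" -passin "pass:not-the-password" -noout >/dev/null 2>&1
}

# The bundle carries the alias the server configuration will refer to.
bundle_has_alias() {
    openssl pkcs12 -in "$WORKDIR/$ALIAS.p12" -passin "pass:$KEY_PASS" -nokeys 2>/dev/null \
        | grep -q "friendlyName: $ALIAS"
}

make_identity
verify_chain && key_is_password_protected && bundle_has_alias && echo "identity OK"
```

Only `rootca.crt` is distributed to clients; `rootca.key` stays with the CA. If `verify_chain` fails for a certificate issued by a different CA, that is the situation the text describes in which the client's certificate store still needs that CA's root certificate installed.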
Alternatively, you can update the default_server keystore entry with a new trusted CA server certificate. If you do not change the default password for this update, you can continue to use any default TLS configurations without change. However, if you change the password, you must then specify the new password for each TLS server configured using the default_server keystore entry.
For more information on using the OpenEdge tools for managing TLS server identities and obtaining encrypted forms of keystore entry passwords, see the sections on managing OpenEdge key and certificate stores in Manage OpenEdge Keys and Certificates.
The following topics describe how to configure OpenEdge TLS clients and TLS servers for a given TLS server identity.