Configuring the client and server components of a remote DataServer connection with Transport Layer Security (TLS) communications is optional. Users can maintain both TLS-enabled and non-TLS instances of a DataServer broker environment. However, a given instance supports only one type of connection, either secure or non-secure.

DataServer Security is based on the client authenticating the server's identity using a Public Key Infrastructure (PKI) and a symmetric data encryption system. To configure a Broker instance for TLS operation, you must:
  • Install a server private key and a public key certificate. OpenEdge provides built-in keys and certificates that are suitable for use on development or demonstration servers; for production machines, you should obtain server certificates from an internal or public Certificate Authority (CA).
  • Specify the keyAlias and keyAliasPasswd parameters in the UBroker.OR.orabroker1 section of the ubroker.properties file for access to the private key/digital certificate.
  • Disable session caching of the orabroker using the noSessionCache parameter, or enable it with a specified timeout using the sessionTimeout parameter.
For more information, see Establishing the TLS protocol in a DataServer broker instance of the Unified Broker and Introduction to Security and Auditing guide.
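
An added example, not from the OpenEdge documentation: a Python check that reads ubroker.properties text and flags a broker section that does not follow the three steps above. The sample file content, the default_server alias name for the built-in key, the 0/1 value format of noSessionCache, and the inheritance of properties from parent sections are assumptions.

```python
import configparser

# Constructed sample; values and the default_server alias are assumptions.
SAMPLE = """
[UBroker.OR]
keyAlias=default_server
keyAliasPasswd=<encoded-password-placeholder>

[UBroker.OR.orabroker1]
noSessionCache=0

[UBroker.OR.orabroker2]
keyAlias=prod_dataserver
keyAliasPasswd=<encoded-password-placeholder>
noSessionCache=1
"""
BUILTIN_ALIAS = "default_server"  # assumed alias of the built-in demo key


def lookup(cfg, section, key):
    """Resolve key in the section, then in each parent group (assumed inheritance)."""
    parts = section.split(".")
    while parts:
        name = ".".join(parts)
        if cfg.has_section(name) and key in cfg[name]:
            return cfg[name][key]
        parts.pop()
    return None


def audit_broker(text, section, production=True):
    """Return findings for one broker section against the steps listed above."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep property names case-sensitive
    cfg.read_string(text)
    findings = []
    alias = lookup(cfg, section, "keyAlias")
    if not alias:
        findings.append("keyAlias missing")
    elif production and alias == BUILTIN_ALIAS:
        findings.append("keyAlias points at the built-in development key")
    if not lookup(cfg, section, "keyAliasPasswd"):
        findings.append("keyAliasPasswd missing")
    caching_off = lookup(cfg, section, "noSessionCache") == "1"
    if not caching_off and not lookup(cfg, section, "sessionTimeout"):
        findings.append("session caching on without an explicit sessionTimeout")
    return findings
```

Call audit_broker with production=False for development or demonstration servers, where the built-in key is acceptable.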

To connect to a TLS-enabled OE DataServer component, clients and servers must have access to a digital (public key) certificate that can authenticate with the digital certificate used by the server, and the client must be configured to send TLS requests. All OpenEdge-managed TLS servers rely on a common OpenEdge key store to manage the private keys and server digital certificates required to support TLS connections from clients. Similarly, most OpenEdge-managed TLS clients and servers rely on a common OpenEdge certificate store to manage the root CA digital certificates that enable them to establish connections to appropriate TLS servers. The OpenEdge installation provides a third-party public/private key pair for testing. The root CA certificate is located in $DLC/keys/default_server.pem and the public key is located in $DLC/certs/pscca.cer.