The following steps describe the process of creating and signing SSL certificates in OpenEdge for use with AppServer and WebSpeed brokers and their ABL clients. If the goal is to use certificates obtained from a recognized Certificate Authority, refer to article
How to import an SSL certificate obtained from a Certificate Authority (CA) into OpenEdge for the steps to import those into the OpenEdge keystore.
Example commands and output are from the Windows operating system; file separators, environment variables, etc. will differ on Unix-based operating systems. For specific instructions on how to perform selected steps in this article on Linux, see article
Steps to create a self signed SSL certificate from scratch on unix or linux.
1. Open a Proenv window.
2. Enter the following commands to create a set of scratch directories to be used by the OpenEdge utilities.
- md myssl
- cd myssl
- md certs
- md keys
- md newcerts
- md requests
- copy con serial
01
<Press the CTRL-Z key combination on the keyboard>
<Press the Enter key on the keyboard>
At this point the current working directory should be <OpenEdge work directory>\myssl
3. Use the OpenEdge pkiutil utility to create a 512-bit, 1024-bit or 2048-bit private key to use when creating the certificate. The default keysize is 1024-bit; the following example creates a 2048-bit key. Note that 512-bit and 1024-bit RSA keys are no longer considered secure, so use 2048 bits or larger. The output shown after the command may differ slightly in other OpenEdge versions. Enter any string for the pass phrase (it will not be echoed); note the value used, as it will be needed in later steps.
proenv>pkiutil -keysize 2048 -newreq demoSSL
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...........+++
............+++
writing new private key to 'C:\Progress\OpenEdge/keys/requests/demoSSL.pk1'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) []:Progress Software
Organizational Unit Name (eg, section) []:Technical Support
Server DNS name []:myserver.bedford.progress.com
You may now use the file C:\Progress\OpenEdge/keys/requests/demoSSL.pk10 to
request a new Digital Certificate from a CA Certificate
Authority.
After you obtain the new Digital Certificate from the CA
use the -import command to insert the certificate into
the keystore.
NOTE: The pkiutil included in 11.7 through 11.7.4 has a keysize limit of 2048. To make a private key with a keysize larger than 2048, use keytool, which can be found in the $DLC/jdk/bin directory of most OpenEdge installations. If the installation does not have a JDK (Java Development Kit) installed, download an external JDK and use the keytool within it to make the private key.
Example:
keytool -genkey -alias server -keyalg RSA -keysize 4096 -keystore java-keystore-filename-here.jks
4. Copy the newly created key and request files to the scratch directory created in step 2:
proenv>copy %DLC%\keys\requests\demoSSL.pk10 requests
proenv>copy %DLC%\keys\requests\demoSSL.pk1 keys
5. Copy the configuration file used with the OpenEdge OpenSSL utility sslc into the scratch directory created in step 2:
proenv>copy %DLC%\keys\policy\pscpki.cnf myssl.cnf
6. Edit myssl.cnf to specify that files be created relative to the scratch directory instead of %DLC%\keys:
Change line 15:
dir = $ENV::DLC/keys # Location for everything
To:
dir = . # Location for everything
7. Create a master or root certificate based on the demoSSL.pk1 private key. This certificate will be used when signing other certificates.
proenv>sslc req -config myssl.cnf -new -x509 -days 1001 -key keys\demoSSL.pk1 -out certs\rootCA.cer
Enter pass phrase for keys\demoSSL.pk1:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) []:Progress Software
Organizational Unit Name (eg, section) []:Technical Support
Server DNS name []:myserver.bedford.progress.com
8. Sign the certificate request with the root certificate and its private key:
proenv>sslc ca -config myssl.cnf -cert certs\rootCA.cer -in requests\demoSSL.pk10 -keyfile keys\demoSSL.pk1 -days 365 -out certs\demoSSL.cer
Using configuration from myssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for keys\demoSSL.pk1:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Massachusetts'
localityName :PRINTABLE:'Bedford'
organizationName :PRINTABLE:'Progress Software'
organizationalUnitName:PRINTABLE:'Technical Support'
commonName :PRINTABLE:'myserver.bedford.progress.com'
Certificate is to be certified until Feb 28 17:28:24 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
At this point 3 files will have been created:
- Two files in the myssl\certs folder – demoSSL.cer and rootCA.cer
- One file in the myssl\newcerts folder named 01.pem
9. Use the pkiutil utility to import the private key into the OpenEdge key store and the self-signed certificate into the certificate store:
proenv>pkiutil -import demoSSL certs\demoSSL.cer
Importing private key alias demoSSL:
Importing certificate file certs\demoSSL.cer
Enter keystore password to alias demoSSL:
10. Use the certutil utility to import the root certificate into the certificate store:
proenv>certutil -import certs\rootCA.cer
Importing trusted certificate to alias name: 8a2ac75f
The alias name in the example was generated in OpenEdge 10.2A 32-bit. Other OpenEdge versions may generate different aliases.
At this point the SSL creation and signing of certificates is complete.
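The same workflow (steps 2 through 8, plus the trusted-hash file that step 10 produces) carried out with the stock openssl binary on a Unix-like system, as an added example that is not part of this article and not Progress code; sslc is OpenEdge's wrapper around OpenSSL, and pkiutil and certutil are not available outside OpenEdge. Assumptions, all constructed here: the pass phrase; a minimal myssl.cnf written inline rather than derived from pscpki.cnf; a separate key and a distinct subject name ("Demo Root CA") for the root certificate; and that the alias certutil reports is OpenSSL's subject-name hash, which is the shape of the 8a2ac75f.0 filename above. The article reuses demoSSL.pk1 and the same Distinguished Name for both the root and the server certificate, so the two differ only by serial number; a stock OpenSSL verifier treats a certificate whose issuer name equals its own subject as self-signed and will not chain it to the root, which is why the example gives the root its own key and name. The v3_req section also carries the subjectAltName that the SAN note at the end of the article refers to.

```shell
#!/bin/sh
# Added example (not from the article or from Progress): steps 2 through 8 and the
# trusted-hash file of step 10, done with plain openssl instead of sslc/pkiutil/certutil.
# Everything below the comments marked "constructed" or "assumption" is made up for the demo.
set -eu

create_demo_ssl() (
  work="$1"
  pass="demo-passphrase"   # constructed; pkiutil and sslc prompt for this interactively
  server_dn="/C=US/ST=Massachusetts/L=Bedford/O=Progress Software/OU=Technical Support/CN=myserver.bedford.progress.com"
  root_dn="/C=US/ST=Massachusetts/L=Bedford/O=Progress Software/CN=Demo Root CA"   # assumption: article uses server_dn for both

  # Step 2: scratch directories, the serial file containing "01", and the empty CA database.
  mkdir -p "$work/myssl/certs" "$work/myssl/keys" "$work/myssl/newcerts" "$work/myssl/requests"
  cd "$work/myssl"
  printf '01\n' > serial
  : > index.txt

  # Steps 5 and 6: a minimal CA config (assumption: not pscpki.cnf) with dir = . so paths are relative to myssl.
  cat > myssl.cnf <<'EOF'
[ ca ]
default_ca = myssl_ca
[ myssl_ca ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_md      = sha256
policy          = policy_any
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_req ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:myserver.bedford.progress.com
EOF

  # Step 3: 2048-bit encrypted server key (.pk1) and certificate request (.pk10), as pkiutil -newreq does.
  openssl genrsa -aes256 -passout "pass:$pass" -out keys/demoSSL.pk1 2048 2>/dev/null
  openssl req -config myssl.cnf -new -key keys/demoSSL.pk1 -passin "pass:$pass" \
    -subj "$server_dn" -out requests/demoSSL.pk10 2>/dev/null

  # Step 7: self-signed root with its own key and name, so a verifier can tell it apart from the server cert.
  openssl genrsa -aes256 -passout "pass:$pass" -out keys/rootCA.pk1 2048 2>/dev/null
  openssl req -config myssl.cnf -new -x509 -days 1001 -key keys/rootCA.pk1 -passin "pass:$pass" \
    -subj "$root_dn" -extensions v3_ca -out certs/rootCA.cer 2>/dev/null

  # Step 8: sign the request; the serial file advances to 02 and newcerts/01.pem is written.
  openssl ca -config myssl.cnf -batch -cert certs/rootCA.cer -keyfile keys/rootCA.pk1 \
    -passin "pass:$pass" -in requests/demoSSL.pk10 -days 365 -extensions v3_req \
    -out certs/demoSSL.cer >/dev/null

  # Step 10 equivalent: store the trusted root under <subject-hash>.0 (assumption: certutil's alias is this hash).
  alias=$(openssl x509 -noout -subject_hash -in certs/rootCA.cer)
  cp certs/rootCA.cer "certs/$alias.0"

  # Check the chain the way a client with the root in its certificate store would, then report the alias.
  openssl verify -CAfile certs/rootCA.cer certs/demoSSL.cer >/dev/null
  echo "$alias"
)

# Stand-alone run: build everything under a scratch directory (argument or a temp dir) and print the alias.
create_demo_ssl "${1:-$(mktemp -d)}"
```

OpenSSL changed its subject-hash algorithm in version 1.0.0 (the older MD5-based value is still available as -subject_hash_old), so the same root certificate gets a different alias under different OpenSSL builds; that is one reason the alias printed by certutil differs between OpenEdge versions, and why the article says to copy the exact file name produced on your system rather than 8a2ac75f.0.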
To configure WebSpeed or AppServer broker Settings:
1. Open the broker properties on the Progress Explorer and select the SSL page for the broker
2. Check “Enable SSL Client Connections” and select demoSSL from the “Private Key/Digital Certificate Alias Name:” selection list.
3. Enter and confirm the password, and click OK to save the settings.
4. Restart the WebSpeed or AppServer broker
The properties configured by the above steps in ubroker.properties are:
sslEnable=1
keyAlias=demoSSL
keyAliasPasswd=<pass phrase>
To configure WebSpeed Messenger settings:
1. On the CGI messenger properties, select the SSL page and check all of the following check boxes:
- Enable SSL AppServer Connection
- Disable Client Verification of SSL Host Name
- Disable SSL Session Reuse
2. On the ISAPI messenger properties, select the SSL page and check the following check boxes:
- Enable SSL AppServer Connection
- Disable Client Verification of SSL Host Name
The properties configured by the above steps in ubroker.properties are:
noHostVerify=1
sslEnable=1
useConnID=0
noHostVerify=1 (like the -nohostverify client parameter below) turns off the client-side check that the certificate's Server DNS name matches the host being connected to; with that check off, any certificate that chains to a trusted root is accepted for any host name, so enable it only where the certificate's name cannot be made to match the host.
For a distributed WebSpeed configuration, where the WebSpeed Messenger resides on a separate web server machine:
1. Copy the trusted hash formatted certificate (8a2ac75f.0) created in step 10 from %DLC%\certs to the messenger machine's %DLC%\certs folder.
For the remote 4GL/ABL client connecting to the AppServer broker, there are 2 options:
1. Copy the trusted hash formatted certificate (8a2ac75f.0) created in step 10 from %DLC%\certs to each of the ABL client machines' %DLC%\certs folder
OR
2. Copy the trusted hash formatted certificate (8a2ac75f.0) created in step 10 from %DLC%\certs to a central location on the network (non default location) and use the -certstorepath parameter on the client startup to specify the path of the certificate
%DLC%\bin\prowin32 -certstorepath \\<networkPath>\<certificate folder name> -nohostverify
For creating a self-signed SAN certificate, see the article How to create a SSL certificate that includes a SAN.
When signing the certificate, add -extfile pscpki.cnf -extensions v3_req
Note: -extfile points to the modified .cnf file that contains the SAN names.