Configure SSL Connections between Components

To configure SuperSTAR to use SSL for CORBA connections between components, you will need:

  • An SSL keystore (which must be an RSA keystore, not DSA) for use by SuperADMIN and SuperWEB2.

  • Key and certificate files for use by SuperSERVER and (if applicable) Metadata Server.

Install the keystore in a location that is accessible to SuperADMIN and SuperWEB2, and install the key and certificate files in a location that is accessible to SuperSERVER/Metadata Server.

Self-signed certificates can be used, and the certificates do not need to be installed in the system truststore.

Once you have created the required keys, follow the steps below for all the components that apply to your system. The configuration adjustments described below do the following:

  • Instruct the components to use SSL for connections.

  • Set the locations of the keystores and key/certificate files.

When you have finished applying all of the configuration adjustments, restart all components to apply the changes.

The steps below use port 9430 as the SSL CORBA port. This is the suggested port for SSL connections but you can use a different port if you wish. You will need to make sure that you set the same port value for all components.

SuperADMIN

jacorb.properties

To configure the SuperADMIN server, locate and edit the following settings in its jacorb.properties file (located in C:\ProgramData\STR\SuperADMIN\server\config\etc by default):

  1. Set jacorb.security.support_ssl to on:

    jacorb.security.support_ssl=on
  2. Set OASSLPort to port 9430. This setting is commented out by default, so you will also need to remove the # at the start to uncomment it:

    OASSLPort=9430
  3. Set the location of the keystore on your system and its password. You must use forward slashes / in the paths. Backslashes \ are not supported.

    For example:

    jacorb.security.keystore=C:/certs/keystore
    jacorb.security.keystore_password=changeme
  4. Set trustees_from_ks to on to allow the use of the certificates in the keystore without having to install them in the system truststore:

    jacorb.security.jsse.trustees_from_ks=on
  5. Set supported_options to 20 for both the server and clients to configure them to use SSL:

    jacorb.security.ssl.client.supported_options=20
    jacorb.security.ssl.server.supported_options=20

SuperSERVER

network.properties

Create a file called network.properties (if it does not already exist) in the SuperSERVER data directory (C:\ProgramData\STR\SuperSERVER SA by default). This file is not part of the default SuperSERVER deployment, but you may have already created one if you have configured other SuperSERVER network settings.

Add the following settings to the network.properties file:

ssl=true
ssl-key=<path_to_key_file>
ssl-cert=<path_to_cert_file>

Replace the two paths with the relevant locations of those files on your system. You must use forward slashes / in the paths. Backslashes \ are not permitted. For example:

ssl=true
ssl-key=C:/certs/ss.key
ssl-cert=C:/certs/ss.crt

tablemanager.config.xml

Open tablemanager.config.xml in a text editor. This file is located in C:\ProgramData\STR\SuperSERVER SA by default. Add the following settings inside <KEY name="TableManager"> … </KEY>:

	<KEY name="SuperAdminConnection">
		<STRING name="HostName">localhost</STRING>
		<NUMBER name="Port" value="9430" />
		<BOOL name="UseSSL" value="true" />
	</KEY>

Change localhost to the appropriate host name for SuperADMIN, if it is not running at localhost on the same machine as SuperSERVER.

Production System

These steps are only required if you are using Production System.

sa2ps.config.xml

Open sa2ps.config.xml in a text editor. This file is located in C:\ProgramData\STR\SuperSERVER SA by default. Locate the following setting:

<NUMBER name="Port" value="9230" />

Change the port value to 9430 and add the UseSSL setting below it:

<NUMBER name="Port" value="9430" />
<BOOL name="UseSSL" value="true" />

Metadata Server

These steps are only required if you are using Metadata Server.

metadata.config.xml

Open metadata.config.xml in a text editor. This file is located in C:\ProgramData\STR\SuperSERVER SA by default. Locate the following setting:

<NUMBER name="SA_PORT" value="9230"/> <!-- SuperADMIN port number machine -->

Change the port value to 9430 and add the UseSSL setting below it:

<NUMBER name="SA_PORT" value="9430"/> <!-- SuperADMIN port number machine -->
<BOOL name="UseSSL" value="true" />

mdserver_network.properties

Create a file called mdserver_network.properties (if it does not already exist) in the SuperSERVER data directory (C:\ProgramData\STR\SuperSERVER SA by default). This file is not part of the default Metadata Server deployment, but you may have already created one if you have configured other Metadata Server network settings.

Add the following settings to the mdserver_network.properties file:

ssl=true
ssl-key=<path_to_key_file>
ssl-cert=<path_to_cert_file>

Replace the two paths with the relevant locations of those files on your system. You must use forward slashes / in the paths. Backslashes \ are not permitted. For example:

ssl=true
ssl-key=C:/certs/ss.key
ssl-cert=C:/certs/ss.crt

SuperCROSS

When setting up new connections in SuperCROSS, users can select the UseSSL check box and set the port to 9430 to ensure that the connection is encrypted:

[Figure: SuperCROSS Add SuperADMIN connection dialog showing Use SSL check box]

You can update existing connections to use SSL by editing ssii.ini in a text editor (located in C:\ProgramData\STR\SuperCROSS\Catalogue by default).

Locate the [SuperAdminServers] section:

[SuperAdminServers]
SuperSTAR Database Server=inet:localhost:9230

Add ssl: to the start of the address, and change the port number to 9430. For example:

[SuperAdminServers]
SuperSTAR Database Server=ssl:inet:localhost:9430
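
The SuperADMIN, SuperSERVER and SuperCROSS settings above only work together if the SSL port SuperADMIN listens on is the one each client points at. The following Python check is an added example, not part of the SuperSTAR product or its documentation: it lints the contents of SuperADMIN's jacorb.properties against tablemanager.config.xml and ssii.ini. The function names and sample file contents are constructed for illustration, and the ssii.ini pattern assumes only the two address forms shown on this page.

```python
import re
import xml.etree.ElementTree as ET

def props(text):
    """Parse key=value lines; '#' lines (e.g. the default '#OASSLPort=...') are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check(jacorb, tablemanager, ssii):
    """Lint the three files' contents (passed as strings); return a list of problems."""
    problems, ports, j = [], {}, props(jacorb)
    for key, value in {"jacorb.security.support_ssl": "on",
                       "jacorb.security.jsse.trustees_from_ks": "on",
                       "jacorb.security.ssl.client.supported_options": "20",
                       "jacorb.security.ssl.server.supported_options": "20"}.items():
        if j.get(key) != value:
            problems.append(f"jacorb.properties: {key} must be {value}")
    if "OASSLPort" in j:
        ports["jacorb.properties"] = j["OASSLPort"]
    else:
        problems.append("jacorb.properties: OASSLPort missing or commented out")
    if "\\" in j.get("jacorb.security.keystore", "\\"):  # absent counts as a problem
        problems.append("jacorb.properties: keystore path missing or uses a backslash")
    conn = ET.fromstring(tablemanager).find(".//KEY[@name='SuperAdminConnection']")
    attrs = {e.get("name"): e.get("value") for e in (conn if conn is not None else [])}
    if attrs.get("UseSSL") != "true":
        problems.append("tablemanager.config.xml: UseSSL must be true")
    if "Port" in attrs:
        ports["tablemanager.config.xml"] = attrs["Port"]
    # Only the two address forms shown on the page: inet:host:port, ssl:inet:host:port
    for m in re.finditer(r"^(.+?)=(ssl:)?inet:[^:\s]+:(\d+)\s*$", ssii, re.M):
        if not m.group(2):
            problems.append(f"ssii.ini: '{m.group(1)}' lacks the ssl: prefix")
        ports["ssii.ini: " + m.group(1)] = m.group(3)
    if len(set(ports.values())) > 1:
        problems.append(f"port mismatch between components: {ports}")
    return problems

# Constructed sample file contents (not from a real deployment), with deliberate mistakes
JACORB = ("jacorb.security.support_ssl=on\n#OASSLPort=9430\n"
          "jacorb.security.keystore=C:\\certs\\keystore\n"
          "jacorb.security.jsse.trustees_from_ks=on\n"
          "jacorb.security.ssl.client.supported_options=20\n"
          "jacorb.security.ssl.server.supported_options=20\n")
TABLEMANAGER = ('<KEY name="TableManager"><KEY name="SuperAdminConnection">'
                '<STRING name="HostName">localhost</STRING><NUMBER name="Port" value="9430" />'
                '<BOOL name="UseSSL" value="true" /></KEY></KEY>')
SSII = "[SuperAdminServers]\nSuperSTAR Database Server=inet:localhost:9230\n"
print("\n".join(check(JACORB, TABLEMANAGER, SSII)))
```

Run against the sample, it reports the commented-out OASSLPort, the backslash keystore path, the SuperCROSS entry without the ssl: prefix, and the resulting port mismatch.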

SuperWEB2, Open Data API and Job Queue Manager

jacorb.properties

For all of these clients, you need to edit the settings in the jacorb.properties file (located in <tomcat_home>/webapps/<client>/WEB-INF/classes). Each client has its own copy of this file, so you must apply the changes to each client that is in use in your deployment.

jacorb.security.support_ssl

Set this to on:

jacorb.security.support_ssl=on

Keystore Settings

Set the location of the keystore on your system and its password. You must use forward slashes / in the paths. Backslashes \ are not supported.

For example:

jacorb.security.keystore=C:/certs/keystore
jacorb.security.keystore_password=changeme

trustees_from_ks

Set this to on to allow the use of the certificates in the keystore without having to install them in the system truststore:

jacorb.security.jsse.trustees_from_ks=on

supported_options

Set the following value to configure the clients to use SSL:

jacorb.security.ssl.client.supported_options=20