Configure SSL Connections between Components
To configure SuperSTAR to use SSL for CORBA connections between components, you will need:
An SSL keystore (which must be an RSA keystore, not DSA) for use by SuperADMIN and SuperWEB2.
Key and certificate files for use by SuperSERVER and (if applicable) Metadata Server.
Install the keystore in a location that is accessible to SuperADMIN and SuperWEB2, and install the key and certificate files in a location that is accessible to SuperSERVER/Metadata Server.
Self-signed certificates can be used, and the certificates do not need to be installed in the system truststore.
Once you have created the required keys, follow the steps below for all the components that apply to your system. The configuration adjustments described below do the following:
Instruct the components to use SSL for connections.
Set the locations of the keystores and key/certificate files.
When you have finished applying all of the configuration adjustments, restart all components to apply the changes.
The steps below use port 9430 as the SSL CORBA port. This is the suggested port for SSL connections but you can use a different port if you wish. You will need to make sure that you set the same port value for all components.
SuperADMIN
jacorb.properties
To configure SuperADMIN server, you need to locate and edit the following settings in its jacorb.properties file (located in C:\ProgramData\STR\SuperADMIN\server\config\etc by default):
Set jacorb.security.support_ssl to on:
jacorb.security.support_ssl=on
Set OASSLPort to port 9430. This setting is commented out by default, so you will also need to remove the # at the start to uncomment it:
OASSLPort=9430
Set the location of the keystore on your system and its password. You must use forward slashes / in the paths. Backslashes \ are not supported. For example:
jacorb.security.keystore=C:/certs/keystore
jacorb.security.keystore_password=changeme
Set trustees_from_ks to on to allow the use of the certificates in the keystore without having to install them in the system truststore:
jacorb.security.jsse.trustees_from_ks=on
Set supported_options to 20 for both the server and clients to configure them to use SSL:
jacorb.security.ssl.client.supported_options=20
jacorb.security.ssl.server.supported_options=20
SuperSERVER
network.properties
Create a file called network.properties (if it does not already exist) in the SuperSERVER data directory (C:\ProgramData\STR\SuperSERVER SA by default). This file is not part of the default SuperSERVER deployment, but you may have already created one if you have configured other SuperSERVER network settings.
Add the following settings to the network.properties file:
ssl=true
ssl-key=<path_to_key_file>
ssl-cert=<path_to_cert_file>
Replace the two paths with the relevant locations of those files on your system. You must use forward slashes / in the paths. Backslashes \ are not permitted. For example:
ssl=true
ssl-key=C:/certs/ss.key
ssl-cert=C:/certs/ss.crt
tablemanager.config.xml
Open tablemanager.config.xml in a text editor. This file is located in C:\ProgramData\STR\SuperSERVER SA by default. Add the following settings inside <KEY name="TableManager"> … </KEY>:
<KEY name="SuperAdminConnection">
<STRING name="HostName">localhost</STRING>
<NUMBER name="Port" value="9430" />
<BOOL name="UseSSL" value="true" />
</KEY>
Change localhost to the appropriate host name for SuperADMIN, if it is not running at localhost on the same machine as SuperSERVER.
Production System
These steps are only required if you are using Production System.
sa2ps.config.xml
Open sa2ps.config.xml in a text editor. This file is located in C:\ProgramData\STR\SuperSERVER SA by default. Locate the following setting:
<NUMBER name="Port" value="9230" />
Change the port value to 9430 and add the UseSSL setting below it:
<NUMBER name="Port" value="9430" />
<BOOL name="UseSSL" value="true" />
Metadata Server
These steps are only required if you are using Metadata Server.
metadata.config.xml
Open metadata.config.xml in a text editor. This file is located in C:\ProgramData\STR\SuperSERVER SA by default. Locate the following setting:
<NUMBER name="SA_PORT" value="9230"/> <!-- SuperADMIN port number machine -->
Change the port value to 9430 and add the UseSSL setting below it:
<NUMBER name="SA_PORT" value="9430"/> <!-- SuperADMIN port number machine -->
<BOOL name="UseSSL" value="true" />
mdserver_network.properties
Create a file called mdserver_network.properties (if it does not already exist) in the SuperSERVER data directory (C:\ProgramData\STR\SuperSERVER SA by default). This file is not part of the default Metadata Server deployment, but you may have already created one if you have configured other Metadata Server network settings.
Add the following settings to the mdserver_network.properties file:
ssl=true
ssl-key=<path_to_key_file>
ssl-cert=<path_to_cert_file>
Replace the two paths with the relevant locations of those files on your system. You must use forward slashes / in the paths. Backslashes \ are not permitted. For example:
ssl=true
ssl-key=C:/certs/ss.key
ssl-cert=C:/certs/ss.crt
SuperCROSS
When setting up new connections in SuperCROSS, users can select the UseSSL check box in SuperCROSS, and set the port to 9430, to ensure that it uses an encrypted connection.
For existing connections, you can update them to use SSL by opening ssii.ini in a text editor (located in C:\ProgramData\STR\SuperCROSS\Catalogue by default).
Locate the [SuperAdminServers] section:
[SuperAdminServers]
SuperSTAR Database Server=inet:localhost:9230
Add ssl: to the start of the address, and change the port number to 9430. For example:
[SuperAdminServers]
SuperSTAR Database Server=ssl:inet:localhost:9430
SuperWEB2, Open Data API and Job Queue Manager
jacorb.properties
For all of these clients, you need to edit the settings in the jacorb.properties file (located in <tomcat_home>/webapps/<client>/WEB-INF/classes). Each client has its own copy of this file, so you will need to make sure you apply the changes individually for each one that is in use on your deployment.
jacorb.security.support_ssl
Set this to on:
jacorb.security.support_ssl=on
Keystore Settings
Set the location of the keystore on your system and its password. You must use forward slashes / in the paths. Backslashes \ are not supported. For example:
jacorb.security.keystore=C:/certs/keystore
jacorb.security.keystore_password=changeme
trustees_from_ks
Set this to on to allow the use of the certificates in the keystore without having to install them in the system truststore:
jacorb.security.jsse.trustees_from_ks=on
supported_options
Set the following value to configure the clients to use SSL:
jacorb.security.ssl.client.supported_options=20
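Because the same port, SSL flags and path rules have to be applied by hand in several files, a pre-restart check is useful. The script below is an added example, not part of the SuperSTAR product or its documentation: it checks the jacorb.properties and network.properties settings listed on this page and also flags a keystore password left at the example value. The function names, the simple key=value parser and the sample file contents are assumptions constructed for illustration.

```python
SSL_PORT = "9430"  # port suggested on this page; must match on every component

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comment lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def bad_path(value):  # missing, still a <placeholder>, or written with backslashes
    return not value or value.startswith("<") or "\\" in value

def check_jacorb(text, server=False, port=SSL_PORT):
    """Findings for one jacorb.properties file (server=True for SuperADMIN)."""
    p = parse_properties(text)
    want = {"jacorb.security.support_ssl": "on",
            "jacorb.security.jsse.trustees_from_ks": "on",
            "jacorb.security.ssl.client.supported_options": "20"}
    if server:
        want.update({"jacorb.security.ssl.server.supported_options": "20", "OASSLPort": port})
    findings = [f"{k}: expected {v}, found {p.get(k)}"
                for k, v in want.items() if p.get(k) != v]
    if bad_path(p.get("jacorb.security.keystore")):
        findings.append("jacorb.security.keystore: missing or uses backslashes")
    if p.get("jacorb.security.keystore_password") in (None, "", "changeme"):
        findings.append("jacorb.security.keystore_password: unset or example value")
    return findings

def check_network(text):
    """Findings for network.properties or mdserver_network.properties."""
    p = parse_properties(text)
    findings = [] if p.get("ssl") == "true" else ["ssl: expected true"]
    findings += [f"{k}: missing, placeholder or uses backslashes"
                 for k in ("ssl-key", "ssl-cert") if bad_path(p.get(k))]
    return findings

# Constructed sample: OASSLPort left commented out, example password kept.
SAMPLE_JACORB = """jacorb.security.support_ssl=on
#OASSLPort=9430
jacorb.security.keystore=C:/certs/keystore
jacorb.security.keystore_password=changeme
jacorb.security.jsse.trustees_from_ks=on
jacorb.security.ssl.client.supported_options=20
jacorb.security.ssl.server.supported_options=20"""
# Constructed sample: key path written with backslashes.
SAMPLE_NETWORK = "ssl=true\nssl-key=C:\\certs\\ss.key\nssl-cert=C:/certs/ss.crt"
print(check_jacorb(SAMPLE_JACORB, server=True) + check_network(SAMPLE_NETWORK))
```

To use it on a real deployment, read each component's file with open(path).read() and pass the text to the matching function; an empty list means the settings shown on this page are all present.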