Configuring the Adapter for Communication through Secure Sockets Layer

You can configure the Replication Server adapter to communicate with Replication Server over a secure connection using Secure Sockets Layer (SSL). To use SSL on the ESP server, the Java Development Kit (JDK) must be version 8 or higher.

Procedure

  1. Provide a keystore with the key or certificate to be used during the SSL handshake. You can use a self-signed certificate or obtain one from a certification authority (CA).
    The JRE provides a keytool executable you can use to create a keystore containing a self-signed certificate. To use this tool, execute:
     keytool -genkey -keyalg RSA -alias <keystore_alias> -keystore <keystore_path>\keystore.jks -storepass <keystore password> -validity 360 -keysize 2048

    The values and requirements for the command parameters depend on the tool you use to generate the keystore; there are no ESP-specific requirements for these values. In the current example, the keystore location can use an absolute or relative path. The validity period is user-defined and expressed in number of days.

    Ensure that the first and last name field of the key or certificate matches the name of the adapter connection definition in the RepServer sql.ini file. For example, if the adapter connection definition is ESP_RSAdapter, then the first and last name field for the key or certificate should be ESP_RSAdapter.

    All other values, except for the key password, are optional.

  2. Export the certificate from the keystore in RFC format into a file named trusted.txt. If you are using the JRE keytool executable, execute:
     keytool -exportcert -alias <keystore alias> -keystore <path to keystore.jks> -storepass <keystore password> -file <path to trusted.txt> -rfc
  3. Place the trusted.txt file inside the SQL directory of your Replication Server installation. Replication Server looks in this file for trusted certificates during the SSL handshake.
  4. In the RepServer sql.ini interface file, modify the adapter connection entry by adding ",ssl" to the end. For example:
     [espadapter]
     master=TCP,<hostname>,<port>,ssl
     query=TCP,<hostname>,<port>,ssl

  5. When configuring the adapter:
    1. Set the keystore parameter to point to the keystore file created in step 1. Specify a path relative to the working directory of the application (that is, the <base-directory> property under <ApplicationTypes> in the cluster configuration file), or make the path absolute.
    2. Set the keystore password parameter to the password you set for the keystore you created in step 1.
    3. Specify the port in the TDS SSL port parameter to match the port in the RepServer sql.ini file adapter connection entry.

    Setting the TDS SSL port parameter to a value greater than zero enables SSL communication between the adapter and Replication Server. The regular TDS port parameter is still required, because the adapter uses that port for internal communication. Therefore, when SSL communication is enabled, the adapter uses two ports.

    When you have configured SSL communication between the adapter and Replication Server, you can use SSL communication against ESP projects running in a cluster with SSL turned on by specifying the project URI adapter property with "esps://". This will achieve end-to-end SSL communication from Replication Server to the adapter to the ESP Server.
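
A consistency check for steps 1, 4 and 5, as an added example that is not part of the original documentation: it parses sql.ini text and reports an adapter entry whose name differs from the certificate's first and last name field, whose master or query line lacks the trailing ",ssl", or whose port differs from the TDS SSL port. The sample file content, host name, ports and function names are constructed for illustration, and treating ";" as a comment marker is an assumption.

```python
import re

# Constructed sample sql.ini content (host name and ports are made up).
SAMPLE_SQL_INI = """\
[ESP_RSAdapter]
master=TCP,esphost.example,19443,ssl
query=TCP,esphost.example,19443,ssl

[legacy_adapter]
master=TCP,esphost.example,19444,ssl
query=TCP,esphost.example,19444
"""

def parse_sql_ini(text):
    """Return {entry_name: {"master": [fields], "query": [fields]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # assumed comment marker
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = entries.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = [f.strip() for f in value.split(",")]
    return entries

def check_entry(entries, name, cert_cn, tds_ssl_port):
    """List the problems that would break the SSL setup for one entry."""
    if name not in entries:
        return [f"no [{name}] entry in sql.ini"]
    problems = []
    if cert_cn != name:  # step 1: certificate name must match the entry name
        problems.append(f"certificate name {cert_cn!r} does not match {name!r}")
    for key in ("master", "query"):
        fields = entries[name].get(key)
        if fields is None:
            problems.append(f"{key} line is missing")
            continue
        if fields[-1].lower() != "ssl":  # step 4: both lines end with ",ssl"
            problems.append(f"{key} line does not end with ',ssl'")
        if len(fields) < 3 or fields[2] != str(tds_ssl_port):  # step 5.3
            problems.append(f"{key} port does not match TDS SSL port {tds_ssl_port}")
    return problems

if __name__ == "__main__":
    ini = parse_sql_ini(SAMPLE_SQL_INI)
    for entry, port in (("ESP_RSAdapter", 19443), ("legacy_adapter", 19444)):
        print(entry, check_entry(ini, entry, "ESP_RSAdapter", port) or "OK")
```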