Notes

Minimizing disruption

Creating the certificate pair has no effect on running processes and can be done on all Discover servers without disruption. Only the import step and its associated service restart affect availability.

Apply the change to HBRs and Canisters one at a time so that the remaining servers keep capturing while each one restarts; enabling them all at once risks data loss. Once TLS has been enabled on every server, confirm that data is still being captured and that components such as DMS and searches work as expected.

Changes to DMS

Once TLS is enabled, the Discover Management Service (DMS) will use the certificate pair to encrypt communication between DMS instances, rather than its own legacy certificate.

DNCA

The DNCA is not affected by enabling TLS for inter-process communication.

However, if the Pipeline connection between the DNCA and the downstream Canisters or HBRs needs to be secured then the DNCA must be upgraded to version 3682-24 or above, and the certificate pair must be copied to the DNCA and imported there. For more information, see "Securing the Pipeline".

Note: In previous versions a certificate pair was generated on the DNCA and then copied to the downstream Windows server to secure the Pipeline. From 12.1.8 onwards the DNCA uses the same certificate pair as the Windows servers, so the pair is created once and copied to the DNCA.

Using a Signed Certificate

Discover can use an X.509 certificate pair issued by your own organization's certificate infrastructure instead of its self-signed certificate. The certificate must have a subject name of "Discover CX" and must be usable by both TLS 1.2 clients and TLS 1.2 servers (the same certificate is presented in both roles). It must be supplied as a single PKCS#12 file containing both the certificate and its private key, and the file must be protected by a password consisting entirely of ASCII characters.

Provided the above requirements are met, the import and enable steps are the same as those described above for the self-signed pair.
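
The following script is an added example, not part of the Discover documentation or product tooling. It builds a PKCS#12 bundle that satisfies the requirements listed above and then checks an existing bundle against them before it is imported. It assumes (the page does not say so explicitly) that "subject name" means the X.509 subject CN, that "suitable for both TLS clients and servers" means the certificate carries both the serverAuth and clientAuth extended key usages, and that OpenSSL is available. The self-signed step stands in for your CA signing the request; the function names, file paths and the working directory are the example's own.

```shell
#!/bin/sh
# Added example: build and verify a "Discover CX" PKCS#12 bundle.
# Assumptions (not from the page): CN = "Discover CX"; EKU serverAuth+clientAuth;
# OpenSSL present. In production, sign the request with your organisation's CA
# instead of the self-signed step in make_pkcs12.
set -eu

WORK="${TMPDIR:-/tmp}/discover-cert-example"   # example working directory
mkdir -p "$WORK"

# Return 0 if the password contains only printable ASCII characters.
# LC_ALL=C makes grep byte-based, so any byte outside 0x20-0x7E fails the check.
is_ascii_password() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]' && return 1
    return 0
}

# Create a certificate with the required subject and key usages and pack it,
# together with its private key, into a single password-protected PKCS#12 file.
make_pkcs12() {
    out="$1"; pass="$2"
    is_ascii_password "$pass" || { echo "password must be ASCII" >&2; return 1; }
    cat > "$WORK/discover.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3
[dn]
CN = Discover CX
[v3]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    # Self-signed here only so the example runs offline; a CA-signed leaf with
    # the same subject and extensions satisfies the same checks below.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/discover.cnf" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -name "Discover CX" -out "$out" -passout "pass:$pass"
}

# Verify a PKCS#12 file against the stated requirements. Prints one line per
# failure and returns non-zero if any check fails.
check_pkcs12() {
    file="$1"; pass="$2"; rc=0
    is_ascii_password "$pass" || { echo "FAIL: password is not pure ASCII"; rc=1; }
    # -nokeys avoids writing the private key anywhere; -clcerts keeps the leaf only.
    if ! cert=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null); then
        echo "FAIL: cannot open PKCS#12 (wrong password or malformed file)"
        return 1
    fi
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
    printf '%s\n' "$text" | grep -q 'Subject:.*CN *= *Discover CX' \
        || { echo "FAIL: subject CN is not 'Discover CX'"; rc=1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: certificate lacks serverAuth EKU"; rc=1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: certificate lacks clientAuth EKU"; rc=1; }
    # The page requires the private key to be in the same file as the certificate.
    openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || { echo "FAIL: bundle contains no private key"; rc=1; }
    return $rc
}

# Demonstration run with a constructed example password.
P12="$WORK/discover.p12"
make_pkcs12 "$P12" 'Example-Passw0rd'
check_pkcs12 "$P12" 'Example-Passw0rd' && echo "bundle meets the stated requirements"
```

Run check_pkcs12 against the file your PKI team hands you before copying it to the servers; a failed clientAuth check is the usual surprise, because many CA templates issue server-only certificates.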

Enabling support for TLS 1.0 and/or TLS 1.1

By default, all inter-process communication and Pipeline security in 12.1.8 uses TLS 1.2. If a legacy peer requires TLS 1.0 or TLS 1.1, this can be configured, but note that both protocols are formally deprecated (RFC 8996) and have known weaknesses, so treat the downgrade as a temporary measure and revert to TLS 1.2 once the legacy peer is upgraded.

DNCA

On the DNCA, to force secure delivery downstream to the HBRs or Canisters to use a specific TLS version, add the following entry to the <Delivery> section of ctc-conf.xml:

<TLSVersion>0</TLSVersion>

This option is hidden (not present in the file) and defaults to 2, meaning TLS 1.2. A value of 0 selects TLS 1.0 and 1 selects TLS 1.1. The version chosen must match the version configured on the downstream delivery peer, otherwise the TLS handshake fails and delivery stops. To return to the default, remove the element or set it back to 2.