Authentication and Encryption

A managed set of public key certificates that are issued by a certificate authority is required to enable TLS communications.

Use a key management tool such as OpenSSL to manage the certificates that you need to configure TLS connections. Root certificates are stored in a key store and secured by a password. Before you can configure a secure TLS connection with a network server, you must obtain and install the root signer certificate for the server's public key certificate. The process for obtaining the root certificate depends on the type of certificate that the network server uses. The following list includes some possible scenarios:
  • The network server with which you are communicating has a certificate that is issued by a well-known certificate authority. The root signer certificates for some well-known CAs might be included in the default key store. However, the default key store is provided as a sample only and the certificates that it contains are included for testing purposes. In a production environment, it is best to create a new key store and then populate it with the CA root certificates that you need. You must request the certificate from the CA and then add it to your key store.
  • The network server with which you are communicating has a certificate that is issued by an unknown certificate authority. In this case, create and submit a certificate request. After you receive the root certificate, add it to the key store. Use a key store that you create, rather than the default key store that is provided.
  • The network server with which you are communicating has a self-signed certificate that was created by and for that network server. In this case, create a personal certificate request and add a root certificate to the key store.

Whichever scenario applies, track the expiration dates of all certificates so that operation remains consistent. Before a certificate expires, obtain a replacement certificate so that secure connectivity is not disrupted.
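The three key-store scenarios above and the expiry tracking they all need, as an added example that is not part of this documentation or of SafeLinx: it builds a constructed root signer, a server certificate issued by it and a self-signed server certificate, then checks each against a key store and reports the days left before expiry. All names (newCert, checkServerCert, the example.test hostnames) are assumptions for the example; the key store is Go's x509.CertPool standing in for the password-protected store OpenSSL would manage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math"
	"math/big"
	"time"
)

// newCert issues a certificate for cn valid for days: self-signed when parent is nil, else
// signed by parent with parentKey. Constructed test material, not a CA's or OpenSSL's output.
func newCert(cn string, isCA bool, days int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a root signer must be allowed to sign certificates
	} else {
		tmpl.DNSNames = []string{cn} // the hostname the server certificate is checked against
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkServerCert verifies cert for host against the root signers in keyStore and reports the
// whole days left before it expires (negative once expired): the number to track for renewal.
func checkServerCert(keyStore *x509.CertPool, cert *x509.Certificate, host string) (trusted bool, daysLeft int, err error) {
	daysLeft = int(math.Ceil(time.Until(cert.NotAfter).Hours() / 24))
	_, err = cert.Verify(x509.VerifyOptions{Roots: keyStore, DNSName: host})
	return err == nil, daysLeft, err
}
```

A self-signed server certificate only verifies after the certificate itself has been added to the key store, which is the root certificate the third scenario refers to.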

For HTTP access services, the SafeLinx Server can be set to automatically trust a secured connection to a specified application server, for example, a Domino® or Sametime® server. If you set up the SafeLinx Server to accept untrusted certificates, you do not have to install a trusted root signer certificate in the key store that the SafeLinx Server uses to secure the connection. For more information, see Adding HTTP access services.