SSL in IBM EMM

Many HCL® application components can act as both server and client during normal operations, and some HCL components are written in Java™ and some in C++. These facts determine the format of the certificates you use. You specify the format when you create a self-signed certificate or purchase one from a CA.

Remember, HCL applications do not require a truststore when they act as a client making one-way SSL requests to an HCL server component.

Java component acting as a server

For HCL applications written in Java, using the JSSE SSL implementation, and deployed on an application server, you must configure the application server to use your certificate. The certificate must be stored in JKS format.

Application servers provide default certificates, which require no additional configuration. The application server default certificate is used when you simply enable an SSL port in the application server and do not perform any additional configuration in the application server.

If you use a certificate other than the default certificate supplied by the application server, additional configuration in your web application server is required.

C++ component acting as a server

The Campaign listener and Contact Optimization server component are written in C++, and require a certificate stored in PEM format.

Java component acting as a client

For HCL applications written in Java and deployed on an application server, no truststore is needed. For ease of configuration, HCL Java applications acting as a client do not authenticate the server during one-way SSL communications, so the server's certificate is not checked against a truststore. However, encryption does take place.

C/C++ components acting as a client

For applications written in C/C++ and using the OpenSSL implementation, no truststore is needed. The Campaign listener, Contact Optimization server component, and NetInsight fall into this category.

How many certificates?

Ideally, you should use a different certificate for every machine that hosts an HCL component acting as a server.

If you do not want to use multiple certificates, you can use the same certificate for all the HCL components acting as servers, provided it is in the correct format (that is, JKS for Java components and PEM for C++ components). If you use one certificate for all applications, when users access HCL applications for the first time, the browser asks whether they want to accept the certificate.

Examples in this chapter show you how to create self-signed certificate files for use with Java and C++ HCL components.
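To confirm that a certificate file is in the format its component requires (JKS for Java, PEM for C++), the following added example, which is not part of the HCL documentation, classifies a file by its leading bytes. The function names are hypothetical, the sample bytes are constructed, and the check relies on the standard JKS header layout (magic `0xFEEDFEED`, version, entry count).

```python
import re
import struct

# Required on-disk format per component type, as stated on this page.
REQUIRED_FORMAT = {"java": "JKS", "cpp": "PEM"}

JKS_MAGIC = 0xFEEDFEED    # JKS keystore header magic
JCEKS_MAGIC = 0xCECECECE  # JCEKS keystore (a different format, not JKS)
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def identify(data: bytes) -> dict:
    """Classify certificate/keystore bytes by their leading structure."""
    if len(data) >= 12:
        # Keystore header: 4-byte magic, 4-byte version, 4-byte entry count.
        magic, version, count = struct.unpack(">IIi", data[:12])
        if magic == JKS_MAGIC:
            return {"format": "JKS", "version": version, "entries": count}
        if magic == JCEKS_MAGIC:
            return {"format": "JCEKS", "version": version, "entries": count}
    labels = [m.decode("ascii") for m in PEM_BLOCK.findall(data)]
    if labels:
        return {"format": "PEM", "blocks": labels}
    if data[:1] == b"\x30":
        # ASN.1 SEQUENCE: a binary DER certificate or a PKCS#12 file.
        return {"format": "DER_OR_PKCS12"}
    return {"format": "UNKNOWN"}


def check(component: str, data: bytes) -> tuple:
    """Return (ok, message) for a certificate file destined for a component."""
    required = REQUIRED_FORMAT[component]
    found = identify(data)
    ok = found["format"] == required
    return ok, f"{component}: need {required}, found {found['format']}"


# Constructed samples: a bare 12-byte JKS header (version 2, 1 entry) and a
# PEM file with placeholder bodies. Neither contains a real key.
SAMPLE_JKS = struct.pack(">IIi", JKS_MAGIC, 2, 1)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
              b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for comp, blob in [("java", SAMPLE_JKS), ("cpp", SAMPLE_PEM),
                       ("cpp", SAMPLE_JKS), ("java", SAMPLE_PEM)]:
        print(check(comp, blob))
```

On a real deployment, pass the bytes read from the certificate file in place of the constructed samples.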