7 Things You Need to Know about the U2 Root Certificate Store (U2RCS)

What’s U2RCS?

U2RCS is a trusted store provided by Rocket that makes the life of a UniVerse or UniData application developer or administrator much easier and provides a greater level of confidence that your data in transit is protected. The U2 Root Certificate Store (U2RCS) is a container which includes a set of the most popular public Certificate Authority (CA) certificates used on the web, very much like the trusted root certificate store on Windows or the trust store for Java applications. We create and update it for each new U2 server release. Its content is encrypted to protect its integrity. In addition, you can add a password to protect it from unauthorized changes.

We collect the certificates in the U2RCS from a reliable public source that maintains a well-chosen collection of public CA certificates. We update the collection periodically to add new CA certificates and remove expired or revoked ones.

The file name of U2RCS is .u2rcs and is installed under $UVHOME or $UDTHOME/sys during UniVerse or UniData server installation. For U2 client installation, the file is under C:\U2\UniDK by default.

Why do I need U2RCS?

Modern day applications rely on SSL to protect the security of data in transit. SSL depends on digital certificates for authentication. An SSL client must be able to validate the server’s certificate that is sent from the server during the SSL session negotiation. To perform the validation, the client must have access to the root certificate (also known as CA certificate), as well as all intermediate certificates that are used to issue the server’s certificate. According to the data collected by the Rocket U2 Support Team, it is this requirement that causes most of the user support requests, as far as U2 SSL features are concerned.

Prior to U2RCS, as a user of U2 SSL features such as secure sockets or secure HTTP, you were required to painstakingly obtain physical copies of the root (CA) certificates you might have needed to validate against all servers you connect to, and specify them in a Security Context Record (SCR). If the server was not controlled by you, it was hard to know in advance what root certificates you must have. The servers could change to use a new certificate issued by a different CA, making it difficult to create, debug, maintain or reuse your secure communication modules.

The above description also applies if you needed to enable SSL for certain UCI-based clients, such as ODBC or OLEDB. You had to create an SSL Property List (SPL) in which CA certificates are similarly required. You would face the same difficulties as you set up SSL for UniVerse and UniData servers.

In most cases, the U2RCS already contains the public CA certificates your application needs to access third-party servers. So, with U2RCS you are freed from having to find out exactly which CA certificate need and getting a physical copy, keeping it on your system and specifying it when you create the SCR/SPL for your application to use.

You can augment the U2RCS by adding your own special CA certificate (public or private) to the store. You can also create your own version of U2RCS to contain just the certificates needed by your application.

What do I need to do to use U2RCS?

Nothing! You just leave the CA Certificate property of your SCR/SPL unspecified. Then when your application starts an SSL connection, UniVerse and UniData will automatically load the contents of U2RCS and find out the required CA certificates for you.

You can override this default behavior by specifying your own CA certificates for the SCR/SPL (as you did prior to having U2RCS). Then UniVerse or UniData will not consult U2RCS during SSL processing.

What UniVerse and UniData versions have U2RCS available?

You may already have it. U2RCS has been available since UniVerse 11.2 and UniData 8.1.

How do I manage U2RCS?

What if the default U2RCS does not contain the CA certificates I need? This could happen if you are using your own self-signed certificates in a closed environment or if the server you must connect to is using a certificate issued by a less well-known public CA. In these cases, you can easily add (import) the required CA certificates into U2RCS.

The tool you use to manage U2RCS is called rcsman. It is a utility that requires superuser (or uvadm for UniVerse) privileges to run. U2RCS is a vital component in your overall security infrastructure so you need to protect it. If you allow an illegal or otherwise forged CA certificate into the U2RCS, your application may be tricked into connecting to illicit servers.

Rcsman has options for you to import, delete or query certificates. When importing certificates, you have the liberty of using PEM, DER or PKCS12 format sources. You can also export certificates from the U2RCS.

You may want to enhance the security of U2RCS by adding a password to it. You do this by running rcsman with the changepass option. After adding the password, U2RCS cannot be modified unless you provide the correct password. Note that you do not need to provide the password when your application loads the content of U2RCS when establishing an SSL connection.

Can I create my own U2RCS?

Absolutely. If you do want to have a U2RCS that contains only CA certificates useful to you, it is easy and it may give you a little better performance.

Before you create your own U2RCS, we recommend that you back up the system-shipped U2RCS file .u2rcs. You can then remove it or rename it to something else on the system. You must have your own copy of CA certificates ready. Then by running rcsman with the import option, a new U2RCS containing your specified CA certificate will be created. You can then import more CA certificates into it if you want, making it your own copy of U2RCS.

What will happen to my version of U2RCS when I upgrade to a new release?

Rest assured, your unique U2RCS will be kept intact during an upgrade, whether you added or deleted a few certificates from U2RCS or re-created it completely from scratch, the upgrade process will detect the change and leave it untouched. You will be notified of the fact and you can manually update it by running the updatercs script shipped with the release.

Summary

U2RCS is a trusted store provided by Rocket which may make your life easier as a UniVerse or UniData application developer or administrator as it relates to security.

For more information regarding U2RCS, you can reach Rocket MV Support by visiting the Rocket Customer Portal, or read a more detailed description in Chapter 1 of either the Rocket UniVerse Security Features manual or the Rocket UniData Security Features manual online at http://www.rocketsoftware.com/products/rocket-u2/documentation.

Jing Cui

Jing Cui 5 Posts

I have been a member of the Rocket MV product development team for over 25 years. Most recently my focus has been on enhancing the database server's security offerings, including SSL, data encryption and audit logging. I have been closely following the ever-changing security landscape of the industry and am committed to bringing new security features into our Rocket MV product families.

0 Comments

Leave a Comment

Your email address will not be published. Required fields are marked *