SSL / TLS and the Certificate Management Tool (CMT)

When the SSL protocol was standardized by the IETF, it was renamed Transport Layer Security (TLS). Many people use the names TLS and SSL interchangeably, but technically they are different: each name refers to a different version of the protocol.

The same certificates can of course be used with both the SSL and TLS protocols; "SSL certificate" is simply the more familiar name. This blog post uses both terms.

By far the most widely deployed security protocol used on the Web, the TLS protocol provides a secure channel between two communicating programs over which application data can be sent securely. Published Web services are accessed through the Web using the HTTP protocol. When using TLS, these Web services are accessed using HTTPS.

TLS encapsulates application-level protocols. For example, HTTP and Telnet hand their data to the TLS higher layer, and the TLS Record Layer in turn passes the protected records down to the Transport Layer (TCP/IP).

What is the Certificate Management Tool (CMT)?
The Certificate Management Tool is a multi-use program for SSL certificate creation, conversion, and editing. It can convert certificates to and from a variety of file formats, and it offers options that let you quickly edit and search within a certificate without altering its validity. You can also use the CMT to test certificates. The CMT is independent of UniData and UniVerse (specifically, of the U2 Extensible Admin tool); however, its outputs can be used by UniData and UniVerse. The outputs can also be used by D3, but this post focuses on UniData and UniVerse.

How can I get the CMT?

The CMT is available on GitHub. Simply log in and search for Rocket Certificate Management Tool.

Setting up the tool

Before you can use the CMT, you must ensure that it is optimized for use on your machine.

  1. Download the pfxmenu.zip file from the U2 Common Clients installation file and extract the contents of the file. For information on system requirements, see the readme.txt file.
  2. Modify the scertmgr.cmd file to reflect your Java Runtime Environment.
    • Right-click on the scertmgr.cmd file and select Edit.
    • Paste the file path to your JRE program file after JRE_HOME=.
  3. After you have configured these options, double-click the pfxmenu.bat file to open the tool.

The CMT is available only for Windows and is run using a Windows command prompt. After you have your system properly configured and have opened the tool, you will see twelve options that you can choose from.

The main menu of the CMT is shown in the following graphic:

The CMT helps you set up SSL on the client side of a database connection, and the files it produces can be loaded into XAdmin. Protecting the connection between the client and the database protects data that would otherwise cross the network in clear text. Use the CMT to create the certificate material, then use XAdmin to apply it to connections to the UniData or UniVerse database.

Example 1

Select option 1 to create a Certificate Signing Request (CSR) and then select option 2 to test the CSR within the CMT. You can then use the Security Context Record (SCR) in XAdmin to reference the certificate you created in the CMT.

The benefits of using the CMT

The CMT is a supplement to the XAdmin tool and helps you complete tasks more quickly and without errors. It also removes the need to understand how to key in the required parameters when configuring SSL for your server.

The graphic below shows examples of what you’d need to manually type into XAdmin to accomplish the same tasks.

Example 2

Select option 9 to set up database connection security quickly and easily using the CMT, instead of manually writing the code for the Key Code command. The CMT generates that code for you, based either on what you created in the XAdmin tool or on what you created with option 1 in the CMT.

Select option 5 on the CMT menu to set up a new Root Certificate Store (RCS). For more information on Root Certificate Stores, read this post. In particular, you can use the CMT to take certificates exported from the Microsoft RCS, convert them to the correct format, and then import them into the UniVerse or UniData RCS.

Here are other things you can accomplish by using the CMT:

  • Create a self-signed certificate.
  • Test a certificate you created using the CMT on both a client and on the server. Testing on both the client and server side will help you discover problems before you implement the certificate.
  • Quickly locate the PEM certificate and check its expiration date.
  • Convert formats: PFX to PEM and PEM to PFX.
  • Import a Java KeyStore into any of our tools, including REST, SOAP, Connection Manager, and WebDE.
  • Bundle certificate chains together using the PFX file content viewer, which is especially useful when using SystemBuilder.
  • Look inside a certificate and view, extract, and display its contents using the Java KeyStore content viewer. The content includes who to contact, the name of the certificate, the contents of the certificate, and the private key, all in a more readable format.
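The self-signed, conversion and expiration items above, reproduced with the OpenSSL command line as an added example (not code from the original post or from the CMT; the host name, organisation and passphrase are constructed):

```shell
#!/bin/sh
# Added example, not CMT code: reproduce three CMT menu functions with the
# OpenSSL CLI. Host name, organisation and passphrase are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="pass:constructed-demo-passphrase"   # constructed; never hard-code a real one

# Self-signed certificate plus private key in PEM (CMT "self-signed" option).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=u2db.example.test/O=Constructed Demo" \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null
}

# PEM -> PFX (PKCS#12) bundle, the format Java-based tools commonly import.
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
        -name "u2-demo" -out "$WORK/server.pfx" -passout "$PASS"
}

# PFX -> PEM again; -nodes leaves the private key unencrypted, so treat the
# output file with the same care as the original key file.
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/server.pfx" -nodes -passin "$PASS" \
        -out "$WORK/roundtrip.pem" 2>/dev/null
}

# Expiry check: exit 0 if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$WORK/server.pem" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Content view: print the subject of a PEM certificate file.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone run: build, round-trip, then show the subject and a 30-day check.
make_self_signed && pem_to_pfx && pfx_to_pem
cert_subject "$WORK/roundtrip.pem"
cert_valid_for_days 30 && echo "valid for at least 30 more days"
```

Run this in an XAdmin-free environment first; the expiry check is the same test you would want in a scheduled job before a certificate silently lapses.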

For more information on the PFX archive file format, the PEM standard syntax, and the Java KeyStore, I encourage you to look up the Wikipedia article on each.

Finally, if you need help starting the Certificate Management Tool, you can enter ? to receive help information taken directly from the README and pfxhelp.bat files. The pfxhelp.bat file can also be read in a text editor and contains information on the CMT and its capabilities as well as the contents of the tools.

I wrote this tool and hope you find it useful. I’d also love to hear about any modifications you make to the tool. Use the comment box here on the blog site to get a message to me.
