Client SSL Configuration
Universal Messaging fully supports SSL Encryption. This section describes how to use SSL in your Universal Messaging C++ client applications.
Once you have created an SSL-enabled interface, you will need certificates for the server and the client. The Universal Messaging download contains a generator that creates example Java key store files for use by the Universal Messaging server; these can also be converted to Privacy Enhanced Mail (.pem) files for use with a Universal Messaging C++ client.
Please refer to the Enterprise Manager guide to create your own client certificates. Remember that a Universal Messaging C++ client requires its certificate in .pem format; a Java key store cannot be used directly.
Running a Universal Messaging C++ Client
A client can be run anonymously, meaning that any client can connect to the SSL-enabled interface and subscribe to a channel over an encrypted connection without presenting a certificate. Alternatively, the server can be run with client certificate validation, so that only clients holding a trusted certificate can connect. To enable or disable client certificate validation, use the Universal Messaging Enterprise Manager: highlight the SSL-enabled interface in the "Interface" tab for your realm, open the "Certificates" tab, and check or uncheck the box labelled "Enable Client Cert Validation".
To run a client over SSL, the locations of the key stores and the relevant passwords must be supplied to nConstants. This can be done either by setting the environment variables described below (which is what the sample applications expect) or by calling the corresponding set methods defined in nConstants from the application code.
Different environment variables need to be set depending on whether client certificate validation is enabled:
With Client Certificate Validation
In this case the client must hold a certificate so that the server can verify it is trusted, and a trust store so that it can verify the server is trusted. The key store at CERTPATH also contains the client's private key and therefore must be password protected. The following environment variables must all be set:
CERTPATH - The path of the client's key store (certificate and private key, in .pem format)
CERTPASS - The password protecting the private key in the key store at CERTPATH
CAPATH - The path of the trust store used to validate the server certificate
Without Client Certificate Validation
If client certificate validation has been disabled on the server, clients connect anonymously: they do not need a certificate, so CERTPATH and CERTPASS need not be set. In the Universal Messaging C++ client, server-side validation is also non-strict: the client does not attempt to validate the server certificate, so it needs no trust store and CAPATH need not be set either. Bear in mind what this means: the connection is encrypted, but the client has no way to tell the genuine server from one presenting a different certificate, so this configuration gives confidentiality on the wire without server authentication.
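The two configurations above, worked through as an added C++ example that is not part of this documentation or the Universal Messaging SDK: it reads CERTPATH, CERTPASS and CAPATH, applies the rules of this section (a key store without its password or a client certificate without a trust store is rejected; an anonymous configuration is flagged because the server certificate goes unvalidated), and checks that each file actually is PEM rather than an unconverted Java key store. The nConstants set methods that would receive the values are not called, and the file names and PEM contents in sampleRead are constructed placeholders.

```cpp
// Added example, not Universal Messaging SDK code: resolve the client's SSL settings
// from CERTPATH / CERTPASS / CAPATH, reject combinations this section rules out, check
// the files are PEM (not unconverted Java key stores) and flag missing server validation.
#include <cstdlib>
#include <fstream>
#include <functional>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

enum class SslMode { ClientCertValidation, Anonymous };

struct SslSettings {
    SslMode mode = SslMode::Anonymous;
    std::string certPath;  // CERTPATH: client certificate plus private key (PEM)
    std::string certPass;  // CERTPASS: password for the private key at CERTPATH
    std::string caPath;    // CAPATH: PEM trust store used to validate the server
    std::vector<std::string> warnings;  // permitted but weaker settings
};
using FileReader = std::function<std::string(const std::string&)>;

// Labels of the PEM blocks in `text`; a binary JKS/PKCS#12 file yields an empty list.
std::vector<std::string> pemLabels(const std::string& text) {
    std::vector<std::string> labels;
    const std::string begin = "-----BEGIN ";
    for (size_t pos = text.find(begin); pos != std::string::npos;) {
        pos += begin.size();
        const size_t end = text.find("-----", pos);
        if (end == std::string::npos) break;
        labels.push_back(text.substr(pos, end - pos));
        pos = text.find(begin, end);
    }
    return labels;
}

// True if some label ends with `suffix` ("PRIVATE KEY" also matches "RSA PRIVATE KEY").
bool hasLabel(const std::vector<std::string>& labels, const std::string& suffix) {
    for (const auto& l : labels)
        if (l.size() >= suffix.size() &&
            l.compare(l.size() - suffix.size(), suffix.size(), suffix) == 0) return true;
    return false;
}

std::string readWholeFile(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) throw std::runtime_error("cannot open " + path);
    std::ostringstream buf; buf << in.rdbuf(); return buf.str();
}

// Check one combination of CERTPATH / CERTPASS / CAPATH; `read` supplies file contents.
SslSettings resolveSettings(const std::string& certPath, const std::string& certPass,
                            const std::string& caPath, const FileReader& read = readWholeFile) {
    SslSettings s;
    s.certPath = certPath; s.certPass = certPass; s.caPath = caPath;
    if (!certPath.empty()) {
        // Client certificate validation: CERTPATH holds the private key, so CERTPASS
        // is mandatory, and the client must also hold a trust store for the server.
        s.mode = SslMode::ClientCertValidation;
        if (certPass.empty()) throw std::invalid_argument("CERTPATH is set but CERTPASS is not");
        if (caPath.empty()) throw std::invalid_argument("CERTPATH is set but CAPATH is not");
        const auto labels = pemLabels(read(certPath));
        if (!hasLabel(labels, "CERTIFICATE") || !hasLabel(labels, "PRIVATE KEY"))
            throw std::invalid_argument(certPath + ": not a PEM file with certificate and private key");
    }
    if (caPath.empty()) {
        // Non-strict server validation: the traffic is encrypted, but without a trust
        // store the client cannot tell the genuine server from an impostor.
        s.warnings.push_back("CAPATH not set: the server certificate will not be validated");
    } else if (!hasLabel(pemLabels(read(caPath)), "CERTIFICATE")) {
        throw std::invalid_argument(caPath + ": trust store is not a PEM certificate file");
    }
    return s;
}

bool rejects(const std::string& certPath, const std::string& certPass,
             const std::string& caPath, const FileReader& read) {
    try { resolveSettings(certPath, certPass, caPath, read); return false; }
    catch (const std::invalid_argument&) { return true; }
}

// Constructed sample files (placeholder bodies, not real key material).
std::string sampleRead(const std::string& path) {
    if (path == "client.pem")
        return "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
               "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n";
    if (path == "ca.pem") return "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n";
    return std::string("\xFE\xED\xFE\xED", 4) + "...";  // JKS magic bytes: not converted to PEM
}

int main() {  // reads the three variables from the environment, as the samples do
    auto env = [](const char* n) { const char* v = std::getenv(n); return std::string(v ? v : ""); };
    try {
        const SslSettings s = resolveSettings(env("CERTPATH"), env("CERTPASS"), env("CAPATH"));
        for (const auto& w : s.warnings) std::cerr << "warning: " << w << '\n';
        std::cout << (s.mode == SslMode::Anonymous ? "anonymous" : "client certificate") << " SSL configuration\n";
        // Hand s.certPath, s.certPass and s.caPath to the nConstants set methods here.
    } catch (const std::exception& e) { std::cerr << "SSL configuration error: " << e.what() << '\n'; return 1; }
}
```

Run with CERTPATH, CERTPASS and CAPATH exported to get the client-certificate configuration, or with none of them set to see the anonymous configuration and its warning. The PEM header scan is deliberately shallow: it catches the common mistake of pointing CERTPATH at the generator's .jks output, but it does not verify that the key matches the certificate or that CERTPASS is correct; the SSL handshake is where those errors surface.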
See the SSL Concepts section for more detailed information.