rocket u2 clients and apis - rocket softwaredocs.rocketsoftware.com/nxt/gateway.dll/rkbnew20/u2...

Rocket U2 Clients and APIs

Administrative Supplement for Current and Legacy Client APIs

July 2014UCC-J2014-SUPP-UG-01

Notices

Edition

Publication date: July 2014Book number: UCC-J2014-SUPP-UG-01Product version: U2 Clients and APIs JUL2014

Copyright

© Rocket Software, Inc. or its affiliates 1988-2014. All Rights Reserved.

Trademarks

Rocket is a registered trademark of Rocket Software, Inc. For a list of Rocket registered trademarks go to: www.rocketsoftware.com/about/legal. All other products or services mentioned in this document may be covered by the trademarks, service marks, or product names of their respective owners.

Examples

This information might contain examples of data and reports. The examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

License agreement

This software and the associated documentation are proprietary and confidential to Rocket Software, Inc. or its affiliates, are furnished under license, and may be used and copied only in accordance with the terms of such license.

Note: This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when exporting this product.

2

Corporate informationRocket Software, Inc. develops enterprise infrastructure products in four key areas: storage, networks, and compliance; database servers and tools; business information and analytics; and application development, integration, and modernization.

Website: www.rocketsoftware.com

Rocket Global Headquarters 77 4th Avenue, Suite 100 Waltham, MA 02451-1468 USA

To contact Rocket Software by telephone for any reason, including obtaining pre-sales information and technical support, use one of the following telephone numbers.

Contacting Technical Support

The Rocket Customer Portal is the primary method of obtaining support. If you have current support and maintenance agreements with Rocket Software, you can access the Rocket Customer Portal and report a problem, download an update, or find answers in the U2 Knowledgebase. To log into the Rocket Customer Portal or to request a Rocket Customer Portal account, go to www.rocketsoftware.com/support.

In addition to using the Rocket Customer Portal to obtain support, you can send email to [email protected] or use one of the following telephone numbers.

Country Toll-free telephone numberUnited States 1-855-577-4323Australia 1-800-823-405Belgium 0800-266-65Canada 1-855-577-4323China 800-720-1170France 0800-180-0882Germany 08-05-08-05-62Italy 800-878-295Japan 0800-170-5464Netherlands 0-800-022-2961New Zealand 0800-003210South Africa 0-800-980-818United Kingdom 0800-520-0439

Country Toll-free telephone numberNorth America +1 800 729 3553United Kingdom/France +44(0) 800 773 771 or +44(0) 20 8867 3691Europe/Africa +44 (0) 20 88673692Australia +1 800 707 703 or +61 (0) 29412 5450New Zealand +0800 505 515

3

mailto:[email protected]

Table of Contents

C:\UsJuly 10

Table of Contents

Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta

Chapter 1 Chapter 1: IntroductionWhat are the client APIs? . . . . . . . . . . . . . . . . 1-2

UCI . . . . . . . . . . . . . . . . . . . . . . 1-2UniOLEDB . . . . . . . . . . . . . . . . . . . 1-2InterCall . . . . . . . . . . . . . . . . . . . . 1-3UniObjects . . . . . . . . . . . . . . . . . . . 1-3UniObjects for Java . . . . . . . . . . . . . . . . 1-3UniObjects for .NET . . . . . . . . . . . . . . . . 1-3JDBC Driver for UniVerse and UniVerse . . . . . . . . . 1-4

Chapter 2 Chapter 2: Maintaining the UniRPCSystem requirements . . . . . . . . . . . . . . . . . 2-3How the UniRPC works . . . . . . . . . . . . . . . . 2-4Maintaining the UniRPC . . . . . . . . . . . . . . . . 2-5

UniRPC maintenance on UniVerse systems . . . . . . . . 2-5UniRPC maintenance on UniVerse servers . . . . . . . . 2-11

About the unirpcservices file . . . . . . . . . . . . . . . 2-12

Chapter 3 Chapter 3: The UCI Configuration EditorUCI Configuration file . . . . . . . . . . . . . . . . . 3-4System requirements . . . . . . . . . . . . . . . . . 3-5Starting the UCI Configuration Editor . . . . . . . . . . . 3-6Creating the UciCfgFile key in the registry . . . . . . . . . . 3-7Adding a data source . . . . . . . . . . . . . . . . . 3-8

Adding a parameter . . . . . . . . . . . . . . . . 3-9Data source parameters . . . . . . . . . . . . . . . 3-11

Modifying a data source . . . . . . . . . . . . . . . . 3-16Deleting a data source . . . . . . . . . . . . . . . . . 3-18Creating a UCI configuration file . . . . . . . . . . . . . 3-19Opening an alternative UCI configuration file. . . . . . . . . 3-20

ers\awaite\Documents\U2Doc\Clients\Source\apisupp\apisuppTOC.fm (bookTOC.template), 2014 2:12 pm

Reverting to the default uci.config file . . . . . . . . . . 3-20Securing configuration files . . . . . . . . . . . . . . . 3-21

Procedure . . . . . . . . . . . . . . . . . . . . 3-21Modifying a configuration file and making comments . . . . . . 3-22

New data source parameters and comments . . . . . . . . 3-22Comments . . . . . . . . . . . . . . . . . . . 3-22

Chapter 4 Chapter 4: Accessing UniVerse AccountsRunning concurrent UniVerse versions . . . . . . . . . . . 4-4

Running UCI, UniVerse ODBC, or UniOLEDB concurrently . . 4-4Running InterCall, UniObjects, or UniObjects for Java concurrently 4-5

Tracing events . . . . . . . . . . . . . . . . . . . . 4-6

Chapter 5 Chapter 5: Device LicensingLicensing modes . . . . . . . . . . . . . . . . . . . 5-3Why do I need device licensing? . . . . . . . . . . . . . 5-4

Device licensing requirements. . . . . . . . . . . . . 5-4Connection types . . . . . . . . . . . . . . . . . . . 5-5

Direct connections . . . . . . . . . . . . . . . . . 5-5Two-tier connections . . . . . . . . . . . . . . . . 5-5Multiple-tier connections . . . . . . . . . . . . . . 5-5Using device subkeys. . . . . . . . . . . . . . . . 5-6

Chapter 6 Chapter 6: The U2 SSL Configuration EditorAbout SSL property lists . . . . . . . . . . . . . . . . 6-3

List encryption . . . . . . . . . . . . . . . . . . 6-3Working with SSL property lists . . . . . . . . . . . . 6-3Loading and decrypting an SSL property list . . . . . . . 6-4SSL properties . . . . . . . . . . . . . . . . . . 6-4

Starting the SSL Configuration Editor. . . . . . . . . . . . 6-12To start the SSL Configuration Editor: . . . . . . . . . . 6-12

Creating an SSL property list . . . . . . . . . . . . . . . 6-15Creating a new SSL property list . . . . . . . . . . . . 6-15Specifying certificates . . . . . . . . . . . . . . . 6-18Specifying authentication properties, CRLs, and cipher suites . . 6-21

Editing an existing SSL property list . . . . . . . . . . . . 6-25Deleting an SSL property list . . . . . . . . . . . . . . . 6-36Copying an SSL property list . . . . . . . . . . . . . . . 6-37Renaming an SSL property list . . . . . . . . . . . . . . 6-39Using the Trace feature . . . . . . . . . . . . . . . . . 6-40

Table of Contents 5

C:\UsJuly 10

1 Chapter

ers\aw, 2014

Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta Beta

Chapter 1: Introduction

What are the client APIs? . . . . . . . . . . . . . . . 1-2 UCI . . . . . . . . . . . . . . . . . . . . . 1-2 UniOLEDB . . . . . . . . . . . . . . . . . . . 1-2 InterCall . . . . . . . . . . . . . . . . . . . . 1-3 UniObjects . . . . . . . . . . . . . . . . . . . 1-3 UniObjects for Java . . . . . . . . . . . . . . . . 1-3 UniObjects for .NET. . . . . . . . . . . . . . . . 1-3 JDBC Driver for UniVerse and UniVerse . . . . . . . . . 1-4

aite\Documents\U2Doc\Clients\Source\apisupp\Ch1TOC.fm2:12 pm

C:\Users\awaite\Documents\U2Doc\Clients\Source\apisupp\Ch1.fm

What are the client APIs?U2 provides seven common APIs for writing client application programs that connect to UniVerse and UniVerse databases. We call them common APIs because programs written in them can access data in both databases.

The seven Client APIs are:

UCI (Uni Call Interface)

UniOLEDB

InterCall

UniObjects

UniObjects for Java

UniObjects for .NET

JDBC Driver for UniVerse and UniVerse

UCI

UCI is a C-language API. It lets developers write UNIX and Windows client programs that use SQL statements to access and manipulate data in UniVerse and UniVerse databases. UCI is modelled on the ODBC standard as defined in the Microsoft ODBC 2.0 specification. It models only the API side of the ODBC standard, not the driver/transport side. Unlike the standard ODBC interface, UCI is more closely integrated with the extended relational database model used by UniVerse and UniVerse, with their nested tables, transaction processing support, and so forth.

UniOLEDB

UniOLEDB is U2’s OLE DB provider for UniVerse and UniVerse. It uses Microsoft’s Universal Data Access (UDA) technology to provide applications in an enterprise network with direct access to UniVerse and UniVerse databases.

1-2

C:\Users\awaite\Documents\U2Doc\Clients\Source\apisupp\Ch1.fm7/10/14

InterCall

InterCall is an open API that lets client application programs developed on UNIX or Windows systems access data on UniVerse or UniVerse servers. On UNIX systems, developers can write client programs using any tool that accesses static libraries, typically a C compiler. On Windows platforms, developers can write client programs using any tool that accesses DLLs, for example, Visual Basic, C, or Visual C/C++.

Note: InterCall replaces and supersedes ICI (Integrated Calling Interface).

UniObjects

UniObjects is an API to UniVerse or UniVerse from Visual Basic, or from any other program development environment that uses the Microsoft ActiveX interface. It is fully integrated with the Microsoft environment.

UniObjects for Java

UniObjects for Java is an API that lets developers create Java-based applications that access UniVerse and UniVerse databases. UniObjects for Java, based on the UniObjects model, is a 100% Pure Java™ Class Library whose objects can take full advantage of any Java-based IDE (Integrated Development Environment).

UniObjects for .NET

UniObjects for .NET is an API that lets developers create .NET-based applications that access UniVerse and UniVerse databases. UniObjects for .NET is fully integrated with the Microsoft environment.

1-3 Administrative Supplement for Current and Legacy Client APIs


JDBC Driver for UniVerse and UniVerse

The JDBC driver for UniVerse and UniVerse is an interface to UniVerse and UniVerse databases from JDBC applications. This book is for experienced programmers and application developers who are familiar with UniVerse and UniVerse, Java, JDBC, and who want to write JDBC applications that access these databases.

Note: The JDBC Driver for UniVerse and UniVerse does not require any configuration for UCI and will not need an entry within the UCI configuration file.

1-4

C:\UsJuly 10

1Administering UniVerse on Windows NT or Windows 20000

2 Chapter

ers\aw, 2014


Chapter 2: Maintaining the UniRPC

System requirements . . . . . . . . . . . . . . . . . 2-3How the UniRPC works. . . . . . . . . . . . . . . . 2-4Maintaining the UniRPC . . . . . . . . . . . . . . . 2-5 UniRPC maintenance on UniVerse systems. . . . . . . . 2-5 UniRPC maintenance on UniVerse servers . . . . . . . . 2-11About the unirpcservices file . . . . . . . . . . . . . . 2-12

aite\Documents\U2Doc\Clients\Source\apisupp\Ch2TOC.fm2:12 pm Administering UniVerse on Windows NT or Windows 2000


The UniRPC lets local UniVerse and UniVerse systems communicate with remote systems. The communicating systems must use TCP/IP networking software to make connections.

Note: In this chapter the terms local and remote refer to client and server programs or systems. However, because client programs can connect to server programs running on the same computer, remote does not necessarily imply that the server is on another physical computer system.

This chapter describes:

The UniRPC daemon (on UNIX servers)

The UniRPC service (on Windows servers)

The contents of the unirpcservices file

The UniRPC on UniVerse servers requires little maintenance, other than starting and stopping the UniRPC daemon or service. On UniVerse servers, you can also do the following:

Change the port number

Add entries to a UNIX hosts file

2-2


System requirementsBefore installing layered or third-party products that use the UniRPC, such as the UniDK, UniOLEDB, the JDBC Driver for UniVerse and UniVerse, or UniAdmin, you must install and configure TCP/IP using the instructions supplied by the TCP/IP facility vendor. On UniVerse systems, you should then identify the systems to be networked with the database by defining them in the /etc/hosts file. See “Maintaining the hosts file (UniVerse Only)” on page 2-6 for more information.



How the UniRPC worksThe UniRPC daemon unirpcd (or the UniRPC service unirpc) waits for a request from a client system to connect to a server process. When it receives a connection request, it checks the unirpcservices files to verify that the client system is allowed to request a particular service. If it can, the UniRPC starts the requested service, then returns to the listening state. Each client process connects to its own server process. Each server process uses the same amount of system resources as a local database user.

2-4


Maintaining the UniRPCThis section describes the following:

How to change the UniRPC port number (UniVerse only)

How to maintain a UNIX server’s hosts file (UniVerse only)

How to start and stop the UniRPC daemon (unirpcd)

UniRPC maintenance on UniVerse systems

Use UniAdmin to:

Define the UniRPC port number

Maintain the hosts file on a UNIX server

Choose Network Services from the UniAdmin menu. The Network Services window appears, as shown in the following example:

This window has the following components:

Port # field. The current port number for the UniRPC daemon.



Hosts list. Displays the machine name and IP address for each node in the /etc/hosts file.

Note: If you are using the Network Information Services (NIS, also known as Yellow Pages), you do not need to use the /etc/hosts file to define, change, and delete network nodes. See the UNIX networking documentation provided with your system for more information.

Defining the UniRPC port number (UniVerse Only)

Before you can use the UniRPC, you must specify the number of the port that the UniRPC is to use. You specify the port number on the client and the server systems.

Note: If you specify a port number other than the default, it must be the same on all systems that communicate via the UniRPC.

The current UniRPC daemon port number is displayed in the Port # field in the Network Services window. To change the number, do the following:

1. Click Change. The Change Port Number dialog box appears. Enter a new number in the Enter new Port number field.

2. Click OK. The new port number is saved and the Network Services window is updated with the new setting.

Note: To use the new port number, you must restart the UniRPC daemon (see “Starting the UniRPC daemon” on page 2-10).

Maintaining the hosts file (UniVerse Only)

Use the Network Services option of UniAdmin to add, modify, and remove nodes in the hosts file. These tasks are performed from the Network Services window.

Adding a Node

To add a new node to the hosts file:

1. Click Add… on the Network Services window. The Add Node dialog box appears.

2. Enter the node name in the Machine Name field.

2-6


3. Enter the node address in the IP Address field.

4. Click OK. The new node’s machine name and IP address are checked against existing entries in the hosts file. If the new node matches an existing entry, a message box appears. You must acknowledge the message before you can enter alternative values. If the new node details are unique, the new node definition is added to the hosts file and the Network Services window is updated.

Modifying a node

To modify the name or IP address of an existing entry in the hosts file:

1. Choose the node to modify by doing one of the following:

Double-click the node in the Hosts list.

Choose the node and click Modify.

The Modify Node dialog box appears.

2. Edit the entries in the Machine Name and IP Address fields.

3. Click OK. The node’s machine name and IP address are checked against existing entries in the hosts file. If the node details match an existing entry, a message box appears. You must acknowledge the message before you can enter alternative values. If the node details are unique, the node definition is added to the hosts file and the Network Services window is updated.

Removing a node

To remove a node definition from the hosts file:

1. Select the node from the Hosts list.

2. Click Remove. A message box appears.

3. Click Yes. The node definition is removed from the hosts file and the Network Services window is updated.



Starting and stopping the UniRPC on Windows platforms

On UniVerse systems you cannot use UniAdmin to start or stop the UniRPC daemon because it uses the UniRPC daemon to connect to the UniVerse server. On Windows platforms, you can start the UniRPC daemon or service in one of three ways:

From the Windows Control Panel

From the UniVerse Control Panel

At the MS-DOS prompt

From the Control Panel

To start the UniRPC:

1. Double-click the Services icon.

2. Scroll down the list of services until you find three entries for UniVerse: UniVerse Resource Service, UniRPC Service, and UniVerse Telnet Service.

3. Choose UniRPC Service, then choose Start.

4. Click Startup, then Click Automatic. This ensures that UniVerse starts automatically when the server is rebooted.


To start the UniRPC:

1. Choose Start -> Programs -> Rocket U2 -> UniVerse Control.

2. Click the Start All Services button to start all UniVerse services.


Enter the following command:

D:\users>net start unirpc

The system reports the name of the service it is starting and whether the startup is successful.

2-8


Note: The UniVerse services are started automatically when the operating system is loaded unless you clear the automatic startup boxes during UniVerse installation.

Stopping the UniRPC on Windows platforms

You can shut down the UniRPC daemon or service in one of three ways:

From the Windows Control Panel



Note: If users are connected to the services when they are shut down, the users do not lose their connections; the connections remain active until the users terminate them. However, it is not possible for new users to connect to UniVerse.

If you want to do a complete shutdown of UniVerse to restart the services, be sure that all connections are terminated first.

From the Control Panel

To stop the UniRPC:

1. Double-click the Services icon.

2. Scroll down the list of services until you find three entries for UniVerse:

UniVerse Resource Service

UniRPC Service

UniVerse Telnet Service

3. Choose UniRPC Service, then choose Stop.

4. Click OK. The UniRPC daemon or service is shut down.


To stop the UniRPC:

1. Choose Start -> Programs -> Rocket U2 -> UniVerse Control.

2. Click Stop All Services to stop all UniVerse services. Wait for all services to stop.



3. Click OK to exit the UniVerse Control Panel. All four services are shut down.


To stop the UniRPC:

1. Enter the following command at the MS-DOS prompt:

D:\users>net stop unirpc

A message appears prompting you to confirm that you want to stop the UniRPC.

2. Enter Y to stop the UniRPC daemon or service.

Starting and stopping the UniRPC daemon on UNIX systems

Use the UniVerse System Administration menus on the UniVerse server to start and stop the UniRPC daemon. See Administering UniVerse for more information.

Starting the UniRPC daemon

To start the UniRPC daemon:

1. Choose Rpc administration from the Package menu, then choose Start the rpc daemon.

2. At the prompt, do one of the following to handle any error messages:

Enter the name of the file to send all error and system messages to.

Enter a space to display messages on your screen.

Press ENTER if you do not want to display or save messages.

3. At the next prompt, click Yes to start the UniRPC daemon or No to return to the Rpc administration menu.

Note: The file that receives all error and system messages can grow unchecked unless you monitor it periodically.

Once you start the UniRPC daemon, it automatically restarts whenever you boot UniVerse.

2-10


Stopping the UniRPC Daemon

To stop the UniRPC daemon:

1. Choose Rpc administration from the Package menu, then choose Halt the rpc daemon.

2. At the prompt, click Yes to stop the UniRPC daemon or No to return to the Rpc administration menu.

Note: Stopping the UniRPC daemon does not interrupt active UniRPC processes.

UniRPC maintenance on UniVerse servers

On UniVerse servers, UniRPC maintenance is minimal. You cannot change the port number of the UniRPC, and there is no need to maintain a hosts file.

Use the stopud command to stop the UniRPC daemon or service. Use the startud command to start the UniRPC.



About the unirpcservices fileEach process that uses the UniRPC automatically configures the unirpcservices file when it first starts. If no unirpcservices file exists, it is created in the unishared directory.

On UNIX systems the default location of this file is /usr/unishared/unirpc.

On Windows platforms the default location is <drive>:\u2\unishared\unirpc.

To determine the location of the unirpcservices file on your system, do the following:

On UNIX systems, execute the command:

$ cat /.unishared

On Windows platforms, find the registry entry under the subkey \HKEY_LOCAL_MACHINE\SOFTWARE\Rocket Software\unishared.

When a client system requests a connection to a service on a server system, the UniRPC daemon (unirpcd) on the server uses the unirpcservices file to verify that the client system can start the requested service.

The UniRPC software uses field 3 of the unirpcservices file to verify that a machine making a request for a service is allowed to do so. The following table lists the fields in the unirpcservices file:

Field Contents

1 The name of the UniRPC service (for example, uvserver).

2 The full path of the service engine executed by the UniRPC daemon.

3 The names of nodes allowed to execute this service. This field is multivalued, with values separated by commas (no spaces). If the field contains * (asterisk), all hosts defined in /etc/hosts can execute this service.

unirpcservices File Fields

2-12


UniVerse systems

On UniVerse systems the unirpcservices file might contain entries such as the following:

uvnet /usr/uv/bin/uvnetd host1,host2,host3 TCP/IP 3 3600 uvdrsrv /usr/uv/bin/uvdrsrvd * TCP/IP 0 3600 uvcs /usr/uv/bin/uvapi_server * TCP/IP 0 3600 uvfilefix /usr/uv/bin/uvfilefix_server * TCP/IP 0 3600 uvserver /usr/uv/bin/uvsrvd * TCP/IP 0 3600

The version of uv.rc shipped with UniVerse systems (/usr/uv/sample/uv.rc) contains commands that:

Check for the existence of the unirpcservices file

Verify that services are defined in it

Start the UniRPC daemon if the file contains services

The UniRPC daemon is executed as part of the UniVerse reboot procedure.

UniVerse systems

On UniVerse systems the unirpcservices file might contain:

udcs /usr/ud72/bin/udapi_server * TCP/IP 0 3600 udserver /usr/ud72/bin/udsrvd * TCP/IP 0 3600

4 The network transport mechanism for the service (TCP/IP).

5 Reserved for future use.

6 The value (in seconds) specifying how long an open connection can be idle before automatic closure from the remote connection. The default is 3600, or 60 minutes.

Field Contents

unirpcservices File Fields (Continued)


C:\UsJuly 10


3 Chapter

ers\aw, 2014


Chapter 3: The UCI Configuration Editor

UCI Configuration file . . . . . . . . . . . . . . . . 3-4System requirements . . . . . . . . . . . . . . . . . 3-5Starting the UCI Configuration Editor . . . . . . . . . . . 3-6Creating the UciCfgFile key in the registry . . . . . . . . . 3-7Adding a data source. . . . . . . . . . . . . . . . . 3-8 Adding a parameter. . . . . . . . . . . . . . . . 3-9 Data source parameters . . . . . . . . . . . . . . 3-11Modifying a data source. . . . . . . . . . . . . . . . 3-16Deleting a data source . . . . . . . . . . . . . . . . 3-18Creating a UCI configuration file. . . . . . . . . . . . . 3-19Opening an alternative UCI configuration file . . . . . . . . 3-20 Reverting to the default uci.config file . . . . . . . . . 3-20Securing configuration files . . . . . . . . . . . . . . 3-21 Procedure . . . . . . . . . . . . . . . . . . . 3-21Modifying a configuration file and making comments . . . . . 3-22 New data source parameters and comments . . . . . . . 3-22 Comments . . . . . . . . . . . . . . . . . . . 3-22

aite\Documents\U2Doc\Clients\Source\apisupp\Ch3TOC.fm11:35 am Administering UniVerse on Windows NT or Windows 2000


The UCI Configuration Editor lets you define and configure data sources. When an application requests a connection to a data source, UCI uses the information in the UCI configuration file (uci.config or another UCI configu-ration file you create) to connect to the data source.

The UCI Configuration Editor lets you:

Add, modify, or delete data sources.

Create your own UCI configuration file.

Set up your system registry to access a particular UCI configuration file.

Open a UCI configuration file different from the one that currently appears in the UCI Configuration Editor window.

Create secure configuration files.

This tool can generate the system registry key and create a default uci.config file in the c:\U2\UniDK\config directory, if either are missing. For more details about this, refer to “Creating the UciCfgFile key in the registry” on page 3-7.

Note: You must be in Administrator mode to update the registry on computers that have user access controls (UAC) enabled.

3-3


UCI Configuration fileApplications access data sources through entries in the UCI configuration file. This file contains connection parameters needed to route connection requests to the appropriate UniData or UniVerse server.

When an application tries to connect to a data source, the UCI configuration file on the client machine is read to determine the name of the host system, the DBMS type, and other information.

The UCI configuration file that UCI uses is specified in the UciCfgFile key in the system registry under

HKEY_LOCAL_MACHINE \SOFTWARE\Rocket Software\UniClient\UCI

or

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Rocket Software\UniClient\UCI.

Each entry in the UCI configuration file describes the physical attributes of a connection in sufficient detail to perform three tasks:

Establish communications

Start a UniData or UniVerse server process

Route query and update requests

In the UCI configuration file on the client machine, you must define the UCI data sources to which you want applications to connect. Use the UCI Config-uration Editor to define and modify data source definitions.

For more information about the UCI configuration file, see UCI Developer’s Guide.



System requirements .NET Framework 4.0 Client Profile

This UCI Editor tool is installed as part of the UniDK, 32-bit U2ODBC, 64-bit U2ODBC, and VSG client installations.

It is installed in one of the following directories:

C:\U2\UniDK\U2ODBC_32bit\UCI_Editor

C:\U2\UniDK\U2ODBC_64bit\UCI_Editor

C:\U2\UniDK\bin\UCI_Editor

3-5


Starting the UCI Configuration EditorTo start the UCI Configuration Editor on a Windows computer, from the Start menu choose Programs ->Rocket U2 -> UniDK -> UCI Editor. The UCI Editor window opens:

The data source information in this example represents the default settings in the uci.config file, as shipped with the client product.

Note: If the uci.config file is password protected, you will be prompted for a password before the editor will open. If you do not know the password, you can click the Help button for instructions on how to resolve the issue.



Creating the UciCfgFile key in the registryThe UCI configuration file that the client uses is specified in the UciCfgFile key in the system registry under HKEY_LOCAL_MACHINE \SOFTWARE\Rocket Software\UCI. Initially this is set to uci.config, the UCI configuration file U2 ships to you.

You must create a new UciCfgFile key if it is not already included in the registry. You may also need to create a new UciCfgFile key if the registry becomes corrupt, making the key inaccessible to your system.

If the registry key does not exist, the UCI Editor will open with the UCI RegKey button visible. Click UCI RegKey to create the UciCfgFile key in the registry and to set the path to the default uci.config file. You must restart the UCI Configuration Editor for the changes to take effect.

Note: If the UciCfgFile exists in the registry, the UCI RegKey button will not be visible.

3-7


Adding a data sourceTo add a data source:

1. Click New Data Source. The New Data Source dialog box opens, as shown in the following example:

2. Enter a data source name.

3. Under DBMSTYPE, click the type of database to which you want to connect.

4. Enter the host name or the network IP address of the server to which you want to connect.



5. Click OK to save your definition and exit the New Data Source dialog box or click Cancel to exit the dialog box without saving your definition. The data source information now shows in the UCI Configuration Editor:

The parameters that appear automatically on the Data Source Editing section are required for each data source you add. Their val-ues are set according to the information you provide on the New Data Source dialog box.

Adding a parameter

After a data source is defined, it may become necessary to add additional parameters.

3-9


Procedure

1. Click Add Parameter. The Parameter dialog box for UniVerse or UniData opens, as shown:

2. Click the parameter you want to add from the Parameter list. For a list of parameters, see “Data source parameters” on page 3-11.

3. In the Value field, enter an appropriate value for the parameter. Information about the parameter appears under Parameter Description.

4. Click Set to add the parameter.

5. After you finish adding parameters, click Cancel. The Data Source Adding dialog box displays all parameters associated with the data source.

Note: To edit parameters, see “Modifying a data source” on page 3-16.

6. After you finish adding parameters for the data source, click Save Data Source.

7. When you finish adding data sources, click or Save Configuration File to save your changes.



Data source parameters

Each data source definition in the UCI configuration must include the following parameters:

DBMSTYPE

NETWORK

SERVICE

HOST

Two parameters you might want to change are MAXFETCHBUFF and MAXFETCHCOLS. Use these parameters to increase the amount of data in each buffer sent from the server to the client. This will improve performance by reducing the number of data transfers between server and client. For more information about these two parameters, see the UCI Developer’s Guide.

If the UniVerse server you are connecting to has NLS enabled, you also can add or change the NLS parameters. For information about setting the NLS parameters, see the UCI Developer’s Guide.

Warning: Adding or changing other parameters can make UCI unusable. Entries in the uci.config file are order dependent. Changing the order will cause an error.

The following table describes the parameters that are required for each data source entry:

Parameter Description Default

DBMSTYPE Specifies the type of database you want to access (UNIDATA, UNIVERSE, or any other database type, such as DB2).

none

NETWORK Specifies the network used to access the data source (TCP/IP or LAN).

none

SERVICE Specifies the name of the server process for the DBMSTYPE you specified. For UniData, specify udserver; for UniVerse, specify uvserver.

none

HOST Specifies the name of the server machine or its network IP address.

none

Parameters for Data Source Entry

3-11


The following table describes other parameters in the Parameters list that you may want to add or change:


ACCOUNT Specifies one of the following:

■ The full path of a UniData or UniVerse account directory

■ A valid UniVerse schema name

■ A valid UniData database name

A UniData database name is valid if it appears as an entry in the ud_database file. For UNIX systems, this file is typically located in the /usr/udxx/include path, where xx is the UniData version, such as /usr/ud73/include. For Windows systems, it is located in the equivalent Windows path, for example C:\U2\ud73\INCLUDE.

none

AUTOINC Produces an SQLColAttributes report if the column is an auto-increment column.

No

CASE Produces an SQLColAttributes report if the column is case-sensitive.

Yes

DESCB4EXEC (For internal use only) Indicates if the database’s describe operation is legal before executing the SQL statement.

Yes

DSPSIZE Produces an SQLColAttributes report showing the column display size.

Yes

IPVERSION Specifies the IP version through which the client will communicate with the server. Can be one of the following:

■ IPV4

■ IPV6

■ IPV4_IPV6

■ IPV6_IPV4

■ IPVANY

IPV4

Other Parameters for Data Source Entry



MAPERROR Maps UniVerse error codes to standard ODBC SQLSTATE error codes. Whenever the server returns one of the mapped codes as an error condition, UCI sets the SQLSTATE variable equal to the five-character code defined in the ODBC standard.

List

MARKERNAME Indicates if the database uses names for parameter markers. If not, the ? (question mark) is the marker character.

No

MAXFETCHBUFF Controls the maximum buffer size on the server to hold data rows. The server usually fills this buffer with as many rows as possible before sending data to the client. If any single row exceeds the length of MAXFETCHBUFF, SQLFetch fails, and you should increase the value of this parameter.

8192 bytes

MAXFETCHCOLS Controls the maximum number of column values the server can put in the buffer before sending data to the client. If the number of columns in the result set exceeds the number specified by MAXFETCHCOLS, SQLFetch fails, and you should increase the value of this parameter.

400 column values

NLSLCALL Specifies all components of a locale. none

NLSLCCOLLATE Specifies the name of a locale whose sort order to use.

none

NLSLCCTYPE Specifies the name of a locale whose character type to use.

none

NLSLCMONETARY Specifies the name of a locale whose monetary convention to use.

none

NLSLCNUMERIC Specifies the name of a locale whose numeric convention to use.

none

NLSLCTIME Specifies the name of a locale whose time convention to use.

none


Other Parameters for Data Source Entry (Continued)

3-13


NLSLOCALE Specifies all components of a locale. none

NLSMAP Specifies the name of the server’s NLS map for the connection. For a client to connect to the server successfully, the server must be able to locate the specified map, which must also be installed in the server’s shared memory segment.

none

NULLABLE Produces an SQLDescribeCol and SQLColAttributes report if the column is nullable.

Yes

SEARCH Produces an SQLColAttributes report if the column is searchable.

Yes

SECUREMODE Turns on/off a U2 ODBC-enabled SSL connection.

none

SSLPROPERTYLIST Specifies the SSLPROPERTY list name defined in the SSL Configuration Editor.

none

SSLPROPERTY-PASSWORD

Specifies the password defined for the SSLPROPERTY list.

none

TXBEHAVIOR Defines default autocommit/ manual-commit transaction behavior. Normally, UniVerse is autocommit by default.

1

TXCOMMIT (For internal use only) Database SQL statement for committing a transaction.

No

TXROLL (For internal use only) Database SQL statement for rolling back a transaction.

No

TXSTART (For internal use only) Database SQL statement for starting a transaction.

No

TYPENAME Produces an SQLColAttributes report showing the name of the SQL TYPE for the column.

Yes

UNSIGNED Produces an SQLColAttributes report if the column is UNSIGNED.

No





UPDATE Produces an SQLColAttributes report if the column is updatable.

Yes

USERNAME Specifies the user’s login name on the server. none

WALLETID Specifies the Wallet ID for Automatic Data Encryption.

none

WALLETPASS Specifies the Wallet password for Automatic Data Encryption.

none



3-15


Modifying a data sourceTo modify a data source:

1. From the UCI Configuration Editor, click the data source you want to modify. The data source information populates in the Data Source Editing area.

You can add new parameters or edit existing ones. To add new parameters, see “Adding a data source” on page 3-8. To edit parameters, continue with the following steps.

2. Click the parameter you want to modify. The parameter name and current value appear under Parameter Editor, as shown in the following example:

3. To remove the parameter, click Remove Parameter.



4. To modify the parameter value, enter a new value in the Value field, then click Update Parameter.

5. After you finish modifying parameters for the data source, click Save Data Source.

6. When you finish modifying data source information, click Save Configuration File to save your changes.

3-17


Deleting a data sourceTo delete a data source:

1. From the UCI Configuration Editor, select the data source you want to delete.

2. Click the Delete Data Source button.

3. When you finish deleting data sources, click Save Configuration File to save your changes.



Creating a UCI configuration fileComplete the following steps to create your own UCI configuration file:

1. From the UCI Configuration Editor, open the UCI configuration file you want to use as a base for the new UCI configuration file. To open a file, see “Opening an alternative UCI configuration file” on page 3-20.

2. Choose File -> Save As.

3. From the Save As dialog box, navigate to the folder to which you want to save the new UCI configuration file, specify a file name with the extension .config, then click Save.

4. If there was a password set on the original configuration file, a dialog box opens and asks you to define a password for the new configuration file. You are not required to create a password.

5. Modify the new UCI configuration file with the appropriate data source information.

3-19


Opening an alternative UCI configuration fileTo open the UCI configuration file that is set in the UciCfgFile registry key, choose File > Set new configuration file.

To open a UCI configuration file that is different from the one set in the UciCfgFile registry key:

1. From the UCI Configuration Editor, choose File -> Open disk file.

2. From the Open File dialog box, choose the appropriate UCI configuration file (the file should have the extension .config), then click Open.

Reverting to the default uci.config file

If you have previously elected to use an alternative UCI configuration file, you can elect to use the default uci.config file at any time.

1. Click File > Use default uci.config.



Securing configuration filesThe UCI configuration files can be password-protected for an additional layer of security. When a configuration file is password protected, the infor-mation in the configuration file is encrypted and can thereafter only be accessed using the UCI Configuration Editor.

Procedure

1. Open the UCI Configuration Editor, if it is not already open.

2. Make sure that the configuration file you want to secure is the one open in the UCI Configuration Editor. To select a new configuration file, click File > Open disk file, select the configuration file you want to secure, and then click OK to return to the editor.

3. Click the Secure UCI configuration file check box.

4. Click Save Config File. Click Yes when asked if you want to update the configuration file. This opens a new password dialog box.

5. Enter the new password information, and then click OK.

Note: When the secure password is not provided correctly, the secure uci.config file will not be opened. You can delete the secure uci.config file and the tool will create a new default uci.config file.

3-21


Modifying a configuration file and making commentsAfter selecting the correct UCI configuration file, you can open the configu-ration file to manually make any changes.

In the UCI Configuration Editor, click Text Editor to easily access the config-uration file.

New data source parameters and comments

You can define additional parameters or comments to include in the UCI configuration file. To do either of these, click New Items in the Parameter list, then under Parameter Editor enter one of the following in the Parameter field:

A new parameter name

New data source parameters

New parameters must begin with a C– prefix. For example, you might name a new parameter C–CATEGORY. UCI ignores any parameter beginning with the C– prefix, but UCI applications can get the parameter information using the SQLDataSources function.

Comments

To include a comment in a data source definition, open the configuration file and then enter an asterisk (*) before any comments. The comments must appear at the top of the configuration file, before the parameters in the data source definition.


C:\UsJuly 10


4 Chapter

ers\aw, 2014


Chapter 4: Accessing UniVerse Accounts

Running concurrent UniVerse versions . . . . . . . . . . 4-3 Running UCI, UniVerse ODBC, or UniOLEDB concurrently . . 4-3 Running InterCall, UniObjects, or UniObjects for Java concurrently 4-4Tracing events . . . . . . . . . . . . . . . . . . . 4-5



UniVerse databases are organized into accounts. A consumer connects to a UniVerse account and can access the files there. You optionally can define the account as a database in the ud_database file on the server. You can also include the account path or database name in the UCI data source definition in the UCI configuration file. For information about setting up the UCI Configuration file, see Chapter 3, “Chapter 3: The UCI Configuration Editor.”

You can also specify the account path or database name each time you try to connect to the account. In this case you need not include the account path or database name in the UCI configuration file. When you try to connect, you are prompted to specify either the full path to the account or the database name.

If you want to access an account that has a UDTHOME directory different from the default UDTHOME directory, you must include a definition for that account in the ud_database file on the server. On UNIX systems this file is located in the /usr/ud72/include path. On Windows platforms it is located in \udthome\include. You can find the path for udthome by looking in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Rocket Software\UniVerse\7.3. Use any text editor to modify the ud_database file.

To determine your default UniVerse home directory, use the UNIX env command. Output from this command includes the default setting for the UDTHOME environment variable.

The following Windows example shows an entry in the ud_database file for a database named db2:

DATABASE=db2 UDTHOME=d:\disk2\test72 UDTACCT=d:\disk2\test72\testacct

In the ud_database file entry the UDTHOME parameter is optional. You should include it only when the UDTHOME directory is different from the default UDTHOME directory.



Running concurrent UniVerse versionsWhen you install UniVerse 7.2 on a machine where UniVerse 5.1 or UniVerse 5.2 was previously installed, the unirpcservices file is overwritten with UniVerse 7.2 information. If you want to run UniVerse 5.1, UniVerse 5.2, UniVerse 6.0, UniVerse 6.1or UniVerse 7.1 concurrently with UniVerse 7.2, you must edit certain files to enter the UniVerse 5.1, UniVerse 5.2, UniVerse 6.0, or UniVerse 6.1 definitions.

Running UCI, UniVerse ODBC, or UniOLEDB concurrently

If you are running UCI, UniVerse ODBC, or UniOLEDB with concurrent versions of UniVerse, you must edit the unirpcservices file and the uci.config file to define locations of executables from the previous version of UniVerse.

The following example illustrates unirpcservices file entries when running UniVerse 7.2 concurrently with UniVerse 7.3:

udserver_72 d:\u2\ud72\bin\udsrvd.exe * TCP/IP 0 3600udserver_73 c:\u2\ud73\bin\udsrvd.exe * TCP/IP 0 3600

Make sure the uci.config file contains an entry for the server for each version of UniVerse, as shown in the following example:

<UniVerse72> DBMSTYPE = UniVerse network = TCP/IP service = udserver_72 host = server1

<UniVerse73> DBMSTYPE = UniVerse network = TCP/IP service = udserver_73 host = server2

4-4


Running InterCall, UniObjects, or UniObjects for Java concurrently

If you are running InterCall, UniObjects, or UniObjects for Java with concurrent versions of UniVerse, you must edit the unirpcservices file to define the location of the udapi_server executable for the previous version you are running.

The following example illustrates unirpcservices file entries when running UniVerse 7.2 concurrently with UniVerse 7.3:

udcs_72 C:\u2\ud72\bin\udapi_server.exe * TCP/IP 0 3600udcs_73 C:\u2\ud73\bin\udapi_server.exe * TCP/IP 0 3600

You can now set your service name to either service defined in the unirpcservices file, for example, udcs_72 for UniVerse 7.2 or udcs for UniVerse 7.3.



Tracing eventsYou can use the tracing feature to create logs of events between clients and the database through the server. Logs enable support personnel to help troubleshoot problems. You can define trace levels for database entries in the ud_database file.

The following table describes the valid trace levels and the associated information that is written to the trace log:

The following UNIX example shows a tracing level setting for a database named dbase3:

DATABASE=dbase3 UDTHOME=/disk1/ud72 UDTACCT=/home/test/udtest TRACE_LEVEL=3

Trace Level Description

0 Includes all fatal error information.

1 Includes all UCI functions in addition to the information provided by trace level 0.

2 Includes parameter information and column descriptions in addition to the information provided by trace levels 0 and 1.

3 Includes data values in addition to the information provided by trace levels 0, 1, and 2.

Valid Trace Levels

4-6

C:\UsJuly 10


5 Chapter

ers\aw, 2014


Chapter 5: Device Licensing

Licensing modes . . . . . . . . . . . . . . . . . . 5-3Why do I need device licensing? . . . . . . . . . . . . . 5-4 Device licensing requirements . . . . . . . . . . . . 5-4Connection types . . . . . . . . . . . . . . . . . . 5-5 Direct connections . . . . . . . . . . . . . . . . 5-5 Two-tier connections . . . . . . . . . . . . . . . 5-5 Multiple-tier connections . . . . . . . . . . . . . . 5-5 Using device subkeys . . . . . . . . . . . . . . . 5-6



This chapter describes how device licensing works. For more information about device licensing, see Installing and Licensing UniVerse Products and Administering UniVerse.

5-2


Licensing modesUniVerse and UniVerse provide two licensing modes:

Session licensing

Device licensing

Session licensing

Session licensing is like the licensing system used before Release 9.5 of UniVerse and Release 5.1 of UniVerse. Every connection from telnet or an API, even from the same PC, consumes one database license. On UniVerse systems, session licensing has been enhanced to include a new licensing tool, uvlictool, that reports on the current licensing state and cleans up current licensing.

Device licensing

Device licensing, sometimes called client-side licensing, tries to combine all remote connections from a single device to a database server at both the database license level and the package level.

Device licensing works with the following connection types (among others):

UCI

UniObjects

UniObjects for Java

UniObjects for .NET

InterCall

UniOLEDB



Why do I need device licensing?Users accessing a database server through one or more client application programs may want to put their licensing scheme on a one-license-per-device basis. Such applications often open multiple connections to a database server. For example, an application might use one connection to browse, another connection to check data, yet another connection to update the database, and so forth.

Before UniVerse Release 9.5 and UniVerse Release 5.1, each connection to the server consumed its own separate license, even though only one user was using all those connections from one PC. Device licensing lets such users consume one database license and the number of connections for which they are licensed, up to ten, to the server from a single PC.

Device licensing requirements

Device licensing has the following requirements:

Clients must run on a Windows platform.

Clients must run on a LAN or TCP/IP with an Ethernet card.

5-4


Connection typesThere are three ways to connect to a database server:

Direct connection. This is not a client/server connection.

Two-tier client/server connection.

Multiple-tier client/server connection.

Each PC can have up to ten connections to the server, but not all connections from a PC can be combined.

Direct connections

Direct connections are not really client/server connections because there is no real client. Examples of direct connections are:

Directly invoking the database on a system

TTY serial line

Two-tier connections

Two-tier connections are typical client/server connections where a client application connects to a database server either on the same machine or on a different machine. Telnet connections to the database are an example of a two-tier connection.

Client applications running on PCs different from the database server appear to the server with unique identifiers.

Multiple-tier connections

Multiple-tier connections are client applications that connect from a PC to a database server either through one or more different PCs, or through an application server component. Examples of multiple-tier connections are:

An HTTP server running scripts that use UniObjects or UniObjects for Java.



An application that connects first to an application server either on a different PC or on the server system. The application server connects to the database server.

Using device subkeys

Each PC that connects immediately to the database server can have up to ten connections.

Using multiple-tier connections, each PC that connects to an intermediate application component consumes a separate license. But each of these PCs, at one or more removes from the server, can have up to ten connections.

In order for a PC to have multiple connections to the database server and still consume only one license, users must ensure that each PC connecting to the server through another system specify a unique device subkey before requesting a connection to the server. This subkey is a string of up to 24 characters. All client applications on a given device that connect to one database server must use the same unique subkey.

5-6

C:\UsJuly 10


6 Chapter

ers\aw, 2014


Chapter 6: The U2 SSL Configuration Editor

About SSL property lists . . . . . . . . . . . . . . . 6-3 List encryption . . . . . . . . . . . . . . . . . 6-3 Working with SSL property lists . . . . . . . . . . . 6-3 Loading and decrypting an SSL property list . . . . . . . 6-4 SSL properties . . . . . . . . . . . . . . . . . . 6-4Starting the SSL Configuration Editor . . . . . . . . . . . 6-12 To start the SSL Configuration Editor: . . . . . . . . . 6-12Creating an SSL property list . . . . . . . . . . . . . . 6-15 Creating a new SSL property list . . . . . . . . . . . 6-15 Specifying certificates . . . . . . . . . . . . . . . 6-18 Specifying authentication properties, CRLs, and cipher suites . 6-21Editing an existing SSL property list . . . . . . . . . . . 6-25Deleting an SSL property list . . . . . . . . . . . . . . 6-36Copying an SSL property list . . . . . . . . . . . . . . 6-37Renaming an SSL property list . . . . . . . . . . . . . 6-39Using the Trace feature . . . . . . . . . . . . . . . . 6-40

aite\Documents\U2Doc\Clients\Source\apisupp\Ch6TOC.fm11:59 am Administering UniVerse on Windows NT or Windows 2000


At UniVerse 11.1 and UniData 7.3, U2 supports the ability of client applications to make secure connections to the database server through Secure Sockets Layer (SSL). SSL is a transport layer protocol that provides a secure channel between two communicating programs over which application data can be transmitted securely. It is the most widely implemented security protocol on the World Wide Web.

Applications can use U2 ODBC or UniOLEDB to access U2 data sources through entries in the UCI configuration file (uci.config) on the client machine.

When ODBC or UniOLEDB attempts to connect to a data source, U2 ODBC or UniOLEDB reads the UCI configuration file to determine the connection parameters. Three parameters indicate whether the client application requires a secure connection to the database server. One of these parameters is SSLPROPERTYLIST, which specifies the name of the SSL property list to be used to verify the properties of the secure connection.

This chapter focuses on the SSL Configuration Editor, a graphical user interface (GUI) tool used to create or change an SSL property list. It first provides a high-level overview of SSL property lists and details the SSL properties.

It then shows you how to start the SSL Configuration Editor and use it to perform file creation and maintenance tasks:

Create a new SSL property list

Edit an existing SSL property list

Save to a new SSL property list

Delete an SSL property list

Copy an SSL property list

Rename an SSL property list

If you need more information about the UCI configuration file, please see the UCI Developer’s Guide.

6-2


About SSL property listsAn SSL property list is an ASCII text file that stores the properties for a secure connection. These properties define the characteristics and behaviors of the secure connection.

List encryption

An SSL property list may contain sensitive information such as the password to a private key or the location of a certificate authority (CA) certificate. For this reason, it is saved in encrypted form to the Windows Registry at:

HKEY_LOCAL_MACHINE \SOFTWARE\Rocket Software\UniDK\SPL

or

HKEY_LOCAL_MACHINE\Software\Wow6432\Rocket Software\UniDK\SPL

The SSL Configuration Editor uses an algorithm developed by U2 to encrypt the list.

If you do not assign your own password to the list, the algorithm uses a an internal default password to generate the encryption key for the list. Because the internal default password is fixed, the algorithm always produces the same encryption key from this password. Consequently, anyone who uses the SSL Configuration Editor can access and read the contents of your SSL property list.

For increased security, we strongly recommend that you assign your own password to the SSL property list. In this case, the same algorithm uses your unique password as the seed for generating an encryption key. The resulting encryption key is unique, so only users who know the password can access the list and read its contents.

Working with SSL property lists

Although the property list is an ASCII text file, you should never edit it directly. Use the SSL Configuration Editor to create, modify, or delete the property list; this ensures that the list is properly saved to (or deleted from) the Registry.



Loading and decrypting an SSL property list

Before the SSL handshake takes place, the SSL property list must be loaded into memory and decrypted. After the list has been decrypted, it is supplied in plain text form to a function that handles the SSL handshake.

Alternatively, the program can assemble the property list on demand in memory, eliminating the need to create a property list in advance.

When the property list is in decrypted form (only internally in U2), each property is stored on a separate line in the file, as shown below:

propertyName=propertyValue

SSL properties

This section describes each property supported in the SSL property list to define the characteristics and behaviors of a secure connection.

SSLVersion={SSLv3 | TLSv1}

Optional. Default is SSLv3.

This property specifies the preferred protocol version.

Version Description

SSLv3 This is most widely used protocol.

TLSv1 This is the newer protocol. Most newer applications support it, but some older applications may not.

Protocol Versions

6-4


CertificateStoreType={U2 | Windows}

Optional. Default is U2.

This property specifies the type of certificate stores to be used for all certificates issued for the secure connection.

CACertificate=<cert-path>[;<cert-path>...]

Each property value string can contain multiple CA certificate paths, with paths separated by a semicolon (;) as shown above. Specifying multiple CACertificate properties is allowed.

If the CA Certificate property is left empty, the SSL Property List (SPL) can still be created. When a client using the created SPL starts an SSL connection, if the CertificateStoreType is Windows, the Windows’s root certificate will be used; Beginning at the JUL2014 client release, if the CertificateStoreType is U2, a U2-supplied default root certificate store will be used as the CA certificate.

Value Description

U2 All certificates specified in this file are PEM, DER, or PKCS #12-format OS-level files.

Windows All certificates specified in this file are looked up from the native Windows certificate store. Generally, a CA certificate is looked up from Windows CA and ROOT stores, while MyCertificate is looked up from MY stores.

In Microsoft’s terminology, these certificate stores are system stores: a collection of physical certificate stores that reside in the Windows Registry. U2 looks up these stores from both of the following Registry locations:

■ CERT_SYSTEM_STORE_CURRENT_USER

■ CERT_SYSTEM_STORE_LOCAL_MACHINE

Certificate Store Types



The default U2 Root Certificate Store (.u2rcs) is created in the C:\U2\UniDK folder. The U2 Root Certificate Store can only be maintained on U2 server and copied to the client machine. The U2 Root Certificate Store can be managed by the U2 rcsman utility tool, which is found in the U2 server bin folder. For more information about the rcsman utility or the U2 Root Certificate Store, refer to the UniVerse Security Features or UniData Security Features manuals.

U2 certificate store type

<cert-path> is the path of the certificate file that is used as a CA certificate. The format of the certificate can be either PEM, DER, or PKCS #12. (However, see the CertificatePath property for additional information on how U2 loads certificates when performing the SSL handshake.) With the U2 type, if a CA certificate chain is required, you have the choice of specifying multiple CACertificate properties, or, for PEM-format certificates, concatenating the certificate files into one single file (using OS-level editor or command line) and specifying the concatenated file once.

Windows certificate store type

Specify the same “friendly name” or “Common name” that is used for the certificate in the certificate store. With the Windows type, specify only one certificate, which should be the most immediate CA certificate (the one used directly to sign the certificate to which authentication is to be performed).

A certificate chain is automatically established and used in an SSL session. Note that the above description is based on the assumption that a correct and complete trust relationship exists in the Windows certificate store for the certificate involved. If a complete chain cannot be formed, an error is reported. This also applies to other certificate-related properties described below.

MyCertificate=<cert-path>

Optional for client SSL property list; default is none. Required for server SSL property list.

U2 certificate store type

Note that if you specify this property, you must also specify the MyPrivateKey and PrivateKeyPassword properties. The format of the certificate can be PEM, DER. or PCKCS #12.

6-6


Windows certificate store type

Specify the same “friendly name” or “Common name” that is used for the certificate in the certificate store. Note that when you import a Windows store type certificate to the MY store, you must associate an exportable private key with it by selecting the Exportable private key check box.

See also ClientAuthentication (below).

MyPrivateKey=<key-path>

Applicable to U2 certificate store type only. Required if you entered a value in My Certificate.

This property specifies the path for the file that contains the private key associated with MyCertificate. The format of the key file can be PEM, DER. or PCKCS #12.

When an SSL property list is created, the private key is loaded into memory and validated against its corresponding certificate (My Certificate). If it passes validation, the key is stored with the SSL property list. This validation feature is designed to enhance the security and protection of the user’s private key.

After the SSL property list has been created, you do not need to keep the private key file on your hard disk. You can store the key file safely on offline media until the next time you want to edit the SSL property list.


PrivateKeyPassword=<pass-phrase>

Applicable to U2 certificate store type only. Required if you specified a value for MyCertificate.

This property specifies the password for the private key file.


CRL=<cert-path>

Optional. Default is none. Specifying multiple CRL properties is allowed.



This property specifies the Certificate Revocation List (CRL) to be used for this secure connection.

The CRL is a special certificate published by certificate authority (CA); it contains the serial numbers of certificates revoked by CA. If an incoming server certificate is specified, it is checked against the CRL to verify that it has not been revoked before other verification is performed.

The format of the CRL can be PEM, DER, or PKCS #12.

AuthenticationDepth=<level>

Optional. Default is 5.

This property determines the level at which to stop U2’s verification process in authentication processing. The default setting of 5 is a sufficient depth in most cases. If you set the depth for fewer levels of authentication than actually employed for the certificate, the certificate will not pass authentication.

CipherSuite=<cipher-suite-string>

Optional. Default is all ciphers supported by the OpenSSL open source library.

This property specifies a suite of ciphers to be used in a specific order in the SSL handshake.

For further details, see the description of addCipherSuite() in the UniBasic Extensions manual.

TrustedPeerName=<trusted-peer-name-string>

Optional. Default is none. Specifying multiple TrustedPeerName properties is allowed.

<trusted-peer-name-string> is in the format of <peer-name>[;<peer-name>[;<peer-name>]...]

6-8


This property tells U2 that it needs to perform additional checking in authenticating the incoming certificate. If you do not specify TrustedPeerName, the incoming certificate is considered valid when the CA certificate has verified it. However, if you specify TrustedPeerName, a further check is performed to verify that the incoming certificate’s SubjectAltName extension or CommonName subject field matches one of the specified TrustedPeerName.

TrustedPeerName can be either a fully specified name (such as [email protected]) or a wildcard name. Two wildcard characters are supported:

For example, %@us.xyz.com matches both [email protected] and [email protected], while [email protected] matches [email protected] only.

AuthenticationStrength=[STRICT | GENEROUS]

Optional. Default is STRICT.

STRICT authentication requires the following:

The incoming server certificate is a well-formed X.509 certificate.

A valid CA certificate exists and verifies the incoming server certificate.

Peer name checking (if specified) is performed.

GENEROUS authentication requires only the following:

The incoming server certificate is a well-formed X.509 certificate.

Peer name checking (if specified) is performed.

Note: GENEROUS authentication is not highly secure. We recommend using it in test environments only.

% Match any character strings

_ Match one character



CertificatePath=[DEFAULT | RELATIVE | PATH=<path> | ENV=<env-var>]

Applicable to U2 certificate store type only. Optional. The default location is PATH:C:/U2/UniDK/certs.

When you specify a certificate by the CACertificate, MyCertificate, or CRL property, the value for that property is registered internally. When loading the certificate into memory to establish an SSL connection, U2 uses this registered path by default to retrieve the certificate.

The CertificatePath property allows you to specify different locations in which to search the certificates. Note that this property applies to all certificates specified in the file.

Four options are available:

ClientAuthentication=[TRUE | FALSE]

Optional. Default is FALSE.

This property should be specified for a server SSL property list only.

Option Description

DEFAULT Specifies the above-described behavior. This option is the default.

RELATIVE U2 looks for the certificate in the current directory under which the client process is running.

PATH:<path> <path> is a user-specified path for loading certificates specified in this SSL property list. It can be either an absolute path or a relative path.

The default path is C:\U2\UniDK\certs. With this path, the behavior is the same as that of the DEFAULT option.

ENV:<env-var> <env-var> is an environment variable name. With this option, the client process uses the value of the environment variable as the path to load the certificates. Note that U2 looks up the environment variable for a client process only once when the first SSL connection is made and its value is cached for later reference by that process.

CertificatePath Options

6-10


If the value is TRUE, the SSL server using this property list requires client authentication during the SSL handshake. It asks the client to send its certificate.

If TRUE, U2 treats the SSL property list as a server property list. Consequently, you must also specify MyCertificate, MyPrivateKey (for the U2 certificate store type only), PrivateKeyPassword, and CACertificate or the SSL property list will not be created.

RandomFileLocation=<directory-path>

Optional. Default is “.” (the current directory).

This property specifies the directory in which the client stores random data for the use of SSL operations. The directory should be specfied as an absolute path (for example, D:\mysys\work). The directory must currently exist and be writeable.

By default, random data is stored in the directory in which a client process runs. If you want to control where the random data is stored (for example, to limit users’ access to the random data by storing it in a directory that has restricted permissions), you should use this property to specify the desired directory.

The random data file named U2SSL.rnd is created in the specified directory.



Starting the SSL Configuration EditorThe SSL Configuration Editor program files are placed in a subfolder under the Programs folder when you install U2. This section tells you how to navigate to the tool and start it. It also describes the layout of the SSL Config-uration Editor window.

Note: You must be in Administrator mode to update the registry key on computers that have user access controls (UAC) enabled.

To start the SSL Configuration Editor:

From the Start menu, choose All Programs ➤ Rocket U2 ➤ SSL Configuration Editor. The SSL Configuration Editor window opens.

Components of this window are described below.

6-12


Main menu

At the top of the SSL Configuration Editor window are two menus:

Menu Description

File Options for creating new SSL property lists, as well as deleting, saving, and performing other tasks for managing SSL property lists.

Help Help topics, including the documentation.

SSL Configuration Editor Main Menu



Views

The SSL Configuration Editor window is divided into four views:

From the main window, you can perform the following tasks to manage SSL property lists:

Creating an SSL property list

Editing an existing SSL property list

Deleting an SSL property list

Copying an SSL property list

Renaming an SSL property list

Using the Trace feature

Navigate to the folder containing the log and open the file to view its contents.

View Usage

SSL Property Lists treeview

Use this view to review the directory structure of SSL property lists and copy, rename, or delete existing SSL property lists.

Property List This view contains information about any item highlighted in the SSL Configuration Editor.

Property Editor This editor is used to change the value of the property selected in the Property List. It also describes the property in the description field.

Result view Use this view to review the details on any problems encountered while creating, editing, deleting, or performing other operations on an SSL property list.

SSL Configuration Editor: Main Window Panes

6-14


Creating an SSL property listThis section takes you through the process of creating an SSL property list and defining all the properties of a secure connection.

The Create a New SSL Property List dialog wizard steps you through the process of entering these properties, helping you input the required infor-mation. The requirements are based on whether the SSL property list is for the use of a client or a server, and on the certificate store type.

Creating a new SSL property list

1. In the SSL Configuration Editor window, select File ➤ New. The Create a New SSL Property List dialog box opens.



2. In the Property list name box, enter a unique name for the SSL property list to be created.

3. Optional. We strongly recommend that you establish a password for the SSL property list. An algorithm is applied to your password to derive a unique encryption key for the list. To access a password-protected list, users must enter the password as the key to decrypt the list and view its plaintext contents. If you do not assign a password to the list, the algorithm uses a fixed internal default password to generate the encryption key. The key produced in this manner never varies and anyone who uses the SSL Configuration Editor can access the list and view its contents.

In the Password box, enter a password for the SSL property list. There are no limitations on length or restrictions on characters allowed; however, the length of the password and randomness of the characters contribute to its relative security. Use a password that is difficult to guess and share it only with users who need to access the list.

4. If you entered a password for the SSL property list, you must verify the password. In the Re-enter password box, type the same password again.

5. U2 supports SSL version 3 and TLS version 1. Under SSL version, select the version of the protocol to be used for this secure connection:

Option Description

SSLv3 This is the default setting. It is the most widely used protocol.

TLSv1 This is the newer protocol. Most newer applications support it, but some older applications may not.

SSL Versions

6-16


6. Under Certificate store type, select the type of certificate stores to be used for all certificates issued for this secure connection:

7. Click Next to specify the certificate information. The Specify Certificates dialog box opens

Option Description

U2 This is the default setting. Use this setting if all certificates that apply to this secure connection are PEM, DER, or PKCS #12 format OS-level files.

Windows All certificates for this connection are looked up from the native Windows certificate store. Generally, a CA certificate is looked up from Windows CA and ROOT stores, while My Certificate is looked up from MY stores.


■ CERT_SYSTEM_STORE_CURRENT_USER

■ CERT_SYSTEM_STORE_LOCAL_MACHINE

Certificate Store Type



Specifying certificates

1. Specify the path of a certificate, set the private key and password if applicable, specify the path of the certificate revocation list (CRL), and specify cipher suites to be used in the handshake..

2. If applicable, in the CA certificate box, enter the path of the file to contain a certificate authority (CA) certificate for this secure connection, or click Browse to find the path. See specifics for the certificate store type below.

6-18


U2 certificate store type:

Specify the path of the certificate file that is used as a CA certificate. The format of the certificate can be either PEM, DER, or PKCS #12. With the U2 type, you can specify multiple certificate paths, separating each with a semicolon (;).

If a CA certificate chain is required, you have the choice of specifying multiple certificate files in the CA certificate box, or, for PEM-format certificates, concatenating the certificate files into one single file (using OS-level editor or command line) and specifying the concatenated file once.

Windows certificate store type:

Specify the same “friendly name” or “Common name” that is used for the certificate in the certificate store. With the Windows type, specify only one certificate, generally the most immediate CA certificate (the one used directly to sign the certificate to which authentication is to be performed).

A certificate chain is automatically established and used in an SSL session. Note that the above description is based on the assumption that a correct and complete trust relationship exists in the Windows certificate store for the certificate involved. If a complete chain cannot be formed, an error is reported. This also applies to other certificate-related properties.

3. Optional for a client SSL property list; required for a server SSL property list.

In the My Certificate box, enter the path for your certificate for this secure connection, or click Browse to find the path. See specifics for the certificate store type below.


Note that if you specify a path in My Certificate for a server SSL property list, you must also enter values for Private key and Private key password. The format of the certificate can be either PEM, DER, or PKCS #12.




Specify the same “friendly name” or “Common name” that is used for the certificate in the certificate store. Note that when you import a Windows store type certificate into the MY store, you must associate an exportable private key with it by selecting the Exportable private key check box.

4. Applicable to the U2 certificate store type only. Required if you entered a value in My Certificate.

In the Private key box, enter the path for the file that contains the pri-vate key associated with My Certificate, or click Browse to find the path. The format of the key file can be either PEM, DER, or PKCS #12.


After the SSL property list has been created, you do not need to keep the private key file on your hard drive. You can store the key file safely on external media until the next time you want to modify properties of the SSL property list.

5. Applicable to the U2 certificate store type only. Required if you entered a value in My Certificate.

In the Private key password box, enter the password for the private key file.

6-20


6. Under Authentication strength, select the appropriate option for this secure connection.

7. Choose one of the following actions:

Click Finish to create the property list.

Click Advanced to view the advanced options, such as defining trusted peers, ciphers, or CRLs.

Specifying authentication properties, CRLs, and cipher suites

After selecting the Advanced option, the Advanced Options dialog box opens with the following options.

Option Description

Strict This is the default setting. Strict authentication requires that the following conditions be met:

■ The incoming server certificate is a well-formed X.509 certificate.

■ A valid CA certificate exists and verifies the incoming server certificate.

■ Peer name checking (if specified) is performed.

Generous Generous authentication requires only that the incoming server certificate is a well-formed X.509 certificate.

Note: Generous authentication is not highly secure. We recommend using it in test environments only.

Authentication Strength



1. Optional. In the Trusted peers box, enter the name of a trusted peer as detailed below.

This property tells U2 that additional checking needs to be performed in authenticating the incoming certificate. If you leave this box blank, the incoming certificate is considered valid when the CA certificate has verified it. However, if you specify a trusted peer name, a further check is performed to verify that the incoming certificate’s SubjectAltName extension or CommonName subject field matches that of the trusted peer.

The trusted peer name can be either a fully specified name (such as [email protected]) or a wildcard name. Two wildcard characters are supported:


You can enter the names of multiple trusted peers, separating each with a semicolon (;).

2. Optional. In the Random file location box, enter the absolute path of the directory in which U2 stores random data for the use of SSL operations, or click Browse to find the path. For example, D:\mysys\work is an absolute path. The directory must currently exist and be writable. The default is “.” (the current directory).

By default, random data is stored in the directory in which a client process runs. If you want to control where the random data is stored (for example, to limit users’ access to the random data by storing it in a directory that has restricted permissions), use this property to specify the desired directory.

When the SSL property list is created, the random data file named U2SSL.rnd is created in the directory specified here.

% Match any character string


6-22


3. Optional. In the Authentication depth list, select the level at which to stop U2’s verification process in authentication processing. The default setting is 5, which is a sufficient depth in most cases. If you set the authentication depth for fewer levels of authentication than actually employed for the certificate, the certificate will not pass authentication.

6. Applicable to U2 certificate store type only. Optional.

When you specify a certificate by the CA certificate, My Certificate, or CRL property, the value for that property is registered internally. When the certificate is loaded into memory to establish an SSL connection, U2 uses this registered path by default to retrieve the certificate.

The Certificate path property allows you to specify different locations in which to search the certificates. Note that this property applies to all certificates in the file.

Under Certificate path, select one of the following options:

Option Description

Default Specifies the above-described behavior.

Relative U2 looks for the certificate in the current directory under which the client process is running.

Path Enter the path for loading certificates specified in this property list, or click Browse to find the path. This can be either an absolute path or a relative path.

The default path is C:\U2\UniDK\certs. With this path, the behavior is the same as that of the Default option.

Environment Variable Enter an environment variable name. With this option, the value of the environment variable is used as the path in which to load the certificates. Note that U2 looks up the environment variable for a client process only the first time the process makes an SSL connection; the value of the environment variable is cached for later reference by that process.

Certificate Path Options



7. Optional. In the CRL box, enter the path of a certificate revocation list (CRL) to be used for this secure connection, or click Browse to find the path. You can specify multiple CRL paths, separating each with a semicolon (;).

The CRL is a special certificate published by the certificate authority (CA), containing the serial numbers of certificates that the CA has revoked. If an incoming server certificate is specified, it is checked against the CRL to verify that the certificate has not been revoked before other verification is performed.

The format of the CRL can be either PEM, DER, or PKCS #12.

8. Optional. In the Cipher Suites box, specify a suite of ciphers to be used in a specific order in the SSL handshake. If you make no entry, the default of all ciphers supported by the OpenSSL open source library applies. For further details, see the description of addCipherSuite() in the UniBasic Extensions manual. Choose one of the following actions:

To return to the previous page of the dialog box, click Back.

To discard your entries and cancel the process of creating an SSL property list, click Cancel.

Otherwise, to finish entry of properties and create the SSL property list, click Finish.

The SSL Configuration Editor tool checks your entries to ensure that you have input all required properties. The requirements are based on whether this is a client or server SSL property list, and on the selected certificate store type.

If you left a required property blank or entered conflicting or inconsistent values in related properties, when you click Finish the SSL Configuration Editor issues an error message and redisplays the first page on which you to need to enter information.

If the tool finds no errors, the program creates the new SSL property list, saving it in encrypted form to the Windows Registry at:

HKEY_LOCAL_MACHINE/SOFTWARE/Rocket Software/UniDK/SPL

6-24


Editing an existing SSL property listThis section takes you through the process of editing an existing SSL property list, changing the properties of a secure connection.

To edit an existing SSL property list:

1. Open the SSL Configuration Editor.

2. In the SSL Property Explorer, double-click the name of the SSL property list to be edited. The information for the selected property list populates in the Property Editor.

3. If the selected SSL property list has an associated password, enter the password and click OK. Otherwise, if the property list has no associated password, leave the box blank and click OK.



4. In the Property List, select the line containing a property value to be changed. The Property Editor displays information for the selected property.

The following table provides information on changing the value of each SSL property. This table lists properties in the order in which they appear in the Property List on the left side of the Editor view.

Element Description

Property Display only. This box contains the name of the property as it is stored in the SSL Configu-ration Editor program. Property names cannot be changed.

Description Provides guidelines and tips for setting the value of this property.

Value Initially displays the current value of the property. In this box, you can change the value of the selected property.

Property Editor

Property Value

SSLVersion U2 supports SSL version 3 and TLS version 1. Select the version of the protocol to be used for this secure connection:■ SSLv3 – This is the default setting. It is the

most widely used protocol.

■ TLSv1 – This is the newer protocol. Most newer applications support it, but some older applications may not.

To apply this change, click OK.

Editing Property Values

6-26


CertificateStoreType Select the type of certificate stores to be used for all certificates issued for this secure connection.■ U2 – This is the default setting. Use this setting

if all certificates that apply to this secure connection are PEM, DER, or PKCS #12 format OS-level files.

■ Windows – All certificates for this connection are looked up from the native Windows certif-icate store. Generally, a CA certificate is looked up from Windows CA and ROOT stores, while My Certificate is looked up from MY stores.


CERT_SYSTEM_STORE_CURRENT_USER

CERT_SYSTEM_STORE_LOCAL_MACHINE


Property Value

Editing Property Values (Continued)



CACertificate Enter the path of the file to contain a certificate authority (CA) certificate for this secure connection, or click Browse to find the path. See specifics for the certificate store type below.


Specify the path of the certificate file that is used as a CA certificate. The format of the certificate can be either PEM, DER, or PKCS #12. With the U2 type, you can specify multiple certificate paths, separating each with a semicolon (;).

If a CA certificate chain is required, you have the choice of specifying multiple certificate files, or, for PEM-format certificates, concatenating the certificate files into one single file (using OS-level editor or command line) and specifying the concatenated file once.


Specify the same “friendly name” or “Common name” that is used for the certificate in the certif-icate store. With the Windows type, specify only one certificate path, generally the most immediate CA certificate (the one used directly to sign the certificate to which authentication is to be performed).

A certificate chain is automatically established and used in an SSL session. Note that the above description is based on the assumption that a correct and complete trust relationship exists in the Windows certificate store for the certificate involved. If a complete chain cannot be formed, an error is reported. This also applies to other certificate-related properties.


Property Value


6-28


MyCertificate Optional for a client SSL property list; required for a server SSL property list.

Enter the path for your certificate for this secure connection, or click Browse to find the path. See specifics for the certificate store type below.


Note that if you specify a path in MyCertificate for a server SSL property list, you must also enter values for MyPrivateKey and PrivateKeyPassword. The format of the certificate can be either PEM, DER, or PKCS #12.


Specify the same “friendly name” or “Common name” that is used for the certificate in the certificate store. Note that when you import a Windows store type certificate into the MY store, you must associate an exportable private key with it by selecting the Exportable private key check box.


Property Value




MyPrivateKey Applicable to the U2 certificate store type only. Required if you entered a value in MyCertificate.

Enter the path for the file that contains the private key associated with My Certificate, or click Browse to find the path. The format of the key file can be either PEM, DER, or PKCS #12.


After the SSL property list has been created, you do not need to keep the private key file in memory. You can store the key file safely on media until the next time you want to modify properties of the SSL property list


PrivateKeyPassword Applicable to the U2 certificate store type only. Required if you entered a value in MyCertificate.

Enter the password for the private key file.


Property Value


6-30


TrustedPeerName Optional. Enter the name of a trusted peer as detailed below.

This property tells U2 that additional checking needs to be performed in authenticating the incoming certificate. If you leave this box blank, the incoming certificate is considered valid when the CA certificate has verified it. However, if you specify a trusted peer name, a further check is performed to verify that the incoming certificate’s SubjectAltName extension or CommonName subject field matches that of the trusted peer.

The trusted peer name can be either a fully specified name (such as [email protected]) or a wildcard name. Two wildcard characters are supported:

% Match any character string



You can enter the names of multiple trusted peers, separating each with a semicolon (;).


Property Value




AuthenticationStrength Optional. Select the appropriate authentication strength option for this secure connection:

■ STRICT – This is the default setting. Strict authentication requires that the following conditions be met:

– The incoming server certificate is a well-formed X.509 certificate.

– A valid CA certificate exists and verifies the incoming server certificate.

– Peer name checking (if specified) is performed.

■ GENEROUS – This strength requires only that the incoming server certificate is a well-formed X.509 certificate. Note that generous authentication is not highly secure. We recommend its use in test environments only.


Property Value


6-32


CertificatePath Applicable to U2 certificate store type only. Optional.

When you specify a certificate by the CACertificate, MyCertificate, or CRL property, the value for that property is registered internally. When the certificate is loaded into memory to establish an SSL connection, U2 uses this registered path by default to retrieve the certificate.

The CertificatePath property allows you to specify different locations in which to search the certificates. Note that this property applies to all certificates in the file. Select one of the following options:

■ DEFAULT – Specifies the above-described behavior.

■ RELATIVE – U2 looks for the certificate in the current directory under which the client process is running.

■ ENV – Enter an environment variable name. With this option, the value of the environment variable is used as the path in which to load the certificates. Note that U2 looks up the environment variable for a client process only the first time the process makes an SSL connection; the value of the environment variable is cached for later reference by that process.

■ PATH – Enter the path for loading certificates specified in this property file, or click Browse to find the path. This can be either an absolute path or a relative path. The default path is C:\U2\UniDK\certs. With this path, the behavior is the same as that of the Default option.


Property Value




CipherSuite Optional. Specify a suite of ciphers to be used in a specific order in the SSL handshake. If you make no entry, the default of all ciphers supported by the OpenSSL open source library applies.


AuthenticationDepth Optional. Enter the level at which to stop U2’s verification process in authentication processing. The default setting is 5, which is a sufficient depth in most cases. If you specify a depth with fewer levels of authentication than actually employed for the certificate, the certificate will not pass authentication.


CRL Optional. Enter the path of a certificate revocation list (CRL) to be used for this secure connection, or click Browse to find the path. You can specify multiple CRL paths, separating each with a semicolon (;).

The CRL is a special certificate published by the certificate authority (CA), containing the serial numbers of certificates that the CA has revoked. If an incoming server certificate is specified, it is checked against the CRL to verify that the certificate has not been revoked before other verification is performed.

The format of the CRL can be either PEM, DER, or PKCS #12.


Property Value


6-34


1. When you have finished making changes to the properties in this SSL property list, take one of the following actions:

To save your changes to the list, click the Save button in the Property List panel.

To save your changes as a new SSL property list, click the Save As button in the Property List panel. The Property List Name and Password dialog box opens. Enter a unique name for the new list, enter a password, and re-enter the password. Click OK.

RandomFileLocation Optional. Enter the absolute path of the directory in which U2 stores random data for the use of SSL operations, or click Browse to find the path. For example, D:\mysys\work is an absolute path. The directory must currently exist and be writable. The default is “.” (the current directory).

By default, random data is stored in the directory in which a client process runs. If you want to control where the random data is stored (for example, to limit users’ access to the random data by storing it in a directory that has restricted permissions), use this property to specify the desired directory.

When the SSL property list is created, the random data file named U2SSL.rnd is created in the directory specified here.


Property Value




Deleting an SSL property listThis section shows you how to delete an SSL property list. It is important that you use the SSL Configuration Editor to perform this task so the file is properly deleted from the Windows Registry.

To delete an SSL property list:

1. In the SSL Property List, select the SSL property list to be deleted.

2. Click the Delete button. The Property List Password dialog box opens.

3. If the selected SSL property list has an associated password, enter the password and click OK. Otherwise, if the property list has no associated password, leave the box blank and click OK.

4. The Please Confirm dialog box opens. The message states that you are about to delete an SSL property list and requests your confirmation to proceed.

If you want to cancel the deletion, click Cancel.

Otherwise, if you want to complete the procedure and delete the SSL property list, click OK. The SSL property list is deleted from the Registry.

6-36


Copying an SSL property listThis section details the steps for copying an SSL property list. The copy function allows you to create a new list from an existing list.

You can use this function for two different purposes:

Create a list that is similar to the original – When you have a new list, you can edit its properties, specifying the characteristics of a secure connection that is similar to the connection defined by the original list.

Rename an existing list and assign it a password – If an existing list has no password or you want to change its password, you can use this function to rename the list and assign a new password. You can then delete the original list if it is no longer needed.

Do not copy an SSL property list by any method other than the SSL Configu-ration Editor. You must use this tool so the list is entered properly in the Registry.

To copy an SSL property list:

1. In the SSL Property List, select the SSL property list to be copied.

2. Click File > Copy. The Property List Password dialog box opens.

3. To continue with the copy procedure,

If the SSL property list to be copied has an associated password, enter the password and click OK.

If the property list has no associated password, leave the box blank and click OK.

The Console displays the message “List ‘listname’ has been copied successfully.”

Otherwise, to cancel the copy procedure, click Cancel.

4. In the SSL Property Explorer pane, right-click the SSL Property Lists folder. In the Enter name for new property list box, the system-generated name for the new list is highlighted. Enter a unique name for the new list.



5. Optional. In the Enter password for property list box, assign a password to the new list. To increase the level of security, we strongly recommend that you establish a password for the SSL property list.

6. If you entered a password for the SSL property list, you must verify the password. In the Re-enter password box, type the same password again.

6-38


Renaming an SSL property listThis section provides instructions for renaming an SSL property list. The rename function allows you to change the name of an existing list by overwriting the old name.

Do not rename an SSL property list by any method other than the SSL Config-uration Editor. You must use this tool so the list is entered properly in the Registry.

To rename an SSL property list:

1. In the SSL Property List, right-click the SSL property list to be renamed.

2. Select the Rename option.The Property List Name and Password dialog box opens.

3. In the Enter name for new property list box, enter a unique name for the list.

4. To continue with the rename procedure,

If the SSL property list to be renamed has an associated password, enter the password and click OK.

If the property list has no associated password, leave the box blank and click OK.

The Console displays the message “List ‘old_listname’ has been renamed to ‘new_listname’.”

Otherwise, to cancel the rename procedure, click Cancel.



Using the Trace featureThe SSL Configuration Editor provides a Trace feature for recording all operations performed through the tool on SSL property lists. The events of these operations are written to a file named U2SSLConfig.log and also displayed in the Console pane.

You can use the log to track activity on the lists and to troubleshoot any problems that may arise when performing operations on the lists.

The log is located by default in your C:\temp folder. The log file name and location can be changed at the user’s discretion.

When you initially open the SSL Configuration Editor, Trace mode is turned off by default. This section contains instructions for turning Trace mode on and off.

To use the Trace feature:

1. In the SSL Property List, right-click the SSL property list for which you want to use the Trace feature.

6-40


2. Select Trace. The Trace Log dialog box opens with the following trace options: Trace Log Level and Trace Log File

Trace Log Level

Trace Log File - Browse to the location where the trace file should reside. The default location for the Trace file is C:\temp\U2SSLConfig_WIN.log.

3. With Trace mode turned on, perform operations on SSL property lists as you normally would. The events of these operations are recorded in the log.

4. To turn off Trace mode, choose File ➤ Trace.

5. Navigate to the folder containing the log and open the file to view its contents.

Log level Description

1 - Brief The information in the trace file will contain only the function name.

2 - Detail The information provided in the trace file will contain the function name and function details. This is the default setting.

3 - All The information provided in the trace file will contain the function name, function details, as well as all additional information. This setting has the potential to create very large SSL log files, so should be used with caution.

Property Editor
