Apply Destination Connector SSL Settings

Item	Name	Default Value	Description
A	Server Certificate Validation	Enabled	If enabled, only the certificates configured in the below Trusted Client Certificates section will be trusted. If disabled, all certificates are automatically trusted.
B	Trusted Server Certificates	Java Truststore only	Select the wrench icon here to select which certificates to trust. This applies not only to certificates presented by servers, but also to those trusted for CRL / OCSP revocation checking. For additional information, seeTrusted Server Certificates
C	Hostname Verification	Enabled	If enabled, validation will fail if the Subject CN (or Subject Alternative Name) presented in the server certificate does not match the actual endpoint the connector is dispatching to. If disabled, valid certificates will be accepted even if the host name does not match.
D	Subject DN Validation	No	If enabled, only server certificates with subject distinguished names (DNs) matching the given list will be allowed. If a server certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail. For additional information, see Subject DN Validation
E	Allow Expired Certificates	No	If disabled, both local and remote certificates will be checked during the SSL handshake to ensure that none of the certificates in the accessible chain have expired.
F	OCSP Revocation Checking	No	Select Yes to enable Online Certificate Server Protocol (OCSP) checking for all local and remote certificates. The issuer of the response certificate must be trusted as well in order to verify signatures. For additional information, see OCSP Revocation Checking
G	CRL Revocation Checking	No	Select Yes to enable Certificate Revocation List (CRL) checking for all local and remote certificates. The issuer of the CRL must be included in your trusted certificates as well in order to verify signatures. For additional information, see CRL Revocation Checking
H	My Client Certificate	None	If client/mutual authentication is needed, select the local certificate used to identify this connector. For additional information, see My Client Certificate
I	Enabled Protocols	Server defaults	The TLS/SSL protocols to enable for this listener connector. For additional information, see Enabled TLS/SSL Protocols
J	Enable Sipher Suites	Server defaults	The TLS/SSL cipher suites to enable for this listener connector. For additional information, see Enabled TLS/SSL Cipher Suites

SSL Manager User Guide

Apply Source Connector SSL Settings

On the Channels page, double-click a channel in the Channel list. Select the Source tab. In the Connector Type field, select the connector type that supports the SSL Manager (for example, HTTP Listener, Web Service Listener, File Reader in FTP mode). In the SSL Settings section - Enable field, select Yes. Enabling SSL Settings Select the wrench icon to open the SSL Settings window: Items on the SSL Settings Window Item Name Default Value Description A My Server Certificate None Select the local certificate used to identify this listener connector. For additional information, see My Server Certificate B Client Authentication Disabled Disabled: No client authentication is requested. Request: Client certificate is requested but not required. If the client presents a certificate it will be used for extra security. Require: Client certificate is required. If the client does not present a certificate, the handshake will fail. C Client Certificate Validation Enabled If enabled, only the certi

SSL Manager User Guide

Settings

Certificate DN Regex (optional) settings Validation Errors Select the type of errors you want this alert to trigger on. Expired: Triggers when a certificate has expired or is about to expire. If this option is checked, the Cert Expiration Settings below will be used. Revoked by CRL: Triggers when a channel/connector has CRL Revocation Checking enabled and encounters a certificate that has been revoked according to the CRL. Revoked be OCSP: Triggers when a channel/connector has OCSP Revocation Checking enabled and encounters a certificate that has been revoked according to the OCSP provider. DN Rejected: Triggers when a channel/connector has Subject DN Validation enabled and encounters a certificate that has been rejected due to an incorrect Subject DN. Cert Expiration Settings These settings are used when the Expired error type is enabled. Time Until Expiration: The amount of time (for example, 7d) before a certificate expires to trigger the alert. Only valid down to a minute-level pre

SSL Manager User Guide

Common Connector SSL Settings

The following sections provide descriptions and examples of common connector SSL settings. Subject DN Validation OCSP Revocation Checking CRL Revocation Checking Enabled TLS/SSL Protocols Enabled TLS/SSL Cipher Suites Subject DN Validation OCSP Revocation Checking CRL Revocation Checking Enabled TLS/SSL Protocols Enabled TLS/SSL Cipher Suites

SSL Manager User Guide

Trusted Server Certificates

Trusted Server Certificates: On the SSL Settings window in the Trusted Server Certificates field, select the Wrench icon. The Trusted Certificates window appears. which is identical in task options and appearance to the Public Certificates table on the Settings - SSL Manager page. If the Server Certificate Validation is disabled, the destination connector assumes that any certificate it receives is automatically trusted. When Validation is enabled (previous graphic), you can select specific trusted certificates by selecting the Wrench icon next to Trusted Server Certificates. A Trusted Certificates window appears that is identical in task options and appearance to the Public Certificates table on the Settings - SSL Manager page, except for the Trust column (left end of the table) by which you select the desired server certificate. Trusted Certificates Window with Check Boxes for Selecting Certificates Check the boxes of the desired certificates (or select the Select All / Deselect All

SSL Manager User Guide

My Client Certificate

My Client Certificate: If the server to which you are connecting requires client (two-way) authentication, select the Wrench icon next to My Client Certificate. A My Certificate window appears that is identical in task options and appearance to the My Certificates table on the Settings - SSL Manager page. Selecting a Certificate on the My Certificate Window Select the desired certificate, then select OK. Parent topic: Apply Destination Connector SSL Settings

SSL Manager User Guide

Subject DN Validation

If enabled, only client certificates with subject distinguished names (DNs) matching the given list will be allowed. If a client certificate not matching any of the trusted DNs is presented, the SSL connection / handshake will fail. Subject DN Validation option on the SSL Settings window Select the wrench icon to open the Trusted Subject DNs window: Set Trusted Certificate Subject DNs window Select the New / Delete buttons to add or remove entries. For each Trusted Subject DN entry, configure the following: Distinguished Name: The full or partial distinguished name (DN) to trust. This will be matched against the Subject DN of the remote certificate. Full Match: If enabled, all components (RDNs) configured here must match the ones in the certificate, and the subject DN cannot have any additional components. If disabled, the components configured here will only be considered a required subset, and the subject DN may have additional components. Example 1 Example 2 Example 3 Parent topic:

Apply Destination Connector SSL Settings

Recommendations

Apply Source Connector SSL Settings

Settings

Common Connector SSL Settings

Trusted Server Certificates

My Client Certificate

Subject DN Validation

Apply Source Connector SSL Settings

Settings

Common Connector SSL Settings

Trusted Server Certificates

My Client Certificate

Subject DN Validation