Consultor Eletrônico



Kbase P61914: How to deploy WebClient with digital certificates?
Author   Progress Software Corporation - Progress
Access   Public
Published   15/10/2008
Status: Unverified

GOAL:

How to deploy WebClient with digital certificates?

GOAL:

What are the prerequisites for deploying a WebClient with digital certificates?

FACT(s) (Environment):

Progress 9.1C
Progress 9.1D
OpenEdge 10.x

FIX:

This information is located in the installDir\certs\readme file.

1. A digital certificate

2. A server certificate installed on the Web server.
The details of this installation vary from Web server to Web server; follow your
Web server's instructions for requesting and installing a server certificate.

3. The Progress client has access to the root certificate that corresponds to the
server certificate. The Progress "Client-Side Security" and WebClient products
automatically install root certificates for the RSA, Verisign or Thawte certificate
authorities (issuers). The root certificates are placed in the install-dir/certs
(e.g. $DLC/certs) directory on the client machine.

The Progress WebClient or Client-Side Security product must be installed on the
client machine in order to get the required certificates and utilities for
enabling AppServer https support.


If you are managing your own Certificate Server (for an intranet), rather than
using one of the three certificate authorities above, additional steps are
necessary before the Progress 4GL client (or WebClient) will be able to establish
a trust relationship with your server certificate.

1. Obtain a copy of a PEM encoded certificate from a Certificate Server. The
Certificate Server administration has options for getting this certificate.
This step is required to make the (internal-use) Cert Server a trusted signing
authority (issuer). If you skip this step, the AppServer CONNECT("-URL
https://...") call will fail with the error "Secure Socket Layer (SSL) failure. error
code -54: unable to get local issuer certificate (9318)".

2. Copy that PEM file onto the machine where the Progress client will run.

3. On the client machine, set the DLC environment variable. See the example in
the $DLC/bin/mkhashfile shell script on UNIX, or %DLC%\bin\mkhashfile.bat on
Windows.

4. On the client machine, run the mkhashfile command specifying the PEM encoded
certificate (from step 2) as the only command argument.
This creates a copy of the PEM encoded certificate file from step 2 as a
hashed file name and copies it to the directory on the client
machine. On Windows, run the mkhashfile command in a PROENV DOS box, as PROENV
will properly set DLC.
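
A preflight wrapper for steps 3 and 4 on UNIX, added here as an example and not taken from Progress's own scripts: it checks that DLC is set, rejects a file that is not a single PEM certificate (for instance a DER export), runs mkhashfile with the file as its only argument, and prints the file names that newly appeared in the certs directory so the added trust anchor is on record. The function names and return codes are this example's own, and it assumes the hashed copy lands in $DLC/certs, the directory this article names for root certificates.

```shell
#!/bin/sh
# Added example: preflight checks around mkhashfile (UNIX).
# Function names and return codes are this example's own convention.

# check_env: 0 ready, 1 DLC unset, 2 mkhashfile not found, 3 certs directory missing
check_env() {
    [ -n "${DLC:-}" ] || return 1
    [ -x "$DLC/bin/mkhashfile" ] || return 2
    [ -d "$DLC/certs" ] || return 3
}

# check_pem FILE: 0 exactly one PEM certificate, 1 unreadable,
# 2 no PEM header (e.g. a DER export), 3 more than one certificate,
# 4 BEGIN/END markers do not pair up (truncated copy)
check_pem() {
    [ -r "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -ge 1 ] || return 2
    [ "$begins" -eq "$ends" ] || return 4
    [ "$begins" -eq 1 ] || return 3
}

# install_ca FILE: run both checks, call mkhashfile with FILE as its only
# argument, then print every name in $DLC/certs that was not there before.
# Assumption: the hashed copy is written to $DLC/certs.
install_ca() {
    check_env || { echo "environment check failed (code $?)" >&2; return 10; }
    check_pem "$1" || { echo "certificate check failed (code $?)" >&2; return 11; }
    before=$(ls "$DLC/certs")
    "$DLC/bin/mkhashfile" "$1" || return 12
    for name in $(ls "$DLC/certs"); do
        printf '%s\n' "$before" | grep -qxF -e "$name" || printf '%s\n' "$name"
    done
}

# Stand-alone use: sh preflight.sh /path/to/ca.pem
if [ $# -gt 0 ]; then install_ca "$1"; fi
```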