Active Directory Certificate Services (AD CS)
The following procedure describes how to use an Active Directory Certificate Services (AD CS) certification authority (CA) to generate the certificates used for SSL communication between the Uniface Anywhere Client and the Uniface Anywhere Hosts.
Create and Enable SSL UA Host Certificate Template
By default, the templates shipped with AD CS do not allow the private key to be exported, so you need to create a template that permits export of the private key (PVK).
- On the appropriate server (e.g. the CA), open Certificate Services Manager (certsrv.msc).
- In the left pane, select Certificate Templates and choose Manage from the Action menu.
- In the Certificate Templates Console, select the template 'SSL Certificates' (in a default AD CS installation the template intended for server authentication is called 'Web Server') and choose 'Duplicate Template' from the Action menu.
- Compatibility tab: select the highest compatibility settings that your CA and your Host operating systems support; a level newer than the Hosts makes the template invisible to them.
- General tab: give the template a name such as 'UA Host SSL Certificates'.
- Request Handling tab: select 'Allow private key to be exported'.
- Cryptography tab: set Provider Category to 'Key Storage Provider' and Request hash to 'SHA256'.
- Security tab: remove the Enroll permission from every user or group that does not need it, leaving only the administrator (or the specific accounts that will enroll Hosts). Because this template allows private-key export, keep the set of principals that can enroll as small as possible.
- Press OK to create the template.
- Close the Certificate Templates Console.
- In Certificate Services Manager (certsrv.msc), open the Action menu and select New > Certificate Template to Issue.
- Find and select the template 'UA Host SSL Certificates'.
- Press OK to add it to the CA's list of issued templates.
- Close certsrv.msc.
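After publishing the template, it is worth checking that it actually has the two properties the steps above set: the private key is exportable, and only the intended principals hold the Enroll permission. The PowerShell script below is an added example and not part of the Uniface Anywhere documentation. It assumes the template's object name (CN) is 'UAHostSSLCertificates', which is what the console derives from the display name 'UA Host SSL Certificates' by default, and that it is run on the CA (or on a machine where certutil can reach the CA) by a domain user.

```powershell
# Added example (not from the Uniface Anywhere documentation): audit the new
# template. The CN 'UAHostSSLCertificates' is an assumption; list template CNs
# with "certutil -template" if yours differs.
param([string]$TemplateCn = 'UAHostSSLCertificates')

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Private-key flags. Bit 0x10 (CT_FLAG_EXPORTABLE_KEY) is what the
#    'Allow private key to be exported' checkbox on the Request Handling tab sets.
$pkFlags    = [int]$template.Properties['msPKI-Private-Key-Flag'].Value
$exportable = ($pkFlags -band 0x10) -ne 0
'Private key exportable: {0} (msPKI-Private-Key-Flag = 0x{1:X})' -f $exportable, $pkFlags

# 2. Who may enroll. Enroll is the extended right
#    0e10c968-78fb-11d2-90d4-00c04f79dc55; an ExtendedRight ACE with an empty
#    object GUID (all extended rights) or a GenericAll ACE grants it as well.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$adRights    = [System.DirectoryServices.ActiveDirectoryRights]
$rules = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$canEnroll = foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    $grants = $r.ActiveDirectoryRights.HasFlag($adRights::GenericAll) -or
              ($r.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
               ($r.ObjectType -eq $enrollRight -or $r.ObjectType -eq [guid]::Empty))
    if ($grants) { $r.IdentityReference.Value }
}
'Principals that can enroll:'
$canEnroll | Sort-Object -Unique

# Broad groups here mean the Security tab clean-up was not done.
$broad = $canEnroll | Where-Object { $_ -match 'Domain Users|Domain Computers|Authenticated Users' }
if ($broad) { Write-Warning "Template is enrollable by broad groups: $($broad -join ', ')" }

# 3. Confirm the template is published on the CA (the 'Certificate Template to
#    Issue' step). Run on the CA, or add -config "CAHost\CAName" to certutil.
'Published on the CA:'
certutil -CATemplates | Select-String -SimpleMatch $TemplateCn
```

If the script prints no match in the last step, the template exists in Active Directory but the CA will not issue from it; repeat the 'Certificate Template to Issue' step. If the warning fires, go back to the Security tab before any Host enrolls.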
Create UAhost Certificate and its Private Key file
- On the Uniface Anywhere Host machine, logged on as Administrator or as a user who is allowed to enroll 'UA Host SSL Certificates', open the Microsoft Management Console (mmc.exe).
- From the File menu, select Add/Remove Snap-in.
- Select Certificates and click Add.
- Select 'Computer account' and click Next.
- Select 'Local computer' and click Finish.
- Click OK to close the Add/Remove Snap-in window.
- Certificates now appears in the console tree on the left. Right-click 'Personal', select 'All Tasks', then 'Request New Certificate'.
- Click Next on the first screen (Before You Begin).
- Click Next on the Select Certificate Enrollment Policy screen, leaving 'Active Directory Enrollment Policy' selected.
- Under 'Active Directory Enrollment Policy', tick 'UA Host SSL Certificates' and click Enroll. A certificate is issued and placed in the Local Computer > Personal > Certificates store.
- Right-click the certificate you just enrolled, select 'All Tasks', then Export.
- Click Next on the first screen (Welcome).
- Select 'Yes, export the private key' and click Next.
- Select 'Personal Information Exchange - PKCS #12 (.PFX)' and 'Include all certificates in the certification path if possible', then click Next.
- Select 'Password', enter a strong password twice, and click Next.
- Enter a path and file name such as d:\tempcert\Server.PFX and click Next.
- Click Finish to close the Certificate Export Wizard. The PFX file, which contains the certificate and its private key, is written to the temp directory; it is protected only by the password you chose, so treat it as a secret.
- Right-click the same certificate again, select 'All Tasks', then Export.
- Click Next on the first screen (Welcome).
- Select 'No, do not export the private key' and click Next.
- Select the format 'DER encoded binary X.509 (.CER)' and click Next.
- Enter a path and file name such as d:\tempcert\Server.CER and click Next.
- Click Finish to close the Certificate Export Wizard. The DER-encoded certificate (public part only, no private key) is written to the temp directory.
- Close the Microsoft Management Console.
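The same enrollment and the two exports can be scripted on the Host, which is useful when several Hosts need certificates. The script below is an added example, not part of the Uniface Anywhere documentation; it assumes an elevated PowerShell prompt on the Host, the template CN 'UAHostSSLCertificates', and the output directory D:\tempcert, all of which are placeholders.

```powershell
# Added example (not from the Uniface Anywhere documentation): enroll from the
# 'UA Host SSL Certificates' template and export .PFX and .CER like the MMC
# steps above. Template CN and output directory are assumptions.
$templateCn = 'UAHostSSLCertificates'
$outDir     = 'D:\tempcert'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Enroll via the Active Directory enrollment policy into Local Computer\Personal.
# If your template's Subject Name is 'Supply in the request', add
#   -DnsName ([System.Net.Dns]::GetHostEntry('').HostName)
$result = Get-Certificate -Template $templateCn -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment not completed, status: $($result.Status)" }
$cert = $result.Certificate
if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key in the machine store' }
"Enrolled $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Export 1: certificate + private key + chain as PKCS#12, password-protected.
# The password is prompted for, never placed on the command line.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'Server.PFX') `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Export 2: the public certificate only, DER encoded (.CER).
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'Server.CER') -Type CERT | Out-Null

# Sanity check: the .CER on disk must be the certificate that was just enrolled.
$cerOnDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Join-Path $outDir 'Server.CER')
if ($cerOnDisk.Thumbprint -ne $cert.Thumbprint) { throw 'Exported .CER does not match the enrolled certificate' }
Get-ChildItem $outDir
```

Get-Certificate, Export-PfxCertificate and Export-Certificate come from the PKI module that ships with Windows Server 2012 and later. A Status of Pending means the CA is configured to hold requests for approval; the export steps then have to wait until an administrator issues the request.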
Prepare Certificate files for use with UA
The files created with the above procedure (the .PFX and the .CER) are in binary, DER-based formats. Uniface Anywhere requires the certificate and its private key as PEM-formatted files.
The following procedure describes how to convert the DER-formatted files into PEM-formatted files.
For this procedure you need OpenSSL. On Linux systems it is part of the operating system; on Windows you need to install it.
OpenSSL downloads can be found at https://wiki.openssl.org/index.php/Binaries
- Note the location of the OpenSSL executable as <openssl_path>.
- Note the location of the two certificate files as <cert_path>.
- Open cmd.exe and run the OpenSSL conversion commands in <cert_path>.
The server private key file and the certificate file (e.g., server.crt) must have the same base filename and be located in the same directory on the Uniface Anywhere Host.
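The conversion and a check that the resulting key really belongs to the certificate, as an added example that is not part of the Uniface Anywhere documentation. It assumes OpenSSL is installed at the path given as $openssl (your <openssl_path>), the exported files are in D:\tempcert (your <cert_path>), and uses 'server' as the common base filename; the key file name server.key is this example's choice, not a name taken from the page.

```powershell
# Added example (not from the Uniface Anywhere documentation): PFX/CER -> PEM
# with OpenSSL, then verify that key and certificate match. Paths are assumptions.
$openssl  = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # <openssl_path>, adjust
$certPath = 'D:\tempcert'                                       # <cert_path>, adjust
Set-Location $certPath

# Private key: PKCS#12 -> PEM. -nocerts keeps only the key; -nodes writes it
# without a passphrase (the Host must read it unattended), so the result must
# only ever live in the restricted directory described in the next section.
# OpenSSL prompts for the PFX password; it is not put on the command line.
& $openssl pkcs12 -in Server.PFX -nocerts -nodes -out server.key
if ($LASTEXITCODE -ne 0) { throw 'PFX to PEM key conversion failed' }

# Certificate: DER (.CER) -> PEM (.crt), same base filename as the key.
& $openssl x509 -inform DER -in Server.CER -outform PEM -out server.crt
if ($LASTEXITCODE -ne 0) { throw 'DER to PEM certificate conversion failed' }

foreach ($f in 'server.key', 'server.crt') {
    if (-not (Test-Path $f)) { throw "$f was not written" }
}

# Key/certificate match: the public key derived from each must be identical.
$pubFromCert = & $openssl x509 -in server.crt -noout -pubkey
$pubFromKey  = & $openssl pkey -in server.key -pubout
if (($pubFromCert -join "`n") -ne ($pubFromKey -join "`n")) {
    throw 'server.key does not match server.crt'
}

# Show what was produced so it can be compared with the CA's records.
'Key and certificate match. Certificate details:'
& $openssl x509 -in server.crt -noout -subject -issuer -dates -fingerprint -sha256
```

If the PFX was exported with 'Include all certificates in the certification path', the same PFX also yields the CA chain with `openssl pkcs12 -in Server.PFX -nokeys -cacerts -out chain.pem`, which is handy when a client does not already trust the issuing CA.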
Enable the SSL protocol on the Host
- Create a directory on the Uniface Anywhere Host that the System account can access but that the accounts of users who sign in to the Host cannot, because the private key file will be stored there.
- Copy the files created above (the PEM private key file and server.crt) to this directory on the Uniface Anywhere Host.
- Start the Uniface Anywhere Cluster Manager / Admin Console. From the menu, choose Tools > Host Options... and select the Security tab.
- Change Transport to SSL, select the desired Encryption, browse to the SSL Certificate file and select 'server.crt'.
  To notify users that they have a secure connection to the host, select the Notify box.
- Click OK to close Host Options.
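Creating the restricted directory and verifying its permissions, as an added example that is not part of the Uniface Anywhere documentation. The directory path, the source directory D:\tempcert and the key file name server.key are assumptions from this example.

```powershell
# Added example (not from the Uniface Anywhere documentation): a certificate
# directory readable by SYSTEM and local Administrators only, then a check
# that no ordinary-user group retained access. Paths are assumptions.
$certDir = 'C:\ProgramData\UAHost\ssl'   # placeholder, adjust
$src     = 'D:\tempcert'                 # where server.key / server.crt were written

New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# Drop inherited ACEs and grant an explicit list: SYSTEM and Administrators,
# full control, inherited by files created inside. Nobody else is listed,
# so users who sign in to the Host get no access at all.
icacls $certDir /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'icacls failed' }

Copy-Item (Join-Path $src 'server.key'), (Join-Path $src 'server.crt') -Destination $certDir

# Verify: fail if any of the usual broad groups still has an ACE.
$acl  = Get-Acl $certDir
$weak = $acl.Access | Where-Object {
    $_.IdentityReference.Value -match '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone)$'
}
if ($weak) { throw "Certificate directory still accessible to: $($weak.IdentityReference.Value -join ', ')" }
"ACL on $certDir :"
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# The unencrypted key must not stay in the temp directory. The .PFX is
# password-protected and may be kept as the backup copy.
Remove-Item (Join-Path $src 'server.key') -Force
```

Run this before pointing Host Options at server.crt, so the Host never reads the key from a location that signed-in users can also read.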
SSL on dependent hosts
Dependent hosts do not need their own SSL certificates, but the relay server they are assigned to must have a valid SSL certificate signed by a CA that the dependent hosts trust.