cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

CMS SSL config and thick clients

Go to solution
Joe_Peters
Active Contributor

‎2025 Apr 24 4:08 PM - edited ‎2025 Apr 24 6:25 PM

277

I am familiarizing myself with the steps necessary to implement SSL on the CMS.  But I'm unsure about the steps for configuring thick clients, specifically IDT/UDT and Crystal Reports.

The admin guide implies that the server certs should be copied to the clients, and sslconfig run to import them.  But the SAP article that describes the process in detail specifically says that server certificates should not be used.  So I have questions:

  • Assuming the article is correct, is it true that all of the cert files have to be re-generated on the client, and none of the server certs are copied to the client?
  • This article (regarding a client connecting to multiple servers) indicates that as long as the server certs are from the same CA, then the client can connect to any server.  If true, doesn't this mean that the certs installed on the clients really have no reference to a server?  I should be able to create a single client cert, copy the files to all my clients, and use that for multiple CMSs?
  • Thinking about this more, doesn't it also mean that I need only a single server cert, even for multiple clusters?
  • What if a client is connecting to an SSL-enabled CMS and a non-SSL-enabled CMS?  

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
View Entire Topic
Joe_Peters
Active Contributor
4 weeks ago
0 Kudos

I'm answering my own question to provide information on what I've found out.

I've done a lot of research and testing over the past few weeks, and also had an incident with SAP, and what I've learned is somewhat unsettling.

With the server and client both properly configured with CA-signed certificates, the only certificate validation that's done is:

  • Certificate effective/expiration date
  • Both server and client certs are trusted by the same root CA

Despite the documentation and SAP notes, the CN in each cert is completely ignored -- no hostname validation is performed by either side.  At least this is what I've found in all of my tests so far.

Distributing CA-signed certs to clients is unusual but not unheard of.  But in situations where they are, it's typically done for authentication -- the client authenticates to the server with a credential associated with the client cert.  But that's not happening here, so I'm struggling to understand why a client cert is needed at all.  But it is, so I need to configure it.

I also confirmed that once a client is configured for SSL, it can not connect to a non-SSL-enabled CMS.  I need to either run "sslconfig -protocol default" or toggle a registry key.  

Finally, I confirmed that although both the server and the client need to be pointed to five files (public cert, root cert, private key, passphrase, and pse), only the pse and passphrase files are actually used.  From what I can tell, the pse is a form of Java keystore and contains the two public certs and the private key.

Show replies
Show replies
Ask a Question