3.1.2 SSL connections with DATA Boreum

SSL or TLS?

Everyone, including us, talks about SSL when it comes to securing communication channels. SSL has become established as the term for secure communication and is now used much like a deonym, a brand name that has turned into a generic term (other deonyms include Kleenex, Band-Aid, and Xerox). So, when we continue to talk about SSL, we are of course always referring to TLS 1.2 and TLS 1.3. SSL and older versions of TLS are long outdated and insecure, and are no longer used.

DATA Boreum and Governikus server software

DATA Boreum can use the signature services and time stamp services offered by the Governikus server software DATA Deneb (product of the Governikus Suite 5.x) and DATA Sign Fachintegration (stand-alone business integration). Communication between DATA Boreum and the Governikus server software is secured via SSL.

If you have configured Governikus server software in DATA Boreum (see chapter 5.4), the connections between DATA Boreum, the authentication server and the Governikus server software are secured via SSL. The SSL keystores and truststores on the servers that run the authentication service and the Governikus server software must contain SSL certificates issued by qualified certificate authorities, such as D-Trust or TeleSec. If you use SSL certificates from your own PKI or other self-signed SSL certificates, no SSL connection can be established, because DATA Boreum offers no option for storing these SSL certificates. However, it is possible to store an SSL certificate in the Java runtime environment that is used to run DATA Boreum.

 

Workaround for SSL certificates

If you have secured the SSL connections with your own SSL certificates, you can store them in the truststore of the Java runtime environment (JDK). This is where DATA Boreum looks for trusted SSL certificates.

·     JDK truststore: The truststore of a JDK can usually be found in this path:

<JDK installation directory>/lib/security

·     Truststore name: The truststore is named cacerts (with no other file extension).

·     Truststore password: The password for the cacerts file is changeit.

·     Add SSL certificates: To add the SSL certificates of the authentication service and the Governikus server software to the truststore cacerts as "trusted certificates", you need administrator rights.

·     Restart: Restart DATA Boreum afterwards.
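
The steps above as a shell function around the JDK's keytool; this is an added example and not part of the DATA Boreum documentation. The JDK path, the alias and the certificate file name are placeholders, and the certificate is assumed to be a PEM or DER file obtained from the operator of the server.

```shell
#!/bin/sh
# Added example: import a certificate into the cacerts truststore of the JDK
# that runs DATA Boreum. Alias and file names below are placeholders.

# trust_cert JDK_HOME ALIAS CERT_FILE
trust_cert() {
    jdk_home=$1; alias_name=$2; cert_file=$3
    keytool="$jdk_home/bin/keytool"
    cacerts="$jdk_home/lib/security/cacerts"
    storepass="${STOREPASS:-changeit}"   # password stated in the documentation

    [ -x "$keytool" ]   || { echo "keytool not found: $keytool" >&2; return 2; }
    [ -f "$cacerts" ]   || { echo "truststore not found: $cacerts" >&2; return 2; }
    [ -r "$cert_file" ] || { echo "cannot read certificate: $cert_file" >&2; return 2; }
    [ -w "$cacerts" ]   || { echo "no write access, administrator rights needed" >&2; return 3; }

    # Stop early if the alias is already in use, before anything is changed.
    if "$keytool" -list -keystore "$cacerts" -storepass "$storepass" \
            -alias "$alias_name" >/dev/null 2>&1; then
        echo "alias already present: $alias_name" >&2
        return 4
    fi

    # Keep a timestamped copy of the untouched truststore for rollback.
    cp -p "$cacerts" "$cacerts.bak.$(date +%Y%m%d%H%M%S)" || return 5

    # Without -noprompt, keytool displays the certificate and asks for
    # confirmation: compare the fingerprint with the one supplied by the
    # operator of the server before answering "yes".
    "$keytool" -importcert -alias "$alias_name" -file "$cert_file" \
        -keystore "$cacerts" -storepass "$storepass" || return 6

    # Confirm that the new entry is listed as a trusted certificate.
    "$keytool" -list -keystore "$cacerts" -storepass "$storepass" \
        -alias "$alias_name"
}

# Example call (placeholders): sh trust_cert.sh /opt/jdk governikus-server server.pem
if [ "$#" -eq 3 ]; then
    trust_cert "$@"
fi
```

Run it once per certificate (authentication service, Governikus server software) with administrator rights, then restart DATA Boreum.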