Understanding SSL in IBM® EMM
As we have seen, many IBM® application components can act as both server and client during normal operations, and some IBM® components are written in Java and some in C++. These facts determine the format of the certificates you use. You specify the format when you create a self-signed certificate or purchase one from a CA.
Remember, IBM® applications do not require a truststore when they act as a client making one-way SSL requests to an IBM® server component.
Java component acting as a server
For IBM® applications written in Java, using the JSSE SSL implementation, and deployed on an application server, you must configure the application server to use your certificate. The certificate must be stored in JKS format.
Application servers provide default certificates, which require no additional configuration. The application server default certificate is used when you simply enable an SSL port in the application server and do not perform any additional configuration in the application server.
If you use a certificate other than the default certificate supplied by the application server, additional configuration is required. This configuration is described in Configure your web application servers for SSL.
C++ component acting as a server
The Campaign listener, the Contact Optimization server component, the PredictiveInsight server component, and the Attribution Modeler listener are written in C++ and require a certificate stored in PEM format.
Java component acting as a client
For IBM® applications written in Java and deployed on an application server, no truststore is needed. For ease of configuration, IBM® Java applications acting as a client do not authenticate the server during one-way SSL communications. However, encryption does take place.
C/C++ components acting as a client
For applications written in C/C++ and using the OpenSSL implementation, no truststore is needed. The Campaign listener, Contact Optimization server component, PredictiveInsight server component, Attribution Modeler listener, and NetInsight fall into this category.
How many certificates?
Ideally, you should use a different certificate for every machine that hosts an IBM® component acting as a server.
If you do not want to use multiple certificates, you can use the same certificate for all the IBM® components acting as servers, provided it is in the correct format (that is, JKS for Java components and PEM for C++ components). If you use one certificate for all applications, when users access IBM® applications for the first time, the browser asks whether they want to accept the certificate.
Examples in this chapter show you how to create self-signed certificate files for use with Java and C++ IBM® components.
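The format rule above (JKS for Java server components, PEM for C++ server components) can be checked before a certificate file is deployed. The following is an added example, not part of the IBM documentation or product: the function names, the `java`/`cpp` component labels, and the sample byte strings are assumptions constructed for illustration.

```python
import re
import struct

# Format each server component type needs, as stated on this page.
REQUIRED = {"java": "JKS", "cpp": "PEM"}

JKS_MAGIC = 0xFEEDFEED    # header of a JKS keystore file
JCEKS_MAGIC = 0xCECECECE  # header of a JCEKS keystore file (not JKS)
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def detect_format(data: bytes) -> str:
    """Classify a certificate or keystore file by its content."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    if PEM_BLOCK.search(data):
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE: binary DER or PKCS#12
        return "DER-or-PKCS12"
    return "unknown"


def pem_labels(data: bytes) -> list:
    """Return the PEM block labels found, e.g. CERTIFICATE, PRIVATE KEY."""
    return [label.decode() for label in PEM_BLOCK.findall(data)]


def check(component: str, data: bytes) -> tuple:
    """Return (ok, found_format) for a 'java' or 'cpp' server component."""
    found = detect_format(data)
    return found == REQUIRED[component], found


# Constructed sample inputs (headers only, no real key material).
SAMPLE_JKS = struct.pack(">II", JKS_MAGIC, 2) + b"\x00" * 8
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
              b"-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n")
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("jks", SAMPLE_JKS), ("pem", SAMPLE_PEM), ("der", SAMPLE_DER)]:
        print(name, check("java", blob), check("cpp", blob), pem_labels(blob))
```

To check a real file, pass its bytes (read with `open(path, "rb").read()`) to `check`; a binary DER or PKCS#12 file is reported as a mismatch for both component types.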