About configuring SSL in the Integrator Acquisition System

Configuring SSL in the Integrator Acquisition System enables SSL communication among all the IAS components.

To configure SSL in IAS, you need to do the following:
  1. Enable SSL for the Endeca IAS Service. Optionally, enable mutual authentication and, if desired, disable HTTPS as part of this step.
  2. Enable SSL for the IAS Command-line Utilities.
  3. Enable the Endeca Web Crawler to write to an SSL-enabled Record Store instance.

HTTPS redirects

Although enabling HTTPS redirects is optional, it is highly recommended to simplify IAS configuration. You can use the default IAS ports during installation and system setup and then perform minimal configuration to redirect requests from the default port (HTTP) to a secure port (HTTPS). For this reason, the IAS configuration files have HTTPS redirects enabled by default.

Mutual authentication and server-only authentication

The Integrator Acquisition System supports both mutual authentication (client and server authentication) and server-only authentication. Oracle recommends configuring your environment for mutual authentication.

Mutual authentication requires a keystore and truststore for clients of the Endeca IAS Service. Server-only authentication requires only truststore configuration.

SSL version 3.0

The Integrator Acquisition System supports Version 3.0 of the Secure Sockets Layer (SSL) protocol for its communication endpoints.

About enecerts, Java keytool, and fully qualified host names

The SSL certificates used for IAS must be issued to the fully qualified host name of the server running the IAS Service. The fully qualified host name must match either the first common name (CN) or any of the subject-alts in the server certificate. A wildcard may occur in the CN and in any of the subject-alts. Also, certificates may be issued to all hosts in a domain by specifying a wildcard such as *.endeca.com.

If you generated keystores and truststores by running enecerts (included with MDEX Engine installation), followed by endeca-key-importer (included with the Platform Services installation), the keystores and truststores do not include the fully qualified host name.

You must generate your own keystore and truststore using another utility, for example, Java keytool. This is available as part of the Java instance installed with IAS in <install path>\Oracle\Endeca\IAS\<version>\java\bin on Windows and /usr/local/oracle/endeca/IAS/<version>/java/bin on UNIX.

When running Java keytool, you specify the fully qualified host name or wildcard in response to the prompt "What is your first and last name?" For example:

    Enter keystore password: endeca
    What is your first and last name?
      [Unknown]:  machine.endeca.com

In general, Oracle recommends that you create one truststore for your entire environment (it can contain multiple entries) and a keystore per machine. You can place the truststore in a common directory, for example, C:\Oracle\Endeca\truststore\truststore.ks or /usr/local/oracle/endeca/truststore/truststore.ks, and then point to that location for IAS configuration.
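The following shell script is an added example, not part of the Oracle documentation, covering both the keytool step above and the per-machine keystore / shared truststore layout. It assumes keytool is on the PATH, that the non-interactive -dname and -ext options replace the interactive "first and last name" prompt, and that a wildcard in a certificate name matches exactly one host-name label (the page does not state how many labels a wildcard covers, so that rule is an assumption); the host names, aliases and passwords are constructed sample values.

```shell
#!/bin/sh
# Build a per-machine keystore whose certificate is issued to the host's
# fully qualified name, export its certificate, and add it to the shared
# truststore used by every IAS component. Paths and password are parameters.
make_ias_keystore() {
  host="$1"; keystore="$2"; truststore="$3"; storepass="$4"
  # -dname sets the CN that keytool otherwise asks for interactively;
  # -ext also lists the host as a subject-alt (assumed keytool syntax, Java 7+).
  keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$host" -ext "SAN=dns:$host" \
    -keystore "$keystore" -storepass "$storepass" -keypass "$storepass"
  keytool -exportcert -rfc -alias "$host" -keystore "$keystore" \
    -storepass "$storepass" -file "$host.pem"
  keytool -importcert -noprompt -alias "$host" -file "$host.pem" \
    -keystore "$truststore" -storepass "$storepass"
}

# Pre-deployment check: does one certificate name (CN or subject-alt, possibly
# with a leading "*.") cover the given fully qualified host name?
# Assumption: a wildcard stands for exactly one leading label.
name_matches_host() {
  name="$1"; host="$2"
  case "$name" in
    \*.*)
      suffix="${name#\*}"                 # "*.endeca.com" -> ".endeca.com"
      case "$host" in
        *"$suffix")
          rest="${host%"$suffix"}"        # the part the wildcard must cover
          case "$rest" in
            ""|*.*) return 1 ;;           # no label, or more than one label
            *)      return 0 ;;
          esac ;;
        *) return 1 ;;
      esac ;;
    *) [ "$name" = "$host" ] ;;
  esac
}

# Apply the page's rule: the host must match the first CN or any subject-alt.
# Usage: host_matches_any <host> <first CN> [<subject-alt> ...]
host_matches_any() {
  host="$1"; shift
  for candidate in "$@"; do
    if name_matches_host "$candidate" "$host"; then return 0; fi
  done
  return 1
}

# Example layout from the page: one truststore for the environment, one
# keystore per machine (constructed sample values; runs only when invoked).
# make_ias_keystore machine.endeca.com /usr/local/oracle/endeca/keystore.ks \
#   /usr/local/oracle/endeca/truststore/truststore.ks changeit
```

Run host_matches_any against the names in an existing certificate (for example, keytool -list -v on the keystore) before pointing the IAS configuration at it; a non-zero exit means the IAS Service host will not match the certificate.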