Implementing a Secure Binary Interface
These are the instructions for starting an OmniSci server with an encrypted main port.
Required PKI Components
These are the PKI (Public Key Infrastructure) components you need to implement a Secure Binary Interface.
- A CRT (certificate) file containing the server's PKI certificate. This file must be shared with the clients that connect using encrypted communications. Ideally, this file is signed by a recognized certificate authority.
- A key file containing the server's private key. Keep this file secret and secure.
- A Java TrustStore containing the server's PKI certificate. The password for the trust store is also required.
Note: While in this instance the trust store contains only information that can be shared, the Java keytool utility insists that the trust store be password protected.
Demonstration Script to Create "Mock/Test" PKI Components
It is possible to use OpenSSL utilities to create the various PKI elements. The server certificate in this instance is self-signed, and should not be used in production systems.
- Generate a new private key.
openssl genrsa -out server.key 2048
- Use the private key to generate a certificate signing request.
openssl req -new -key server.key -out server.csr
- Self-sign the certificate signing request to create a public certificate.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Use the Java keytool to create a trust store (a Java key store file) from the public certificate.
keytool -importcert -file server.crt -keystore server.jks
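The same four steps as a non-interactive script, added here as an example rather than taken from the OmniSci documentation, together with two checks worth running before the server is started: that the certificate was really signed with the key the server will be given, and that the trust store really contains that certificate. The subject name, key store alias and output directory are assumed values; openssl is required and keytool is optional (it ships with the JDK).

```shell
#!/bin/sh
# Added example: non-interactive mock PKI plus consistency checks.
# Assumes openssl on PATH; keytool (from a JDK) is used if present.
set -eu

make_mock_pki() {
  dir=$1    # output directory, e.g. /home/omnisci/certs (assumed)
  pass=$2   # trust-store password required by keytool
  mkdir -p "$dir"
  # 1. Private key; readable by the server account only.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/server.key"
  # 2. CSR with the subject on the command line so nothing prompts.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
      -subj "/CN=omnisci.example.test/O=Mock PKI"
  # 3. Self-signed certificate: test use only, never production.
  openssl x509 -req -days 365 -in "$dir/server.csr" \
      -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  # 4. Trust store; -noprompt answers the "Trust this certificate?" question.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias omnisci-server \
        -file "$dir/server.crt" -keystore "$dir/server.jks" -storepass "$pass"
  else
    echo "keytool not found; server.jks was not created" >&2
  fi
}

# The certificate and key passed to --ssl-cert / --ssl-private-key must belong
# together, otherwise the TLS handshake fails: compare the RSA modulus of each.
check_key_matches_cert() {
  dir=$1
  k=$(openssl rsa -in "$dir/server.key" -noout -modulus | openssl sha256)
  c=$(openssl x509 -in "$dir/server.crt" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ]
}

# A trust store that lacks the server certificate makes clients reject the
# server: look for the certificate's SHA-256 fingerprint in the store listing.
check_truststore_has_cert() {
  dir=$1
  pass=$2
  fp=$(openssl x509 -in "$dir/server.crt" -noout -fingerprint -sha256 | cut -d= -f2)
  keytool -list -v -keystore "$dir/server.jks" -storepass "$pass" 2>/dev/null \
      | grep -q "$fp"
}
```

Run `make_mock_pki /home/omnisci/certs 'your-password'` and then the two checks; each check exits non-zero when the pieces do not fit, so they can be used in a start-up script before `start_omnisci_server` is invoked.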
Start the Server
Start the server using the following options.
--ssl-cert <path to the server's public certificate> --ssl-private-key <path to the server's private key> --ssl-trust-store <path to Java TrustStore> --ssl-trust-password <Java TrustStore password>
Example
sudo start_omnisci_server --port 6274 --data /data --ssl-cert /home/omnisci/certs/server.crt --ssl-private-key /home/omnisci/certs/server.key --ssl-trust-store /home/omnisci/certs/server.jks --ssl-trust-password XXXXXX