Endeca Server authentication of clients

The Endeca Server application running in the WebLogic domain uses SSL mutual authentication when it communicates with the Dgraph process and the endeca-cmd command utility.

Mutually-authenticated SSL uses both encryption and certificates for authentication of a component. Thus, safe and trusted communication among the various components of your Endeca Server application ensures that the data being transmitted will not be compromised.

During communication initialization, each component confirms that the certificate it is receiving from the other party has been signed by the CA. A bearer’s possession of a signed certificate implicitly grants full access to the Endeca Server component it is contacting. You create the SSL certificates for these components with the generate_ssl_keys utility, which is documented in Key Generation Utility.

Use of certificates by the Dgraph process of the Endeca Server

The generate_ssl_keys utility also updates the $DOMAIN_HOME/config/EndecaServer.properties file with the pathnames of the SSL certificate file (dgraphCert.pem) and certificate authority file (dgraphCA.pem).

When you create a data domain in the Endeca Server, the Dgraph process associated with that data domain is automatically configured to run with these two files via the Dgraph --sslcertfile and --sslcafile flags. Thus, you do not have to manually specify the SSL certificate files for the Dgraph process as the Endeca Server automatically performs that configuration task.

Thereafter, these certificates are used for authentication between Endeca Server and the Dgraph process.

Note on communications between Endeca Server and the Dgraph process

When configuring SSL, keep in mind how the Oracle Endeca Server communicates with the Dgraph processes it controls. The Endeca Server has hostname validation explicitly hard-coded to be off when using HTTPS between the Endeca Server and the Dgraph processes it is controlling. This is because all the URLs reference localhost, as the Endeca Server and its Dgraph processes are always on the same machine. Therefore, the Endeca Server is hard-coded not to check that the hostname in the Dgraph's certificate matches the URL that it is talking to.

However, when SSL is enabled on the Endeca Server, it is also enabled on the Dgraph process. The main reason is that if the Dgraph process is not secure, it can be an entry point for someone attempting to gain access to your application environment. Another use case where this is important is when you are accessing the Bulk Load Interface to load data from an SSL-enabled client (such as Integrator).

Endeca Server and the endeca-cmd command interface

When you run the endeca-cmd command utility in a secure installation, you need to specify the location of the Java keystore file (endecaServerClientCert.ks) and the Java truststore file (endecaServerTrustStore.ks), as well as the password for the key and trust stores. Providing this information enables the endeca-cmd command utility to communicate successfully with the Endeca Server.

There are SSL and non-SSL versions of the endeca-cmd command utility. The SSL version is located in the $DOMAIN_HOME/EndecaServer/bin directory, and is the one you should be using for an Endeca Server SSL deployment.

The SSL version lets you issue endeca-cmd commands without having to specify the location of the SSL certificates with the --keystore and --truststore options. It does so by making use of the $DOMAIN_HOME/config/EndecaCmd.properties configuration file. The file paths in EndecaCmd.properties are set automatically by the generate_ssl_keys utility.

By default, you are prompted for the keystore password whenever you issue a command. This is the password that you specified with the --sslPassphrase flag of the generate_ssl_keys utility. Note that you can override the prompt by providing the password with the --password option; however, you should not create a script that uses the --password option, as the password would have to be specified in clear text.

For more information on the SSL version of the endeca-cmd command utility, see the Oracle Endeca Server Administrator's Guide.