Configure for the certificate authority list

When a client accesses a server with a certificate, the server sends back its certificate. The client must check whether that certificate is trusted. This is done using a certificate authority list.

In this task you create the client's certificate authority list using the OpenSSL command line tool, and set the global certificate authority list in your FGLPROFILE file.

Important: On GMI mobile devices the iOS SSL/TLS layer is used for HTTPS, and the device Keychain® typically holds the server certificate authority list. Therefore, the FGLPROFILE file security settings are ignored with the exception of the following: security.global.ca, security.global.ca.lookuppath, and security.global.systemca.
  1. Create the client's certificate authority list.
    1. Save the certificates of the HTTPS server to disk.
      Type the server's URL in your browser. When prompted, save all the certificates from the Certificate Hierarchy. For more information, see Selecting the certificate to add and Missing certificates.
    2. Create the client's Certificate Authority List by running the following command for each of the certificates that you saved to disk.

      $ openssl x509 -in ServerCertificate.crt -text >> ClientCAList.pem

      Note: All trusted certificate authorities are listed in this file. A server certificate is checked by following the chain from child to parent certificate until a certificate is reached that is in the list and therefore trusted. Any other certificate that chains to a Root Certificate Authority in the list is also considered trusted by the client. For more information, see Certificate authorities.
  2. Set the global certificate authority list in your FGLPROFILE file.

    The global certificate authority list entry defines the file containing the certificate authority list used by the Genero Web Services client to validate all certificates coming from the different servers it will connect to.

    security.global.ca = "ClientCAList.pem"

    Note: A relative path is resolved against the current working directory of the process. For instance, when you launch from Genero Studio, fglrun may not run in the same directory as when you launch from the command line. The recommended practice is therefore to specify an absolute path for the .pem file, for example:

    security.global.ca = "/opt/usr/certs/ClientCAList.pem"

    If security.global.ca is not defined, Genero Web Services first checks whether the operating system provides a keystore; otherwise security.global.ca.lookuppath is used. For further information, see Certificate authorities in HTTPS configuration.

The client application is configured to use the appropriate certificate authority list to validate a server's certificate.
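As an added example (not from the Genero documentation), the following POSIX shell script builds ClientCAList.pem with the same openssl x509 command as step 1 and then checks a server certificate against that list with openssl verify, restricted to the list so the operating system store cannot mask a missing CA. The root CA and leaf certificate it generates are constructed throwaway fixtures; their file names and subjects are assumptions.

```shell
#!/bin/sh
# Added example, not from the Genero documentation: build ClientCAList.pem
# the way the task above does and verify a server certificate against it.
set -eu

# build_ca_list LIST CERT... : (re)create LIST from the saved certificates.
build_ca_list() {
  list=$1; shift
  : > "$list"
  for crt in "$@"; do
    # Same command as the task: -text prints a readable dump before each
    # PEM block; PEM readers skip that text, so the list still loads.
    openssl x509 -in "$crt" -text >> "$list"
  done
}

# count_certs LIST : number of PEM certificate blocks in LIST.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# check_chain LIST LEAF : succeeds only if LEAF chains to a CA in LIST.
# -no-CAfile/-no-CApath keep the default store out of the decision.
check_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixtures: a throwaway root CA and a leaf it signed. Subjects
# are placeholders; the inline config keeps this independent of openssl.cnf.
make_fixtures() {
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\n' > "$1/req.cnf"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root CA (test)" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -config "$1/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ws.example.test" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
}

# selftest : builds a list from the test root and checks both outcomes:
# the leaf it signed validates, and the same leaf is rejected by an empty list.
selftest() {
  dir=$(mktemp -d)
  make_fixtures "$dir"
  build_ca_list "$dir/ClientCAList.pem" "$dir/ca.crt"
  [ "$(count_certs "$dir/ClientCAList.pem")" -eq 1 ] || return 1
  check_chain "$dir/ClientCAList.pem" "$dir/leaf.crt" || return 1
  : > "$dir/empty.pem"
  if check_chain "$dir/empty.pem" "$dir/leaf.crt"; then return 1; fi
  rm -rf "$dir"
}

if [ "${1:-}" = "selftest" ]; then selftest && echo "CA list OK"; fi
```

Run it as `sh build_ca_list.sh selftest`; to check a real list, call check_chain with your ClientCAList.pem and a saved ServerCertificate.crt.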

What to do next

In your FGLPROFILE file, ensure there are configuration entries (ws.*) for the HTTPS server URL and for the HTTP authentication used when accessing the HTTPS server. See Add configuration entries in your FGLPROFILE file.