TSL/SSL support

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over a connection. All the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This protocol relies on asymmetric cryptography, so to enable a SSL connection the Application Server needs to have a Digital Certificate which will allow clients to trust the server authenticity. This Digital Certificate may be issued by a Certificate Authority (CA) or you can create your own Certificate (so called self-signed Certificate): the difference is that many of the Certificate Authorities are known by the JavaTM Runtime Environment (more than 80 in version 8), so that you don't need to install anything on the client, while if you use a self-signed certificate, you must install it on the client too.

isCOBOL Application Server relies on JSSE (JavaTM Secure Socket Extension). In the Sun/Oracle version you need to get also the JCE (JavaTM Cryptography Extension) in order to get unlimited strength cryptography. In the JSSE specification, certificates are stored in a file called keystore: according to JavaTM documentation:

"A keystore is a database of key material. Key material is used for a variety of purposes, including authentication and data integrity. Generally speaking, keystore information can be grouped into two different categories: key entries and trusted certificate entries. A key entry consists of an entity's identity and its private key, and can be used for a variety of cryptographic purposes. In contrast, a trusted certificate entry only contains a public key in addition to the entity's identity". Thus you need to have a keystore with a key entry (with both private and public key) onthe server side and a trusted certificate entry on the client side. JavaTM supports the JKS (JavaTM KeyStore) format and it may contain both key entries and trusted certificate entries. In order to handle this file format the command line program keytool is provided with the standard JDK distribution (a more user friendly tool can be freely downloaded from the Internet, i.e. KeyStore Explorer http://keystoreexplorer.sourceforge.net).

If you need a Certificate issued by a CA then the procedure to get it may change from one organization to another. In any case you need a SSL certificate importable in a JKS keystore as well as any other Java server application, e.g. Tomcat. Note however that some Java server application may also use different formats while currently isCOBOL Application Server supports only the JKS format. So, let's see an example about how to create a self-signed Certificate using the keytool program. You can find all the information about this tool in the Oracle site, http://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html. The keytool program is located in the bin directory under the JavaTM Home.

For the sake of simplicity let's assume that we can invoke keytool supplying only the name. To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:

keytool -genkeypair -alias iscobol -keyalg RSA

After executing this command, you will first be prompted for the keystore password. You can chose any password you like at least 6 characters long. Than You will be asked about general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.

Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). The keytool prompt will tell you that pressing the ENTER key automatically uses the same password for the key as the keystore. The JSSE framework, and isCOBOL by consequence, requires these passwords to be identical.

If everything was successful, you now have a new file, named .keystore under your HOME directory. You can specify a different name and location using the -keystore option or use a different encryption algorithm through the -keyalg option.

Now you can establish a secure connection between client and server inserting in the isCOBOL configuration file the following entries:

iscobol.conf.var_delimiters=${.} home=${user.home} # server side iscobol.net.ssl.key_store=${home}/.keystore iscobol.net.ssl.key_store_password=mypassword # client side iscobol.net.ssl.trust_store=${home}/.keystore iscobol.net.ssl.trust_store_password=mypassword

If you got a certificate from a CA known by the JavaTM Runtime Environment then you don't need to have that certificate on the client, however you need to instruct the client to use an encrypted connection. In order to do so you have to add the following line in the client configuration file:

iscobol.net.ssl.trust_store=*

This line instructs the client to use an encrypted communication and to use the standard default keystore to acknowledge the server.