Turning on SSL Client Authentication

This section describes how to turn on SSL client authentication after installation.

  1. Enable SSL data encryption for Sybase CEP Engine, as described in section "Enabling SSL Support".
  2. Enable SSL server authentication, as described in section "Turning on SSL Server Authentication".
  3. Obtain and import client certificates into the SSL client Certificate Database using the certutil utility included with your Sybase CEP Server. To import the certificates:
    1. Copy the SSL client certificate to the secure directory you want the client to use. When determining which directory to designate as the secure directory, keep in mind that the SSL client searches for the client certificate in the first valid directory it finds. The client performs the search in this order:
      1. The client searches for the folder specified in the NSS folder preference section of the client's preferences.xml file.

      2. If it does not find a certificate there, the client searches for it in the secure directory located in the SybaseC8Repository.

      3. If it does not find a certificate there either, the client searches the client's secure directory.

    2. Navigate to the secure directory in which the certificate now resides.
    3. Import the certificate using the following command from your shell or MS-DOS prompt:
      certutil -A -n nickname-of-your-certificate -t "u,u,u" -d . -i certificate-filename
      
      where nickname-of-your-certificate is a nickname you assign to the certificate for easy reference. For an explanation of certutil commands, execute the command
      
      certutil -H
      
      from the command line prompt in the server\bin directory of your Sybase CEP Engine installation.
  4. Use the certutil utility to import the client certificates into the server's certificate database. The procedure for this step is the same as for Step 3, but performed on the SSL server machine.
  5. Set the following values in the server's c8-server.conf file:
    1. Set the value of "ClientAuthenticate" preference in the "SSL" section to true.
    2. Add the nickname of your SSL client certificate to the configuration file, by setting the value of "ClientCertificate" in the "SSL" section to your client's certificate nickname.
  6. Add the following line to the SSL client preferences file (for Sybase CEP Studio, this file is called studio-preferences.xml, located in the SybaseC8Repository, under the appropriate Sybase CEP Engine version number):
    <preference name="SybaseC8/Security/SSL/ClientCertificate" value="nickname-of-client-certificate"/>
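
Because of the search order in step 3, a certificate database in an earlier directory takes precedence over the directory you imported into. The script below is an added example, not part of the Sybase documentation or tooling: given the candidate directories in search order, it reports which one the client would pick and flags a mismatch with the import directory. It assumes a "valid" directory is one that exists and contains an NSS database file (cert8.db or cert9.db), which the page does not define; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Sybase code): predict which secure directory the SSL client
# will use, given the candidate directories in the search order from step 3.
# Assumption: "valid" means the directory exists and holds an NSS certificate
# database file (cert8.db or cert9.db); the page does not define the term.

canon() { ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P ); }

has_nss_db() {
    [ -d "$1" ] && { [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ]; }
}

# first_valid_secure_dir DIR... : print the first valid directory, or return 1.
first_valid_secure_dir() {
    for dir in "$@"; do
        if has_nss_db "$dir"; then
            canon "$dir"
            return 0
        fi
    done
    return 1
}

# check_import_dir IMPORT_DIR DIR... : 0 = client uses IMPORT_DIR,
# 1 = an earlier directory shadows it, 2 = no valid directory at all.
check_import_dir() {
    import_dir=$1; shift
    want=$(canon "$import_dir") || want=$import_dir
    chosen=$(first_valid_secure_dir "$@") || {
        echo "no valid secure directory among the candidates" >&2; return 2; }
    if [ "$chosen" = "$want" ]; then
        echo "OK: client will use $chosen"; return 0
    fi
    echo "MISMATCH: client will use $chosen, not $want" >&2
    return 1
}

# Constructed demo: temporary directories stand in for the three real locations.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/prefs" "$tmp/repo" "$tmp/client"
    : > "$tmp/repo/cert8.db"; : > "$tmp/client/cert8.db"
    # Imported into "client", but "repo" comes earlier in the search order.
    check_import_dir "$tmp/client" "$tmp/prefs" "$tmp/repo" "$tmp/client"
    status=$?; rm -rf "$tmp"; return "$status"
}
demo || true
```

Pass your own three directories, in the order listed in step 3, after the directory you ran certutil in.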