Unwired Server ships with default certificates for all listeners. Because every installation uses the same default certificates, you must replace them with production-ready certificates after you install Unwired Platform.
TLS/SSL/HTTPS listeners all use default certificates that must be changed.
Different listeners require different tools:
- Use keytool to manage certificates for the encryption of the DCN, OData, and DOE listeners. These listeners all use the key and truststores (keystore.jks), because they require mutual certificate authentication. OCSP is used only for these listeners.
- Use createcert to manage certificates for replication encryption. OCSP is not supported for replication.
Regardless of the tool used, the general steps are the same:
1. Generate new production-ready certificates:
   - If you use a PKI system, ensure that the generated certificates and key pairs are signed by a certificate authority (CA) certificate that is widely trusted in your organization. Unwired Platform is compatible with certificates and key pairs generated by most well-known PKI systems. Sybase recommends this option.
   - If you do not use a PKI system, use the keytool or createcert utility to generate new self-signed certificates.
2. Import the production-ready certificates, then update the security profile to associate these files with the Unwired Server encrypted port:
   - Use the appropriate tool to import the new production certificates into the primary Unwired Server keystore, if that listener requires it.
   - Configure the listener properties.
   - (Optional) If you are using a PKI system that includes OCSP, and the listener can use OCSP, configure an OCSP responder. See Enabling OCSP.