Chapter 9: Using TLS and FIPS in EAServer
The EAServer SSL Client runtime prior to version 5.2 offers a mechanism to query the user and obtain the PKCS#11 pin, determine whether to trust the server certificate and set a client side Certificate to use for the SSL connection (if necessary).
The method getCertificateLabel() in the SSLCallback interface queries the user to determine which client-side certificate to use during the SSL handshake. During mutual authentication the server asks the client to authenticate itself by sending a message, as part of the SSL handshake, that requests a client certificate. When this request arrives at the client and the client has not set its client certificate, the SSL Client runtime queries the user through the getCertificateLabel() method. For more details on this, see the corresponding IDL documentation and these chapters:
The post-5.1 EAServer SSL Client runtime does not invoke the getCertificateLabel() callback. Because of this restriction, if your client application relies on the getCertificateLabel() method being invoked during mutual authentication over SSL, you must do one of the following after installing EAServer 5.2 or later:
Set the environment variable JAGSSL to true in the shell used to run the client program. This has the effect of using the previous version of the EAServer SSL Client runtime. The previous version of the SSL runtime does not support TLS. See “Disabling TLS support” for more information.
PowerBuilder client applications that rely on mutual authentication should also set the environment variable JAGSSL to true before running the application.
If you do require TLS support now, then you must re-code your client application. For example, if this is an EJB client application, set the client certificate label using the com.sybase.ejb.certificateLabel ORB property.
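The following is an added example, not code from the EAServer documentation, of the re-coding described above for an EJB client: the certificate label is supplied up front through the com.sybase.ejb.certificateLabel ORB property named on this page, so the client never depends on the getCertificateLabel() callback. The initial context factory class name, the iiops:// provider URL, the host and port, the JNDI name and the label value "client_cert" are assumptions and placeholders, not values from this page.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (not from the EAServer documentation): an EJB client that
 * sets its client-certificate label explicitly instead of relying on the
 * getCertificateLabel() callback, which the post-5.1 runtime no longer invokes.
 */
public class TlsMutualAuthClient {

    /** Property named on this page: selects the client certificate for the handshake. */
    static final String CERT_LABEL_PROPERTY = "com.sybase.ejb.certificateLabel";

    /** Build the JNDI environment with the certificate label set before any connection. */
    static Properties buildEnvironment(String providerUrl, String certificateLabel) {
        if (certificateLabel == null || certificateLabel.isEmpty()) {
            // A missing label is exactly the case that used to fall back on the
            // getCertificateLabel() callback; with TLS that callback never fires,
            // so fail fast rather than let mutual authentication silently fail.
            throw new IllegalArgumentException(
                "a client certificate label is required for mutual authentication");
        }
        Properties env = new Properties();
        // Factory class name is an assumption, not stated on this page.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sybase.ejb.InitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(CERT_LABEL_PROPERTY, certificateLabel);
        return env;
    }

    public static void main(String[] args) throws NamingException {
        // Label taken from a system property so it is not hard-coded;
        // "client_cert" is a placeholder default.
        String label = System.getProperty("cert.label", "client_cert");
        // Host, port and the iiops:// scheme are assumptions for illustration.
        Properties env = buildEnvironment("iiops://localhost:9001", label);
        Context ctx = new InitialContext(env);
        // JNDI name is a placeholder; the lookup triggers the TLS handshake,
        // during which the runtime uses the configured label for the client certificate.
        Object home = ctx.lookup("ejb/ExampleBean");
        System.out.println("Looked up home: " + home.getClass().getName());
    }
}
```

Run it as `java -Dcert.label=<your label> TlsMutualAuthClient` with the EAServer client JARs on the classpath; the label must match a certificate in the client's PKCS#11 store, and the program refuses to start if no label is supplied, which makes a misconfigured client fail at startup rather than at the handshake.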
Copyright © 2005. Sybase Inc. All rights reserved.