You can configure TCP on NexJ Model Server, set up SSL communication including two-way SSL authentication, and set up password encryption on Model Server.
Configuring TCP
You can configure OS TCP keep-alive and retries to enable quicker detection of remotely disconnected TCP connections.
To configure TCP:
Change the kernel parameter values or registry keys, based on operating-system-specific files provided with the NexJ Studio plugin.
On Linux, do one of the following:
If the /etc/sysctl.conf file exists, edit the file to match the values in the <NEXJ_PLUGIN>/core/etc/config/os/tcp-linux.conf file.
Otherwise, copy the <NEXJ_PLUGIN>/core/etc/config/os/tcp-linux.conf file to the /etc/sysctl.d directory. Ensure that none of the other .conf files in that directory specify the parameters listed in the tcp-linux.conf file.
On Windows, double-click the <NEXJ_PLUGIN>\core\etc\config\os\tcp-<os>.reg file, where <os> is one of: xp, server2003, or server2008-Vista-7. Accept the confirmation messages to update the registry settings.
If using Windows, restart the computer.
The TCP settings are now updated.
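The Linux step above asks you to make sure that no other .conf file in /etc/sysctl.d sets a parameter that tcp-linux.conf also sets, since a later file would silently override the keep-alive values. The following script is an added example, not part of the NexJ documentation or plugin: it extracts the parameter names from one sysctl conf file and reports every other .conf file in a directory that sets the same name. The directory, file names and parameter values in the demo are constructed; in practice point it at <NEXJ_PLUGIN>/core/etc/config/os/tcp-linux.conf and /etc/sysctl.d.

```shell
#!/bin/sh
# Added example, not part of the NexJ documentation or plugin: check that
# no other .conf file in a sysctl.d-style directory sets a parameter that
# the NexJ tcp-linux.conf file also sets. The directory, file names and
# values below are constructed for the demo.

# sysctl_keys <file>: print the parameter names set in a sysctl conf file
# (left of '='), ignoring blank lines and '#' comments.
sysctl_keys() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | sed -e 's/[[:space:]]*=.*//' -e 's/^[[:space:]]*//'
}

# sysctl_conflicts <nexj_conf> <dir>: print "file:key" for every parameter
# in <nexj_conf> that another .conf file in <dir> also sets. A file with
# the same name as <nexj_conf> is taken to be the copied file itself and
# skipped. Returns 1 if any conflict was found, 0 otherwise.
sysctl_conflicts() {
    conf="$1"; dir="$2"; rc=0
    for key in $(sysctl_keys "$conf"); do
        for other in "$dir"/*.conf; do
            [ -f "$other" ] || continue
            [ "$(basename "$other")" = "$(basename "$conf")" ] && continue
            if sysctl_keys "$other" | grep -qxF "$key"; then
                echo "$(basename "$other"):$key"
                rc=1
            fi
        done
    done
    return $rc
}

# Demo on constructed files. The parameter names are standard Linux
# keep-alive sysctls; the values are illustrative, not NexJ's.
demo=$(mktemp -d)
cat > "$demo/tcp-linux.conf" <<'EOF'
# constructed stand-in for the plugin's tcp-linux.conf
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 5
EOF
cat > "$demo/99-local.conf" <<'EOF'
vm.swappiness = 10
net.ipv4.tcp_keepalive_time = 7200   # overrides the NexJ value
EOF
sysctl_conflicts "$demo/tcp-linux.conf" "$demo" \
    || echo "conflicting parameter(s) found; resolve them before reloading sysctl"
rm -rf "$demo"
```

Run it before `sysctl --system` (or a reboot) so that the keep-alive values the plugin provides are the ones that end up in effect; a conflict is reported as `file:parameter` and the function exits non-zero, which makes it usable from a deployment check.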
Setting up SSL communication
You can enable SSL communication and server authentication through the secureTransport property in the environment file. To enable SSL communication, you must place your SSL keystore file in the SERVER_HOME/conf folder. You can obtain an SSL keystore from a trusted certificate authority (CA). For non-production environments, you may generate a self-signed keystore. The following is an example command to generate a self-signed keystore.
where user_name is a valid user of the NexJ application.
When generating the keystore, you will be prompted to specify a keystore password, which you must specify in the environment when enabling SSL for it.
To set up SSL communication:
Enable SSL communication. Do one of the following:
In the environment file, set secureTransport="true".
In NexJ Studio, in the Deployment layer, double-click the environment, click the Overview tab > Security tab, and select the Secure Transport Protocol (use SSL) checkbox.
Specify the keystore password. Do one of the following:
In the environment file, set keystorePassword="text:<password>".
In NexJ Studio, in the Deployment layer, double-click the environment, click the Overview tab > Security tab, and enter the password in the Keystore Password field.
After you specify the password, for security reasons, you can only view it in the Source tab in NexJ Studio. The Security tab and the Properties tab only display *** in password fields.
SSL communication is now set up.
Configuring two-way SSL authentication
You can configure two-way SSL authentication for an HTTP channel or a Kafka channel. Two-way authentication ensures that the client and the server mutually authenticate each other before exchanging data.
As of NexJ CRM 9.9, when you run with HTTPS in a local development environment on NexJ Model Server, you must generate a new certificate (for example, sha256RSA, 4096 bits), insert it into the PKCS#12 keystore, and then replace enterprise\etc\config\teee\ssl.keystore. Microsoft Internet Explorer and Google Chrome will be able to mark the site as trusted if the certificate is added to the Windows certificate store under "Trusted Root Certification Authorities."
Setting up two-way authentication involves specifying the following certificates in the channel connection attributes:
The base64-encoded PKCS#12 certificate to send to external systems.
The base64-encoded X.509 certificate for your NexJ application to trust.
For communication to happen, the external system must also specify its own certificate for the NexJ application to authenticate against and add the NexJ application’s certificate to its trust store.
The process to set up two-way authentication is the same for communicating with all external systems including other Model Server instances.
If you do not already have the certificates in a compatible base64 format, you can convert them into the supported format using the following two-step command sequence:
cat nexjsa_pki_base64 | tr -d '\n' | tee nexjsa_pki_base64_one_line
To configure two-way authentication:
Steps that refer to NexJ Studio are performed in the Deployment layer for the environment, in the Channel Connections tab > General tab for the HTTP or Kafka channel you want to set up two-way authentication for.
Set the authentication mode to certificate. Do one of the following:
In the environment file, set authentication="certificate".
In NexJ Studio, select certificate in the Authentication dropdown.
Specify your keystore password. Do one of the following:
In the environment file, set password="text:<keystore_password>".
In NexJ Studio, specify your keystore password in the Password field.
Enter the base64-encoded PKCS#12 certificate of your channel. Do one of the following:
In the environment file, set certificate="<channel_certificate>".
In NexJ Studio, copy the certificate into the Certificate field.
Enter the base64-encoded X.509 certificate for the external system you want to trust. If you do not specify this, any channel with a global trust certificate is automatically trusted.
In the environment file, set trust="<external_system_certificate>".
In NexJ Studio, copy the certificate into the Trust field.
When you copy the certificate, ensure that you preserve newline characters for the certificate, as shown in the following example:
The first line of the certificate must contain only -----BEGIN CERTIFICATE-----, and the last line must contain only -----END CERTIFICATE-----.
Click the Save button in the toolbar to save the changes to the environment.
The channel is now set up for two-way authentication.
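The procedure above takes two differently formatted values: the PKCS#12 keystore as base64 with the newlines removed (the `tr -d '\n'` step), and the X.509 trust certificate as PEM with its newlines preserved and the BEGIN/END markers alone on the first and last lines. The script below is an added example, not NexJ's own tooling: it produces the single-line base64 form and checks a PEM file against the first-line/last-line rule, including the failure mode where a certificate pasted without its newlines collapses the marker and the body onto one line. The PKCS#12 bytes and the PEM body in the demo are constructed filler, not a real keystore or certificate.

```shell
#!/bin/sh
# Added example, not NexJ's own tooling: checks for the two certificate
# formats the channel connection expects, run on constructed sample data.
#  - The PKCS#12 keystore is entered as base64 with no embedded newlines
#    (the tr -d '\n' step in the text).
#  - The X.509 trust certificate is entered as PEM with its newlines kept:
#    first line exactly -----BEGIN CERTIFICATE-----, last line exactly
#    -----END CERTIFICATE-----.

# pkcs12_to_one_line <file>: base64-encode a binary PKCS#12 file and strip
# the line wrapping that base64 adds, giving a single line for the
# Certificate field.
pkcs12_to_one_line() {
    base64 < "$1" | tr -d '\n'
}

# is_one_line <file>: 0 if the file contains at most one line.
is_one_line() {
    [ "$(grep -c '' "$1")" -le 1 ]
}

# check_pem_cert <file>: 0 if <file> is a PEM certificate whose first and
# last lines are exactly the BEGIN/END markers and whose body is non-empty
# base64; prints the reason and returns 1 otherwise. A certificate whose
# newlines were lost on copy fails the first check, because the marker
# and the body then share one line.
check_pem_cert() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || { echo "bad first line: $first"; return 1; }
    [ "$last" = "-----END CERTIFICATE-----" ] || { echo "bad last line: $last"; return 1; }
    body=$(sed -e '1d' -e '$d' "$1")
    [ -n "$body" ] || { echo "empty certificate body"; return 1; }
    if printf '%s\n' "$body" | grep -qvE '^[A-Za-z0-9+/=]+$'; then
        echo "body contains a non-base64 line"; return 1
    fi
    return 0
}

# Demo. The PKCS#12 bytes and the PEM body are constructed filler.
demo=$(mktemp -d)
printf 'constructed stand-in for PKCS#12 bytes\n' > "$demo/channel.p12"
pkcs12_to_one_line "$demo/channel.p12" > "$demo/channel.b64"
is_one_line "$demo/channel.b64" && echo "PKCS#12 base64 is a single line"

printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBsTCCAVegAwIBAgIUQ0VSVElGSUNBVEUgU0FNUExFIERBVEEwCgYIKoZIzj0EAwIw' \
    'Q29uc3RydWN0ZWQgZmlsbGVyLCBub3QgYSByZWFsIGNlcnRpZmljYXRlLg==' \
    '-----END CERTIFICATE-----' > "$demo/trust.pem"
check_pem_cert "$demo/trust.pem" && echo "trust certificate format OK"

# The same certificate with its newlines lost (a common copy error) fails.
tr -d '\n' < "$demo/trust.pem" > "$demo/trust-flattened.pem"
check_pem_cert "$demo/trust-flattened.pem" || echo "flattened copy rejected, as expected"
rm -rf "$demo"
```

Running `check_pem_cert` on the file you are about to paste into the Trust field catches the newline problem before the channel is saved, which is cheaper than diagnosing a failed handshake against the external system afterwards.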
Setting up password encryption
To secure your environment with master password encryption, you must create a master password file and encrypt your environment with this master password. For more information, see Creating a master password file and Encrypting deployment files.
You must then deploy your application with the master password encryption. For an example Ant script used to deploy the application with master password encryption, see Deploying using the command line.
After you deploy the application, to enable Model Server to process your encrypted environment file:
Copy the master password file to the Model Server machine in the <SERVER_HOME>/conf directory.
If you want to place the file in a different location, add the following line to the modeld.conf file located in the <SERVER_HOME>/conf directory: cipher.master.url=<location_of_master.pwd>
Set file permissions to make the master password file readable only to the server process user (that is, the login account specified in the application server service) and the deployment administrator.
Password encryption is now enabled for your Model Server.
Restart Model Server for the changes to take effect.
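The steps above leave two things to get right on the server: the master password file must be readable only by the server process user, and, if it is not in <SERVER_HOME>/conf, modeld.conf must carry a single cipher.master.url line pointing at it. The script below is an added example, not NexJ's own tooling: it applies and verifies the permission restriction and sets the cipher.master.url entry without leaving a duplicate behind. The SERVER_HOME directory in the demo is a constructed temporary directory, and the value written for cipher.master.url is an assumed file path; use whatever location form your installation expects for <location_of_master.pwd>.

```shell
#!/bin/sh
# Added example, not NexJ's own tooling: lock down the master password
# file and record its location in modeld.conf. Paths are constructed for
# the demo; in practice use <SERVER_HOME>/conf/master.pwd and
# <SERVER_HOME>/conf/modeld.conf. The cipher.master.url value used here
# is an assumed plain file path.

# check_master_pwd <file>: 0 if <file> is a regular file with no group or
# world permission bits (mode 600 or stricter), 1 otherwise. The mode is
# read from the ls -l permission string so it works without GNU stat.
check_master_pwd() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$(printf '%s' "$perms" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1 is $perms; group or world access must be removed"; return 1 ;;
    esac
}

# lock_down_master_pwd <file> [owner]: optionally chown <file> to the
# server process user, make it readable only by its owner, then verify.
lock_down_master_pwd() {
    if [ -n "$2" ]; then chown "$2" "$1"; fi
    chmod 600 "$1"
    check_master_pwd "$1"
}

# set_master_url <modeld.conf> <location>: set cipher.master.url, replacing
# an existing entry rather than appending a second one.
set_master_url() {
    if grep -q '^cipher\.master\.url=' "$1" 2>/dev/null; then
        sed -i.bak "s|^cipher\.master\.url=.*|cipher.master.url=$2|" "$1" && rm -f "$1.bak"
    else
        printf 'cipher.master.url=%s\n' "$2" >> "$1"
    fi
}

# get_master_url <modeld.conf>: print the configured location (empty if unset).
get_master_url() {
    sed -n 's/^cipher\.master\.url=//p' "$1" 2>/dev/null
}

# Demo on a constructed SERVER_HOME.
home=$(mktemp -d)
mkdir "$home/conf"
printf 'constructed-master-password\n' > "$home/conf/master.pwd"
printf 'some.other.setting=1\n' > "$home/conf/modeld.conf"
lock_down_master_pwd "$home/conf/master.pwd"
set_master_url "$home/conf/modeld.conf" "$home/conf/master.pwd"
echo "cipher.master.url is now: $(get_master_url "$home/conf/modeld.conf")"
rm -rf "$home"
```

Pass the service account as the second argument to `lock_down_master_pwd` when running as root, so that ownership and mode are set together; `check_master_pwd` on its own is suitable for a periodic audit of the deployed file.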