19.2 TLS/SSL Encryption

This page explains how to configure MediationZone, acting as an HTTP client, for the following APL functions when the HTTP server is TLS-enabled:

  • httpGetSecureURL

  • httpBinaryGetSecureURL

  • httpPostSecureURL

  • httpBinaryPostSecureURL

  • httpRequestSecureBasicAuth

  • httpRequestSecure

When the HTTP server is configured with one-way SSL (only the client validates the server), MediationZone uses its own truststore by default, and that truststore accepts any server certificate. The functions therefore work immediately, but be aware of what the default means: the connection is encrypted without the server's identity being verified, so anyone who can intercept the traffic can present their own certificate and MediationZone will accept it. Rely on the default only where the network path to the server is trusted.

To validate the server against a truststore of your own instead, follow the steps in the section Configure Java Truststore for Secure URL Functions.

When the HTTP server is configured with two-way SSL (mutual authentication), the server also validates the client, so MediationZone must present a client certificate. Follow the steps in the section Configure Java Keystore for Secure URL Functions.

Configure Java Truststore for Secure URL Functions

To validate the server certificate against a truststore of your own, first add the server's public certificate to your custom truststore. Importing the certificate of the CA that issued the server certificate instead of the server certificate itself also works, and avoids having to update the truststore every time the server certificate is renewed.

Example,

$ keytool -importcert -alias platform -file certificate.x509.pem -keystore client.truststore -storetype pkcs12 -storepass mzadmin

Note that a passphrase given with -storepass on the command line ends up in the shell history and is visible in process listings. keytool also accepts -storepass:env <variable> or -storepass:file <file>, which keeps it out of both.

Then set the property https.apl.userdefined.truststore to true on each EC that runs these functions. The default value of this property is false.

$ mzsh topo set topo://container:<container>/pico:<pico>/val:config.properties.https.apl.userdefined.truststore true

Example,

$ mzsh topo set topo://container:echost01/pico:ec1/val:config.properties.https.apl.userdefined.truststore true

After setting https.apl.userdefined.truststore to true, use the mzsh topo command to set the following properties on the relevant ECs:

  • https.apl.truststore_location represents the location of the truststore.

  • https.apl.truststore_passphrase represents the passphrase for that truststore.

Example,

Run mzsh topo open <ec name> to view the properties that have been written to the EC configuration file.

Example ec1.conf,

If https.apl.userdefined.truststore is true but these two properties are not set on the EC, the Java default truststore of the JVM is used. In that case the server's public certificate must be added to the Java default truststore instead:

Configure Java Keystore for Secure URL Functions

For the server to validate the client certificate, a keystore is used to hold the HTTP client's credential, that is, its private key and the matching certificate.

To specify the keystore file to use, set the following properties on the relevant ECs with the mzsh topo command:

  • https.apl.keystore_location  represents the location of the keystore.

  • https.apl.keystore_passphrase  represents the passphrase for that keystore.

Example,

Run mzsh topo open <ec name> to view the properties that have been written to the EC configuration file.

Example ec1.conf,

The following command can be used to create a keystore with the Java keytool program.

The keystore passphrase must be the same as the passphrase that protects the private key entry (the keytool -keypass value), because only one passphrase, https.apl.keystore_passphrase, is configured for the EC.

See the JVM product documentation for more information about how to use the keytool.

If these two properties are not set on the EC, the MZ default keystore is used.
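The truststore procedure above and the keystore procedure in this section follow the same pattern: build the store with keytool or openssl, then point the EC at it with mzsh topo set. The script below is an added example and not part of the MediationZone documentation; it assumes keytool, openssl and mzsh are on PATH, uses the container echost01 and pico ec1 from the page as defaults, and treats the store paths and the expected certificate fingerprint as placeholders. It adds the two checks a practitioner wants before trusting a certificate: the file really is a certificate and not a key, and its SHA-256 fingerprint matches a value obtained out of band, so that a certificate swapped in transit cannot silently become trusted. Passphrases are read from the environment rather than the command line.

```shell
#!/bin/sh
# Added example, not part of the MediationZone documentation.
# Assumptions (placeholders, replace for your environment): keytool, openssl and
# mzsh are on PATH; container "echost01" and pico "ec1"; store paths under /opt/mz;
# TRUSTSTORE_PASS and KEYSTORE_PASS are exported by the operator before running.
set -eu

EC_CONTAINER="${EC_CONTAINER:-echost01}"
EC_PICO="${EC_PICO:-ec1}"

# Build the topo address of an EC config property, following the pattern the
# page uses for https.apl.userdefined.truststore.
topo_url() {
    printf 'topo://container:%s/pico:%s/val:config.properties.%s\n' "$1" "$2" "$3"
}

# Accept only a PEM certificate; refuse a file that also carries a private key,
# so a key is never accidentally imported into the truststore.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && ! grep -q -- 'PRIVATE KEY' "$1"
}

# Import the server (or issuing CA) certificate only if its SHA-256 fingerprint
# matches the value obtained out of band from the server operator. Without this
# check, whatever certificate happened to be served during download gets trusted.
import_server_cert() {
    cert="$1"; expected_fp="$2"; store="$3"
    is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    actual_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$actual_fp" = "$expected_fp" ] || { echo "fingerprint mismatch for $cert" >&2; return 1; }
    # -storepass:env reads the passphrase from TRUSTSTORE_PASS instead of the
    # command line, keeping it out of shell history and process listings.
    keytool -importcert -noprompt -alias platform -file "$cert" \
        -keystore "$store" -storetype pkcs12 -storepass:env TRUSTSTORE_PASS
    keytool -list -keystore "$store" -storetype pkcs12 -storepass:env TRUSTSTORE_PASS
}

# One-way TLS with server validation: enable the user-defined truststore and
# point the EC at it.
configure_truststore() {
    mzsh topo set "$(topo_url "$EC_CONTAINER" "$EC_PICO" https.apl.userdefined.truststore)" true
    mzsh topo set "$(topo_url "$EC_CONTAINER" "$EC_PICO" https.apl.truststore_location)" "$1"
    mzsh topo set "$(topo_url "$EC_CONTAINER" "$EC_PICO" https.apl.truststore_passphrase)" "$TRUSTSTORE_PASS"
}

# Two-way TLS: bundle the client's private key and certificate into a PKCS12
# keystore. openssl protects the store and the key with the same passphrase,
# which is what the "same passphrase" requirement above calls for.
create_client_keystore() {
    key="$1"; cert="$2"; store="$3"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name client \
        -out "$store" -passout env:KEYSTORE_PASS
    chmod 600 "$store"
}

configure_keystore() {
    mzsh topo set "$(topo_url "$EC_CONTAINER" "$EC_PICO" https.apl.keystore_location)" "$1"
    mzsh topo set "$(topo_url "$EC_CONTAINER" "$EC_PICO" https.apl.keystore_passphrase)" "$KEYSTORE_PASS"
}

# Typical run (all values are placeholders):
#   export TRUSTSTORE_PASS=... KEYSTORE_PASS=...
#   import_server_cert certificate.x509.pem "AB:CD:...:EF" /opt/mz/client.truststore
#   configure_truststore /opt/mz/client.truststore
#   create_client_keystore client.key.pem client.cert.pem /opt/mz/client.keystore
#   configure_keystore /opt/mz/client.keystore
```

The expected fingerprint must come from the server operator through a channel other than the TLS connection being configured; comparing the file against a fingerprint computed from the same file proves nothing. Restart the affected ECs after the properties are set, as described below.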

Restart Required

After the configuration is done, all affected processes must be restarted. Use the following command: