TLS Parameters for Routes
The following table lists parameters that you can specify in the routes.conf configuration file, or on the command line when creating a route. The parameters for configuring TLS between routed servers are similar to the parameters used to configure TLS between server and clients; see TLS Protocol.
Parameter | Description |
---|---|
ssl_identity | The server’s digital certificate in PEM, DER, or PKCS#12 format. You can copy the digital certificate into the specification for this parameter, or you can specify the path to a file that contains the certificate in one of the supported formats. A DER format file can only contain the certificate; it cannot contain both the certificate and a private key.
For more information, see File Names for Certificates and Keys. |
ssl_issuer | Certificate chain member for the server. Supply the entire chain, including the CA root certificate. The server reads the certificates in the chain in the order they are presented in this parameter.
The certificates must be in PEM, DER, PKCS#7 or PKCS#12 format. A DER format file can only contain a single certificate; it cannot contain a certificate chain. Example ssl_issuer = certs\CA_root.pem ssl_issuer = certs\CA_child1.pem ssl_issuer = certs\CA_child2.pem For more information, see File Names for Certificates and Keys. |
ssl_private_key | The local server’s private key. If the digital certificate in
ssl_identity already includes this information, then you may omit this parameter.
This parameter accepts private keys in PEM, DER and PKCS#12 formats. You can specify the actual key in this parameter, or you can specify a path to a file that contains the key. For more information, see File Names for Certificates and Keys. |
ssl_password | Private key or password for private keys.
You can set passwords using the tibemsadmin tool. When passwords are set with this tool, the password is obfuscated in the configuration file. For more information, see Using the EMS Administration Tool. |
ssl_trusted | List of certificates that identify trusted certificate authorities.
The certificates must be in PEM, DER or PKCS#7 format. You can either provide the actual certificates, or you can specify a path to a file containing the certificate chain. If using a DER format file, it can contain only a single certificate, not a certificate chain. For more information, see File Names for Certificates and Keys. |
ssl_verify_host | Specifies whether the server must verify the other server’s certificate. The values for this parameter are
enabled and disabled.
When omitted, the default is enabled, signifying the server must verify the other server’s certificate. When this parameter is disabled, the server establishes secure communication with the other server, but does not verify the server’s identity. |
ssl_verify_hostname | Specifies whether the server must verify the name in the CN field of the other server’s certificate. The values for this parameter are enabled and disabled.
When omitted, the default is enabled, signifying the server must verify the name of the connected host or the name specified in the ssl_expected_hostname parameter against the value in the server’s certificate. If the names do not match, the connection is rejected. When this parameter is disabled, the server establishes secure communication with the other server, but does not verify the server’s name. |
ssl_expected_hostname | Specifies the name expected in the CN field of the other server’s certificate. If this parameter is not set, the default is the hostname of the other server.
This parameter is relevant only when the ssl_verify_hostname parameter is enabled. |
ssl_ciphers | Specifies a list of cipher suites, separated by colons (:).
This parameter accepts both the OpenSSL name for cipher suites, or the longer descriptive names. For information about available cipher suites and their names, see Specify Cipher Suites. |