Setting up secured communication between Dispatcher Paragon Management and Spooler Controller
The communication between Dispatcher Paragon Management and Dispatcher Paragon Spooler Controller is not secured by default. To start encrypted and authenticated communication, both sides need to be configured with the same security settings. If one side is set to secure mode and the other is not, the communication does not work.
This guide will help you configure the secured connection between Dispatcher Paragon Management and Dispatcher Paragon Spooler Controller using CA-signed certificates.
CA-signed certificate requirements
- The certificate must be signed by a certification authority trusted in your environment.
- The certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connecting to the respective server.
- For importing the certificate you need an appropriate format: a Java Keystore (.jks file) containing the private key and the whole certificate chain.
- Both the keystore and the key itself need to be protected by a password.
- You will also need a truststore, a file containing the certificate of the root certification authority, again in the Java Keystore (.jks) format.
In case your key/certificate is in a different format than Java Keystore, convert it following the guide in Conversions between different keystores and certificate types.
In case you do not have a key/certificate at all, follow the guide in the Generating key/certificate in Java Keystore format chapter in System communication hardening.
Dispatcher Paragon Management settings
- Stop the Dispatcher Paragon Management Service service on the Dispatcher Paragon server.
- Copy your key/certificate and the certificate of the root certification authority, both in the Java Keystore format, to the <management_folder>\conf\ (usually C:\DispatcherParagon\Management\conf\) directory on the server with Dispatcher Paragon Management.
- Go to <management_folder>\conf\ (usually C:\DispatcherParagon\Management\conf\) and create a new file there, communicator.conf.
When this file is present in the specified directory, correctly configured and readable, the settings specified in it are applied and communication between Dispatcher Paragon Spooler Controller and Dispatcher Paragon Management starts in secure mode.
- Set the following properties in the communicator.conf file:
# this property switches security in Communicator on/off; if set to false, the rest of the properties are ignored (MANDATORY)
secureCommunicationEnabled=true
# name of the Java truststore file in the current directory (MANDATORY)
truststoreFile=truststore.jks
# password to the Java truststore; if not set, the default value 'changeit' is used (OPTIONAL)
truststorePassword=changeit
# name of the Java keystore file in the current directory (MANDATORY)
keyStoreFile=keystore.jks
# password to the Java keystore; if not set, the default value 'changeit' is used (OPTIONAL)
keystorePassword=changeit
# protocol type as defined by the Java SSL specification (MANDATORY)
sslProtocol=TLS
# this option forces CML to require SPOC authentication (MANDATORY)
clientAuthenticationRequired=true
# available protocols as defined by the Java SSL specification (OPTIONAL)
#allowedProtocols =
# available cipher suites as defined by the Java SSL specification (OPTIONAL)
#allowedCiphersuites =
The communicator.conf file has to refer to the correct Java keystore and truststore files, which have to be placed in the same SafeQ conf directory as this configuration file.
- Start the Dispatcher Paragon Management Service service.
Dispatcher Paragon Spooler Controller settings
- Stop the Dispatcher Paragon Spooler Controller service.
- Copy your key/certificate and the certificate of the root certification authority, both in the Java Keystore format, to the <spoc_folder>\conf\ (usually C:\DispatcherParagon\SPOC\conf\) directory on the server with Dispatcher Paragon Spooler Controller.
- Go to <spoc_folder>\conf\ (usually C:\DispatcherParagon\SPOC\conf\) and create a new file there, communicator.conf.
When this file is present in the specified directory, correctly configured and readable, the settings specified in it are applied and communication between Dispatcher Paragon Spooler Controller and Dispatcher Paragon Management starts in secure mode.
- Set the following properties in the communicator.conf file:
# this property switches security in Communicator on/off; if set to false, the rest of the properties are ignored (MANDATORY)
secureCommunicationEnabled=true
# name of the Java truststore file in the current directory (MANDATORY)
truststoreFile=truststore.jks
# password to the Java truststore; if not set, the default value 'changeit' is used (OPTIONAL)
truststorePassword=changeit
# name of the Java keystore file in the current directory (MANDATORY)
keyStoreFile=keystore.jks
# password to the Java keystore; if not set, the default value 'changeit' is used (OPTIONAL)
keystorePassword=changeit
# protocol type as defined by the Java SSL specification (MANDATORY)
sslProtocol=TLS
# this option forces CML to require SPOC authentication (MANDATORY)
clientAuthenticationRequired=true
# available protocols as defined by the Java SSL specification (OPTIONAL)
#allowedProtocols =
# available cipher suites as defined by the Java SSL specification (OPTIONAL)
#allowedCiphersuites =
The communicator.conf file has to refer to the correct Java keystore and truststore files, which have to be placed in the same SafeQ conf directory as this configuration file.
- Start the Dispatcher Paragon Spooler Controller service.
Example of communicator.conf file configuration
secureCommunicationEnabled=true
truststoreFile=truststore.jks
truststorePassword=password
keyStoreFile=dispatcherparagonkeystore.jks
keystorePassword=keystoreprotectingpassword
sslProtocol=TLS
clientAuthenticationRequired=true
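A pre-flight check for the two communicator.conf files described above, added here as an example and not part of the product: it parses each side's file, verifies that the mandatory properties are present, that the referenced keystore and truststore actually sit in the same conf directory, that neither password falls back to the 'changeit' default, and that both sides are in the same mode (a mismatch means the link does not work). The sample configs and the empty placeholder .jks files are constructed for the demo.

```python
import os, tempfile
MANDATORY = ("secureCommunicationEnabled", "truststoreFile", "keyStoreFile",
             "sslProtocol", "clientAuthenticationRequired")
DEFAULT_PASSWORD = "changeit"  # assumed when a password property is absent

def parse_communicator_conf(text):
    """Parse key=value lines of communicator.conf; '#' lines are comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_side(conf_dir, props):
    """One side: mandatory keys present, store files in conf_dir, non-default passwords."""
    findings = [f"missing mandatory property {k}" for k in MANDATORY if k not in props]
    for key in ("truststoreFile", "keyStoreFile"):
        if key in props and not os.path.isfile(os.path.join(conf_dir, props[key])):
            findings.append(f"{key}={props[key]} not found in {conf_dir}")
    for key in ("truststorePassword", "keystorePassword"):
        if props.get(key, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            findings.append(f"{key} is the default '{DEFAULT_PASSWORD}'")
    return findings

def check_pair(mgmt, spoc):
    """Both sides must be in the same mode, otherwise the link does not work."""
    if mgmt.get("secureCommunicationEnabled") != spoc.get("secureCommunicationEnabled"):
        return ["secureCommunicationEnabled differs between Management and SPOC"]
    return []

# Constructed sample configs: Management is complete, SPOC is only half done.
MGMT_CONF = ("secureCommunicationEnabled=true\ntruststoreFile=truststore.jks\n"
             "truststorePassword=password\nkeyStoreFile=keystore.jks\n"
             "keystorePassword=keystoreprotectingpassword\nsslProtocol=TLS\n"
             "clientAuthenticationRequired=true\n")
SPOC_CONF = "secureCommunicationEnabled=false\ntruststoreFile=truststore.jks\nkeyStoreFile=missing.jks\nsslProtocol=TLS\n"
def run_demo():
    """Write both configs into temporary conf dirs with placeholder .jks files, then check."""
    with tempfile.TemporaryDirectory() as root:
        parsed = {}
        for side, conf in (("Management", MGMT_CONF), ("SPOC", SPOC_CONF)):
            conf_dir = os.path.join(root, side, "conf")
            os.makedirs(conf_dir)
            for store in ("truststore.jks", "keystore.jks"):  # empty placeholders, not real JKS
                open(os.path.join(conf_dir, store), "wb").close()
            parsed[side] = (conf_dir, parse_communicator_conf(conf))
        result = {side: check_side(d, p) for side, (d, p) in parsed.items()}
        result["pair"] = check_pair(parsed["Management"][1], parsed["SPOC"][1])
        return result
```

Run it against the real <management_folder>\conf\ and <spoc_folder>\conf\ directories by passing their paths and file contents to check_side and check_pair; an empty findings list on both sides and an empty pair list is the expected result before restarting the services.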