TLS/SSL Configuration
Union Platform supports encrypted communications via the TLS/SSL protocols over both HTTPS and WSS (WebSocket Secure). TLS/SSL support was added in version 2.1.0.
To configure Union for TLS/SSL communications, follow these steps:
1) Import TLS/SSL Certificate into Keystore
Shut down Union Server, then follow Oracle's Key and Certificate Management Tool documentation to import your certificate into a keystore.
2) Configure Secure Gateway
Create a new Union Server gateway, and configure it as follows:
- Set gateway type to SecureTCP
- In the <keystore_file> tag, specify the path to the keystore file where the certificate was imported
- In the <keystore_password> tag, specify the password to the keystore file
The following example excerpt from Union Server's union.xml configuration file demonstrates how to configure a secure gateway:
<gateway id="SecureGateway" type="SecureTCP">
  <ip>example.com</ip>
  <port>443</port>
  <policy_file>policy.xml</policy_file>
  <keystore_file>/root/.keystore</keystore_file>
  <keystore_password>password</keystore_password>
</gateway>
The SecureTCP gateway communicates using TLS/SSL only; therefore, clients connecting to this gateway must be able to communicate using TLS/SSL. Clients that do not communicate using TLS/SSL will be disconnected.
Union Server can run both SecureTCP gateways and other non-secure gateways at the same time. For example, the following union.xml excerpt defines a non-secure TCP gateway on port 80 alongside a SecureTCP gateway on port 443:
<gateways>
  <gateway id="PrimaryGateway" type="TCP">
    <ip>example.com</ip>
    <port>80</port>
    <policy_file>policy.xml</policy_file>
  </gateway>
  <gateway id="SecureGateway" type="SecureTCP">
    <ip>example.com</ip>
    <port>443</port>
    <policy_file>policy.xml</policy_file>
    <keystore_file>/root/.keystore</keystore_file>
    <keystore_password>password</keystore_password>
  </gateway>
</gateways>
3) Connect Using Secure Client Connections
In Orbiter and OrbiterMicro (Union's JavaScript client frameworks), the Orbiter class defines a secureConnect() method used to create WSS and HTTPS connections to Union Server. In Reactor (Union's ActionScript client framework) the Reactor class defines secureConnect(). To communicate with Union Server over TLS/SSL, use those methods instead of the standard connect() method. For more information, see each client framework's API documentation.