List of connections and known limitations
The table below lists all iWD component connections and their types.
Connections
| iWD Component | Connection Type | Role | Connections | TLS Mode | Comments |
|---|---|---|---|---|---|
| iWD Manager | PSDK | Client | Configuration Server | mutual | The Configuration Server auto-upgrade port should be used for TLS. |
| iWD Manager | PSDK | Client | Interaction Server | mutual | |
| iWD Manager | PSDK | Client | UCS | mutual | |
| iWD Manager | PSDK | Client | Message Server | mutual | |
| iWD Manager | REST | Client | History Node | mutual | |
| iWD Manager | REST | Server | Web browser or custom desktops | mutual | |
| iWD Data Mart | PSDK | Client | Configuration Server | mutual | The Configuration Server auto-upgrade port should be used for TLS. |
| iWD Data Mart | JDBC | Client | iWD Data Mart database | tls | Configured via URL or JVM options or a combination, depending on the database JDBC driver. |
| iWD Data Mart | JDBC | Client | ConfigServer database | tls | Configured via URL or JVM options or a combination, depending on the database JDBC driver. |
| iWD Data Mart | REST | Client | iWD History Node | mutual | |
| iWD Data Mart | REST | Server | iWD Plug-in for GAX | mutual | |
| iWD Data Mart | LCA | | | no | LCA and the product should be located on the same host, so TLS is not required. |
| iWD History Node | PSDK | Client | Configuration Server | mutual | The Configuration Server auto-upgrade port should be used for TLS. |
| iWD History Node | JMS | Client | Interaction Server Event Log | mutual | |
| iWD History Node | JDBC | Client | History Node database | tls | Configured via URL or JVM options or a combination, depending on the database JDBC driver. |
| iWD History Node | REST | Server | iWD Data Mart and iWD Manager | mutual | |
| Stat Server Extensions | JDBC | Client | iWD Data Mart database | tls | Configured via URL or JVM options or a combination, depending on the database JDBC driver. |
| iWD GAX Plugin | JDBC | Client | Interaction Server DB | tls | Configured via URL or JVM options or a combination, depending on the database JDBC driver. |
| iWD GAX Plugin | REST | Client | iWD Data Mart | mutual | |
| iWD Web | REST | Server | Web browser | mutual | |
| iWD Web | PSDK | Client | Configuration Server | mutual | The Configuration Server auto-upgrade port should be used for TLS. |
| iWD Web | PSDK | Client | Interaction Server | mutual | |
| iWD Web | PSDK | Client | Message Server | mutual | |
| iWD Web | REST | Client | WSCP | mutual | |
Limitations
PEM and Windows (MSCAPI) certificates
The REST APIs of iWD Manager, iWD Web, iWD Data Mart and iWD History Node do not support PEM or Windows (MSCAPI) certificates. Data Mart and History Node are built on Dropwizard, which embeds Jetty; the Dropwizard documentation defers to the Jetty SSL documentation at http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html.
Jetty does not read PEM files directly, so when you receive PEM certificates you must pack the server certificate and key into a keystore and the CA certificates into a truststore before Jetty can use them. See http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates for details.
The iWD Manager and iWD Web REST servers are built on Tomcat, which likewise does not read PEM directly. See https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html for details.
Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores.
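The packing step described above, as an added example that is not part of the iWD documentation or the product: a POSIX shell script that turns PEM material into PKCS12 keystore and truststore files, which both Jetty (Dropwizard) and Tomcat load directly. Only openssl is used; the function names, the example CA and server names, the temporary paths and the password changeit are assumptions made for this example, and the certificates it generates are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the Genesys iWD documentation): convert PEM
# certificate material into PKCS12 keystore/truststore files, a format that
# both Jetty (Dropwizard) and Tomcat read directly.  Only openssl is needed;
# keytool can list or convert the result to JKS but is not required.
set -eu

# Generate a throwaway CA and a server certificate signed by it, as
# constructed sample input; names and paths are chosen for this example.
make_sample_pem() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=iwd-example-ca" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=iwd-history-node.example" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
}

# Keystore: server certificate + private key (+ optional issuing chain) under one alias.
# Args: cert.pem key.pem out.p12 password [chain.pem]
pem_to_keystore() {
  cert=$1; key=$2; out=$3; pass=$4; chain=${5:-}
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
      -name server -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$cert" -inkey "$key" \
      -name server -out "$out" -passout "pass:$pass"
  fi
}

# Truststore: CA certificate(s) only, no private key.
# Args: ca.pem out.p12 password
pem_to_truststore() {
  ca=$1; out=$2; pass=$3
  openssl pkcs12 -export -nokeys -in "$ca" -name ca -out "$out" -passout "pass:$pass"
}

# Verification helpers: print the subject of the end-entity certificate in a
# keystore (-clcerts selects the cert tied to the key), or of the first
# certificate in a cert-only truststore.
keystore_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}
truststore_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | openssl x509 -noout -subject
}

# Demo: build both stores in a temporary directory and show what is inside.
demo() {
  work=$(mktemp -d)
  make_sample_pem "$work"
  pem_to_keystore "$work/server.pem" "$work/server.key" "$work/keystore.p12" changeit "$work/ca.pem"
  pem_to_truststore "$work/ca.pem" "$work/truststore.p12" changeit
  echo "keystore:   $(keystore_subject "$work/keystore.p12" changeit)"
  echo "truststore: $(truststore_subject "$work/truststore.p12" changeit)"
  if command -v keytool >/dev/null 2>&1; then
    keytool -list -keystore "$work/keystore.p12" -storetype PKCS12 -storepass changeit
  fi
}

demo
```

Point the server at the resulting files and declare the store type as PKCS12 (Tomcat's keystoreType connector attribute, Dropwizard's keyStoreType/trustStoreType connector settings). Keep the keystore and truststore separate: the truststore contains only the CAs you are willing to accept from peers, which is what the mutual-TLS rows in the table rely on. OpenSSL 3 writes PKCS12 files with PBES2/AES encryption by default; if an older JDK refuses to open one, regenerate it with OpenSSL's -legacy option or re-import it with keytool -importkeystore.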
Redefinition of TLS settings on different levels
iWD uses the Genesys PSDK parser for TLS configuration. The parser reads TLS options from several configuration levels, in this order of precedence:
port/conn > app > host
Each option is resolved independently: PSDK walks the levels in that order and takes the first non-null value it finds for that particular option. The effective configuration can therefore be assembled from a mix of levels, and an option defined at a higher level (for example, a host configured as PEM with certificate-key=someValue) falls through into a lower level that does not define it (for example, a connection configured as JKS without any certificate-key). When PSDK parses that connection it builds an invalid TLS configuration object whose provider is JKS and whose certificate-key is someValue.
Creating an SSLContext from such an object fails. The underlying problem is that a field with a dedicated UI control in GAX cannot be cleared at a lower level (application or port) once it is defined at a higher level (host or application); certificate-key is one such field. A connection's Transport Parameters do, however, accept an option set to an empty value (for example, certificate-key=), which counts as a non-null value and therefore stops the fallthrough.
Cases
- All REST servers (Data Mart, History Node, iWD Manager) work only with JKS, configured at port level. The host may therefore be configured as PEM with a certificate-key value, but because the REST servers do not use the PSDK SSLContext, this is not an issue for them.
- To use JKS at any connection level, you must set certificate-key= (an explicitly empty value) on that connection so that no certificate-key from a higher level falls through into it.
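To make the fallthrough concrete, here is an added example that models the per-option resolution described in this section; it is not PSDK code and does not claim to reproduce PSDK internally. It assumes that each level can be written as a ";"-separated list of key=value pairs, uses the option names provider and certificate-key from the text above plus certificate, trusted-ca and tls as assumed option names, and the paths in it are constructed. It shows the invalid JKS-plus-host-key combination arising from a connection that is silent about certificate-key, the same connection repaired with certificate-key=, and the null case where an option is set nowhere.

```shell
#!/bin/sh
# Added example, not PSDK code: a small model of the per-option fallthrough
# (connection > application > host) described above.  Levels are written as
# ";"-separated key=value lists; option names beyond provider and
# certificate-key, and all paths, are assumptions for this example.
set -eu

# lookup KEY LEVEL: print "KEY=value" if KEY is present at LEVEL (the value
# may be empty), print nothing if it is absent.  Presence is what matters.
lookup() {
  printf '%s\n' "$2" | tr ';' '\n' | grep "^$1=" | head -n 1 || true
}

# effective_option KEY CONN APP HOST: the first level at which KEY is present
# wins, even when its value is empty.  Absent everywhere yields an empty result.
effective_option() {
  key=$1; shift
  for level in "$@"; do
    hit=$(lookup "$key" "$level")
    if [ -n "$hit" ]; then
      printf '%s\n' "${hit#*=}"
      return 0
    fi
  done
  printf '\n'
}

# tls_effective CONN APP HOST: print the merged provider/certificate-key pair.
tls_effective() {
  printf 'provider=%s certificate-key=%s\n' \
    "$(effective_option provider "$@")" "$(effective_option certificate-key "$@")"
}

# tls_verdict CONN APP HOST: VALID or INVALID.  A JKS provider keeps its key
# inside the keystore, so a non-empty certificate-key makes SSLContext
# creation fail, which is the failure mode this section describes.
tls_verdict() {
  provider=$(effective_option provider "$@")
  certkey=$(effective_option certificate-key "$@")
  if [ "$provider" = "JKS" ] && [ -n "$certkey" ]; then
    echo INVALID
  else
    echo VALID
  fi
}

# Constructed sample levels.  The host is set up for PEM and carries a key path.
HOST_LEVEL='provider=PEM;certificate=/opt/genesys/certs/host.pem;certificate-key=/opt/genesys/certs/host.key;trusted-ca=/opt/genesys/certs/ca.pem'
APP_LEVEL='tls=1'
# Connection configured for JKS but silent about certificate-key: the host value leaks in.
CONN_BROKEN='provider=JKS;certificate=/opt/genesys/certs/keystore.jks;trusted-ca=/opt/genesys/certs/truststore.jks'
# The same connection with certificate-key= present but empty: the fallthrough stops here.
CONN_FIXED="$CONN_BROKEN;certificate-key="

for conn in "$CONN_BROKEN" "$CONN_FIXED"; do
  echo "$(tls_verdict "$conn" "$APP_LEVEL" "$HOST_LEVEL"): $(tls_effective "$conn" "$APP_LEVEL" "$HOST_LEVEL")"
done
```

The check is the one to run in your head whenever a host-level PEM setup coexists with a JKS connection: list every option the higher levels define, and make sure each one that must not apply to the JKS connection is present on that connection with an empty value.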
iWD Stat Extensions has a limitation regarding TLS settings for the JDBC connection. iWD Stat Extensions shares its database settings with Data Mart: the Data Mart Stat Adapter job copies the JDBC URL from the Data Mart DAP into the Stat Server options, so Stat Server must be configured in the same way as Data Mart.
- If Data Mart uses a TLS connection to the database configured through JVM arguments (the recommended way), Stat Server must be started with the corresponding JVM options and must have access to the same certificates.
- If Data Mart uses a TLS connection to the database configured through a JDBC URL that contains certificate paths and/or passwords, Stat Server must either be installed on the same host as Data Mart or use the same certificate paths and passwords.
iWD Manager and iWD Web client applications cannot be configured on HOST level
iWD has two client applications, iWD Manager and iWD Web, each with a connection to Configuration Server. Client applications have no linked host value, so iWD cannot read host-level parameters when it configures their connections. The connection through the auto-upgrade port can therefore be configured ONLY at the connection or the application level.
Mutual TLS for databases
Mutual TLS (client-certificate authentication) for database connections is not supported; the JDBC connections listed in the table above use server-side TLS only.
