
Welcome to the TOCF - TAFC Agent Connection - SSL Encryption learning unit. In this learning unit you will understand how to enable SSL to connect to T24.

At the end of this session you will be able to

Enable SSL encryption and connect to T24 using SSL.

Secure Sockets Layer (SSL) is a cryptographic protocol that provides communications security over the internet. SSL has been succeeded by Transport Layer Security (TLS).

SSL and TLS encrypt the segments of network connections above the Transport Layer of the TCP/IP architecture, using asymmetric cryptography for privacy and keyed message authentication codes for message reliability.

When implementing security with SSL, you place SSL on top of the TCP/IP layers and replace the TCP calls with SSL calls. It is independent of the application: once a connection is set up, after the initial handshake it acts like a secure tunnel through which you can send and receive anything. SSL is transparent to the user.

Some of the advantages of using SSL:

• Encryption – Messages sent using SSL are encrypted, so only the sender and the receiver can decrypt them.
• Integrity – Message integrity ensures that any change in the data can be immediately detected and prevented.
• Confidentiality – User transactions are protected by encrypting data streams and messages so that only the intended recipients can unlock (decrypt) them.
• Authentication – The process of verifying that the user's identity is valid.
• Non-Repudiation – A user cannot deny having signed or encrypted a particular message once it has been sent, assuming the private key is secured.

The SSL encryption process comprises the following steps:
1. An SSL client and server negotiate a stateful connection using a handshake procedure. During this handshake, the client and server agree on the various parameters used to establish the connection's security.
2. The handshake begins when a client connects to an SSL-enabled server requesting a secure connection and presents a list of supported cipher suites (ciphers and hash functions).
3. From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
4. The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted Certificate Authority (CA) and the server's public encryption key.
5. The client may contact the server that issued the certificate (the trusted CA above) and confirm the validity of the certificate before proceeding.
6. To generate the session keys used for the secure connection, the client encrypts a random number with the server's public key and sends the result to the server. Only the server should be able to decrypt it, with its private key.
7. From the random number, both parties generate key material for encryption and decryption.

This concludes the handshake and begins the secured connection, which is encrypted
and decrypted with the key material until the connection closes.

The SSL encryption in TOCF secures the communication between TOCF and T24 (i.e. between the Resource Adapter and the TAFC Agent).

The entire SSL encryption process is simple and comprises the following steps:

1. Obtain a certificate.
2. Install the certificate.
3. Start tafc_agent with the certificate and the specified key parameters.
4. Set the SSLEncrypt and Naive Trust Manager parameters to "true" in t24-ds.xml.
5. Start JBoss and perform secure communication with T24.

You will now be able to connect to T24 via SSL with the required authentication.

Let’s take a look at each step in detail.

• The certificate has to be obtained from a Certification Authority.
• For learning purposes you can obtain a self-signed certificate using OpenSSL, a freeware tool that can be downloaded.
• Once you have downloaded OpenSSL, extract the contents to a root folder (e.g. D:/ssl).
• The directory structure will have the bin, lib and include folders, etc.:
  • bin - the openssl executable file
  • lib - library files
  • include - include (header) files
• Create the directories named keys and certs by using the md command:
  • md certs
  • md keys
• These folders hold the certificates and private keys respectively.

Note: A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption.

TAFC Agent may be configured to use SSL encryption. To activate SSL encryption, it is sufficient to provide a valid X.509 certificate and a private key.

The following example describes how to create a self-signed certificate and key with OpenSSL.

First, let's create a 1024-bit RSA private key which will be used when creating our certificate.

The RSA algorithm involves three steps: key generation, encryption and decryption. An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy; all you have to do is use the following command:

openssl genrsa -out keys/ca.key 1024

This will create a file called D:\ssl\keys\ca.key, which contains the certificate authority private key.

Generate a certificate using the key you have already created. Use the openssl command as shown here to create the certificate.

You will be asked to enter information to be incorporated into your certificate request, as shown above.

For some fields there will be a default value. To leave a field blank, enter '.'.
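The key and certificate steps above, scripted as an added example (not the course's or Temenos' own tooling): it runs the two OpenSSL commands non-interactively, then checks that ca.cer and ca.key belong together and that the certificate verifies once it is trusted. It assumes openssl is on the PATH; the subject fields, the 2048-bit key size and the work directory are assumptions.

```shell
#!/bin/sh
# Added example: the page's two OpenSSL steps (key, then self-signed
# certificate) done non-interactively, plus checks the page leaves out.
# Assumptions: openssl is on the PATH; subject fields, 2048-bit key size
# and the work directory are made up for this example.

# Create keys/ca.key and certs/ca.cer under the work directory $1.
make_selfsigned() {
    mkdir -p "$1/keys" "$1/certs" || return 1
    # The page uses 1024 bits; 2048 is the smallest size worth deploying.
    openssl genrsa -out "$1/keys/ca.key" 2048 2>/dev/null || return 1
    # -subj supplies the answers the page says openssl req prompts for;
    # -x509 produces a self-signed certificate rather than a request.
    openssl req -new -x509 -sha256 -days 365 -key "$1/keys/ca.key" \
        -subj "/C=GB/O=Example Bank/CN=t24.example" \
        -out "$1/certs/ca.cer" 2>/dev/null
}

# Do certificate $1 and private key $2 belong together? tafc_agent -c/-k
# needs a matching pair; compare the public key embedded in each.
check_pair() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# The chain check a client performs once ca.cer is in its trusted root
# store; the page's Naive Trust Manager option, by its name, bypasses it.
verify_trusted() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint to compare with the Windows certificate dialog
# before clicking Yes in the install wizard's Security Warning.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

WORK="${TMPDIR:-/tmp}/t24-ssl-demo"
if make_selfsigned "$WORK" \
   && check_pair "$WORK/certs/ca.cer" "$WORK/keys/ca.key" \
   && verify_trusted "$WORK/certs/ca.cer"; then
    echo "ca.cer and ca.key ready, fingerprint $(fingerprint "$WORK/certs/ca.cer")"
else
    echo "certificate generation or check failed" >&2
fi
```

Copy the resulting certs/ca.cer and keys/ca.key to the bnk.run folder before starting tafc_agent as described below.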

After creating the certificate, install it so that it is treated as a trusted one.

The steps to install the certificate are quite simple:

1. Double-click the certificate and click "Install Certificate".
2. In the wizard, click Next.
3. Select the option "Place the certificate in the following folder".
4. Click Browse to locate the folder for storing the certificate, select "Trusted Root Certification Authorities" and click OK.
5. Click Next and then Finish.
6. In the Security Warning window, click Yes to accept it as a valid certificate.

Now, let's say you have 'ca.cer' and 'ca.key' as your certificate and key files. Save the files on your T24 server (where you will be running the TAFC Agent, e.g. in the D:\Temenos\ModelBank-R13\Temenos\bnk\bnk.run folder) and start the TAFC Agent using the following command:

tafc_agent -c ca.cer -k ca.key

Add the required properties to t24-ds.xml and start JBoss.

Now you can connect to T24 via SSL.

You will now be able to explain how to enable SSL encryption and connect to T24 using SSL.
