Certificate Management

MineMarket can be configured to use the Secure Sockets Layer (SSL) protocol for encrypted communication between the MineMarket Service and all clients. Clients include the MineMarket Clients, the MineMarket Marketing Service, the MineMarket Export and Reports Service, the MineMarket Data Mart Service, the MineMarket Data Agents, the MineMarket Data Service, and the MineMarket Excel Uploader. Clients may also include IMS Integration Hub and third-party plugins or DLLs.

Datamine recommends using the SSL protocol.

To use SSL, you need to:

  • Enable the Use SSL setting in the configuration of the MineMarket Service and all clients. This setting is enabled by default.
  • Use the following SSL certificates and keys:
    • root.crt—The certificate authority (CA) certificate used to sign the server and client certificates. This file must be the same on the MineMarket Server and all clients.
    • server.crt—The server certificate, which must be issued to the host name of the MineMarket Server; that is, the name or IP address of the server on which the MineMarket Service runs.
    • server.key—The private key for the server certificate.
    • client.crt—The client certificate, which is presented to the server to prove that the client is trusted for communication. Datamine recommends that each client has its own certificate; however, this is not required.
    • client.key—The private key for the client certificate.

Obtaining Certificates

You can request certificates from a CA, or you can generate self-signed certificates.

Note: Datamine expects that MineMarket is running in a secured and isolated network environment. If the MineMarket Server and clients are not exposed to the public internet, using purchased certificates from an external CA may be difficult, because external CAs have stringent requirements for proof of ownership before issuing certificates. Self-signed certificates are sufficient to protect internal communication between the MineMarket Service and clients. If your organisation already has a CA that can be used to sign additional certificates, that CA can be used as root.crt.

Storing Certificates

Certificates and their keys must be accessible yet secure:

  • root.crt—Must be accessible to the logon users of the MineMarket Service and all clients.
  • server.crt—Must be accessible to the logon users of the MineMarket Service. This file should not be included in the keystore for client installations.
  • server.key—Must be accessible to the logon users of the MineMarket Service and must be kept secure. Other users should not have access to this file.
  • client.crt—Must be accessible to the logon users of the applicable clients.
  • client.key—Must be accessible to the logon users of the applicable clients. Other users should not have access to this file.

Specify the keystore location in the configuration of the MineMarket Service and all clients. The default location is .\keystore, which is the keystore subfolder of the MineMarket installation.

Important: Other files, such as root.key, server.csr and client.csr (if created), should not be added to the MineMarket keystore location.
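
The storage rules above can be checked with a short audit of the keystore folder. This is an added example, not part of MineMarket or its documentation; the function name and the -Role parameter are hypothetical, and the file names are the ones listed in this topic.

```powershell
# Added example: audit a keystore folder against the storage rules in this topic.
# Test-KeystoreStorage and -Role are hypothetical names, not MineMarket commands.
function Test-KeystoreStorage {
    param(
        [string]$KeystorePath = '.\keystore',
        [ValidateSet('Server', 'Client')][string]$Role = 'Server'
    )
    # Files this topic places in the keystore; server files only on the server.
    $allowed = @('root.crt', 'client.crt', 'client.key')
    if ($Role -eq 'Server') { $allowed += 'server.crt', 'server.key' }

    # Well-known SIDs of broad groups: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $findings = @()

    foreach ($file in Get-ChildItem -LiteralPath $KeystorePath -File) {
        # Anything else (root.key, *.csr, server files on a client) is reported.
        if ($allowed -notcontains $file.Name) {
            $findings += [pscustomobject]@{
                File = $file.Name; Issue = "Not expected in a $Role keystore"
            }
            continue
        }
        if ($file.Extension -ne '.key') { continue }

        # Private keys: report Allow rules (explicit or inherited) for broad groups.
        $rules = (Get-Acl -LiteralPath $file.FullName).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -eq 'Allow' -and
                $broadSids -contains $rule.IdentityReference.Value) {
                $findings += [pscustomobject]@{
                    File  = $file.Name
                    Issue = "Allow rule for broad group $($rule.IdentityReference.Value)"
                }
            }
        }
    }
    $findings
}

Test-KeystoreStorage -KeystorePath '.\keystore' -Role Server | Format-Table -AutoSize
```

An empty result means no unexpected files and no broad-group access to the private keys were found; access for the intended logon users still has to be confirmed separately.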

Generating Self-Signed Certificates

Note: This activity is only required if you are not using provided certificates from a CA.

MineMarket includes two methods to generate self-signed certificates:

  1. In the MineMarket Service Config screen, if you set Use SSL to True, when you save the configuration, MineMarket displays a prompt to generate the certificates. See Configure the MineMarket Service. The server certificate Subject Alternative Name (SAN) is assumed to be localhost with this method. This method is most suitable for a complete installation of MineMarket on a server identified as localhost. In a networked installation, enter localhost as the SSL Target Name Override in the Application Configuration Editor when you are configuring each client.
  2. Run the gencerts.bat file in the keystore subfolder of the MineMarket installation on the MineMarket Server. This method allows you to specify the SAN, expiry and output path.

You should only generate one set of self-signed certificates. Copy root.crt, client.crt and client.key to each of the MineMarket clients in the keystore location specified in the Application Configuration Editor. You may need to create the keystore subfolder in the client installations.

Certificate Expiry

Self-signed certificates generated by MineMarket have a default expiry date of 100 years from the current date; in effect, the certificates will not expire. If you want to generate self-signed certificates with a shorter expiry date, edit the number of days in the gencerts.bat file and use that method to generate the certificates.

The MineMarket Service has a daily process to check the validity of the certificates. If any certificate is set to expire within 30 days, a warning is sent to the warehouse email (if configured/enabled) and logged. The check runs when the MineMarket Service starts, and then every 24 hours. If any certificates have expired, an expiry notification is emailed and logged, and the MineMarket Service stops.
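
To see the expiry dates before the service's own check acts on them, the certificates in the keystore can be inspected directly. This is an added example, not MineMarket code; the function and parameter names are hypothetical, and it assumes the .crt files are PEM or DER encoded X.509 certificates. It also prints the Subject Alternative Name so that the server certificate's host name can be confirmed.

```powershell
# Added example: report expiry and SAN for each certificate in the keystore.
# Get-KeystoreCertStatus is a hypothetical name, not a MineMarket command.
function Get-KeystoreCertStatus {
    param(
        [string]$KeystorePath = '.\keystore',
        [int]$WarnDays = 30   # warning window described in this topic
    )
    $now = Get-Date
    foreach ($file in Get-ChildItem -LiteralPath $KeystorePath -Filter '*.crt' -File) {
        # Assumption: the file is a PEM or DER encoded X.509 certificate.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $file.FullName
        $remaining = ($cert.NotAfter - $now).TotalDays

        if ($remaining -le 0) {
            $status = 'Expired'        # condition under which the service stops
        } elseif ($remaining -le $WarnDays) {
            $status = 'ExpiresSoon'    # condition that triggers the warning
        } else {
            $status = 'OK'
        }

        # Subject Alternative Name extension (OID 2.5.29.17), if present.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

        [pscustomobject]@{
            File     = $file.Name
            Subject  = $cert.Subject
            SAN      = $san
            NotAfter = $cert.NotAfter
            DaysLeft = [math]::Floor($remaining)
            Status   = $status
        }
    }
}

Get-KeystoreCertStatus -KeystorePath '.\keystore' | Format-List
```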