To create a new communications process, click * New Comms Server.
To view the listeners associated with a communications process, click the communications process in the communications process list.
To display all the configurable properties of the communications process, click Configure.
- Auto Start
- Check this to automatically start the communications process when the enterprise server instance starts.
- Status
- Displays the current status of the communications process:
- Started
- Stopped
- Disabled
- Blocked
- Not Responding - This means any listener whose status is unknown because the server it is registered with is not responding to the server monitor.
- Not Started - This means any listener with a status other than Started.
- Not Stopped - This means any listener with a status other than Stopped.
- Requested Status
- The requested status of the communications process. If the region is running, at least one communications process must be started.
- Process ID
- Displays the process ID of this communications process.
- Actual Address
- Displays the network address or addresses used by the communications process to accept incoming client requests. The format is:
protocol:hostname or ip-address:port
where:
- protocol
- This can be tcp or tcpssl.
- hostname or ip-address
- This can be a single hostname or multiple IP addresses that can be either IPv4 or IPv6.
Note: Specifying 0.0.0.0 binds on all available IPv4 addresses. Specifying :: binds on all available IPv6 addresses. Specifying * binds on all available IPv4 and IPv6 addresses.
- port
- This must be a valid port or an asterisk *, which indicates that the address is dynamically assigned for the communications process when it starts.
To add additional addresses, expand CONFIGURE and then click the + icon. To remove an address, click the - icon.
- Status Log
- Displays the most recent event for that communications server.
Configure
- Protocol
- Protocol can be tcp or tcpssl.
- Hostname or IP Address
- A hostname, IPv4, or IPv6 address to accept incoming client requests. Specify * to listen on all available addresses.
- Port
- A port to accept incoming client requests. Specify * to pick an unused port at start up.
- Custom Configuration
- Specify optional textual configuration information.
TLS Settings
For an enterprise server instance, you can create a secure Communications Process control listener to encrypt the communications it handles. To do this, click TLS SETTINGS to expand the TLS Settings group.
You must specify the following fields:
- Enable TLS
- Enables Transport Layer Security (TLS) for this communications process.
- Certificate File
- The location, on disk, of the certificate. If multiple certificates are used, separate the paths with a semicolon ';'.
- Keyfile
- The location, on disk, of the keyfile. If multiple keyfiles are used, separate the paths with a semicolon ';'.
- Server CA Root Certificate File
- Location on disk of the server CA root certificate. This root certificate is used when the Directory Server communicates with a TLS-enabled Communications Process. MFDS uses it to verify whether it trusts the Communications Process's certificate chain, and therefore whether it trusts the Communications Process's server certificate itself.
Note: The following certificate file formats are supported: DER, CER, PKCS #7, PKCS #8, PKCS #12 and PEM. The following key file formats are supported: PKCS #8, PKCS #12 and PEM.
Advanced TLS Settings
Optionally, click Advanced to expand the advanced group of options:
- Client Authentication
- Select one of the client authentication types:
- Accept all clients
- Allows all clients to communicate with the server without being checked for a TLS/SSL certificate.
- Request client certificate, and verify if present
- Requests a certificate from the client and verifies the returned certificate. If the client does not return a certificate, communication continues between the client and server. If a certificate is returned and it fails to verify, communication stops. If you select this, you must specify the CA root certificates file.
- Require client certificate, and verify
- Always requires a client certificate and verifies it. This ensures that the client is trusted. If a certificate is not returned or it cannot be verified, communication between the client and server is stopped. If you select this, you must specify the CA root certificates file.
- Honor Server Cipher List
- By default, the TLS Honor Server Cipher List is checked. This forces clients to use the protocols and cipher suites specified, in order of their priority.
- Protocols
- The list of TLS protocols to be used, in order of precedence. Each specified protocol is preceded by one of the following operators:
- !
- Exclude. Permanently exclude the protocol and ignore any subsequent attempt to add the protocol back in.
- +
- Add. Add the protocol to the existing collection.
- -
- Delete. Delete the protocol from the existing collection.
For example, to use only TLS1.1 and TLS1.2, type
-ALL+TLS1.1+TLS1.2
Note: The Protocols field now supports TLS1.3.
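The following is an added example, not part of the product documentation, showing how the Actual Address format (protocol:hostname or ip-address:port) and the Protocols operators described above can be evaluated in Python, including a check for legacy protocols that a Protocols string leaves enabled. The set of protocol names that ALL expands to, and the starting state of "everything enabled", are assumptions; the same three operators apply to the Cipher Suites field, but cipher keyword expansion is not modelled here.

```python
import re

# The page names TLS1.1, TLS1.2 and TLS1.3; SSL3 and TLS1 are assumed here so
# that the ALL keyword has a full set of protocol names to expand to.
KNOWN_PROTOCOLS = ("SSL3", "TLS1", "TLS1.1", "TLS1.2", "TLS1.3")
LEGACY_PROTOCOLS = {"SSL3", "TLS1", "TLS1.1"}  # anything below TLS 1.2

_TOKEN = re.compile(r"([!+-])([^!+-]+)")  # one operator plus one protocol name

def effective_protocols(spec, known=KNOWN_PROTOCOLS):
    """Evaluate a Protocols string such as '-ALL+TLS1.1+TLS1.2' and return the
    protocols left enabled, in precedence order. Assumes the collection starts
    with every known protocol enabled. Operators: '!' excludes permanently (a
    later '+' is ignored), '+' appends, '-' deletes (may be re-added with '+')."""
    enabled, banned, pos = list(known), set(), 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:  # text that is not preceded by an operator
            raise ValueError(f"malformed protocol list near {spec[pos:]!r}")
        pos = m.end()
        op, name = m.group(1), m.group(2).strip().upper()
        for n in (list(known) if name == "ALL" else [name]):
            if n not in known:
                raise ValueError(f"unknown protocol {n!r}")
            if op == "!":
                banned.add(n)
            if op in "!-":
                enabled = [p for p in enabled if p != n]
            elif n not in banned and n not in enabled:
                enabled.append(n)
    if pos != len(spec):
        raise ValueError(f"malformed protocol list near {spec[pos:]!r}")
    return enabled

def legacy_protocols_enabled(spec):
    """Pre-TLS1.2 protocols that a Protocols string leaves switched on."""
    return [p for p in effective_protocols(spec) if p in LEGACY_PROTOCOLS]

def parse_listener_address(addr):
    """Split an Actual Address 'protocol:hostname or ip-address:port' string.
    The host runs from the first ':' to the last ':' so IPv6 literals such as
    '::' survive; the port is a number or '*' (dynamically assigned)."""
    proto, _, rest = addr.partition(":")
    host, sep, port = rest.rpartition(":")
    if proto not in ("tcp", "tcpssl") or not sep or not host:
        raise ValueError(f"bad listener address {addr!r}")
    if port != "*" and not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"bad port {port!r} in {addr!r}")
    return proto, host, port
```

With the documented example string, effective_protocols("-ALL+TLS1.1+TLS1.2") returns ["TLS1.1", "TLS1.2"], and legacy_protocols_enabled flags TLS1.1 as still enabled.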
- Cipher Suites
- Specifies the priority of cipher suites to be used. The cipher suite priority is formed using a combination of keywords and keyword modifiers in a space-separated string:
- !
- Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
- +
- Add. Add the cipher suite to the end of the collection.
- -
- Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
- TLS1.3 Cipher Suites
- The list of cipher suites to be used with TLS1.3, separated by a colon ':'. For example: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
- Diffie-Hellman Minimum Group Size
- Specifies the minimum size, in bits, of the Diffie-Hellman group modulus.
Note: Micro Focus recommends a minimum modulus size of 2048 bits.
- Key Exchange Cipher Groups
- The key exchange cipher groups to be used, separated by semicolons ';'. For example:
secp521r1;secp384r1;prime256v1;secp256k1;secp224r1;secp224k1;prime192v1
- TLS1.3 Middlebox Compatibility
- Enables a workaround for TLS1.3 on networks with incompatible middleboxes, for example routers and firewalls. Disabling this can improve performance on compatible networks but might result in dropped connections otherwise.