Hi Roman,
It's not mandatory to install CAPKI. But only when it's installed on both ends will the communication be encrypted using the TLS protocol. In that case you need to set SMGR_SUPPORT_LEGACY_SECURITY=N.
When you run the setup for CAPKI, it registers itself to the system (e.g. Registry Key on Windows) with its Caller ID.
There are multiple levels of security when using CAPKI:
1) Basic: no validation of certificates (Trusted Certificate Store empty). The automatically created certificates will be used to encrypt communication, but not validated.
2) Mutual TLS authentication incl. validation of certificates between ServiceManager and AE. For this level we recommend one certificate for the AE and one for the ServiceManager(s) (=2 certificates in total).
3) Mutual TLS authentication incl. validation of certificates also between ServiceManager Dialog (ServiceManager CLI) and ServiceManager. For this level we recommend an additional certificate for ServiceManagerDialog and CLI (=3 certificates in total).
Regards, Markus
Original Message:
Sent: 03-03-2020 03:27 AM
From: Roman Embacher
Subject: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade
Hi Gang Lu,
Many thanks for your reply :) Need to get into the details :)
What exactly do you mean by "If you do not install CAPKI"? This needs to be installed on each server with command line tool if used, and configurations need to be done in the ini-files. How does the AE check if it is installed or not?
I'm still a bit sceptical, as the default for this variable is "N". Will the upgrade routine somehow check some ini or on the OS if CAPKI is installed and then set it to "Y"?
To be on the safe side, is it an option to just set SMGR_SUPPORT_LEGACY_SECURITY in the UC_SYSTEM_SETTINGS, already before the ZDU upgrade?
Best Regards,
Roman
Original Message:
Sent: 02-27-2020 02:27 AM
From: Gang Lu
Subject: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade
Hi Roman,
If you do not install CAPKI, SMGR_SUPPORT_LEGACY_SECURITY will be set to Y automatically.
Best Regards
Original Message:
Sent: 02-26-2020 05:25 AM
From: Roman Embacher
Subject: New UC_SYSTEM_SETTINGS in 12.3. handling for Zero Downtime Upgrade
Hi All,
In our case the setting SMGR_SUPPORT_LEGACY_SECURITY should be set to "Y" after the Zero Downtime Upgrade. "Y" is not the default.
Can we add this already to the UC_SYSTEM_SETTINGS in the older version so that it is available when starting 12.3 the first time?
Best Regards,
Roman
------------------------------
Roman Embacher
R.E. IT Services
------------------------------