Setting Up TLS Certifcates
To secure the connection between a device running your client application and the ThingWorx Platform, set up the TLS certificates for the client (your Edge SDK application) and the ThingWorx Platform. The certificate of the platform's certificate Issuer must be stored in SSLCACert.pem in the directory, $JAVA_HOME/jre/lib/security.
If authentication of the client application at the server is required, store the client identity certificate and private key in SSLCert.pem and SSLPrivKey.pem, respectively.
To Generate a Certificate and Private Key Using the Java keytool Utility
These steps assume a Windows computer and an installation of the Java Development Kit:
1. Open a Command prompt.
2. Run make-keystore.bat from the command line in the format:
make-keystore.bat hostname
3. Answer the following questions:
a. What is your first and last name? [Unknown]: [use the host name] The name you enter here must match the name used by your client application. That is, if your client connects using https://mytwxserver:443, this value must be mytwxserver.
b. What is the name of your organizational unit? [Unknown]: QA Enter the name appropriate to your department within your organization. The example here uses "QA" (Quality Assurance).
c. What is the name of your organization? [Unknown]: Acme Enter the name of your company.
d. What is the name of your City or Locality? [Unknown]: Springfield Enter the name of the geographical location, such as a city, of the machine running your client application.
e. What is the name of your State or Province? [Unknown]: MA Enter the name of the state or province in which this city is located.
f. What is the two-letter country code for this unit? [Unknown]: US Enter the country code for the location of this machine. US in the example is for the United States.
g. Is CN=hostname, OU=QA, O=Acme, L=Springfield, ST=MA, C=US correct? [no]: yes Check that all the information is correct, and enter yes if true. The default answer is no.
4. When prompted for passwords, use the host name or some other easily identifiable name.
5. When prompted for the private key password, type the passphrase for your CA private key.pem.
6. The created file is named hostname.jks. Copy this file to the ThingWorx Platform and store it in the directory, $JAVA_HOME/jre/lib/security.
7. In your client code, specify the location of this trust store as follows:
System.setProperty("javax.net.ssl.trustStore",
"C:\Program Files\Java\jdk1.8.0_212.jdk\
Contents\Home\jre\lib\security\root_store")
"C:\Program Files\Java\jdk1.8.0_212.jdk\
Contents\Home\jre\lib\security\root_store")
8. Also in your client code, set the password for the trust store, as follows:
System.setProperty("javax.net.ssl.trustStorePassword", "thingworx")
 |
While developing an application, turn on debugging to see all the messages exchanged during an SSL/TLS handshake, using a line similar to the following:
System.setProperty("javax.net.debug", "ssl,keymanager");
|