Replication Security
To enable secure transactions, content replication requires replication sites to share a common, trusted certificate authority. If a client experiences a Java secure socket link exception (for example, “javax.net.ssl.SSLException: untrusted server cert chain”), the client needs to import the certificate authority of the server to which it is making a request.
Importing Certificates into Sites
Use the following commands to import certificates into master and remote sites:
keytool -import -alias someAliasName -file path/to/certificateAuthority.cert -storetype jks -keystore /path/to/keystore.jks
certificateAuthority.cert is the certificate of the certificate authority, not the web server. In the case of a self-signed web certificate, the certificate authority and the web server are the same.
keystore.jks is the file that the trusted certificate authority will be imported into. The Java secure socket extension (JSSE) provider has a truststore in the following location:
$JAVA_HOME/jre/lib/security/jssecacerts
Importing into this truststore makes the certificate authority trusted by all invocations of the virtual machine. Alternatively, the certificate authority can be imported into any other keystore file, which is then referenced on the Java command line.
The Java command-line argument that specifies a truststore file is (the property name is case-sensitive):
-Djavax.net.ssl.trustStore=fileName
For example:
keytool -import -alias Acme_CA -file /tmp/acme_ca.cert -storetype jks -keystore /home/jlk/wgm_for_proe/conf/cacerts.jks

java -classpath /home/jlk/wgm_for_proe/lib/foo.jar:/... -Djavax.net.ssl.trustStore=/home/jlk/wgm_for_proe/conf/cacerts.jks com.ptc.foo.jar
About Security and Using wt.intersvrcom.URLAuthenticator.useUrlCache
If you set the wt.intersvrcom.URLAuthenticator.useUrlCache property to false on the master site and all remote sites, a single URL can be used multiple times within the grace period specified by the property wt.intersvrcom.security.graceTimePeriod. The default setting of the wt.intersvrcom.URLAuthenticator.useUrlCache property is true.
Allowing multiple uses of a URL in combination with a large grace period increases the risk of malicious use of the URL.
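The trade-off described above, as an added example that is not Windchill code: a generic model of a time-limited signed URL validated with and without a used-URL cache. The HMAC token format, the key, the sample path and the names sign_url, UrlAuthenticator and count_accepted are assumptions for illustration; the product's actual URL format is not described on this page.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: secret shared by master and remote sites


def sign_url(path: str, issued_at: int) -> str:
    """Return a URL carrying its issue time and an HMAC over path and time."""
    msg = f"{path}|{issued_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{path}?ts={issued_at}&sig={mac}"


class UrlAuthenticator:
    """Hypothetical validator; use_url_cache models the property's true/false."""

    def __init__(self, grace_seconds: int, use_url_cache: bool = True):
        self.grace_seconds = grace_seconds
        self.use_url_cache = use_url_cache
        self._seen = {}  # accepted URL -> time at which it expires anyway

    def accept(self, url: str, now: int) -> bool:
        path, _, query = url.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        try:
            issued_at = int(params["ts"])
        except (KeyError, ValueError):
            return False
        # Recompute the signed form and compare in constant time.
        expected = sign_url(path, issued_at)
        if not hmac.compare_digest(expected.encode(), url.encode()):
            return False
        # The URL is only valid inside the grace period.
        if not 0 <= now - issued_at <= self.grace_seconds:
            return False
        if self.use_url_cache:
            # Forget entries whose grace period is over, then refuse reuse.
            self._seen = {u: t for u, t in self._seen.items() if t >= now}
            if url in self._seen:
                return False
            self._seen[url] = issued_at + self.grace_seconds
        return True


def count_accepted(use_url_cache: bool, grace_seconds: int, attempts_at: list) -> int:
    """Present one constructed URL (issued at t=1000) at each time; count accepts."""
    auth = UrlAuthenticator(grace_seconds, use_url_cache)
    url = sign_url("/replicate/vault/item42", issued_at=1000)
    return sum(auth.accept(url, now) for now in attempts_at)
```

With the cache on, a captured URL is accepted once; with it off, every presentation inside the grace period is accepted, so a shorter grace period is the only remaining limit.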