In this chapter, we will explain how to configure the connection on the D2000 application side for the Smartweb platform needs using examples. For communication between the SmartWeb application and D2000, the JAPI library is used which communicates with the D2Connector process on the D2000 side. To make use of this chapter, we need an active D2000 application (kernel at least) to which we can connect. Connection possibilities are divided into three categories and the possibilities from individual categories can be combined freely.

A connection can be established in two basic ways:

Connection actively follows the SmartWeb server (basic way of connecting). It is a standard method, easier for usage and debugging and can be applied in every network in which the security policy allows it.
Connection actively follows D2Connector (reverse connection). This method is used when the SmartWeb server is located in a so-called "demilitarized zone" (DMZ) - it is a computer network segment with which you can establish connection also from a local intranet and from outside internet but you cannot establish any connection from DMZ outside. (Supported from the 10.1.39 version)

From the point of view of the wiretapping protection, you can establish:

Unsecured connection. Although the JAPI protocol is binary, all texts are transmitted in a readable way. An unsecured connection is good when debugging or in the case when communication between D2Connector and JConnector runs in a secure network.
Connection secured by the TLS v1.2 protocol. JAPI and D2Connectorcommunicate with each other by an encrypted protocol while D2Connector shows its identity by a certificate and a private key which JConnector compares with its own certificate. (Supported from the 10.1.39 version)

From the point of view of connection to "hot" kernel in a redundant group:

D2Connector always connects to the "hot" server
D2Connector is always connected to the same Kernel regardless of whether it is "hot" or "standby server".

Parameters for Running D2Connector

D2Connector is a process of the D2000 system and it is distributed as a console application (d2connector.exe). It accepts standard parameters of D2000 processes for running from the command line which are described in the D2000 Online Reference Help. Besides, it accepts the following parameters of a command line:

--CONNECTOR_LISTEN_PORT=<port> - it sets the number of the TCP port on which D2Connector listens for incoming connections from JAPI. If it is not stated differently, it will listen on the 3120 port. (The parameter will be ignored if the combination with --DCC is used)
--DCC=<hostname:port> - it switches D2Connector from the listening mode to the mode of active connecting to the given address (DNS or IP) and to a port. It tries to establish a connection every 30 seconds until it succeeds. After ending the connection, it again tries to establish one.
--CONNECTOR_TLS_CERT=<path.crt> - it turns on the TLS security and sets the path to the file with a certificate in the .crt format.
--CONNECTOR_TLS_PK=<path.pem> - it turns on the TLS security and sets the path to the file with a private key to a certificate in the.pem format. Both TLS parameters have to be used together.

D2Connector establishes connection only in one way from eight possible combinations. This means that it either actively connects or listens but not both at the same time. Similarly, it communicates either in unsecured or secured way but never in both ways at the same time. Either it is connected to one Kernel all the time or it switches to current "hot" one. In the case that more various client applications connect to the D2000 application and these client applications require different methods of connecting, it is necessary to run an individual instance of D2Connector for each method.

Basic Connection Method

It is an unsecured connection initiated by JAPI.

We can start D2Connector without parameters and it will listen to connection on the 3120 port

> d2connector.exe

or we can change the listening port to for example 3121:

> d2connector.exe --CONNECTOR_LISTEN_PORT=3121

Establishing a Reverse Connection

It is an unsecured connection between D2Connector and the SmartWeb application located in the DMZ from which it cannot initiate the TCP connection. However, it can listen to upcoming TCP connection which will be initiated by D2Connector.

The client application is located on the computer portal.dmz.customer.com and listens on the 3125 port on all of its network interfaces. We run D2Connector in the mode of connecting:

> d2connector.exe --DCC=portal.dmz.customer.com:3125

Establishing a Secure Connection

It is a connection between D2Connector and JConnector secured by the TLS v1.2 protocol. The process is similar for standard and reverse connections. That is why the example encompasses both possibilities.

For establishing the TLS connection, it is necessary for one party to be in the role of the "TLS server" and the second party in the role of the "TLS client" while these roles are not dependent on who initiated the TCP connection. The "TLS server" shows a certificate to which it owns a personal key. The "TLS client" verifies the license validity and the key authenticity⁵. For JAPI, the vždy D2Connector a „TLS klient" vždy JConnector.

Predpokladom pre vytvorenie zabezpečeného spojenia je, že máme RSA kľúčový pár a k nemu X.509 certifikát. Certifikát je uložený v súbore vo formáte *.crt a musí mať k jeho kópii prístup aj D2Connector aj JConnector. Privátny kľúč je uložený v nešifrovanej forme v súbore vo formáte *.pem a prístup k nemu musí mať iba JConnector. Vzhľadom k tomu, že JConnector považuje D2Connector za dôveryhodný iba na základe toho, že sa preukázal rovnakým certifikátom, ako očakával, použitý certifikát môže byť „self-signed" a nie je vôbec potrebné získať certifikát od nejakej certifikačnej autority.

POZOR: Z bezpečnostného hľadiska je veľmi dôležité, aby bol súbor s certifikátom uložený tak, aby ho nikto bez príslušného oprávnenia nemohol zmeniť. (Na čítanie môže byť verejný.) Takisto je veľmi dôležité, aby súbor so súkromným kľúčom mohol prečítať iba D2Connector a nikto ho nemohol zmeniť. V prípade porušenia týchto podmienok hrozí kompromitácia dôveryhodnosti certifikátu a otvára sa možnosť odpočúvania zabezpečenej komunikácie.

D2Connector je potrebné spustiť s parametrami --CONNECTOR_TLS_CERT a --CONNECTOR_TLS_PK, ktoré odkazujú na súbory s certifikátom a súkromným kľúčom. V príklade je certifikát uložený v súbore certificate.crt a súkromný kľúč v súbore private.pem. Podľa potreby sa môže použiť aj parameter --DCC alebo --CONNECTOR_LISTEN_PORT.

> d2connector.exe --CONNECTOR_TLS_CERT=certificate.crt --CONNECTOR_TLS_PK=private.pem

Vytvorenie certifikátu pre účely zabezpečeného spojenia

Pre vytvorenie „self-signed" certifikátu je možné použiť napríklad aplikáciu OpenSSL z príkazového riadku. Najskôr musíme vytvoriť kľúčový pár pre RSA šifru. V príklade generujeme 2048 bitový kľúčový pár do súboru private.pem.

> openssl.exe genrsa -out private.pem 2048

Ku kľúčovému páru vytvoríme „Certificate Signing Request" žiadosť o vystavenie certifikátu, ktorá bude uložená v súbore request.csr. OpenSSL sa opýta na viaceré údaje, ktoré zapíše do žiadosti a ktoré budú vo výslednom certifikáte uvedené. JAPI však tieto údaje neskúma a nekontroluje.

> openssl.exe req -new -key private.pem -out request.csr

Následne podpíšeme žiadosť vygenerovaným súkromným kľúčom, čím z neho vytvoríme „selfsigned" certifikát, ktorý bude v súbore certificate.crt. Certifikát bude mať platnosť 365 dní počínajúc aktuálnym časom.

> openssl.exe x509 -req -days 365 -in request.csr -signkey private.pem -out certificate.crt