Nirvana C++ Client SSL Configuration

Nirvana fully supports SSL Encryption. This section describes how to use SSL in your Nirvana C++ client applications.

Once you have created an SSL enabled interface you will need certificates for the server and the client. The Nirvana download contains a generator that creates example Java key store files for use by the Nirvana server; these can also be converted to Privacy Enhanced Mail (.pem) format for use with a Nirvana C++ client.

Please refer to this guide to create your own client certificates. Remember that a Nirvana C++ client requires the certificate and key it is given to be in .pem format.

Running a Nirvana C++ Client

A client can be run anonymously, which means that any client can connect to the SSL enabled interface and subscribe to a channel over an encrypted connection without presenting a certificate. The server can also be run with client certificate validation so that only clients holding a trusted certificate can connect. To enable or disable client certificate validation, use the Nirvana Enterprise Manager: highlight the SSL enabled interface in the "Interface" tab for your realm, open the "Certificates" tab and check or uncheck the box labelled "Enable Client Cert Validation".

In order to run a client using SSL, the location of the key stores and the relevant passwords must be supplied to nConstants. This can be done either by setting the environment variables described below (the sample applications read them) or by calling the corresponding set methods defined in nConstants from the application code.

Different environment variables need to be set depending on whether client certificate validation is enabled:

With Client Certificate Validation

In this case, the client must hold a certificate with which it proves to the server that it can be trusted, and it must have a trust store with which it can verify that the server is trusted. The key store located at CERTPATH also contains the client's private key and therefore must be protected by a password. The following environment variables must therefore be set:

  • CERTPATH - The path to the client certificate and private key (.pem)
  • CERTPASS - The password protecting the client key store at CERTPATH
  • CAPATH - The path to the trust store (.pem) used to validate the server certificate

Without Client Certificate Validation

If client certificate validation has been disabled on the server then clients connect to the server anonymously. This means that clients do not need a certificate, so CERTPATH and CERTPASS do not need to be set. With the Nirvana C++ client, server-side validation is also non-strict in this mode: the client will not try to validate the server certificate, so it does not need a trust store and CAPATH does not need to be set. Note that the connection is still encrypted, but because the server certificate is not checked the client cannot detect a server presenting a certificate other than the real realm's; this mode is only appropriate where server impersonation is not a concern.
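The two cases above can be checked before the values are handed to nConstants. The following is an added example, not part of the Nirvana C++ client library or its samples: it reads CERTPATH, CERTPASS and CAPATH, inspects the referenced files for the PEM blocks each must contain (certificate plus private key in the key store, certificate in the trust store) and reports what is missing for the chosen validation mode. The function and type names (checkSslEnv, inspectPem, PemContents, envFromProcess) are this example's own, and the sample .pem contents used when trying it out are constructed placeholders.

```cpp
// Added example (not Nirvana client code): pre-connect check that the SSL
// environment variables match the server's client-certificate-validation
// setting. All names below are this example's own.
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Env = std::map<std::string, std::string>;

// What a PEM file actually contains, found by scanning for the standard
// "-----BEGIN ...-----" block headers rather than trusting the file name.
struct PemContents {
    bool readable = false;
    bool hasCertificate = false;
    bool hasPrivateKey = false;
};

PemContents inspectPem(const std::string& path) {
    PemContents c;
    std::ifstream in(path);
    if (!in) return c;                       // missing or unreadable file
    c.readable = true;
    std::string line;
    while (std::getline(in, line)) {
        if (line.rfind("-----BEGIN CERTIFICATE-----", 0) == 0)
            c.hasCertificate = true;
        // Matches "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY" and
        // "ENCRYPTED PRIVATE KEY" block headers.
        if (line.rfind("-----BEGIN ", 0) == 0 &&
            line.find("PRIVATE KEY-----") != std::string::npos)
            c.hasPrivateKey = true;
    }
    return c;
}

static std::string lookup(const Env& env, const char* key) {
    auto it = env.find(key);
    return it == env.end() ? std::string() : it->second;
}

// Returns the problems found; an empty vector means the variables are
// sufficient for the mode. clientCertValidation mirrors the realm's
// "Enable Client Cert Validation" setting.
std::vector<std::string> checkSslEnv(bool clientCertValidation, const Env& env) {
    std::vector<std::string> problems;
    if (!clientCertValidation)
        return problems;   // anonymous client: no key store, no trust store needed

    const std::string certPath = lookup(env, "CERTPATH");
    const std::string certPass = lookup(env, "CERTPASS");
    const std::string caPath   = lookup(env, "CAPATH");

    if (certPath.empty()) {
        problems.push_back("CERTPATH is not set");
    } else {
        PemContents ks = inspectPem(certPath);
        if (!ks.readable) {
            problems.push_back("CERTPATH is not readable: " + certPath);
        } else {
            if (!ks.hasCertificate) problems.push_back("CERTPATH has no CERTIFICATE block");
            if (!ks.hasPrivateKey)  problems.push_back("CERTPATH has no PRIVATE KEY block");
        }
    }
    if (certPass.empty())
        problems.push_back("CERTPASS is not set (the key store at CERTPATH is password protected)");
    if (caPath.empty()) {
        problems.push_back("CAPATH is not set");
    } else {
        PemContents ts = inspectPem(caPath);
        if (!ts.readable)            problems.push_back("CAPATH is not readable: " + caPath);
        else if (!ts.hasCertificate) problems.push_back("CAPATH has no CERTIFICATE block");
    }
    return problems;
}

// Collects the three variables from the process environment.
Env envFromProcess() {
    Env env;
    for (const char* k : {"CERTPATH", "CERTPASS", "CAPATH"})
        if (const char* v = std::getenv(k)) env[k] = v;
    return env;
}

// Usage: ./sslcheck            (server validates client certificates)
//        ./sslcheck --anonymous (client certificate validation disabled)
int main(int argc, char** argv) {
    bool validate = !(argc > 1 && std::string(argv[1]) == "--anonymous");
    std::vector<std::string> problems = checkSslEnv(validate, envFromProcess());
    for (const std::string& p : problems)
        std::cerr << "ssl config: " << p << '\n';
    return problems.empty() ? 0 : 1;
}
```

Run it with the same environment the client will start under; a non-zero exit means the client would either fail to load its key store or connect without the material the server expects.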

See the SSL Concepts section for more detailed information.