Encrypt Credentials with Diffie-Hellman
For secure transmission of sensitive credentials like passwords, encrypt credentials using the Diffie-Hellman key exchange algorithm. With Diffie-Hellman enabled, you can have your client authenticate its servers.
Enabling Diffie-Hellman
Set the security-client-dhalgo system property in the gfcpp.properties file to the name of a valid symmetric key cipher supported by the JDK.
Valid security-client-dhalgo property values are DESede, AES, and Blowfish, which enable the Diffie-Hellman algorithm with the specified cipher to encrypt the credentials.
security-client-dhalgo=Blowfish:128
For AES algorithms, you may need Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun or equivalent for your JDK.
Adding settings for Diffie-Hellman on clients also enables challenge response from server to client in addition to encryption of credentials using the exchanged key to avoid replay attacks from clients to servers. Clients can also enable authentication of servers, with challenge-response from client to server to avoid server-side replay attacks.
Client Authentication of Server
With Diffie-Hellman enabled, you can have your client authenticate its servers.
- Generate a .pem file for each pkcs12 keystore:
  - Enter this command from a pkcs12 file or a pkcs keystore:
    user@host: ~> openssl pkcs12 -nokeys -in <keystore/pkcs12 file> -out <outputfilename.pem>
  - Concatenate the generated .pem files into a single .pem file. You will use its name in the next step.
- In the gfcpp.properties file:
  - Set security-client-kspath to the name of the .pem file.
  - Set security-client-kspasswd to the password for the public key file store on the client.
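The following script is an added example and is not part of the GemFire documentation or the product's own tooling. It ties together both procedures on this page: it checks that a security-client-dhalgo value uses one of the three cipher names listed above (with an optional :keysize suffix such as Blowfish:128), exports each server keystore's certificate with the openssl command shown above, concatenates the results into a single .pem file, and writes the three client properties into gfcpp.properties. It assumes the openssl command-line tool is installed; the -passin option, the server names, the keystore password (changeit) and the file paths are constructed placeholders, and the demo keystores are throwaway self-signed certificates generated for illustration only.

```shell
#!/bin/sh
# Added example (not GemFire's own code): assemble the client-side settings for
# Diffie-Hellman credential encryption and client authentication of servers.

# Accept only the cipher names the documentation lists, optionally with a
# numeric :keysize suffix (e.g. Blowfish:128).
validate_dhalgo() {
    case "$1" in
        DESede|AES|Blowfish) return 0 ;;
        DESede:*|AES:*|Blowfish:*)
            size="${1#*:}"
            case "$size" in
                ''|*[!0-9]*) return 1 ;;   # suffix present but not a number
                *) return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Export the public certificate from one PKCS12 keystore as PEM.
# This is the documented openssl command; -passin is an assumption added so the
# export runs non-interactively.
export_pem() {  # args: keystore.p12 out.pem keystore-password
    openssl pkcs12 -nokeys -in "$1" -out "$2" -passin "pass:$3"
}

# Concatenate any number of PEM files into the single file the client reads.
concat_pems() {  # args: out.pem in1.pem [in2.pem ...]
    out="$1"; shift
    cat "$@" > "$out"
}

# Write the three properties described on this page into a gfcpp.properties file,
# refusing a cipher name the client would not accept.
write_gfcpp_properties() {  # args: properties-file dhalgo pem-path pem-password
    validate_dhalgo "$2" || { echo "invalid security-client-dhalgo: $2" >&2; return 1; }
    printf 'security-client-dhalgo=%s\nsecurity-client-kspath=%s\nsecurity-client-kspasswd=%s\n' \
        "$2" "$3" "$4" > "$1"
}

# End-to-end demonstration with constructed, throwaway keystores (run as: sh script.sh demo).
demo() {
    work=$(mktemp -d)
    for name in server1 server2; do
        # Constructed self-signed certificate per server, packaged as PKCS12.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$work/$name.key" -out "$work/$name.crt" 2>/dev/null
        openssl pkcs12 -export -in "$work/$name.crt" -inkey "$work/$name.key" \
            -out "$work/$name.p12" -passout pass:changeit
        export_pem "$work/$name.p12" "$work/$name.pem" changeit
    done
    concat_pems "$work/servers.pem" "$work/server1.pem" "$work/server2.pem"
    write_gfcpp_properties "$work/gfcpp.properties" Blowfish:128 "$work/servers.pem" changeit
    cat "$work/gfcpp.properties"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The cipher check is deliberately strict: a misspelled or unsupported value in security-client-dhalgo would leave the client unable to negotiate the exchanged key, so failing early at configuration time is cheaper than debugging a rejected connection later.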