Configuring exchanges with SSL termination

In this section you create and configure the following Transfer CFT objects to enable Transfer CFT exchanges that use Secure Relay with SSL termination:

  • Network object CFTNET
  • Protocol object CFTPROT
  • Security object CFTSSL
  • Partner objects CFTPART and CFTTCP

Creating a CFTNET object

  1. Create a CFTNET object where:
    • TYPE=TCP
    • protocol=SR
  2. Define the mandatory parameters RECALLHOST and SSLTERM.
    • RECALLHOST: The host address on which the Master Agent calls Transfer CFT when Secure Relay receives an incoming call. If Transfer CFT and the Master Agent run on the same host, use the loopback network interface rather than the public network interface. When using Secure Relay, the HOST parameter designates the network interface that is used on the Router Agent side.
    • SSLTERM: Set this Boolean to YES to enable SSL termination.

  type = TCP,
  call = INOUT,
  class = 2,
  host = <network_interface_used_by_Router_Agent>,
  protocol = SR,
  recallhost = <network_interface_used_by_CFT>,
  sslterm = YES

Working in the Copilot UI

If you are working in the Copilot UI, the CFTNET dialog box also offers the required Secure Relay parameter options.

• Check the box Use Secure Relay to set the CFTNET PROTOCOL parameter to the value SR.

• Check the box Use SSL termination to set the CFTNET SSLTERM parameter to the value YES.

Creating a CFTPROT object

This section describes the CFTPROT object and how its parameters relate to enabling secure data transmission through Secure Relay.

  • CFTPROT is linked to the CFTNET object through the NET parameter.
  • The SAP parameter is the listening port that is used on the RA side (using the CFTNET HOST parameter as the network interface).
  • The CFTPROT SSL parameter refers to a CFTSSL object, in this case PESITSSL, which is used when Secure Relay performs SSL termination in server mode.


This example uses a CFTNET object called NETSRSSL.

  sap = 1762,
  prof = ANY

Creating a CFTSSL object

Create a CFTSSL object to supply Secure Relay with the details of how SSL termination is to be performed.

Secure Relay uses the following CFTSSL parameters: rootcid, usercid and its password (passw), the cipher suite list (ciphlist), the SSL version, and the client authentication policy (verify).

Secure Relay uses a restricted list of cipher suites: cipher suites '59', '60' and '61' are not supported.

SSL termination in Secure Relay is possible either with the internal PKI base (uconf:pki.type=cft) or with a PassPort PS PKI server (uconf:pki.type=passport).

When using the internal PKI base (uconf:pki.type=cft), rootcid and usercid correspond to certificates stored in the internal PKI base.

When using PassPort PS as the PKI server (uconf:pki.type=passport), rootcid and usercid correspond to the PassPort entities that hold the root certificate and the user certificate respectively.


Here the CFTSSL object is used for incoming connections (direct=server).

  version = TLSV1COMP,
  direct = SERVER,
  verify = NONE,
  usercid = AXWMFTUSER,
  rootcid = AXWMFTCA,
  ciphlist = (47),
  passw = <user_cid_password>


Here the CFTSSL object is used for outgoing connections (direct=client).

  version = TLSV1COMP,
  direct = CLIENT,
  rootcid = AXWMFTCA,
  ciphlist = (47)

Creating CFTPART and CFTTCP objects

A partner object that refers to a CFTPROT and a CFTNET configured for Secure Relay uses Secure Relay for both incoming and outgoing connections.

SSL termination is also applied to outgoing connections when the CFTNET object associated with the partner has its SSLTERM parameter set to YES. In this case the CFTSSL object used is, in order of priority, the one defined in the partner (SSL parameter) or, if that is empty, the CFTSSL object of type client that has the same name as the one defined in the CFTPROT object.

To complete the configuration, create a CFTPART object and a CFTTCP object. The CFTPART refers to the CFTPROT object, which in turn refers to the CFTNET object that points to Secure Relay.


This is an example of the CFTPART and CFTTCP objects configuration, using PESITSSL.

  prot = PESITSSL,
  sap = <remote_partner_sap>,
  nspart = NPARIS_SSL,

  class = 2, /* the same class as the one used in the CFTNET */
  host = <remote_partner_host_address>
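As an added example (not Transfer CFT or Axway code), the following Python checker applies the consistency rules this section states across the five objects: it parses CFTUTIL-style definitions and reports a CFTNET with PROTOCOL=SR that lacks RECALLHOST or SSLTERM, a RECALLHOST that reuses the Router Agent interface, an unsupported cipher suite, a server CFTSSL with VERIFY=NONE, a CFTPROT or partner without the matching server or client CFTSSL, and a CFTTCP class that differs from the CFTNET. The sample configuration is constructed; the partner id PARIS and the host values are assumptions.

```python
import re
# Constructed CFTUTIL-style sample built from the objects this page describes: partner id
# PARIS and hosts are assumed; CFTTCP CLASS and the client cipher list are deliberately wrong.
SAMPLE = """
CFTNET  id=NETSRSSL, type=TCP, call=INOUT, class=2, host=10.0.0.5,
        protocol=SR, recallhost=127.0.0.1, sslterm=YES
CFTPROT id=PESITSSL, net=NETSRSSL, sap=1762, ssl=PESITSSL, prof=ANY
CFTSSL  id=PESITSSL, version=TLSV1COMP, direct=SERVER, verify=NONE,
        usercid=AXWMFTUSER, rootcid=AXWMFTCA, ciphlist=(47), passw=secret
CFTSSL  id=PESITSSL, version=TLSV1COMP, direct=CLIENT, rootcid=AXWMFTCA, ciphlist=(47,60)
CFTPART id=PARIS, prot=PESITSSL, sap=1762, nspart=NPARIS_SSL
CFTTCP  id=PARIS, class=3, host=paris.example.net
"""
UNSUPPORTED_CIPHERS = {"59", "60", "61"}  # cipher suites Secure Relay does not support

def parse(text):  # -> [(object_type, {param: VALUE}), ...]
    objs = []
    for m in re.finditer(r"^(CFT\w+)\s+(.*?)(?=^CFT\w+\s|\Z)", text, re.M | re.S):
        pairs = re.findall(r"(\w+)\s*=\s*(\([^)]*\)|[^,\s]+)", m.group(2))
        objs.append((m.group(1), {k.lower(): v.upper() for k, v in pairs}))
    return objs

def check(text):  # apply the consistency rules stated on this page; return findings
    objs = parse(text)
    by = lambda typ, **w: [p for t, p in objs if t == typ and all(p.get(k) == v for k, v in w.items())]
    out = []
    for net in by("CFTNET", protocol="SR"):
        for k in ("recallhost", "sslterm"):  # mandatory once PROTOCOL=SR
            if k not in net:
                out.append(f"CFTNET {net['id']}: {k.upper()} is mandatory with PROTOCOL=SR")
        if net.get("recallhost") == net.get("host"):
            out.append(f"CFTNET {net['id']}: RECALLHOST equals HOST; use loopback when CFT and the Master Agent share a host")
    for ssl in by("CFTSSL"):
        bad = sorted(set(re.findall(r"\d+", ssl.get("ciphlist", ""))) & UNSUPPORTED_CIPHERS)
        if bad:
            out.append(f"CFTSSL {ssl['id']} ({ssl['direct']}): cipher suites {bad} are not supported by Secure Relay")
        if ssl.get("direct") == "SERVER" and ssl.get("verify") == "NONE":
            out.append(f"CFTSSL {ssl['id']} (SERVER): VERIFY=NONE, incoming partners are not certificate-authenticated")
    for prot in by("CFTPROT"):
        net = by("CFTNET", id=prot.get("net"))
        if net and net[0].get("sslterm") == "YES" and not by("CFTSSL", id=prot.get("ssl"), direct="SERVER"):
            out.append(f"CFTPROT {prot['id']}: SSLTERM=YES needs a server CFTSSL named {prot.get('ssl')}")
    for part in by("CFTPART"):
        prot, tcp = by("CFTPROT", id=part.get("prot")), by("CFTTCP", id=part["id"])
        net = by("CFTNET", id=prot[0].get("net")) if prot else []
        if net and net[0].get("sslterm") == "YES":
            cid = part.get("ssl") or prot[0].get("ssl")  # partner SSL first, else the CFTPROT one
            if not by("CFTSSL", id=cid, direct="CLIENT"):
                out.append(f"CFTPART {part['id']}: outgoing SSL termination needs a client CFTSSL named {cid}")
        if net and tcp and tcp[0].get("class") != net[0].get("class"):
            out.append(f"CFTTCP {part['id']}: CLASS must match CFTNET {net[0]['id']} (class {net[0].get('class')})")
    return out
```

Running check(SAMPLE) reports the VERIFY=NONE server policy, the unsupported cipher 60 on the client CFTSSL, and the CFTTCP class mismatch; correcting the last two leaves only the policy note.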
