
Copyright years: 2017, 2020. Last updated: 2023-02-12


Configuring SSL and TLS encryption for SMS Gateway

You can secure connections between SMS Gateway, Voice Gateway, the SMS provider, and Watson Assistant using SSL and TLS encryption. For encrypted connections, you define a set of trusted certificate authorities (CAs), which are used to verify the identities of parties involved in the connection. Configuring SSL and TLS encryption for SMS Gateway requires that you generate keystore and truststore files, which you then mount on a Docker data volume and reference in the configuration.

The keystore secures inbound connections from the SMS provider: it holds the private key and the certificate that SMS Gateway presents when the provider connects. That certificate must be issued by a certificate authority (CA) that your SMS provider accepts; the certificate files you handle are typically .pem, .crt, .cer, or .cert files. Because SMS providers typically don't accept self-signed certificates, obtain a certificate from a well-known CA that is trusted by your SMS provider. For more information, see the security documentation for your SMS provider.

The truststore secures outbound connections to Watson Assistant and the SMS provider: it holds the CA certificates that SMS Gateway uses to verify the certificates those services present. To generate the truststore file, you need the CA certificates for Watson Assistant and your SMS provider. You can extract the certificate chain that Watson Assistant presents by using a tool such as OpenSSL.

You can create separate keystore and truststore files, or add all certificates in a single file.

Important: If you configured TLS for the XSLD caching server in a highly available environment, add the certificates for the SMS provider and Watson Assistant service to the same keystore and truststore files.

Creating the keystore and truststore

  1. On the command line, change to your SMS Gateway deployment directory.

  2. Generate the keystore file that holds the private key of SMS Gateway and its certificate, signed by a CA that the SMS provider trusts.

    1. Import the CA-signed certificate into the keystore by using the Java™ keytool command. Use the alias that already holds the key pair from which the certificate request was generated; if the alias is new, keytool stores the certificate as a trusted entry with no private key, which cannot secure inbound connections. In the following example, replace <keystore password> with the passphrase of the keystore.
    keytool -import -noprompt -trustcacerts -alias myAlias \
    -file mysigner.cert -keystore key.jks -storepass <keystore password>
    

    1. List the entries in the keystore to verify that the certificate was added as a PrivateKeyEntry.
    keytool -list -v -keystore key.jks
    

  3. Generate a truststore file that contains the CA certificates from Watson Assistant and the SMS provider.

    For truststore certificates, you might need to extract the signer certificate from the server.

    1. If needed, extract the signer certificate from the server. To extract the certificate, you can use a tool such as OpenSSL. The following command saves the first certificate that the server presents, which is its leaf certificate. Add -showcerts to capture the whole chain and take the issuing CA certificate from it, which keeps working when the leaf certificate is rotated; -servername is needed when the server selects its certificate by SNI.

    openssl s_client -connect host-address:port -servername host-address \
    </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mysigner.cert

  {:codeblock}
    1. Add the signer certificate to the truststore by using the Java™ `keytool` command. The following example generates a JKS truststore file.

    ```bash
    keytool -importcert \
        -file <CA certificate to trust> \
        -alias <alias for the certificate> \
        -keystore <name of the truststore> \
        -storepass <password for the truststore> \
        -storetype jks
    ```
  {:codeblock}

    1. List the certificates in the truststore to verify that every signer certificate you need is present.
    keytool -list -v -keystore <name of the truststore>

  4. Add the keystore and truststore files in your deployment configuration as described in the following sections.
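The procedure above lists the keytool and OpenSSL commands one at a time. The following shell script, added here as an example and not taken from the SMS Gateway documentation or product, ties them together: it generates the gateway's key pair and certificate request for the keystore, installs the CA-signed certificate when it arrives, and builds the truststore from the chain a server presents, splitting that chain because keytool imports only the first certificate in a file. It goes beyond the page by using -showcerts and -servername. The alias names, file names, the passphrase changeit, the host names and the sample s_client transcript are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not part of the SMS Gateway documentation): one script that
# covers both halves of the procedure above. It assumes a JDK keytool and
# openssl on PATH for the real steps; the alias names, file names, the
# passphrase "changeit" and host sms-gateway.example.com are placeholders
# chosen for this example.
set -eu

# Keystore: the gateway's own key pair plus a certificate request for the CA
# that the SMS provider trusts. The keystore must hold the private key, so it
# is not built from the provider's CA certificate alone.
make_keystore() {            # make_keystore <keystore.jks> <passphrase> <dns-name>
  keytool -genkeypair -alias smsgateway -keyalg RSA -keysize 2048 \
    -dname "CN=$3" -ext "SAN=dns:$3" -validity 365 \
    -keystore "$1" -storepass "$2" -keypass "$2" -storetype JKS
  keytool -certreq -alias smsgateway -file "${1%.jks}.csr" \
    -keystore "$1" -storepass "$2"
}

# When the signed certificate comes back, install the issuing CA first and
# then the certificate itself under the alias that owns the private key.
install_signed_cert() {      # install_signed_cert <keystore.jks> <passphrase> <ca.pem> <signed.pem>
  keytool -importcert -noprompt -trustcacerts -alias smsprovider-ca \
    -file "$3" -keystore "$1" -storepass "$2"
  keytool -importcert -noprompt -alias smsgateway \
    -file "$4" -keystore "$1" -storepass "$2"
}

# Truststore: split the chain a server presents into one file per certificate.
# keytool -importcert creates a trusted entry from the first certificate in a
# file only, so each chain member must be imported on its own. Reads stdin,
# writes <prefix>-N.pem and prints the number of certificates found.
split_pem_chain() {          # split_pem_chain <file-prefix>
  awk -v p="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
    out != ""                    { print > out }
    /-----END CERTIFICATE-----/  { close(out); out = "" }
    END                          { print n + 0 }'
}

# -servername sends SNI so a multi-hosted server returns the right chain;
# -showcerts returns the intermediates, not just the leaf.
fetch_chain() {              # fetch_chain <host> <port> <file-prefix>
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | split_pem_chain "$3"
}

# Import every split file as its own trusted entry. Trusting the issuing CA
# (usually the second file) survives leaf-certificate rotation; trusting only
# the leaf does not.
import_trusted() {           # import_trusted <truststore.jks> <passphrase> <file-prefix> <count>
  i=1
  while [ "$i" -le "$4" ]; do
    keytool -importcert -noprompt -trustcacerts -alias "$3-$i" \
      -file "$3-$i.pem" -keystore "$1" -storepass "$2" -storetype JKS
    i=$((i + 1))
  done
}

# Constructed stand-in for `openssl s_client -showcerts` output, with dummy
# payloads that are not real certificates, so the splitting runs offline.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = assistant.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFCERTIFICATEBASE64PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
ISSUINGCABASE64PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = assistant.example.com'

# Offline demonstration: prints 2 and writes assistant-1.pem and
# assistant-2.pem into a temporary directory.
printf '%s\n' "$SAMPLE_TRANSCRIPT" | split_pem_chain "$(mktemp -d)/assistant"

# Real run, once the CA has returned the signed certificate:
#   make_keystore key.jks changeit sms-gateway.example.com
#   install_signed_cert key.jks changeit provider-ca.pem smsgateway-signed.pem
#   n=$(fetch_chain assistant.example.com 443 wa) && import_trusted trust.jks changeit wa "$n"
#   keytool -list -v -keystore trust.jks -storepass changeit
```

Passing -storepass on the command line exposes the passphrase to other users through the process list; on a shared build host, drop the flag and let keytool prompt, or read it from a file with restricted permissions.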

Configuring store files on Docker

  1. In the SMS Gateway configuration, mount the files on a Docker volume. For more information about volumes, see the Docker documentation.

    In the following example, $PWD resolves to the current working directory, which is mounted at the /sslConf/ path in the container. Everything in that directory becomes visible inside the container, so keep only the store files there, or mount the individual store files instead, read-only where possible.

    volumes:
     - $PWD:/sslConf/
    

  2. For both the truststore and keystore, specify the file location, file type, and the corresponding passphrase in the following environment variables.

    If you generated the keystore and truststore in a single file, specify the same file in both sets of environment variables. The passphrases appear in plain text here, so restrict who can read the compose file, or supply them through a Compose env_file that is kept out of version control.

    environment:
    ...
    - SSL_TRUST_STORE_FILE=/sslConf/myTrustJKSFile.jks
    - SSL_TRUST_FILE_TYPE=JKS
    - SSL_TRUST_PASSPHRASE=myPassphrase
    
    - SSL_KEY_STORE_FILE=/sslConf/myKeyJKSFile.jks
    - SSL_KEY_FILE_TYPE=JKS
    - SSL_KEY_PASSPHRASE=myPassphrase
    
  {:codeblock}
  3. Redeploy SMS Gateway for your changes to take effect.