powered by CADENAS

Manual

Manual

4.5.7.3. SSL encryption

You can use SSL encryption for all requests to the PARTapplicationServer [69].

  1. File system service (access via HTTPS-Port)

  2. Mzcom service calls (index, DB, search) (access via SSL-Service-Port)

Self signed or official[70] certificates can be used.

In the following the creation and the import of a self signed certificate is described:

Create certificate on the AppServer

  1. In PARTadmin, select the category AppServer Service.

  2. Activate the checkboxes for HTTPS-Port and/or SSL-Service-Port. Normally the others are deactivated. That means, unencrypted access to the server is not possible.

    -> The dialog area SSL is activated.

  3. Dialog area SSL

    • Forbidden algorithms: Here you can exclude unwanted algorithms for the data transfer.

      Click on Change.... -> The dialog box Encryption algorithms is opened.

      Via Reset you can clear the input field Remove algorithms. With a double-click on a list entry you can overtake it into the input field.

    • Certificate storage path : When clicking on Show... you can display the certificate (after generation).

    • Key storage path: When clicking on Show... you can display the key attributes and values (after generation).

    • Key type: Leave the setting on RSA. For self signed certificates, only RSA is possible.

  4. Click on Create self signed certificate....

    The dialog box Generate certificate... is opened.

    • End date: Specify an expiration date for the certificate.

    • Alternate Names: Both DNS names and IP addresses can be allowed. At the desired alternate names, activate the checkbox.

      By default, a certificate is issued to the CommonName. If, for example, several websites are hosted, only one certificate is sufficient when using Alternate Names. The client will check whether the used hostname corresponds to one of the alternate names.

    • Protect key with standard password:

      [Note] Note

      In the case of self signed certificates the key file may not contain a password, because the server would ask for it. However, you can store the key file at a place where only the server can access (possibly $CADENAS_USER). You can find this setting in the list field as an option.

      However, please note: $CADENAS_USER seen by the service is the relevant one!

    • Write certificate to:

    • Write key to:

Import certificate on the client

  1. In PARTadmin, select the category AppServer client.

  2. Activate the checkbox Use SSL.

    -> HTTP port and Service port are deactivated and HTTPS-Port and SSL-Service-Port are activated.

    Tunnel services via web sockets (optionally):

    You can use this option, if you want to bind only one port or if you want to connect via HTTP proxy (if websockets are possible).

    When using this option the input field for SSL-Service-Port grayed out.

  3. Click on Import certificates from server.

    -> As a confirmation a respective message is displayed.

Little testing if everything is working properly: Make sure that Use SSL is activated. Click on Show server state. If the certificate is properly stored on the client, the server state is displayed, otherwise an error message is displayed.



[69] SSL (Secure Sockets Layer ) is a cryptographic protocol that provides communications security over a computer network.

[70] not part of the documentation