Manual SSL encryption

You can use SSL encryption for all requests to the PARTapplicationServer [17].

If the checkboxes HTTPS-Port and/or SSL-Service-Port are activated, the dialog area SSL is also activated.

  1. HTTPS-Port: File system service

  2. SSL-Service-Port: Mzcom service calls (index, DB, search)

For Source of certificate there is a choice of two options:

Make certificate available via Windows certificate store

After selecting Windows certificate store, you can select administratively provided certificates in the list field under Hostname.

You can also request new certificates, which are then also displayed in the list field under Hostname.

To do so, proceed as follows:

  1. Click on the link "certlm.msc".

    -> The local management page is opened on the client.

  2. Under "Personal", select the menu item "Certificates".

  3. On the right, open the context menu and, under "All Tasks", click the command "Request New Certificate...".

    -> The "Certificate Enrollment" Wizard is opened.

  4. Then, on the page "Active Directory Enrollment Policy", select a certificate and make sure that under "Details" -> "Application Policies" the entry "Server Authentication" is present.

    Certificate selection

    Application Policies -> Server Authentication
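
The check from step 4 can also be run from PowerShell against every certificate already in the Local Computer "Personal" store. The following is an added example, not part of the original CADENAS documentation; the Usable column and its criteria (Server Authentication present, private key available, within the validity period) are assumptions of this example.

```powershell
# Added example (not CADENAS code): audit the Local Computer "Personal" store,
# the same store that certlm.msc displays.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" usage
$sanOid        = '2.5.29.17'           # OID of the Subject Alternative Name extension
$now           = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # Render the alternate names (DNS names and IP addresses) as text.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    $serverAuth = $ekuOids -contains $serverAuthOid
    $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ServerAuth    = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey
        AltNames      = $san
        # Assumption of this example: all three conditions must hold.
        Usable        = $serverAuth -and $cert.HasPrivateKey -and $inValidity
    }
} | Sort-Object -Property Usable -Descending | Format-List
```

Compare the AltNames value of a usable certificate with the hostname that clients use to reach the server.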

Forbidden algorithms: Leave the default setting.

Make certificate available via file

You can make certificates available via file. These can be self-signed or official[18] certificates.

The following describes the creation and import of a self-signed certificate:

Create certificate on the AppServer

  1. In PARTadmin, select the category AppServer Service.

  2. Activate the checkboxes for HTTPS-Port and/or SSL-Service-Port. Normally the others are deactivated, which means that unencrypted access to the server is not possible.

    -> The dialog area SSL is activated.

  3. Dialog area SSL

    • Forbidden algorithms: Here you can exclude unwanted algorithms for the data transfer.

      Click on Change.... -> The dialog box Encryption algorithms is opened.

      Via Reset you can clear the input field Remove algorithms. Double-click a list entry to transfer it to the input field.

    • Certificate storage path: When clicking on Show... you can display the certificate (after generation).

    • Key storage path: When clicking on Show... you can display the key attributes and values (after generation).

    • Key type: Leave the setting on RSA. For self-signed certificates, only RSA is possible.

  4. Click on Create self signed certificate....

    The dialog box Generate certificate... is opened.

    • End date: Specify an expiration date for the certificate.

    • Alternate Names: Both DNS names and IP addresses can be allowed. Activate the checkbox next to each desired alternate name.

      By default, a certificate is issued to the CommonName. If, for example, several websites are hosted, a single certificate is sufficient when using Alternate Names. The client checks whether the hostname used corresponds to one of the alternate names.

    • Protect key with standard password:

      [Note] Note

      In the case of self-signed certificates, the key file must not be password-protected, because the server would ask for the password. However, you can store the key file in a location that only the server can access (possibly $CADENAS_USER). You can find this setting in the list field as an option.

      However, please note: the relevant $CADENAS_USER is the one seen by the service!

    • Write certificate to:

    • Write key to:

Import certificate on the client

  1. In PARTadmin, select the category AppServer client.

  2. Activate the checkbox Use SSL.

    -> HTTP port and Service port are deactivated and HTTPS-Port and SSL-Service-Port are activated.

    Tunnel services via web sockets (optional):

    You can use this option if you want to bind only one port or if you want to connect via an HTTP proxy (if websockets are possible).

    When this option is used, the input field for SSL-Service-Port is grayed out.

  3. Click on Import certificates from server.

    -> A corresponding message is displayed as confirmation.

A quick test to check that everything is working properly: Make sure that Use SSL is activated. Click on Show server state. If the certificate is properly stored on the client, the server state is displayed; otherwise an error message is displayed.

[17] SSL (Secure Sockets Layer) is a cryptographic protocol that provides communications security over a computer network.

[18] not part of the documentation