SSL support for Web Service

Need new test, action, option? Post request here.
rdol
Posts: 20
Joined: Sun Apr 28, 2002 6:00 pm

SSL support for Web Service

Post by rdol »

Hi Alex,
I tried to find this topic but it seems nobody needed it. Or it exists and I am absolutely blind.

Do you plan to support HTTPS access to the Web Service component? I have to abide by strictly defined network security policies. Unfortunately HTTP plain text passwords do not correspond with them.

Regards

Radek
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

You are right, nobody asked about this option before. You are 1st.
I have added this task into "to do" list. But I don't think it will be implemented in nearest versions.

Regards
Alex
JimmyKYA

SSL Support

Post by JimmyKYA »

SSL is a policy for any sites we host. Do you know when the update will be out? What can I do in the meantime?

Thanks,
Jimmy
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Web Service does not provide access to any confidential information; it displays just tests (statistics, some settings, no passwords). That's why the "SSL" task has "low" priority; it will probably be implemented in version 5.x.

Regards
Alex
plambrecht
Posts: 151
Joined: Wed May 19, 2004 8:11 am
Location: Belgium

Post by plambrecht »

Until HM supports https, you can use a reverse proxy server to secure your webserver...
Clients connect to the proxy in https, the proxy decrypts to http and sends the request to the HM webserver. The webserver responds in http to the proxy, and the proxy sends the answer back to the client in https...

There are several proxy servers that can do this:
MS ISA 2000/2004 http://www.microsoft.com.isa
Apache webserver http://www.apacheweek.com/features/reverseproxies
Sun™ ONE Proxy Server http://www.sun.com
Pound (linux&GPL) http://www.apsis.ch/pound/index_html
Squid (GPL) http://www.squid-cache.org/

Regards

Pieter
plambrecht
Posts: 151
Joined: Wed May 19, 2004 8:11 am
Location: Belgium

Post by plambrecht »

I just managed to get it up and running with free proxy software: DELEGATE
http://www.delegate.org/

Steps to take:
1. Download these files and copy them to c:\program files\delegate
ftp://www.delegate.org/pub/DeleGate/bin ... legate.zip (unzipped)
ftp://www.delegate.org/pub/DeleGate/bin ... beay32.dll
ftp://www.delegate.org/pub/DeleGate/bin ... beay32.lib
ftp://www.delegate.org/pub/DeleGate/bin ... leay32.dll
ftp://www.delegate.org/pub/DeleGate/bin ... leay32.lib
ftp://www.delegate.org/pub/DeleGate/bin ... sslway.exe

2. create PEM (certificate) files.
Download and install OpenSSL (temporary, can be removed afterwards)
http://www.slproweb.com/products/Win32OpenSSL.html
In the "openssl/etc" directory, create an openssl.cnf file with this content:

#
# OpenSSL configuration file.
#

# Establish working directory.

dir					= .

[ ca ]
default_ca				= CA_default

[ CA_default ]
serial					= $dir/serial
database				= $dir/certindex.txt
new_certs_dir				= $dir/certs
certificate				= $dir/cacert.pem
private_key				= $dir/private/cakey.pem
default_days				= 365
default_md				= md5
preserve				= no
email_in_dn				= no
nameopt					= default_ca
certopt					= default_ca
policy					= policy_match

[ policy_match ]
countryName				= match
stateOrProvinceName			= match
organizationName			= match
organizationalUnitName			= optional
commonName				= supplied
emailAddress				= optional

[ req ]
default_bits				= 1024			# Size of keys
default_keyfile				= key.pem		# name of generated keys
default_md				= md5				# message digest algorithm
string_mask				= nombstr		# permitted characters
distinguished_name			= req_distinguished_name
req_extensions				= v3_req

[ req_distinguished_name ]
# Variable name				Prompt string
#-------------------------	  ----------------------------------
0.organizationName			= Companyname
organizationalUnitName		= Organisationname
emailAddress				= youremail@site.com
emailAddress_max			= 40
localityName				= City
stateOrProvinceName			= State or Provence
countryName					= Country
countryName_min				= 2
countryName_max				= 2
commonName					= Commonname
commonName_max				= 64

# Default values for the above, for consistency and less typing.
# Variable name				Value
#------------------------	  ------------------------------
0.organizationName_default		= Companyname
localityName_default			= City
stateOrProvinceName_default		= State or Provence
countryName_default				= Country
organizationalUnitName_default	= Organisationname
emailAddress_default			= youremail@site.com
commonName_default				= Commonname

[ v3_ca ]
basicConstraints				= CA:TRUE
subjectKeyIdentifier			= hash
authorityKeyIdentifier			= keyid:always,issuer:always

[ v3_req ]
basicConstraints				= CA:FALSE
subjectKeyIdentifier			= hash

Issue this command to create your PEM files:
openssl req -new -x509 -keyout server-key.pem -out server-cert.pem -days 365 -config ./openssl.cnf
Copy both PEM files to your delegate folder.
You can now delete/uninstall OpenSSL.
In the delegate folder, create a file called 'server-key.pas'. In this file, enter the passphrase you used to create your PEM files.

3. Install Delegate as a service by issuing this command:
delegated -P443 ADMIN=youremail@server.com FCL=sslway SERVER=https MOUNT="/* http://127.0.0.1/*"
If you are installing Delegate on another server than your HM server, replace the IP in http://127.0.0.1 with that of your HM server.

This will install delegate as a service. If you want to debug this, just add the -v option; then it won't install the service, but run as an application.

It works great for me!

Pieter
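The two posts above describe the reverse-proxy setup (clients speak HTTPS to the proxy, the proxy speaks plain HTTP to the HM webserver) and note that the proxy may sit on another server than HM. Two gaps follow from that design: when the proxy and HM are on different hosts, the proxy-to-HM hop travels the network in clear text, and a proxy cannot stop anyone from talking to the HM HTTP port directly. The following is an added example, written for this page and not code from DeleGate or HostMonitor, that models the MOUNT rule from step 3 and reports those two gaps for a given deployment. The `backend_listen` parameter is an assumption: it stands for whatever bind addresses the HM Web Service is configured with.

```python
"""Deployment check for a TLS-terminating reverse proxy in front of a
plaintext HTTP service (added example; not DeleGate or HostMonitor code).

Models the thread's setup: clients -> HTTPS -> proxy -> HTTP -> backend,
configured with a DeleGate-style MOUNT rule such as "/* http://127.0.0.1/*".
"""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit


def _is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_mount(mount: str) -> Tuple[str, str]:
    """Split a MOUNT rule "<virtual-path> <backend-url>" into its two parts.

    Only the "/* http://host/*" shape used in the thread is handled: the
    trailing '*' wildcards are stripped, leaving a path prefix and a backend
    base URL.
    """
    vpath, backend = mount.split(None, 1)
    return vpath.rstrip("*"), backend.rstrip("*")


def check_deployment(mount: str, proxy_host: str, backend_listen: List[str]) -> List[str]:
    """Return human-readable findings for a proxy deployment.

    mount           MOUNT rule, e.g. "/* http://127.0.0.1/*"
    proxy_host      host name or IP the proxy process runs on
    backend_listen  addresses the backend HTTP service binds to (assumed to be
                    taken from the service's own configuration; "0.0.0.0" = all)
    """
    findings = []
    _, backend = parse_mount(mount)
    parts = urlsplit(backend)
    backend_host = parts.hostname or ""

    if parts.scheme == "http":
        # The proxy decrypts and forwards in clear. That only stays off the wire
        # when the backend is reached over loopback or is the proxy host itself.
        if not (_is_loopback(backend_host) or backend_host == proxy_host):
            findings.append(
                f"proxy-to-backend hop to {backend_host} is plaintext HTTP over the network"
            )

    # A proxy in front of a service does nothing to stop direct HTTP access to
    # the service's own port; that needs a loopback bind or a firewall rule.
    exposed = [addr for addr in backend_listen if not _is_loopback(addr)]
    if exposed:
        findings.append(
            "backend listens on " + ", ".join(exposed)
            + "; plain HTTP access bypassing the proxy is still possible"
            + " (bind to 127.0.0.1 or restrict the port by firewall)"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs: the thread's same-host setup, then a split setup.
    for rule, host, binds in [
        ("/* http://127.0.0.1/*", "hm-server", ["127.0.0.1"]),
        ("/* http://10.0.0.5/*", "proxy01", ["0.0.0.0"]),
    ]:
        print(rule, host, binds, "->", check_deployment(rule, host, binds) or ["ok"])
```

The same-host case with the backend bound to loopback comes back clean; the split-host, all-interfaces case produces both findings, which is exactly the situation a later post describes ("you cannot prevent access as HTTP").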
plambrecht
Posts: 151
Joined: Wed May 19, 2004 8:11 am
Location: Belgium

Post by plambrecht »

If you want one certificate warning less, then use the full name of your server as CommonName (eg: monitor.site.com)

At the moment you cannot prevent access as HTTP.
Alex, maybe a good option to restrict access to the Webservice by IP address (like the RMA)

P.
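The tip above works because a TLS client compares the host name it connected to against the names in the server certificate; a name mismatch is one of the warnings a self-signed certificate produces. The following added example, not part of the thread or of any product, implements that comparison as clients apply it: subjectAltName dNSName entries are checked first, and the subject CommonName is consulted only when the certificate carries no dNSName at all (current major browsers no longer fall back to the CommonName, so a certificate generated today should carry the full server name as a dNSName as well). The wildcard rule follows RFC 6125: a single leading `*` may stand in for exactly the leftmost label. All certificate names used below are constructed sample values.

```python
"""Host name check a TLS client applies to a server certificate
(added example; constructed inputs, no real certificates involved)."""
from typing import List, Optional


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name.

    Case-insensitive, trailing dots ignored. A wildcard is accepted only as the
    whole leftmost label of a pattern with at least three labels, and it covers
    exactly one label (so "*.site.com" matches "monitor.site.com" but not
    "a.b.site.com" and not "site.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: List[str], common_name: Optional[str]) -> bool:
    """True if `hostname` is acceptable for a certificate whose subjectAltName
    dNSName list is `san_dns` and whose subject CommonName is `common_name`.

    When any dNSName is present the CommonName is ignored, mirroring client
    behaviour; only a certificate with no dNSName at all falls back to the CN.
    """
    if san_dns:
        return any(_name_match(name, hostname) for name in san_dns)
    return common_name is not None and _name_match(common_name, hostname)


if __name__ == "__main__":
    # A certificate made from the thread's config defaults carries CN "Commonname";
    # one made with the server's full name carries CN "monitor.site.com".
    for cn in ("Commonname", "monitor.site.com"):
        print(f"CN={cn!r}: matches monitor.site.com ->", hostname_matches("monitor.site.com", [], cn))
    print("SAN *.site.com:", hostname_matches("monitor.site.com", ["*.site.com"], "Commonname"))
```

With the config's default CommonName the check fails and the client warns; with the server's full DNS name it passes, which is the warning the post says goes away.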
kesitter
Posts: 4
Joined: Sun Sep 22, 2002 6:00 pm

Post by kesitter »

Hi Alex,

Any idea on when a secure connection to the Web Service might be available without using a reverse proxy as outlined in earlier posts?

Thanks,

Keith
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Actually we plan to implement a GUI that will be able to work with a remotely installed monitor. All traffic will be encrypted.
This task has higher priority than SSL for Web Service.

Regards
Alex
y236796

Digital certs

Post by y236796 »

I too have to check URLs that require SSL certs.

Please add this to your list.

Thanks
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

I too have to check URLs that require SSL certs.
You may check such URLs. The URL test method supports the HTTPS protocol.

Regards
Alex