rdol
Joined: 28 Apr 2002 Posts: 20
Posted: Fri May 28, 2004 2:08 am Post subject: SSL support for Web Service
Hi Alex,
I tried to find this topic but it seems nobody needed it. Or it exists and I am absolutely blind.
Do you plan to support HTTPS access to the Web Service component? I have to abide by strictly defined network security policies. Unfortunately HTTP plain text passwords do not correspond with them.
Regards
Radek
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Fri May 28, 2004 2:48 pm
You are right, nobody asked about this option before. You are 1st.
I have added this task to the "to do" list. But I don't think it will be implemented in the nearest versions.
Regards
Alex
JimmyKYA Guest
Posted: Thu Oct 14, 2004 10:49 am Post subject: SSL Support
SSL is a policy for any sites we host. Do you know when the update will be out? What can I do in the meantime?
Thanks,
Jimmy
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Thu Oct 14, 2004 8:36 pm
Web Service does not provide access to any confidential information, it displays just tests (statistics, some settings, no passwords). That's why "SSL" task has "low" priority, probably will be implemented in version 5.x.
Regards
Alex
plambrecht
Joined: 19 May 2004 Posts: 151 Location: Belgium
Posted: Fri Oct 15, 2004 3:10 am
I just managed to get it up and running with free proxy software: DELEGATE
http://www.delegate.org/
Steps to take:
1. Download these files and copy them to c:\program files\delegate
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/delegate.zip (unzipped)
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/libeay32.dll
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/libeay32.lib
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/ssleay32.dll
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/ssleay32.lib
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/sslway.exe
2. Create PEM (certificate) files.
Download and install OpenSSL (temporary, can be removed afterwards)
http://www.slproweb.com/products/Win32OpenSSL.html
In the "openssl/etc" directory, create an openssl.cnf file with this content
Code:
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Companyname
organizationalUnitName = Organisationname
emailAddress = youremail@site.com
emailAddress_max = 40
localityName = City
stateOrProvinceName = State or Provence
countryName = Country
countryName_min = 2
countryName_max = 2
commonName = Commonname
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = Companyname
localityName_default = City
stateOrProvinceName_default = State or Provence
countryName_default = Country
organizationalUnitName_default = Organisationname
emailAddress_default = youremail@site.com
commonName_default = Commonname
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
Issue this command to create your PEM files:
openssl req -new -x509 -keyout server-key.pem -out server-cert.pem -days 365 -config ./openssl.cnf
Copy both PEM files to your delegate folder.
You can now delete/uninstall OpenSSL.
In the delegate folder, create a file called 'server-key.pas'. In this file, enter the passphrase you used to create your PEM files.
3. Install Delegate as a service by issuing this command:
delegated -P443 ADMIN=youremail@server.com FCL=sslway SERVER=https MOUNT="/* http://127.0.0.1/*"
If you are installing Delegate on another server than your HM server, replace in http://127.0.0.1 the IP with that of your HM server.
This will install Delegate as a service. If you want to debug this, just add the -v option. Then it won't install the service, but run as an application.
It works great for me!
Pieter
plambrecht
Joined: 19 May 2004 Posts: 151 Location: Belgium
Posted: Sat Oct 16, 2004 4:53 am
If you want one certificate warning less, then use the full name of your server as CommonName (e.g. monitor.site.com)
At the moment you cannot prevent access as HTTP.
Alex, maybe a good option to restrict access to the Webservice by IP address (like the RMA)
P.
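The openssl.cnf posted above sets default_md = md5 and default_bits = 1024, and the follow-up post relies on CommonName alone for host matching. The Python check below is an added example, not code from the thread's authors or from OpenSSL; it audits a constructed excerpt of that config, and the weak-digest list and 2048-bit minimum are assumptions.

```python
import configparser

# Constructed excerpt carrying the values from the openssl.cnf posted above.
POSTED_CNF = """\
dir = .
[ CA_default ]
default_md = md5
[ req ]
default_bits = 1024 # Size of keys
default_md = md5 # message digest algorithm
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
"""

WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}  # assumption: digests to reject
MIN_RSA_BITS = 2048                           # assumption: minimum RSA key size


def parse_cnf(text):
    """Parse OpenSSL-style config; keys before the first section go to [default]."""
    cp = configparser.ConfigParser(
        interpolation=None, inline_comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # OpenSSL keys are case-sensitive
    cp.read_string("[default]\n" + text)
    return {name.strip(): dict(cp[name]) for name in cp.sections()}


def audit(text):
    """Return (section, key, problem) tuples for weak certificate settings."""
    cfg, findings = parse_cnf(text), []
    for section, opts in cfg.items():
        md = opts.get("default_md", "").lower()
        if md in WEAK_DIGESTS:
            findings.append((section, "default_md", f"weak digest {md}, use sha256"))
        bits = opts.get("default_bits", "")
        if bits.isdigit() and int(bits) < MIN_RSA_BITS:
            findings.append((section, "default_bits", f"{bits}-bit key, use {MIN_RSA_BITS}+"))
    req = cfg.get("req", {})
    for ext in filter(None, (req.get("x509_extensions"), req.get("req_extensions"))):
        if "subjectAltName" not in cfg.get(ext, {}):
            findings.append((ext, "subjectAltName", "missing, clients match host names on it"))
    return findings


if __name__ == "__main__":
    for section, key, problem in audit(POSTED_CNF):
        print(f"[{section}] {key}: {problem}")
```

For the self-signed command in the post (openssl req -new -x509), OpenSSL reads certificate extensions from the section named by x509_extensions, so a subjectAltName line belongs there.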
kesitter
Joined: 22 Sep 2002 Posts: 4
Posted: Thu Apr 07, 2005 10:13 am
Hi Alex,
Any idea on when secure connection to the Web Service might be available without using a reverse proxy as outlined in earlier posts?
Thanks,
Keith
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Thu Apr 07, 2005 11:43 am
Actually we plan to implement a GUI that will be able to work with a remotely installed monitor. All traffic will be encrypted.
This task has higher priority than SSL for Web Service.
Regards
Alex
y236796 Guest
Posted: Mon Jul 11, 2005 2:09 pm Post subject: Digital certs
I too have to check URLs that require SSL certs.
Please add this to your list.
Thanks
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Mon Jul 11, 2005 3:17 pm
Quote: I too have to check URLs that require SSL certs.
You may check such URLs. The URL test method supports the HTTPS protocol.
Regards
Alex