KS-Soft. Network Management Solutions

SSL support for Web Service

 
rdol



Joined: 28 Apr 2002
Posts: 20

Posted: Fri May 28, 2004 2:08 am    Post subject: SSL support for Web Service

Hi Alex,
I tried to find this topic but it seems nobody needed it. Or it exists and I am absolutely blind.

Do you plan to support HTTPS access to the Web Service component? I have to abide by strictly defined network security policies. Unfortunately, HTTP plain text passwords do not correspond with them.

Regards

Radek
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Fri May 28, 2004 2:48 pm

You are right, nobody asked about this option before. You are 1st.
I have added this task to the "to do" list. But I don't think it will be implemented in the nearest versions.

Regards
Alex
JimmyKYA
Guest





Posted: Thu Oct 14, 2004 10:49 am    Post subject: SSL Support

SSL is a policy for any sites we host. Do you know when the update will be out? What can I do in the meantime?

Thanks,
Jimmy
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Thu Oct 14, 2004 8:36 pm

Web Service does not provide access to any confidential information; it displays just tests (statistics, some settings, no passwords). That's why the "SSL" task has "low" priority; it will probably be implemented in version 5.x.

Regards
Alex
plambrecht



Joined: 19 May 2004
Posts: 151
Location: Belgium

Posted: Fri Oct 15, 2004 1:02 am

Until HM supports https, you can use a reverse proxy server to secure your webserver...
Clients connect to the proxy in https, the proxy decrypts to http and sends the request to the HM webserver. The webserver responds in http to the proxy, and the proxy sends the answer back to the client in https...

There are several proxy servers that can do this:
MS ISA 2000/2004 http://www.microsoft.com.isa
Apache webserver http://www.apacheweek.com/features/reverseproxies
Sun™ ONE Proxy Server http://www.sun.com
Pound (linux&GPL) http://www.apsis.ch/pound/index_html
Squid (GPL) http://www.squid-cache.org/

Regards

Pieter
plambrecht



Joined: 19 May 2004
Posts: 151
Location: Belgium

Posted: Fri Oct 15, 2004 3:10 am

I just managed to get it up and running with free proxy software: DELEGATE
http://www.delegate.org/

Steps to take:
1. Download these files and copy them to c:\program files\delegate
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/delegate.zip (unzipped)
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/libeay32.dll
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/libeay32.lib
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/ssleay32.dll
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/ssleay32.lib
ftp://www.delegate.org/pub/DeleGate/bin/windows/latest/sslway/sslway.exe

2. Create PEM (certificate) files.
Download and install OpenSSL (temporary, can be removed afterwards)
http://www.slproweb.com/products/Win32OpenSSL.html
In the "openssl/etc" directory, create an openssl.cnf file with this content
Code:

#
# OpenSSL configuration file.
#

# Establish working directory.

dir               = .

[ ca ]
default_ca            = CA_default

[ CA_default ]
serial               = $dir/serial
database            = $dir/certindex.txt
new_certs_dir            = $dir/certs
certificate            = $dir/cacert.pem
private_key            = $dir/private/cakey.pem
default_days            = 365
default_md            = md5
preserve            = no
email_in_dn            = no
nameopt               = default_ca
certopt               = default_ca
policy               = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName         = match
organizationName         = match
organizationalUnitName         = optional
commonName            = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024         # Size of keys
default_keyfile            = key.pem      # name of generated keys
default_md            = md5            # message digest algorithm
string_mask            = nombstr      # permitted characters
distinguished_name         = req_distinguished_name
req_extensions            = v3_req

[ req_distinguished_name ]
# Variable name            Prompt string
#-------------------------     ----------------------------------
0.organizationName         = Companyname
organizationalUnitName      = Organisationname
emailAddress            = youremail@site.com
emailAddress_max         = 40
localityName            = City
stateOrProvinceName         = State or Province
countryName               = Country
countryName_min            = 2
countryName_max            = 2
commonName               = Commonname
commonName_max            = 64

# Default values for the above, for consistency and less typing.
# Variable name            Value
#------------------------     ------------------------------
0.organizationName_default      = Companyname
localityName_default         = City
stateOrProvinceName_default      = State or Province
countryName_default            = Country
organizationalUnitName_default   = Organisationname
emailAddress_default         = youremail@site.com
commonName_default            = Commonname

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier         = hash
authorityKeyIdentifier         = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier         = hash

Issue this command to create your PEM files:
openssl req -new -x509 -keyout server-key.pem -out server-cert.pem -days 365 -config ./openssl.cnf
Copy both PEM files to your delegate folder.
You can now delete/uninstall OpenSSL.
In the delegate folder, create a file called 'server-key.pas'. In this file, enter the passphrase you used to create your PEM files.

3. Install Delegate as a service by issuing this command:
delegated -P443 ADMIN=youremail@server.com FCL=sslway SERVER=https MOUNT="/* http://127.0.0.1/*"
If you are installing Delegate on another server than your HM server, replace the IP in http://127.0.0.1 with that of your HM server.

This will install delegate as a service. If you want to debug this, just add the -v option. Then it won't install the service, but run as an application.

It works great for me!

Pieter
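
Added example, not part of the original post and not code from DeleGate or OpenSSL: the configuration posted above sets default_md = md5 and default_bits = 1024, both considered too weak for certificates today, and defines no subjectAltName. The Python below audits an OpenSSL-style config for those three points; the function names and the sample excerpt are constructed for illustration, and the comment handling is simplified.

```python
import re

WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}  # not acceptable for certificate signatures
MIN_RSA_BITS = 2048

# Constructed excerpt that reuses the values from the configuration posted above.
SAMPLE_CNF = """\
dir = .
[ CA_default ]
default_md   = md5
[ req ]
default_bits    = 1024   # Size of keys
default_md      = md5    # message digest algorithm
req_extensions  = v3_req
[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
"""

def parse_cnf(text):
    """Parse OpenSSL-style config into {section: {key: value}} (simplified)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit_cnf(text):
    """Return sorted (section, key, value, reason) findings."""
    sections, findings = parse_cnf(text), []
    for name, items in sections.items():
        digest = items.get("default_md", "").lower()
        if digest in WEAK_DIGESTS:
            findings.append((name, "default_md", digest, "weak digest, use sha256"))
        bits = items.get("default_bits", "")
        if bits.isdigit() and int(bits) < MIN_RSA_BITS:
            findings.append((name, "default_bits", bits, "RSA key below 2048 bits"))
    req = sections.get("req", {})
    ext_sections = [req.get(k) for k in ("x509_extensions", "req_extensions")]
    if not any("subjectAltName" in sections.get(s, {}) for s in ext_sections if s):
        findings.append(("req", "subjectAltName", "", "no SAN; clients match host names on it"))
    return sorted(findings)

if __name__ == "__main__":
    for section, key, value, reason in audit_cnf(SAMPLE_CNF):
        print(f"[{section}] {key} = {value!r}: {reason}")
```

A config that sets default_bits = 2048, default_md = sha256 and a subjectAltName entry in the extension section referenced from [ req ] produces no findings.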
plambrecht



Joined: 19 May 2004
Posts: 151
Location: Belgium

Posted: Sat Oct 16, 2004 4:53 am

If you want one certificate warning less, then use the full name of your server as CommonName (e.g. monitor.site.com)

At the moment you cannot prevent access as HTTP.
Alex, maybe a good option to restrict access to the Webservice by IP address (like the RMA)

P.
kesitter



Joined: 22 Sep 2002
Posts: 4

Posted: Thu Apr 07, 2005 10:13 am

Hi Alex,

Any idea on when a secure connection to the Web Service might be available without using a reverse proxy as outlined in earlier posts?

Thanks,

Keith
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Thu Apr 07, 2005 11:43 am

Actually we plan to implement a GUI that will be able to work with a remotely installed monitor. All traffic will be encrypted.
This task has higher priority than SSL for Web Service.

Regards
Alex
y236796
Guest





Posted: Mon Jul 11, 2005 2:09 pm    Post subject: Digital certs

I too have to check URLs that require SSL certs.

Please add this to your list.

Thanks
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Mon Jul 11, 2005 3:17 pm

Quote:
I too have to check URLs that require SSL certs.


You may check such URLs. The URL test method supports the HTTPS protocol.

Regards
Alex
All times are GMT - 6 Hours