The D2000 system can be configured so that communication between the server and its clients takes place over a secure, encrypted channel. Security is implemented with Transport Layer Security (TLS v1.3).


The following steps are required to enable secure communication:


1. For the server, it is necessary to obtain/generate the encryption key and certificate. The certificate has to be distributed

...

to the client

...

processes.

The key and certificate can be generated, for example, using the openssl utility (https://slproweb.com/products/Win32OpenSSL.html).

...

 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Server\TLS_CertFile = c:\<path>\server.crt
 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Server\TLS_KeyFile = c:\<path>\server.key
 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Server\TLS_RequiredLevel = <level>

TLS_RequiredLevel: the security level <level> required of a connecting client:

  • None - the kernel allows a client to connect both without security and with security
  • TLSNoPeerAuth - the kernel allows a connection only from a client that communicates securely (currently, no client certificate is used or verified)

3. Setting up TLS support in the registry for clients

 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Client\TLS_TrustedCerts = c:\<path>\server.crt
 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Client\TLS_RequiredLevel = <level>

TLS_TrustedCerts: the path to the server certificate. It is also possible to enter multiple certificates separated by a semicolon (;). This is applicable for redundant systems or in a certificate exchange process when both an old and a new server certificate can be configured.

TLS_RequiredLevel: the security level <level> the client requires of the kernel it connects to:

  • None - the client connects to the kernel whether or not the kernel supports secure communication
  • TLSNoPeerAuth - the client connects only to a kernel that supports secure communication (but the kernel does not need to be verified by a certificate, i.e. its certificate is not compared with the TLS_TrustedCerts list)
  • TLSPeerAuth - the client connects only to a kernel that communicates securely and whose certificate can be verified against the certificates in the TLS_TrustedCerts list

4. To use TLS, the client must also start with

...

/C<application_name> parameter in addition to the usual parameters (/S, /RD or /RF)

The reason is that the client must know the application name before it connects to the application server, so that it can load the TLS parameters from the registry (see point 3).
The alternative is to set the DefaultApplication parameter in the registry.
Note: we recommend setting DefaultApplication in the registry, so that the /C<application_name> parameter does not have to be entered in every desktop shortcut or when starting applications manually.

A client connecting to the server via TLS writes lines like the following to its log. If certificate verification is also required and the certificate was verified successfully, the word VERIFIED appears in the log:

[2022-09-23 07:48:11.289]I CLIENT - Connecting to D2000 Server [localhost] TCP/IP|TLS...
[2022-09-23 07:48:11.348]I CLIENT - Connection established to D2000 Kernel V22.00.074 s380 [TCP/IP localhost:3119][TLSv1.3 VERIFIED]. ConnectionSqId = 1

The kernel accepting the client via TLS also writes this information in the log:

[2022-09-23 07:48:10.598]I BACKEND - RegistrateProces request from DispPC.HIP V22.00.074 s380 [TCP/IP 127.0.0.1:50481][TLSv1.3]. ClientName: DispPC.HIP
[2022-09-23 07:48:10.600]I SERVER - RegistrateProces OK. ClientName: DispPC.HIP Id: 7652 ComputerName: PC1PHUM1v SAS: 0
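The two log lines above are the only place where an operator can see, after the fact, whether a connection actually used TLS and whether the kernel certificate was VERIFIED against TLS_TrustedCerts. The following script, an added example that is not part of the D2000 documentation or product, parses the client-side "Connection established" line and the kernel-side "RegistrateProces request" line and reports every connection that falls short of a chosen TLS_RequiredLevel, using the None / TLSNoPeerAuth / TLSPeerAuth semantics from point 3. The two client lines and the first kernel line are copied from this page; the lines marked "constructed" are made up to show the failure cases (no TLS at all, and TLS without VERIFIED). The regular expressions assume the bracket layout shown on the page and nothing more.

```python
"""Audit D2000 client/kernel log lines against a TLS_RequiredLevel setting.

Added example, not part of the D2000 documentation. The log formats are taken
from the two client lines and the kernel line shown on the page; the lines
marked "constructed" below are made up for the demonstration.
"""
import re

# Client-side "Connection established" line. The transport sits in the first
# bracket pair; an optional second pair carries the TLS version and, when the
# kernel certificate matched TLS_TrustedCerts, the word VERIFIED.
CLIENT_RE = re.compile(
    r"Connection established to D2000 Kernel .*?\[(?P<transport>[^\]]+)\]"
    r"(?:\[(?P<tls>TLSv[\d.]+)(?P<verified> VERIFIED)?\])?"
)

# Kernel-side "RegistrateProces request" line. Same bracket layout, but the
# kernel does not verify client certificates, so there is never a VERIFIED marker.
KERNEL_RE = re.compile(
    r"RegistrateProces request from (?P<client>\S+) .*?\[(?P<transport>[^\]]+)\]"
    r"(?:\[(?P<tls>TLSv[\d.]+)\])?"
)

LEVELS = ("None", "TLSNoPeerAuth", "TLSPeerAuth")


def parse_line(line):
    """Return (side, client_name, tls_version, verified) for a connection line, else None."""
    m = CLIENT_RE.search(line)
    if m:
        return "client", None, m.group("tls"), m.group("verified") is not None
    m = KERNEL_RE.search(line)
    if m:
        return "kernel", m.group("client"), m.group("tls"), False
    return None


def meets_level(tls_version, verified, required_level):
    """Apply the TLS_RequiredLevel semantics from the page to one observed connection."""
    if required_level not in LEVELS:
        raise ValueError(f"unknown TLS_RequiredLevel: {required_level!r}")
    if required_level == "None":           # plain or TLS, both accepted
        return True
    if required_level == "TLSNoPeerAuth":  # TLS required, peer certificate not checked
        return tls_version is not None
    return tls_version is not None and verified  # TLSPeerAuth: TLS and VERIFIED


def audit(lines, required_level):
    """Return one finding per connection that falls short of required_level.

    Kernel-side lines carry no VERIFIED marker, so for them TLSPeerAuth is
    checked as TLSNoPeerAuth (TLS present or not).
    """
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        side, client, tls, verified = parsed
        level = "TLSNoPeerAuth" if side == "kernel" and required_level == "TLSPeerAuth" else required_level
        if not meets_level(tls, verified, level):
            reason = "no TLS" if tls is None else "TLS but kernel certificate not VERIFIED"
            findings.append({"side": side, "client": client, "tls": tls, "reason": reason})
    return findings


# Two client lines and one kernel line are copied from the page; the rest are constructed.
SAMPLE_LOG = [
    "[2022-09-23 07:48:11.289]I CLIENT - Connecting to D2000 Server [localhost] TCP/IP|TLS...",
    "[2022-09-23 07:48:11.348]I CLIENT - Connection established to D2000 Kernel V22.00.074 s380 [TCP/IP localhost:3119][TLSv1.3 VERIFIED]. ConnectionSqId = 1",
    # constructed: client connected without TLS
    "[2022-09-23 07:52:00.100]I CLIENT - Connection established to D2000 Kernel V22.00.074 s380 [TCP/IP localhost:3119]. ConnectionSqId = 2",
    # constructed: TLS negotiated but the kernel certificate was not verified
    "[2022-09-23 07:53:00.100]I CLIENT - Connection established to D2000 Kernel V22.00.074 s380 [TCP/IP localhost:3119][TLSv1.3]. ConnectionSqId = 3",
    "[2022-09-23 07:48:10.598]I BACKEND - RegistrateProces request from DispPC.HIP V22.00.074 s380 [TCP/IP 127.0.0.1:50481][TLSv1.3]. ClientName: DispPC.HIP",
    # constructed: kernel accepted a client without TLS
    "[2022-09-23 07:54:00.200]I BACKEND - RegistrateProces request from OpsPC.HIP V22.00.074 s380 [TCP/IP 127.0.0.1:50490]. ClientName: OpsPC.HIP",
    "[2022-09-23 07:48:10.600]I SERVER - RegistrateProces OK. ClientName: DispPC.HIP Id: 7652 ComputerName: PC1PHUM1v SAS: 0",
]

if __name__ == "__main__":
    for level in LEVELS:
        print(level, audit(SAMPLE_LOG, level))
```

Run against a real log file, this is a cheap way to confirm that a change of TLS_RequiredLevel on the clients has actually taken effect: with TLSPeerAuth configured everywhere, `audit(lines, "TLSPeerAuth")` should come back empty; any "no TLS" finding points at a client still running with None, and a "not VERIFIED" finding at a client whose TLS_TrustedCerts does not contain the current server certificate.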


Info: Change of keys and certificates

The D2000 Server reads the TLS configuration each time a client connects, so the D2000 Server configuration (including the files with the certificate and private key) can be changed while the D2000 Server is running, without restarting it.


Info: Blog

You can read the blog about setting up TLS:



Related pages:

D2000 system processes
Start parameters of processes

...