...

The following steps are required to enable secure communication:


1. For the server, it is necessary to obtain/generate the encryption key and certificate. The certificate has to be distributed

...

to the client

...

processes.

The key and certificate can be generated, for example, using the openssl utility (https://slproweb.com/products/Win32OpenSSL.html).

...

 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Server\TLS_CertFile = c:\<path>\server.crt
 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Server\TLS_KeyFile = c:\<path>\server.key
 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Server\TLS_RequiredLevel = <level>

TLS_RequiredLevel: the security level <level> the kernel requires of a connecting client:

  • None - the kernel allows the client to connect both with and without secure communication
  • TLSNoPeerAuth - the kernel allows a connection only from a client that communicates securely (currently, no client certificate is used or verified)

3. Setting up TLS support in the registry for clients

 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Client\TLS_TrustedCerts = c:\<path>\server.crt
 HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<installation>\cfg_<application>\TLS_Client\TLS_RequiredLevel = <level>

...

TLS_RequiredLevel: the security level <level> required by the connecting client:

  • None - the client connects to the kernel whether or not the kernel supports secure communication
  • TLSNoPeerAuth - the client connects only to a kernel that supports secure communication (the kernel does not need to be verified by a certificate, i.e. its certificate is not compared with the TLS_TrustedCerts list)
  • TLSPeerAuth - the client connects only to a kernel that supports secure communication and whose certificate can be verified against a certificate in the TLS_TrustedCerts list

4. To use TLS, the client must also be started with the @<application_name> parameter in addition to the usual parameters (/S, /RD or /RF).

The reason is that the application name must be known before the client connects to the application server, so that the TLS parameters can be loaded from the registry (see point 3).
The alternative is to set the DefaultApplication parameter in the registry.
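As an added example (not part of the D2000 documentation or product), the following PowerShell script writes the server and client registry values from steps 2 and 3 after validating the <level> values the page lists and checking that the referenced files exist. It assumes the values are stored as REG_SZ strings and uses placeholder installation, application and path names.

```powershell
# Added example (not from the D2000 documentation): writes the TLS registry values
# from steps 2 and 3 after validating them. Assumes REG_SZ values and placeholder
# installation/application names and file paths (replace them with real ones).
$Installation = "MyInstallation"   # stands in for <installation>
$Application  = "MyApp"            # stands in for <application>
$Base = "HKLM:\SOFTWARE\Ipesoft\$Installation\cfg_$Application"

# Levels the page lists per side; the server side has no TLSPeerAuth because
# no client certificate is currently used or verified.
$ServerLevels = @("None", "TLSNoPeerAuth")
$ClientLevels = @("None", "TLSNoPeerAuth", "TLSPeerAuth")

function Set-D2000TlsServer {
    param([Parameter(Mandatory)][string]$CertFile,
          [Parameter(Mandatory)][string]$KeyFile,
          [Parameter(Mandatory)][string]$RequiredLevel)
    if ($ServerLevels -notcontains $RequiredLevel) {
        throw "TLS_Server\TLS_RequiredLevel must be one of: $($ServerLevels -join ', ')"
    }
    foreach ($f in @($CertFile, $KeyFile)) {
        if (-not (Test-Path -LiteralPath $f)) { throw "File not found: $f" }
    }
    $key = Join-Path $Base "TLS_Server"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name "TLS_CertFile"      -Value $CertFile      -Type String
    Set-ItemProperty -Path $key -Name "TLS_KeyFile"       -Value $KeyFile       -Type String
    Set-ItemProperty -Path $key -Name "TLS_RequiredLevel" -Value $RequiredLevel -Type String
}

function Set-D2000TlsClient {
    param([Parameter(Mandatory)][string]$TrustedCerts,
          [Parameter(Mandatory)][string]$RequiredLevel)
    if ($ClientLevels -notcontains $RequiredLevel) {
        throw "TLS_Client\TLS_RequiredLevel must be one of: $($ClientLevels -join ', ')"
    }
    # TLSPeerAuth can only succeed if the trusted-certificate file is present.
    if ($RequiredLevel -eq "TLSPeerAuth" -and -not (Test-Path -LiteralPath $TrustedCerts)) {
        throw "TLSPeerAuth requires an existing TLS_TrustedCerts file: $TrustedCerts"
    }
    $key = Join-Path $Base "TLS_Client"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name "TLS_TrustedCerts"  -Value $TrustedCerts  -Type String
    Set-ItemProperty -Path $key -Name "TLS_RequiredLevel" -Value $RequiredLevel -Type String
}

# Example: the kernel accepts only TLS clients; clients verify the kernel certificate.
Set-D2000TlsServer -CertFile "C:\D2000\tls\server.crt" -KeyFile "C:\D2000\tls\server.key" -RequiredLevel "TLSNoPeerAuth"
Set-D2000TlsClient -TrustedCerts "C:\D2000\tls\server.crt" -RequiredLevel "TLSPeerAuth"
```

Run it from an elevated PowerShell session, since HKEY_LOCAL_MACHINE is writable only by administrators; Get-ItemProperty on the two keys shows the values written.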

...

Change of keys and certificates

The D2000 Server reads the TLS configuration each time a client connects, so the configuration (including the certificate and private-key files) can be changed while the D2000 Server is running, without restarting it.

Related pages:

D2000 system processes
Start parameters of processes

...