This section describes how to configure SSL traffic between the iFolder Web Admin server and other components. HTTPS (SSL) encrypts information transmitted over shared IP networks and the Internet. It helps protect your sensitive information from data interception or tampering.
In a default deployment, the iFolder server uses SSL 3.0 for secure communications between components as shown in the following table.
Table 11-6 SSL 3.0 for Secure Communication

iFolder Component | Enterprise Server | LDAP Server | Client | Web Browser
---|---|---|---|---
Web Admin Server | Yes | Yes | Yes | Yes
For more information about SSL 3.0, see Section 10.12.1, Using SSL for Secure Communications.
To restrict connections to SSL 3.0 and to ensure strong encryption, we strongly recommend the following configuration for the Apache server's SSL cipher suite settings.
Use only High and Medium security cipher suites (the default directive names RC4 with RSA key exchange explicitly).
Remove from consideration any ciphers that do not authenticate the server, such as Anonymous Diffie-Hellman (ADH) ciphers; a connection that accepts them can be silently intercepted.
Use SSL 3.0, and disable SSL 2.0.
Disable the Low, Export, and Null cipher suites.
Note that SSL 3.0 (RFC 7568) and RC4 (RFC 7465) have since been deprecated as insecure. On a current Apache and OpenSSL stack, allow only TLS through the SSLProtocol directive and restrict the cipher list to HIGH suites; the editing procedure below is otherwise the same.
To set these parameters, modify the OpenSSL cipher-list aliases in the SSLCipherSuite directive in the /etc/apache2/vhosts.d/vhost-ssl.conf file.
Stop the Apache server: At a terminal console, enter
/etc/init.d/apache2 stop
Open the /etc/apache2/vhosts.d/vhost-ssl.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
In the OpenSSL cipher-list syntax, a plus (+) in front of an alias only moves the matching ciphers to the end of the preference list without removing them, a minus (-) removes them but a later alias can add them back, and an exclamation point (!) removes them for the rest of the string. Change the plus (+) to a minus (-) in front of the ciphers you want to disable (or to ! if you want the exclusion to be unconditional) and make sure there is a ! (not) before ADH:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
Save your changes.
Start the Apache server: At a terminal console, enter
/etc/init.d/apache2 start
For more information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To on the Apache.org Web site.
By default, the Web browser is configured to communicate with the iFolder Web Admin server and the iFolder enterprise server via SSL. In a large-scale deployment where the Web Admin server is on a different machine than the iFolder enterprise server, SSL also secures the communications between the two servers.
Whether the Web Admin server and the iFolder enterprise server communicate over SSL is determined when you configure the Web Admin server. Specify https:// in the URL for the enterprise server for SSL (HTTPS) communications between the servers; traffic between the two servers is then encrypted. If you specify http:// in the URL, plain HTTP is used and the traffic between the servers is sent in the clear.
The setting is stored in the /usr/lib/simias/webAdmin/Web.config file under the following tag:
<add key="SimiasUrl" value="https://localhost" />
<add key="SimiasCert" value=<raw certificate data in base 64 encoding> />
If you disable SSL between the Web Admin server and the enterprise server while the two servers are on different machines, you must also disable the SSL requirement on the enterprise server itself. Because that enterprise setting also governs the traffic between the enterprise server and the iFolder clients, doing so sends all Web traffic between the servers and between the clients and the enterprise server in the clear.
IMPORTANT: Do not disable SSL on the Web Admin server if the servers are on different machines.
If the two servers are running on the same machine and you want to disable SSL, rerun the YaST configuration, and specify http://localhost as the URL for the enterprise server.
The SSL connection protects the data exchanged between the user's Web browser and the Web Admin server. For most deployments, this setting should not be changed, because iFolder uses HTTP Basic authentication, which only base64-encodes the credentials; without SSL, user names and passwords reach the server in the clear, and so does the iFolder data.
The following mod_rewrite directives enforce this behavior and are located in the /etc/apache2/conf.d/ifolder_web.conf file:
LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
To disable the requirement for SSL connections, comment out these Rewrite lines in the ifolder_web.conf file by placing a pound sign (#) at the beginning of each line. If any other configuration on the server relies on mod_rewrite, leave the LoadModule line in place and comment out only the three Rewrite directives.
WARNING: Without an SSL connection, traffic between a user's Web browser and the Web Admin server is not secure.
To disable the SSL requirement:
Stop the iFolder Web Admin services.
Edit the /etc/apache2/conf.d/ifolder_web.conf file to comment out the Rewrite command lines.
For example:
#LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
Start the iFolder Web Admin services.
For information, see Managing SSL Certificates for Apache.