This section describes how to configure SSL traffic between the iFolder Web Access server and other components. HTTPS (SSL) encrypts information transmitted over shared IP networks and the Internet. It helps protect your sensitive information from data interception or tampering.
Section 14.5.2, Configuring the SSL Cipher Suites and Protocol for the Apache Server
Section 14.5.3, Configuring the Web Access Server for SSL Communications with the Enterprise Server
Section 14.5.4, Configuring the Web Access Server for SSL Communications with Web Browsers
Section 14.5.5, Configuring an SSL Certificate for the Web Access Server
For information on how to configure SSL traffic on the iFolder enterprise server, see Section 10.12, Securing Enterprise Server Communications.
In a default deployment, the Web Access server for iFolder uses SSL 3.0 for secure communications between components, as shown in the following table.
| iFolder Component | Enterprise Server | LDAP Server | Client | Web Browser |
|---|---|---|---|---|
| Web Access Server | Yes | Yes | No | Yes |
For more information about SSL 3.0, see Section 10.12.1, Using SSL for Secure Communications.
To ensure strong encryption, we strongly recommend the following configuration for the Apache server’s SSL cipher suite and protocol settings.
Use only High and Medium security cipher suites, such as RC4 and RSA.
Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
Use TLS v1 and higher versions and disable SSL 2.0.
Disable the Low, Export, and Null cipher suites.
To set these parameters, modify the aliases in the OpenSSL ciphers command (the SSLCipherSuite directive) in the /etc/apache2/vhosts.d/vhost-ssl.conf file.
Stop the Apache server: At a terminal console, enter
/etc/init.d/apache2 stop
Open the /etc/apache2/vhosts.d/vhost-ssl.conf file in a text editor and do the following:
Locate the SSLCipherSuite directive in the Virtual Hosts section, change the plus sign (+) to a minus sign (-) in front of the ciphers you want to disable, and make sure there is a ! (not) before ADH:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
Locate the SSLProtocol directive in the Virtual Hosts section and modify it to include TLS v1:
SSLProtocol TLSv1
Save your changes.
Start the Apache server: At a terminal console, enter
/etc/init.d/apache2 start
For more information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To on the Apache.org Web site.
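The following script is an added example, not part of the iFolder documentation or the Apache project: a read-only audit that checks an SSL virtual-host file for the cipher-suite and protocol settings recommended above, so an administrator can confirm the edit took effect before restarting Apache. It assumes the Apache directive syntax shown in this section; the two vhost files it examines are constructed inline for the demonstration, and the path /etc/apache2/vhosts.d/vhost-ssl.conf from the procedure would be passed in their place on a real server.

```shell
#!/bin/sh
# Added example, not part of the iFolder documentation: a read-only audit of an
# Apache SSL virtual-host file against the cipher-suite and protocol
# recommendations above. The sample vhost files below are constructed here for
# the demonstration; run audit_ssl_vhost /etc/apache2/vhosts.d/vhost-ssl.conf
# to audit a real server.

# Print the value of the first active (uncommented) occurrence of a directive,
# with trailing whitespace and optional surrounding double quotes removed.
# Usage: directive_value FILE DIRECTIVE
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 when the vhost meets the recommendation, 1 otherwise, printing one
# line per finding so the output is readable in a terminal session.
audit_ssl_vhost() {
    file=$1
    ciphers=$(directive_value "$file" SSLCipherSuite)
    proto=$(directive_value "$file" SSLProtocol)
    status=0

    [ -n "$ciphers" ] || { echo "FAIL: no active SSLCipherSuite directive in $file"; return 1; }
    [ -n "$proto" ]   || { echo "FAIL: no active SSLProtocol directive in $file"; return 1; }

    # Every weak family must be removed (-FAMILY) or forbidden (!FAMILY) in the
    # cipher string; the recommended string in this section does so for all five.
    for weak in ADH LOW EXP eNULL SSLv2; do
        case ":$ciphers:" in
            *":!$weak:"*|*":-$weak:"*) ;;
            *) echo "FAIL: cipher family $weak is not excluded by SSLCipherSuite"; status=1 ;;
        esac
    done

    # SSLProtocol must offer TLSv1 (or 'all') and must not enable SSLv2.
    case " $proto " in
        *" SSLv2 "*|*" +SSLv2 "*) echo "FAIL: SSLProtocol enables SSLv2"; status=1 ;;
    esac
    case " $proto " in
        *" TLSv1"*|*" +TLSv1"*|*" all "*|*" All "*|*" ALL "*) ;;
        *) echo "FAIL: SSLProtocol does not include TLSv1"; status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "PASS: $file"
    return "$status"
}

# Constructed sample vhost files (not real iFolder configuration).
GOOD_VHOST=$(mktemp)
BAD_VHOST=$(mktemp)
trap 'rm -f "$GOOD_VHOST" "$BAD_VHOST"' EXIT
cat > "$GOOD_VHOST" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    # SSLCipherSuite ALL:+LOW     (old value, commented out, must be ignored)
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
    SSLProtocol TLSv1
</VirtualHost>
EOF
cat > "$BAD_VHOST" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:+HIGH:+MEDIUM:+LOW
    SSLProtocol SSLv2 SSLv3 TLSv1
</VirtualHost>
EOF

audit_ssl_vhost "$GOOD_VHOST"
audit_ssl_vhost "$BAD_VHOST" || echo "(weak sample rejected, as intended)"
```

The audit deliberately ignores commented-out directives, so a stale `# SSLCipherSuite` line left in the file does not produce a false pass; it also only inspects the file and never restarts Apache, so it can be run between the stop and start steps of the procedure.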
The setting is stored in the /opt/novell/ifolder3/lib/simias/webaccess/Web.config file under the following keys:
<add key="SimiasUrl" value="https://localhost" />
<add key="SimiasCert" value="<raw certificate data in base64 encoding>" />
If you disable SSL between Web Access server and the enterprise server and if the two servers are on different machines, you must also disable the iFolder server SSL requirement. Because the enterprise SSL setting also controls the traffic between the enterprise server and the client, all Web traffic between servers and between the clients and the enterprise server would be insecure.
IMPORTANT: Do not disable SSL on the Web Access server if the two servers are on different machines.
If the two servers are running on the same machine and you want to disable SSL, rerun the configuration and specify http://localhost as the URL for the enterprise server.
By default, the Web browser is configured to communicate with the iFolder Web Access server and the iFolder enterprise server via SSL. iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. If the iFolder deployment is large and the Web Access server is on a different machine than the iFolder enterprise server, an administrator can reconfigure the deployment to enable SSL between the Web Access server and the iFolder enterprise server, which increases the security of communications between the two servers. This is the recommended setting.
The iFolder 3.x Web Access server requires a secure connection between the user’s Web browser and the Web Access server. The SSL connection supports the secure exchange of data. For most deployments, this setting should not be changed because iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. Without SSL encryption, the iFolder data is also sent in the clear.
The following Rewrite parameters control this behavior and are located in the /etc/apache2/conf.d/ifolder_web.conf file:
LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
To disable the requirement for SSL connections, you can comment out these Rewrite command lines in the ifolder_web.conf file. Placing a pound sign (#) at the beginning of each line renders it as a comment.
WARNING: Without an SSL connection, traffic between a user’s Web browser and the Web Access server is not secure.
To disable the SSL requirement:
Stop the iFolder Web Access services.
Edit the /etc/apache2/conf.d/ifolder_web.conf file to comment out the Rewrite command lines.
For example:
#LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
Start the iFolder Web Access services.
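The following script is an added example, not part of the iFolder documentation: it applies the two rules stated in Sections 14.5.3 and 14.5.4 as read-only checks, so that an administrator can verify that the enterprise-server URL in Web.config still uses SSL (or, for a same-machine deployment, http://localhost) and that the four Rewrite lines in ifolder_web.conf are still active rather than commented out. The Web.config and ifolder_web.conf fragments it reads are constructed inline for the demonstration, and the host name ifolder.example.com and the certificate value are placeholders; on a real server the functions would be pointed at the files under /opt/novell/ifolder3 and /etc/apache2/conf.d named in this section.

```shell
#!/bin/sh
# Added example, not part of the iFolder documentation: read-only checks for
# the two settings discussed in Sections 14.5.3 and 14.5.4. The Web.config and
# ifolder_web.conf samples below are constructed for the demonstration.

# Print the SimiasUrl value from a Web.config file (empty if not found).
simias_url() {
    sed -n 's/.*<add key="SimiasUrl" value="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Rule from Section 14.5.3: the enterprise server must be reached over https://,
# except that plain http://localhost is acceptable when both servers run on the
# same machine. Returns 0 if acceptable, 1 otherwise.
check_simias_url() {
    url=$(simias_url "$1")
    case "$url" in
        https://*)
            echo "ok: enterprise server reached over SSL ($url)"; return 0 ;;
        http://localhost|http://localhost:*|http://localhost/*)
            echo "ok: plain HTTP, but only to localhost (same-machine deployment)"; return 0 ;;
        http://*)
            echo "FAIL: plain HTTP to a remote enterprise server ($url)"; return 1 ;;
        *)
            echo "FAIL: no SimiasUrl found in $1"; return 1 ;;
    esac
}

# Rule from Section 14.5.4: all four Rewrite lines must be present and not
# commented out, otherwise browsers are no longer redirected to HTTPS.
rewrite_enforced() {
    file=$1
    for pat in 'LoadModule[[:space:]]\{1,\}rewrite_module' \
               'RewriteEngine[[:space:]]\{1,\}On' \
               'RewriteCond[[:space:]]\{1,\}%{HTTPS}[[:space:]]\{1,\}!=on' \
               'RewriteRule[[:space:]]\{1,\}\^/ifolder/'; do
        if ! grep -q "^[[:space:]]*$pat" "$file"; then
            echo "FAIL: missing or commented out in $file: $pat"
            return 1
        fi
    done
    echo "ok: HTTPS redirect is enforced by $file"
    return 0
}

# Constructed sample files (not real iFolder configuration).
WEBCONF_HTTPS=$(mktemp); WEBCONF_LOCAL=$(mktemp); WEBCONF_REMOTE=$(mktemp)
REWRITE_ON=$(mktemp); REWRITE_OFF=$(mktemp)
trap 'rm -f "$WEBCONF_HTTPS" "$WEBCONF_LOCAL" "$WEBCONF_REMOTE" "$REWRITE_ON" "$REWRITE_OFF"' EXIT

# Write a minimal Web.config fragment; the certificate value is a placeholder.
# Usage: make_webconfig FILE URL
make_webconfig() {
    cat > "$1" <<EOF
<configuration>
  <appSettings>
    <add key="SimiasUrl" value="$2" />
    <add key="SimiasCert" value="PLACEHOLDER-BASE64-CERTIFICATE" />
  </appSettings>
</configuration>
EOF
}
make_webconfig "$WEBCONF_HTTPS"  "https://ifolder.example.com"
make_webconfig "$WEBCONF_LOCAL"  "http://localhost"
make_webconfig "$WEBCONF_REMOTE" "http://ifolder.example.com"

# The Rewrite block from ifolder_web.conf, once active and once commented out.
cat > "$REWRITE_ON" <<'EOF'
LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
EOF
sed 's/^/#/' "$REWRITE_ON" > "$REWRITE_OFF"

for f in "$WEBCONF_HTTPS" "$WEBCONF_LOCAL" "$WEBCONF_REMOTE"; do check_simias_url "$f"; done
rewrite_enforced "$REWRITE_ON"
rewrite_enforced "$REWRITE_OFF" || echo "(commented-out sample rejected, as intended)"
```

Because the checks only read the files, they can be run after the Web Access services are started to confirm that a change was applied, and they fail exactly in the two situations this section warns about: an http:// enterprise-server URL that points anywhere other than localhost, and a Rewrite block that has been commented out.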
For more information, see Managing SSL Certificates for Apache.