14.5 Securing Web Access Server Communications

This section describes how to configure SSL traffic between the iFolder Web Access server and other components. HTTPS (SSL) encrypts information transmitted over shared IP networks and the Internet. It helps protect your sensitive information from data interception or tampering.

For information on how to configure SSL traffic on the iFolder enterprise server, see Section 10.12, Securing Enterprise Server Communications.

14.5.1 Using SSL for Secure Communications

In a default deployment, Web Access server for iFolder uses SSL 3.0 for secure communications between components as shown in the following table.

iFolder Component

Enterprise Server

LDAP Server

Client

Web Browser

Web Access Server

Yes

Yes

No

Yes

For more information about SSL 3.0, see Section 10.12.1, Using SSL for Secure Communications.

14.5.2 Configuring the SSL Cipher Suites and Protocol for the Apache Server

To ensure strong encryption, we strongly recommend the following configuration for the Apache server’s SSL cipher suite and protocol settings.

  • Use only High and Medium security cipher suites, such as RC4 and RSA.

  • Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.

  • Use TLS v1 and higher versions and disable SSL 2.0.

  • Disable the Low, Export, and Null cipher suites.

To set these parameters, modify the aliases in the OpenSSL ciphers command (the SSLCipherSuite directive) in the /etc/apache2/vhosts.d/vhost-ssl.conf file.

  1. Stop the Apache server: At a terminal console, enter

    /etc/init.d/apache2 stop
    
  2. Open the /etc/apache2/vhosts.d/vhost-ssl.conf file in a text editor and do the following:

    1. Locate the SSLCipherSuite directive in the Virtual Hosts section and modify the plus (+) to a minus (-) in front of the ciphers you want to disable and make sure there is a ! (not) before ADH:

      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
      
    2. Locate the SSLProtocol directive in the virtual hosts section and modify it include TLS v1:

      SSL Protocol TLSv1
      
  3. Save your changes.

  4. Start the Apache server: At a terminal console, enter

    /etc/init.d/apache2 start
    

For more information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To on the Apache.org Web site.

14.5.3 Configuring the Web Access Server for SSL Communications with the Enterprise Server

The setting is stored in the /opt/novell/ifolder3/lib/simias/webaccess/Web.config file under the following tag:

  <add   key="SimiasUrl" value="https://localhost"   />
  <add key="SimiasCert" value=<raw certificate data in base 64 encoding>   />

If you disable SSL between Web Access server and the enterprise server and if the two servers are on different machines, you must also disable the iFolder server SSL requirement. Because the enterprise SSL setting also controls the traffic between the enterprise server and the client, all Web traffic between servers and between the clients and the enterprise server would be insecure.

IMPORTANT:Do not disable SSL on the Web Access server if the two servers are on different machines.

If the two servers are running on the same machine and you want to disable SSL, rerun the configuration, and specify http://localhost as the URL for the enterprise server. By default, the Web Browser is configured to communicate with the iFolder Web Access server and the iFolder Enterprise server via SSL. iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. If the iFolder deployment is in large scale and the Web Access server is on a different machine than the iFolder enterprise server, an Administrator could reconfigure to enable SSL between the Web Access Server and the iFolder Enterprise Server, which would increase the security for communications between the two servers. This is a recommended setting

14.5.4 Configuring the Web Access Server for SSL Communications with Web Browsers

The iFolder 3.x Web Access server requires a secure connection between the user’s Web browser and the Web Access server. The SSL connection supports the secure exchange of data. For most deployments, this setting should not be changed because iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. Without SSL encryption, the iFolder data is also sent in the clear.

The following Rewrite parameters control this behavior and are located in the /etc/apache2/conf.d/ifolder_web.conf file:

LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]

To disable the requirement for SSL connections, you can comment out these Rewrite command lines in the ifolder_web.conf file. Placing a pound sign (#) at the beginning of each line renders it as a comment.

WARNING:Without an SSL connection, traffic between a user’s Web browser and the Web Access server is not secure.

To disable the SSL requirement:

  1. Stop the iFolder Web Access services.

  2. Edit the /etc/apache2/conf.d/ifolder_web.conf file to comment out the Rewrite command lines.

    For example:

    #LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
    
    #RewriteEngine On
    
    #RewriteCond %{HTTPS} !=on
    
    #RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
    
  3. Start the iFolder Web Access services.

14.5.5 Configuring an SSL Certificate for the Web Access Server

For information, see Managing SSL Certificates for Apache.