11.6 Securing Web Admin Server Communications

This section describes how to configure SSL traffic between the iFolder Web Admin server and other components. HTTPS (SSL) encrypts information transmitted over shared IP networks and the Internet. It helps protect your sensitive information from data interception or tampering.

11.6.1 Using SSL for Secure Communications

In a default deployment, the iFolder server uses SSL 3.0 for secure communications between components as shown in the following table.

Table 11-6 SSL 3.0 for Secure Communication

  iFolder Component    Enterprise Server    LDAP Server    Client    Web Browser
  Web Admin Server     Yes                  Yes            Yes       Yes

For more information about SSL 3.0, see Section 10.12.1, Using SSL for Secure Communications.

11.6.2 Configuring the SSL Cipher Suites for the Apache Server

To restrict connections to SSL 3.0 and to ensure strong encryption, we strongly recommend the following configuration for the Apache server’s SSL cipher suite settings.

  • Use only High and Medium security cipher suites, such as RC4 and RSA.

  • Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.

  • Use SSL 3.0, and disable SSL 2.0.

  • Disable the Low, Export, and Null cipher suites.

To set these parameters, modify the aliases in the OpenSSL ciphers command (the SSLCipherSuite directive) in the /etc/apache2/vhosts.d/vhost-ssl.conf file.

  1. Stop the Apache server: At a terminal console, enter

    /etc/init.d/apache2 stop
    
  2. Open the /etc/apache2/vhosts.d/vhost-ssl.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:

    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    
  3. Change the plus (+) to a minus (-) in front of the ciphers you want to disable, and make sure there is a ! (not) before ADH:

    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
    
  4. Save your changes.

  5. Start the Apache server: At a terminal console, enter

    /etc/init.d/apache2 start
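To check a cipher string against the four rules above before restarting Apache, here is an added Python example (not part of the iFolder documentation) that parses the OpenSSL cipher-list syntax used by SSLCipherSuite and reports which rules are still unmet; the vhost fragment it reads is constructed.

```python
import re

# Policy stated in the steps above: ADH must be excluded with "!", and the
# LOW, EXP, eNULL and SSLv2 aliases must be switched off with "-" (or "!").
MUST_BE_EXCLUDED = {"ADH"}
MUST_BE_DISABLED = {"LOW", "EXP", "eNULL", "SSLv2"}

# Constructed vhost fragment (not the real vhost-ssl.conf); a commented-out
# directive is included deliberately to show that it is ignored.
SAMPLE_VHOST = """<VirtualHost _default_:443>
    SSLEngine on
    #SSLCipherSuite ALL
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
</VirtualHost>
"""

def parse_cipher_spec(spec):
    """Split an OpenSSL cipher-list string into (operator, [aliases]) pairs.
    Operators: "" add, "+" move to end, "-" remove (can be re-added later),
    "!" remove permanently. "RC4+RSA" is one entry meaning RC4 AND RSA."""
    entries = []
    for token in spec.split(":"):
        if token:
            op = token[0] if token[0] in "+-!" else ""
            entries.append((op, token[len(op):].split("+")))
    return entries

def audit_cipher_spec(spec):
    """Return sorted findings; an empty list means the spec meets the policy."""
    last_op = {}
    for op, aliases in parse_cipher_spec(spec):
        # An intersection such as -LOW+RSA only affects a subset, so only
        # single-alias entries count toward disabling a whole class.
        if len(aliases) == 1 and last_op.get(aliases[0]) != "!":
            last_op[aliases[0]] = op
    findings = [f"{a} is not excluded with '!'" for a in MUST_BE_EXCLUDED
                if last_op.get(a) != "!"]
    findings += [f"{a} is still enabled" for a in MUST_BE_DISABLED
                 if last_op.get(a) not in ("-", "!")]
    return sorted(findings)

def sslciphersuite_from_config(text):
    """Return the value of the first active (uncommented) SSLCipherSuite directive."""
    for line in text.splitlines():
        m = re.match(r"\s*SSLCipherSuite\s+(\S+)", line)
        if m:
            return m.group(1)
    return None
```

RC4 cipher suites and SSL 3.0 have since been prohibited and deprecated (RFC 7465 and RFC 7568), so on a current server the same audit should also reject RC4 and require TLS-only settings.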
    

For more information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To on the Apache.org Web site.

11.6.3 Configuring the Web Admin Server for SSL Communications with the Enterprise Server

By default, the Web Browser is configured to communicate with the iFolder Web Admin server and the iFolder Enterprise server via SSL. If the iFolder deployment is large-scale and the Web Admin server is on a different machine from the iFolder enterprise server, SSL lets you increase the security of communications between the two servers.

The communication between the Web Admin server and the iFolder enterprise server is determined during the configuration of the Web Admin server. Specify https:// in the URL for the enterprise server to use SSL (HTTPS) between the servers; traffic between the two servers is then secure. If you specify http:// in the URL, HTTP is used between the servers and the traffic is insecure.

The setting is stored in the /usr/lib/simias/webAdmin/Web.config file under the following tag:

  <add key="SimiasUrl" value="https://localhost" />
  <add key="SimiasCert" value=<raw certificate data in base 64 encoding> />

If you disable SSL between the Web Admin server and the enterprise server and the two servers are on different machines, you must also disable the iFolder server SSL requirement. Because the enterprise SSL setting also controls the traffic between the enterprise server and the client, all Web traffic between the servers and between the clients and the enterprise server would then be insecure.

IMPORTANT: Do not disable SSL on the Web Admin server if the servers are on different machines.

If the two servers are running on the same machine and you want to disable SSL, rerun the YaST configuration, and specify http://localhost as the URL for the enterprise server.
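As an added example (not part of the iFolder documentation), this Python snippet reads the SimiasUrl setting from a Web.config fragment and classifies it by the rule described above: https:// is secure on any host, http://localhost is acceptable only when both servers share a machine, and http:// to a remote host leaves the traffic in the clear. The Web.config sample, host name and certificate placeholder are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed Web.config fragment (not the real file); the certificate value
# is a placeholder, not real certificate data.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="SimiasUrl" value="http://ifolder-enterprise.example" />
    <add key="SimiasCert" value="PLACEHOLDER-BASE64-CERT" />
  </appSettings>
</configuration>
"""

def simias_url(web_config_xml):
    """Return the SimiasUrl value from a Web.config document, or None if absent."""
    root = ET.fromstring(web_config_xml)
    for add in root.iter("add"):
        if add.get("key") == "SimiasUrl":
            return add.get("value")
    return None

def classify_simias_url(url):
    """Classify the Web Admin -> enterprise server URL by the rule in the text:
    https://          -> "secure" on any host
    http://localhost  -> "plaintext-local" (acceptable only on one machine)
    http://<remote>   -> "plaintext-remote" (the case the IMPORTANT note forbids)"""
    parts = urlparse(url or "")
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return "secure"
    if parts.scheme == "http":
        if host in ("localhost", "127.0.0.1", "::1"):
            return "plaintext-local"
        return "plaintext-remote"
    return "unknown-scheme"
```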

11.6.4 Configuring the Web Admin Server for SSL Communications with Web Browsers

The SSL connection supports the secure exchange of data. For most deployments, this setting should not be changed because iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. Without SSL encryption, the iFolder data is also sent in the clear.

The following Rewrite parameters control this behavior and are located in the /etc/apache2/conf.d/ifolder_web.conf file:

LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]

To disable the requirement for SSL connections, you can comment out these Rewrite command lines in the ifolder_web.conf file. Placing a pound sign (#) at the beginning of each line renders it as a comment.

WARNING: Without an SSL connection, traffic between a user’s Web browser and the Web Admin server is not secure.

To disable the SSL requirement:

  1. Stop the iFolder Web Admin services.

  2. Edit the /etc/apache2/conf.d/ifolder_web.conf file to comment out the Rewrite command lines.

    For example:

    #LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
    #RewriteEngine On
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
    
  3. Start the iFolder Web Admin services.
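To see what the Rewrite lines above actually enforce, and to detect a configuration in which they have been commented out as in the procedure, here is an added Python example (not part of the iFolder documentation) that emulates the RewriteCond/RewriteRule pair on a single request and reports whether HTTPS is still forced; the ifolder_web.conf text and host names are constructed.

```python
import re

# Constructed copy of the four Rewrite lines (not the real ifolder_web.conf).
ACTIVE_CONF = """LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/ifolder/(.*) https://%{SERVER_NAME}/ifolder/$1 [R,L]
"""
# The same lines after the disabling procedure (each line commented out).
DISABLED_CONF = "\n".join("#" + l for l in ACTIVE_CONF.splitlines()) + "\n"

def active_lines(conf_text):
    """Directive lines Apache will actually read (blank and # lines dropped)."""
    return [l.strip() for l in conf_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def https_redirect_enforced(conf_text):
    """True only if RewriteEngine On, the HTTPS condition and a rule that
    redirects to https:// are all present and uncommented."""
    lines = active_lines(conf_text)
    engine = any(re.match(r"RewriteEngine\s+On$", l, re.I) for l in lines)
    cond = any(re.match(r"RewriteCond\s+%\{HTTPS\}\s+!=on$", l) for l in lines)
    rule = any(re.match(r"RewriteRule\s+\S+\s+https://", l) for l in lines)
    return engine and cond and rule

def apply_rewrite(conf_text, path, https, server_name):
    """Emulate the RewriteCond/RewriteRule pair for one request path (without
    query string, since mod_rewrite matches the path only). Returns the
    redirect target, or None when the request is served as-is."""
    if not https_redirect_enforced(conf_text) or https:
        return None  # engine off, rules commented out, or already HTTPS
    for line in active_lines(conf_text):
        m = re.match(r"RewriteRule\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        pattern, target = m.groups()
        hit = re.match(pattern, path)
        if hit:
            target = target.replace("%{SERVER_NAME}", server_name)
            # Expand Apache's $N back-references from the captured groups
            return re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))), target)
    return None
```

Because the pattern is ^/ifolder/(.*), only requests under /ifolder/ are redirected; a plain-HTTP request for any other path is served as-is.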

11.6.5 Configuring an SSL Certificate for the Web Admin Server

For information, see Managing SSL Certificates for Apache.