10.12 Securing Enterprise Server Communications

10.12.1 Using SSL for Secure Communications

In a default deployment, the iFolder 3 enterprise server uses SSL 3.0 for secure communications between components as shown in the following table.

iFolder Component    Web Access Server    LDAP Server    Client    Web Browser
Enterprise Server    Yes                  Yes            Yes       Yes

iFolder uses the SSL 3.0 protocol instead of SSL 2.0 because it provides authentication, encryption, integrity, and non-repudiation services for network communications. During the SSL handshake, the server negotiates the cipher suite to use, establishes and shares a session key between client and server, authenticates the server to the user, and authenticates the user to the server.

The key exchange method defines how the shared secret symmetric key used for application data transfer is agreed upon by the client and server. SSL 2.0 uses only RSA key exchange, while SSL 3.0 supports a choice of key exchange algorithms: the RC4 and RSA key exchange when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates and without prior communication between client and server. SSL 3.0 also supports certificate chains, which allow a certificate message to contain multiple certificates and thus support certificate hierarchies.

10.12.2 Configuring the SSL Cipher Suites and Protocol for the Apache Server

To ensure strong encryption, we strongly recommend the following configuration for the Apache server’s SSL cipher suite and protocol settings.

  • Use only High and Medium security cipher suites, such as RC4 and RSA.

  • Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.

  • Use TLS v1 and higher versions and disable SSL 2.0.

  • Disable the Low, Export, and Null cipher suites.

To set these parameters, modify the aliases in the OpenSSL ciphers command (the SSLCipherSuite directive) in the /etc/apache2/vhosts.d/vhost-ssl.conf file.

  1. Stop the Apache server: At a terminal console, enter

    /etc/init.d/apache2 stop
    
  2. Open the /etc/apache2/vhosts.d/vhost-ssl.conf file in a text editor and do the following:

    1. Locate the SSLCipherSuite directive in the Virtual Hosts section, change the plus (+) to a minus (-) in front of the ciphers you want to disable, and make sure there is a ! (not) before ADH:

      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
      
    2. Locate the SSLProtocol directive in the Virtual Hosts section and modify it to include TLS v1:

      SSLProtocol TLSv1
      
  3. Save your changes.

  4. Start the Apache server: At a terminal console, enter

    /etc/init.d/apache2 start
    

For more information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To on the Apache.org Web site.
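The following script is an added example, not part of the iFolder documentation or the Apache project: it reads the SSLCipherSuite and SSLProtocol directives out of a vhost fragment and reports which of the four recommendations above are not met. The two configuration fragments are constructed for illustration (a weak "before" and the hardened "after" matching the procedure); the check treats an SSLProtocol value of all as still permitting SSLv2 unless -SSLv2 is present, which is an assumption about the Apache 2 semantics of that keyword and is marked as such in the code.

```python
"""Audit an Apache mod_ssl virtual-host fragment against the recommended
cipher-suite and protocol settings. Added example; the fragments below are
constructed and are not the page's own /etc/apache2/vhosts.d/vhost-ssl.conf."""
import re

# Constructed "before" fragment: the weak settings the procedure tells you to change.
WEAK_VHOST = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLProtocol all
</VirtualHost>
"""

# Constructed "after" fragment using the directive values given in the procedure.
HARDENED_VHOST = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
    SSLProtocol TLSv1
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r"^\s*(SSLCipherSuite|SSLProtocol)\s+(\S.*?)\s*$", re.M)


def parse_ssl_directives(conf_text):
    """Return {directive: value} for every SSLCipherSuite/SSLProtocol line found."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(conf_text)}


def cipher_tokens(cipher_string):
    """Split an OpenSSL cipher string into (operator, alias) pairs.

    A leading '+', '-' or '!' is the operator; an embedded '+' (as in RC4+RSA)
    is OpenSSL's logical AND and stays inside the alias."""
    tokens = []
    for part in cipher_string.split(":"):
        op = part[0] if part and part[0] in "+-!" else ""
        tokens.append((op, part.lstrip("+-!")))
    return tokens


def audit_vhost(conf_text):
    """Return a list of findings; an empty list means the fragment meets the recommendations."""
    findings = []
    directives = parse_ssl_directives(conf_text)

    suite = directives.get("SSLCipherSuite")
    if suite is None:
        findings.append("SSLCipherSuite directive missing")
    else:
        ops = {alias: op for op, alias in cipher_tokens(suite)}
        # Recommendation: ciphers that do not authenticate must be excluded with '!'.
        if ops.get("ADH") != "!":
            findings.append("ADH (anonymous Diffie-Hellman) not excluded with '!'")
        # Recommendation: Low, Export and Null suites (and SSLv2 suites) disabled.
        for weak in ("LOW", "EXP", "eNULL", "SSLv2"):
            if ops.get(weak) not in ("-", "!"):
                findings.append(f"{weak} ciphers not removed (needs -{weak} or !{weak})")
        # Recommendation: only High and Medium suites remain enabled.
        for strong in ("HIGH", "MEDIUM"):
            if ops.get(strong) not in ("", "+"):
                findings.append(f"{strong} ciphers not enabled")

    proto = directives.get("SSLProtocol")
    if proto is None:
        findings.append("SSLProtocol directive missing")
    else:
        versions = proto.split()
        lowered = [v.lower() for v in versions]
        # Assumption: 'all' is taken to include SSLv2 unless '-SSLv2' is listed.
        if "sslv2" in lowered or ("all" in lowered and "-sslv2" not in lowered):
            findings.append("SSLProtocol permits SSLv2")
        if "all" not in lowered and not any(v.lower().startswith("tlsv1") for v in versions):
            findings.append("SSLProtocol does not enable TLSv1")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        result = audit_vhost(conf)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it as-is to see the six findings on the weak fragment and none on the hardened one; to audit a real file, pass the contents of vhost-ssl.conf to audit_vhost() instead of the constructed strings.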

10.12.3 Configuring the Enterprise Server for SSL Communications with the LDAP Server

By default, the iFolder enterprise server is configured to communicate via SSL with the LDAP Server. For most deployments, this setting should not be changed. If the LDAP server is on the same machine as the enterprise server, communications do not need to be secured with SSL.

  1. Log in to Web Admin.

  2. Click System in the Web Admin console to open the System page.

  3. Select Enable SSL to enable LDAP SSL communication.

10.12.4 Configuring the Enterprise Server for SSL Communications with the iFolder Client

By default, the iFolder enterprise server is configured to require SSL. If set to use SSL, all iFolder client communication to the server is encrypted using the SSL protocol. In most deployments, this setting should not be changed because iFolder uses HTTP BASIC for authentication, which means passwords are sent to the server in the clear. Without SSL encryption, the iFolder data is also sent in the clear.

  1. Stop the Apache server: At a terminal console, enter

    /etc/init.d/apache2 stop
    
  2. Go to /usr/bin and run simias-server-setup

  3. Select Yes for the Enable SSL option.

  4. Start Apache: At a terminal console, enter

    /etc/init.d/apache2 start
    

10.12.5 Configuring the Enterprise Server for SSL Communications with the Web Access Server and Web Admin Server

By default, the Web browser is configured to communicate via SSL with the iFolder Web Access server or Web Admin server, and the Web Access server and Web Admin server communicate via SSL channels with the iFolder enterprise server. In a larger-scale deployment where the Web Access server or Web Admin server runs on a different machine from the iFolder enterprise server, SSL lets you secure the traffic between the two servers.

Communications between the two servers are governed by the Web Access server’s or Web Admin server’s settings for SSL traffic. For information, see Section 14.5.3, Configuring the Web Access Server for SSL Communications with the Enterprise Server.

10.12.6 Configuring an SSL Certificate for the Enterprise Server

For information, see Managing SSL Certificates for Apache.