HTTPS

Principle

HTTPS (the S stands for secured) is HTTP combined with SSL.

It can be used to check the identity of the site the user is connecting to, thanks to an authentication certificate.

It guarantees the confidentiality and integrity of the data sent by the user (such as information entered in forms) and received by the server.

Authentication is carried out with a digital certificate, in the X.509 format, delivered by a certification authority.

Encryption relies on asymmetric cryptography, such as the RSA algorithm.

Certification authority (CA)

In cryptography, the mission of a certification authority (CA) is to sign, issue and maintain certificates, after the identity of the certificate requester has been verified.

  • Verisign
  • Thawte
  • Global Sign
  • ...

RSA private key (server.key)

An RSA private key file is a digital file that the user can use to decrypt messages that have been sent to the user.

There is a corresponding public key file that can be distributed (via the certificate), so that other parties can encrypt messages that only the user can decrypt.

Request for a certificate signature (CSR)

A Certificate Signature Request (CSR) is a digital file that contains the user's public key and the user's name.

The CSR must be sent to a Certification Authority (CA) that is going to convert it into an actual certificate by signing it.

Certificate (server.crt)

A certificate contains the user's public RSA key, the user's name and the CA's name. It is signed by the CA.

Browsers that recognize the CA can check the certificate's signature and extract the user's public RSA key.

This way, they can send messages that only the user can decrypt.

Obtaining a certificate

A commercial Certification Authority usually asks the user to send the CSR via a web form and to pay the signature fee, then returns a signed certificate that can be saved in a server.crt file.

Apache server configuration

The Apache server's SSL configuration file is generated during the installation of the X3WEB server.

  • Path: WebTools\SOFTS\HTTPD\conf\extra\httpd-ssl.conf
  • WebTools is the 'Tools' directory defined during the installation of the X3WEB server

# Server Certificate:
SSLCertificateFile "C:/SAGE/WebREFJULIET/WebTools/SOFTS/HTTPD/conf/server.crt"

# Server Private Key:
SSLCertificateKeyFile "C:/SAGE/WebREFJULIET/WebTools/SOFTS/HTTPD/conf/server.key"

The certificate (.crt) and the private key (.key) files are located in:

  • WebTools\SOFTS\HTTPD\conf\server.crt
  • WebTools\SOFTS\HTTPD\conf\server.key

The server.crt and .key files delivered by default are test files delivered by the Apache foundation.

The server.crt file is not certified by a Certification Authority and therefore is not recognized (i.e. validated) by browsers.

In order to configure the SSL protocol correctly, the user must generate a private key file (server.key), send a certificate signature request to a Certification Authority, then replace the existing server.key and server.crt files, keeping the same names.

When a patch is installed on an X3WEB server, the server.crt and server.key files should be backed up beforehand and copied back after the installation of the patch.

Creation of a Verisign test certificate

The Verisign certification authority (http://www.verisign.fr) offers a free SSL certificate for a limited amount of time.

The following paragraph explains the procedure in order to:

  • create the private key and the Certificate Signature Request (CSR) with the OpenSSL toolbox
  • obtain the test certificate from Verisign.

For further information, see Verisign's instructions.
http://www.verisign.fr/support/ssl-certificate-support/page_fr_fr_dev019500.html

1 - Install OpenSSL

The 'openssl' utility (http://www.openssl.org) can be used to generate the key and the Certificate Signature Request (CSR).

Download OpenSSL (on Windows).
http://www.openssl.org/related/binaries.html

1. Install 'Visual C++ 2008 Redistributables'

2. Install 'Win32 OpenSSL v0.9.8j Light' or 'Win64 OpenSSL v0.9.8j Light'

3. Use the \OpenSSL\Bin\openssl.exe command

2 - Generate a private key

openssl genrsa -des3 1024 > verisign.key

See the genrsa documentation
http://www.openssl.org//docs/apps/genrsa.html

3 - Generate a Certificate Signature Request

openssl req -new -key verisign.key -out verisign.csr

See the req documentation
http://www.openssl.org//docs/apps/req.html

1. Enter the private key's password

2. Enter the information on certificate

Enter the Fully Qualified Domain Name (FQDN) of the server when OpenSSL prompts for the Common Name (the prompt reads 'Common Name (eg, YOUR name)').

If the user generates a CSR for a website whose URL is https://www.mysite.com/, the FQDN is www.mysite.com

Usually, one certificate is bought per Fully Qualified Domain Name.

Generate a self-signed certificate

This certificate does not need to be signed by a certification authority, but it is not recognized by the browser. Use the following command:

openssl req -x509 -key verisign.key -in verisign.csr > verisign.crt

4 - Certificate request

Open the following URL http://www.verisign.fr/ssl/index.html and click on 'Free trial'.

1. Fill out the Request form

2. Fill out the Technical contact form

3. Fill out the Certificate form

      • Select 'Apache server'
      • Open the CSR file (verisign.csr) with a text editor and copy its content
      • Paste this content in the text box
      • Select Server WEB use and validate
      • Enter the certificate password and validate

5. The certificate is sent by email

6. Upon reception of the certificate

      • Copy the certificate
        text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
      • Open Notepad(++) and paste the certificate
      • Save it with the .crt file extension (verisign.crt)

Keep a copy of the verisign.key and verisign.crt files, and keep the passwords.

5 - Installation of the certificate

Copy the verisign.key and verisign.crt files into the WebTools\SOFTS\HTTPD\conf\ directory as server.key and server.crt, replacing the existing files.
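The following script is an added example and is not part of the Sage X3 documentation or of the X3WEB product. It strings together steps 2, 3 and 5 above (private key, CSR, self-signed test certificate, installation as server.key / server.crt) and adds the consistency checks a practitioner would run before replacing the Apache files: the key, the CSR and the certificate must carry the same public key, the Common Name must be the FQDN, the certificate must not be about to expire, and the chain must verify against a trust anchor. Assumptions that are not from the page: OpenSSL 1.1 or later on a POSIX shell, the FQDN www.mysite.com used in the text, a 2048-bit key instead of the 1024-bit key in the original command, no -des3 passphrase on the key so the script runs unattended, and the hypothetical organisation name "Example" in the subject. The served_cert_matches function needs a running HTTPS server and is only there to show how the deployed server is checked after installation.

```shell
#!/bin/sh
# Added example (not Sage X3 code): generate verisign.key / verisign.csr /
# verisign.crt with OpenSSL and check them before installing as server.key / server.crt.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="${FQDN:-www.mysite.com}"   # FQDN from the page's example (assumption: configurable)
KEY="$WORKDIR/verisign.key"
CSR="$WORKDIR/verisign.csr"
CRT="$WORKDIR/verisign.crt"

# Step 2: private key. Assumption: 2048 bits and no -des3 passphrase (unattended run).
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Step 3: the CSR. -subj answers the interactive prompts; CN must be the FQDN.
# "/O=Example" is a hypothetical organisation name.
gen_csr() {
    openssl req -new -key "$KEY" -subj "/C=FR/O=Example/CN=$FQDN" -out "$CSR"
}

# Self-signed test certificate built from the CSR (page command plus -days and -out).
self_sign() {
    openssl req -x509 -key "$KEY" -in "$CSR" -days 30 -out "$CRT"
}

# Common Name recorded in the certificate subject.
cert_cn() {
    openssl x509 -in "$CRT" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Key, CSR and certificate must carry the same public key: a certificate
# returned by the CA for another CSR, or a mixed-up key file, fails here.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout | openssl sha256)
    r=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# True if the certificate is still valid in N days (renewal check).
cert_valid_for_days() {
    openssl x509 -in "$CRT" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Chain verification against an explicit trust anchor. A self-signed
# certificate only passes when it is itself the anchor, which is exactly
# why browsers reject it until a recognized CA has signed the CSR.
verify_with_ca() {
    openssl verify -CAfile "$1" "$CRT" >/dev/null 2>&1
}

# Step 5: install under the names httpd-ssl.conf expects ($1 = conf directory).
install_cert() {
    cp "$KEY" "$1/server.key" && cp "$CRT" "$1/server.crt"
    chmod 600 "$1/server.key"
}

# After deployment: does the HTTPS port ($1 host, $2 port) present our certificate?
# Not exercised in run_all because it needs a live server.
served_cert_matches() {
    local_fp=$(openssl x509 -in "$CRT" -noout -fingerprint -sha256)
    served_fp=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    [ -n "$local_fp" ] && [ "$local_fp" = "$served_fp" ]
}

# Generate everything and run the pre-installation checks.
run_all() {
    gen_key && gen_csr && self_sign && key_matches_cert \
        && [ "$(cert_cn)" = "$FQDN" ] && cert_valid_for_days 7 && verify_with_ca "$CRT"
}

# Usage: sh this_script.sh run   (then install_cert /path/to/HTTPD/conf)
if [ "${1:-}" = "run" ]; then run_all; fi
```

With a real CA, the certificate returned by email replaces the self_sign step; key_matches_cert then confirms that the returned server.crt actually belongs to the server.key generated in step 2, and verify_with_ca is run against the CA's certificate instead of the self-signed file.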

Configuration parameters

X3Web

The XTEND applications use the HTTPS port.

Check that the console parameter ALL.Apache.APACHESSL, which activates the SSL mode of the Apache server, is set to yes.

The HTTP and HTTPS ports that give access to XTEND applications are defined by the parameters xtend.server.gensetup.http.defhttpport and xtend.server.gensetup.http.defhttpsport.

These parameters must be set.

XTEND

The table below lists the configuration parameters of the XTEND server that can be accessed via the console (advanced setup).

| Parameter | Default value | Description |
|---|---|---|
| xtend.session.trace.xtend | off | XTEND session log file |
| xtend.session.trace.httpreq | off | HTTP requests log file |
| xtend.session.trace.wsvc | off | Web service log file |
| xtend.session.wait.timeout | 1500 | Wait timeout in ms for an XTEND request if the session is busy (processing another request, for instance) |
| xtend.server.data.localpath | /data/local | HTTP alias used to access the X3WEB server local resources (see httpd.conf) |
| xtend.server.data.protectdir | x_protect | Identification of the XTEND folders that are protected |
| xtend.server.reposit.local | off | Location of the XTEND dictionary and other XML data published by XTEND. on: local X3WEB server; off: remote, on the X3 server |
| xtend.server.menux3.local | off | Location of X3 menus (see xtend.server.reposit.local) |
| xtend.server.x3httpsrv.secured | off | HTTP/HTTPS protocol used towards the solution's HTTP server. on: the SSL mode of the solution's HTTP server must be activated manually |
| xtend.server.x3httpsrv.readtimeout | 30000 | Timeout (in ms) for reading a resource on the solution's HTTP server |
| xtend.server.x3httpsrv.cnxtimeout | 30000 | Timeout (in ms) for the connection to the solution's HTTP server |
| xtend.server.activitylog.level | 1 | Activity tracking: log file level (0: off, 1: normal, 2: verbose) |
| xtend.server.activitylog.filenumber | 10 | Activity tracking: number of log files |
| xtend.server.activitylog.filesize | 10000000 | Activity tracking: log file size in bytes |
| xtend.server.virtualpath.context | /xtend | XTEND web application path |
| xtend.cxtdtracesvc.trace.server.host | | Hostname of the log server |
| xtend.cxtdtracesvc.trace.server.port | 1515 | Log server TCP port |
| xtend.cxtdtracesvc.tracesvc.canal.level | 9 | Log server level |
| xtend.cxtdtracesvc.tracesvc.canal.name | SXTD | Log server prompt |
| xtend.cxtdtracesvc.tracesvc.canal.on | off | Log file active |
| xtend.cxtdtracesvc.tracesvc.on | off | Log file active |
| xtend.server.gensetup.defsite.x3sol | | Default X3 solution code if none is specified in the URL |
| xtend.server.gensetup.defsite.x3fldr | | Default X3 folder code if none is specified in the URL |
| xtend.server.gensetup.defsite.xtdsite | | Default XTEND site code if none is specified in the URL |
| xtend.server.gensetup.deflang | | Default XTEND language code if none is specified in the URL |
| xtend.server.gensetup.http.defhttpport | 28880 | HTTP port of the XTEND server |
| xtend.server.gensetup.http.defhttpsport | 28443 | HTTPS port of the XTEND server |
| xtend.server.gensetup.http.cookie.sess.persist | on | Persistence of cookies on the user workstation (on/off) |
| xtend.server.gensetup.http.cookie.disabled | off | Indicates whether XTEND must work without cookies. In that case the session id is carried in all the URLs. The user action ASESSSWITCHCOOKIES is used to override this parameter |
| xtend.server.gensetup.http.session.timeout | 60 | Tomcat session maximum inactivity time. Once this delay has been reached, the session is destroyed and all data is lost. Not to be confused with the XTEND session timeout entered in the 'web site' record, which disconnects the user in order to force a login on the next connection |
| xtend.server.gensetup.http.askreferer | on | Request the HTTP referer if it is not present in the HTTP headers. Used to manage access to XTEND via reverse proxies |
| xtend.server.gensetup.proxies.hosts | | Hostnames of the reverse proxies that access XTEND (names separated by blanks) |
| xtend.server.gensetup.proxies.portshttp | | HTTP ports of the reverse proxies that access XTEND (values separated by blanks) |
| xtend.server.gensetup.proxies.portshttps | | HTTPS ports of the reverse proxies that access XTEND (values separated by blanks) |
| xtend.server.gensetup.html.req.charset | utf-8 | Decoding of the HTTP request (used for the encoding of input fields). If not null: forces request.setCharacterEncoding("CharSet"); forces the Accept-Charset="CharSet" attribute of the form tag; forces the presence of the tag <meta http-equiv="Content-Type" content="text/html; charset=CharSet"> |
| xtend.server.gensetup.html.resp.charset | utf-8 | Encoding of the HTTP response |
| xtend.server.gensetup.html.chunked | off | on: activates the chunked transfer mode. Warning: chunked mode cannot always be used to display error pages |
| xtend.server.gensetup.html.buffersize | 0 | Buffer size for the HTTP response |
| xtend.server.gensetup.misc.rtnstacksize | 20 | Maximum number of elements in the page queue used for the return action (ADLKRETURN) |
| xtend.server.gensetup.defcharset | CP1252 | Default charset for reading text resources (platform default charset). The HTML project is often created on Windows and uploaded to X3; if the HTML files have no BOM (Byte Order Mark), it must be possible to force the charset used to decode the file contents, independently of the OS on which X3WEB runs |