Configure TLS for a server

Configure a FairCom server to use a TLS server certificate

FairCom servers communicate over a variety of secure protocols, including HTTPS, MQTTS, MQTTWSS, WSS, SQL, and FairCom's proprietary protocol for its ISAM and CTDB APIs. This section describes how to enable secure TLS communications over all these protocols. The following steps must be performed on each FairCom server instance you wish to use TLS-encrypted connections. For more information on the keywords used here, visit our Database Administrator's Guide.

  • The web protocols (HTTPS, MQTTS, MQTTWSS, and WSS) are configured in the services.json configuration file.
  • FairCom's proprietary protocols (ISAM, CTDB, and SQL) are configured in the ctsrvr.cfg configuration file.

Enable TLS for JSON APIs, MQTT, and browser-based apps (HTTPS, MQTTS, MQTTWSS, and WSS)

Use the Google Chrome browser for FairCom browser-based tools. Other browsers may cause unexpected behavior.

 

FairCom servers include a built-in app server that supports FairCom’s JSON APIs, browser-based applications, and MQTT broker. The app server communicates over TCP/IP ports using HTTP/HTTPS, WebSocket, and MQTT protocols.

Enable and configure listeners for these ports and protocols in the services.json file. You must use different ports for TLS and non-TLS connections. For TLS connections, configure the "tls" property for a listener.

  1. Navigate to and open the services.json file in the <faircom>/config folder.
  2. This JSON file starts with an array called "listeners". Locate the object / block in that array that corresponds to the service you are interested in (following this table), and then proceed with the following steps, modifying the block which you selected:
Protocol Object / block in "listeners" array
HTTPS/WSS "serviceName": "https8443"
MQTTS "serviceName": "mqtts8883"
MQTTWSS "serviceName": "mqttwss9002"
  1. Use the "certificateFilename" property to specify the filename and optional path of the server certificate file on that server. (For info on creating a certificate file, see Create a server certificate and createservercert.py).

You do not need to specify a path when the file is located in the <faircom>/server folder. If you use Windows path separators (\), please escape each one out with an extra \ (e.g. "C:\\my\\path\\serverCert.pem"). Use the "privateKeyFilename" property to specify the filename and optional path of the server key file.

 
  1. Use the "privateKeyFilename" property to specify the filename and optional path of the server key file.

This property is optional. It is not needed if you embed the server key in the server certificate file mentioned in step 3.

 
  1. Optionally, use the "certificateAuthoritiesFilename" property to specify the filename and optional path of the CA certificate file to require clients to authenticate using X509 client certificates. If you choose to do this, a client certificate must be generated and distributed to each client.
  2. Verify that the files you specified above actually exist at the specified locations on this server computer.
  3. Optionally, use the "allowedCipherSuites" property to specify a list of cipher suites that you require clients to use.
  4. If your FairCom server is already running, restart it so the changes you have made to the services.json file take effect. This file is processed only at server startup time.

Examples

Minimally secure TLS examples

"tls": { 
  "certificateFilename": "serverCert.pem", 
  "privateKeyFilename": "serverKey.pem"
}

"tls": { 
  "certificateFilename": "serverCertAndKey.pem" 
}

Secure TLS example with a wide variety of options

{ 
    "serviceName": "https8443", 
    "description": "Port 8443 using TLS-secured HTTPS protocol", 
    "port": 8443, 
    "protocol": "https", 
    "enabled": true,
    "tls": {
      "certificateFilename": "serverCert.pem",
      "privateKeyFilename": "serverKey.pem",
      "certificateAuthoritiesFilename": "caCert.pem",
      "allowedCipherSuites": [
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-CHACHA20-POLY1305",
        "DHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-GCM-SHA384"
      ]
    }
}

You can run the nmap command line utility against FairCom's default app server port 8443 to verify the TLS ciphers in use. Linux includes nmap, and you can install nmap on Windows and MacOS.

nmap-p 8443 -v -Pn --script ssl-enum-ciphers localhost

 
 
 

Enable TLS for SQL, ISAM, and CTDB

  1. Navigate to and open the ctsrvr.cfg file in the <faircom>/config/ folder.
  2. Edit or add the SUBSYSTEM COMM_PROTOCOL SSL setting.

The SUBSYSTEM COMM_PROTOCOL SSL setting normally exists in ctsrvr.cfg but is commented out with a semicolon at the beginning of the section. Uncomment it by removing the semicolon.

 
  1. If this setting does not exist, add it using the Default minimally secure configuration for COMM_PROTOCOL SSL example.
  2. Modify Default minimally secure configuration for COMM_PROTOCOL SSL example to match your desired TLS configuration options.

The default setting is insecure because it is designed for maximum connectivity and compatibility while evaluating the server.

 
  1. Verify that the files you specified above actually exist at the specified locations on this server computer.
  2. Create and use a secure configuration for all your environments.
  3. If your FairCom server is already running, please restart it so the changes you have made to the ctsrvr.cfg file take effect. This file is processed only at server startup time.

Examples

Default minimally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE serverCert.pem
  SSL_CONNECTIONS_ONLY NO
  SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}

Maximally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE my_server_certificate.pem
  SERVER_PRIVATE_KEY_FILE my_server_key.key
  SSL_CONNECTIONS_ONLY YES
  SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
}

SERVER_CERTIFICATE_FILE

SERVER_CERTIFICATE_FILE is a required property that specifies the name and optional path of a server certificate file.

  • A server certificate file is a PEM-encoded certificate that you create specifically for one server. It contains information that uniquely identifies the server, such as its host-name or IP addresses.
  • FairCom's createservercert.py script creates a server certificate file as well as a server key file.
  • The server certificate file is put in the <faircom>/server folder.
  • Put the server certificate file name in this property
  • If you specify a path with the file name, the path will be relative to the <faircom>/server folder.
  • If your company has a security team that manages certificates, you have additional options.
    • A server certificate file may optionally embed the server key inside it. 
    • The server certificate may be self-signed.
 
 

SERVER_PRIVATE_KEY_FILE

SERVER_PRIVATE_KEY_FILE is an optional property (but is typically used) that specifies the name and optional path of a server key file.

  • This property can be omitted if the server key is embedded in the server certificate file.
  • FairCom's createservercert.py script creates a server certificate file as well as a server key file.
  • Put the server key file name in this property.
  • If you specify a path with the server key file name, the path will be relative to the <faircom>/server folder.
 
 

SERVER_ENCRYPTED_STORE_FILE

SERVER_ENCRYPTED_STORE_FILE is an optional property that specifies the name and optional path of an encrypted key store file, which contains a password that can decrypt a server key.

Essential information

  • It is desirable, but not required, to encrypt a server key because it makes it more difficult for malicious users to steal the server key and impersonate the server.
  • Encrypting the server key complicates setting up security. For this reason, FairCom's scripts make key encryption optionsl.
  • The FairCom server needs to read the server key so it can use the server certificate to encrypt communications. When the server key is encrypted, the FairCom server cannot read the server key. The solution to this is to use FairCom's ctcpvf utility to create an encrypted key store file that contains the password for the server key. Only the FairCom server knows how to read the key store file and decrypt the password that it contains. This allows the FairCom server to retrieve the password and decrypt the server key. Once the FairCom server has the server key, it can use the server key with the server certificate to do encrypted TLS communications.
 
 
 
 

SSL_CONNECTIONS_ONLY

SSL_CONNECTION_ONLY is an optional property that specifies if a FairCom server requires all ISAM, CTDB, and SQL TCP communications to be encrypted using TLS (SSL), or if it accepts both encrypted and unencrypted communications. It defaults to NO.

Essential information

  • It can be set to the value NO or YES.
  • A value of YES is the safest option because it requires all TCP communications to be encrypted. Shared memory is still allowed.
  • A value of NO allows both encrypted and unencrypted TCP communications.
 
 
 
 

SSL_CIPHERS

SSL_CIPHERS is an optional property that specifies the encryption ciphers that are allowed to be used for encrypting a TLS (SSL) connection. It defaults to ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256.

 
 

Enable TLS client certificates for MQTTS and MQTTWSS

  1. Ensure you have TLS configured as described in the Enable TLS for SQL, ISAM, and CTDB section. Minimally you need to have the SERVER_CERTIFICATE_FILE property set to your server certificate.
    SERVER_CERTIFICATE_FILE /Certs/serverCert.pem
    Example 
SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE /Certs/serverCert.pem
  SSL_CONNECTIONS_ONLY YES
  VERIFY_CLIENT_CERTIFICATE YES
  x509_AUTHENTICATION YES
  x509_PATH CN
}
  1. Configure the TLS block of the protocol (MQTTS) to include the CA certificate and the server keypair.
"tls": {
  "serverCertificateFilename": "/Certs/serverCert.pem",
  "certificateAuthoritiesFilename": "/Certs/ca.crt", 
  "clientCertificateFilename": "adminClient.pem"
}
  1. While still in services.json, ensure the authenticationMethods block in the mqtt section contains "clientCertificate".
  2. Start or restart the server.

Sample Python script to test the connection

import time

import paho.mqtt.client as mqtt


def message_callback( message_client, userdata, message ):
  print( message.payload.decode( 'utf-8' ) )


if __name__ == "__main__":
  topic = "test/IncrediblySimpleMqttsClientCertTopic"
  mqtts_client = mqtt.Client( client_id = "MQTTS secured client" )
  mqtts_client.tls_set( ca_certs = "/Certs/ca.crt",
                        certfile = "/Certs/AdminClient.pem",
                        keyfile = "/Certs/AdminClient.pem" )
  mqtts_client.on_message = message_callback
  mqtts_client.loop_start()

  mqtts_client.connect( "127.0.0.1", port = 8883 )
  time.sleep( 2 )

  mqtts_client.subscribe( topic )
  mqtts_client.publish( topic, "Incredibly Simple MQTTS client certificate message" )

  count = 0
  while count < 5:
    time.sleep( 1 )
    count += 1
  mqtts_client.unsubscribe( topic )
  mqtts_client.disconnect()
  mqtts_client.loop_stop()
 
 
 
 
security encryption

Was this article helpful?

Give feedback about this article

Related Articles