Difference: APPXClientEncryption (6 vs. 7)

Revision 7 - 2008-09-16 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"
Deleted:
<
<

APPX Client Encryption

APPX now includes the ability to encrypt login data, session data, and file transfers.
 
Changed:
<
<
>
>

APPX Desktop Client Encryption

Effective with Release 5.0.0, the APPX Desktop Client includes an option to enable SSL encryption for APPX Desktop Client sessions.
 
Changed:
<
<
The APPX Connection Manager, and APPX Desktop Client by default will encrypt the data stream with SSL encryption. This datastream includes login ID, password, and all session data. You may optionally:
>
>
 
Changed:
<
<
  1. Disable Encryption
>
>
Release 5.0.0 of the APPX Desktop Client allows SSL encryption to optionally be enabled for APPX Desktop Client sessions connecting to APPX 5.0.0 or higher.  The APPX SSL encryption feature encrypts all data transmitted between the APPX Desktop Client and the APPX server includes login ID, password, all session data, all reports printed by the client, and all files transferred between the client and the server.  The APPX Desktop Client can only establish an encrypted SSL connection with an APPX Login Manager that has been properly configured to accept SSL connection requests from clients.  The APPX Login Manager may require that the APPX Desktop Client enable SSL encryption.  Furthermore, the APPX Login Manager may require that the APPX Desktop Client identify itself by providing an acceptable SSL certificate.
  1.  

 
  1. Provide a self signed SSL server certificate
  2. Provide a trusted SSL certificate from an official SSL CA such as Verisign, Thawte, Digicert, Geotrust....
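Review bot: In the replacement paragraph, "transmitted between the APPX Desktop Client and the APPX server includes login ID, password, ..." is missing a connective and should read "including login ID, password, ...". The removed sentence ended with "You may optionally:", which introduced the numbered items that follow, so the two remaining items about self signed and CA-issued server certificates now have no lead-in, and an empty "1." item is left behind. Either restore a lead-in sentence or move those two items under the server certificate parameters.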
Deleted:
<
<
  1. Require that any connecting client have a SSL certificate.

Lets review the configuration options available in the APPX Desktop Client, followed by the options in the APPX Connection Manager.

 
Changed:
<
<

APPX Desktop Client parameters available for SSL datastream encryption.

Upon initial startup of the APPX Desktop Client, just prior to logging in, there are three tabs available, Local, Remote, and Options. Select Options, and then click the Advanced button. You should now see four many options available broken up into sections, one of which is labeled [SSL]. In the SSL section are five options.
>
>

APPX Desktop Client SSL Preferences
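Review bot: The rewritten heading drops the only instructions for finding these settings (the Options tab, then the Advanced button, then the [SSL] section), so a reader of the new revision is not told where the SSL preferences are set. Keep a corrected form of that sentence under the new heading; the removed wording "four many options" needed fixing, but the navigation steps themselves are still useful.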

 
Added:
>
>
The APPX Desktop Client provides five preferences (parameters) relating to SSL connection requests. 
 

SSLMode

Changed:
<
<
  1. Required - Non SSL connections are not allowed. Only SSL encrypted connections are permitted. If you are connecting to a 4.2.a or earlier build of APPX Connection Manager that does not support SSL encryption, or you connect to a 4.3 APPX Connection Manager that has SSL disabled, then upon connection, you will be presented with a notification that SSL is not available. This notification will enable you to continue unencrypted or to terminate the connection.
  2. Optional - If both parties support SSL connection, then SSL connect, else fall back to non encrypted connection. If you are connecting to a 4.2.a or earlier build of APPX, then you might experience a brief (<=3 second) handshake upon connection.
  3. Disabled - No SSL connections allowed, therefore no datastream encryption. If you are connecting to a 4.2.a or earlier build of APPX, then you might experience a brief (<=3 second) handshake upon connection.
  4. Pre43 - Do not perform any SSL notification to the target server. This can speed up connections to older builds of APPX Connection managers, such as appxdsvc.exe, winappxd, and appxd that did not have SSL capabilities.
>
>
  1. Required - When this option is specified, the APPX Desktop Client will attempt to establish an SSL connection with the APPX Login Manager on the APPX server.  If the APPX Login Manager is an older version that does not support SSL connections or if the APPX Login Manager is configured to not allow SSL connections, the client will display an error dialog informing the user that an SSL connection with the requested APPX server is not available.  In this case, the user has the option of cancelling the connection request or allowing the connection to proceed without enabling SSL encryption.
  2. Optional - This option is similar to the Required option.  However, in the event that an SSL connection cannot be established, the client will automatically connect without enabling SSL and without notifying the user.
  3. Disabled - No SSL connections allowed, therefore no datastream encryption. If you are connecting to a 4.2.a or earlier build of APPX, then you might experience a brief (<=3 second) handshake upon connection.
  4. Pre43 - Do not perform any SSL notification to the target server. This can speed up connections to older builds of APPX Connection managers, such as appxdsvc.exe, winappxd, and appxd that did not have SSL capabilities.
 

SSLAnonAllowed
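Review bot: In the SSLMode hunk, the new Required text lets the user proceed without SSL, and the new Optional text says the client will connect "without enabling SSL and without notifying the user". Since the page states that the data stream carries the login ID and password, both entries should say plainly that the session, credentials included, is then sent unencrypted. The Disabled and Pre43 entries still refer to "APPX Connection managers" and "4.2.a or earlier" while the rewritten entries use "APPX Login Manager"; use one name for the server component, and clarify how the Pre43 wording relates to the Release 5.0.0 requirement stated earlier.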

Changed:
<
<
  1. True -
  2. False -
>
>
This preference determines whether or not the APPX Desktop Client is allowed to connect to an APPX Server that does not have a signed SSL certificate.
  1. True - The connection is allowed
  2. False - The connection is not allowed
 

SSLMismatchAllowed
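Review bot: In the SSLAnonAllowed hunk, "does not have a signed SSL certificate" reads almost the same as the SSLSelfSignedAllowed description ("has a self-signed SSL certificate"), so the two preferences are hard to tell apart. If anonymous here means the server presents no certificate at all, as the ServerCertificateFile entry suggests with "leave blank for anonymous connections", say that explicitly, and state the default value.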

Changed:
<
<
  1. True -
  2. False -

SSLSelfSignedAllowed -

  1. True -
  2. False -

SSLHandshakeTimeout -

>
>
This preference determines whether or not the APPX Desktop Client
  1. True
  2. False

SSLSelfSignedAllowed

This preference determines whether or not the APPX Desktop Client is allowed to connect to an APPX Server that has a self-signed SSL certificate.

  1. True - The connection is allowed
  2. False - The connection is not allowed

SSLHandshakeTimeout

This preference specifies the length of time in seconds that the client is to wait after attempting to establish an SSL connection with the APPX Login Manager.  If the specified amount of time passes without establishing an SSL connection, then the SSLMode preference will determine what additional action, if any, takes place.

 
  1. An integer 0 through 10, with the default being 3.

APPX Connection Manager SSL parameters.

RequireSSL - Not Implemented. Do not Use.
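Review bot: The new SSLMismatchAllowed description stops mid-sentence ("This preference determines whether or not the APPX Desktop Client") and its True and False items have no text, so the page does not say what kind of mismatch is tolerated. Complete the sentence and describe both values the way SSLAnonAllowed and SSLSelfSignedAllowed do. In SSLHandshakeTimeout, the value range "An integer 0 through 10, with the default being 3" is formatted as a one-item numbered list, and the meaning of 0 is not stated.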

Changed:
<
<
  1. true
  2. false
>
>
  1. true
  2. false
 

RequireSSLClientCertificates

Changed:
<
<
  1. True - Connecting clients must have client side SSL certificates.
  2. False- This is the default option. Connecting clients do not need to have client side SSL certificates.
>
>
  1. True - Connecting clients must have client side SSL certificates.
  2. False - This is the default option. Connecting clients do not need to have client side SSL certificates.
 

ServerCertificateFile - This is the server's SSL public certificate

  1. The pathname of server's X509 certificate (leave blank for anonymous connections). An example is ServerCertificateFile=/usr/local/appx/tools/tubes.internal.appx.com.crt

ServerPrivateKeyFile - This is the server's SSL private server key

Line: 55 to 60
 

How to create a server's SSL private server key and server's SSL public certificate from the Unix/Linux command line with the openssl tool.

Create new private/public-keys without passphrase for server


Changed:
<
<
openssl genrsa -out tubes.internal.appx.com.private.key 1024
>
>
openssl genrsa -out tubes.internal.appx.com.private.key 1024
 

Create server's SSL public certificate
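Review bot: The genrsa line, unchanged in content by this revision, still generates a 1024-bit RSA key, which is below the 2048-bit minimum that current guidance (for example NIST SP 800-131A) requires. Suggest changing the final argument to 2048 or larger. Because the heading says the key is created without a passphrase, the text should also tell the reader to restrict file permissions on the .private.key file.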


Changed:
<
<
openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt
>
>
openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt
 

Suggested Behavior:
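Review bot: The req command uses -x509, so it produces a self-signed certificate valid for 365 days. Going by the SSLSelfSignedAllowed description above, a client with that preference set to False will not connect to a server using it; the page should say so next to the command and note that the certificate has to be reissued before it expires. The "Suggested Behavior:" heading has no content.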

 