---+ APPX Desktop Client Encryption

_Effective with Release 5.0.0, the APPX Desktop Client includes an option to enable SSL encryption for "Remote" APPX Desktop Client sessions._

%TOC%

---++ Overview

Release 5.0.0 or higher of the APPX Desktop Client allows SSL encryption to optionally be enabled for "Remote" APPX Desktop Client sessions when connecting to APPX Server 5.0.0 or higher.

The APPX Desktop Client SSL encryption feature encrypts all data transmitted between the APPX Desktop Client and the APPX server, including login ID, password, all session data, all reports printed by the client, and all files transferred between the client and the server.

The APPX Desktop Client can only establish an encrypted SSL connection with an APPX Server that has an [[APPXConnectionManagerForUnixLinux][APPX Login Manager]] that supports, and has been properly configured to accept, SSL connection requests from the various types of APPX clients.

The APPX Login Manager on the APPX Server may be configured to require that the APPX Desktop Client use SSL encryption. Furthermore, the APPX Login Manager may require that the APPX Desktop Client identify itself by providing an acceptable SSL certificate [<font color="#0000ff">Note: This feature is not yet implemented by the APPX Desktop Client</font>].

---++ APPX Desktop Client Handshake

When an APPX Desktop Client connects with an APPX Login Manager to establish a client session with an APPX Server, the first step is to complete a "handshake". The handshake exchanges version and configuration information to determine whether or not the connection is able to use SSL and whether or not the connection should use SSL.

APPX Desktop Client versions prior to 5.0 are not able to connect using SSL. If you want to use SSL, you must upgrade your APPX Desktop Client to version 5.0 or higher. You must also upgrade your server to APPX Server version 5.0 or higher.

The following chart shows the types of connections that are technically possible for the various combinations of versions of the APPX Desktop Client and APPX Server. Please note that while it is technically possible for an APPX Desktop Client version prior to 5.0 to connect to an APPX Server version of 5.0 or higher, this combination is not recommended or supported, since upward compatibility of old APPX Desktop Client versions with newer APPX Server versions is not assured. The APPX Desktop Client version should always be the same as or higher than the APPX Server version with which a session is to be established.

| *Client/APPX Versions* | *APPX-Prior to 5.0* | *APPX-5.0 & Higher* |
| Client - Prior to 5.0 | Clear Text Only | Clear Text Only |
| Client - 5.0 & Higher | Clear Text Only | Clear Text or SSL |

---++ APPX Desktop Client SSL Preferences

The APPX Desktop Client provides five preferences (parameters) relating to SSL connection requests. Depending on the value specified for SSLMode, the other SSL preferences may not always be relevant.

---+++ SSLMode
   1 *Required* - When this option is specified, the APPX Desktop Client will attempt to establish an SSL connection with the APPX Login Manager on the APPX server. If the APPX Login Manager is an older version that does not support SSL connections or if the APPX Login Manager is configured to not allow SSL connections, the client will display an error dialog informing the user that an SSL connection with the requested APPX server is not available. In this case, the user has the option of cancelling the connection request or allowing the connection to proceed without enabling SSL encryption.
   1 *Optional* - This option is similar to the *Required* option. However, in the event that an SSL connection cannot be established, the client will automatically connect without enabling SSL and without notifying the user.
   1 *Disabled* - This option is used to specify that a "clear text" connection is desired.
     allowed, therefore no datastream encryption. If you are connecting to a 4.2.a or earlier build of APPX, then you might experience a brief (<=3 second) handshake upon connection.
   1 *Pre43* - This option is used to specify that the Pre-5.0 Handshake protocol is to be used to initiate a "clear text" APPX Desktop Client connection with an APPX Server. If a "clear text" connection cannot be established within 5 seconds, the connection attempt will fail. This option is compatible with all versions of the APPX Login Manager including older versions such as appxdsvc.exe, winappxd, and appxd that did not have SSL capabilities.

---+++ SSLAnonAllowed

This preference determines whether or not the APPX Desktop Client is allowed to connect to an APPX Server that does not have an SSL certificate signed by a trusted authority such as Verisign or Thawte.
   1 *True* - The connection is allowed
   1 *False* - The connection is not allowed

---+++ SSLMismatchAllowed

If set to False, the user will be presented with an Error Dialog Window in the event that the requested type of connection cannot be established. False, the user is given the option of continuing with a different type of connection or cancelling. For example, if SSLMode is set to Required but the server does not allow
   1 *True*
   1 *False*

---+++ SSLSelfSignedAllowed

This preference determines whether or not the APPX Desktop Client is allowed to connect to an APPX Server that has a self-signed SSL certificate.
   1 *True* - The connection is allowed
   1 *False* - The connection is not allowed

---+++ SSLHandshakeTimeout

This preference specifies the length of time in seconds that the client is to wait after attempting to establish an SSL connection with the APPX Login Manager. If the specified amount of time passes without establishing an SSL connection, then the connect request will fail. This handshake timeout only applies when the client is attempting to
   1 An integer 0 through 10, with the default being 3.
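
The client preferences described above decide whether a session can end up in clear text or accept an untrusted server certificate. The following is an added example, not APPX code: a small auditor that flags those settings. It assumes the preferences are available as "Name = value" lines (the page does not show how the client stores them); the function names and severity ratings are this example's own.

```python
# Added example, not APPX code. Assumption: preferences are supplied as
# "Name = value" lines; the page names them but not how the client stores them.

def parse_prefs(text):
    """Parse 'Name = value' lines ('#' starts a comment) into a dict."""
    prefs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            prefs[name.strip()] = value.strip()
    return prefs

def audit_client(prefs):
    """Return sorted (preference, severity, finding) tuples."""
    findings = []
    mode = prefs.get("SSLMode", "").lower()
    if mode in ("disabled", "pre43"):
        findings.append(("SSLMode", "high", "clear-text connection requested"))
    elif mode == "optional":
        findings.append(("SSLMode", "high", "falls back to clear text without notifying the user"))
    elif mode == "required":
        findings.append(("SSLMode", "info", "user can still choose to proceed without SSL"))
    else:
        findings.append(("SSLMode", "high", "missing or unrecognised value"))
    for name in ("SSLAnonAllowed", "SSLSelfSignedAllowed"):
        if prefs.get(name, "").lower() == "true":
            findings.append((name, "high", "accepts a certificate not signed by a trusted authority"))
    timeout = prefs.get("SSLHandshakeTimeout", "3")  # the page gives 3 as the default
    if not (timeout.isdecimal() and int(timeout) <= 10):
        findings.append(("SSLHandshakeTimeout", "low", "expected an integer 0 through 10"))
    return sorted(findings)

# Constructed sample preferences, not taken from a real installation.
SAMPLE_WEAK = """\
SSLMode = Optional            # silent downgrade
SSLAnonAllowed = True
SSLSelfSignedAllowed = False
SSLHandshakeTimeout = 30
"""
SAMPLE_STRICT = """\
SSLMode = Required
SSLAnonAllowed = False
SSLSelfSignedAllowed = False
"""

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("strict", SAMPLE_STRICT)):
        for name, severity, finding in audit_client(parse_prefs(text)):
            print(f"{label:6} {severity:4} {name}: {finding}")
```

Even the strict sample reports one informational finding, because with SSLMode set to Required the user is still offered the choice of continuing without SSL.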

---++ APPX Connection Manager SSL parameters.

---+++ RequireSSL - Not Implemented. Do not Use.
   1 *true*
   1 *false*

---+++ RequireSSLClientCertificates
   1 *True* - Connecting clients must have client side SSL certificates.
   1 *False* - This is the default option. Connecting clients do not need to have client side SSL certificates.

---+++ ServerCertificateFile - This is the server's SSL public certificate
   1 The pathname of server's X509 certificate (leave blank for anonymous connections). An example is ServerCertificateFile =/usr/local/appx/tools/tubes.internal.appx.com.crt

---+++ ServerPrivateKeyFile - This is the server's SSL private server key
   1 Pathname of server's private key file (unlocks the ServerCertificateFile). An example is ServerPrivateKeyFile =/usr/local/appx/tools/tubes.internal.appx.com.private.key

---+++ ServerPrivateKeyPassphrase
   1 Passphrase that unlocks ServerPrivateKeyFile

---+++ SSLMode
   1 Enabled #SSL connection type (optional, required, disabled)
   1 Disabled
   1 Optional

---+++ TrustedCAFile = #determines which client certificates to trust

---++ How to create a server's SSL private server key and server's SSL public certificate from the Unix/Linux command line with the openssl tool.

---+++ Create new private/public-keys without passphrase for server
<pre>
*openssl genrsa -out tubes.internal.appx.com.private.key 1024*
</pre>

---+++ Create server's SSL public certificate
<pre>
*openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt*
</pre>

---++ Suggested Behavior:
   1 A field or two need to be added to the AppxDesktopClient SSL configuration parameters that would work with the AppxLoginMgr's field named RequireSSLClientCertificates.

---++ Comments:

_Read what other users have said about this page or add your own comments._

---

%COMMENT%

-- AlKalter - 04 Apr 2008
Topic revision: r15 - 2008-09-18 - SteveFrizzell