APPX Client Encryption

APPX now includes the ability to encrypt login data, session data, and file transfers.

By default, the APPX Connection Manager and the APPX Desktop Client encrypt the data stream with SSL. This data stream includes the login ID, the password, and all session data. You may optionally:

  1. Disable encryption
  2. Provide a self-signed SSL server certificate
  3. Provide a trusted SSL certificate from an official SSL CA such as Verisign, Thawte, Digicert, Geotrust....
  4. Require that any connecting client have an SSL certificate.

Let's review the configuration options available in the APPX Desktop Client, followed by the options in the APPX Connection Manager.

APPX Desktop Client parameters available for SSL datastream encryption.

Upon initial startup of the APPX Desktop Client, just prior to logging in, there are three tabs available: Local, Remote, and Options. Select Options, and then click the Advanced button. You should now see many options, broken up into sections, one of which is labeled [SSL]. The SSL section contains five options.

SSLMode

  1. Required - Non-SSL connections are not allowed; only SSL encrypted connections are permitted. If you are connecting to a 4.2.a or earlier build of APPX Connection Manager that does not support SSL encryption, or you connect to a 4.3 APPX Connection Manager that has SSL disabled, then upon connection you will be presented with a notification that SSL is not available. This notification lets you continue unencrypted or terminate the connection.
  2. Optional - If both parties support SSL, an SSL connection is made; otherwise the client falls back to a non-encrypted connection. If you are connecting to a 4.2.a or earlier build of APPX, then you might experience a brief (<=3 second) handshake delay upon connection.
  3. Disabled - No SSL connections are allowed, therefore no datastream encryption. If you are connecting to a 4.2.a or earlier build of APPX, then you might experience a brief (<=3 second) handshake delay upon connection.
  4. Pre43 - Do not perform any SSL negotiation with the target server. This can speed up connections to older builds of APPX Connection Managers, such as appxdsvc.exe, winappxd, and appxd, that did not have SSL capabilities.

SSLAnonAllowed

  1. True -
  2. False -

SSLMismatchAllowed

  1. True -
  2. False -

SSLSelfSignedAllowed

  1. True -
  2. False -

SSLHandshakeTimeout

  1. An integer 0 through 10, with the default being 3.

APPX Connection Manager SSL parameters.

RequireSSL - Not Implemented. Do not Use.

  1. true
  2. false

RequireSSLClientCertificates

  1. True - Connecting clients must have client side SSL certificates.
  2. False - This is the default option. Connecting clients do not need to have client side SSL certificates.

ServerCertificateFile - This is the server's SSL public certificate

  1. The pathname of the server's X.509 certificate (leave blank for anonymous connections). An example is ServerCertificateFile=/usr/local/appx/tools/tubes.internal.appx.com.crt

ServerPrivateKeyFile - This is the server's SSL private server key

  1. The pathname of the server's private key file (the key that belongs to the ServerCertificateFile). An example is ServerPrivateKeyFile=/usr/local/appx/tools/tubes.internal.appx.com.private.key

ServerPrivateKeyPassphrase

  1. Passphrase that unlocks ServerPrivateKeyFile

SSLMode

  1. Enabled #SSL connection type (optional, required, disabled)
  2. Disabled
  3. Optional

TrustedCAFile = #determines which client certificates to trust

How to create the server's SSL private key and the server's SSL public certificate from the Unix/Linux command line with the openssl tool.

Create a new private/public key pair without a passphrase for the server

openssl genrsa -out tubes.internal.appx.com.private.key 1024

Create server's SSL public certificate

openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt
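An added example, not from the APPX page: a POSIX shell wrapper around the two openssl commands above that also checks the resulting pair (private key matches the certificate, certificate is self-signed, certificate is still valid) before the paths are put into ServerPrivateKeyFile and ServerCertificateFile. The host name, file names and the 2048-bit key size are this example's own choices, not the page's.

```shell
#!/bin/sh
# Added example (not part of the APPX page): wraps the page's two openssl
# steps and verifies the key/certificate pair before it is configured as
# ServerPrivateKeyFile / ServerCertificateFile.
# Assumes openssl is on PATH; host and file names below are made up.
set -u

# make_server_pair HOST KEYFILE CRTFILE [DAYS]
# Same two steps as the page, made non-interactive with -subj.
# 2048-bit key here instead of the page's 1024 (this example's choice).
make_server_pair() {
    host=$1; key=$2; crt=$3; days=${4:-365}
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days "$days" -key "$key" \
        -subj "/CN=$host" -out "$crt" 2>/dev/null
}

# key_matches_cert KEYFILE CRTFILE -> 0 when the public key embedded in the
# certificate is the one derived from the private key (a mismatched pair
# is the usual cause of a server that refuses to start SSL).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_is_self_signed CRTFILE -> 0 when the certificate verifies with itself
# as the only trust anchor, i.e. a client would need SSLSelfSignedAllowed.
cert_is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CRTFILE DAYS -> 0 when the certificate is still valid
# DAYS from now (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone run: build a pair in a scratch directory and report each check.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    make_server_pair tubes.internal.appx.com "$d/srv.key" "$d/srv.crt" 365
    key_matches_cert "$d/srv.key" "$d/srv.crt" && echo "key/cert match: OK"
    cert_is_self_signed "$d/srv.crt" && echo "self-signed: yes"
    cert_valid_for_days "$d/srv.crt" 30 && echo "valid for at least 30 days"
fi
```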

Suggested Behavior:

  1. A field or two need to be added to the AppxDesktopClient SSL configuration parameters to work with the AppxLoginMgr field named RequireSSLClientCertificates.

-- AlKalter - 04 Apr 2008

Topic revision: r6 - 2008-09-15 - SteveFrizzell