APPX Desktop Client Encryption

Effective with Release 5.0.0, the APPX Desktop Client includes an option to enable SSL encryption for APPX Desktop Client sessions.

Release 5.0.0 or higher of the APPX Desktop Client allows SSL encryption to optionally be enabled for "Remote" APPX Desktop Client sessions connecting to APPX 5.0.0 or higher.  The APPX SSL encryption feature encrypts all data transmitted between the APPX Desktop Client and the APPX server, including the login ID, password, all session data, all reports printed by the client, and all files transferred between the client and the server.  The APPX Desktop Client can only establish an encrypted SSL connection with an APPX Login Manager that has been properly configured to accept SSL connection requests from clients.  The APPX Login Manager may require that the APPX Desktop Client enable SSL encryption.  Furthermore, the APPX Login Manager may require that the APPX Desktop Client identify itself by providing an acceptable SSL certificate [How is this done???].

APPX Desktop Client SSL Preferences

The APPX Desktop Client provides five preferences (parameters) relating to SSL connection requests. 

SSLMode

  1. Required - When this option is specified, the APPX Desktop Client will attempt to establish an SSL connection with the APPX Login Manager on the APPX server.  If the APPX Login Manager is an older version that does not support SSL connections or if the APPX Login Manager is configured to not allow SSL connections, the client will display an error dialog informing the user that an SSL connection with the requested APPX server is not available.  In this case, the user has the option of cancelling the connection request or allowing the connection to proceed without enabling SSL encryption.
  2. Optional - This option is similar to the Required option.  However, in the event that an SSL connection cannot be established, the client will automatically connect without enabling SSL and without notifying the user.
  3. Disabled - No SSL connections are allowed, so the data stream is not encrypted. If you are connecting to a 4.2.a or earlier build of APPX, then you might experience a brief (<=3 second) handshake upon connection.
  4. Pre43 - Do not perform any SSL notification to the target server. This can speed up connections to older builds of APPX Connection Managers, such as appxdsvc.exe, winappxd, and appxd, that did not have SSL capabilities.

SSLAnonAllowed

This preference determines whether or not the APPX Desktop Client is allowed to connect to an APPX Server that does not have a signed SSL certificate.

  1. True - The connection is allowed
  2. False - The connection is not allowed

SSLMismatchAllowed

This preference determines whether or not the APPX Desktop Client

  1. True
  2. False

SSLSelfSignedAllowed

This preference determines whether or not the APPX Desktop Client is allowed to connect to an APPX Server that has a self-signed SSL certificate.

  1. True - The connection is allowed
  2. False - The connection is not allowed

SSLHandshakeTimeout

This preference specifies the length of time in seconds that the client is to wait after attempting to establish an SSL connection with the APPX Login Manager.  If the specified amount of time passes without establishing an SSL connection, then the SSLMode preference will determine what additional action, if any, takes place.

  1. An integer 0 through 10, with the default being 3.

APPX Connection Manager SSL Parameters

RequireSSL - Not implemented. Do not use.

  1. true
  2. false

RequireSSLClientCertificates

  1. True - Connecting clients must have client-side SSL certificates.
  2. False - This is the default option. Connecting clients do not need to have client-side SSL certificates.

ServerCertificateFile - This is the server's SSL public certificate.

  1. The pathname of the server's X.509 certificate (leave blank for anonymous connections). An example is ServerCertificateFile =/usr/local/appx/tools/tubes.internal.appx.com.crt

ServerPrivateKeyFile - This is the server's SSL private key.

  1. The pathname of the server's private key file (unlocks the ServerCertificateFile). An example is ServerPrivateKeyFile =/usr/local/appx/tools/tubes.internal.appx.com.private.key

ServerPrivateKeyPassphrase

  1. Passphrase that unlocks ServerPrivateKeyFile

SSLMode

  1. Enabled #SSL connection type (optional, required, disabled)
  2. Disabled
  3. Optional

TrustedCAFile = #determines which client certificates to trust

How to create the server's SSL private key and SSL public certificate from the Unix/Linux command line with the openssl tool

Create a new private/public key pair without a passphrase for the server

*openssl genrsa -out tubes.internal.appx.com.private.key 1024*

Create server's SSL public certificate

*openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt*
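
Before ServerPrivateKeyFile and ServerCertificateFile are pointed at the generated files, the pair can be checked with openssl. The script below is an added example, not part of the original page or of APPX; the function names and the 2048-bit minimum are assumptions chosen for the example, and it expects an unencrypted RSA key such as the one produced by the genrsa command above.

```shell
#!/bin/sh
# Added example: sanity-check a server key/certificate pair before it is
# referenced by ServerPrivateKeyFile and ServerCertificateFile.
MIN_RSA_BITS=2048   # assumption: threshold chosen for this example, not from the page

# Print the RSA modulus size (in bits) of a private key file.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed if the private key and the certificate carry the same RSA modulus.
pair_matches() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if subject and issuer are the same name (self-signed certificate).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# check_pair KEY CRT: print one finding per line, return the number of findings.
check_pair() {
    n=0
    bits=$(key_bits "$1")
    if ! pair_matches "$1" "$2"; then
        echo "MISMATCH: $1 is not the private key for $2"; n=$((n + 1))
    fi
    if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK-KEY: ${bits:-unknown}-bit RSA key (< $MIN_RSA_BITS)"; n=$((n + 1))
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: $2 is past its notAfter date (or unreadable)"; n=$((n + 1))
    fi
    if is_self_signed "$2"; then
        echo "SELF-SIGNED: clients with SSLSelfSignedAllowed set to False will refuse it"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: check_pair tubes.internal.appx.com.private.key tubes.internal.appx.com.crt
```

A pair created with the two commands above is reported as both WEAK-KEY and SELF-SIGNED.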

Suggested Behavior:

  1. A field or two need to be added to the AppxDesktopClient SSL configuration parameters that would work with the AppxLoginMgr's field named RequireSSLClientCertificates.


-- AlKalter - 04 Apr 2008

Topic revision: r8 - 2008-09-16 - SteveFrizzell
 