The documentation from version 39.5.17 of PLANTA project can be found in the new PLANTA Online Help.

Encrypted Connection Between Server and Client Up to S 39.5.22

Attention

  • The solution for encrypted connections by means of the Stunnel software described below is no longer supported by PLANTA. Instead, PLANTA offers the new PLANTA Secure add-on.

Information

  • The encrypted connection between server and client is realized with Stunnel, a free, open-source TLS wrapper (not a PLANTA component).
  • Stunnel accepts TLS (SSL) connections from the client and forwards them in plain text to the PLANTA server on the same host, so neither side needs its own TLS implementation.

General

Objective
  • This topic describes how to protect the client-server communication of PLANTA project with TLS (SSL) by means of Stunnel.
Note
  • In order to carry out the following administrative tasks, substantial skills in the corresponding subject areas are required.

Stunnel Installation

Information
  • For the installation guidelines, go to the official Stunnel page. Some installation steps are Unix-specific; a Windows installer is also available.
Note
  • Linux users should install Stunnel via the distribution's package management (if available), because this keeps Stunnel and the OpenSSL library it links against up to date with security updates.

Configuration of Stunnel for the PLANTA Server

Procedure
  • First, you have to create a planta.conf configuration file in the Stunnel configuration directory.
  • Here is an example of the content (at least adjustments to the port are generally required):
syslog = yes
socket = l:TCP_NODELAY=1

[PlantaServer]
verify = 0
ciphers = HIGH:!RC4

accept = 22004
connect = 127.0.0.1:21004
cert = /etc/stunnel/planta.pem
  • Explanation of some configuration parameters:
    • ciphers : An optional OpenSSL cipher list restricting the encryption/hash combinations that may be chosen during negotiation. HIGH:!RC4 allows only strong suites and excludes RC4.
      • Only suites supported by both the installed Stunnel/OpenSSL version and the .NET Framework used by the client are relevant for negotiation.
      • The suites that the installed OpenSSL offers for a given list can be displayed with openssl ciphers -v 'HIGH:!RC4'.
      • The procedures supported by the client are those of the .NET Framework; see its documentation of the supported encryption procedures and hash procedures.
    • accept : The TLS-secured port on which Stunnel listens for the client. Without a host part Stunnel binds all IPv4 addresses.
    • connect : The plain-text port of the PLANTA server (as specified during the installation); 127.0.0.1 keeps the unencrypted hop on the local host.

  • Furthermore, a certificate must be created, as exemplified below:
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem > /etc/stunnel/planta.pem
chmod 600 /etc/stunnel/planta.pem
Notes
  • The certificate created this way is a self-signed certificate which the PLANTA client trusts.
  • This can serve for test purposes or for initial setup; in production operation, a certificate signed by a certification authority should be used here, since a self-signed certificate gives the client no independent way to verify that it is talking to the genuine server.
  • planta.pem contains the private key and must be readable by the Stunnel process only (chmod 600 above). Write it with > rather than >>: appending would leave stale key/certificate pairs in the file when the commands are repeated.

  • Next, configure Stunnel for automatic start and start it (details on this can be found in the Stunnel documentation or in the distribution's service management).

  • For testing purposes, the openssl s_client -connect <host>:<port> command can be used against the accept port; on success the handshake completes, and the PLANTA server log shows a new session.
  • For configuration with xinetd, create /etc/xinetd.d/planta with the following content (type = UNLISTED and port are required because "planta" is not listed in /etc/services):
# default: off
# description: PLANTA Server, wrapped in stunnel
service planta
{
        disable         = no
        type            = UNLISTED
        port            = 22004
        flags           = IPv4
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/stunnel
        server_args     = /etc/stunnel/planta.conf
        log_on_failure  += USERID
}
  • In this mode xinetd accepts the TCP connection and hands it to Stunnel on stdin/stdout, so Stunnel runs in inetd mode: as described in the Stunnel documentation, the configuration then contains neither the [PlantaServer] section header nor the accept option. /etc/stunnel/planta.conf is therefore reduced to:
syslog = yes

verify = 0
ciphers = HIGH:!RC4

connect = 127.0.0.1:21004
cert = /etc/stunnel/planta.pem
  • user = root grants more than Stunnel needs; a dedicated unprivileged user that can read /etc/stunnel/planta.pem is sufficient.
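The server-side procedure of this section (certificate file, planta.conf in standalone and in xinetd mode, handshake test) as one script. This is an added example, not code from PLANTA or Stunnel; it assumes the ports and paths used on this page (22004, 21004, /etc/stunnel/planta.pem) and adds two settings the page does not set, options = NO_SSLv2 and options = NO_SSLv3, which Stunnel passes through to OpenSSL to refuse the legacy protocol versions.

```shell
#!/bin/sh
# Added example (not PLANTA's or Stunnel's own code): build the server-side
# Stunnel setup described on this page.
# Assumptions: TLS port 22004, plain PLANTA port 21004, files under /etc/stunnel.

# Print a planta.conf.  $1 = TLS accept port, $2 = plain server port,
# $3 = PEM path, $4 = "inetd" for the xinetd variant.
make_planta_conf() {
    accept=$1; connect=$2; pem=$3; mode=${4:-standalone}
    echo "syslog = yes"
    # xinetd hands Stunnel an already accepted socket on stdin/stdout, so the
    # inetd variant has no service section and no accept option.
    if [ "$mode" != inetd ]; then
        echo "socket = l:TCP_NODELAY=1"
        echo ""
        echo "[PlantaServer]"
    fi
    echo "verify = 0"
    echo "ciphers = HIGH:!RC4"
    # Added hardening (not on the page): disable SSLv2/SSLv3 in OpenSSL.
    echo "options = NO_SSLv2"
    echo "options = NO_SSLv3"
    echo ""
    if [ "$mode" != inetd ]; then
        echo "accept = $accept"
    fi
    echo "connect = 127.0.0.1:$connect"
    echo "cert = $pem"
}

# Create a self-signed key + certificate and write both into one PEM file.
# $1 = output PEM, $2 = CN.  Uses ">" (overwrite), not ">>", and umask 077
# so the private key is never world-readable, not even briefly.
make_self_signed_pem() {
    out=$1; cn=${2:-planta-server}
    (
        umask 077
        tmp=$(mktemp -d) || exit 1
        openssl genrsa -out "$tmp/key.pem" 2048 &&
        openssl req -new -x509 -key "$tmp/key.pem" -out "$tmp/cert.pem" \
            -days 1095 -subj "/CN=$cn" &&
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$out"
        rc=$?
        rm -rf "$tmp"
        exit $rc
    )
}

# Handshake smoke test against the accept port; on success the PLANTA server
# log should additionally show a new session.
test_tls_port() {
    host=${1:-127.0.0.1}; port=${2:-22004}
    openssl s_client -connect "$host:$port" </dev/null 2>&1 |
        grep -E '(Protocol|Cipher|Verify return code)'
}

# Usage: sh planta-stunnel.sh install   (as root; writes both files)
if [ "${1:-}" = install ]; then
    make_self_signed_pem /etc/stunnel/planta.pem "$(hostname)" &&
    make_planta_conf 22004 21004 /etc/stunnel/planta.pem > /etc/stunnel/planta.conf
fi
```

For the xinetd setup call make_planta_conf with a fourth argument of inetd; the emitted file then matches the reduced configuration above. "Verify return code: 18 (self signed certificate)" from test_tls_port is expected with the self-signed file and disappears once a CA-signed certificate is installed.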

Configuration of PLANTA project server for Stunnel

From S 39.5.13

Information
  • The use of Stunnel is transparent to the PLANTA server; no configuration changes are required before it is put into operation.
  • If, however, unencrypted communication is to be prevented, direct access to the plain server port must be blocked.
  • To do so, set the host parameter in config/globals.conf to, e.g., localhost. The PLANTA server then listens on the loopback interface only and is reachable solely via Stunnel (connect = 127.0.0.1:<port>).
  • Because the two processes then listen on different addresses, Stunnel and the PLANTA server may even use the same port number. In that case Stunnel's accept must be bound explicitly to the externally reachable network interface (accept = <external address>:<port>) instead of to all addresses.

Up to S 39.5.12

Information
  • Using Stunnel is transparent to the PLANTA server; no configuration changes are required before it is put into operation.
  • If, however, unencrypted communication is to be prevented, direct access to the plain server port must be blocked.
  • Since these versions offer no configuration option for this, it must be done with operating system functionality (firewall): allow the plain port from the loopback interface only, so that just Stunnel's connect = 127.0.0.1:<port> can reach it.
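A check for both variants above, as an added example that is not part of PLANTA's tooling: it parses ss -H -ltn output to tell whether the plain PLANTA port (assumed 21004) is bound to a non-loopback address, and emits the firewall rules for the pre-S 39.5.13 case. The two listener listings in the script are constructed samples; on a real host feed it the live ss output as shown in the usage line. Rule syntax assumes Linux iptables.

```shell
#!/bin/sh
# Added example (not PLANTA's own tooling): verify that the plain PLANTA port
# is reachable only through Stunnel.  Assumptions: plain port 21004, Linux.

# Is any listener on port $2 bound to a non-loopback address?
# $1 = output of `ss -H -ltn` (columns: State Recv-Q Send-Q Local:Port Peer:Port).
# Returns 0 (exposed) if so, 1 if only 127.0.0.1 / [::1] (or nothing) listen there.
plain_port_exposed() {
    listeners=$1; port=$2
    echo "$listeners" | awk -v p="$port" '
        {
            addr = $4
            n = split(addr, parts, ":"); lport = parts[n]   # port after last ":"
            if (lport != p) next
            sub(":" lport "$", "", addr)                    # strip ":port"
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { exit exposed ? 0 : 1 }'
}

# Up to S 39.5.12 there is no host option: restrict the plain port at the OS
# firewall instead.  Loopback traffic (Stunnel's connect = 127.0.0.1:PORT) is
# accepted, everything else to that port is dropped.  Prints the rules; pipe to
# sh to apply them.
plain_port_firewall_rules() {
    port=$1
    echo "iptables -A INPUT -p tcp --dport $port -i lo -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample listings (not captured from a real host).
# Wrong: PLANTA server on all addresses, so the plain port bypasses Stunnel.
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:21004 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22004 0.0.0.0:*'
# Right: host = localhost in globals.conf; only Stunnel (22004) faces the network.
SAMPLE_LOCAL='LISTEN 0 128 127.0.0.1:21004 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22004 0.0.0.0:*
LISTEN 0 128 [::1]:21004 [::]:*'

# Usage on a live host: sh plain-port-check.sh check
if [ "${1:-}" = check ]; then
    if plain_port_exposed "$(ss -H -ltn)" 21004; then
        echo "plain port 21004 is reachable from the network; fix host= or apply:"
        plain_port_firewall_rules 21004
    else
        echo "plain port 21004 is loopback-only"
    fi
fi
```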

Configuration of the PLANTA project Client

Information
  • The encrypted=yes parameter activates the use of TLS (SSL) for the client.
  • Note that, once the option is activated, the client insists on TLS: it cannot connect to an unsecured port any more.
  • The secured port must be configured as the server port; this is the port given as the accept parameter in the Stunnel configuration file (planta.conf above), not the plain PLANTA server port.
