Configure a server to use a certificate

Configure a FairCom server to use a server certificate

Abstract

FairCom servers communicate over a variety of secure protocols including HTTPS, MQTTS, MQTTWSS, WSS, SQL, and FairCom's proprietary protocol for its ISAM and CTDB APIs. This section describes how to enable secure TLS communications over all these protocols. For more information on the keywords used here, visit the security page in our Database Administrator's Guide.

Note

On ISAM and SQL ports, a single TCP/IP port handles both TLS-encrypted and unencrypted connections.

  • The web protocols (HTTPS, MQTTS, MQTTWSS, and WSS) are configured in the services.json configuration file.

  • FairCom's proprietary protocols (ISAM, CTDB, and SQL) are configured in the ctsrvr.cfg configuration file.

  1. Navigate to and open the services.json file in the <faircom>/config folder.

  2. Use the "certificateFilename" property to specify the filename and optional path of the server certificate file.

    Note

    You do not need to specify a path when the file is located in the <faircom>/server folder.

  3. Use the "privateKeyFilename" property to specify the filename and optional path of the server key file.

    Note

    This property is optional if you embedded the server key in the server certificate file.

  4. Optionally, use the "certificateAuthoritiesFilename" property to specify the filename and optional path of the CA certificate file to allow clients to authenticate using X509 client certificates.

  5. Optionally, use the "allowedCipherSuites" property to specify a list of cipher suites that you require clients to use.

Examples

Minimally secure TLS example

"tls": { 
  "certificateFilename": "serverCert.pem", 
  "privateKeyFilename": "serverKey.pem"
}

TLS example with a wide variety of options

"tls": {
  "certificateFilename": "serverCert.pem",
  "privateKeyFilename": "serverKey.pem",
  "certificateAuthoritiesFilename": "caCert.pem",
  "allowedCipherSuites": [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384"
  ]
}

Enable TLS for SQL, ISAM, and CTDB

  1. Navigate to and open the ctsrvr.cfg file in the <faircom>/config folder.

  2. Edit or add the SUBSYSTEM COMM_PROTOCOL SSL setting.

    Note

    The SUBSYSTEM COMM_PROTOCOL SSL setting normally exists in ctsrvr.cfg but is commented out (comment out a setting by placing a semicolon at the beginning of the section and uncomment by removing the semicolon).

  3. If this setting does not exist, add it using the Default minimally secure configuration for COMM_PROTOCOL SSL example.

  4. Modify Default minimally secure configuration for COMM_PROTOCOL SSL example to match your desired TLS configuration options.

    Note

    The default setting is insecure because it is designed for maximum connectivity and compatibility while evaluating the server.

  5. Create and use a secure configuration for all your environments.

Examples

Default minimally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE serverCert.pem
  SSL_CONNECTIONS_ONLY NO
  SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}

Maximally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE serverCert.pem
  SERVER_PRIVATE_KEY_FILE serverKey.pem
  SSL_CONNECTIONS_ONLY YES
  SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
}
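As an added example (not FairCom's code), the following script parses the SUBSYSTEM COMM_PROTOCOL SSL block out of a ctsrvr.cfg, honours the leading semicolon that comments the whole block out, and flags the settings the two examples above differ on. The two configuration strings are constructed from the page's own examples; the audit rules are this example's, not a FairCom tool.

```python
import re

# Constructed samples: the page's default block (as shipped, commented out) and its hardened block.
DEFAULT_CFG = """\
;SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE serverCert.pem
  SSL_CONNECTIONS_ONLY NO
  SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}
"""
HARDENED_CFG = """\
SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE serverCert.pem
  SERVER_PRIVATE_KEY_FILE serverKey.pem
  SSL_CONNECTIONS_ONLY YES
  SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
}
"""
# A ';' at the start of the SUBSYSTEM line disables the whole block.
BLOCK_RE = re.compile(
    r"^(?P<comment>;?)[ \t]*SUBSYSTEM\s+COMM_PROTOCOL\s+SSL\s*\{(?P<body>.*?)^[ \t]*\}",
    re.MULTILINE | re.DOTALL)

def parse_ssl_block(cfg_text):
    """Return (enabled, {KEYWORD: value}) for the SSL block, or None if absent."""
    m = BLOCK_RE.search(cfg_text)
    if m is None:
        return None
    settings = {}
    for line in m.group("body").splitlines():
        line = line.strip()
        if line and not line.startswith(";"):  # skip blank and commented lines
            parts = line.split(None, 1)
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return m.group("comment") == "", settings

def audit_ssl_block(cfg_text):
    """List the weaknesses the page calls out; an empty list means none found."""
    parsed = parse_ssl_block(cfg_text)
    if parsed is None:
        return ["no SUBSYSTEM COMM_PROTOCOL SSL block: TLS is not configured"]
    enabled, s = parsed
    checks = [
        (not enabled, "SSL block is commented out with ';' so TLS is disabled"),
        ("SERVER_CERTIFICATE_FILE" not in s, "SERVER_CERTIFICATE_FILE is missing"),
        (s.get("SSL_CONNECTIONS_ONLY", "NO").upper() != "YES",
         "SSL_CONNECTIONS_ONLY is not YES: the port still accepts plaintext"),
        (s.get("SSL_CIPHERS", "ALL").split(":")[0].upper() == "ALL",
         "SSL_CIPHERS starts with ALL: use an explicit cipher allowlist"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run `audit_ssl_block` over the real <faircom>/config/ctsrvr.cfg contents before deploying, and treat any non-empty result as a blocker.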

  1. Ensure you have TLS configured as described in the Enable TLS for SQL, ISAM, and CTDB section. Minimally, you need the SERVER_CERTIFICATE_FILE property set to your server certificate.

    SERVER_CERTIFICATE_FILE /Certs/serverCert.pem

    Example

    SUBSYSTEM COMM_PROTOCOL SSL {
      SERVER_CERTIFICATE_FILE /Certs/serverCert.pem
      SSL_CONNECTIONS_ONLY YES
      VERIFY_CLIENT_CERTIFICATE YES
      x509_AUTHENTICATION YES
      x509_PATH CN
    }

  2. Configure the TLS block of the protocol (MQTTS) to include the CA certificate and the server keypair.

    "tls": {
      "serverCertificateFilename": "/Certs/serverCert.pem",
      "certificateAuthoritiesFilename": "/Certs/ca.crt",
      "clientCertificateFilename": "adminClient.pem"
    }

  3. While still in services.json, ensure the authenticationMethods block in the mqtt section contains "clientCertificate".

  4. Start or restart the server.

Sample Python script to test the connection

import time

import paho.mqtt.client as mqtt


def message_callback(message_client, userdata, message):
    # Print every message delivered on the subscribed topic.
    print(message.payload.decode('utf-8'))


if __name__ == "__main__":
    topic = "test/IncrediblySimpleMqttsClientCertTopic"
    mqtts_client = mqtt.Client(client_id="MQTTS secured client")
    # Trust the CA that signed the server certificate, and present the client
    # certificate and key (both in AdminClient.pem) for X.509 authentication.
    mqtts_client.tls_set(ca_certs="/Certs/ca.crt",
                         certfile="/Certs/AdminClient.pem",
                         keyfile="/Certs/AdminClient.pem")
    mqtts_client.on_message = message_callback

    # Connect on the MQTTS port first, then run the network loop in a
    # background thread so the loop has a host to work with.
    mqtts_client.connect("127.0.0.1", port=8883)
    mqtts_client.loop_start()
    time.sleep(2)

    mqtts_client.subscribe(topic)
    mqtts_client.publish(topic, "Incredibly Simple MQTTS client certificate message")

    # Give the server a few seconds to deliver the message back to this client.
    time.sleep(5)
    mqtts_client.unsubscribe(topic)
    mqtts_client.disconnect()
    mqtts_client.loop_stop()