Skip to main content

Tutorial: Configure a FairCom server to use a server certificate

FairCom servers communicate over a variety of secure protocols including HTTPS, MQTTS, MQTTWSS, WSS, SQL, and FairCom's proprietary protocol for its ISAM and CTDB APIs. This section describes how to enable secure TLS communications over all these protocols.

Note

A single TCP/IP port handles both TLS encrypted and unencrypted connections.

  • The web protocols (HTTPS, MQTTS, MQTTWSS, and WSS) are configured in the services.json configuration file.

  • FairCom's proprietary protocols (ISAM, CTDB, and SQL) are configured in the ctsrvr.cfg configuration file.

Enable TLS for HTTPS, MQTTS, MQTTWSS, and WSS

  1. Navigate to and open the services.json file in the <FairComInstallationFolder>/config folder.

  2. Use the "certificateFilename" property to specify the filename and optional path of the server certificate file.

    Note

    You do not need to specify a path when the file is located in the <FairComInstallationFolder>/server folder.

  3. Use the "privateKeyFilename" property to specify the filename and optional path of the server key file.

    Note

    • You do not need to specify a path when the file is located in the <FairComInstallationFolder>/server folder.

    • This property is optional if you embedded the server key in the server certificate file.

  4. Optionally, use the "certificateAuthoritiesFilename" property to specify the filename and optional path of the CA certificate file to allow clients to authenticate using X509 client certificates.

  5. Optionally, use the "allowedCipherSuites" property to specify a list of cipher suites that you require clients to use.

Examples

Minimally secure TLS example

"tls": { 
  "certificateFilename": "cert.pem", 
  "privateKeyFilename": "key.pem"
}

Insecure TLS example with a wide variety of options

"tls": {
  "certificateFilename": "cert.pem",
  "privateKeyFilename": "key.pem",
  "certificateAuthoritiesFilename": "ca.pem",
  "allowedCipherSuites": [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384"
  ]
}

Enable TLS for SQL, ISAM, and CTDB

  1. Navigate to and open the ctsrvr.cfg file in the <FairComInstallationFolder>/config folder.

  2. Edit or add the SUBSYSTEM COMM_PROTOCOL SSL setting.

    Note

    The SUBSYSTEM COMM_PROTOCOL SSL setting normally exists in ctsrvr.cfg but is commented out (comment out a setting by placing a semicolon at the beginning of the section and uncomment by removing the semicolon).

  3. If this setting does not exist, add it using the Default minimally secure configuration for COMM_PROTOCOL SSL example.

  4. Modify Default minimally secure configuration for COMM_PROTOCOL SSL example to match your desired TLS configuration options.

    Note

    The default setting is insecure because it is designed for maximum connectivity and compatibility while evaluating the server.

  5. Create and use a secure configuration for all your environments.

Examples

Default minimally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE ctree_ssl.pem
  SSL_CONNECTIONS_ONLY NO
  SSL_CIPHERS ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
}

Maximally secure configuration for COMM_PROTOCOL SSL example

SUBSYSTEM COMM_PROTOCOL SSL {
  SERVER_CERTIFICATE_FILE my_company_CA_certificate.pem
  SERVER_PRIVATE_KEY_FILE my_company_CA_key.key
  SSL_CONNECTIONS_ONLY YES
  SSL_CIPHERS AES256-SHA256:AES256-GCM-SHA38:DHE-RSA-AES256-SHA256
}

Secure Hypertext Transfer Protocol (HTTP) is the HTTP protocol running over TLS. It provides secure request-response communications between computers.

Secure Message Queueing Telemetry Transport (MQTTS) is the MQTT protocol running over TLS. It provides secure messaging between computers.

Message Queueing Telemetry Transport over WebSocket Secure (MQTTWSS) is the MQTT protocol running over TLS and WebSocket. It provides secure messaging between computers. It is typically used by single-page browser applications.

WebSocket Secure (WSS)is the secure version of WebSocket. It uses TLS to create secure communications.

Structured Query Language (SQL) is a standardized programming language that is used to manage relational databases and perform various operations on the data in them.

FairCom's SQL engine is ANSI compliant and has almost all SQL features up through the SQL:2003 standard.

Indexed Sequential Access Method (ISAM) is FairCom's primary ACE API. ISAM uses the Record Buffer Method, which gives the application full control over the contents of the entire record buffer to store structured or unstructured data.

FairCom's ISAM API provides full control over record processing. This allows developers to implement data processing algorithms that are tailored to precise application needs, and this allows an application to achieve unrivaled performance. FairCom's ISAM API works best in the C and C++ languages.

FairCom ACE APIs include ISAM, CTDB, and Low-level ACE API.

The c-tree Database API (CTDB API) is FairCom's database API in the ACE family of APIs. It provides high performance with less code than the FairCom's ISAM API. The CTDB API introduces database concepts that are compatible with SQL. It requires records to contain predefined field structures. FairCom's CTDB API provides full control over record processing. This allows developers to implement data processing algorithms that are tailored to precise application needs, and this allows an application to achieve unrivaled performance. FairCom's CTDB API works well in a variety of languages, such as C, C++, Java, C#, and Visual Basic.

FairCom ACE APIs include ISAM, CTDB, and Low-level ACE API.