The Genero Web Services secured communication is based on the OpenSSL engine, and allows a 4GL Web Services client, or a 4GL application using the com or xml API, to communicate with any secured server over HTTP or HTTPS. The configuration is defined from entries in the FGLPROFILE file.
This is useful for deployment purposes, as no additional code modification is necessary, even if the location of the different servers changes.
Note: When using 4GL Web Services on the server side, it is the Web Server that is in charge of the 4GL Web Services server security, not the 4GL server application itself. You must refer to your Web Server manual to secure the server part of the Web Services.
The following table lists the FGLPROFILE entries specifying the security certificates and algorithms the Web Services client uses for HTTPS and password encryption. The same entries also govern how an application using the low-level com or xml API performs secured communications.

| Entry | Description |
| --- | --- |
| security.global.script | Filename of a script executed each time the client needs the password of a private key. The script receives one argument, the filename of the private key whose password is required, and must print the correct password, otherwise the client stops. See the Windows Password Script Example and the Unix Password Script Example below. |
| security.global.ca | Filename of the Certificate Authority list: the concatenated PEM-encoded third-party X.509 certificates that are considered trusted, in order of preference. |
| security.global.windowsca | If set to TRUE, the Certificate Authority list is built from the Certificate Authorities stored in the Windows key store. Note: this entry is valid only on Windows systems, and only if security.global.ca is not set. |
| security.global.cipher | The list of encryption, digest and key exchange algorithms the client is allowed to use during a secured communication. If this entry is omitted, all algorithms are allowed. For details about cipher lists, refer to www.openssl.org. |
| security.ident.certificate | Filename of the PEM-encoded client X.509 certificate. |
| security.ident.privatekey | Filename of the PEM-encoded private key associated with the above X.509 certificate. |
| security.ident.keysubject | The subject string of an X.509 certificate and its associated private key registered in the Windows key store. Note: this entry is valid only on Windows systems. |
The following table lists the FGLPROFILE entries that specify the login and password to use for HTTP authentication to a server or a proxy. The same entries also define the login and password used by an application using the low-level com or xml API.

| Entry | Description |
| --- | --- |
| authenticate.ident.login | The login identifying the client to a server during HTTP Authentication. |
| authenticate.ident.password | The password validating the client's login to a server during HTTP Authentication. Note: as passwords should never be stored in clear text, it is recommended that you encrypt them with the fglpass tool. For more information, see FGLPROFILE password encryption. |
| authenticate.ident.realm | The string identifying the server to the client during HTTP Authentication. If that string does not match the server's string, authentication fails. Note: this parameter is optional, but it is recommended that you check the server identity, especially if the server's location is suspicious. |
| authenticate.ident.scheme | One of the strings representing the HTTP Authentication mechanisms described below. |

The HTTP Authentication mechanisms are:

- The client knows nothing about the server in advance and performs a first request to retrieve the server's authentication mechanism. It then uses the login and password to authenticate to the server with the Basic or Digest mechanism, depending on the value the server returned.
- The client authenticates itself to the server in its first request, sending the login and password with the Basic authentication mechanism.
- The client performs a first request without any login and password, to retrieve the server information, and then authenticates itself to the server in a second request using the Digest mechanism.
The following table lists the FGLPROFILE entries that specify how the Web Services client communicates with a proxy. The same entries also govern how an application using the low-level com or xml API communicates with a proxy.

| Entry | Description |
| --- | --- |
| proxy.http.location | Location of the HTTP proxy, defined as host:port or ip:port. Note: if the port is omitted, port 80 is used. |
| proxy.http.list | The list of host-name prefixes, separated by semicolons, for which the Web Services client does not go through the HTTP proxy. |
| proxy.http.authenticate | The HTTP Authenticate identifier the Web Services client uses to authenticate itself to the HTTP proxy. |
| proxy.https.location | Location of the HTTPS proxy, defined as host:port or ip:port. Note: if the port is omitted, port 443 is used. |
| proxy.https.list | The list of host-name prefixes, separated by semicolons, for which the Web Services client does not go through this HTTPS proxy. |
| proxy.https.authenticate | The HTTP Authenticate identifier the Web Services client uses to authenticate itself to the HTTPS proxy. |
The following table lists the FGLPROFILE entries that specify how a Web Services client connects to an end point (usually a server). The same entries also govern how an application using the low-level com or xml API connects to an end point.

| Entry | Description |
| --- | --- |
| ws.ident.url | The endpoint URL of the server. |
| ws.ident.cipher | The list of encryption, digest and key exchange algorithms the client is allowed to use during a secured communication with that server. It overrides the global security.global.cipher definition. |
| ws.ident.verifyserver | If set to TRUE, the client performs strict server identity validation and stops the communication if the validation fails; otherwise no server identity verification is performed. The default value is TRUE. |
| ws.ident.security | The security identifier (the ident part of the security.ident.* entries) the client uses to perform an HTTPS communication with the server. |
| ws.ident.authenticate | The HTTP authenticate identifier (the ident part of the authenticate.ident.* entries) the client uses to authenticate itself to the server. |
Windows Password Script Example

```bat
@echo off
REM -- Windows password script
REM The first argument is the filename of the private key whose password is required.
IF "%1" == "Cert/MyPrivateKeyA.pem" GOTO KeyA
IF "%1" == "Cert/MyPrivateKeyB.pem" GOTO KeyB
GOTO end
:KeyA
ECHO PasswordA
GOTO end
:KeyB
ECHO PasswordB
GOTO end
:end
GOTO :EOF
```
Unix Password Script Example

```sh
#!/bin/sh
# Unix password script
# The first argument is the filename of the private key whose password is required.
# A single "=" is used so the script also works under a strictly POSIX /bin/sh.
if [ "$1" = "Cert/MyPrivateKeyA.pem" ]
then
  echo PasswordA
fi
if [ "$1" = "Cert/MyPrivateKeyB.pem" ]
then
  echo PasswordB
fi
```
The following is an FGLPROFILE sample, configured for a connection to an HTTPS server via a proxy, with HTTP and Proxy Authentication.
```
############################
## Security configuration ##
############################
security.global.script = "Cert/password.sh"
security.global.ca = "Cert/CAList.pem"
security.global.cipher = "HIGH"    # Use only HIGH encryption ciphers
security.mykey.certificate = "Cert/MyCertificateA.crt"
security.mykey.privatekey = "Cert/MyPrivateKeyA.pem"

###############################
## Proxy HTTP Authentication ##
###############################
authenticate.proxyauth.login = "myapplication"
authenticate.proxyauth.password = "fourjs"
authenticate.proxyauth.scheme = "Basic"

###############################
## HTTPS Proxy configuration ##
###############################
proxy.https.location = "10.0.0.170"
proxy.https.list = "www.4js.com;www.4js1.com"
proxy.https.authenticate = "proxyauth"

################################
## Server HTTP Authentication ##
################################
authenticate.serverauth.login = "fourjs"
authenticate.serverauth.password = "password"

##########################
## Server configuration ##
##########################
ws.myserver.url = "https://www.MyMachine.com/cgi-bin/fglccgi.exe/ws/r/MyWebService"
ws.myserver.authenticate = "serverauth"
ws.myserver.security = "mykey"
```
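As an added example (not part of the Genero documentation or of the product), the following Python checker reads FGLPROFILE entries of the kinds described above and flags the settings a reviewer would question: no trusted CA list, an unrestricted cipher list, verifyserver set to FALSE, a cleartext http: endpoint, an authenticate identifier with no realm, and ws.* or proxy.* entries that reference an identifier with no matching definition. The sample profile, its host names and the realm value are constructed for the example and are not from the page.

```python
import re

# Constructed sample modelled on the FGLPROFILE above, with two weaknesses
# added on purpose: verifyserver = FALSE and an undefined "nokey" identifier.
SAMPLE = '''\
security.global.ca = "Cert/CAList.pem"
security.mykey.privatekey = "Cert/MyPrivateKeyA.pem"
authenticate.proxyauth.login = "myapplication"
proxy.https.authenticate = "proxyauth"
authenticate.serverauth.login = "fourjs"
authenticate.serverauth.realm = "MyRealm"
ws.myserver.url = "https://www.MyMachine.com/cgi-bin/fglccgi.exe/ws/r/MyWebService"
ws.myserver.authenticate = "serverauth"
ws.myserver.security = "mykey"
ws.myserver.verifyserver = "FALSE"
ws.legacy.url = "http://intranet.example/ws/r/Old"
ws.legacy.security = "nokey"
'''

ENTRY = re.compile(r'^\s*([\w.]+)\s*=\s*"([^"]*)"')  # key = "value"; '#' lines never match

def parse_fglprofile(text):
    """Map every key = "value" line to its value (a later duplicate key wins)."""
    return {m.group(1): m.group(2)
            for m in (ENTRY.match(line) for line in text.splitlines()) if m}

def audit(entries):
    """Return the findings a reviewer would raise against these FGLPROFILE entries."""
    findings = []
    if "security.global.ca" not in entries and \
            entries.get("security.global.windowsca", "").upper() != "TRUE":
        findings.append("no CA list (security.global.ca/windowsca): server certificates cannot be validated")
    if "security.global.cipher" not in entries:
        findings.append("security.global.cipher unset: every OpenSSL cipher is allowed")
    for key, value in entries.items():
        parts = key.split(".")
        if len(parts) != 3:
            continue
        section, ident, attr = parts
        if section == "ws" and attr == "verifyserver" and value.upper() == "FALSE":
            findings.append(f"{key}: server identity verification disabled")
        if section == "ws" and attr == "url" and value.lower().startswith("http:"):
            findings.append(f"{key}: cleartext HTTP endpoint")
        if section == "authenticate" and attr == "login" and f"authenticate.{ident}.realm" not in entries:
            findings.append(f"authenticate.{ident}: no realm, server not identified during HTTP authentication")
        # ws.*.security, ws.*.authenticate and proxy.*.authenticate name another entry group
        if section in ("ws", "proxy") and attr in ("security", "authenticate") \
                and not any(k.startswith(f"{attr}.{value}.") for k in entries):
            findings.append(f"{key}: references undefined identifier '{value}'")
    return findings
```

Running `audit(parse_fglprofile(SAMPLE))` yields five findings for the constructed sample; the proxy identifier, the server identifier and the realm for serverauth resolve cleanly.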