Search
HomeResourcesPlatform DocumentationSystem AdministrationSecurity
0

Certificate Verification

  • updated 2 yrs ago

Description

When you use HTTPs, outbound connections are secured using certificates. These connections include ones that are triggered by a call_webservice part or by the LogicNets runtime for functions like SSO. With HTTPS, other parties cannot view data the system passes; however, there are scenarios where man-in-the-middle attackers can manipulate networks to serve their own keys, thereby compromising any communication.

When you enable server certificate verification with the Use certificate option, the system checks the validity of the certificate (chain) provided by end-point. A valid certificate must be signed by trusted Certificate Authority (CA). LogicNets requires an up-to-date list of all trusted CAs to perform this check.

LogicNets offers 3 options to deliver a list of trusted CAs:

Use the Operation System Certificate Store

This is the recommended option, since the OS certificate store is updated regularly using the OS-specific update routines. Revoked CA certificates are also automatically removed from these stores. LogicNets automatically connects to the Windows Certificate Store. For CentOS, LogicNets expects that all trusted CA certificates are stored in /etc/pki/tls/cert.pem, which is the default location of CentOS. You can change this location in the e LogicNets configuration _session.centos_certificate_store_path.

To use this option the "Security" / "Use OS Certificate Store" option must be enabled in the System Configuration and in case of a call_webservice the 'Server certificate path' parameter must be left empty.

Use a Default Local Certificate Store

LogicNets provides a default local certificate store in PEM-format. This local certificate store is located in <installation>/dat/certificates/CA.pem. You can change the default location of this store in the configuration file using _session.cert_filename.

To use this option, you must disable the Security/Use OS Certificate Store option in the System Configuration module. For call_webservice, you must leave the Server certificate path parameter empty.

Use a Connection-specific Local Certificate Store

This is only available when using the call_webservice part. You can choose a different certificate store per connection by using the Server certificate path parameter.

More information about CAs and certificate verification can be found here:
https://en.wikipedia.org/wiki/Certificate_authority

More information about the Certificate PEM format can be found here:
https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail

Install/Update CA certificates on CentOS:
https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
https://www.systutorials.com/docs/linux/man/8-update-ca-trust/

Reply Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
Login to reply
Like Follow
  • 2 yrs agoLast active
  • 16Views
  • 3 Following
cancel
Mention someone by typing their name
No matching users

Use the breadcrumbs or the browser's BACK button to return to earlier pages.

Powered by Forumbee

Home

 View all topics

Tags

Home