with Proficy Portal, which could allow intercepting the password of a user during the login process. To mitigate this issue, configure Proficy Portal using one of the two following configuration options:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1aa70bfa-add5-4f61-9c7b-a095c1bd4306.mspx?mfr=true.
If domain security is in use, the easiest and arguably most secure way to handle username and password information is to enable Windows Authentication within IIS. In this mode, IE and IIS negotiate the security mechanism to use (Kerberos or NTLM) and IIS automatically authenticates the user who is logged on to the machine running IE. The password itself is never sent between the two computers, so it cannot be intercepted on the wire. Note, however, that an NTLM challenge/response exchange can still be captured and subjected to offline guessing or relay attacks, so Kerberos is preferable wherever the environment supports it.
To enable IIS Windows Authentication, open the Properties page of the Proficy Portal virtual directory within IIS.
Select the Directory Security tab and then click the Edit button under Authentication and access control. Make sure you clear the Enable anonymous access checkbox and select Integrated Windows authentication.
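The following shell function is an added check and is not part of the Proficy documentation. It verifies from any client that the IIS change took effect: pipe the response headers of an unauthenticated request into it, for example curl -sI http://<server>/ProficyPortal/ | check_iis_auth_headers, and it passes only when IIS answers 401 with a Negotiate or NTLM challenge. A 200 means anonymous access is still enabled, and a Basic challenge over plain HTTP would put the password on the wire base64-encoded, which is exactly what this configuration is meant to prevent. The virtual directory path and the three sample header blocks are constructed for the demo, not captured from a real server.

```shell
# Added example, not from the Proficy documentation.
# Reads one HTTP response header block from stdin and checks that it is the
# challenge an IIS site with anonymous access off and Integrated Windows
# authentication on sends to a client that presented no credentials.
# Usage from a client:  curl -sI http://<server>/ProficyPortal/ | check_iis_auth_headers
# (the virtual directory name ProficyPortal is an assumption for this demo)
check_iis_auth_headers() {
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    case "$status" in
        200)
            echo "FAIL: request succeeded without credentials, anonymous access is still enabled"
            return 1 ;;
        401) ;;
        *)
            echo "FAIL: unexpected status '$status'"
            return 1 ;;
    esac
    # Basic over plain HTTP sends the password base64-encoded, which is the
    # interception problem this configuration is meant to remove.
    if printf '%s\n' "$hdrs" | grep -qi '^WWW-Authenticate: *Basic'; then
        echo "FAIL: Basic authentication is offered"
        return 1
    fi
    if printf '%s\n' "$hdrs" | grep -qiE '^WWW-Authenticate: *(Negotiate|NTLM)'; then
        echo "OK: 401 with Negotiate/NTLM challenge (Integrated Windows authentication)"
        return 0
    fi
    echo "FAIL: 401 without a Negotiate or NTLM challenge"
    return 1
}

# Constructed sample header blocks in the shape curl -sI prints them (not real captures).
# Before the change: anonymous access still on.
SAMPLE_ANONYMOUS='HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Type: text/html'

# After the change: anonymous off, Integrated Windows authentication on.
SAMPLE_WINDOWS_AUTH='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM'

# Wrong fix: anonymous off but Basic authentication selected instead.
SAMPLE_BASIC='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="Proficy Portal"'
```

To try it against the constructed samples, run printf '%s\n' "$SAMPLE_WINDOWS_AUTH" | check_iis_auth_headers (expect OK) and the same with SAMPLE_ANONYMOUS or SAMPLE_BASIC (expect FAIL). The function reads the whole header block once, so it also accepts the CRLF line endings a real server sends.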
SSL Encryption
Windows Authentication is an easy and effective way to ensure that authentication between the client and the server happens securely. If it is not sufficient, or your facility does not use domain user authentication, the other option is to encrypt all traffic between the client and server over an SSL (Secure Sockets Layer) connection. This ensures that every network message is encrypted: not only the username and password, but also all the data returned to populate displays. As a result, there is a trade-off between security and performance.
Support has been added in Proficy Portal 2.5 for establishing secure connections between the client and server. Such a connection uses the Secure Sockets Layer (SSL) protocol to encrypt messages as they travel across the network. SSL depends on a public/private key pair to perform the encryption and decryption, and on a certificate to attest that the public key is legitimate.
Certificate
If a certificate does not already exist for the server, one needs to be acquired from a Certificate Authority (CA). The certificate must be issued specifically for that server (its host name) and must support SSL server authentication. Such certificates can be purchased from companies such as Verisign, Thawte, etc.
Before Java RMI can be used with SSL, the certificate, together with its private key, needs to be exported from IIS and made available to Proficy Portal. To do this, use the certificate export wizard in IIS Manager as follows:
Select the Directory Security tab from the web site properties page.
Hit the Next button to bring up the Export Private Key dialog.
The default is not to export the private key; however, without it the SSL sockets in Java RMI cannot encrypt or decrypt messages. Select Yes, export the private key. You will be asked to set a password later in the procedure; Proficy Portal must be given this password so that it can access the keys, and you will configure it with the correct file and password later. Because the exported file contains the server's private key, keep it on the server only and restrict read access to the account that runs Proficy Portal.
Select Finish when prompted at the final dialog to complete the export.
keyconfig
The certificate and its keys have now been exported to a PKCS#12 format file. This file will be used by Proficy Portal as its keystore. For this to work, Proficy Portal needs to know the location and name of the file, as well as the password you provided, so that it can actually load the file's contents. A utility is provided for this in the \webapps\infoAgentSrv\WEB-INF folder, called keyconfig.cmd. When run, it simply prompts for the name and location of the exported file.
The utility creates a file in the WEB-INF folder called .keyconfig, which contains the file name and location as well as the password, stored in an encrypted form. This file is read at startup and used to open the actual keystore file. Since .keyconfig is what unlocks the keystore, protect it with the same file permissions as the PKCS#12 file itself.
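The following is an added example (shell with the openssl command line tool, not part of the Proficy documentation) that verifies the point made about the export wizard and the keystore: a PKCS#12 file produced with the default "do not export the private key" setting opens fine with the right password but is useless as an RMI keystore. p12_check returns 0 when the file contains a private key, 1 when it opens but carries certificates only, and 2 when it cannot be opened at all (wrong password or not a PKCS#12 file). make_demo_files builds a throwaway self-signed certificate and both kinds of export so the check can be run offline; the password changeit, the host name portal.example.com and the file names are assumptions for the demo, and the same check applies to the file you exported from IIS.

```shell
# Added example, not from the Proficy documentation. Requires the openssl CLI.
# Exit codes of p12_check: 0 = opens and contains a private key (usable as a
# keystore), 1 = opens but holds certificates only (the wizard's default
# "do not export the private key" result), 2 = cannot be opened (wrong password
# or not a PKCS#12 file).
p12_check() {
    file="$1"; password="$2"
    # Verify the MAC with the supplied password without writing anything out.
    openssl pkcs12 -in "$file" -passin "pass:$password" -noout 2>/dev/null || return 2
    # Dump only the key material; a cert-only file yields no PRIVATE KEY block.
    openssl pkcs12 -in "$file" -passin "pass:$password" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 1
    return 0
}

# Builds a throwaway self-signed key pair and two exports of it in a temp
# directory, then prints the directory. The password "changeit", the host name
# and the file names are assumptions for the demo.
make_demo_files() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=portal.example.com' \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # Export as it should be done: certificate plus private key.
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -out "$dir/with-key.p12" -passout pass:changeit
    # Export as the wizard does by default: certificate only, no private key.
    openssl pkcs12 -export -nokeys -in "$dir/server.crt" \
        -out "$dir/cert-only.p12" -passout pass:changeit
    echo "$dir"
}

# Usage against a real export:  p12_check /path/to/exported.pfx 'the-export-password'; echo $?
```

Against the demo files, p12_check "$dir/with-key.p12" changeit returns 0, p12_check "$dir/cert-only.p12" changeit returns 1 even though the password is correct, and any call with the wrong password returns 2. Run the same check on the file produced by the IIS export wizard before pointing keyconfig.cmd at it; a result of 1 means the wizard was run with the private key left out and the export must be repeated.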