3 Replies Latest reply on Feb 16, 2016 12:05 PM by tcfitzgerald

    Setting Up an SSL Cert Only for CWP

    AlanBrooks

      I have SSL running on the Filemaker Server Advanced for Filemaker Pro clients and all is running well with that.  I believe I have determined that this limitation in SSL cert providers only affects the Filemaker client to Filemaker Server connection.

       

      In the very near future, I would like to deploy SSL on the web server for browser encryption as well but there are a few ambiguities I’d like to clarify first.  I intend on using Digicert since they are my provider for all other certs and hopefully the above determination is correct.

       

      My set up is a two-machine deployment running FMSA 14.0.1.204 on Macs running 10.10.5 each.  I plan on using CLI to generate a CSR and import the certificate once received.

       

      In the Filemaker Server 14 Getting Started document, under Chapter 7 - Setting up the web server, on page 71 it states:

"server_name is the value used by clients to open hosted files with the FileMaker Network protocol, fmnet.

For example, if FileMaker Pro clients use fmnet:/salesdbs.mycompany.com/sales to open the hosted database sales, then use the following command with salesdbs.mycompany.com as the server_name:
fmsadmin certificate create salesdbs.mycompany.com"

       

I assume this is just used as an example but the entire article seems to be written as if it’s for a one-machine deployment.  Certainly, in a two-machine mode, if requesting a CSR for the web server (as the chapter title suggests) one wouldn’t use the database machine’s server_name.

       

      Then, again on page 72 it states:

"To use the certificate import command:
• Windows: You must have administrator permission to the CStore folder.
• OS X: You must have read and write access permissions to the CStore folder.
After using the certificate import command, you must restart the Database Server."

      making me think this is written for one-machine or at the very least, the procedure for the database server and not for the web server.

       

      And in the Notes on page 72, this confuses me:

"The Database Server and web server components must use the same certificate."

      It does go on to say that one shouldn’t use OpenSSL certificate tools (or IIS on Win) and to use either the Admin Console or CLI but that, too, is vague in that I could read it to mean not to use one method on the database server and another on the web server.

       

      What I am wondering is:

      • Can I use the CLI to generate a CSR on the web server in a two machine deployment?
      • Can I use the CLI to import the resultant cert on the web server in a two machine deployment?
      • Will the installation of a cert on the web server disturb the present connection between it and my database server?

       

      I guess I'm over-thinking this but the document seems a bit vague.  Thank you for any input you can offer.

       

        • 1. Re: Setting Up an SSL Cert Only for CWP
          tcfitzgerald

          The documentation is vague, and actually doesn't really make sense in a two-machine configuration.

           

          We have several two-machine configs, all running Windows Server.  Here are the steps that we took.

           

          1. On the Database server, run the fmsadmin certificate create command to generate the CSR using the FQDN of the Database Server
          2. Use this CSR to get a certificate file from a FileMaker approved vendor
          3. Import that certificate on the Database server using the fmsadmin certificate import command
          4. Copy the serverKey.pem file from the CStore folder on the Database server to the CStore folder on the Web Publishing Server
          5. Also copy the certificate you received from your FileMaker approved vendor
          6. Import the certificate on the Web Publishing server using the fmsadmin certificate import command
          7. Using IIS on the Web Publishing server (or OpenSSL, etc.) generate a NEW CSR that uses the FQDN of the Web Publishing server
          8. Use this CSR at your preferred vendor to get an SSL cert for the web server (IIS, Apache)
          9. Import the web server certificate into IIS (or Apache) and change the bindings on port 443

           

          I don't know for sure that step #4 is needed, but I can't imagine how it would work any other way.

           

          From what I can gather, the files in the CStore folder are used by the FileMaker Database server <-> FileMaker client connections AND by the FileMaker Web Publishing Engine <-> FileMaker Database server connections.  They are not used for CWP/Web Direct <-> Web Browsers.
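A sanity check for steps 3 to 6 above, added here as an example and not part of tcfitzgerald's post or any FileMaker tool: before running fmsadmin certificate import on the Web Publishing server, confirm that the vendor certificate really belongs to the serverKey.pem you copied out of CStore, and that it names the FQDN you used in the CSR. It assumes OpenSSL is on the PATH; the file paths on the command line are placeholders.

```shell
#!/bin/sh
# Pre-import checks for a FileMaker Server certificate (example, not from the thread).
# Assumes: openssl on PATH; an unencrypted PEM key (openssl prompts if it is encrypted).

# cert_matches_key CERT.pem KEY.pem
# Returns 0 when the public key embedded in the certificate equals the public key
# derived from the private key, i.e. the cert was issued for this serverKey.pem.
# Returns 2 if either file cannot be parsed, 1 on a mismatch.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT.pem FQDN
# Returns 0 when FQDN appears as the subject CN or as a DNS subjectAltName.
# The FQDN is used as a regex fragment, so dots match themselves loosely; good enough
# for an admin check, not for strict hostname validation.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -Eq "(CN ?= ?|DNS:)$2(,|$)"
}

# Usage: sh check_cert.sh /path/to/vendor-cert.pem /path/to/CStore/serverKey.pem db.example.test
if [ "$#" -eq 3 ]; then
  if cert_matches_key "$1" "$2"; then
    echo "OK: certificate matches serverKey.pem"
  else
    echo "MISMATCH: certificate was not issued for this serverKey.pem (rc=$?)"
  fi
  if cert_covers_host "$1" "$3"; then
    echo "OK: certificate names $3"
  else
    echo "WARNING: certificate does not name $3"
  fi
fi
```

Run it on the Web Publishing server after step 5; a mismatch at that point means step 4 (copying serverKey.pem) was skipped or the wrong key was copied.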

          • 2. Re: Setting Up an SSL Cert Only for CWP
            AlanBrooks

            Thank you tcfitzgerald.  I will leave this open a bit longer to see what else I can glean before I mark this as answered.  ~Alan

            • 3. Re: Setting Up an SSL Cert Only for CWP
              tcfitzgerald

              I wanted to add that I have no idea if how we handle the situation makes sense or is correct.  In fact, if you look at this:

               

              Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console


              I'm not sure even FileMaker Inc. knows the answer.