0 Replies Latest reply on Mar 31, 2016 6:44 PM by jwmickelson

    Two Machine Configuration SSL Cert Confusion

    jwmickelson

      I have a scenario which should be a very common one, it is a two machine configuration, where the web machine resides in a corporate DMZ network and a Database Server that resides within the protected Corporate network.  We want SSL protection across these paths, and thus have been trying to get Certificates/SSL to work, and have been having trouble.  An additional project requirement is the Streaming of (Remotely Stored) Interactive Container Fields.  There are problems that seem to be SSL related because everything works perfectly over http/port 80.


      THE NETWORK:

      Inline image 1

      ** NOTE: ALL Recommended ports are open between the servers.

       

      WHAT WORKS & DOESN'T:


      In the above configuration (not requiring SSL) all of the below works, over HTTP port 80:

      • SUCCESS - FMP Clients - They see the files in the Remote Databases Dialogs, can connect, and Stream Video!
      • SUCCESS - Web Direct - it sees the files in the Web Direct Launch page, connects and Streams Video!
      • SUCCESS - Embedded Video streaming of interactive Container Contents, including externally stored containers!
      • SUCCESS - PHP Custom Web Publishing pieces all work as expected!

       

      If we turn ON "Require SSL for Database Connections", the below fails, over HTTPS port 443:

      • FAILS - FMP Clients - They cannot see any files in the Remote Databases Dialogs, and cannot connect to a known file
      • FAILS - Web Direct - Files in WebD Launch Page disappear, but the WebD Launch page is there and published.
      • CAN'T TEST - Embedded Video streaming of interactive Container Contents, including externally stored containers.
      • FAILS - PHP Custom Web Publishing pieces don't work, error

       

      THE CERTIFICATES WE OBTAINED:


      Documentation seems to indicate that each server needs its own Cert, like the following, but it wasn't obvious at first, so some mis-installed certs may have occurred; below is where we stand now:

       


      1) Cert 1 - WEB SERVER:  "web1.shoes.com"  for installing on the public facing Web Server IP, via Command Line Interface.

        1. Built Certificate Request against "fmsadmin" on Web Server Machine, with Command Line.
        2. Received Certificate from Client who procured the certificate from Entrust - Advantage SSL.
        3. Installed via Command Line on Web Server.

      Cert 1 - WebServer.png

      2) Cert 2 - DATABASE SERVER:  "COMPCORP21.shoesinc.com" for installing on the Filemaker Master Server, via Command Line Interface.

        1. Built Certificate Request against "fmsadmin" on Master Database Server Machine, with Command Line.
        2. Received Certificate from Client who procured the certificate from Entrust - Advantage SSL.
        3. Installed via Command Line on Master Database Server Machine.

      Cert 2 - DatabaseServer.png


      CURRENT QUESTIONS:


      1. Is it true that both servers require a Certificate?  Is the way I've configured above the correct way? I'm not sure how to handle the inside the corporate network traffic, since the domain "shoesinc.com" is not public facing and only exists within the internal DNS... does this still work?
        • We're getting conflicting reports about having to name the FMS name the same as on the Cert 2 for the Database Server?
      2. Some Developers have reported that The Name within Filemaker Server (ie. within the Admin tool), must somehow match the Certificate or the Fully Qualified Domain Name (FQDN).  Is this true?
        • If Yes, then which Server Name and Which FQDN?  The Database Server or the Publicly
      3. FileMaker Server Lists Entrust as an approved CA:  but ***asterisks seem to indicate that you can't use Entrust after Oct 2015? What is the deal here?
        • Also, note this is a Huge Multinational Corporation with a longstanding, and InfoSec approved, relationship with Entrust, including an internal corporate web portal to generate Entrust Certs.  If the CA is the issue, what should be told to this company to keep FileMaker from looking badly for not utilizing a very trusted CA source?  Because they already have said they will have to go through a CA vetting process with InfoSec to generate a Cert from a CA that isn't on THEIR Approved list.
      4. In some Cert configurations The Streaming Container data appears only as a link, but still will download, but doesn't stream.
        • It's possible this is because the stream is port 80 but the main page is SSL?
        • What SSL related issues can force normally streaming behavior to turn to a Link instead (this isn't well documented) ?
      5. When the "Force SSL for Database Connections" is turned on, the Web Direct Files disappear from their launcher page (as well as remote hosts for internal Pro clients), we cannot find any documentation from FMI that this is intended behavior, can anyone confirm what mechanism is at work here?

       

      CONCLUSIONS:


      This is a very large client (entertainment industry, not really shoes), whose ripples could be felt widely within the FileMaker pool of clients, so I want to make sure we're collectively giving them the best information about Filemaker's current capabilities, or any known limitations.  They have 3 more duplicate environments planned for various groups, so nailing this the first time is important to them, us & FMI.

       

      Thanks in advance for any help you can lend.

      Jonathan

       

      wimdecorte - I'd given you partial info in another location, here's more detail if you have any ideas, thanks!
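As an added example (not part of the original post, and not FileMaker Server code), the Python below shows the rule behind questions 1 and 2: the name a client uses to reach a server must match a DNS name in that server's certificate, and which names count is decided by the certificate's Subject Alternative Name entries rather than the FMS display name. The certificate data is constructed in the dict shape Python's ssl module returns; fetch_peer_cert and its default port 443 are assumptions for checking a live server.

```python
import socket
import ssl

# Hostnames from the post: the public web server and the internal database server.
WEB_HOST = "web1.shoes.com"
DB_HOST = "COMPCORP21.shoesinc.com"

# Constructed sample standing in for Cert 2, in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_DB_CERT = {
    "subject": ((("commonName", "COMPCORP21.shoesinc.com"),),),
    "subjectAltName": (("DNS", "COMPCORP21.shoesinc.com"),),
}

def _label_match(pattern, name):
    """Match one certificate dNSName pattern against a hostname (RFC 6125 rules).
    A '*' is allowed only as the whole left-most label and covers exactly one
    label: '*.shoes.com' matches 'web1.shoes.com', not 'a.b.shoes.com' or 'shoes.com'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]

def names_in_cert(cert):
    """DNS names the certificate is valid for. When a subjectAltName extension is
    present the commonName is ignored, which is how current TLS clients behave."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def hostname_matches(cert, hostname):
    """True if clients connecting as `hostname` will accept this certificate's names."""
    return any(_label_match(n, hostname) for n in names_in_cert(cert))

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live server's certificate (assumption: TLS on `port`). The chain is
    validated against the system trust store, but hostname checking is left to
    hostname_matches() so a name mismatch is reported instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we do the name check ourselves above
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation so the dict is populated
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run fetch_peer_cert against each server and pass the result with the name clients actually type (the FQDN, not an IP or short name) to hostname_matches; a False on the database server is what makes "Require SSL for Database Connections" reject the connection.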