8 Replies Latest reply on Apr 12, 2017 10:49 AM by CICT

    Two Machine Configuration - SSL dual certificate support

    delltechservices

      Can FileMaker Server in a two-machine deployment be used with 2 different certificates?

       

      Are there any problems with this configuration?

       

      The domains of the 2 servers don't match, so the same certificate can't be used on both machines. The DB server is inside the corporate LAN with an internal domain name. The proposed web server (worker) will reside in the DMZ using a different domain. See the configuration below.

       

      Current configuration:

      The 2 servers can communicate with each other by opening the required ports in the firewall.

       

      Server 1

      DB server name: DBserver.prod.corp

      (internal LAN domain name. There is an internal corporate cert file I can install on DB Server)

       

      Server 2

      Webserver (worker) name:  webserver.example.com

      (Webserver in the DMZ with WAN access to ports 443 and 80. There is an external cert available for install on this server.)

       

      Clients:

      FileMaker Pro users are inside the corporate network and will be authenticated using Active Directory.

      WebDirect users may be inside or outside the corporate network and will also authenticate via Active Directory.

      PHP connections may be inside or outside the corporate network and will authenticate via a local FileMaker account.

        • 1. Re: Two Machine Configuration - SSL dual certificate support
          CICT

          We've not tried this using different domains and since FMS15 have used wildcard certificates.

           

          However, pre v15 we used separate certificates for 2 server deployment. I don't see why it wouldn't work and our original documentation for v14 may be of help: FileMaker Server SSL Certificate Setup

           

          Hope this helps

           

          Andy

          1 of 1 people found this helpful
          • 2. Re: Two Machine Configuration - SSL dual certificate support
            databuzz

            I have several deployments with exactly this type of 2 machine configuration (DB server internal, web server in DMZ) each with their own certificates on different domains, all working fine for many years.

            1 of 1 people found this helpful
            • 3. Re: Two Machine Configuration - SSL dual certificate support
              delltechservices

              Hi databuzz,

               

              Does your method for using 2 certificates match the included link from CICT above?

               

              Can the already existing corporate certificate files for internal and external servers be imported as is, or is there a process needed to use them?

              • 4. Re: Two Machine Configuration - SSL dual certificate support
                databuzz

                I first set this up with FileMaker Server v13 and have used the fmsadmin certificate commands to create the CSR and import the certificate:

                 

                Configuring security for FileMaker Server 14 and earlier | FileMaker

                 

                FileMaker Server v15 lets you use the Admin Console to import a certificate (and also create the CSR) without having to resort to using the fmsadmin command line:

                 

                Securing a two-machine deployment with SSL | FileMaker

                1 of 1 people found this helpful
                • 5. Re: Two Machine Configuration - SSL dual certificate support
                  delltechservices

                  The SSL certificates already exist for the 2 domains since they were bought prior to the deployment of the FileMaker servers. They are used for multiple servers for the corporation.

                   

                  Can I import these certificates without creating a CSR using the methods in this link you included above?

                  Securing a two-machine deployment with SSL | FileMaker

                  • 6. Re: Two Machine Configuration - SSL dual certificate support
                    CICT

                    Yes you can. It's late here but will try to explain in the morning.

                     

                    Regards

                     

                    Andy

                    • 7. Re: Two Machine Configuration - SSL dual certificate support
                      delltechservices

                      Both answers from CICT and Databuzz are correct.

                      The CICT link, FileMaker Server SSL Certificate Setup has some explanation for using 2 certificates in a 2 server deployment. The article is for earlier versions of FileMaker server, but it still applies.

                       

                      The Databuzz link to Securing a two-machine deployment with SSL | FileMaker to the FileMaker knowledge base article is the correct application of the process.

                      You can just import the existing wildcard certificates without creating a signing request, CSR.

                       

                      A follow-up question is what if the server has two FQDNs, one internal and one external? Is it possible to have 2 certificates installed so that users coming from the internal network will not get the error that shows on the WebDirect launcher?

                      2 of 2 people found this helpful
                      • 8. Re: Two Machine Configuration - SSL dual certificate support
                        CICT

                        Sorry for the delay, but here is an overview as to how to use existing certificates. I don't believe you've mentioned the platform, so the following is for Windows servers, but I believe the procedure works for Macs by placing the files in the appropriate folder.

                         

                        First if you have the certificate CSR, private server key, server certificate and intermediate text:

                             Copy the certificate request (CSR) text into Notepad and save as serverRequest.pem

                             Copy the Private Server Key text into Notepad and save as serverKey.pem

                             Copy the Web Server Certificate into Notepad and save as a .cer file, call it Server Certificate.cer

                             Copy the Intermediate Certificate into Notepad and save as a .cer file, call it Intermediate Certificate.cer

                         

                        Copy the serverRequest.pem and serverKey.pem files into c:\Program Files\FileMaker\FileMaker Server\CStore\

                         

                        In Server Admin, click Database Server

                             Security

                                  Restrict access to databases per user

                                       Select 'List only the databases each user is authorised to access'

                                            Click 'Save'

                         

                                  SSL Connections

                                       Click 'Use SSL for database connections'

                                            Click 'Save'

                         

                                  Progressive Downloading

                                      Click 'Use SSL for progressive downloading'

                            

                             Click 'Save'

                                  Ignore restart server messages, as we'll be doing this shortly

                         

                        Click 'Import Certificate'

                             Signed Certificate File

                                    Click 'Browse'

                                         Select the server .cer file

                                              Click 'Open'

                               'Intermediate Certificate File'

                                    Click 'Browse'

                                    Select intermediate certificate .cer file

                                         Click 'Open'

                               Private Key File:

                                    Click 'Browse'

                                         Navigate to Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem

                                              Click 'Open'

                               Private Key Password:

                                    Enter the private key password

                          Click 'Import'

                         

                          A red 'Certificate imported successfully' will confirm success

                                  We always restart the server after this, partially down to disabling any anti-virus software before commencing the above

                         

                        On the 2nd server we usually copy the appropriate .pem files and server certificate file to the CStore folder and use the command line to install:

                             fmsadmin CERTIFICATE IMPORT "C:\Program Files\FileMaker\FileMaker Server\CStore\myworkerservercertificate.crt"

                         

                        If you only have the certificate on existing servers, you can export these including the private key. There are online tools that will allow you to extract the various files you need for the above. There are warnings about this method not being secure, but if your back is against the wall.....

                         

                        I hope the above helps.

                         

                        Andy

                        1 of 1 people found this helpful
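
The file preparation and checks behind the procedure in reply 8, as an added example that is not part of CICT's post or FileMaker's documentation: it splits an exported .pfx locally with OpenSSL, then confirms that the key, server certificate and intermediate belong together and that the certificate covers the host name, before anything is imported. The function names, the output names server.cer and intermediate.cer, and the PFX_PASS/KEY_PASS environment variables are assumptions; OpenSSL 1.1.0 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example: prepare and check certificate files before the import above.
# Assumes OpenSSL 1.1.0+; names below are illustrative, not FileMaker's.

# Split an exported .pfx locally, so the private key never leaves the server.
# $1 = .pfx file, $2 = output directory. Passwords come from the environment
# (PFX_PASS = export password, KEY_PASS = password for the written key).
split_pfx() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts \
        -passout env:KEY_PASS -out "$2/serverKey.pem" &&
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$2/server.cer" &&
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -cacerts -nokeys \
        -out "$2/intermediate.cer"
}

# True only if the private key ($1) and certificate ($2) share a public key.
key_matches_cert() {
    key_pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$1" \
        -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True if the server certificate ($2) chains to the intermediate ($1) and is
# within its validity dates. Only the supplied file is trusted.
issued_by() {
    openssl verify -no-CAfile -no-CApath -partial_chain \
        -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if the certificate ($1) is valid for the host name ($2) clients use.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Run all three checks: $1 = key, $2 = server cert, $3 = intermediate, $4 = FQDN.
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    issued_by "$3" "$2" || { echo "not issued by this intermediate"; return 1; }
    cert_covers_host "$2" "$4" || { echo "certificate does not cover $4"; return 1; }
    echo "ok: key, certificate and chain are consistent for $4"
}

# Example call (file names as produced by split_pfx):
# preflight serverKey.pem server.cer intermediate.cer webserver.example.com
```

Run the checks once per machine with that machine's own files and FQDN, since each server in this deployment carries a different certificate.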