10 Replies Latest reply on Jun 27, 2012 3:19 PM by Stephen Huston

    FM10 Server - can't connect to databases when SSL is enabled?

    theboyk

      Hello.

       

      In FileMaker 10 Server, when I enable SSL, once the database server restarts, users can no longer access the databases the server is hosting. We can still see the server, but it no longer displays a list of available databases under the file display filter (via File > Open Remote > Local Hosts). Again, under Hosts, I can see the server, but with SSL enabled and with the server selected, none of the databases are visible? As soon as I disable SSL, things go back to normal and selecting the server under Hosts results in a listing of all available databases under the file display filter.

       

      As an FYI — we have "List only the databases each user is authorized to access" enabled (under Security > File Display Filter), so, once a user selects the server (via File > Open Remote > Local Hosts), before the list of databases displays in the file display filter, users are required to enter usernames and passwords. This works fine with SSL disabled, but once SSL is enabled, FileMaker never requests a username or password when selecting the server? I assume this is actually the issue, but unsure of the solution?

       

      Regards,

      Kristin.

        • 1. Re: FM10 Server - can't connect to databases when SSL is enabled?
          Stephen Huston

          Can they still select the server and manually enter the name of the file to open, rather than selecting it from the (missing) file list?

           

          If so, this is a valid and secure setup. You might consider leaving it like that and providing users with a Launcher/Opener file which handles the open-remote process for them.

           

          Opener/Launcher files are discussed in some detail in several old topics on the list. The basic idea is that you distribute a local FM file to each user which, when opened, runs a script to close itself, and has a file setting to perform a script to open the target file on the server when the local file is closed. Launching the local file on their desktop or Dock then appears to open the targeted server file, asking for their credentials just the one time as the server file itself opens.

          • 2. Re: FM10 Server - can't connect to databases when SSL is enabled?
            theboyk

            I'll give that a try (will have to wait until this evening as I can't take the server offline again for the reboot for re-enabling SSL). That said, is that the way it's SUPPOSED to work (ie. not getting a file listing)? I realize it's more secure that way, in that you'd have to know the name of the database you're trying to access, but is it supposed to work that way — enabling SSL overrides the ability to view database files in the File Display Filter?

             

            The reason I ask is that almost everyone in the organization uses a launcher file, but a couple of us need to access via File > Open Remote. FileMaker itself doesn't allow incoming access via the WAN (blocked at the firewall). So, with a secure server (secure VPN is the only remote access, SSL enabled and passwords required to view the list of databases the server hosts), I'd be "OK" with displaying the list of available databases from a security point of view. So, before I go trying to figure this out any more, can you confirm that SSL disables the ability of listing available databases in the File Display Filter (and effectively overrides the File Display Filter settings in Configuration > Database Server > Security)?

            • 3. Re: FM10 Server - can't connect to databases when SSL is enabled?
              Stephen Huston

              Not getting the file listing is supposed to work until users validate their credentials at the server level in all cases where the server settings are set to show only files to which users have access.

               

              SSL adds another layer of encryption, but I don't think SSL, by itself, would turn off the list. You do have to restart the server for either of these to take effect, so it may be that they were set at separate times but ended up taking effect together at the next server restart.

               

              The last Server 10 system I managed had SSL OFF but the server file list restriction ON, and the list was visible, but only after the user entered their credentials at the server level. They still had to enter them again to open the selected file, which users hated, so we gave them opener files to jump straight to the file-level credentials without seeing Open Remote at all.

               

              I have not set up a test server with SSL ON but with the server list restriction OFF. It just seems counter-intuitive from a security viewpoint, imposing heavy security on traffic while leaving the server list exposed. Not having tried that, I cannot say whether the SSL only being On would obscure the file list. I wouldn't expect it to, but I have no server 10 system currently running to test.

              • 4. Re: FM10 Server - can't connect to databases when SSL is enabled?
                theboyk

                Yea, sorry, maybe I wasn't clear in my setup.

                 

                Right now we have:

                 

                - SSL = Off

                - File List Restrictions = ON (ie. list only visible after the user entered their credentials at the server level)

                - Required to again enter credentials when opening the selected file

                - LAN access to FMS only (except for a select few who can access FMS via VPN)

                 

                What I want:

                 

                - SSL = ON

                - File List Restrictions = ON (ie. list only visible after the user entered their credentials at the server level)

                - Required to again enter credentials when opening the selected file

                - LAN access to FMS only (except for a select few who can access FMS via VPN)

                 

                The problem is, when I turn SSL ON, I no longer get the pop-up dialog asking to enter user credentials, thus no file list is displayed.

                 

                Thanks,

                Kristin.

                • 5. Re: FM10 Server - can't connect to databases when SSL is enabled?
                  Stephen Huston

                  Hmm...

                  What OS platform/version is your FMS10 server machine? and

                  What are the clients using, or what are you using as a test client computer?

                   

                  Mac and Windows have had different issues with SSL certificates according to KnowledgeBase.

                  • 6. Re: FM10 Server - can't connect to databases when SSL is enabled?
                    theboyk

                    FM10 Server is:

                    - Mac Xserve (Intel) running OS X Server 10.5.8 (all updates, etc. installed)

                     

                    Test clients are:

                    - FM Pro 8.5 on a PowerMac G5 (PPC) running OS X 10.5.8.

                    - FM Pro 9 on an iMac (Intel) running OS X 10.6.8.

                    - FM Pro 11 on a Mac Mini (Intel) running OS X 10.7.4.

                     

                    In total, I have 30+ FM Pro clients on the network, but those are my test machines (above) — the machines on the network (ie. non-test) run one of the above, or a minor variation.

                     

                    I was only able to test really quick during a short maintenance window this afternoon with — but, I'll do some more exhaustive testing over the coming week or so (evenings, when FM10 Server can be down for longer) and report my findings back here. Just wanted to start the thread in case it was something obvious I missed in the KBs, etc.

                     

                    Thanks,

                    Kristin.

                    • 7. Re: FM10 Server - can't connect to databases when SSL is enabled?
                      Stephen Huston

                      On FileMaker's regular website, from the Support options, go to KnowledgeBase and search for SSL or, specifically,

                      • Answer ID: 6496

                      It covers known issues with OSX Server X and SSL problems. See if that moves you closer to where you need to be.

                      • 8. Re: FM10 Server - can't connect to databases when SSL is enabled?
                        theboyk

                        Thanks Stephen — I was told that a certificate wasn't required for connecting FM Pro to FM Server (which I accepted, especially when I didn't see any references to certificates anywhere in the FileMaker Server GUI or in the documentation regarding enabling SSL), but this KB document leads me to believe otherwise...

                        k.

                        • 9. Re: FM10 Server - can't connect to databases when SSL is enabled?
                          theboyk

                          Actually, re-reading the KB, that all relates to installing SSL certificates in OS X Server itself. Have you ever set up a FM10 Server with SSL on OS X? Is a valid SSL certificate required to be installed on OS X Server itself for SSL to work in FM10 Server? Again, I ask because the person I originally spoke to regarding enabling SSL on our FM10 Server (whom I'll have to go back to about this depending on the results) said I shouldn't need to do this...

                          • 10. Re: FM10 Server - can't connect to databases when SSL is enabled?
                            Stephen Huston

                            The FM10 Server I worked with the most was a Windows box, though most of the clients were Mac systems. We did not enable SSL in the FM Server admin setup, but did require user authentication to view the file list in Open Remote. We also distributed generic Opener files to all staff to bypass Open Remote and take them straight to the "Main Menu" entryway to our FM system on the servers for each office.

                             

                            We also had all but a few "approved entry point" files set in the individual file settings to not be visible in the Open Remote dialog anyway, so that users were directed to files which had specific On-opening scripts. That setting is in the individual file settings, but cannot be changed except while open un-served in single user mode.