All 4D servers can communicate in secured mode through the TLS (Transport Layer Security) protocol:
- the web server
- the application server (client-server desktop applications)
- the SQL server
The TLS protocol (successor of SSL) has been designed to secure data exchanges between two applications —mainly between a web server and a browser. This protocol is widely used and is compatible with most web browsers.
At the network level, the security protocol is inserted between the TCP/IP layer (low level) and the HTTP high level protocol. It has been designed mainly to work with HTTP.
Network configuration using TSL:
The TLS protocol is designed to authenticate the sender and receiver and to guarantee the confidentiality and integrity of the exchanged information:
- Authentication: The sender and receiver identities are confirmed.
- Confidentiality: The sent data is encrypted so that no third person can understand the message.
- Integrity: The received data has not been changed, by accident or malevolently.
TLS uses a public key encryption technique based on a pair of asymmetric keys for encryption and decryption: a public key and a private key. The private key is used to encrypt data. The sender (the website) does not give it to anyone. The public key is used to decrypt the information and is sent to the receivers (web browsers) through a certificate. When using TLS with the Internet, the certificate is delivered through a certification authority, such as Verisign®. The website pays the Certificate Authority to deliver a certificate which guaranties the server authentication and contains the public key allowing to exchange data in a secured mode.
For more information on the encryption method and the public and private key issues, refer to the
ENCRYPT BLOBcommand description.
By default, the minimum version of the secured protocol accepted by the server is TLS 1.2. You can modify this value by using the
Min TLS version selector with the
SET DATABASE PARAMETER command.
You can control the level of security of your web server by defining the minimum TLS version accepted for connections.
How to get a certificate?
A server working in secured mode means that you need a digital certificate from a certification authority. This certificate contains various information such as the site ID as well as the public key used to communicate with the server. This certificate is transmitted to the clients (e.g. Web browsers) connecting to this server. Once the certificate has been identified and accepted, the communication is made in secured mode.
Les navigateurs Web autorisent uniquement les certificats émis par une autorité de certification référencée dans leurs propriétés.
The certification authority is chosen according to several criteria. If the certification authority is well known, the certificate will be authorized by many browsers, however the price to pay will be expensive.
To get a digital certificate:
- Generate a private key using the
GENERATE ENCRYPTION KEYPAIRcommand.
Warning: For security reasons, the private key should always be kept secret. Actually, it should always remain with the server machine. For the Web server, the Key.pem file must be placed in the Project folder.
GENERATE CERTIFICATE REQUESTcommand to issue a certificate request.
Send the certificate request to the chosen certificate authority.
To fill in a certificate request, you might need to contact the certification authority. The certification authority checks that the information transmitted are correct. The certificate request is generated in a BLOB using the PKCS format encoded in base64 (PEM format). This principle allows you to copy and paste the keys as text and to send them via E-mail without modifying the key content. For example, you can save the BLOB containing the certificate request in a text document (using the
BLOB TO DOCUMENTcommand), then open and copy and paste its content in a mail or a Web form to be sent to the certification authority.
Once you get your certificate, create a text file named “cert.pem” and paste the contents of the certificate into it.
You can receive a certificate in different ways (usually by email or HTML form). 4D accepts all platform-related text formats for certificates (OS X, PC, Linux, etc.). However, the certificate must be in PEM format, i.e., PKCS encoded in base64.
CR line-ending characters are not supported on their own; you must use CRLF or LF.
- Place the “cert.pem” file in the appropriate location.
The 4D server can now work in a secured mode. A certificate is valid between 3 months to a year.
Installation et activation
Installer des fichiers
Pour pouvoir utiliser le protocole TLS avec le serveur, vous devez installer key.pem (document contenant la clé de chiffrement privée) et cert.pem (document contenant le certificat) au(x) emplacement(s) approprié(s). Différents emplacements sont nécessaires en fonction du serveur sur lequel vous souhaitez utiliser TLS.
Default key.pem and cert.pem files are provided with 4D. For a higher level of security, we strongly recommend that you replace these files with your own certificates.
Avec le serveur Web
Pour être utilisés par le serveur web de 4D, les fichiers key.pem et cert.pem doivent être placés :
- avec 4D en mode local ou 4D Server, à côté du dossier du projet
- avec 4D en mode distant, dans le dossier de la base de données cliente sur la machine distante (pour plus d'informations sur l'emplacement de ce dossier, consultez la commande
Get 4D folder).
You must copy these files manually on the remote machine.
Avec le serveur d'applications (applications de bureau client-serveur)
Pour être utilisés par le serveur d'applications de 4D, les fichiers key.pem et cert.pem doivent être placés :
- dans le dossier Resources de l'application 4D Server
- et dans le dossier Resources de chaque application 4D distante (pour plus d'informations sur l'emplacement de ce dossier, consultez la commande
Get 4D folder).
Avec le serveur SQL
Pour être utilisés par le serveur SQL de 4D, les fichiers key.pem et cert.pem doivent être placés à côté du dossier du projet.
The installation of key.pem and cert.pem files makes it possible to use TLS with the 4D server. However, in order for TLS connections to be accepted by the server, you must enable them:
- With the 4D web server, you must enable HTTPS. You can set the HSTS option to redirect browsers trying to connect in http mode.
- With the application server, you must select the Encrypt Client-Server Communications option in the "Client-server/Network options" page of the Settings dialog box.
- With the SQL server, you must select the Enable TLS option in the "SQL" page of the Settings dialog box.
Le serveur web 4D prend également en charge l'option HSTS pour déclarer que les navigateurs doivent interagir avec lui uniquement via des connexions HTTPS. sécurisées.
Perfect Forward Secrecy (PFS)
PFS adds an additional layer of security to your communications. Rather than using pre-established exchange keys, PFS creates session keys cooperatively between the communicating parties using Diffie-Hellman (DH) algorithms. The joint manner in which the keys are constructed creates a "shared secret" which impedes outside parties from being able to compromise them.
When TLS is enabled on the server, PFS is automatically enabled. If the dhparams.pem file (document containing the server's DH private key) does not already exist, 4D will automatically generate it with a key size of 2048. The initial generation of this file could take several minutes. The file is placed with the key.pem and cert.pem files.
If you use a custom cipher list and want to enable PFS, you must verify that it contains entries with DH or ECDH (Elliptic-curve Diffie–Hellman) algorithms.