
SSL when and why? Novice questions.


This topic is 1433 days old. Please don't post here. Open a new topic instead.


Hi,

When is it recommended to create an SSL certificate and why?

Currently running a couple of small files - mostly project management stuff - with a couple of in-house computers. We're not hosting anything on the web or connecting anywhere outside of the physical building where the server is located. The setup is a Mac mini server that's running FMS 18, connecting to about four iMacs.

How important is the encryption?

Can other people get on the server and use the files?

Can they alter the files or the servers if the files are required to sign in to access?

 

Kind regards,

Filo

 


To clarify, I'm already hosting a file, with two other users to the main file on the server.

Just curious if someone unwanted would be able to see the password and username being filled in and later on do it themselves to mess the file up.


The point of installing an SSL certificate is essentially to protect you from "man-in-the-middle" attacks, i.e. someone impersonating your server. What you describe sounds like relatively low risk. The question is what level of risk you're willing to accept vs. spending less than $100/yr (domain + GoDaddy cert) for "doing it right."

https://www.soliantconsulting.com/blog/demystifying-ssl/

Welcome to the forums.


On 2/28/2020 at 1:45 PM, filomena said:

Hi,

 

How important is the encryption?

 

 

An SSL certificate encrypts the traffic as it flows between the client and the server. This is also known as 'encryption in transit'. There is another form of encryption that protects the file on the server (and its backups): encryption at rest (EAR). If you are worried that people can get access to the server itself then you can use EAR in addition to an SSL cert.

As to your question about what they can do to the files: keep in mind that there are two separate things: authentication and authorization. In FM terms the authentication is the username and pw. Authorization is what is defined in the privilege set.

If the file is not set to auto-login then someone would need to know a set of credentials that works.  What they can do in the file once in then depends on the rights given to them with the priv set.


  • 4 weeks later...

I am running server 17 on a Mac mini with no issues. I have about 7 Macs in my office that regularly access the FM Server internally, however, I access my data from my home computers and iPhones and iPads, and we use Web Direct a lot so clients can log in through the web and see live job statuses when they please...without SSL, it's beyond frustrating to connect with a web browser. So I have to use SSL certificates. It is also beyond frustrating to add a certificate...mine just expired so I have to go through the pain again. While I am not actually worried about being hacked, etc....security is always a good thing. The certificate is around $100 and a few hours of pain.


There are many cheaper certificates that are supported. You can get them for around $10.

It also shouldn't take hours, so do let us know what parts you are struggling with. Especially around renewals. The vendor just gives you a new key, you issue an FMSADMIN CERTIFICATE DELETE on your server and use the admin console UI to import the new cert using the old serverKey.pem.

I just did two of them yesterday, took me less than 10 minutes to do both.

A common misunderstanding is that people think that you need to start the whole process again when your cert expires: generate a CSR, rekey the cert.  You don't.  Just save the serverKey.pem from your original CSR generation and just import the new cert that the vendor automatically gives you.  As long as you don't change the name on the cert you don't need a new CSR.
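A pre-import check for the renewal flow described in the post above, as an added example that is not part of the original post: it confirms that the renewed certificate was issued for the key you saved, has not expired, and carries the same name as the old certificate. It assumes the `openssl` command-line tool is installed; the function names and file names are placeholders chosen for this example, not FileMaker Server paths or commands.

```shell
#!/bin/sh
# Added example: sanity-check a renewed certificate before importing it.
# Assumes PEM files and the openssl CLI; all names here are illustrative.

# Succeeds only if the certificate's public key is the one derived from
# the private key. openssl prompts for a passphrase if the key is encrypted.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if both certificates carry the same subject name, which
# is the condition under which the original CSR and key can be reused.
same_subject() {
    new_subj=$(openssl x509 -in "$1" -noout -subject) || return 2
    old_subj=$(openssl x509 -in "$2" -noout -subject) || return 2
    [ -n "$new_subj" ] && [ "$new_subj" = "$old_subj" ]
}

# Usage: renewal_check NEW_CERT SAVED_KEY [OLD_CERT]
renewal_check() {
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: certificate was not issued for this private key"
        return 1
    fi
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has already expired"
        return 1
    fi
    if [ -n "${3:-}" ] && ! same_subject "$1" "$3"; then
        echo "FAIL: subject differs from the old certificate"
        return 1
    fi
    echo "OK: certificate matches the saved key"
}
```

Run it as `renewal_check new-cert.pem serverKey.pem old-cert.pem` before deleting the installed certificate; a failure at this stage means the import would fail or the wrong key was kept.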


1 hour ago, Wim Decorte said:

There are many cheaper certificates that are supported. You can get them for around $10.

It also shouldn't take hours, so do let us know what parts you are struggling with. Especially around renewals. The vendor just gives you a new key, you issue an FMSADMIN CERTIFICATE DELETE on your server and use the admin console UI to import the new cert using the old serverKey.pem.

I just did two of them yesterday, took me less than 10 minutes to do both.

A common misunderstanding is that people think that you need to start the whole process again when your cert expires: generate a CSR, rekey the cert.  You don't.  Just save the serverKey.pem from your original CSR generation and just import the new cert that the vendor automatically gives you.  As long as you don't change the name on the cert you don't need a new CSR.

Hey....who do you recommend for an SSL? I am starting the process over. Was about to purchase a FM certified certificate, they are around $200...but you mentioned $10 ones. Thanks...much appreciated!


There are many SSL shops around, as long as you pick one from the supported list of issuers you'll be fine. My situation is not typical since I usually deal with multi-server deployments so I almost always work with wildcard certs or SAN certs, I typically use GoDaddy for those.


  • 2 months later...

You can have certs for free, here is how to do this on a Mac, with my comments: https://gist.github.com/TyrfingMjolnir/01c5f47693f1096991c3c21c20d137cf The script is by David Nahodyl, Blue Feather.

And you should have your certificates for free, as the non-free ones add a party to the chain that is not necessarily desirable. Let us hope that Let's Encrypt does a better job than LinkedIn when it comes to keeping track of your credentials.

Ideally you should be able to run some sort of command to stop FileMaker Server that you can time for your solution, to avoid starting the database before it has fully stopped.

My 2 cents worth: Let's Encrypt or any similar programmatic way of signing.

Edited by ggt667