Progress
Version 9
Product Update Bulletin
Using the AppServer Internet Adapter With HTTPS
HTTPS allows Web-enabled clients with the Client-Side Security package to connect to a Secure AppServer over the Internet. Depending on the type of client you use, Client-side security is provided as follows:
- WebClient — This installation includes the Client-Side Security package.
- 4GL Client — This installation does not include the Client-Side Security package. You must install the Client-Side Security package separately as part of your application installation.
- Open Client — This installation comes with a number of distribution packages that provide client-side security. You must select the appropriate package and include it with your application. For more information about the various distribution packages, see the Progress Open Client Developer’s Guide.
Once you have installed a client with the Client-Side Security package and have a Secure AppServer, you can take advantage of HTTPS. HTTPS extends HTTP by executing the HTTP protocol across an SSL connection rather than an unencrypted TCP/IP connection. When an SSL connection is established between the AppServer client and the Web server, the HTTP protocol is executed in the context of the encrypted and authenticated channel. Using the HTTPS protocol to connect to a Secure AppServer (or SonicMQ Adapter) gives the client the capability of tunneling through firewalls and sending encrypted data.
For more information on connecting Progress clients using the AIA, see the "Connecting from Progress Clients Using the AIA" section.
NOTE: If the client uses HTTP to connect, and, on the server side, the httpsEnabled property in the ubroker.properties file is set to on (1), and the Secure AppServer package is installed, the AIA instance automatically redirects the client back to the Web server using the same URL except the protocol is changed to HTTPS and the Web server port is changed to the securePort property value.
Figure C–2 shows the Secure AppServer Internet Adapter (AIA/S) architecture with HTTPS tunneling running with a Secure AppServer.
Figure C–2: AppServer Internet Adapter Architecture With HTTPS
When using HTTPS, Progress establishes an SSL connection with the Web server. As part of establishing the connection, Progress authenticates the connection using digital certificates that must be installed on both the client and server machines.
In particular, Progress authenticates the server certificate using an appropriate Root CA certificate that has been installed on the client machine. If Progress determines that the server certificate is not valid, the connection to the AIA/S instance is denied.
When checking a certificate, a Progress client:
1. Verifies that the server certificate is signed by one of the trusted Root CA certificates installed on the client machine
2. Verifies that the certificate has not expired by comparing the current time to the timestamps included in the certificate
3. Verifies that the certificate host name in the URL is the same as the common name in the certificate (CN field)
Step 3 is an optional verification that ensures the host machine that the client connects to is the intended host machine. This verification is done by comparing the host name the user specified in the URL with the host name in the certificate returned by the Web server.
By default, Progress performs host verification. However, when establishing a connection, a client application might indicate that host verification should not be performed. For WebClients and 4GL clients, a client can indicate that host verification should not be performed by using the -nohostverify connection parameter. For Open clients, the client uses the RunTimeProperties.setNoHostVerify method on the runtimeProperties object to indicate that host verification should not be performed.
If any one of these steps determines that the certificate is not valid, then the connection to the AIA/S instance fails.
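The expiry and host-name checks listed above, and what changes when host verification is turned off, as an added example that is not Progress code. It assumes the Root CA signature check has already passed and uses a constructed certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the names `verify_server_cert` and `no_host_verify` are hypothetical.

```python
import ssl

# Constructed sample certificate (dict shape of ssl.SSLSocket.getpeercert());
# the host name and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "aia.example.com"),)),
    "notBefore": "Jan  1 00:00:00 2004 GMT",
    "notAfter": "Jan  1 00:00:00 2005 GMT",
}
# Constructed clock values: one inside the validity period, one after it.
IN_PERIOD = ssl.cert_time_to_seconds("Jun  1 00:00:00 2004 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun  1 00:00:00 2005 GMT")


def common_name(cert):
    """Return the CN field of the certificate subject, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_validity_period(cert, now):
    """Expiry check: now must lie between notBefore and notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def check_host(cert, url_host):
    """Host check: the host name from the URL must equal the CN.
    Case-insensitive comparison is an assumption (DNS names ignore case)."""
    cn = common_name(cert)
    return cn is not None and cn.lower() == url_host.lower()


def verify_server_cert(cert, url_host, now, no_host_verify=False):
    """Return (accepted, reason). Assumes the Root CA signature check
    already passed; no_host_verify models skipping the optional host check."""
    if not check_validity_period(cert, now):
        return False, "expired or not yet valid"
    if no_host_verify:
        return True, "accepted without host check"
    if not check_host(cert, url_host):
        return False, "host name does not match CN"
    return True, "accepted"
```

With host verification off, a trusted and unexpired certificate issued for a different host is accepted, which is the case the default check rejects.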
NOTE: For 4GL clients and the WebClient, the Install-Dir/certs directory contains a readme file that provides instructions for configuring certificates. The Progress installation includes a set of publicly available and well-known CA certificates, such as Verisign©, in the Install-Dir/certs directory. These certificates do not require configuration. If you want to use other certificates, see the readme file. For Open Clients, the psccerts.zip and Psccertsn.jar files are also in the Install-Dir/certs directory. For more information about these files, see the Progress Open Client Developer’s Guide.
Supported Client Platforms
For the following clients, HTTPS is supported on these platforms:
Supported Server Platforms
On server machines, you can use any Web server that supports HTTPS. For more information, see the "Installing and Configuring Web Servers and Java Servlet Engines" section.
Copyright © 2004 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095