Using Secure Transport Layer (HTTPS)
![Cloud_Business.png](../image/uuid-d8d27f22-54c1-35c2-93b6-c574ff5f4a24.png)
You can protect the inbound traffic to the HTTP Server Trigger and the Web Service Trigger by enabling HTTPS. HTTPS (HTTP over TLS) protects the messages exchanged over the network: the traffic between the client and Loftware Automation is encrypted and integrity-protected, and the server's X.509 certificate lets the client verify that it is talking to the genuine Loftware Automation host rather than to an impostor. An eavesdropper on the network sees only a stream of random-looking bytes and can neither read nor silently modify the messages.
Note that HTTPS protects the transport only. The server certificate does not authenticate the client, so it does not by itself restrict who may send requests to the trigger; combine it with firewall rules, network segmentation or application-level authentication where that matters.
It is good security practice to encrypt the communication in cases such as:
- You work with sensitive or confidential data that must not be exposed to third parties.
- The message must pass through networks that are outside of your control. For example, this happens when clients send data to Automation over the Internet rather than from the local network.
Enabling the secure transport layer (HTTPS)
To enable secure transport for your trigger, do the following.
In the Windows system:
- Obtain an X.509 certificate from a certificate authority (CA). The certificate must be of the server authentication type (Enhanced Key Usage 1.3.6.1.5.5.7.3.1), its Subject or Subject Alternative Name must match the host name clients use to reach Automation, and it must be delivered together with its private key.
  Note
  If you issue the certificate yourself (your own CA or a self-signed certificate), import the CA certificate into the Trusted Root Certification Authorities store on the server and on every client. Otherwise the clients cannot verify the signature on the server certificate and will reject the connection.
- Install the X.509 certificate on the system where Loftware Automation is installed. Make sure the certificate and its private key are accessible to the user account under which the Loftware Automation service runs. Install the certificate in the Local Computer store, not the Current User store; this allows Loftware Automation to use the certificate even when the service is not running under your currently logged-in user account.
  - Open a Command Prompt window with administrative privileges.
  - Type mmc and press ENTER.
  - On the File menu, click Add/Remove Snap-in.
  - In the Add Standalone Snap-in dialog box, select Certificates.
  - Click Add.
  - In the Certificates snap-in dialog box, select Computer account and click Next.
  - In the Select Computer dialog box, click Finish.
  - In the Add/Remove Snap-in dialog box, click OK.
  - In the Console Root window, expand Certificates > Personal.
  - Right-click the Certificates folder and select All Tasks > Import.
  - Follow the wizard to import the certificate. Import the PFX (PKCS #12) file so that the private key is installed together with the certificate.
- Retrieve the thumbprint of the certificate you have just imported.
  - While still in the MMC, double-click the certificate.
  - In the Certificate dialog box, click the Details tab.
  - Scroll through the list of fields and click Thumbprint.
  - Copy the hexadecimal characters from the box and remove the spaces between the byte values. For example, the thumbprint "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b" must be specified as "a909502dd82ae41433e6f83886b00d4277a32a7b". This is the certhash required in the next step. Paste the value into a plain-text editor first and check that it consists of exactly 40 hexadecimal characters: the MMC dialog sometimes copies an invisible leading character along with the thumbprint, which makes netsh reject the value.
- Bind the certificate to the IP address and port where the trigger is listening. This tells HTTP.sys which certificate to present on that port.
  Open the Command Prompt with administrative privileges and run the following command (on one line):
  netsh http add sslcert ipport=0.0.0.0:56000 certhash=7866c25377554ca0cb53bcdfd5ee23ce895bdfa2 appid={A6BF8805-1D22-42C2-9D74-3366EA463245}
  where:
  - ipport is the IP address-port pair where the trigger is listening. 0.0.0.0 means all IPv4 addresses of the computer; leave it as it is, but change the port number to match the port number in the trigger configuration. For an IPv6 listener the form is [::]:56000.
  - certhash is the SHA-1 thumbprint of the certificate: 20 bytes, specified as 40 hexadecimal characters without spaces. The certificate must be in the Local Computer Personal store (MY), which is where netsh looks for it by default.
  - appid is a GUID identifying the owning application. Any GUID works, even the one from the sample above, but use the same GUID consistently so you can recognize the binding later.
  You can verify the binding with: netsh http show sslcert ipport=0.0.0.0:56000
In the trigger configuration:
- In your HTTP or Web Service trigger, enable the option Secure connection (HTTPS).
- Reload the configuration in the Automation Manager.
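The procedure above scripted end to end in PowerShell, as an added example that is not part of the original Loftware documentation: it installs a certificate into the Local Computer Personal store, checks that it is usable for server authentication, binds it to the trigger port with netsh, and then performs a real TLS handshake against the port to confirm that the bound certificate is the one actually served. The host name automation.example.local, port 56000, the application GUID and the self-signed certificate are assumptions made for the example; in production import the CA-issued PFX instead (the commented Import-PfxCertificate lines). It requires an elevated prompt and the PKI cmdlets shipped with Windows 10 / Server 2016 or later, and the handshake check only succeeds after the Secure connection option has been enabled in the trigger and the configuration reloaded. The last commented command is the cleanup used by the disabling procedure.

```powershell
# Added example (not Loftware's own code): bind an X.509 certificate to the
# HTTP Server / Web Service trigger port via HTTP.sys and verify the result.
# Run in an elevated PowerShell prompt on the machine that hosts Loftware Automation.
# Assumed values: port 56000, host name 'automation.example.local' and the GUID are placeholders.
#Requires -RunAsAdministrator

$Port     = 56000
$HostName = 'automation.example.local'
$AppId    = '{A6BF8805-1D22-42C2-9D74-3366EA463245}'   # any fixed GUID; reuse it for later changes
$IpPort   = "0.0.0.0:$Port"                            # all IPv4 addresses; use "[::]:$Port" for IPv6

# --- 1. Get the certificate into the Local Computer > Personal (My) store -------------
# Production: import the CA-issued certificate together with its private key.
#   $pfxPwd = Read-Host -AsSecureString 'PFX password'
#   $cert = Import-PfxCertificate -FilePath .\automation.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
# Lab only: a self-signed server-authentication certificate (EKU 1.3.6.1.5.5.7.3.1).
# Clients will not trust it until it is imported into their Trusted Root store.
$cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# --- 2. Sanity checks before binding -------------------------------------------------
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store; HTTPS will fail.' }
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Certificate lacks the Server Authentication EKU.' }
# The Thumbprint property is clean hex: no spaces and no hidden characters as copied from the MMC dialog.
$CertHash = $cert.Thumbprint
if ($CertHash -notmatch '^[0-9A-Fa-f]{40}$') { throw "Unexpected thumbprint format: $CertHash" }

# --- 3. Bind the certificate to the trigger port (HTTP.sys) --------------------------
netsh http delete sslcert ipport=$IpPort 2>$null | Out-Null   # drop any stale binding on this port
netsh http add sslcert ipport=$IpPort certhash=$CertHash "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed (exit code $LASTEXITCODE)" }

# --- 4. Verify: HTTP.sys must report the binding, and a real TLS handshake must return
#        exactly this certificate (requires HTTPS enabled in the trigger and a reloaded config).
netsh http show sslcert ipport=$IpPort

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
# Accept any certificate during the handshake; the thumbprint is compared explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Negotiated $($ssl.SslProtocol); server presented $($served.Subject) [$($served.Thumbprint)]"
    if ($served.Thumbprint -ne $CertHash) {
        Write-Warning 'The server is presenting a different certificate than the one just bound.'
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# Cleanup for the disabling procedure: remove the binding, then clear the
# Secure connection option in the trigger and reload the configuration.
#   netsh http delete sslcert ipport=$IpPort
```

The handshake step is the check that matters: netsh will happily accept a binding for a certificate whose private key the service cannot use, and the mistake only surfaces as a failed TLS connection. Comparing the served thumbprint with the one you bound also catches a stale binding on the same port left by an earlier certificate.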
Disabling the secure transport layer (HTTPS)
In the Windows system:
- Unbind the certificate from the IP address-port pair. Run the following command in the Command Prompt with administrative privileges:
  netsh http delete sslcert ipport=0.0.0.0:56000
  where:
  - ipport is the IP address-port pair where the trigger is listening and to which you bound the certificate.
  Deleting the binding does not remove the certificate from the certificate store; if it is no longer needed, delete it from the Local Computer > Personal store separately.
In the trigger configuration:
- In your HTTP or Web Service trigger, disable the option Secure connection (HTTPS).
- Reload the configuration in the Automation Manager.