{"id":230,"date":"2018-06-01T18:20:18","date_gmt":"2018-06-01T18:20:18","guid":{"rendered":"https:\/\/panditaseaman.com\/infocypher\/?p=230"},"modified":"2023-06-09T18:36:54","modified_gmt":"2023-06-09T18:36:54","slug":"using-ssl-on-filemaker-server","status":"publish","type":"post","link":"https:\/\/panditaseaman.com\/infocypher\/using-ssl-on-filemaker-server\/","title":{"rendered":"Using SSL on FileMaker Server"},"content":{"rendered":"<p>To secure your data from hackers while traveling the Internet, the\u00a0<a href=\"https:\/\/www.infocypher.com\/node\/8\">FileMaker Platform<\/a>\u00a0provides a way to use the SSL Protocol with its FileMaker Server software. Information on how to do this is provided in detail in the\u00a0<a href=\"https:\/\/www.filemaker.com\/support\/product\/documentation.html\">FileMaker Server product documentation<\/a>. However, unless you know a little about how\u00a0the Internet works, just\u00a0<em>what\u00a0<\/em>one is doing and\u00a0<em>how<\/em>\u00a0it keeps your server secure\u00a0when you follow the instructions to install an SSL certificate\u00a0may remain a mystery. I wrote this article to provide some background.<\/p>\n<h3>TCP\/IP, the Communication Language of the Internet<\/h3>\n<p>The Internet is a network of devices serving as connection points for moving data at various speeds while a governing body called\u00a0<a href=\"https:\/\/www.icann.org\/\">ICANN<\/a>\u00a0(Internet Corporation for Assigned Names and Numbers) watches over the process. The Internet is run by protocols, sets of rules that determine how this data is sent back and forth. The underlying communication language of the Internet is a 2-layer protocol called TCP\/IP. TCP stands for Transmission Control Protocol, and IP stands for Internet Protocol.<\/p>\n<p>Network packets are the smallest unit of information transmitted over the Internet. 
IP is responsible for mapping out how to get the network packets to the correct destination via a series of &#8220;hops&#8221; between Internet connection points, each identified by an IP address. A network packet using IP carries with it a &#8220;header,&#8221;\u00a0which holds information about the source and destination of the packet, its size, etc. IP has some limitations: it does not control the order in which the data packets arrive at the destination, whether they arrive at all, or how fast they arrive, and the size of packets is limited. It&#8217;s like waiting for a friend\u00a0at the airport without a phone, while not\u00a0knowing\u00a0whether all the bags arrived because they were sent separately on unidentified planes.<\/p>\n<p>Like a good airport authority,\u00a0TCP adds a control layer on top of IP to make it more reliable. TCP allows one device to talk to another device by establishing a connection tunnel called a &#8220;socket&#8221; between two endpoints. A socket is created as the end result of a &#8220;3-way handshake&#8221;, a series of negotiations between a sending device and a receiving device, which determine the parameters of the socket connection. The negotiation goes like this:<\/p>\n<p>\u2022 Device A sends a TCP SYN (synchronize) packet to Device B.<br \/>\n\u2022 Device B receives A&#8217;s SYN packet and sends a SYN-ACK (acknowledgement) packet back to Device A.<br \/>\n\u2022 Device A receives B&#8217;s SYN-ACK packet and sends an ACK packet back to Device B.<br \/>\n\u2022 Device B receives A&#8217;s ACK, and a socket connection is established.<\/p>\n<p>Once the connection has been established, the socket remains open for the duration of communication between the endpoints. 
TCP then compiles units of data called network packets into the correct size, organizes them into a sensible sequential order, sends them to the destination in a data stream, resends lost or out-of-sequence packets, acknowledges receipt of each packet, and controls the speed of data flow so that the receiving device is not overwhelmed. Once the communication ends, another set of negotiations is performed to tear down the TCP socket connection.<\/p>\n<p>TCP is great, but it doesn&#8217;t concern itself with the safety of\u00a0where network packets are going. Like airports in the U.S. before 9\/11, TCP doesn&#8217;t care\u00a0whether a device&#8217;s identity is valid\u00a0or whether a\u00a0&#8220;<a href=\"https:\/\/www.icann.org\/news\/blog\/what-is-a-man-in-the-middle-attack\">man in the middle<\/a>&#8221; is pretending to be the device.<\/p>\n<h4>Enter SSL<\/h4>\n<p>When hosting a server, it is important to be able to assure visiting clients\u00a0that the destination point of any data being transmitted back and forth from the server is a location verified by a trusted authority.\u00a0It is also important to know that when transmitting sensitive data like personal contact information and credit card numbers, the data itself is encrypted and inaccessible\u00a0even if it is intercepted.<\/p>\n<p>The Secure Sockets Layer (SSL) is the most basic internet\u00a0security protocol that provides the data security described above. The SSL protocol\u00a0operates on top of TCP. It\u00a0is another series of negotiations that results in a secure socket connection between the two endpoints established by TCP:<\/p>\n<p>\u2022 After a TCP socket is established, an SSL handshake is initiated by a request from client software such as a browser or other app on the sending device. 
The client sends which version of SSL it is running, what ciphersuites it wants to use, and what compression methods it wants to use.<\/p>\n<p>\u2022 The recipient (server) determines the highest SSL version supported by both endpoints, chooses a ciphersuite from the client&#8217;s options, and optionally chooses a compression method. Then it sends its SSL certificate.<\/p>\n<p>\u2022 The certificate must be trusted, either because a trusted third party known as a Certificate Authority (CA) has cryptographically signed the server&#8217;s certificate or because the client itself chooses to trust it (which is when you get the dialog box asking if you want to trust the server). Once the certificate is verified and\/or the client is certain this server really is who it claims to be, an encryption key, created according to the chosen ciphersuite, is exchanged. The server and client can then compute the shared secret key for symmetric encryption. The client sends an encrypted and authenticated message to the server.<\/p>\n<p>\u2022 The server verifies that the message authentication code (MAC) is correct, and that the message can be correctly decrypted. It returns a message to be verified by the client.<\/p>\n<p>\u2022 The client verifies the message. The handshake is finished and secure communication between the client and server is established.<\/p>\n<p>Faster and friendlier\u00a0than an airport security checkpoint, SSL\u00a0allows the encrypted data\u00a0to travel freely\u00a0to its destination.\u00a0In a web browser, you can confirm the\u00a0SSL connection by checking\u00a0the address bar. The URL will start with https:\/\/ instead of http:\/\/, and\u00a0you&#8217;ll see a lock icon in the address bar. When connecting to a FileMaker Server, you will see a green lock in the top right corner of the solution window.<\/p>\n<p>Using SSL doesn&#8217;t make it completely impossible to steal network traffic data, but it certainly makes it much more difficult. 
Even if\u00a0a hacker could steal or mimic\u00a0an SSL certificate, s\/he\u00a0would still need to have\u00a0the private encryption key provided when the original connection was established to be able to decipher the data into a human-readable format.<\/p>\n<p>As more FileMaker solutions move to the cloud and data is shared over the Internet,\u00a0SSL has become a much\u00a0more prominent feature of\u00a0FileMaker Server, and I expect that trend will continue.<\/p>\n<h3>Resources and Links for Using SSL With FileMaker Server<\/h3>\n<p>Now that you know how it works, you can create secure connections to and from your FileMaker Server installation by importing an SSL Certificate using the FileMaker Server Admin Console. You can get more information about configuring security for FileMaker 17 here:<\/p>\n<p>Configuring Security for FileMaker 17:\u00a0<a href=\"https:\/\/support.filemaker.com\/s\/answerview?language=en_US&amp;anum=000026004\">https:\/\/support.filemaker.com\/s\/answerview?language=en_US&amp;anum=000026004<\/a><\/p>\n<p>Note that FileMaker Server does not officially work with every Certificate Authority. 
Here is a link to help you figure out which CA is right for your setup and FileMaker Server version:<\/p>\n<p>FileMaker Network Security and supported SSL Certificates:\u00a0<a href=\"https:\/\/support.filemaker.com\/s\/answerview?language=en_US&amp;anum=11413\">https:\/\/support.filemaker.com\/s\/answerview?language=en_US&amp;anum=11413<\/a><\/p>\n<p>In case you&#8217;re not interested in paying a CA for an SSL certificate, David Nahodyl, of\u00a0<a href=\"https:\/\/bluefeathergroup.com\/\">Blue Feather Group<\/a>, does a wonderful job of explaining how to install a free one from Let&#8217;s Encrypt, a non-profit Certificate Authority, on\u00a0<a href=\"https:\/\/bluefeathergroup.com\/blog\/lets-encrypt-ssl-certificates-for-filemaker-server-for-mac\/\">Mac<\/a>\u00a0and\u00a0<a href=\"https:\/\/bluefeathergroup.com\/blog\/how-to-use-lets-encrypt-ssl-certificates-with-filemaker-server\/\">Windows<\/a>.<\/p>\n<p>Please let me know if this article was helpful, and\/or feel free to\u00a0<a href=\"https:\/\/www.infocypher.com\/contact\">contact us<\/a>\u00a0at infoCypher if you would like us to set up SSL on a FileMaker Server for you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To secure your data from hackers while traveling the Internet, the\u00a0FileMaker Platform\u00a0provides a way to use the SSL Protocol with its FileMaker Server software. Information on how to do this is provided in detail in the\u00a0FileMaker Server product documentation. 
However, unless you know a little about how\u00a0the Internet works, just\u00a0what\u00a0one is doing and\u00a0how\u00a0it keeps your server [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-230","post","type-post","status-publish","format-standard","hentry","category-filemaker"],"_links":{"self":[{"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/posts\/230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/comments?post=230"}],"version-history":[{"count":1,"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/posts\/230\/revisions"}],"predecessor-version":[{"id":231,"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/posts\/230\/revisions\/231"}],"wp:attachment":[{"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/media?parent=230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/categories?post=230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/panditaseaman.com\/infocypher\/wp-json\/wp\/v2\/tags?post=230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}