Author: Kumar Navneet & Sharath Gabbeta

Ver: 1.2

Date: 22 June, 2016

Contents

1. SET UP and Login DETAILS

LAB – 1: Is your Private conversation PRIVATE?

LAB – 2: Demonstrate SSL Handshake

LAB – 3: Creating DIGITAL CERTIFICATE

Generate Public/Private Key pair

Optionally verify your CSR

Sign the Certificate

Create your Self-Signed server certificates

Create a ROOT CA and sign your own server certificate

Import the CA signed server certificate (for server)

Import the ROOT CA certificate in Client Cert Store (for Clients)

LAB – 4: Enabling and configuring SSL

AppServer:

Database:

PASOE:

LAB – 5: PASOE ROUND TRIP with HTTPS client authentication

LAB – 6: Troubleshoot and find where Lies the PROBLEM

ABLClient

Dot net client

Java OpenClient

Configure and troubleshoot AIA

Troubleshooting wsa

1. SET UP and Login DETAILS

Two Arcade instances:

Instance I – Will be used as Server Machine. This has preconfigured brokers and PAS Instances.

ec2-52-77-235-42.ap-southeast-1.compute.amazonaws.com (This machine should not be accessed)

Instance II – Each registered user will be given details to log in to this instance. For Lab 1, this instance will be used as the client machine. From later exercises onward, this machine will be used as both client and server for the sake of simplicity.

You will be asked to log in to this machine for your lab exercises.

To Login:

  1. Go to Start and type mstsc.exe
  2. Enter the Computer name as provided to you.
  3. Expand the Options and select Full screen in the Display tab (see below). Press Connect.
  4. Select “Use another account”. Refer to the screenshot below.
  5. Enter your user credentials as:

User Name: \Administrator

Password: Progress!2009

  6. If you see the dialog mentioned below (“The identity of the remote computer cannot be verified. Do you wish to connect anyway?”), click Yes to connect to the machine.
  7. Open “proenv” from Start -> All Programs -> Progress -> OpenEdge 11.6 (64-bit) -> Proenv

LAB – 1: Is your Private conversation PRIVATE?

Configuration/Dramatis personae:

  1. Alice a.k.a. the PAS OE server with a REST Service deployed (IP: ec2-52-77-235-42.ap-southeast-1.compute.amazonaws.com)
  2. Bob a.k.a. the Firefox/Chrome browser on the client machine (IP: use the machine name provided)
  3. Eve a.k.a. Wireshark on the client machine

Aim of the Lab: To show, using a network sniffer, that your data can be intercepted very easily in the absence of SSL.

1. If you are not logged in already, log on to the client machine (use the machine name provided). Refer to the SET UP AND LOGIN DETAILS section above.

2. Start Wireshark Legacy

Start > All Programs > Wireshark Legacy

3. Choose the Network Interface and click Start

4. In your browser (open Chrome from Start -> Google Chrome), copy URL1 from C:\PugArtifacts\Lab1.txt into the address bar and press Enter.

5. In the Wireshark:

  1. Press Stop.
  2. Then type “http.request.uri matches "1"” in the Filter area and press Apply.
  3. Locate the HTTP GET /rest/RESTService/customers/1
  4. Right click and select “Follow TCP Stream”

NOTE that you can see all the data in clear text.

Step 6: Start a fresh capture in Wireshark by clicking the “Start a new live capture” button. Refer to the screenshot below.

Step 7: Select the “Continue without Saving” button if you see the screen below.

Step 8: As in Step 5, modify the filter to the value “tcp.port==8811” and press the Apply button.

Step 9: In your browser, copy “URL2” from C:\PugArtifacts\Lab1.txt into the address bar and press Enter.

You will note that you get the following message. Press Advanced and select “Proceed to ec2-52-77-235-42.ap-southeast-1.compute.amazonaws.com (unsafe)”.

NOTE: Why this exception appears is discussed later in the workshop. It brings up topics like digital certificates and non-repudiation (a guarantee of the origin of the source).

Step 10: If you repeat Step 5, you will not be able to find any plain-text message sent by the server.

Conclusion:

  • Use of HTTPS makes a private conversation safe from eavesdroppers (Wireshark in our example).
  • HTTPS uses SSL/TLS to secure data in transit.

LAB – 2: Demonstrate SSL Handshake

  1. Go to the Wireshark window that is already open.
  2. Select any row whose Source and Destination correspond to the client and server IPs.
  3. Right click and select “Decode As…”.

Exercise:

  1. Select Client Hello and expand the middle pane to inspect the “Secure Socket Layer” section.
  2. Similarly inspect Server Hello to answer:
     a. What is the SSL version agreed?
     b. What is the cipher suite agreed?
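The two exercise questions above are answered by the ServerHello bytes: the server picks one protocol version and one cipher suite from what the ClientHello offered. The following Python script is an added example, not part of the original lab and not an OpenEdge tool; it parses a minimal TLS ClientHello and ServerHello record the way Wireshark's “Secure Socket Layer” pane does. The hello records are constructed inline for the demo (the random field is filler), and the cipher-suite table covers only the OpenSSL names used in this workshop, with their IANA codes.

```python
import struct

# TLS/SSL version codes as they appear on the wire.
TLS_VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",  # TLS 1.3 also writes 0x0303 here and signals 1.3 in an extension
}

# IANA cipher-suite codes for the OpenSSL cipher names used in this workshop.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",            # RC4-MD5
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",        # AES128-SHA
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",     # AES128-SHA256
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",     # AES256-SHA256
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", # DHE-RSA-AES128-SHA256
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", # DHE-RSA-AES256-SHA256
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",     # AES128-GCM-SHA256
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", # DHE-RSA-AES128-GCM-SHA256
}

HANDSHAKE = 0x16                     # record content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header, checking types and lengths."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type != expected_type:
        raise ValueError("unexpected handshake message type 0x%02x" % hs_type)
    if hs_len != rec_len - 4:
        raise ValueError("handshake length mismatch")
    return record[9:]


def parse_client_hello(record: bytes) -> dict:
    """Return the client's proposed version and the list of cipher suites it offers."""
    body = _handshake_body(record, CLIENT_HELLO)
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "offered": [CIPHER_SUITES.get(s, hex(s)) for s in suites]}


def parse_server_hello(record: bytes) -> dict:
    """Return the agreed version and the single cipher suite the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip server_random
    sid_len = body[pos]
    pos += 1 + sid_len
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "agreed": CIPHER_SUITES.get(suite, hex(suite))}


def build_hello(msg_type: int, version: int, suites: list, session_id: bytes = b"") -> bytes:
    """Build a minimal hello record: constructed test data, not a real capture."""
    body = struct.pack("!H", version) + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    if msg_type == CLIENT_HELLO:
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"                       # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!H", 0x0303) + struct.pack("!H", len(hs)) + hs


# Constructed sample exchange: client offers three suites, server picks AES128-SHA256.
CLIENT_HELLO_SAMPLE = build_hello(CLIENT_HELLO, 0x0303, [0x003C, 0x009C, 0x0004])
SERVER_HELLO_SAMPLE = build_hello(SERVER_HELLO, 0x0303, [0x003C])

if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO_SAMPLE))
    print(parse_server_hello(SERVER_HELLO_SAMPLE))
```

Compare the `offered` list with the `agreed` value: the server's choice is the answer to both exercise questions, and a server that picks RC4-MD5 from a list that also offered AES-GCM is the kind of misconfiguration this inspection is meant to catch.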

LAB – 3: Creating DIGITAL CERTIFICATE

Generate Public/Private Key pair

In this example, we’ll generate a 2,048-bit RSA key pair. A smaller key, such as 1,024 bits, is insufficiently resistant to brute-force attacks. A larger key, such as 4,096 bits, is overkill for this lab.

Execute following commands from proenv.

  1. Open “proenv” from Start -> All Programs -> Progress -> OpenEdge 11.6 (64-bit) -> Proenv
  2. proenv> set RANDFILE=.rnd
  3. proenv> pkiutil -keysize 2048 -newreq pugDemo
  4. For PEM Passphrase: provide the passphrase “pugws” (without quotes). This is the password used to encrypt the private key.
  5. Please check the screenshot below for reference.

NOTE: While entering the Server DNS Name, if you enter * for the subdomain (e.g. *.progress.com instead of a specific host name), the certificate so created is known as a WILDCARD certificate. Such certificates can be used to secure multiple hosts like pug.progress.com, oe.progress.com, etc.

Keep in mind that in wildcard certificates the wildcard applies to only 1 DNS label. A certificate good for *.example.com will work for foo.example.com and bar.example.com, but not for foo.bar.example.com.
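To make the one-label rule concrete, here is an added Python example (not part of the lab and not OpenEdge code) that implements the host name check a TLS client performs against a certificate name: the wildcard may only be the entire left-most label, it matches exactly one label, and comparison is case-insensitive. The host names are the ones from the note above plus a few constructed edge cases.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname.

    Rules applied (the usual RFC 6125 reading, matching the lab note):
      - comparison is case-insensitive and label by label;
      - '*' is only accepted as the whole left-most label;
      - '*' matches exactly one label, so *.example.com covers foo.example.com
        but neither foo.bar.example.com nor example.com itself;
      - a wildcard directly under a TLD (e.g. *.com) is refused.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Wildcard must be the entire left-most label and the only label containing '*'.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse '*.com'-style names that would cover a whole top-level domain.
    if len(p_labels) < 3:
        return False
    # Exactly one label is substituted, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def certificate_covers(cert_names: list, hostname: str) -> bool:
    """True if any of the certificate's DNS names (SAN entries or CN) matches hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: the names from the lab note.
    for host in ("foo.example.com", "bar.example.com", "foo.bar.example.com", "example.com"):
        print(host, "->", wildcard_matches("*.example.com", host))
```

A certificate that needs to cover both `example.com` and its sub-hosts therefore lists both names (`example.com` and `*.example.com`) in its Subject Alternative Name; the wildcard alone is not enough.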

NOTE: We have modified the policy file %DLC%\keys\policy\pscpki.cnf by adding:

prompt = no

and by providing the Distinguished Name details, so that you don’t need to type them. These steps are not mandatory; they are done for ease of the lab.

[req_distinguished_name]
C = US
ST = MA
L = Bedford
O = Progress Software Corporation
OU = OpenEdge
CN =

  6. As a result of the step above, the following two files are generated in %DLC%\keys\requests:

Proenv> dir %DLC%\keys\requests

  1. pugDemo.pk1 – the private key
  2. pugDemo.pk10 – the public key plus information about your organization. This serves as a Certificate Signing Request (CSR) to a CA (certificate authority) and is in PKCS#10 format.

Optionally verify your CSR

  1. proenv> sslc req -text -in %DLC%\keys\requests\pugDemo.pk10 -noout
  2. Check the Subject and signature algorithm and validate that they match what you supplied, either on the command line or in the policy file.

Sign the Certificate

  • You can submit your CSR to a CA (such as Verisign, Digicert, Globalsign, GoDaddy, etc.), which will charge you a fee for the service of vouching for your public key (in the CSR). This is what you would do in a production scenario.
  • For testing your set-up, you can create a self-signed server certificate.
  • For testing purposes, you can also create your own private CA to produce a signed server certificate.
  • There are also a number of free public CAs which can sign your CSR for testing purposes.

For example, you can use the steps below to sign using a free public CA. (NOTE: these steps are for your reference only. They are simple and you can try them out later. We will not follow them in our lab.)

Copy the content of %DLC%\keys\requests\pugDemo.pk10, paste it into the area provided for submitting the CSR and press the Submit CSR button.

This will give you your signed public certificate/key in .cer and .pem format. It will also give you Getacert’s public certificate/key (.cer), which needs to be installed on the client machine.

Create your Self-Signed server certificates

The following steps are for your reference only. We will not create a self-signed server certificate in this lab.

  1. For testing you can self-sign server certificates using the command below.

NOTE: self-signed certificates must NOT be used in production.

proenv> sslc x509 -req -days 365 -in %DLC%\keys\requests\pugDemo.pk10 -signkey %DLC%\keys\requests\pugDemo.pk1 -out %DLC%\keys\requests\pugDemo.cer

Create a ROOT CA and sign your own server certificate

  1. Create a new directory named “newcerts” in %DLC%\keys, and create an index.txt and a serial file inside %DLC%\keys\:
  2. md %DLC%\keys\newcerts
  3. copy con %DLC%\keys\serial

Type 01, press Enter

Type CTRL + Z, press Enter

  4. copy con %DLC%\keys\index.txt

Type CTRL + Z, press Enter

  5. A ROOT CA certificate is a self-signed certificate. We have generated a root CA certificate and private key for you. You can find them in %DLC%\keys\requests\. Use this CA private key (workshopCA.pk1) to sign the certificate request (pugDemo.pk10) and generate a server certificate (pugDemo.cer).

For this lab we have created a batch script (viz. signPugDemo.bat) that you can run to sign the request and produce pugDemo.cer (and save yourself the ordeal of typing).

proenv> signPugDemo.bat

The following is the content of signPugDemo.bat for your perusal:

======

sslc ca -cert %DLC%\keys\requests\workshopCA.cer -in %DLC%\keys\requests\pugDemo.pk10 -keyfile %DLC%\keys\requests\workshopCA.pk1 -days 365 -md sha256 -out %DLC%\keys\requests\pugDemo.cer

======

Provide the password “pugws” when prompted, and answer “y” (without quotes) when asked “Sign the certificate?” and “1 out of 1 certificate requests certified. Commit?”. Refer to the screenshot below.

Import the CA signed server certificate (for server)

  1. Use pkiutil to generate this server’s .pem file containing the server’s private key and digital certificate.
  2. Proenv> pkiutil -import pugDemo %DLC%\keys\requests\pugDemo.cer
  3. For PEM Passphrase: provide the passphrase “pugws” (without quotes).
  4. Please check the screenshot below for reference.
  5. Use pkiutil -list to check that pugDemo is listed:

Proenv> pkiutil -list pugDemo

  6. There must now be a pugDemo.pem inside the %DLC%\keys folder.
  7. Optionally view the server’s .pem:

proenv> pkiutil -print pugDemo

NOTE: if subject and issuer are the same, it is a self-signed certificate.

Import the ROOT CA certificate in Client Cert Store (for Clients)

  1. proenv> certutil -import %DLC%\keys\requests\workshopCA.cer

Importing trusted certificate to alias name: 11145b1d

  2. proenv> certutil -import %DLC%\keys\pugDemo.pem

Importing trusted certificate to alias name: fa4f279a

  3. Import %DLC%\keys\requests\pugDemo.cer into psccerts.jar.

(Note: this will be needed in the Troubleshooting Lab while working on the JavaOpenClient and AIA labs.)

  4. Create a folder clientcerts:
  5. proenv> md clientcerts
  6. proenv> copy %DLC%\keys\requests\pugDemo.cer clientcerts\pugDemo.pem
  7. NOTE: you need to rename the .cer to .pem for it to be imported using the procertm utility.
  8. proenv> copy %DLC%\certs\psccerts.jar clientcerts\pugDemocerts.jar
  9. proenv> cd %WRKDIR%

LAB – 4: Enabling and configuring SSL

NOTE: In this exercise we will use the client machine as both client and server.

AppServer:

  1. Start the AdminServer (if it is not started already).
  2. proenv> cd %WRKDIR%
  3. proenv> proadsv -start
  4. proenv> fathom -query
  5. Once you see the status as Running in the console, continue with the step below.
  6. In the Chrome browser enter the URL
  7. Login with admin/4admin
  8. Go to Resources -> AppServer. Refer to the screenshot below.
  9. Enter the name “mysslbroker” and press “Save”.
  10. If you see the validation message below, select OK to proceed further.
  11. Select the Edit button to edit the configuration and change the following in Broker:
  12. General > Port Number: 3098
  13. General > Operating Mode: Stateless

NOTE: You may use any operating mode with SSL. However, for this exercise we will keep it as stateless.

  1. Logging Setting > Broker Logging Level: Extended
  2. Optional step (for the lab you may skip this): Logging Setting > Broker logging entry types: UBroker.Basic,UBroker.SSL
  3. Advanced setting > Jvmargs section:

-Djavax.net.debug=ssl -Dcom.rsa.jsse.logFile=@{WorkPath}\mysslbroker.ssl.log

NOTE:

  • This is needed for logging in the AppServer broker, which uses the “BSAFE RSA SSLJ” implementation of the SSL stack.
  • In “stateless” operating mode, the broker performs the SSL handshake with the client.
  • For state-reset/state-aware modes, an SSL handshake is done between broker and agent during AppServer start-up when agents are spawned. However, in the SSL handshake between an AppServer client and the AppServer, it is the agent that takes the active part. The agent uses the OpenSSL implementation, so the setting above does not help with OpenSSL logging. For state-reset/state-aware modes, setting SSLSYS_DEBUG_LOGGING is more helpful.
  1. Navigate to the SSL tab.
  2. Check Enable SSL client connections.
  3. Private key/Digital certificate alias name: select the certificate that we created (pugDemo) from the list of private key aliases in the drop-down.

NOTE: we will use the server certificate created in the previous lab, pugDemo.

  4. In the Password field provide the password “pugws” (without quotes).
  5. Environment:

SSLSYS_DEBUG_LOGGING=5

NOTE:

(*) SSLSYS_DEBUG_LOGGING=5 causes detailed logging from the AppServer agent to be dumped to cert.server.log.

  1. Press Save and navigate to the AppServer home page (press the AppServer name link) to start the AppServer. Refer to the screenshot below to navigate.

NOTE: The mysslbroker starts with the default SSL protocol of TLSv1.2 and the default set of SSL ciphers, viz. AES128-SHA256, AES128-GCM-SHA256, AES256-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256.

If you wish to start the broker with a different set of protocols and ciphers, you can do so by setting the following in the Environment section, e.g.:

PSC_SSLSERVER_PROTOCOLS=TLSv1.1,SSLv3

PSC_SSLSERVER_CIPHERS=AES128-SHA,RC4-MD5
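The protocol/cipher setting above only illustrates the syntax: SSLv3 and RC4 have been withdrawn from use (RFC 7568 and RFC 7465) and TLSv1.0/1.1 are deprecated (RFC 8996), so a broker started that way would accept connections that a modern client should refuse. As an added example that is not part of the lab and not an OpenEdge tool, the following Python script parses Environment-section lines of the form shown above and flags such settings. Both inputs are constructed from values on this page: the broker's default list and the weak example.

```python
# Protocol names that must not be enabled on a server today.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# OpenSSL cipher-name components that mark a suite as weak or unauthenticated.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")


def parse_env_lines(text: str) -> dict:
    """Parse KEY=VALUE lines as in the Environment section; values are comma lists.

    Spaces around commas and after '=' are tolerated because the lab shows both forms.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return settings


def audit_tls_settings(text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    settings = parse_env_lines(text)
    findings = []

    for proto in settings.get("PSC_SSLSERVER_PROTOCOLS", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"protocol {proto} is deprecated; allow TLSv1.2 or later only")

    ciphers = settings.get("PSC_SSLSERVER_CIPHERS", [])
    for cipher in ciphers:
        parts = cipher.upper().split("-")
        bad = [m for m in WEAK_CIPHER_MARKERS if m in parts]
        if bad:
            findings.append(f"cipher {cipher} uses {', '.join(bad)}")

    # Without a DHE/ECDHE suite every session key is protected only by the server's
    # RSA key, so a later key compromise exposes recorded traffic.
    if ciphers and not any(c.startswith(("DHE-", "ECDHE-")) for c in ciphers):
        findings.append("no DHE/ECDHE cipher configured: sessions lack forward secrecy")

    return findings


# Constructed inputs taken from the values shown in this lab.
DEFAULT_SETTINGS = """
PSC_SSLSERVER_PROTOCOLS=TLSv1.2
PSC_SSLSERVER_CIPHERS= AES128-SHA256, AES128-GCM-SHA256, AES256-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256
"""

LAB_EXAMPLE_SETTINGS = """
PSC_SSLSERVER_PROTOCOLS=TLSv1.1,SSLv3
PSC_SSLSERVER_CIPHERS=AES128-SHA,RC4-MD5
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_SETTINGS), ("lab example", LAB_EXAMPLE_SETTINGS)):
        print(label, audit_tls_settings(text) or ["ok"])
```

Run it against the Environment section of a broker before starting it; the default list passes, while the example list produces four findings (two protocols, one cipher, no forward secrecy).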

  1. Open ABLClient_lab4.p in “prowin” and run it. abl_lab4.pf is configured to connect to the broker created above. Follow the steps below in proenv.
  2. proenv> prowin
  3. In prowin, press F3 and select ABLClient_lab4.p to open it.
  4. Press F2 to run the file.
  5. The connection succeeds and you will see a welcome message.
  6. Take a look at abl_lab4.pf.

NOTE: The ABL client uses a default SSL protocol and cipher to make a connection to the SSL-enabled broker.

If you need the ABL client to connect using a different protocol or ciphers, you will need to add -sslprotocols and -sslciphers to the .pf file. However, for this lab DON’T change the protocol and ciphers.

E.g.

====
-H localhost
-S 3098
-AppService mysslbroker
-DirectConnect
-ssl
-nohostverify
-sslprotocols TLSv1
-sslciphers AES128-SHA,RC4-MD5
====

When the server certificate doesn’t contain the hostname in the CN field, we use -nohostverify to skip host name verification.

Database:

  1. Close all existing proenv shells.
  2. Open a new proenv shell: Start -> All Programs -> Progress -> OpenEdge 11.6 (64-bit) -> proenv
  3. In the proenv shell set the following. This will create client.cert.log for the ABL client (or any other client) connecting to the database broker. The SSL logs for the database broker will be dumped to server.cert.log.

proenv> set SSLSYS_DEBUG_LOGGING=5

The default SSL protocol and ciphers that the database broker starts with are as follows:

PSC_SSLSERVER_PROTOCOLS=TLSv1.2

PSC_SSLSERVER_CIPHERS=AES128-SHA256, AES128-GCM-SHA256, AES256-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256

If you wish to use non-default protocols and ciphers, you can set these environment variables in the proenv shell.

  1. Create an OpenEdge database:

Proenv> prodb mydb sports2000

  2. proserve the database with SSL options. Provide pugDemo.pem as the server certificate.

====

Proenv> genpassword -password pugws

2027283021

  • genpassword is used to encrypt the password so that we don’t pass it as clear text on the command line. Use the generated value above for -keyaliaspasswd.

Proenv> proserve mydb -S 15000 -H localhost -ssl -keyalias pugDemo -keyaliaspasswd 2027283021

====

  1. proenv> prowin -db mydb -S 15000 -H 127.0.0.1 -nohostverify
  2. When the server certificate doesn’t contain the hostname in the CN field, we have to specify -nohostverify for the connection to succeed.
  3. To test whether the client session and database have SSL enabled, run the following code from an ABL/4GL session: press F3, select test_ssl_db.p, and then press F2 to run it:

=====

message ssl-server-name (ldbname(1)) ldbname(1) view-as alert-box .

====

If SSL is enabled for a networked connection you will see the message shown in the screenshot below:

If the connection is self-service to an SSL-enabled database (encryption is not enabled for a self-service session) you will see:

If SSL is not enabled on the database and a network connection is made and the code is run, the program returns:
? db_name

  1. Close the procedure editor.
  2. Now connect to the database using SQLEXP in proenv:
  3. proenv> sqlexp -driverUrl "jdbc:datadirect:openedge://localhost:15000;databaseName=mydb;user=Administrator;password=Progress!2009;EncryptionMethod=ssl;CryptoProtocolVersion=TLSv1.2;EnableCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256;validateServerCertificate=false"

(NOTE the EncryptionMethod, CryptoProtocolVersion, EnableCipherSuites and validateServerCertificate entries above. If you are troubleshooting a handshake failure, you must first examine these values. validateServerCertificate=false turns off validation of the server certificate, including host name verification, which is why the connection succeeds here without the CA being trusted by the JDBC client.)

  4. This will bring up the SQLEXP prompt.
  5. Type any SQL query, such as:

SQLExplorer>select * from PUB.customer where custNum < 5;

  6. Type “exit” to return to the proenv prompt.

PASOE:

All PASOE instances are preconfigured with default https settings.