...
SSL is configured through the server:certificate and server:certificate_password settings in the appSettings.json file located in the DryvIQ (SkySync) installation folder. These changes can be made after a successful installation. The SkySync DryvIQ Manager service will need to be restarted for the changes to take effect. Follow the steps below to configure SSL.
1. Place your server certificate file in the SkySync installation directory or other secure location.
2. Edit the appSettings.json file in the SkySync installation directory to include the certificate file name and password. If the certificate is located outside the SkySync installation directory, specify the absolute path to the file, escaping backslashes. For example, "C:\\some-dir\\cert.pfx". The port settings will also need to be updated to reflect the environment. See the example below.
```json
{
  ...
  "server": {
    "port": 443,
    "certificate": "skysync.pfx",
    "certificate_password": "skysync"
  },
  ...
}
```
3. Restart the SkySync DryvIQ Manager service.
Optional server:check_certificate_revocation and server:load_full_cert_chain properties are also provided. By default both values are set to true. This means that by default, certificate revocation lists will be checked and the full certificate chain (as provided in the given PKCS12 certificate specified in server:certificate) is loaded into the user's trust store. In some cases server:check_certificate_revocation should be set to false, for example when blocking outbound traffic through port 80.
If outbound traffic through port 80 is blocked, the port must be opened the first time SkySync DryvIQ is started. This allows the root and intermediate certificates to be verified before placement in the trust store. The port may be closed again once SkySync DryvIQ has finished its startup process.
If setting |
...
Warning! It is highly recommended that weak TLS ciphers are disabled, such as RC4-based cipher suites and those using authentication and encryption less than 128 bits. The use of weak ciphers creates a risk of compromise of SSL or TLS communications, potentially allowing a man-in-the-middle attacker to decrypt network traffic. SkySync DryvIQ disables all protocols other than TLS 1.2. However, the system administrator must also ensure that the underlying system configuration excludes weak cipher suites. It is also recommended that system administrators disable client renegotiation and enable perfect forward secrecy. For additional information, please see Mozilla's recommendations. These settings are not configurable in SkySync DryvIQ, as the server inherits these settings from the host operating system in the case of Windows environments. For Windows environments, see this Microsoft Support Article for instructions on disabling individual ciphers. For Linux environments, a reverse-proxy server with the appropriate SSL/TLS protocol and cipher configuration is recommended. Please see your reverse-proxy's documentation for how to configure these settings.
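One way to check the result after the service restart, as an added example that is not part of the DryvIQ documentation or product: the Python script below audits a negotiated TLS session against the policy in the warning above. The function names, the policy constants and the sample sessions are assumptions made for illustration.

```python
import socket
import ssl

# Policy taken from the warning above: TLS 1.2 only, no RC4,
# at least 128-bit encryption, forward secrecy enabled.
REQUIRED_PROTOCOL = "TLSv1.2"
MIN_SECRET_BITS = 128
PFS_PREFIXES = ("ECDHE-", "DHE-")  # OpenSSL names for ephemeral key exchange


def audit_session(cipher_name, protocol, secret_bits):
    """Return a list of findings for one negotiated TLS session (hypothetical helper)."""
    findings = []
    name = cipher_name.upper()
    if protocol != REQUIRED_PROTOCOL:
        findings.append(f"protocol {protocol} negotiated, expected {REQUIRED_PROTOCOL}")
    if "RC4" in name:
        findings.append(f"RC4-based suite negotiated: {cipher_name}")
    if secret_bits < MIN_SECRET_BITS:
        findings.append(f"{secret_bits}-bit encryption is below {MIN_SECRET_BITS} bits")
    # The name-based forward secrecy check only applies to TLS 1.2 suite names.
    if protocol == REQUIRED_PROTOCOL and not name.startswith(PFS_PREFIXES):
        findings.append(f"no forward secrecy: {cipher_name}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with the server and return (cipher_name, protocol, secret_bits)."""
    context = ssl.create_default_context()  # verifies the certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return name, tls.version(), bits


if __name__ == "__main__":
    # Constructed sample sessions, not captured from a real server.
    # Replace with probe("your-host-name") to test a live instance.
    samples = [
        ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
        ("AES128-SHA", "TLSv1.2", 128),
        ("RC4-SHA", "TLSv1.2", 128),
    ]
    for session in samples:
        print(session[0], "->", audit_session(*session) or "OK")
```

A single handshake shows only the suite the server selects for this client's offer, not every suite it accepts, so a clean result does not replace reviewing the host or reverse-proxy cipher configuration.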
...