
Charlotte PowerBuilder Conference

Moving at the Speed of Change, May 2015

Securing your Appeon Mobile & Web Applications

For PowerBuilder, Appeon Web & Appeon Mobile

2 Securing your Appeon Applications

An Actual Implementation Case Study!

By Chris Pollach – President: Software Tool & Die Inc.

Ottawa, Canada

• Email: [email protected]
• Blog: http://chrispollach.blogspot.ca
• PBDJ: http://chrispollach.sys-con.com
• LinkedIn: http://ca.linkedin.com/in/chrispollach
• SourceForge: http://sourceforge.net/projects/stdfndclass
• STD: http://www.softdie.ca

3 Implement a Secure Application Login!

4 Use Appeon’s Built-In LDAP Features

Implement using APPEON’s LDAP Method…

• of_ldaplogon ( string as_username, string as_password )

5 Use a DB Login Account!

• Cannot use the CONNECT command if using the Appeon Cache feature!
• Need to perform a real DB Connect
• Solution: Use a Web Service!

Tip: Check out the example OrderEntry application from the STD Foundation Classes framework!

http://sourceforge.net/projects/stdfndclass
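An added PowerScript illustration of the "real DB connect inside a web service" approach; this is not code from the presentation or from the STD Foundation Classes, and the object name n_ws_login, the DBMS/DSN values and the of_log helper are assumptions:

```powerscript
// n_ws_login (assumed web service object name), method of_dblogin.
// Runs on the application server, so it is not tied to Appeon's cached
// connection: it performs a real CONNECT with the supplied credentials
// and drops the connection again once the DBMS has accepted them.
public function boolean of_dblogin (string as_username, string as_password)
transaction ltr_check
boolean     lb_ok = FALSE

// Reject blank input before it reaches the DBMS.
if IsNull(as_username) or Trim(as_username) = "" then return FALSE
if IsNull(as_password) or as_password = "" then return FALSE
// The credentials are spliced into a connect string, so refuse the
// delimiter characters that would let a caller add their own DBParm keys.
if Pos(as_username, ";") > 0 or Pos(as_username, "'") > 0 then return FALSE
if Pos(as_password, ";") > 0 or Pos(as_password, "'") > 0 then return FALSE

ltr_check = CREATE transaction
ltr_check.DBMS   = "ODBC"                        // assumed driver
ltr_check.DBParm = "ConnectString='DSN=OrderEntry;UID=" + as_username + &
                   ";PWD=" + as_password + "'"    // assumed DSN name

CONNECT USING ltr_check;
if ltr_check.SQLCode = 0 then
   lb_ok = TRUE
   DISCONNECT USING ltr_check;
else
   // Record the failure for the audit trail: user name and DBMS message only,
   // never the password (of_log is an assumed logging helper).
   of_log("DB login failed for " + as_username + ": " + ltr_check.SQLErrText)
end if

DESTROY ltr_check
return lb_ok
end function
```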

6 Web Service Relationship

Diagram: a Web Service (exposing Command Shell (+), OCR Imaging, Log, eMail, Spell Check, PDF and more) runs on the Application Server with the Framework (@) and publishes a WSDL. Win32/64, Appeon Web and Appeon Mobile clients each call it through a WSDL (proxy) and the Framework (@); the service in turn talks to LDAP.

DEMO!

7 Use Active Directory Directly!

Use AD for …
• Login privileges (given Application)
• Group participation (given user)
• Role participation (given user)
• Check out my Active Directory presentation session for more details!

8 Active Directory via Web Services!

Diagram: the Web Service * (with Command Shell (+), Log and eMail) runs on the Application Server with the Framework (@) and publishes a WSDL. Win32/64, Appeon Web and Appeon Mobile clients each reach it through a WSDL (proxy) and the Framework (@), and the service queries the Active Directory Server over LDAP.

Legend
* - Web Service developed in PowerBuilder 12.x
+ - MS-Windows “PowerShell” operating system API.
@ - Open Source GNU/GPL Web Service framework (STD Foundation Classes)
LDAP: Lightweight Directory Access Protocol

9 Ensuring an Encrypted Web Session

10 Installing a Certificate

RHMB

Run: certmgr.msc

Can also be pushed out via (SMS) Systems Management Server!

11 Client Certificate

Run: certmgr.msc

12 Server Certificate (IIS)

Run: certmgr.msc

13 Enabling SSL in IIS

SSL Activation
1. Start the IIS Console from the MS-Windows Control Panel’s “Administrative Tools” section.
2. In the IIS Console’s SYSTEM TREE, select (highlight) the production web site name.
3. In the centre work area (pane) of the IIS Console, scroll down to the IIS section and then double-click the SSL Settings entry.

SSL Settings
1. In the actual SSL Settings dialogue ensure that the “Require SSL” check box is not checked (off).
2. Then select either the Require or Accept radio button.

14 Enable SSL in your Application!

SSL Activation – Step #1
1. In the IIS Console’s SYSTEM TREE, select (highlight) and expand the production web site name.
2. In the expanded list, navigate to and select (highlight) your Web / Mobile application name.
3. In the centre work area (pane) of the IIS Console, scroll down to the IIS section and then double-click the SSL Settings entry.

SSL Activation – Step #2
1. In the resulting “SSL Settings” work area of the IIS Console, check the “Require SSL” check box (ON).
2. In the “Client Certificates” area, check the “Accept” radio button (ON).

Note: Do not select the “Require” radio button unless two-way certificates are being used. Most web applications use a one-way trust – so the “Accept” setting is the only one to use!

15 Automatic HTTP to HTTPS Switching!

16 Automatic SSL switching ( HTTP=>HTTPS )

• Step#1 - Create a Web Page (ie: SSLredirect.htm) as follows:

<!-- beginning of HttpRedirect.htm file (saved as SSLredirect.htm in the steps that follow) -->
<script type="text/javascript">
function redirectToHttps()
{
    // Rebuild the requested URL on the https scheme. The query string is kept so that
    // application parameters survive the switch; the port is dropped so the default
    // HTTPS port (443) is used.
    var httpURL  = window.location.hostname + window.location.pathname + window.location.search ;
    var httpsURL = "https://" + httpURL ;
    // replace() keeps the plain-HTTP page out of the browser history, so the
    // Back button does not return the user to the unencrypted URL.
    window.location.replace( httpsURL ) ;
}
redirectToHttps() ;
</script>
<!-- end of HttpRedirect.htm file -->

17 Install the Redirection Web Page!

Step#1
1. In the IIS Console’s SYSTEM TREE, select (highlight) the production web site name.
2. In the centre work area of the IIS Console, scroll down to the IIS section.
3. Within this work area, double-click the “Error Pages” item to open it.

18 Install the Redirection Web Page (Continued)

Step#2
1. To the right of the “Error Pages” work area, select the “ADD” link in the “Action” pane.
2. In the resulting “Add Custom Error Page” dialogue, enter the value “403.4” (SSL is required to view this resource) in the Status Code field.
3. Next, select the BROWSE command button and point the 403.4 error code to use the “SSLredirect.htm” file that you copied in the previous section to the root of the IIS web server’s working root folder.

19 Install the Redirection Web Page (Continued)

Step#3
1. In the resulting “Add Custom Error Page” dialogue, enter the value “403.4” in the Status Code field.
2. Next, select the BROWSE command button and point the 403.4 error code to use the “SSLredirect.htm” file that you copied in the previous section to the root of the IIS web server’s working root folder.

Note: Now, when an HTTP connection is refused the logic in the “SSLredirect.htm” web page will retry the connection using the HTTPS protocol instead. If the users’ workstation certificate is authenticated under HTTPS, then your Appeon application will now start an encrypted session automatically!
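The same IIS settings as the configuration IIS Manager writes for slides 13/14 (SSL settings) and slides 17 to 19 (the 403.4 custom error page), added here as an illustration rather than taken from the presentation; the site and application names and the wwwroot path are assumptions.

```xml
<!-- applicationHost.config <location> entries as written by the IIS Manager steps above.
     "Default Web Site" and "AppeonApp" are assumed site / application names. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <!-- Slide 13, site level: "Require SSL" off with the Accept radio button,
           so plain HTTP is still served here and the 403.4 page below can be reached. -->
      <access sslFlags="SslNegotiateCert" />
    </security>
    <!-- Slides 17 to 19: 403.4 ("SSL required") returns SSLredirect.htm, whose script
         re-requests the page over https. errorMode="Custom" serves it to remote clients too. -->
    <httpErrors errorMode="Custom">
      <error statusCode="403" subStatusCode="4"
             path="C:\inetpub\wwwroot\SSLredirect.htm" responseMode="File" />
    </httpErrors>
  </system.webServer>
</location>
<location path="Default Web Site/AppeonApp">
  <system.webServer>
    <security>
      <!-- Slide 14, application level: "Require SSL" on and client certificates "Accept".
           The weaker "Require" radio button would be sslFlags="Ssl, SslRequireCert",
           which only works when two-way (client) certificates are actually deployed. -->
      <access sslFlags="Ssl, SslNegotiateCert" />
    </security>
  </system.webServer>
</location>
```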

20 Building A Session Timeout Web Page

21 Locate the default Web Page

22 Revise the Session Timeout Web Page

<td style="width: 50%;">Please perform one of the following actions:<br>
<ul>
  <li>Click
    <!-- Original static link, replaced by the script below so the page can link back to the calling application -->
    <!--a href="$$URL$$" class="style1"><font face="Verdana" size="2">Restart</font></a-->
    <span id="restartLink"></span>
    <script type="text/javascript">
      // The application URL is passed to this page after the "?" in its query string.
      var appurl = window.location.search.substring( 1 );
      // The value arrives from the request, so it is never written into markup as a raw
      // string: the link is built through the DOM and accepted only when it is a
      // same-origin http/https URL.
      var link = document.createElement( "a" );
      link.href = appurl;
      if ( appurl.length > 0 &&
           ( link.protocol === "http:" || link.protocol === "https:" ) &&
           link.host === window.location.host ) {
        link.className = "style1";
        link.innerHTML = '<font face="Verdana" size="2">Restart</font>';
        document.getElementById( "restartLink" ).appendChild( link );
      }
    </script>
    to log into the application again</li>
  <li>Click
    <a href="#" onclick="closeIE()" class="style1"><font face="Verdana" size="2">Close</font></a><font face="Verdana" size="2"> to exit the application</font></li>
</ul>
</td>

Tip: To test this, start the PCI Human Image Redaction web application. In the IIS console, restart the IIS Web server. Now, click on any link in the web application and you should see the above web page appear!

23 Implement an Application Timeout !

24 Use PowerBuilder’s IDLE feature!

• Use the IDLE ( ) Method to activate!
• Code the IDLE Event to display a Timeout dialogue!
• Provide a link back to the application but force the user to login again to continue!

Tip: Use a Timer on the application timeout dialogue to close the dialogue and exit the application if the user does not respond in a reasonable time frame. This closes a security TRA (Threat & Risk Assessment) item and forces Appeon to free up a Web/Mobile session!
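The IDLE pattern from the bullets and the tip above, as an added PowerScript illustration rather than the presenter's code; the interval values, the window names w_timeout and w_logon, the button cb_restart and the global gb_logged_in are assumptions.

```powerscript
// Application object, Open event (after a successful logon).
// Idle() arms the application's Idle event: it fires after the given number
// of seconds with no keyboard or mouse activity (assumed: 15 minutes).
Idle(900)

// Application object, Idle event: the user has gone quiet.
// Stop further idle checks while the dialogue is up, then open the
// time-out dialogue (w_timeout is an assumed response window).
Idle(0)
Open(w_timeout)

// w_timeout window, Open event.
// Timer() fires this window's Timer event every 60 seconds (assumed),
// so the dialogue cannot sit on screen indefinitely.
Timer(60)

// w_timeout window, Timer event: no response within the time frame.
// Stop the timer and terminate the application. HALT CLOSE still runs the
// application's Close event, which lets Appeon release the Web/Mobile session.
Timer(0)
HALT CLOSE

// w_timeout window, cb_restart Clicked event: the "link back" to the application.
// The old session is never resumed: clear the logon state and re-open the logon
// dialogue, which re-arms Idle() only after the user has authenticated again.
Timer(0)
gb_logged_in = FALSE
Close(Parent)
Open(w_logon)
```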

25 Securing your Applications

Summary
• DB Login
• Active Directory
• SSL
• Session Management
• Timeout Management

Lessons Learned
• Don’t underestimate the extra work to secure your PB/Appeon applications.
• Log everything
• Perform a proper TRA (Threat & Risk Assessment)
• Design for security!

26 Q&A Session

Questions?

27 Have you hugged your DataWindow today?