Server Authentication in OutsideView SSL Sessions

Introduction

SSL encryption of the terminal data stream is supported with OutsideView versions 7.2 and greater. The NonStop SSL proxy (NSSL) allows encrypted telnet sessions with OutsideView terminal emulation clients as well as SSL secured communication with virtually any SSL-enabled client. In addition to the privacy provided by encryption, one of the key security capabilities provided by SSL is validation of the identity of the parties corresponding in the session (authentication). The SSL handshake protocol defines an exchange of certificates between the client (e.g. OutsideView) and the server (e.g. NSSL) that uniquely identify their owners. While the protocol requires authentication of the server by the client, delivery and validation of the client certificate is optional and is not currently supported by OutsideView or NSSL.

Certificates are issued by Certificate Authorities (CA’s) which are trusted to insure the authenticity of the certificates they issue. These CA’s may be independent third parties (e.g. Verisign®) or organizations may operate their own certificate generation servers. During the SSL handshake, certificates returned to the client by the server will include the server’s certificate as well as that of the CA which issued that certificate.

NonStop SSL Proxy (NSSL) Certificates

By default, NSSL will use test certificates which are included in the installation as the Guardian files SERVCERT and CACERT with subject names “mynonstop.mydomain” and “NSSL Test CA”. For production implementations, you should create and use your own certificates or obtain these certificates from a third party CA. Tools for creation of CA and server certificates are included with NSSL. Please refer to the “Certificate Tools” section of the documentation for detailed instructions.

Server Authentication in OutsideView

OutsideView provides two methods for authenticating the SSL server; validation against the local certificate store and validation of the root CA fingerprint (MD5 message digest).

For intranet access where the users are likely to be employees of the organization, validation of the root CA fingerprint is probably sufficient. This method will insure that the server being accessed has obtained a certificate signed by a CA trusted by the organization. The NonStop administrator can create and distribute OutsideView session configuration files (*.cps) which contain the fingerprint of the root CA certificate.

If you wish to authenticate the server based on the fingerprint of the root CA certificate, you may obtain the fingerprint by viewing the certificate using the Certificate Tools. To include the root CA certificate fingerprint in the session settings:

1. the Session Settings I/O tab, select “Encrypt datastream using SSL”.
2. Select “Validate root CA fingerprint”.
3. Enter the value displayed in the Certificate Tools for the fingerprint value.

For connection by remote users, the end user should be provided with some means to independently validate the identity of the signing CA as well as the target host. Validation against the browser certificate store requires that the root CA certificate received from the server match a certificate already in the list of trusted certification authorities at the workstation. In addition, the common name included in the server certificate must match the fully qualified DNS name of the host being contacted. These steps assure that the communication is with a known host whose identity has been validated by a trusted authority virtually eliminating the possibility of “man-in-the-middle” spoofing.

If an organization maintains their own certificate authority, it is unlikely that the certificate from that CA will be in the certificate store of remote computers. The CA certificate may be distributed as a file and imported into the local computer’s certificate store through the Microsoft Management Console (mmc) or it may be directly imported using Internet Explorer. A detailed description on importing certificates into the local computer’s certificate store in Windows XP using mmc is available on the Microsoft site at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmprocsimport.mspx.

To import the certificate directly using Internet Explorer:

1. IE and connect with HTTPS protocol to the host and port you the proxy process is listening on (e.g. https://mytandem.mydomain.com:8423).
2. A security alert dialog will pop up with information about the certificates received during the SSL handshake with the proxy. Click on the “View Certificate” button.
3. Click on the “Certification Path” tab and select the certificate of the issuing CA.
4. Click on the “View Certificate” button.
5. After validating that the source of the certificate is known and trusted, in the “Certificate” dialog, click on the “Install Certificate…” button and follow the steps of the “Certificate Import Wizard” (accept all defaults).

To create an encrypted OutsideView session which validates against the browser certificate store; In the session settings I/O tab in OutsideView:

1. “Encrypt datastream using SSL”.
2. Select “Validate Certificate against browser certificate store” (default).
3. The “Advanced Certificate/Encryption Options” will allow selection of a cipher suite