Solved

Is it possible to use http instead of https in IFS app10?


Userlevel 2
Badge +6

We are upgrading to IFS app10. So far we have to install the SSL certificate on every user’s computer. It’s kind of a hassle. Our network admin doesn’t like it. Is http still available? Thanks for any input.

Best answer by GPIE 16 July 2020, 16:48

13 replies

Userlevel 5
Badge +11

You can use Active Directory to automatically install the certificate on every domain device using Group Policy Objects (GPO). Or use a domain issued certificate to encrypt the IFS app, then it is trusted by your clients.

Much better idea than turning off encryption.

Userlevel 2
Badge +6

Thanks, GPIE. Does it mean this needs to be done for each domain? We have companies in a few other countries. 

 

Userlevel 5
Badge +11

Depends on your AD setup, i.e. whether you have trust relationships. Multiple domains was not an issue that we had to deal with. It’s a relatively straightforward process to distribute a certificate via GPO so recreating it multiple times won’t take you too long? Are all of the domains visible in the AD/GPO “Forest”?

Userlevel 2
Badge +6

Hi, GPIE, I am not sure how our network admin sets up the communications with other domains. But I doubt the other domains are visible here in our headquarters office.

Thanks.

 

Userlevel 5
Badge +11

Have a look in GP Management - do you see just one domain or multiple domains (example below shows just one domain in the forest). If you have to log into every domain then you could export/backup the GPO and then import it to the other domains.

 

 

Userlevel 2
Badge +6

Hi, GPIE. I will check with our network admin since I cannot access the AD controller. Thanks for all the information.

Is http still doable if it is used in our intranet? The IFS app10 installer doesn’t seem to have the option anymore.

Userlevel 5
Badge +11

I’m not sure as we haven’t had to create our own app yet and can’t remember the training from a year ago. The other option is to use a commercial certificate that will be accepted by all clients, but you might be limited to one or two years then.

Userlevel 7
Badge +18

A better certificate to use would be one signed by a trusted certificate authority. Each workstation’s operating system has a collection of root certificates installed by default, and it walks up the chain to determine whether your certificate is trusted.

 

Self-signing is not a best practice. It trains your users to click through the error when you forget to install the cert, opening you up to man-in-the-middle attacks.

 

You might consider LetsEncrypt as a free solution if you’re not looking to spend money on a cert right now. The major authorities aren’t issuing long certs anyway in response to pressure from Mozilla and Google.

 

In Apps 9, we use the same certificate for HTTPS as we use to sign our applications with F1MAGE and DEPLOYUI. That’s now an easier option in Apps 10 to do both the HTTPS server and the ClickOnce application with one step.

Userlevel 2
Badge +6

Hello, Durette,

Great information!

We plan to install a proxy server and acquire a CA certificate eventually. Meanwhile we have to babysit our users (who are testing) to help them install the self-signed certificate. Our network guy would rather have it as http in our intranet. I will ask him to follow the recommendation by GPIE.

I will check out LetsEncrypt. So how long can a certificate last? Can it be long enough before our next upgrade? 

So you can use the F1MAGE for the HTTPS certificate. This is the first time I’ve learnt. 

Thanks a lot :)

Userlevel 5
Badge +9

As others have said you’re best either using a public CA certificate, or deploying the self signed certificate via GPO to the network.

Turning off HTTPS for plain HTTP is a VERY BAD idea and would allow for all traffic to and from the IFS server to client to be sniffed in plain text.

TLS/SSL (HTTPS) should always be used where possible.

Userlevel 7
Badge +18

> I will check out LetsEncrypt. So how long can a certificate last? Can it be long enough before our next upgrade?

Likely not. The major web browsers don’t trust certificates longer than 398 days, so long certs are no longer issued by the major commercial authorities.

https://www.thesslstore.com/blog/google-chrome-to-join-apple-safari-in-one-year-certificate-validity/

 

LetsEncrypt certs are good for 90 days.

https://letsencrypt.org/2015/11/09/why-90-days.html

 

Userlevel 2
Badge +6

Hi, Durette,

I’ve checked with our network admin. He has a wildcard certificate. But he is not sure how to combine the code signing certificate with it. Do you have some advice on this? Is there a detailed step-by-step instruction we can follow? Are there different steps to generate a CSR for this type of certificate?

Thank you.

 

Userlevel 7
Badge +18

> He has a wildcard certificate. But he is not sure how to combine the code signing certificate with it.
>
> Thank you.

 

You’ll need to convert your certificate to the PFX format.

In Apps 9, you would first reconfigure your extended server, i.e. by calling %IFS_HOME%\installer.cmd, and feed it your PFX file when it asks. You would then need to update your client manifest file by calling F1MAGE. (If you’re running Sales and Marketing, you’ll also need to update that other application manifest by calling DeployUI.)

In Apps 10, F1MAGE is now called by the extended server installer at the end of the process to sign the Enterprise Explorer application, so you can update both the HTTPS cert and the client signing cert in one shot with install.cmd.
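
The PFX conversion mentioned in the reply above, as an added example that is not part of the thread or of IFS's tooling. It assumes the certificate and key are PEM files and uses the OpenSSL command line (the thread names no tool): it checks that the key matches the certificate, bundles both into a password-protected PFX, and reports whether the certificate carries the Code Signing extended key usage. The function names, paths, `PFX_PASS` and the `*.example.test` certificate are constructed for the example.

```shell
#!/bin/sh
# Added example. Paths, PFX_PASS and the *.example.test certificate are constructed.

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {  # $1=cert.pem $2=key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the Extended Key Usage lists the purpose, e.g. "Code Signing".
has_eku() {  # $1=cert.pem $2=purpose text as printed by openssl
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Bundle cert + key (+ optional CA chain) into a PFX. The password is read from
# $PFX_PASS so that it does not appear in the process list.
make_pfx() {  # $1=cert.pem $2=key.pem $3=out.pfx [$4=chain.pem]
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077  # the PFX holds the private key: owner-only permissions
      openssl pkcs12 -export -in "$1" -inkey "$2" ${4:+-certfile "$4"} \
          -out "$3" -passout env:PFX_PASS )
}

# Print the subject of the leaf certificate stored in the PFX.
pfx_subject() {  # $1=file.pfx
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Constructed demo: a throwaway self-signed wildcard cert stands in for the real one.
work=$(mktemp -d)
export PFX_PASS='constructed-demo-password'
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=*.example.test' \
    -addext 'extendedKeyUsage=serverAuth' \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
make_pfx "$work/cert.pem" "$work/key.pem" "$work/ifs.pfx" && pfx_subject "$work/ifs.pfx"
has_eku "$work/cert.pem" 'Code Signing' || echo "no Code Signing EKU on this certificate"
```
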
