Secure Network Connections.
The following page documents how to configure secure connections using the KCML 6.20 & 6.90 versions of the Connection Manager and is only intended for use on legacy systems that do not support the KCML 7 Connection Manager.
To secure network connections using the KCML 7 Connection Manager see Connection Policy: Network Encryption
Versions 06.20 & 06.90 onwards of the Connection Manager, KCML and KClient are able to encrypt network traffic using the SSL/TLS protocols. All network traffic, from the initial connection, is encrypted.
However, this configuration has the disadvantages of requiring the use of an additional network port & service and also changing KClient settings. Later versions of the Connection Manager (07.02) & KClient (06.90) overcome this drawback by implementing a Connection Policy. The connection policy centralises all the configuration on the server. The Connection Manager can then use this policy to inform KClient what type of connection is required.
Setting up a secure Connection Manager
Secure Connection Mode is supported in versions 6.20 and 6.90 of the Connection Manager for the Linux and AIX5 operating systems. AIX5 will require the OpenSSL Runtime package to be installed, see: System Requirements
The default port for Secure Network Connections is 4790. This port number will need to be reserved in /etc/services.
For example:
KCCSSL 4790/tcp # KCML Connection Mgr with SSL
If the server is using PAM to authenticate, you will also need to register this network service. The PAM service name is a lower-case version of the network service name.
On Linux, copy the PAM configuration file for the standard Connection Manager service:
$ cd /etc/pam.d
$ cp kcc kccssl
On AIX 5.3+, use the addpam.ksh script that is shipped with KCML:
$ cd /usr/local/kcml
$ ./addpam.ksh kccssl
Secure Connection mode is enabled by using the -x SSLcert flag in /etc/inetd.conf or /etc/xinetd.d/KCCSSL.
Linux:
# default: on
# description: KCML Connection Manager
service KCCSSL
{
    flags           = REUSE NAMEINARGS
    socket_type     = stream
    wait            = no
    user            = root
    env             = LD_LIBRARY_PATH=/usr/local/kcml
    server          = /usr/local/kcml/kwebserv
    server_args     = /usr/local/kcml/kwebserv -x server.pem
    log_on_failure  += USERID
    log_on_success  =
    disable         = no
    per_source      = UNLIMITED
    instances       = UNLIMITED
}
AIX 5.2+ (OpenSSL 0.9.7 only):
KCCSSL stream tcp nowait root /usr/local/kcml/kwebserv /usr/local/kcml/kwebserv -x server.pem
KCML 7.01+ and KCML 06.20 (build 16217 or later) compiled for AIX 5.2, running on AIX 5.3 or AIX 6.1 with both OpenSSL 0.9.7 and 0.9.8 installed, will require the -z flag:
KCCSSL stream tcp nowait root /usr/local/kcml/kwebserv /usr/local/kcml/kwebserv -z -x server.pem
The -z flag forces the operating system to load the OpenSSL 0.9.7 libraries from /opt/freeware/lib and ignore the OpenSSL 0.9.8 libraries in /usr/lib.
You will then need to refresh the inetd or xinetd daemon.
KCML compiled for AIX5.3 uses OpenSSL 0.9.8 and does not require the -z flag.
If the SSLcert argument for the -x flag is not an absolute pathname, as above, the Connection Manager will assume the SSL certificate is in the same directory as kwebserv, in this case /usr/local/kcml/server.pem. You can create an SSL certificate with the openssl utility; see SSL Certificates for more information.
The SSL certificate should have read access for everyone:
$ ls -l /usr/local/kcml/server.pem
-rw-r--r-- 1 root system 2548 Nov 26 2009 /usr/local/kcml/server.pem
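The steps above touch four files (/etc/services, the PAM service file, the inetd or xinetd entry, and the certificate), and a mistake in any one of them only shows up as a failed connection later. The following pre-flight check is an added example, not a script shipped with KCML: the function name kccssl_preflight and its four path arguments are assumptions made here so the check can be pointed at staging copies of the real files, and the sample files it builds for the stand-alone run are constructed content, not taken from a real system.

```shell
#!/bin/sh
# Pre-flight check for a KCCSSL Connection Manager setup (added example;
# kccssl_preflight and its argument order are assumptions, not part of KCML).
#
# Usage: kccssl_preflight SERVICES_FILE PAM_FILE INETD_OR_XINETD_FILE CERT_FILE
# Prints one line per check and returns 0 only if every check passed.
kccssl_preflight() {
    services="$1"; pamfile="$2"; inetdcfg="$3"; cert="$4"
    rc=0

    # 1. The default secure port must be reserved as KCCSSL 4790/tcp.
    if grep -Eq '^KCCSSL[[:space:]]+4790/tcp' "$services"; then
        echo "ok:   KCCSSL 4790/tcp reserved in $services"
    else
        echo "FAIL: no 'KCCSSL 4790/tcp' entry in $services"; rc=1
    fi

    # 2. PAM looks for a service file named after the lower-case service name (kccssl).
    if [ -f "$pamfile" ]; then
        echo "ok:   PAM configuration present at $pamfile"
    else
        echo "FAIL: $pamfile missing (copy the kcc PAM file to kccssl)"; rc=1
    fi

    # 3. kwebserv must be started with the -x SSLcert argument; the pattern
    #    matches both the xinetd server_args line and a one-line inetd.conf entry.
    if grep -Eq 'kwebserv.*[[:space:]]-x[[:space:]]+[^[:space:]]+' "$inetdcfg"; then
        echo "ok:   kwebserv is started with -x in $inetdcfg"
    else
        echo "FAIL: no '-x SSLcert' argument for kwebserv in $inetdcfg"; rc=1
    fi

    # 4. The certificate must exist, contain a PEM certificate block and be
    #    readable by everyone. The 8th character of the ls -l mode string is
    #    the "other" read bit (the -rw-r--r-- listing shown on this page).
    if [ ! -f "$cert" ]; then
        echo "FAIL: certificate $cert not found"; rc=1
    else
        if grep -q 'BEGIN CERTIFICATE' "$cert"; then
            echo "ok:   $cert contains a PEM certificate"
        else
            echo "FAIL: $cert has no PEM certificate block"; rc=1
        fi
        perms=$(ls -ld "$cert" | cut -c1-10)
        case "$perms" in
            ???????r??) echo "ok:   $cert is readable by everyone ($perms)" ;;
            *)          echo "FAIL: $cert is not readable by everyone ($perms)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Stand-alone demonstration on constructed copies of the four files.
kccssl_demo() {
    dir=$(mktemp -d) || return 1
    printf 'ssh\t22/tcp\nKCCSSL\t4790/tcp\t# KCML Connection Mgr with SSL\n' > "$dir/services"
    : > "$dir/kccssl"    # stands in for /etc/pam.d/kccssl
    printf 'service KCCSSL\n{\n\tserver = /usr/local/kcml/kwebserv\n\tserver_args = /usr/local/kcml/kwebserv -x server.pem\n}\n' > "$dir/KCCSSL"
    # Constructed placeholder, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$dir/server.pem"
    chmod 644 "$dir/server.pem"
    kccssl_preflight "$dir/services" "$dir/kccssl" "$dir/KCCSSL" "$dir/server.pem"
    status=$?
    rm -rf "$dir"
    return $status
}

kccssl_demo
```

On a live system the call would be `kccssl_preflight /etc/services /etc/pam.d/kccssl /etc/xinetd.d/KCCSSL /usr/local/kcml/server.pem` (or /etc/inetd.conf on AIX); the permission check reads the mode from ls rather than testing readability as the current user, so it gives the same answer when run as root.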
Using a Secure Connection Manager
KClient
To enable Secure Network Connections in KClient, choose the Connect with encryption option in the Connection Page, or use the -l command-line switch. When KClient is running in Secure Connection mode, it will use a default port number of 4790. This can be overridden, as always, by setting the Service Port on the Options Page or by using the -V port switch.
Web browser
The Connection Manager's built-in web server and Remote Administration Functions can be accessed using a web browser that supports https:
You would use a URL of the form:
https://myhost:4790
Applications that use the Connection Manager to serve documentation can make use of the $SERVER_HTTP_URI environment variable to construct the $HELPSERVER URL.
For example:
dim uri$16
dim helpUrl$
uri$=ENV("SERVER_HTTP_URI")
IF (uri$ == " ")
    REM Not set, older version of kwebserv that did not support SSL, assume http:
    uri$="http:"
ENDIF
REDIM helpUrl$ = uri$ & "//" & ENV("SERVER_NAME") & ":" & ENV("SERVER_PORT") & "/" & ENV("SERVICE") & "/" & "Help"
ENV("HELPSERVER") = helpUrl$
Applications can check if a secure connection is being used by inspecting the $KSSL_SERVER_CERT environment variable.
If the Connection Manager is unable to negotiate a secure connection then a suitable error is reported to syslog.
Secure Sockets
SSL Certificates
SSL Error Codes
System Requirements