
New SSL Features in FileMaker Server 12


By: Wim Decorte and Steven H. Blackwell

Copyright 2012, Wim Decorte and Steven H. Blackwell. All rights reserved.


The new version of FileMaker Server has two important new features related
to SSL encryption. They are intended to provide greater flexibility in
configuration as well as greater security for connected guests.

In earlier versions, FileMaker Server automatically installed a self-signed SSL
certificate. That continues in FileMaker Server 12, but FileMaker has added an
option: new command lines request a custom certificate and then install it. The
certificate is issued by one of five well-known Certificate Authorities. The feature
works with both FileMaker Pro and FileMaker Go for encrypting data in transit.
Here are the new command lines for FileMaker Server 12. They are run from the
Terminal (Mac OS) or the Command Line Interface (Windows):

    fmsadmin CERTIFICATE CREATE server_name
    fmsadmin CERTIFICATE CREATE subject
    fmsadmin CERTIFICATE IMPORT certificate_file

What do these commands do?
Use the CERTIFICATE CREATE command to create the certificate request file
that you send to the Certificate Authority (serverRequest.pem), plus an encrypted
private key file that is used by the CERTIFICATE IMPORT command
(serverKey.pem).
Use the CERTIFICATE IMPORT command to create a custom server.pem file
that combines the certificate file that you get back from the certificate authority
with the encrypted private key file created by the CERTIFICATE CREATE command.
Use the subject parameter instead of server_name when the request must carry
more than the server name (organization, locality, and so on); some Certificate
Authorities require this additional information.


Certificates can be obtained from any of the following Certificate
Authorities:[1]

    Verisign
    Thawte
    GoDaddy
    GeoTrust
    Comodo

When the CERTIFICATE CREATE command line process is completed, it will
have created two files:

The request file: serverRequest.pem that you send to the Certificate
Authority; and,

The private key file: serverKey.pem.

The command places these files in the cStore directory inside the FileMaker
Server directory, as shown below.


Figure 1. The cStore directory holds the certificate request files

[1] It is possible that certificates from other Authorities can be used; these are the
ones that have been tested. FileMaker Go supports only these custom certificates.


When the CERTIFICATE IMPORT command line is run, it creates a new file called
serverCustom.pem by combining the certificate you get back from the Certificate
Authority[2] with the serverKey.pem file created earlier.
The two original files (serverRequest.pem and serverKey.pem) still matter
afterwards. serverKey.pem holds the private key; it is encrypted, but an encrypted
copy of the key is still a copy of the key. serverRequest.pem carries only the public
key and the subject, yet it is no longer needed once the certificate has been issued.
Do not leave either file in an unprotected location. We recommend that they not be
kept on the server or on other network locations once the import has succeeded.
As a result of this process, a connecting client can now check that the server
name it connected to matches the name in the certificate.[3] This is what thwarts a
Man-in-the-Middle Attack.
A Man-in-the-Middle Attack, also known as a Bucket Brigade Attack, is a
form of active eavesdropping in which the attacker makes independent connections
with the victims and relays messages between them, making them believe that they
are talking directly to each other over a private connection, when in fact the entire
conversation is controlled by the attacker.[4] With a custom certificate installed,
the FileMaker client compares the name in the certificate with the server name it
connected to; an attacker relaying the session would have to present a certificate
for that same name issued by one of the trusted authorities, which is exactly what
the check is designed to deny.
In Figure 2, Wim and Steven each think they are communicating directly with
one another over an encrypted channel. However, the Forces of Evil are spying on
them, have hijacked their session, and are routing their communications through
the Evil Forces Server, possibly substituting pieces of information along the way.
This is the essence of the Man-in-the-Middle Attack.

[2] Please note this command does not work with the default, generic FileMaker
certificate.
[3] Please note that FileMaker Server does not support validation using a
certificate revocation list (CRL validation).
[4] Man-in-the-middle attack, http://en.wikipedia.org/wiki/Man-in-the-middle_attack


Figure 2. Man-in-the-middle-attack

As part of this enhancement, FileMaker has added a new Get function,
Get(ConnectionState), that returns a number representing the security state of the
network connection:

1 for a non-secured connection (FileMaker Server with SSL disabled, or a
connection to a FileMaker Pro host).
2 for a secured (SSL) connection in which the server name doesn't match the
certificate (the default FileMaker Server installation).
3 for a secured connection with a fully verified server name in the
certificate.

Please note that Get(ConnectionState) does not check the encryption of data
in transit for web-published files all the way to the user's web browser. FileMaker
Server encrypts the connection between the hosted database and FileMaker Pro
clients, FileMaker Go clients, and the Web Publishing Engine. Connections between
the Web Publishing Engine and the Web Server, and between the Web Server and
the browser clients, must be separately managed and configured. In both Instant
Web Publishing and Custom Web Publishing, the Web Server (IIS or Apache,
depending on the OS) must have its own certificate, and it is the user's web
browser that verifies that SSL connection.
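The three states above, and the name check that separates state 2 from state 3, as an added example in Python; this is not code from the article or from FileMaker. It assumes a target that speaks TLS from the first byte, such as the Web Server on port 443, and makes no claim about how FileMaker's own client port behaves on the wire. The host name fms.example.com and the certificate dictionaries are constructed for illustration. dns_name_matches and cert_matches_host carry out the host-name comparison on the dictionary shape that Python's ssl module returns from getpeercert(), and connection_state maps a live handshake onto 1, 2 or 3.

```python
"""Model the three Get(ConnectionState) values with a plain-TLS probe.

Added example, not FileMaker's code.  Assumptions not taken from the
article: the target speaks TLS from the first byte (true of the Web Server
on 443, not necessarily of FileMaker's own client port), and a default
self-signed FileMaker certificate lands in state 2 because its name does
not match the host and it chains to no trusted CA.
"""
import socket
import ssl
import sys

NOT_SECURED = 1         # no TLS negotiated at all
SECURED_UNVERIFIED = 2  # TLS, but the certificate does not verify for this host
SECURED_VERIFIED = 3    # TLS, chain trusted and name matches the host


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a host, RFC 6125 style:
    case-insensitive, and a single '*' may stand for the whole leftmost
    label only ('*.example.com' covers fms.example.com but neither
    example.com nor a.b.example.com; 'f*.example.com' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False  # partial wildcard, wildcard too high up, or extra wildcards
    return (len(h_labels) == len(p_labels) and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Check a host against a certificate in the dict form that
    ssl.SSLSocket.getpeercert() returns.  subjectAltName DNS entries are
    authoritative when present; the subject commonName is only a fallback."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(dns_name_matches(name, hostname) for name in san)
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    return any(dns_name_matches(cn, hostname) for cn in cns)


def connection_state(host: str, port: int = 443, timeout: float = 5.0) -> int:
    """Connect to host:port and return 1, 2 or 3 as Get(ConnectionState) would.
    Network errors (refused, timeout) propagate: they are not a security state."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return SECURED_VERIFIED  # chain and host name both checked
    except ssl.SSLCertVerificationError:
        # TLS handshake ran, but the chain is untrusted or the name is wrong:
        # what a default self-signed FileMaker certificate produces
        return SECURED_UNVERIFIED
    except ssl.SSLError:
        # the peer answered with something that is not TLS
        return NOT_SECURED


# Constructed getpeercert()-shaped dicts for exercising the matcher offline.
SAMPLE_SAN_CERT = {
    "subject": ((("commonName", "ignored.example.com"),),),
    "subjectAltName": (("DNS", "fms.example.com"), ("DNS", "*.internal.example")),
}
SAMPLE_CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "fms.example.com"),)),
}
SAMPLE_DEFAULT_CERT = {  # stand-in for a generic self-signed certificate
    "subject": ((("commonName", "FileMaker"),),),
}

if __name__ == "__main__":
    # e.g.  python tls_state.py fms.example.com 443   (hypothetical host)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(connection_state(target, target_port))
```

With Python's default context, state 2 covers both a name mismatch and an untrusted issuer, because a client that cannot verify the chain has no business trusting the name inside it either; that is also why the generic self-signed certificate can never reach state 3 however its name is set. IP-address hosts are deliberately not handled, since they need the iPAddress alternative name rather than a DNS match.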

This new Get function also offers some interesting possibilities for testing
access to the solution, either through Record Level Access or through scripted
actions: a record-level access calculation or a script can, for example, decline to
proceed unless Get(ConnectionState) = 3.
In conclusion, FileMaker Server 12 now offers the ability to install custom
certificates that let clients verify that the server name matches the certificate. To
take advantage of this capability, developers or administrators must obtain a
certificate from one of the listed Certificate Authorities.


ABOUT WIM DECORTE
Wim Decorte is a Senior Architect and Senior Technical Project Lead at Soliant
Consulting Inc., a long-standing, reputable FileMaker development company and a
Platinum member of the FileMaker Business Alliance.
Wim is a FileMaker 7, 8, 9, 10 and 11 Certified Developer and the author of
numerous Tech Briefs and articles on FileMaker Server. He is also a frequent
speaker at the FileMaker Developer Conference and at FileMaker Developer groups
throughout the world. For his numerous contributions to the FileMaker community
he was awarded with the FileMaker Excellence Award in 2002. In addition to being
a renowned expert on FileMaker Server, Wim also specializes in integrating
FileMaker with other applications and systems across many technologies. His pet
project is the open source fmDotNet connector class that he created
(www.fmdotnet.org). Sometimes referred to as the Developer's developer, Wim has
been a true nomadic developer trekking from Belgium to Canada, through Germany
to Holland, and from Bermuda to his current home on the East Coast.

ABOUT STEVEN H. BLACKWELL
Steven H. Blackwell is a Platinum Member Emeritus of the FileMaker
Business Alliance, the first person ever so designated by FileMaker, Inc. in August
2011. From May of 2007 until October of 2011, he was a Platinum Level Member of
the FileMaker Business Alliance. From December of 1997 to April of 2007, he was a
Partner Level Member of both the Claris Solutions Alliance (CSA) and the FileMaker
Solutions Alliance (FSA). He has been developing business management solutions in
FileMaker Pro and its predecessor applications since 1986.
He is the author of the definitive volume FileMaker Security: The Book,
available at www.filemakersecurity.com. He is the creator and author of the new
FileMaker Security Blog, http://fmforums.com/forum/blog/13-filemaker-security-blog/
