
Purpose

Note: the use of the Mobilink redirector has been deprecated. Relay Server should be used instead. This document is retained for historical purposes only.

The purpose of this page is to discuss configuring MobiLink clients for HTTPS communication with the MobiLink redirector using Apache.

Introduction

Data security should be the top concern of every IT administrator in today’s information marketplace. The task of securing all corporate data can be a daunting task, since the data can be distributed among hundreds of devices in the field. Ensuring that each mobile device communicates in a secure fashion to your consolidated database protects your data from interception, modification, and intellectual property theft.

With an increased concern for IT security, simply opening a port on a corporate firewall for data communications may face strong resistance in a corporate IT department. However, many corporate networks already allow for the presence of a web server to be exposed to the Internet. With Sybase iAnywhere’s MobiLink data synchronization technology, the MobiLink Redirector component allows MobiLink data traffic to be transmitted via an intermediate web server, eliminating the need for additional data ports to be opened.

This article outlines how to use the MobiLink synchronization technology securely through the Apache HTTPD Server to provide a secure connection from the field device right to the MobiLink server.

The image below illustrates the architecture of the synchronization that is set up in this tutorial:

Software Requirements

The following software is required:

  • Apache HTTPD Server 2.0.x with the OpenSSL package (mod_ssl)
  • SQL Anywhere with MobiLink 10.0.1 or later, with the included RSA encryption option
  • The MobiLink Contact Sample, found in "%SQLANYSAMP10%\Mobilink\Contact"

Note: The export of encryption technologies is restricted in some countries. Consult the Apache documentation for more information.

Software Installation

For illustration purposes, the remainder of this document assumes that the Apache HTTPD server is set up to accept connections on ports 80 (HTTP) and 443 (HTTPS) and that the MobiLink server is configured to accept HTTPS connections on port 20000. For clarity, assume that the Apache server is hosted on a computer named apache-srv and MobiLink is hosted on a computer named mobilink-srv.

If you are running the sample on your own computer, you can replace all instances of apache-srv and mobilink-srv with localhost.

Setting Up the Sample and Generating the Certificates

To set up the sample and generate certificates:

  1. Choose Start > Run and type cmd.
    1. Run the following commands:
      • cd %SQLANYSAMP10%\MobiLink\Contact
      • build
    2. Generate a certificate to be used for dbmlsync-to-Apache communications by running the following command:
           createcert
      The following line appears:
           SQL Anywhere X.509 Certificate Generator Version 10.0.1.3662
    3. Enter the following values at each corresponding prompt (the value to type is shown after each prompt):
           Choose encryption type ((R)SA or (E)CC): R
           Enter RSA key length (512-16384): 2048
           Generating key pair...
           Country Code: CA
           State/Province: ON
           Locality: Waterloo
           Organization: SAP
           Organizational Unit: Technical Support
           Common Name: Apache Certificate
           Enter file path of signer's certificate:
           Certificate will be a self-signed root
           Serial number [generate GUID]:
           Generated serial number: 8cf1176d05e443e198c360093e176365
           Certificate valid for how many years (1-100): 30
           Certificate Authority (Y/N) [N]: N
           1. Digital Signature
           2. Nonrepudiation
           3. Key Encipherment
           4. Data Encipherment
           5. Key Agreement
           6. Certificate Signing
           7. CRL Signing
           8. Encipher Only
           9. Decipher Only
           Key Usage [3,4,5]:
           Enter file path to save certificate: dbmlsync.crt
           Enter file path to save private key: apache-pw.key
           Enter password to protect private key: password
           Enter file path to save identity: apache.crt
      Caution: Not specifying a password for the private key in createcert (when generating apache.crt) causes OpenSSL to fail when reading in the certificate for re-encoding (see below for details) and gives the following error:
           unable to load Private Key
           508:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn
           1\tasn_dec.c:1007:
           508:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
           :.\crypto\asn1\tasn_dec.c:629:
           508:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:.\
           crypto\asn1\tasn_dec.c:567:Field=n, Type=RSA
           508:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:.\crypto\asn1\
           d2i_pr.c:96:
           508:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_pkey
           .c:122:
      As a result, Apache is not able to natively read this private key.
    4. Generate another certificate to be used for Apache-to-MobiLink communications by running the following command:
           createcert
      The following line appears:
           SQL Anywhere X.509 Certificate Generator Version 10.0.1.3662
    5. Enter the following values at each corresponding prompt (the value to type is shown after each prompt):
           Choose encryption type ((R)SA or (E)CC): R
           Enter RSA key length (512-16384): 2048
           Generating key pair...
           Country Code: CA
           State/Province: ON
           Locality: Waterloo
           Organization: SAP
           Organizational Unit: Technical Support
           Common Name: MobiLink Certificate
           Enter file path of signer's certificate:
           Certificate will be a self-signed root
           Serial number [generate GUID]:
           Generated serial number: 8cf1176d05e443e198c360093e176365
           Certificate valid for how many years (1-100): 30
           Certificate Authority (Y/N) [N]: N
           1. Digital Signature
           2. Nonrepudiation
           3. Key Encipherment
           4. Data Encipherment
           5. Key Agreement
           6. Certificate Signing
           7. CRL Signing
           8. Encipher Only
           9. Decipher Only
           Key Usage [3,4,5]:
           Enter file path to save certificate: apache-cli.crt
           Enter file path to save private key: mobilink-pw.key
           Enter password to protect private key: password
           Enter file path to save identity: mobilink.crt
    6. Re-encode the Apache server key with the OpenSSL utility so that the key is no longer encrypted with a password:
           C:\Program Files\Apache Group\Apache2\bin\openssl rsa -in apache-pw.key -passin pass:password -out apache.key
      Caution: If the private key remains password-protected, Apache mod_ssl cannot load the certificate automatically on Microsoft Windows, because Apache must supply the key's pass phrase when it loads the certificate. On Unix and Linux systems, Apache prompts for the pass phrase on the console at server start-up. The Windows build of Apache does not support this prompt and instead reports the following in the error log at start-up:
           [error] Init: SSLPassPhraseDialog builtin is not supported on Win 32
      On Windows, you can keep a password on the key only if you also configure Apache to run an external executable whose command line returns the pass phrase to Apache.
    7. Type start to open the current folder in Windows Explorer.
  2. Edit the script files so that MobiLink accepts connections via HTTPS on port 20000, and dbmlsync communicates with the Apache server via port 443 (HTTPS):
    1. Open step1.bat in a text-editor such as Notepad. On line 10, change the line that looks like this:
           start mlsrv10 -c "dsn=dsn_consol" -o mlserver.mls -v+ -dl
      to look like this (all on one line):
           start mlsrv10 -c "dsn=dsn_consol" -o mlserver.mls -v+ -dl -x https(port=20000;tls_type=rsa;certificate=mobilink.crt;certificate_password=password)
    2. Open step2.bat in a text-editor such as Notepad. For any lines that start with dbmlsync, append the following text to the end of the line (all on one line):
           -e "CTP=https;ADR='host=apache-srv;port=443;trusted_certificates=dbmlsync.crt;certificate_name=Apache Certificate;url_suffix=/iaredirect/ml'"
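As an added illustration of the caution in step 6 above (example code written for this page, not part of the SAP Contact sample or of the MobiLink product), the following Python function classifies a PEM private key by the two standard OpenSSL markers for password protection: the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" label, or a "Proc-Type: 4,ENCRYPTED" header in a traditional key file. The sample PEM texts are constructed placeholders rather than real keys, and the function names are this example's own. Run it over apache.key before restarting Apache: the re-encoded key must report unencrypted.

```python
# Added example for this page (not SAP sample code): detect whether a PEM private key
# still carries a pass phrase, which is the condition that makes Apache mod_ssl on
# Windows fail at start-up as described in the caution above.
import re

# Constructed samples; the base64 bodies are placeholders, not real key material.
ENCRYPTED_TRADITIONAL = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""
ENCRYPTED_PKCS8 = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
"""
PLAIN_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""


def pem_key_status(pem_text):
    """Return 'encrypted', 'unencrypted' or 'not-a-private-key' for a PEM text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    if not m or "PRIVATE KEY" not in m.group(1):
        return "not-a-private-key"
    if m.group(1).startswith("ENCRYPTED"):
        return "encrypted"  # PKCS#8 EncryptedPrivateKeyInfo
    if re.search(r"^Proc-Type: 4,ENCRYPTED", pem_text, re.M):
        return "encrypted"  # traditional OpenSSL PEM encryption headers
    return "unencrypted"


def apache_can_load_key_on_windows(pem_text):
    """True only for a private key that needs no pass phrase (what mod_ssl on Windows requires)."""
    return pem_key_status(pem_text) == "unencrypted"


if __name__ == "__main__":
    # Check a real file: python thisscript.py conf\apache.key
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(sys.argv[1], pem_key_status(f.read()))
    else:
        for name, pem in (("apache-pw.key (traditional)", ENCRYPTED_TRADITIONAL),
                          ("pkcs8", ENCRYPTED_PKCS8), ("apache.key", PLAIN_KEY)):
            print(name, pem_key_status(pem))
```

Because apache.key then holds the private key without a pass phrase, restrict the file's permissions so that only the account the Apache service runs as can read it; the file system ACL is the only protection the key has left.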

Setting Up Apache for SSL (mod_ssl)

Note: This section requires configuring the Apache HTTPD web server. Comments are denoted by # in the configuration files. Removing the leading # from these lines activates the directives required.

To set up Apache for SSL:

  1. From the Contact sample directory, copy the apache.crt, apache-cli.crt, and apache.key files to the Apache2\conf directory. For example, C:\Program Files\Apache Group\Apache2\conf.
  2. Enable SSL connections to the Apache Server:
    1. Open the file C:\Program Files\Apache Group\Apache2\conf\httpd.conf in a text editor such as Notepad.
      • On line 172, which loads the module ssl_module, remove the leading # from the line. It should now read:
            LoadModule ssl_module modules/mod_ssl.so
      • Ensure that the directive to include the SSL configuration file on line 919 is active, as shown below:
             <IfModule mod_ssl.c>
                  Include conf/ssl.conf
             </IfModule>
      • Save the changes to httpd.conf.
    2. Open the file Apache2\conf\ssl.conf in a text editor such as Notepad.
      • Find line 108 that reads:
             SSLCertificateFile conf/ssl.crt/server.crt
        and change it to:
             SSLCertificateFile conf/apache.crt
      • Find line 116 that reads:
             SSLCertificateKeyFile conf/ssl.key/server.key
        and change it to:
             SSLCertificateKeyFile conf/apache.key
      • Save the changes to ssl.conf.
    3. Re-configure the Apache service to start with SSL enabled by passing the -D SSL parameter when installing the service. Run the following commands:
      • cd \Program Files\Apache Group\Apache2\bin
      • apache -k stop
      • apache -k uninstall
      • apache -k install -D SSL
      • apache -k start
    4. Ensure the Apache server is accepting SSL connections:
      • Open Microsoft Internet Explorer and type the following in the address bar: https://apache-srv/
      • You will receive warnings about accepting a certificate that Microsoft Internet Explorer cannot verify. This is expected behavior. Click OK.

Setting up the Apache MobiLink Redirector

The MobiLink Redirector is a web-server plug-in that acts as a reverse HTTP proxy for MobiLink client HTTP requests. It acts as an intermediary to repeat HTTP requests from clients to a MobiLink server, and then returns the results back to the client.

To set up the Apache MobiLink Redirector:

  1. Copy the MobiLink Redirector DLL to the Apache Modules directory. Run the following command:
         copy "%SQLANY10%\MobiLink\redirector\apache\v20\mod_iaredirect.dll" "C:\Program Files\Apache Group\Apache2\modules"
  2. Open the file C:\Program Files\Apache Group\Apache2\conf\httpd.conf in a text editor such as Notepad.
  3. Add the following lines to the bottom of the file and save it:
         # Sybase iAnywhere MobiLink Redirector Setup
         LoadModule iaredirect_module modules/mod_iaredirect.dll
         <Location /iaredirect/ml>
              SetHandler iaredirect-handler
              iaredirectorConfigFile conf/redirector.conf
         </Location>
  4. Create a blank text document in C:\Program Files\Apache Group\Apache2\conf called redirector.conf and open the file in a text editor such as Notepad.
  5. Add the following lines to the file and save it:
         ML="https=true;host=mobilink-srv;port=20000;trusted_certificates=apache-cli.crt"
         ML_CLIENT_TIMEOUT=600
         SLEEP=1800
    Note: The redirector.conf file acts as a configuration file for the redirector component and specifies any additional client settings that are required for the redirector to connect to the MobiLink server.
    The directives are:
         ML=address:port
    or
         ML="<mobilink-client-network-protocol-options>"
    Additional information about the MobiLink client network protocol options can be found in the Related Documents section.
    This directive specifies how the MobiLink Redirector should connect to the MobiLink server. If you specify multiple "ML=" directives, Apache round-robins amongst the servers to load balance requests from MobiLink clients.
         ML_CLIENT_TIMEOUT=seconds
    This directive specifies the amount of time a particular remote is assigned to a MobiLink server (that is, the "stickiness" of a connection). This is a particularly important setting when multiple "ML=" directives have been specified. The default is 600 seconds (10 minutes).
         SLEEP=seconds
    This directive specifies how often the MobiLink Redirector should check the MobiLink servers to see if they are still responding. The default is 1800 seconds (30 minutes).
    Apache does not support server groups in the redirector.conf file. Server groups are only available for NSAPI and ISAPI web servers.
  6. After modifying the redirector.conf file, restart Apache from the command prompt by running the following command:
         C:\Program Files\Apache Group\Apache2\bin\apache -k restart
  7. Ensure that the MobiLink Redirector is responding to requests.
    1. Open Microsoft Internet Explorer and type the following in the address bar: https://apache-srv/iaredirect/ml
    2. You receive warnings about accepting a certificate that Microsoft Internet Explorer cannot verify. This is expected behavior. Click OK.
    3. You should see a message that reads: The page cannot be found and you should see the error HTTP 400 - Bad Request at the bottom of the page. This is expected behavior.
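The two option strings configured in this tutorial, the dbmlsync -e value appended in step2.bat and the ML= directive in redirector.conf, both use MobiLink's semicolon-separated key=value syntax. The following Python script, added here as an example (it is not part of the SAP Contact sample or of the MobiLink redirector), parses both and reports any hop that is not HTTPS with server certificate verification. It uses the values from this page as constructed samples plus a constructed weak variant in the ML=address:port form, applies the documented defaults of 600 and 1800 seconds, and its function names and finding texts are this example's own.

```python
# Added example for this page (not SAP sample code or part of the MobiLink redirector):
# audit the two TLS hops of the setup described above.
#   hop 1: dbmlsync -> Apache, configured by the dbmlsync -e option
#   hop 2: Apache redirector -> MobiLink, configured by ML= lines in redirector.conf
import re

# Constructed samples, using the values from this page.
DBMLSYNC_E = ("CTP=https;ADR='host=apache-srv;port=443;trusted_certificates=dbmlsync.crt;"
              "certificate_name=Apache Certificate;url_suffix=/iaredirect/ml'")
REDIRECTOR_CONF = """\
ML="https=true;host=mobilink-srv;port=20000;trusted_certificates=apache-cli.crt"
ML_CLIENT_TIMEOUT=600
SLEEP=1800
"""
# Constructed weak variant: the address:port form carries no TLS options, so the
# Apache -> MobiLink hop would be plain HTTP inside the corporate network.
WEAK_REDIRECTOR_CONF = "ML=mobilink-srv:20000\n"


def parse_options(text):
    """Parse 'key=value;key=value' into a dict with lower-cased keys; outer quotes are stripped."""
    opts = {}
    for part in text.strip().strip("\"'").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts


def parse_dbmlsync_e(e_value):
    """Split a dbmlsync -e value into the protocol (CTP) and the ADR option dict."""
    m = re.fullmatch(r"\s*CTP=(\w+);ADR='([^']*)'\s*", e_value)
    if not m:
        raise ValueError("unrecognised -e value: %r" % e_value)
    return m.group(1).lower(), parse_options(m.group(2))


def parse_redirector_conf(text):
    """Return (ML server option dicts, ML_CLIENT_TIMEOUT, SLEEP), applying the documented defaults."""
    servers, client_timeout, sleep = [], 600, 1800
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().upper(), value.strip()
        if key == "ML":
            if value.startswith('"'):
                servers.append(parse_options(value))
            else:  # ML=address:port form, no protocol options at all
                host, _, port = value.partition(":")
                servers.append({"host": host, "port": port})
        elif key == "ML_CLIENT_TIMEOUT":
            client_timeout = int(value)
        elif key == "SLEEP":
            sleep = int(value)
    return servers, client_timeout, sleep


def audit(e_value, conf_text):
    """Return a list of findings; an empty list means both hops use HTTPS with server verification."""
    findings = []
    ctp, adr = parse_dbmlsync_e(e_value)
    if ctp != "https":
        findings.append("hop1: dbmlsync -> Apache uses %s, not https" % ctp)
    else:
        if "trusted_certificates" not in adr:
            findings.append("hop1: no trusted_certificates, the Apache certificate is not verified")
        if "certificate_name" not in adr:
            findings.append("hop1: no certificate_name, the server certificate's common name is not checked")
    servers, _, _ = parse_redirector_conf(conf_text)
    if not servers:
        findings.append("hop2: redirector.conf has no ML= directive")
    for i, srv in enumerate(servers):
        label = "hop2 ML[%d] %s:%s" % (i, srv.get("host", "?"), srv.get("port", "?"))
        if srv.get("https", "").lower() != "true":
            findings.append(label + ": Apache -> MobiLink is plain HTTP")
        elif "trusted_certificates" not in srv:
            findings.append(label + ": https without trusted_certificates, MobiLink certificate not verified")
    return findings


if __name__ == "__main__":
    for name, conf in (("page config", REDIRECTOR_CONF), ("weak config", WEAK_REDIRECTOR_CONF)):
        print(name, audit(DBMLSYNC_E, conf) or ["no findings"])
```

The second hop is the one most easily left in cleartext, because the redirector happily accepts the bare address:port form; with several ML= directives for load balancing, every one of them needs https=true and trusted_certificates, which is why the audit reports each server separately.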

Running the Modified MobiLink Contact Sample

  1. Run Step1.bat to start the MobiLink server and the database.
  2. Run Step2.bat to initiate a synchronization session through Apache via HTTPS, which connects to the running MobiLink server. Check the generated remote_1.mlc and remote_2.mlc files to ensure that the sync was successful.
  3. Run Step3.bat to stop the MobiLink server.

Summary

Strong encryption technologies allow businesses to transfer sensitive corporate data across public networks. Since Apache has traditionally been the most popular web server, the ability to transfer data securely through an existing technology can save many IT organizations from opening additional external ports on their corporate firewalls. This allows corporate users in the field to synchronize seamlessly and securely to the corporate consolidated database.

The MobiLink Redirector acts as a reverse proxy that can communicate securely between MobiLink clients and the MobiLink server. The MobiLink clients connect via HTTPS to the Apache web server, and the MobiLink Redirector forwards those requests to the MobiLink server, providing a client-to-server secure link.

Related Content

Related Documents

MobiLink client network protocol options

Related SAP Notes/KBAs
