Encrypt internal traffic to Agent

In some cases, the agent at the client is on a different server than the proxy (such as IIS or NginX). This means that traffic from outside first goes to the proxy and is then routed internally to another server. It is possible to encrypt this internal traffic with a certificate. You can enable this encryption as follows:
  1. When starting the agent via salureconnect-agent.exe, provide parameters. Add the parameter --ssl true to enforce encryption. You can (but do not have to) also change the port, for example to 443. This looks like this: `salureconnect-agent.exe --ssl true --port 443`
  2. When SSL is enforced, the agent needs a certificate to actually encrypt the traffic. Make sure you have a certificate and a key file in a folder on the server where the agent is running, for example in the certs folder. The files must be named as follows:
    1. salureconnect_agent_cert.pem
    2. salureconnect_agent_key.pem
  3. After placing the certificates in the folder, add the following parameter: --certfolder <folder with certificates>. Suppose you have placed the certificates in c:\agent\certs, then the parameter will be `--certfolder c:\agent\certs`. Combined with the previous parameters, the whole thing now looks like this: `salureconnect-agent.exe --ssl true --certfolder c:\agent\certs --port 443`
Note that if you use the ssl parameter, the certfolder parameter is mandatory.

Creating a certificate

  1. Install Chocolatey if it is not installed already: see https://docs.chocolatey.org/en-us/choco/setup
  2. Install mkcert if it is not installed already:
    1. Open **Windows Terminal** or **Windows PowerShell** as an administrator and run `choco install mkcert`
    2. Run `mkcert -install`
  3. For the following step you have to be patient. When it looks frozen, it just takes a while:
  4. Run `mkcert -key-file salureconnect_agent_key.pem -cert-file salureconnect_agent_cert.pem localhost 127.0.0.1 0.0.0.0 ::1`
  5. Run `copy salureconnect_agent_*.pem C:\data_analytics\salureconnect_agent\certs\`
  6. The following step is optional; it should only be needed if the root certificate has expired (the root certificate should be valid for 10 years):
  7. Run `copy "C:\Users\$env:UserName\AppData\Local\mkcert\rootCA.pem" "C:\data_analytics\salureconnect_agent\certs\rootCA.pem"`
  8. Now send this root certificate to the client; they have to install this certificate in their certificate store.
Client instructions for Windows Server on how to do this:
  1. Open "Manage computer certificates", right-click "Trusted Root Certification Authorities" and choose "All Tasks" -> "Import" -> "Next" -> "Browse" -> select rootCA.pem -> "Next" -> "Finish".
  2. Restart the browser and verify that https://localhost:7070:salureconnect-agent is reachable (the agent must be running).
  3. Now run the agent with the option --ssl true to enable SSL.
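As an added pre-flight check for both procedures above (example script written for this article, not part of the SalureConnect agent or its own commands), the following PowerShell verifies the certificate folder before starting the agent with `--ssl true`: both files are present under the required names, the key file is a PEM private key, the certificate is within its validity period and covers localhost, and its chain validates against the machine's trusted roots. The certificate folder, the agent path and the port are assumptions; adjust them to your installation.

```powershell
# Added example: pre-flight check before running the agent with --ssl true.
# Not part of the SalureConnect agent; folder, agent path and port are assumptions.
param(
    [string]$CertFolder = 'C:\data_analytics\salureconnect_agent\certs',
    [string]$AgentExe   = 'C:\data_analytics\salureconnect_agent\salureconnect-agent.exe',
    [int]$Port          = 443
)

$certPath = Join-Path $CertFolder 'salureconnect_agent_cert.pem'
$keyPath  = Join-Path $CertFolder 'salureconnect_agent_key.pem'

# 1. --certfolder is mandatory with --ssl, and both files must use exactly these names.
foreach ($f in @($certPath, $keyPath)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing required file: $f" }
}

# 2. The key file must be a PEM private key (mkcert writes a PKCS#8 'PRIVATE KEY' block).
if (-not (Select-String -LiteralPath $keyPath -Pattern '-----BEGIN .*PRIVATE KEY-----' -Quiet)) {
    throw "$keyPath does not look like a PEM private key"
}

# 3. Load the certificate and check its validity period (the leaf certificate does expire).
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$now  = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))"
}
if ($cert.NotAfter -lt $now.AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); re-run mkcert soon"
}

# 4. The Subject Alternative Name (OID 2.5.29.17) must cover the name the proxy connects to.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt -or $sanExt.Format($false) -notmatch 'localhost') {
    Write-Warning "Certificate SAN does not include localhost: $(if ($sanExt) { $sanExt.Format($false) } else { '<none>' })"
}

# 5. The chain must validate against this machine's trusted roots (mkcert -install adds rootCA).
if (-not $cert.Verify()) {
    Write-Warning "Chain does not validate on this machine; is mkcert's rootCA.pem in Trusted Root CAs?"
}

# 6. Start the agent with encryption enforced (same parameters as in the article).
Write-Host "Starting agent on port $Port with certificates from $CertFolder"
& $AgentExe --ssl true --certfolder $CertFolder --port $Port
```

Run it from an elevated PowerShell on the agent server; a thrown error means the agent would not be able to encrypt traffic and should not be started with `--ssl true` yet.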
