Cases shared by Intella Connect can be accessed in various ways in the browser (the addresses listed below are artificial):
The HTTPS (SSL) communication layer needs to know under which URL Intella Connect’s pages will be served. Knowing that, and having a proper certificate validated by a third-party vendor (called a Certification Authority), will allow Connect to make use of a secure channel for serving these pages.
Note: SSL 3.0 is no longer supported, to protect against the POODLE attack.
There are a number of things that need to be done before you can use HTTPS in Intella Connect. Please make sure that all of these requirements are met.
These steps depend on whether you already have a working SSL certificate, so please follow the steps most suitable for your situation.
I’m already in possession of an SSL (PKCS12) certificate issued for my company/domain
I do not have an SSL certificate or I want to use a new one
If you decided to use a domain for case sharing, then you need to configure it now. Please log in to the machine (server) where you will be running Connect and check its public IP (when in doubt, please use Google).
After that you need to log in to the management panel for your domain provider and set the DNS records so that the domain points to the current public IP of your Connect PC.
Note: for purposes of this tutorial we will be using an artificial address/domain pair: 1.2.3.4, www.my-site.com
It might happen that the server machine is behind NAT, managed by a router. In that case you will need to set up port forwarding for a TCP port used by Intella Connect.
On the Intella Connect Dashboard page, after clicking on the Settings menu item, one can see the following configuration panel:
The most important things to notice here are the properties of the so-called Keystore. A keystore is nothing more than a secure database that holds all the certificates needed by a server (in our case, Connect). In order to proceed, we will need to create the keystore manually.
Intella Connect bundles a special utility program for working with keystores. This tool is a part of the bundled Java distribution and is called keytool.exe. It can be found in:
C:\Program Files\Vound\Intella Connect 1.8\jre\bin\keytool.exe
First, let’s prepare a directory to work with. For the sake of this manual, I have created the folder C:\Users\Lukas\Desktop\ssl where I will be temporarily storing all the necessary files.
Note: if you have your own certificate, you do not need to generate the private/public key pair in this step (note the -genkey flag) and you can safely proceed to the section on adding certificates to the keystore.
To create a keystore, please do the following:
Note: this and the following steps apply only if you did not have your own certificate already and you have just created one in the step before.
Since you are now in possession of an unsigned certificate, you need to ask a Certification Authority (CA) to sign it. CAs accept only certificate signing requests, so you need to create one using the keytool.
On the command line, please enter the following command:
keytool -certreq -keyalg RSA -file C:\Users\Lukas\Desktop\ssl\my-site.com.csr -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore
You will be asked for the master password for the keystore, which you have defined in the first step. This should produce a file called my-site.com.csr
You now have to supply this signature request to the Certification Authority. This process is specific to the authority signing the certificate. After the CA is done with processing your request, you should receive a set of signed (verified) certificates, which can now be added back to the keystore.
You now have to add each certificate that you have received from your CA back to the keystore. Most likely you have received three files: the CA’s certificate, an intermediate certificate and the one which applies to your domain (IP). Please use keytool.exe again to add them using the commands below. Please keep in mind that for this tutorial our CA has supplied us with three files (AddTrustExternalCARoot.crt, PositiveSSLCA2.crt and www_my-site_com.crt) which are stored in the “signed” subdirectory:
keytool -import -trustcacerts -alias AddTrustExternalCARoot -file C:\Users\Lukas\Desktop\ssl\signed\AddTrustExternalCARoot.crt -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore
keytool -import -trustcacerts -alias PositiveSSLCA2 -file C:\Users\Lukas\Desktop\ssl\signed\PositiveSSLCA2.crt -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore
keytool -import -trustcacerts -alias mykey -file C:\Users\Lukas\Desktop\ssl\signed\www_my-site_com.crt -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore
At this point you can come back to the Intella Connect Dashboard page and finish setting up SSL. The three mandatory fields that are listed there should be set as follows:
After that you need to restart Intella Connect to finish the process.
An appropriate warning about this should be displayed after you save the changes.
By default, web browsers will try to connect to port 443 when the HTTPS protocol is used. Therefore, if you configured Connect to listen on port 80, you’ll have to change the port to 443.
In the end you should be able to navigate to https://www.my-site.com (note the “https” in the URL and lack of port) and see the Lock icon in the web browser’s address bar, which shows that you are using a secure connection.
After you log in to your dashboard, you may navigate to a shared case, which should also be available using the HTTPS protocol.
Before a certificate is trusted, the browser must verify that the certificate comes from a trusted source. This verification process is called path validation. It involves processing public key certificates and their issuer certificates in a hierarchical fashion until the certification path ends at a trusted certificate. Typically this is a root CA certificate. If there is a problem with one of the certificates in the path, or if the browser cannot find a certificate, the certification path is considered a non-trusted certification path. A typical certification path includes a root certificate and one or more intermediate certificates.
If the browser shows a certificate warning, please verify the certificate chain by reading the keystore using a third-party tool. See the references section of the Wikipedia article on keystore.
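The chain can also be read with the bundled keytool itself (keytool -list -v -keystore followed by the keystore path). The Python sketch below is an added example, not part of Intella Connect: it parses that listing and flags the usual causes of a browser warning for the mykey alias used in the import commands above. It assumes English field labels in the listing, compares certificate names only (it does not verify signatures), and runs on constructed sample output.

```python
# Constructed `keytool -list -v` output, trimmed to the lines the parser reads.
GOOD = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Owner: CN=www.my-site.com
Issuer: CN=Constructed Intermediate CA
Owner: CN=Constructed Intermediate CA
Issuer: CN=Constructed Root CA
Owner: CN=Constructed Root CA
Issuer: CN=Constructed Root CA
"""
# Constructed failure case: the signed certificate was never imported for the key.
BROKEN = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Owner: CN=www.my-site.com
Issuer: CN=www.my-site.com
"""

def parse_entries(text):
    """Map alias -> {"type": entry type, "chain": [[owner, issuer], ...]}."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Alias name":
            cur = entries.setdefault(value, {"type": None, "chain": []})
        elif cur and key == "Entry type":
            cur["type"] = value
        elif cur and key == "Owner":
            cur["chain"].append([value, None])
        elif cur and key == "Issuer" and cur["chain"]:
            cur["chain"][-1][1] = value
    return entries

def chain_problems(entries, alias="mykey"):
    """Return problems found for the server entry; an empty list means none."""
    entry = entries.get(alias)
    if entry is None:
        return [f"no entry with alias {alias}"]
    chain, found = entry["chain"], []
    if entry["type"] != "PrivateKeyEntry":
        found.append(f"{alias} is {entry['type']}, not PrivateKeyEntry")
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        found.append("self-signed certificate only; CA reply not imported")
    for (owner, issuer), (parent, _) in zip(chain, chain[1:]):
        if issuer != parent:
            found.append(f"chain break after {owner}")
    return found

print("GOOD:", chain_problems(parse_entries(GOOD)))
print("BROKEN:", chain_problems(parse_entries(BROKEN)))
```

An entry reported as trustedCertEntry instead of PrivateKeyEntry means the signed certificate was imported under a different alias than the key pair, so the server has no private key to present with it.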
If SSL needs to be disabled, it can be done by clicking on the Disable button. This will however not remove SSL immediately. Intella Connect will only change the status of SSL to be disabled. The actual removal of the SSL channel will be performed when Intella Connect is re-started. This is to prevent any active users that use SSL from receiving errors related to the disabling of the SSL layer.
If your security policy requires it, you may alter the way in which client and server communicate by specifying supported protocols and ciphers used. Intella Connect by default will not use SSLv3, relying on TLS instead. If you override supported protocols, please make sure to add “SSLv3” to the list.
The two settings that you can add to Intella’s Preferences are:
More details about both protocols and cipher suites can be found here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
Please note that, at the time of writing this manual, the specification required support for the following ciphers:
You can learn more about recommended cipher suites in this online reference: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf