Vertec Cloud Server: deployment and security

The Cloud App, the Web App the Phone App and the Outlook App are cloud clients. Here the business logic runs on the server, the interface is also prepared on the server and the cloud clients only display it and receive the user input. The Vertec Cloud Server is responsible for the provision.

Overview

• Vertec Cloud Server installation
  • Register Vertec Cloud Server service
• Local operation (LAN, VPN)
• Putting Vertec on the internet
  • TLS encryption
  • HTTP to HTTPS redirect
  • HTTP Strict Transport Security (HSTS)
  • Security
    • Restrict Scripting
    • Restrict Local IP
    • Restrict Filesystem Access
    • Restrict Session Process
• Management Tools
  • Cloud Server Management Console
  • Monitoring Cloud Server

Usually, the Vertec Cloud Server is already installed from Setup. If you want to install the service manually, e.g. on another server, follow the steps below. The Vertec Cloud Server is usually installed on the Vertec Server machine (the machine where the Vertec installation directory and the database server are located). It is also possible to run it on a separate machine, as long as it has access to the database server. If installed on a separate server, a Vertec program directory must be created manually and the files from the Vertec installation directory must be copied into it; if installed on the Vertec server machine, this is already present.

In order for the Vertec Cloud Server to run as a Windows service, it must be registered with Windows. This is done from the Command Line with the command:

Vertec.CloudServer.exe /install

Starting the service is done via the Services control panel or from the command line:

net start Vertec.CloudServer

You can also run several different Vertec Cloud Server services on one machine. For details, see the article on multiple Cloud Server instances.

For testing purposes, it may be useful to start Vertec Cloud Server as a normal application rather than as a Windows service. This can be done by calling Vertec.Cloudserver.exe with the Command Line Parameters /noservice:

Vertec.CloudServer.exe /noservice

Local operation (LAN, VPN)

If Vertec is only accessible on the local network (LAN) or via VPN, everything is already done with the installation.

In this case, the connection to the Cloud Server can be operated unencrypted. If the setting Secure Server Port setting in the Vertec.ini file is not set (default), the server starts unencrypted.

No certificate is required in unencrypted operation. However, note that the Phone App and Outlook App can only be operated with a Certificate.  

Under no circumstances may an unencrypted Vertec instance be accessible from the Internet.

Customers of a Vertec On-Premises installation have two options to put their Vertec on the Internet. Either they use the Webaccess service of Spektra Netcom AG, or they put their Vertec Cloud Server on the Internet themselves. In this case, the connection must be encrypted and a certificate must be deposited:

TLS encryption

The connection to the Vertec Cloud Server can be secured via TLS (formerly SSL).

With an encrypted connection, the server must be able to identify itself to ensure that the client (Cloud App, Web App, Phone App and Outlook App) is communicating with the real server. An “identification” for the server is called a certificate and is usually issued by a publicly recognized certification authority (CA) for a fee.

To obtain a certificate, you need to be registered with a certificate authority. There you can purchase a certificate for a specific domain and for a specific period of time.

In order to have the certificate issued, the following steps are required:

1. Creating a Certificate Enrollment Request (CSR): The first step is to create a Certificate Enrollment Request (CSR) on the server that is to identify itself with the certificate. The Vertec Cloud Server does this conveniently via the /csrcreate command line parameter. A console opens and asks for some information about the certificate. The certificate enrollment request is then saved under the chosen name in the same directory where the command is executed.
2. Obtaining the certificate: The generated text file (PKCS#10) can now be uploaded to a certificate authority. In return, it will deliver the expected certificate for the server. We recommend downloading the certificate in .p7b format and saving it on the server.
3. Importing the certificate to the certificate store: Now the certificate has to be stored in the certificate store under My Certificates. There are several ways to do this (often you have the option of double-completing on the certificate). The option offered by all supporting operating systems is as follows:
   • In the Microsoft Management Console (Windows Run > mmc), under File > Add/Remove Snap-in, select the certificates and click Add.
   • In the Certificate snap-in menu that appears, select the computer account and complete.
   • Select the newly appeared Certificate (Local Computer) entry and right-click on My Certificates.
   • In the context menu, under All Tasks, select Import....
   • In the Certificate Import Wizard, select the downloaded certificate. In the selection that follows, select Automatically select certificate store and confirm with Next and Finish. The Management Console can then be closed.
4. In order for the Vertec Cloud Server to know which certificate to use, there is a Certificate Name setting in the Vertec.ini configuration file. This setting must match the name (FriendlyName or CommonName of the subject) of your certificate. This step can usually be skipped, since an entry was already created in the Vertec.ini when creating the CSR.

The certificate must then be bound to a port:

In order for the certificate to be addressed on a specific port, it must be bound to that port. If Vertec Cloud Server is running as an administrator, this is completed automatically at startup. If SOMETHING DON’T WORK (for example, because you don’t have authorized), Vertec Cloud Server reports an error.

Only if the Vertec Cloud Server is not run by a user with Administrator Rights (e.g. LocalSystem in normal case) or if a binding error has occurred, the certificate must be manually bound once. To manually bind the certificate, Vertec Cloud Server can use the command line parameter /certbind The Cloud Server will attempt to bind the certificate you specified in the Vertec.ini – file to the port specified in the same location. If this fails, the Vertec Cloud Server will issue an error.

Internally use /certbind and /certunbind netsh. To inspect certificate bindings, use the command line command show sslcert [ipport=]IP Address:port(see https://docs.microsoft.com/windows/desktop/Http/show-sslcert). Example:

netsh http show sslcert ipport=0.0.0.0:443

Microsoft’s SSL system is used for encryption. Microsoft uses a prioritized list of cipher suits that are considered by servers and clients on the computer (Cipher suit priority list). This list is regularly updated by Microsoft with Windows updates, but usually includes protocols that some SSL testing tools consider to be insecure for backward compatibility reasons. But really problematic cipher suites are removed by Microsoft with updates. In normal cases, it should be enough if you rely on the Windows standard.

For installations with higher security requirements, e.g. that want to meet the (high) requirements of the usual SSL testing tools, it is possible to define your own priority list of encryption suites (cypher suites). This then replaces the list maintained by Microsoft and must also be updated yourself.

Defining your own cipher suite list is done in the Local Group Policy Editor (gpedit.msc).

• Click Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
• Right-click Order of SSL Encryption Collections and select Edit.
• In the window that appears, you can activate your own guidelines:

  

To avoid having to write https:// to the browser line, all HTTP requests to the server port specified in Server Port are redirected to the Secure Server Port (HTTPS). Once a Secure Server Port is specified, all requests to the server port are redirected to it.

As a measure against man-in-the-middle attacks, HST (HTTP Strict Transport Security) support has been supported into the Vertec Cloud Server. This allows the browser to remember how long access is automatically made to HTTPS (and no longer via HTTP redirection).  

HSTS is activated by settings Hsts max age in the Vertec.ini configuration file. This controls the duration for which the browser remembers this access. For good security, 1 to 2 years (or 365 to 730 days) are recommended.  

In addition to the encryption of the Cloud Server connection, there are other measures that ensure increased security in Vertec itself. See also the article Vertec’s security on the internet

This is about what can be reached and controlled from Vertec via scripting. There are various Cloud Server settings that can be enabled in the Vertec.ini – file:  

Restrict Scripting

To restrict access to local resources of the Cloud Server Hosts via the cloud clients, the Restrict Scripting option is available to prevent file access and the import of non-Vertec modules. For more information, see Restrict Scripting for Cloud Sessions.

Restrict Local IP

If Restrict Scripting is enabled, the option Restrict Local IP can also be activated. This will block IP connections to local addresses. Access from Vertec is therefore only possible to publicly accessible IP addresses.

Restrict Filesystem Access

The Restrict Filesystem Access option restricts access to the server file system when saving documents.

• Reports are stored on the client side
• No saving of reports in the Web App, just download.
• Error message when running a report with a configured storage path via Web App, unable to save a document and create an activity.

Restrict Session Process

If the option Restrict Session Process is enabled, the session processes activated start with limited capabilities (low integrity).

This means that no further subprocesses can be started on the server from Vertec.  

All of these measures are designed to ensure that if unauthorized persons gain access to Vertec in any way, they will not be able to access the server and thus the entire system. We strongly recommend that these measures be implemented as soon as Vertec is made available via the Internet.  

Cloud Server Management Console

For the Cloud Server there is a management console, which runs by default on port 8082 (Management Port setting in the Vertec.ini file). It is called via localhost:8082. The caller must be logged on to the server and the call must be made via localhost. This is not possible from “outside”.

The Management Console looks like this:

Here you can see the idle sessions started on stock (see Process Pool Size in the Vertec.ini file) as well as all current logged-in clients.

The Management Console provides the following options:

• Server Status NormalOperation / Maintenance: By clicking on the tool behind the server status you can switch from normal operation to maintenance mode (maintenance). Exist sessions are not affected by this, but new clients can no longer log in. As
  long as the server is in maintenance mode, the following error message appears when a client tries to connect: The Vertec Cloud Server is currently in maintenance mode. Please try again after the maintenance work has been completed.

• Send a message to logged in users: By clicking on the mail symbol, a message can be sent to the corresponding session.

• Exit a session: Any running session can be closed by clicking on the X. Unsave changes of the user will be lost.

As of Vertec 6.3, there is an endpoint (URL) for monitoring purposes of the Cloud Server, which starts a new session as a test and returns the required time.

The URL responds to the HTTP GET request /monitor_session_start and returns a response timed in milliseconds.

For this to work, it has to be enabled in the Vertec.ini file:

[CloudServer]
Monitoring=True

If a monitoring tool now calls the URL /monitor_session_start, it receives the data concerning the start-up as follows:

<Tool_http_custom_check>
   <status>OK</status>
   <response_time>2331.38</response_time>
</Tool_http_custom_check>

The response time is in milliseconds. To protect against denial-of-service attacks, a session with this URL can only be started every 10 minutes by default. This time can also be set in the Vertec.ini file with Monitoring Ban Minutes, e.g. to 15 minutes:

[CloudServer]
Monitoring=True
Monitoring Ban Minutes=15