Cloud Server: deployment and security

Created: 04.03.2016
Updated: 26.09.2024 | Section “Problem with Culture Treatment” moved to a separate article.

The Vertec Cloud App, Web App, Phone App and Outlook App are cloud clients: the business logic runs on the server, the user interface is also rendered on the server, and the cloud clients only display it and pass on the user input. The Vertec Cloud Server is the component that serves these clients.

Overview

Installing the Vertec Cloud Server

Usually the Vertec Cloud Server is already installed by the setup. If you want to install the service manually, for example on another server, proceed as described below. The Vertec Cloud Server is normally installed on the Vertec server machine (the machine holding the Vertec installation directory and the database server). It can also run on a separate machine, as long as that machine can reach the database server. In that case a Vertec program directory must be created manually on the separate machine and the files from the Vertec installation directory copied into it; on the Vertec server itself this directory already exists.

Vertec Cloud Server as a service

Registration

For the Vertec Cloud Server to run as a Windows service, it must be registered with Windows. This is done from an elevated (administrator) command prompt with:

Vertec.CloudServer.exe /install

The service is then started via the Services control panel or from the command line:

net start Vertec.CloudServer

Multiple Vertec Cloud Server services

You can also run several different Vertec Cloud Server services on one machine. For the exact procedure, see the article on multiple cloud server instances.

Starting the Vertec Cloud Server service as a normal application

For testing purposes, it may be useful to start the Vertec Cloud Server as a normal application instead of as a Windows service. This can be done by calling Vertec.CloudServer.exe with the command line parameter /noservice:

Vertec.CloudServer.exe /noservice

TLS encryption

The connection to the Vertec Cloud Server can be secured with TLS (formerly SSL).

With an encrypted connection, the server must identify itself so that the client (Cloud App, Web App, Phone App or Outlook App) can be sure it is talking to the genuine server and not to a man-in-the-middle. This identification is a certificate, which is normally issued by a publicly trusted certificate authority (CA) for a fee.

If Vertec is operated in the Cloud Suite, Vertec takes care of this.

If you expose Vertec on the internet yourself, follow these steps:

TLS operation via a certificate

To obtain a certificate you need an account with a certificate authority. There you can purchase a certificate for a specific domain name and a specific validity period.

How do I get a certificate for my server?

In order to have the certificate issued, the following steps are necessary:

  1. Create a certificate signing request (CSR): The first step is to create a certificate signing request (CSR) on the server that will later identify itself with the certificate. The Vertec Cloud Server does this conveniently via the command line parameter /csrcreate. A console opens and asks for some information about the certificate. Afterwards the request is saved under the chosen name in the directory from which the command was run. The private key belonging to the request is generated on this server and stays there, so the issued certificate must be imported on the same machine.
  2. Obtain the certificate: The generated text file (PKCS#10) can now be uploaded to the CA. In return, the CA provides the certificate for the server. We recommend downloading it in .p7b format (which also contains the intermediate CA certificates) and saving it on the server.
  3. Import the certificate into the certificate store: The certificate must now be placed in the local computer's certificate store under Personal (the "My" store). There are several ways to do this (often double-clicking the certificate file is enough). The way that works on all supported operating systems is:
    • In the Microsoft Management Console (Windows Run > mmc), under File > Add/Remove Snap-in, select Certificates and click Add.
    • In the Certificate Snap-in dialog that appears, select Computer account and finish.
    • Expand the new entry Certificates (Local Computer) and right-click Personal.
    • In the context menu, under All Tasks, select Import....
    • In the Certificate Import Wizard, click Next, then Browse to select the downloaded certificate. In the next step, select Automatically select the certificate store based on the type of certificate, confirm with Next and Finish, and check that the certificate now appears under Personal > Certificates. The Management Console can then be closed.
  4. For the Vertec Cloud Server to know which certificate to use, there is a Certificate Name setting in the Vertec.ini configuration file. It must match the name (FriendlyName or CommonName of the subject) of your certificate. This step can usually be skipped because the entry was already written to Vertec.ini when the CSR was created.

Then the certificate must be bound to a port:

Certificate binding

In order for the certificate to be used on a specific port, it must be bound to that port (an HTTP.sys SSL binding). If the Vertec Cloud Server runs with administrator rights, this is done automatically at startup. If it fails (for example because the account is not authorized to do so), the Vertec Cloud Server reports an error.

Only if the Vertec Cloud Server does not run under an account with administrator rights (usually LocalSystem), or a binding error has occurred, does the certificate have to be bound manually once. To do so, run Vertec Cloud Server with the command line parameter /certbind. The Cloud Server then looks up the certificate named in Vertec.ini and binds it to the port specified in the same file. If this fails, the Vertec Cloud Server reports an error.

/certbind and /certunbind use netsh internally. To inspect the current certificate bindings, use netsh http show sslcert [ipport=]IPAddress:port (see https://docs.microsoft.com/windows/desktop/Http/show-sslcert). Example:

netsh http show sslcert ipport=0.0.0.0:443
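The following PowerShell script is an added example, not part of the Vertec documentation or of the product. It performs the checks a practitioner wants after steps 3 and 4 and the certificate binding: that the certificate named in Vertec.ini exists in the local machine Personal store, carries its private key, is not about to expire, and is the certificate actually bound to the Secure Server Port. The INI path, the assumption that both settings live in a [CloudServer] section as Certificate Name = ... and Secure Server Port = ..., and the binding address 0.0.0.0 are assumptions, not documented facts.

```powershell
# Added example (not Vertec's own code). Assumptions: Vertec.ini path,
# section [CloudServer] with keys "Certificate Name" and
# "Secure Server Port", and a binding on all interfaces (0.0.0.0).
# Run in an elevated PowerShell on the Cloud Server machine.
param(
    [string]$IniPath = 'C:\Vertec\Vertec.ini'   # hypothetical path
)

# Minimal INI reader: returns the value of $Key inside [$Section], or $null.
function Get-IniValue {
    param([string]$Path, [string]$Section, [string]$Key)
    $inSection = $false
    $keyPattern = '^' + [regex]::Escape($Key) + '\s*=\s*(.*)$'
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $t -match $keyPattern) { return $Matches[1].Trim() }
    }
    return $null
}

$certName = Get-IniValue -Path $IniPath -Section 'CloudServer' -Key 'Certificate Name'
$port     = Get-IniValue -Path $IniPath -Section 'CloudServer' -Key 'Secure Server Port'
if (-not $certName -or -not $port) {
    throw "Certificate Name or Secure Server Port not found in $IniPath"
}

# Step 4: the name in Vertec.ini must match the FriendlyName or the subject CN.
# If several match (e.g. after a renewal), take the one that expires last.
$cnPattern = '(^|,\s*)CN=' + [regex]::Escape($certName) + '(,|$)'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $certName -or $_.Subject -match $cnPattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate named '$certName' in Cert:\LocalMachine\My" }

# Step 3 pitfall: a certificate without its private key (imported on a machine
# other than the one that created the CSR) cannot terminate TLS.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter))" }

# Binding: the thumbprint netsh reports for the port must be this certificate.
$binding = (netsh http show sslcert ipport=0.0.0.0:$port 2>&1) -join "`n"
if ($binding -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
    if ($Matches[1] -ieq $cert.Thumbprint) {
        "OK: '$certName' ($($cert.Thumbprint)) is bound to 0.0.0.0:$port, valid until $($cert.NotAfter)"
    } else {
        Write-Warning "0.0.0.0:$port is bound to $($Matches[1]), not to $($cert.Thumbprint); run Vertec.CloudServer.exe /certbind"
    }
} else {
    Write-Warning "No SSL binding on 0.0.0.0:$port; run Vertec.CloudServer.exe /certbind from an elevated prompt"
}
```

The private-key check is the one most often missed: importing a .cer or .p7b on a different machine than the one that ran /csrcreate produces a certificate that is visible in the store but unusable for TLS, and the Cloud Server will fail at binding time.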

HTTP strict transport security (HSTS)

Only relevant for encrypted operation. As a countermeasure against man-in-the-middle and downgrade attacks, the Vertec Cloud Server supports HSTS. It is activated by setting HSTS max age in the Vertec.ini configuration file. Note that a browser only learns the HSTS policy from a successful HTTPS response, and that it will then refuse plain HTTP and certificate errors for that host for the duration of max-age, so make sure certificate renewal is in place before enabling it with a long value.

HTTP to HTTPS redirect

Only relevant for encrypted operation. So that users do not have to type https:// in the address bar, all HTTP requests arriving on the port specified as Server Port in Vertec.ini are redirected as HTTPS requests to the port specified as Secure Server Port.

Use of cipher suites

Encryption uses Microsoft's TLS implementation (Schannel), which takes its cipher suites from a prioritized list maintained by Windows and updated through Windows updates (the cipher suite priority list). That list applies to all servers and clients on the machine. For backward compatibility it usually still contains cipher suites that are no longer considered state of the art and that some SSL testing tools classify as insecure. Genuinely problematic cipher suites are removed by Microsoft via updates, so normally relying on the Windows default is sufficient.

For installations with higher security requirements, e.g. to meet the (strict) requirements of the usual SSL test tools, you can define your own priority list of cipher suites. This list then replaces the one maintained by Microsoft and must be maintained by you: new suites added by Windows updates do not appear in it automatically, and a mistake can lock out older clients.

Your own cipher suite list is defined in the Local Group Policy Editor (gpedit.msc):

  • Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  • Right-click SSL Cipher Suite Order and select Edit.
  • In the window that appears, set the policy to Enabled and enter your cipher suite names as one comma-separated line in the SSL Cipher Suites field. A reboot is required for the change to take effect.
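As an added example (not Vertec's or Microsoft's own code), the PowerShell script below does the same thing as the Group Policy dialog from the command line, which is easier to keep under version control and to roll out to several servers. It first lists the cipher suites Schannel currently offers and flags the ones SSL test tools typically object to, then, only with -Apply, writes a restricted list into the registry value that the SSL Cipher Suite Order policy maintains. The hardened list itself is an assumption (a common starting point for an RSA or ECDSA server certificate), and the weak-suite pattern is a heuristic, not an authoritative classification.

```powershell
# Added example, not part of the Vertec documentation or product.
# Audits the active Schannel cipher suite order and, with -Apply, writes a
# restrictive list into the same policy value that the "SSL Cipher Suite
# Order" Group Policy setting uses. A reboot is needed before it takes effect,
# and from then on the list is yours to maintain (new suites shipped by
# Windows updates are not added automatically).
param([switch]$Apply)

# Heuristic: suites without forward secrecy (RSA key exchange), CBC/SHA1
# MACs, RC4, (3)DES, export grade or NULL ciphers are the usual findings
# of SSL test tools.
$weakPattern = '_RC4_|_3DES_|_NULL_|_MD5|_DES_|_EXPORT|^TLS_RSA_|_CBC_'

# Assumed hardened list: TLS 1.3 suites first, then ECDHE AEAD suites.
# The *_RSA_* entries serve an RSA server certificate, *_ECDSA_* an ECDSA
# certificate; keep the ones that match the certificate you bound.
$hardened = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Get-TlsCipherSuite (Windows 10 / Server 2016 and later) lists suites in
# the order Schannel currently offers them.
$active = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$weak   = @($active | Where-Object { $_ -match $weakPattern })
"Active suites: $($active.Count), flagged as weak by the heuristic: $($weak.Count)"
$weak | ForEach-Object { "  weak: $_" }

# The GPO writes a comma-separated REG_SZ named "Functions" to this key;
# Schannel ignores a value longer than 1023 characters.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$list = $hardened -join ','
if ($list.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character limit' }

if ($Apply) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'Functions' -Value $list -PropertyType String -Force | Out-Null
    "Policy written to $policyKey; reboot the server for Schannel to pick up the new order."
} else {
    "Dry run. Re-run with -Apply to set:`n$list"
}
```

Run the dry run first on a test system and then test against the clients you must support; once the policy value exists, Windows no longer falls back to its own list, so removing a suite that an old client or an integration partner depends on results in failed handshakes rather than a warning. To return to the Microsoft default, delete the Functions value (or set the policy to Not Configured) and reboot.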

Unencrypted operation

The connection to the Vertec Cloud Server can also be operated unencrypted. This is only suitable for operation within the LAN or over a VPN, since credentials and data then travel in plain text on the network.

No certificate is required in unencrypted mode. If no value is set for Secure Server Port in the Vertec.ini file (the default), the server starts unencrypted.

The Outlook App can only be operated over TLS with a real certificate (one issued by a CA the client trusts); it cannot connect to an unencrypted server.

Restricted scripting

In order to limit the access cloud clients have to local resources on the cloud server host, the option to restrict scripting was introduced in version 6.1.0.9; it prevents file access and the import of non-Vertec modules from cloud sessions. For more information, see Restrict scripting for cloud sessions.

Cloud Server Management Console

For the cloud server there is a management console, which listens on port 8082 by default (setting Management Port in the Vertec.ini file). It is reached via localhost:8082. The caller must be logged on to the server and the call must come in via localhost; the console is not reachable from outside.

Here you can see the idle sessions that are started in advance as a reserve (see Process Pool Size in the Vertec.ini file) as well as all currently logged-in clients.

The Management Console provides the following options:

  • Server Status NormalOperation / Maintenance: Clicking the tool icon next to Server Status switches from normal operation to maintenance mode. Existing sessions are not affected, but new clients can no longer log on. While the server is in maintenance mode, a client trying to connect receives the error message: The Vertec Cloud Server is currently in maintenance mode. Please try again after the maintenance work has been completed.
  • Send a message to logged-in users: Clicking the mail icon sends a message to the corresponding session.
  • End a session: Any current session can be closed by clicking the x. Unsaved changes of the corresponding user are lost.

Monitoring Cloud Server

As of Vertec 6.3 there is an endpoint (URL) for monitoring the Cloud Server. It starts a new session as a test and returns the time this took.

The endpoint answers an HTTP GET request to /monitor_session_start and returns the measured time in milliseconds.

For this to work, it must be turned on in the Vertec.ini file:

[CloudServer]
Monitoring = True

If a monitoring tool calls the URL /monitor_session_start, it receives the following data about the session start:

<Tool_http_custom_check>
   <status>OK</status>
   <response_time>2331.38</response_time>
</Tool_http_custom_check>

The response time is given in milliseconds. To protect against denial-of-service attacks (each call starts a real session on the server), by default a session can be started via this URL only once every 10 minutes. This interval can be changed in the Vertec.ini file with Monitoring Ban Minutes, e.g. to 15 minutes:

[CloudServer]
Monitoring = True
Monitoring Ban Minutes = 15
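The following PowerShell check script is an added example, not part of the Vertec documentation or product. It is the consumer side of the endpoint described above: it calls /monitor_session_start, parses the Tool_http_custom_check XML, applies warning and critical thresholds to the response time, and returns a monitoring-style exit code. The server URL, the thresholds and the exit-code convention are assumptions. The page does not say what the server returns for a call inside the ban window, so the script treats anything other than a well-formed OK answer as a failure, and it must not be scheduled more often than Monitoring Ban Minutes allows.

```powershell
# Added example (not Vertec's own code). Assumptions: base URL, thresholds,
# and Nagios-style exit codes (0 OK, 1 WARNING, 2 CRITICAL).
# Schedule it no more often than "Monitoring Ban Minutes" (default 10).
param(
    [string]$BaseUrl    = 'https://vertec.example.com',  # hypothetical
    [int]$WarnMs        = 5000,
    [int]$CritMs        = 15000,
    [int]$TimeoutSec    = 60
)

# Parses the <Tool_http_custom_check> body documented above into an object.
function ConvertFrom-MonitorResponse {
    param([string]$Body)
    $xml  = [xml]$Body
    $node = $xml.Tool_http_custom_check
    if (-not $node) { throw 'Unexpected response: no Tool_http_custom_check element' }
    [pscustomobject]@{
        Status     = [string]$node.status
        ResponseMs = [double]$node.response_time
    }
}

# Maps status and measured time to an exit code.
function Get-CheckState {
    param([string]$Status, [double]$ResponseMs, [int]$WarnMs, [int]$CritMs)
    if ($Status -ne 'OK')        { return 2 }   # CRITICAL: session start failed
    if ($ResponseMs -ge $CritMs) { return 2 }   # CRITICAL: far too slow
    if ($ResponseMs -ge $WarnMs) { return 1 }   # WARNING: slow
    return 0                                     # OK
}

# Constructed sample of the documented answer, used as a self-check so the
# parser can be exercised without a live server.
$sample = @'
<Tool_http_custom_check>
   <status>OK</status>
   <response_time>2331.38</response_time>
</Tool_http_custom_check>
'@
$parsed = ConvertFrom-MonitorResponse -Body $sample
if ($parsed.Status -ne 'OK' -or [math]::Abs($parsed.ResponseMs - 2331.38) -gt 0.001) {
    throw 'Self-check of the response parser failed'
}

try {
    $resp   = Invoke-WebRequest -Uri "$BaseUrl/monitor_session_start" -UseBasicParsing -TimeoutSec $TimeoutSec
    $result = ConvertFrom-MonitorResponse -Body $resp.Content
    $state  = Get-CheckState -Status $result.Status -ResponseMs $result.ResponseMs -WarnMs $WarnMs -CritMs $CritMs
    "Vertec session start: $($result.Status), $($result.ResponseMs) ms (state $state)"
    exit $state
} catch {
    # Network error, non-2xx status, or a body that is not the expected XML
    # (for example the server in maintenance mode) all count as CRITICAL.
    "Vertec monitor check failed: $($_.Exception.Message)"
    exit 2
}
```

Because every call creates a real session, the check interval in the monitoring tool should be set equal to or longer than Monitoring Ban Minutes; polling more often produces failed checks rather than extra data.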