  1. #1
    Join Date
    Mar 2004
    Posts
    660

    Unanswered: Self-Signed certificate

    Can anybody tell me how to do a self-signed certificate on SQL Server? What is it? Do we really need it?
    Many thanks.

  2. #2
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    What kind of certificate are you asking about? A code certificate, an SSL certificate, or something different?

    -PatP

  3. #3
    Join Date
    Mar 2004
    Posts
    660
    I just knew this is self-sign certification. Our web server has SSL. My supervisor wants me to write code for the security of the connection from web server to SQL Server. Later he told me that we need self-sign certification. I am a programmer, I believe I need a code certification. If possible, can you introduce me more as I have no idea about it. Another question, do I need to write code or just buy a certificate?
    Many thanks.

  4. #4
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    Without more detailed direction, you'll need to rummage a bit.

    You can start here, with this being the most likely for code signing, and this being a good starting point for SSL.

    You really need to "go back to the well" for better direction on what he wants, otherwise you'll be fishing a long time on this request!

    -PatP

  5. #5
    Join Date
    Mar 2004
    Posts
    660
    Let me explain this. I have a web form that needs to be secure, implemented using ColdFusion. When the form is sent it will call SQL Server to process. I use a datasource. To create the datasource, I log on as ColdFusion administrator and create a datasource there. In my source code, I just use the datasource. He would like everything to be secure. He bought an SSL certificate for our website. So we are going to put the web form on the secure server. He also tells me that we need to have a secure connection from our web server to SQL Server. He said I need to do programming for 128 bit connections from web server to SQL Server. But I told him I couldn't find it. Later he told me that I need to create a self-signed certificate. I have no idea about it. So do you have any idea about what I need? What is a self-signed certificate for? I checked the Signing is for a VBA Project. This is for a VB project. But we have a web page using ColdFusion. I checked the X.509 Technical Supplement, is this programming? Or do I need to buy a certificate?
    Thank you very much!
    Last edited by yyu; 03-12-06 at 11:08.

  6. #6
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    I'm making some assumptions in the following discussion that YOU have got to confirm are correct.

    If you can do everything the customer needs in Cold Fusion HTTPS protected pages, and you can secure everything from the server hosting your Cold Fusion pages to your database, you are home free on this one.

    The back end, from the server hosting your Cold Fusion page(s) to your database should be 100% under your control. Everything should be easy to handle for this part, since it should all be your equipment or under control of people that you trust.

    The pieces of the front end that you can control (the web pages) would be protected by HTTPS from the page itself to the ColdFusion server. This is 128 bit security, and covers everything that you can protect. Note that this does not (and cannot) cover everything, since MalWare that includes a keystroke logger (which is often found on publicly accessible machines in places like libraries, Internet Cafes, etc) could still compromise the security, but that is a client machine problem that you can't control.

    If you can control the backend directly, and can protect the Cold Fusion pages with HTTPS, I think you are "good to go" with 128 bit security from the client browser to the database!

    -PatP

  7. #7
    Join Date
    Apr 2002
    Location
    Toronto, Canada
    Posts
    20,002
    sounds good to me

    i haven't used coldfusion with https myself, but what pat outlines is completely accurate, the security is provided by your browser, so if the web page is talking successfully to the coldfusion server via https, you're fine
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  8. #8
    Join Date
    Mar 2004
    Posts
    660
    Thank you for all your help. I still have a question about Pat's answer and I want to make sure I understand what you said.
    Our ColdFusion page is using https://. I think this satisfies the first condition ("If you can do everything the customer needs in Cold Fusion HTTPS protected pages,").

    Now I need the second condition to make everything secure. That is ("and you can secure everything from the server hosting your Cold Fusion pages to your database").

    you said "The back end, from the server hosting your Cold Fusion page(s) to your database should be 100% under your control. Everything should be easy to handle for this part, since it should all be your equipment or under control of people that you trust."

    I do not quite understand this step. How can I control the back end? Can you explain to me a little bit?
    I create a login account in sql server for my webpage. Then in my coldfusion page i use datasource by using this login account. Is this the way i control the security connection from web server to database?
    Also our sql server is behind the firewall. But our web server is outside the firewall.

    You also said If you can control the backend directly, and can protect the Cold Fusion pages with HTTPS, I think you are "good to go" with 128 bit security from the client browser to the database!. That means I still need to control the backend. How can I control?

    I have a question about r937's answer. What you mean is if I use https:// in my ColdFusion page, then I don't need to do anything as it is already secure. Am I right?
    I don't need a self-signed certificate.

    I just want to make sure i understand what you said.

    Thanks again. You all did big help to me.

  9. #9
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    You have to "step back" from the problem a bit to understand what you can protect, and what you can't... That makes things complex, since you need to look at so many pieces.

    You probably have physical control over your database server, any application server(s), and web server(s) for your application. By this I mean that either you actually have them "in house" where you or your employees control them, or you have contracted a trusted third party to manage them for you. As long as that is the case, you have the "backend" under your control, and you can secure it any way that suits you. One of the best alternatives is to prevent any form of public access to data flowing across your back end, although using 128 bit (or greater) security would be just as good in this example.

    Your clients are probably using web browsers, on machines that either those clients or other parties (such as an Internet Cafe, a public library, or even a client's employer) owns. By using HTTPS, you can secure everything from the browser application to your web server with 128 bit security.

    With only a few exceptions (such as the country of France which forbids the use of more than 56 bit security), this allows you to provide at least 128 bit security from the web browser application to the database on your disk.

    Note that this leaves open the possibility of things such as MalWare that could put keystroke loggers between the client machine's keyboard and the browser. This MalWare would make all of your security meaningless, since the data entered by the user would be intercepted before you/your software could even know that there was an issue! This is a problem that no one can solve, since it lies outside the scope of what you have the ability to protect... If the client machine has been compromised, there is no effective defense.

    -PatP
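
Added example, not part of the original thread or any poster's code: one way to check whether the web-server-to-SQL-Server hop discussed above is actually encrypted is to list user connections whose transport encryption is off. It assumes SQL Server 2005 or later and a login with VIEW SERVER STATE permission.

```sql
-- Added example: show current user connections that are NOT encrypted in transit.
-- Run on the SQL Server instance while the web application is connected.
SELECT  s.login_name,            -- SQL login the datasource uses
        s.host_name,             -- client machine name as reported by the driver
        s.program_name,          -- client application / driver name
        c.client_net_address,    -- source IP, e.g. the web server outside the firewall
        c.net_transport,         -- TCP, Shared memory, Named pipe
        c.auth_scheme,           -- SQL, NTLM, KERBEROS
        c.encrypt_option         -- 'TRUE' when the connection is encrypted
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
        ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
  AND   c.encrypt_option = 'FALSE'
  AND   c.net_transport  = 'TCP'  -- only connections that cross the network
ORDER BY c.client_net_address, s.login_name;
```

An empty result while the web application is connected means every network connection to the instance is encrypted; a row for the web server's address means that hop carries the login and data in the clear.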

  10. #10
    Join Date
    Mar 2004
    Posts
    660
    Thanks pat. i learn that. Now i have another question need your help. Our coldfusion server reside on our webserver. We have server websites in IIS. If i use ssl on one of our website this in IIS. Can i use https:// for coldfusion page? I believe only the website that has SSL can use Http://. How about my coldfusion page? Do i have to have SSL on our coldfusion server? Or can i point the page to coldfusion server in one of our website (IIS)?
    Last edited by yyu; 03-13-06 at 17:50.

  11. #11
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    Sorry, that part of the question lies well outside my area of expertise. I'm no Cold Fusion expert, although R937 could probably pass for one.

    Based on what I know, as long as the URL for your .cfm file starts with HTTPS: I would presume that you were safe, but you REALLY need to confirm that with someone that really knows Cold Fusion.

    -PatP

  12. #12
    Join Date
    Apr 2002
    Location
    Toronto, Canada
    Posts
    20,002
    sorry, i am not an administrator, and i do not have any experience with servers or connectivity (the "point to" part is the part i would have trouble with), and i actually haven't used HTTPS myself, either
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  13. #13
    Join Date
    Mar 2004
    Posts
    660
    Thank you all for your nice help. I will do research.
