FoxTrot Search server and secured network connections

FoxTrot Search Server 2.5 supports secured network connections (encrypted using TLS / SSL); however, there is currently no user interface to activate this feature, which requires installing a certificate on the server side. You can enable it manually.

When this feature is enabled, both FoxTrot Professional Search and FoxTrot Search Admin will always use a secured connection when connecting to FoxTrot Search Server.


To enable secured connections manually:


- make sure that the server is not running: in the FoxTrot Search Server application, click the "Stop" button

- open the file "/Library/FoxTrot Server/FoxTrot Starter Settings.ftsstg" in TextEdit

- set the path to your certificate file in the TLSCertificate field:

	<TLSCertificate>/System/Library/OpenSSL/certs/YourCompanyCertificate.crt</TLSCertificate>

The certificate file must be in PEM format (.crt or .pem filename extension) or in DER / ASN.1 format (.cer filename extension).

- set the path to your private key file in the TLSPrivateKey field:

	<TLSPrivateKey>/System/Library/OpenSSL/private/YourCompanyPrivateKey.pem</TLSPrivateKey>

The private key file must be in PEM format (.pem filename extension).

- start the server by clicking the "Start" button in FoxTrot Search Server.


Troubleshooting:


If the specified certificate or key files are not found, not readable, or not valid, starting the server fails silently (the status field simply reports "Not running"). Check the file "{home}/Library/FoxTrot Server/FoxTrotStarter.log" to see whether it reports an SSL / TLS error.


Generating a self-signed certificate from Terminal.app


If you do not already have a signed certificate to use, you can create a self-signed one using OpenSSL; type the following in a Terminal window (replacing YourCompany with the actual name of your server or certificate):

	cd /System/Library/OpenSSL/private
	sudo openssl genrsa -des3 -out YourCompanyPrivateKey.key 1024

(note: you will be prompted for your machine's administrator password, then you will be prompted twice for the pass phrase to use to create your private key)

	sudo openssl rsa -in YourCompanyPrivateKey.key -out YourCompanyPrivateKey.pem

(note: you will be prompted for the pass phrase you just defined for your private key)

	sudo openssl req -new -key YourCompanyPrivateKey.key -x509 -out ../certs/YourCompanyCertificate.crt

(note: you will be prompted again for the pass phrase you just defined for your private key, then you will be prompted for the information to use to generate the certificate)

Note that you can create your certificate and private key in a location other than OpenSSL's default location; in this case you can omit "sudo" in the previous commands, to avoid having to type your machine's administrator password.



Using an existing certificate from the Keychain


If you want to use a certificate currently stored in your keychain (which could have been created by /System/Library/CoreServices/Certificate Assistant.app), you must first export and convert it.


- in the "Certificates" category of "Keychain Access.app", export your certificate to a temporary file using the "Personal Information Exchange (.p12)" format, using a temporary export password


- in Terminal.app, type the following command (using the actual path and filename of your exported .p12 file) to convert the certificate to the .pem format:

	openssl pkcs12 -in /Users/john/Certificates.p12 -out /Users/john/MyCertificateAndPrivateKey.pem -nodes

At the "Import Password:" prompt, enter the export password you used when exporting from the keychain.

- you can now delete the .p12 file

- set both TLSCertificate and TLSPrivateKey fields to the path of your pem file.

- note: this .pem file also contains your private key in unencrypted form. Keep this file private.
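Because a bad certificate or key path only shows up as "Not running" (see Troubleshooting above), it helps to check the settings before clicking "Start". The following pre-flight checker is an added example, not FoxTrot's own code. It assumes the settings file is plain text containing the <TLSCertificate> and <TLSPrivateKey> tags shown earlier on this page, applies the file-format rules from this page (PEM .crt/.pem or DER .cer for the certificate, PEM .pem for the key), flags a passphrase-protected key (which the "openssl rsa" step above removes, since the server cannot answer a prompt), and finally asks the system OpenSSL, through Python's ssl module, whether the certificate and key actually load as a pair. The combined keychain-export case, where both fields point at the same .pem file, is handled as well. The sample PEM files in demo() are constructed placeholders with the right headers but no real key material, so the pair check is expected to fail on them.

```python
"""Pre-flight checker for FoxTrot Search Server TLS settings (added example, not
FoxTrot's own code). Reads TLSCertificate / TLSPrivateKey from the settings text,
applies this page's file-format rules, and asks OpenSSL whether the pair loads."""
import os
import re
import ssl
import tempfile
from pathlib import Path

PEM_CERT_EXTS = {".crt", ".pem"}   # PEM certificate, per the page
DER_CERT_EXTS = {".cer"}           # DER / ASN.1 certificate, per the page
KEY_EXTS = {".pem"}                # private key must be PEM, per the page
# Matches "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "BEGIN ENCRYPTED PRIVATE KEY", ...
KEY_MARKER = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def read_setting(settings_text, field):
    """Return the text between <field> and </field>, or None if the field is absent."""
    m = re.search(rf"<{field}>(.*?)</{field}>", settings_text, re.S)
    return m.group(1).strip() if m else None


def file_problems(path, label):
    """Existence and readability checks: either failure makes the server start fail silently."""
    if not Path(path).is_file():
        return [f"{label}: {path} not found"]
    if not os.access(path, os.R_OK):
        return [f"{label}: {path} not readable"]
    return []


def pem_markers(path):
    """Which PEM blocks a file carries, and whether the key is passphrase-protected."""
    text = Path(path).read_text(errors="replace")
    return {
        "cert": "-----BEGIN CERTIFICATE-----" in text,
        "key": KEY_MARKER.search(text) is not None,
        # PKCS#8 encrypted keys and traditional OpenSSL encrypted keys, respectively
        "encrypted": "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text,
    }


def preflight(settings_text):
    """Return a list of problem strings; an empty list means OpenSSL accepted the pair."""
    problems = []
    cert = read_setting(settings_text, "TLSCertificate")
    key = read_setting(settings_text, "TLSPrivateKey")
    if not cert or not key:
        return ["TLSCertificate and TLSPrivateKey must both be set"]
    problems += file_problems(cert, "TLSCertificate") + file_problems(key, "TLSPrivateKey")
    if problems:
        return problems

    cert_ext, key_ext = Path(cert).suffix.lower(), Path(key).suffix.lower()
    if cert_ext not in PEM_CERT_EXTS | DER_CERT_EXTS:
        problems.append(f"TLSCertificate: unexpected extension {cert_ext!r} (use .crt/.pem or .cer)")
    if key_ext not in KEY_EXTS:
        problems.append(f"TLSPrivateKey: unexpected extension {key_ext!r} (use .pem)")
    if cert_ext in PEM_CERT_EXTS and not pem_markers(cert)["cert"]:
        problems.append("TLSCertificate: no 'BEGIN CERTIFICATE' block in PEM file")
    key_info = pem_markers(key)
    if not key_info["key"]:
        problems.append("TLSPrivateKey: no 'BEGIN ... PRIVATE KEY' block in file")
    if key_info["encrypted"]:
        problems.append("TLSPrivateKey: key is passphrase-protected; write an unencrypted copy first")
    if problems or cert_ext in DER_CERT_EXTS:
        return problems  # load_cert_chain reads PEM only, so a DER certificate is not pair-checked

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert, keyfile=key)  # raises if cert and key do not match
    except Exception as exc:  # ssl.SSLError (an OSError subclass) carries OpenSSL's reason
        problems.append(f"OpenSSL rejected the certificate/key pair: {exc}")
    return problems


def demo():
    """Run the checker over constructed placeholder files (not real keys) in a temp directory."""
    fake_cert = "-----BEGIN CERTIFICATE-----\nZm9vYmFy\n-----END CERTIFICATE-----\n"
    fake_key = "-----BEGIN RSA PRIVATE KEY-----\nZm9vYmFy\n-----END RSA PRIVATE KEY-----\n"
    enc_key = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nZm9vYmFy\n-----END RSA PRIVATE KEY-----\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        files = {"server.crt": fake_cert, "server.pem": fake_key, "encrypted.pem": enc_key,
                 # shape of an "openssl pkcs12 ... -nodes" export: bag attributes, cert, key
                 "combined.pem": "Bag Attributes\n    friendlyName: example\n" + fake_cert + fake_key}
        for name, body in files.items():
            Path(d, name).write_text(body)

        def settings(cert, key):  # minimal settings text with the two tags from the page
            return f"<TLSCertificate>{d}/{cert}</TLSCertificate>\n<TLSPrivateKey>{d}/{key}</TLSPrivateKey>\n"

        results["missing_key"] = preflight(settings("server.crt", "nonexistent.pem"))
        results["encrypted_key"] = preflight(settings("server.crt", "encrypted.pem"))
        results["fake_pair"] = preflight(settings("server.crt", "server.pem"))
        results["keychain_export"] = preflight(settings("combined.pem", "combined.pem"))
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or ["ok"])
```

To check a real installation, read the settings file and pass its contents to preflight(); an empty list means the files exist, match the format rules, and load as a matching pair in the same OpenSSL the server will use. Note that load_cert_chain would prompt on a passphrase-protected key, which is why the checker reports an encrypted key and stops instead of attempting to load it.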