SSL is configured through the server:certificate and server:certificate_password settings in the appSettings.json file located in the DryvIQ (SkySync) installation folder. These changes can be made after a successful installation. The DryvIQ Manager service will need to be restarted for the changes to take effect. Follow the steps below to configure SSL.
1. Place your server certificate file in the installation directory or other secure location.
2. Edit the appSettings.json file in the installation directory to include the certificate file name and password. If the certificate is located outside the installation directory, specify the absolute path to the file, escaping backslashes. For example, "C:\\some-dir\\cert.pfx". The port settings will also need to be updated to reflect the environment. See the example below.
Optional server:check_certificate_revocation and server:load_full_cert_chain properties are also provided. By default both values are set to true. This means that by default, certificate revocation lists will be checked and the full certificate chain (as provided in the given PKCS12 certificate specified in server:certificate) is loaded into the user's trust store. In some cases server:check_certificate_revocation should be set to false, for example when blocking outbound traffic through port 80.
If outbound traffic through port 80 is blocked, the port must be opened the first time DryvIQ is started. This allows the root and intermediate certificates to be verified before placement in the trust store. The port may be closed again once DryvIQ has finished its startup process.
If setting server:load_full_cert_chain to false and DryvIQ was already started with server:load_full_cert_chain is unset or set to true, the applicable certificates will need to be removed from the user's trust store and the DryvIQ service restarted. In the case of Linux deployments, the user's trust store is typically located in the user's home directory that is running DryvIQ under .dotnet/corefx/cryptography/x509stores/ca.
It is highly recommended that weak TLS ciphers are disabled, such as RC4 based cipher suites and those using authentication and encryption less than 128 bits. The use of weak ciphers creates risk of compromise of SSL or TLS communications, allowing a man-in-the-middle attacker the ability to potentially decrypt network traffic. DryvIQ disables all protocols other than TLS 1.2. However, the system administrator must also ensure that the underlying system configuration excludes weak cipher suites. It is also recommended that system administrators disable client renegotiation and enable perfect forward secrecy. For additional information, please see Mozilla's recommendations.
These settings are not configurable in DryvIQ, as the server inherits these settings from the host operating system in the case of Windows environments.
For Windows environments, see this Microsoft Support Article for instructions on disabling individual ciphers. For Linux environments, a reverse-proxy server with the appropriate SSL/TLS protocol and cipher configuration is recommended. Please see your reverse-proxy's documentation for how to configure these settings.