8.9.2. Operations over a secure channel


When a client interacts with an Internet services server, data can be exchanged over a secure channel. A secure communication channel prevents unauthorized viewing and alteration of data. The secure channel is TLS-based (version 1.2). TLS connections support cryptographic algorithms that comply with GOST R 34.10-94, R 34.10-2001, R 34.10-2012, R 34.11-94, R 34.11-2012, and 28147-89. The obsolete SSL 3.0 protocol can be enabled with a command-line option when starting a client connection.

TLS (Transport Layer Security) is a protocol used to provide secure interaction between a client and a server. TLS is based on:

  • Mutual authentication of the client and the server, so that each party is sure the other is who it claims to be.
  • Digital signatures to ensure data integrity (protecting data from unauthorized alteration).
  • Encryption to ensure the confidentiality of data (protecting data from unauthorized viewing).

The TLS protocol supports various encryption algorithms, digital signature schemes, certificate types, and so on, so that a secure channel of the required strength can be provided.

The TLS protocol uses a TLS session to establish a secure connection between a client and a server. A session is established by exchanging a sequence of messages between the client and the server. When establishing a session, the following actions can be performed:

  • Negotiating the cryptographic algorithms that will be used to encrypt and digitally sign the transmitted data.
  • Establishing the session key.
  • Performing server authentication on the client side.
  • Performing client authentication on the server side.

To authenticate the client on the server side and the server on the client side, TLS uses certificates. A certificate is a document that describes a set of parameters of the party being authenticated. For example, the certificate can contain the username or the name of the server website. The certificate also contains a digital signature, which is used to verify its validity. Chains of certificates are used to prevent uncontrolled issuance of certificates. The beginning of a chain of certificates is the Certificate Authority, an organization that issues certificates. If a particular user needs a certificate, they send a request to the Certificate Authority to issue one. The Certificate Authority issues a certificate that is signed with its own private key. The user to whom the certificate is issued may, in turn, act as a Certificate Authority for other users. Thus, a chain of certificates is formed, the root of which is the Root Certificate Authority, which is, as a rule, a well-known organization.

For a client to accept a certificate, it must be on the list of certificates that this client trusts. The list can include either this certificate itself or any other certificate from its certificate chain. As a rule, this is the certificate of the Root Certificate Authority. Please remember that 1C:Enterprise operates correctly with certificates only if the certificate fields contain data in US ASCII or characters encoded with Punycode. Certificate fields must not contain data in Unicode.

One of the most common uses of the TLS protocol is sending HTTP requests over it (HTTPS). In this case, HTTPS is the URL scheme used to address such resources, and the default port is 443.

The client part of the Web services engine uses the URL scheme (HTTPS) of the Web service location to determine automatically that interaction with the Web service must be performed over a secure communication channel. The client also requires that a valid certificate, issued by a Certificate Authority known to the client, be linked to the server.

A server certificate is valid if its digital signature matches the content of the certificate, its validity period has not expired, and the website for which the certificate was issued corresponds to the server website. If the certificate is not valid, for example because the certificate website does not match the server website, the client will not be able to communicate via TLS with the Web services of this website.
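The three client-side checks just described (trusted signature chain, validity period, website name), as an added Go example that is not 1C:Enterprise code; the Root CA, the host name ws.example.test and the ECDSA P-256 keys are constructed for the example in place of the GOST algorithms the platform uses:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl; parent == nil means self-signed (a Root CA), else signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: the chain root
	} else {
		signer = parentKey // signed with the issuing CA's private key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ServerCertValid runs the client's checks from the text: chain to a trusted certificate, validity at now, hostname.
func ServerCertValid(server, trusted *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted) // the certificate the client trusts (here the Root CA)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err // nil only if all three checks pass
}

// BuildChain constructs (for this example) a Root CA and a one-hour server certificate for ws.example.test.
func BuildChain() (root, server *x509.Certificate) {
	now := time.Now()
	root, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	server, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "ws.example.test"}, DNSNames: []string{"ws.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, caKey)
	return root, server
}
```

Calling ServerCertValid with a different host name, a time past NotAfter, or a root the server certificate was not issued under returns an error, which is exactly the situation in which the client refuses the TLS connection.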

In order to enable operation via the TLS protocol, you need to:

  • Obtain a server certificate for the website for which you plan to use TLS. The certificate is issued by a Certificate Authority and is linked to this website.
  • Enable TLS support on the web server.
  • Explicitly specify a secure connection in the application that uses the Web service when connecting to it. To do this, when creating WS Determinations and WS Proxy objects, specify the SecureConnection parameter. When a secure connection is used, specify a SecureConnectionOpenSSL object as the value of this parameter.
