The goal is to protect our customers' personal data while it is transmitted over the Internet and imported into the Exponea application, by using an SSL/TLS connection, an SSH tunnel, or both at once.
Keeping customer data secure is our priority
You must either create and use an SSH tunnel or set up encrypted communication with SSL/TLS.
Open port 443 on your firewall for an SSL/TLS connection, or port 22 on your firewall for an SSH connection. For an SSH tunnel you can also use ports other than 22.
Exponea supports some of these secure connection types for all databases. See the list of databases and supported configurations in the table below.
Every database integration has the same configuration form. For each database you need to fill in these attributes:
- Hostname (public IP address or hostname of your database, e.g. 28.783.11.22 or db.exponea.com)
- Port (e.g. 1433; the TCP destination port for this database)
- Username (name of a user who is allowed to access your local database, e.g. "exponea". An MS Azure SQL username must be in the format "[email protected]", e.g. "[email protected]")
- Password (password of the user who is allowed to access your local database)
- Database name (name of the database you want to access data from)
Exponea offers two options for protecting communication between the customer's server and the Exponea application. You can pick one of them or have both active at once.
Click on "Enable SSL/TLS connection", then:
- Import the SSL/TLS certification authority certificate (load the SSL/TLS CA file)
- Import the customer's SSL/TLS certificate (load the SSL/TLS Cert file)
- Import the private key of the customer's server (load the SSL/TLS Key file)
An example of how to enable SSL/TLS with MySQL:
SSH tunnels have their own configuration window, available in Project settings -> SSH tunnels. Only users with Dev. tools permissions have access to the SSH tunnel configuration; see roles and permissions in Access management. The form has these fields:
- Hostname (hostname of the SSH server with its port, separated by a colon)
- Username (identification of the user)
- Host key (the fingerprint of the customer's server public key, used to identify and verify the customer's host). You can find the fingerprint in the known_hosts file on any device that has successfully connected to your server through SSH. You can read more about host keys in "Importance of host keys" below.
Importance of host keys
Host keys play an important role in securing your communication with the remote server: they let you check that it really is the server you think it is. Without them you could be open to various attacks, such as DNS spoofing.
Steps to find the host key:
If this is your first time connecting to your SSH server, you need to log in to your server first. You can skip this step if you have already made a successful connection in the past:
- Connect to the SSH server with ssh user_name@server_ip_address, where user_name is the name of the user you want to log in as and server_ip_address is the IP address of your server. Now you have made a successful connection and you can terminate it by typing:
- Alternatively, connect to the SFTP server using an FTP client (e.g. FileZilla or CyberDuck); try both, or other clients, in order to find the host key.
If you use OpenSSH:
- Navigate to the '.ssh' directory on your local machine.
- Display the content of the 'known_hosts' file. This file contains information about all SSH servers you have successfully connected to; each line describes one server in the following format: server_ip_address server_host_key. Copy the host key that belongs to your server's IP address and paste it into the "Host key" field.
If you use PuTTY:
- Navigate to the '.putty' directory on your local machine ('cd ~/.putty').
- Display the content of the 'sshhostkeys' file and find the host key in the following format: server_ip_address server_host_key. Copy the host key that belongs to your server's IP address and paste it into the "Host key" field.
If the host key doesn't work, contact your hosting admin/support for the key. Please note that your SSH connections are managed by OpenSSH, so the OpenSSH version on your local machine has to support the encryption algorithms used by the server; otherwise the OpenSSH key tooling (ssh-keygen) will not show you the host key in the proper format.
- SSH key (a new key pair can be generated; then import the public key to the SSH server)
- Password (enter the password for the SSH server)
All supported integrations have the option to enable SSH integration. When you enable SSH integration, you need to choose an active SSH tunnel.
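As an added example (not Exponea's code or documentation), the following Python script looks up a server's entry in an OpenSSH known_hosts file the way the "Steps to find the host key" above describe, and goes a little beyond them: it handles the [host]:port form OpenSSH uses for servers on a port other than 22 and the hashed entries written when HashKnownHosts is enabled, where a plain text search for the IP address finds nothing. The known_hosts sample and the key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
from typing import Optional

def hash_known_host(hostname: str, salt: bytes) -> str:
    """Hashed host field as OpenSSH writes it when HashKnownHosts is on:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_field_matches(pattern: str, hostname: str, port: int) -> bool:
    """Match one entry of the comma-separated host field. Servers on a port other
    than 22 are stored as [host]:port; hashed entries are recomputed and compared."""
    wanted = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_known_host(wanted, salt), pattern)
    return pattern == wanted

def find_host_key(known_hosts: str, hostname: str, port: int = 22) -> Optional[str]:
    """Return 'key_type base64_key' for the given server, or None if no line matches.
    Wildcard patterns (*, ?, !) are not handled here."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        host_field, key_type, key_b64 = fields[0], fields[1], fields[2]
        if any(host_field_matches(p, hostname, port) for p in host_field.split(",")):
            return "%s %s" % (key_type, key_b64)
    return None

def fingerprint(host_key: str) -> str:
    """SHA256 fingerprint of the key blob, in the form ssh-keygen -lf prints it."""
    raw = base64.b64decode(host_key.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

# Constructed sample known_hosts content; the key blobs are placeholders, not real keys.
_SALT = bytes(range(20))   # fixed salt so the hashed line below is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# comment line",
    "db.example.com,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBytesOnly",
    "[db.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleKe",
    hash_known_host("203.0.113.20", _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHashedHostEntry",
])
```

Run find_host_key on the contents of your own ~/.ssh/known_hosts with the hostname and port you entered in the tunnel form; the returned line is what belongs in the "Host key" field, and fingerprint gives the SHA256 form to compare against what your hosting admin reports.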