Configure the Use of Encryption for Data In Transit

Digitise Apps allows you to encrypt data in transit between the App Server and your Digitise Apps Clients/Standalone Apps. By default, it uses an AES 256-bit Cypher Block Chaining SHA-256 encryption cipher, but you can further enhance the encryption by adding a certificate-based private key exchange mechanism or you can switch off encryption altogether. You can also enable or disable a data compression algorithm. The enhanced encryption provides:

  • Elliptic Curve Diffie-Hellman Key Exchange

  • Elliptic Curve Digital Signature Algorithm

  • AES 256-bit Cipher

  • Cipher Block Chaining

  • SHA 256-bit Digest

Encryption and compression are enabled and disabled on an individual app basis and these options are configured using App Manager.

Within App Manager, the Server category Properties tab includes Default Encryption and Default Compression options. These options provide default settings for whether you want to use encryption and/or compression, respectively. The shipping values for both options are On, which means encryption and compression will be used by default. To disable either encryption or compression, change the appropriate option to Off.

Having configured the default settings, you can then overwrite the default values for each of your individual Digitise apps under the Application category in App Manager. When developing your apps, you need to publish each app to your App Server before that app can be run, whether for testing or live by your end-users. Once published, the app will appear under the Application category in App Manager. The Properties for each app include Encryption and Compression options. When an app is first published, these options are set to Default, which means that the app will use the default setting configured under the Server Properties. If you want a particular app to use a different setting than the default server settings for one or both of these options, display the app’s Properties under the Application category and set the option(s) to On or Off to turn the appropriate feature on or off, respectively.

If encryption is enabled for an app, by default Digitise Apps will use its standard AES 256-bit encryption. Alternatively, you can configure the App Server to use the enhanced encryption, in which case this will be used in place of the standard encryption. The type of encryption used is App Server wide, so all your Digitise apps configured to use encryption which connect to a particular App Server will use the same type of encryption.

In order to use the enhanced encryption, you will need to obtain and install an SSL Certificate and then select it within App Manager. This will automatically enable the enhanced encryption for that App Server.

You can get an SSL certificate from one of the commercial or non-profit Certificate Authorities, such as GoDaddy or CACert, or create a self-signed certificate of your own. You may be happy to use self-signed certificates for development purposes but we recommend using a trusted third-party certificate in your live environment. The commercial Certificate Authorities make a charge for issuing the certificate which varies considerably between different Authorities. You would normally need to renew the Certificate on an annual basis.

We also recommend that your certificate be linked to your App Server machine, i.e. that you specify the server’s full computer name as the certificate’s common name, e.g. appserver01.mycompany.co.uk, or, if available, as an alternative name. Wildcard certificates, e.g. *.mycompany.co.uk, are also supported which can be used with any machine within the specified domain, although linking the certificate to your server is more secure and means that the certificate can only be used with that machine.

You can obtain an SSL certificate from one of the commercial or non-profit Certificate Authorities, such as GoDaddy or CACert. For details of how to obtain a certificate refer to your chosen Certificate Authority’s web site.

When creating your certificate, you may need the following configuration information:

Option

Value

Certificate type

X.509v3

Signature Algorithm

SHA-256RSA

Public Key Algorithm

RSA (2048-bit)

Subject

The subject includes information about the owner of the certificate and links the certificate to your App Server machine. You should include the following values:

Parameter

Value

Common Name (CN)

To link the certificate to your App Server machine, specify the full computer name of the machine your Clients will be connecting to, e.g. appserver01.mycompany.co.uk.

Note that this may not be the actual App Server machine if users will be connecting via a proxy, but the DNS name that will be specified in the Clients to connect to their App Server must match one of the names entered here or in the Alternative Names field below.

Alternatively, you can create a wildcard certificate which will work with any machines in your specified domain by specifying the first element as ‘*’, e.g. *.mycompany.co.uk

Organization Name (O)

Your company or organisation’s name.

Locality Name (L)

This would usually be the town or city in which your organisation is based, e.g. London.

State or Province Name (S)

In the UK, this would normally be the county in which your organisation is based, e.g. Lincolnshire.

Country Name (C)

A two-letter code indicating the country in which your organisation is based. For the UK use the code GB

If you are required to specify the subject as a single line, enter the above values in a comma separated list, e.g.:

CN=appserver01.mycompany.co.uk, O=MyCompany Ltd, L=Townsville, S=Countyshire, C=GB

Subject Alternative Name

This option allows you to specify alternative names (aliases) by which your App Server or proxy server may be identified or it can be used to link the certificate to both a specific computer (e.g. appserver01.mycompany.co.uk) and a general domain (e.g. *.mycompany.com).

If you include alternative names you must also repeat the hostname specified in the Common Name field (see above) within your list of alternatives, as in this case the Common Name field may be ignored.

If you are required to enter your alternative names in a single line, specify a comma separated list, e.g.:

DNS Name=appserver01.mycompany.co.uk, DNS Name=appserver01.mycompany.com

Key Usage

Digital Signature, Key Encipherment

 

When you have created your certificate, you will need to download it from your supplier, along with its Root Certificate and any Intermediate Certificates which are required to complete the certificate chain.

 

Once you have obtained or created an SSL Certificate, you will need to install it to the certificate store on your App Server machine.

If you are using a certificate from a trusted third-party Certificate Authority, your certificate may come with additional certificates which make up a certificate chain. Typically, this will consist of your SSL Certificate, a Root Certificate and one or more Intermediate Certificates. You will need to install all the certificates making up your certificate chain to the certificate store on your App Server machine.

If you are using a certificate which doesn’t have a trusted Root Certificate, such as a self-signed certificate, you will probably only have a single certificate, which you will need to install to the certificate store on your App Server machine.

To install your certificates to the App Server’s certificate store:

  1. First check whether the Root and any Intermediate Certificates supplied along with your SSL Certificate are already installed to the Certificate Store on the App Server machine.

    You can do this using the Windows Manage computer certificates applet – search for Manage computer certificates at the Windows Start screen. Load the applet and check under Trusted Root Certification Authorities for the Root Certificate and under Intermediate Certification Authorities for the Intermediate Certificates.

    If any of the required Root and Intermediate Certificates are not already installed in the certificate store, you can install them now.

  2. To install a Root or Intermediate Certificate locate the file in Windows File Explorer and right click on the file.

  3. Choose Install Certificate.

  4. The Certificate Import Wizard will be displayed.

  5. Select Local Machine and then click Next.

  6. If you get a UAC message asking if you want to allow the program to make changes to the machine, click Yes.

  7. Select Automatically select the certificate store based on the type of certificate and then click Next.

  8. Click Finish to install the certificate.

  9. Repeat for any additional Root or Intermediate Certificates you need to install.

  10. You can now install the SSL Certificate. Repeat the steps above for installing your Root or Intermediate Certificates but, when it asks you to specify the certificate store, select Place all certificates in the following store instead of Automatically select the certificate store… Click Browse and then select Personal. Click on OK to return to the Certificate Import Wizard and continue as above.

Your SSL certificate will have an expiry date after which it cannot be used. You will, therefore, need to renew and re-install the Certificate before the current one expires.

 

To install a self-signed certificate to your App Server machine’s certificate store:

  1. Locate the certificate file in Windows File Explorer and right click on the file.

  2. Choose Install Certificate.

  3. The Certificate Import Wizard will be displayed.

  4. Select Local Machine and then click Next.

  5. If you get a UAC message asking if you want to allow the program to make changes to the machine, click Yes.

  6. Select Place all certificates in the following store.

  7. Click on the Browse button to display the Select Certificate Store dialog box.

  8. Select Personal and then click OK to return to the Certificate Import Wizard.

  9. Click Next.

  10. Click Finish to install the certificate.

Your SSL certificate will have an expiry date after which it cannot be used. You will, therefore, need to renew and re-install the Certificate before the current one expires.

 

To enable the enhanced encryption, you need to instruct App Server to use an SSL Certificate which automatically enables the extended encryption for data travelling between your Digitise Apps Clients/Standalone Apps and the App Server:

  1. Load App Manager using the Run as administrator option, e.g. by right-clicking on the App Manager shortcut under Picture showing the Windows Start button. → NDL Software Digitise Apps. If you don’t use the Run as administrator option, the program will restart with elevated privileges for you later.

  2. If you get a UAC message asking if you want to allow App Manager to make changes to your computer, click Yes.

  3. The utility will load and display its initial window.

  4. Click on the Connect button.

  5. The Server Properties will be displayed.

  6. Click on the Select Certificate button.

    If you didn’t run the utility using the Run as administrator option, you will now see a message explaining that you need elevated privileges to select a certificate. Clicking on the Continue button will automatically restart App Manager with the required elevated privileges for you. Continue from Step 2 above again.

  7. Scroll through the list of certificates displayed and select your SSL Certificate.

  8. Click OK.

  9. You should now see your certificate’s Common Name displayed against the Server Certificate field to the left of the Select Certificate button. If no certificate has been selected, this will read None Selected instead.

  10. Click on the Update button in the top right-hand corner of the window.

  11. Restart the NDL Digitise App Server service using the Windows Services applet.

    Note that if you don’t restart the service, the service will automatically pick up the change of certificate but it could take up to 15 minutes for the change to be recognised.

  12. Connections between the App Server and your Clients/Standalone Apps will now be using the enhanced certificate-based private key exchange encryption.

If you later want to change the certificate, simply repeat the above process and select your new certificate.

When your current Certificate expires and you obtain a new one, after installing the new certificate to the certificate store on the App Server machine, you will need to select the Certificate in App Manager again and then restart the NDL Digitise App Server service.

After you first select a certificate or select a new certificate, App Server will log an information message reporting that it is using the certificate in both the standard Digitise Apps Audit Log and the Windows Event Log. The message will be logged either when you restart the App Server service or when the configuration change is next read by the App Server.

 

If you want to stop using the enhanced certificate-based private key exchange encryption and revert back to the standard AES 256-bit encryption without SSL certificate verification and private key exchange, simply clear the SSL Certificate association within App Manager:

  1. Load App Manager using the Run as administrator option, e.g. by right-clicking on the App Manager shortcut under Picture showing the Windows Start button. → NDL Software Digitise Apps. If you don’t use the Run as administrator option, the program will restart with elevated privileges for you later.

  2. If you get a UAC message asking if you want to allow App Manager to make changes to your computer click Yes.

  3. The utility will load and display its initial window.

  4. Click on the Connect button.

  5. The Server Properties will be displayed.

  6. Click on the Clear Certificate button.

  7. The Server Certificate field to the left of the Select Certificate button should change to read None Selected.

  8. Click on the Update button at the top right of the Server Properties window.

  9. Restart the NDL Digitise App Server service using the Windows Services applet.

    Note that if you don’t restart the service, the service will automatically pick up the change of certificate but it could take up to 15 minutes for the change to be recognised.

  10. Connections between the App Server and your Clients/Standalone Apps will now be using the default AES 256-bit encryption.

The App Server will log an error message reporting that the certificate is no longer in use in both the standard Digitise Apps Audit Log and the Windows Event Log. The message will be logged either when you restart the App Server service or when the configuration change is next read by the App Server.

 

If you delete the SSL Certificate which is currently in use by App Server from the certificate store, App Server will continue to use a copy of the certificate cached in memory until you restart the NDL Digitise App Server service, either manually, using the Windows Service applet, or by rebooting the machine.

The App Server will log an error message reporting that the certificate is no longer available in both the standard Digitise Apps Audit Log and the Windows Event Log and will revert to using the default AES 256-bit encryption for data communications.

 

If you are using an SSL Certificate issued by a trusted third-party Certificate Authority, your mobile devices also need to have a suitable Root Certificate from that authority installed in order to use the new encryption.

Most mobile devices should automatically have Root Certificates from the major Certificate Authorities pre-installed, but if your device doesn’t include the required Root Certificate you will need to install this on the device as well. You should have received a copy of the required Root Certificate with your SSL Certificate. You don’t need to install any Intermediate Certificates as these will be dealt with by Digitise Apps.

If the device doesn’t have the relevant certificate you will not be able to connect to the App Server once the App Server has been configured to use the new encryption and you will get an error message on the device, such as connection refused.

 

If you are using a Certificate which hasn’t been issued by a trusted third-party Certificate Authority, such as a self-signed certificate, Clients and Standalone Apps have an option to allow untrusted certificates, which instructs the client to allow certificates which don’t have a trusted root certificate installed.

You will find this option within the Settings in the Client or Standalone App. By default, the option is Off or not selected. If you get a message on the device when trying to run a Client or Standalone App to the effect that the certificate is not trusted, select this option within the Settings. This option can also be configured and locked when building a pre-configured version of a Digitise Apps Client or a Standalone App. For more information about using the Settings option on the different mobile Platforms refer to the topics under User Guide → Install & Run Clients and Standalone Apps from the top menu.