
FileMaker Server 14 SSL Certificate Setup For Windows 2012 Server

The following was documented during our initial FileMaker Server 14 setup. We hope it will save others much of the investigation and testing we carried out.

For additional information on setting up a 2-server deployment, see below.

Data

The procedures below assume we are setting up a server as follows:

Server name: myserver
Domain name: craftict.co.uk
My company name (Organisation): Craft ICT Ltd
My contact details: me myself
My email address: me.myself@craftict.co.uk
My location (City/Locality): Mytown
My State/Country/Region: Mystate
My country: GB

Please substitute any of the above with your own details when referenced below.

Preparation

Before starting any work with FileMaker Server, we strongly suggest you make some DNS preparations. For the example below we are using a server name of:

myserver.craftict.co.uk

Your server must be named in the FileMaker Server admin console (General Settings, Server Information tab, Server Name) as per the fully qualified domain name (FQDN) used on the SSL certificate; in this case, as above, 'myserver.craftict.co.uk'.

If you've already set the server name in the FileMaker Server admin Console, this can be changed after the SSL certificate has been installed if necessary.

If 'Use SSL for database connections' is selected, any access to the server after the certificate has been installed must be via the FQDN for the green padlock to appear in FileMaker Pro. Access to the FileMaker Server via an IP address will result in the grey padlock, not the green.

However, it is not quite as straightforward as that. For instance, you can follow the procedures below, try to upload your first database using the FileMaker Pro File:Sharing menu and receive a message such as:

[Image: FileMaker 14 Server SSL certificate]

This is a particular problem if the server being configured is to replace a server that is still in use under the same FQDN (say, for example, a new FileMaker Server 14 replacing an existing FileMaker Server 13), because our new myserver.craftict.co.uk server cannot then be accessed via this name.

Even more obvious is if you connect to the FileMaker admin console via a web browser. Connecting to https://1.12.123.4:16000 will display a certificate error. Connecting to the same server using https://myserver.craftict.co.uk:16000 will not display a certificate error.

To overcome this while configuring a replacement server, or if the server's DNS entry hasn't been set up, we recommend editing the hosts file on the new server and on any computer you're using to configure it. Therefore, assuming our server address is 1.12.123.4, we would enter into the hosts file:

1.12.123.4 myserver.craftict.co.uk

(we normally separate these with a tab)

If we are deploying 2 servers for FileMaker (master) and WebDirect (worker), we'd also add a line for the worker computer on both servers (and on any computer you're using to connect to these). When you go live, you can remove these hosts file entries.

To edit the hosts file in Windows:

Open Notepad using 'Run as Administrator' (this will not work if you right click on the hosts file and open Notepad), File:Open, ensure 'All Files' is selected, navigate to C:\Windows\System32\drivers\etc\hosts and enter the appropriate lines as above, then save and close. The DNS cache can be cleared by using 'ipconfig /flushdns' in the command line, or just restart the computer.

To do the above on Macs:

Open Terminal, enter 'sudo pico /private/etc/hosts' and enter your computer password. Add the required lines, use ctrl O and Enter/Return to save and then ctrl X to close. The DNS cache can be cleared by using 'dscacheutil -flushcache'.

In both cases # in front of any entry will disable it (sound familiar?)

As a precaution, we ran the command line used below with elevated permissions by right clicking and selecting 'Run as Administrator'.

Create the certificate request

In the command line for the details listed above enter:

fmsadmin CERTIFICATE CREATE "/CN=myserver.craftict.co.uk/O=Craft ICT Ltd/C=GB/ST=Mystate/L=Mytown"

Press enter

Navigate to C:\Program Files\FileMaker\FileMaker Server\CStore\

Open serverRequest.pem with Notepad (created by the above)

Select all, copy contents, close and use below

Purchase the certificate

Go to your chosen certificate issuer's website

Use the contents of your clipboard to paste into the online certificate signing request (CSR) and follow through the website until you receive your certificate by email for the FQDN you've requested.

During the process you will have to enter the appropriate company and personal details for the domain. The application will include an email to the person who must approve the request for the domain before the certificate can be issued.

Create and install the certificate

Upon receipt of the email containing the SSL certificate or a link to the certificate

Copy all contents including and between '---BEGIN CERTIFICATE---' and '---END CERTIFICATE---'

Open Notepad on the server and paste the certificate contents

Save as: myserver_craftict_co_uk.crt

Ensure 'Save as type:' is set to 'All Files'
Leave 'Encoding' at 'ANSI'
Note underscores entered

to: C:\Program Files\FileMaker\FileMaker Server\CStore\

In the command line enter (substituting your own certificate name):

fmsadmin CERTIFICATE IMPORT "C:\Program Files\FileMaker\FileMaker Server\CStore\myserver_craftict_co_uk.crt"

Note - we seemed to have a problem using paste in the command line; the above failed until we typed it in rather than copying and pasting from our notes. This may be due to us not including the speech marks to begin with.

Providing the above runs without any error messages

Open FileMaker Server admin console

Click Database Server

In the Security tab

Select 'Use SSL for database connections'
Select 'Use SSL for progressive downloading' (if wanted)
Click Save

Go to Status
Stop Server
Start Server

As a precaution, we restarted the Windows server here

When restarted, log into the admin console using:

myserver.craftict.co.uk:16000

Depending on the browser, view the certificate, which should be valid

The browser should now display the FileMaker Server 14 Start Page with a valid https URL. In Chrome, for instance, double clicking the padlock allows the valid certificate details to be viewed.

Opening a database using 'Open Remote' with the FileMaker Server FQDN (not IP address) should now display the green padlock in the lower left hand corner. Using the IP address will result in a grey padlock being displayed.

It is worth noting that the FQDN we were using was already in use on one of our live hosted servers running on another VM. We had to edit the hosts files and flush the DNS cache extensively on Windows and on the Mac (used for remote testing) to swap between the live server and the replacement server.
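
The same check can be made without a browser. The following PowerShell is an added example, not part of our original notes or of FileMaker's tooling: Test-ServerCertificate is a hypothetical helper name, it uses the standard .NET SslStream class, and the host names, IP address and port 16000 are the sample values from this page. It reports the name on the certificate the server presents and whether that name matches what the client used to connect.

```powershell
# Added example: show which certificate a TLS endpoint presents and whether
# it is valid for the name the client used to reach it.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,  # FQDN or IP used by the client
        [int] $Port = 16000                                  # admin console port from this page
    )
    $X509 = 'System.Security.Cryptography.X509Certificates'
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate during the handshake so it can be inspected;
        # the checks a real client would apply are made explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object "$X509.X509Certificate2" ($ssl.RemoteCertificate)

        # DNS name the certificate was issued for (the CN given in the request).
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $certName = $cert.GetNameInfo($nameType, $false)

        # Build the chain against this machine's Windows trust store. An
        # intermediate that is not available locally will show as untrusted.
        $chain = New-Object "$X509.X509Chain"
        $trusted = $chain.Build($cert)

        [pscustomobject]@{
            ConnectedAs  = $HostName
            CertName     = $certName
            NameMatches  = ($certName -ieq $HostName)
            ChainTrusted = $trusted
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Expired      = ($cert.NotAfter -lt (Get-Date))
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Sample values from this page: the FQDN should match, the IP address should not.
'myserver.craftict.co.uk', '1.12.123.4' |
    ForEach-Object { Test-ServerCertificate -HostName $_ } |
    Format-Table -AutoSize
```

NameMatches should be True for the FQDN row and False for the IP address row, which corresponds to the green and grey padlocks described above.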

2-Server Deployment

The 2-server deployment had us scratching our heads for some time and we did have to request help from FileMaker tech support. We are running both master server (FileMaker Server 14) and a worker server (WebDirect) on the Internet with their own fully qualified domain names. If we follow the example from above, we have:

myserver.craftict.co.uk - 1.12.123.4 (FileMaker 14 Master Server)

myworkerserver.craftict.co.uk - 1.12.123.5 (WebDirect Worker Server)

Our interpretation of the following from the fms14_getting_started_.pdf guide was wrong:

'The Database Server and web server components must use the same certificate. Do not add a separate certificate for the web server, for example, by using IIS certificate tools or by using OpenSSL certificate tools. Either use the Admin Console import certificate feature or use the CLI command to import the certificate.

If you are using a two-machine deployment, you must run the certificate import command on both machines'

We read from the above that you must use the same certificate on both master and worker server. We were further confused with the following taken from the FileMaker list of supported SSL certificates:

NOTE: Wildcard and SAN (Subject Alternative Names) SSL certificates are not currently supported.

At this point we were scratching our heads. How can you have 2 servers with different FQDNs using the same SSL certificate, based on the master server, but not use wildcards?

The answer is simple, which has come directly from FileMaker. You should use 2 separate SSL certificates, one for each server. Therefore, repeating the procedures above but using the fmsadmin CERTIFICATE command on the worker server to create and then subsequently import a second worker certificate will enable a secure encrypted connection from a browser to the WebDirect server and a secure encrypted connection from FileMaker Pro or FileMaker Go to the FileMaker Server 14 master.

For reference, the certificate request for the worker in this example would be:

fmsadmin CERTIFICATE CREATE "/CN=myworkerserver.craftict.co.uk/O=Craft ICT Ltd/C=GB/ST=Mystate/L=Mytown"

Assuming the certificate file was created and saved as 'myworkerserver_craftict_co_uk.crt' in C:\Program Files\FileMaker\FileMaker Server\CStore

fmsadmin CERTIFICATE IMPORT "C:\Program Files\FileMaker\FileMaker Server\CStore\myworkerserver_craftict_co_uk.crt"

Using these procedures we now have green padlocks when connecting using the FQDNs for each server.