2 Security Server

The FMS Security Server hosts sensitive information such as the FidelioBK schema password and the Key Encryption Key (KEK). It stores both values in encrypted form in its configuration file, using the Windows Data Protection API (DPAPI) with a machine-level key. Because the key is machine-scoped, the encrypted configuration can only be decrypted on the machine that produced it: a copy of the file taken to another host is unreadable, but any process running on the original machine can decrypt it, so the file's NTFS permissions still matter.

Security Server Encryption

The Fleet Management Security Server hosts its sensitive information in encrypted form in the configuration file. Run the server with administrative privileges.

The examples below show the FidelioBK schema password and the Key Encryption Key (KEK) first in plain text and then in encrypted form:

Schema password and KEK in plain text:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="FidelioBkPwd" value="" />
    <add key="KEKKey" value="" />
    <add key="ServiceUrl" value="https://localhost/OHCFMSSecurityService/FCTransactionsService.asmx"/>
    <add key="TNSNamesPath" value="C:\Oracle\product\19.3.0\dbhome_1\network\admin\tnsnames.ora"/>
  </appSettings>
</configuration>

Schema password and KEK in encrypted form (the base64 ciphertext is omitted here):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>...</CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>
</configuration>
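The encrypted form above is what .NET's DataProtectionConfigurationProvider (DPAPI, machine scope) writes when the appSettings section is protected. The following PowerShell is an added example, not code shipped with OHC FMS, that protects (or unprotects) that section through the same provider and then checks that neither the key names nor the values remain in clear text. The configuration path is an assumption; run it elevated on the machine that will host the server, because that is where the machine-scoped DPAPI key lives.

```powershell
# Added example (not part of the OHC FMS product): protect <appSettings> with
# the DPAPI-backed DataProtectionConfigurationProvider and verify the result.
Add-Type -AssemblyName System.Configuration

function Protect-AppSettings {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,   # assumed; app.config or Web.config
        [switch] $Unprotect                            # reverse it, e.g. before editing values
    )
    # OpenMappedExeConfiguration accepts any config file path, so the same
    # function serves the Windows applications (app.config) and the IIS service (Web.config).
    $map = New-Object System.Configuration.ExeConfigurationFileMap
    $map.ExeConfigFilename = (Resolve-Path $ConfigPath).Path
    $config = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration(
        $map, [System.Configuration.ConfigurationUserLevel]::None)
    $section = $config.GetSection('appSettings')

    if ($Unprotect) {
        if ($section.SectionInformation.IsProtected) {
            $section.SectionInformation.UnprotectSection()
        }
    } elseif (-not $section.SectionInformation.IsProtected) {
        # DPAPI with the machine key (useMachineProtection="true" is the default);
        # this produces the <EncryptedData><CipherData><CipherValue> layout shown above.
        $section.SectionInformation.ProtectSection('DataProtectionConfigurationProvider')
    }
    $section.SectionInformation.ForceSave = $true
    $config.Save([System.Configuration.ConfigurationSaveMode]::Full)
}

function Test-AppSettingsProtected {
    param([Parameter(Mandatory)] [string] $ConfigPath)
    $raw = Get-Content -Raw $ConfigPath
    # Both must hold: the provider attribute is present, and the key names
    # (and therefore the values) no longer appear anywhere in clear text.
    $hasProvider   = $raw -match 'configProtectionProvider="DataProtectionConfigurationProvider"'
    $leaksPlaintext = $raw -match 'FidelioBkPwd|KEKKey'
    [pscustomobject]@{
        Path          = $ConfigPath
        Protected     = $hasProvider -and -not $leaksPlaintext
        PlaintextLeak = $leaksPlaintext
    }
}

# Usage with an assumed path:
$cfg = 'C:\inetpub\wwwroot\OHCFMSSecurityService\Web.config'
Protect-AppSettings -ConfigPath $cfg
Test-AppSettingsProtected -ConfigPath $cfg | Format-List
```

The application keeps reading the values transparently through ConfigurationManager on this machine. For an IIS application the equivalent command-line tool is `aspnet_regiis.exe -pef appSettings <site-physical-dir> -prov DataProtectionConfigurationProvider` (and `-pdf` to reverse it). Machine-scoped DPAPI defends against the file being copied off the host, not against another principal on the same host, so restrict the configuration file's ACL to the service account and administrators.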

Secure Clients

On startup, any client (application, interface, or web service) connecting to the server for the first time fetches the FidelioBK password and the Key Encryption Key (KEK) and stores them in encrypted form in its own configuration file. Thereafter the client uses the values stored in its configuration file, and only needs to reconnect to the server when the FidelioBK password or the KEK changes.

To update the FidelioBK password and Key Encryption Key, open OHC Security Server, go to the Administration tab, and provide the relevant credentials.

Figure 2-1 Server Logs for Successful Secure Client Connection


This figure shows the server logs for a successful secure client connection.

Figure 2-2 FidelioBK Password and KEK Key Fields on the Administration Tab


This figure shows the Administration interface for resetting the FidelioBK password and KEK key.

Configuring OHCFMSSecurity Service

  1. Go to C:\inetpub\wwwroot\OHCFMSSecurityService and open the Web.Config file.
  2. Update TNSNamesPath with the correct path to the tnsnames.ora file. For example:
    <appSettings>
    <add key="FidelioBkPwd" value="" />
    <add key="KEKKey" value="" />
    <add key="ServiceUrl" value="https://localhost/OHCFMSSecurityService/FCTransactionsService.asmx"/>
    <add key="TNSNamesPath" value="C:\Oracle\product\19.3.0\dbhome_1\network\admin\tnsnames.ora"/>
    </appSettings>
  3. Update the data source name in the connection string so that it matches an alias defined in that tnsnames.ora file.
    <connectionStrings>
    <add name="OracleDBServer" connectionString="Data Source=OHCFMS;User ID={0};Password={1}" providerName="System.Data.OracleClient"/>
    </connectionStrings>

Adding HTTPS Binding

After Internet Information Services (IIS) is set up, the site listens on the default port 80 over plain HTTP. To add an HTTPS binding, obtain a certificate from a certificate provider and install it according to the provider's instructions.
  1. In Internet Information Services (IIS) Manager, under Connections, expand your server's name, and then expand Sites. OHCFMSSecurityService appears under Default Web Site.
  2. Right-click OHCFMSSecurityService, and then click Convert to Application.
  3. Select the OHCFMSSecurityService website for which you want to install the SSL Certificate.
  4. In the Actions menu, select the Bindings option under Edit Site.

    Figure 2-3 HTTPS Binding option


    This figure shows the Binding option on the Actions menu.
  5. In the Site Bindings window, click Add.
  6. In the Add Site Binding window, enter the following information:
    • For Type, select HTTPS from the drop-down list.

    • For IP Address, select All Unassigned from the drop-down list.

    • For Port, enter 443. If you are using a non-standard port for SSL traffic, enter that port number.

    • For SSL Certificate, select the recently imported SSL Certificate from the drop-down list.

    Figure 2-4 Add Site Binding


    This figure shows the Add Site Binding window.
  7. Click OK. The SSL Certificate is now installed.
  8. To test the HTTPS binding:
    1. Select the IIS web site, and then select Browse *:443 (https) from the right panel. The IIS home page opens in a web browser.
    2. If you use a self-signed certificate, the browser shows a certificate error because the certificate was not issued by a Certificate Authority it trusts. A certificate issued by a trusted Certificate Authority produces no error, and the IIS home page opens over HTTPS.
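The same binding can be created and checked from PowerShell with the WebAdministration module. This is an added example, not part of the product or its documentation; it assumes the site is "Default Web Site", that the certificate has already been imported into the local machine Personal store, and that its subject name is the host you browse to. The certificate filter deliberately rejects expired certificates and certificates without a private key, both of which IIS Manager would otherwise let you select.

```powershell
# Added example (not from the product documentation): HTTPS binding for the
# OHCFMSSecurityService application via the WebAdministration module.
Import-Module WebAdministration

function Add-SecurityServiceHttpsBinding {
    param(
        [string] $SiteName = 'Default Web Site',        # assumed
        [string] $AppName  = 'OHCFMSSecurityService',
        [string] $HostName = 'localhost',               # assumed certificate subject
        [int]    $Port     = 443
    )
    # Step 2 of the procedure: make the folder an IIS application.
    if (-not (Get-WebApplication -Site $SiteName -Name $AppName)) {
        ConvertTo-WebApplication -PSPath "IIS:\Sites\$SiteName\$AppName" | Out-Null
    }

    # Newest unexpired certificate with a private key whose subject matches the host.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate for $HostName in Cert:\LocalMachine\My" }

    # Steps 5-7: https on all unassigned addresses, then attach the certificate.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*' | Out-Null
    }
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item -Path $sslPath -Value $cert | Out-Null
    return $cert.Thumbprint
}

function Test-SecurityServiceHttps {
    param([string] $Url = 'https://localhost/OHCFMSSecurityService/FCTransactionsService.asmx')
    # Step 8: an HTTP 200 over TLS means binding, certificate and application all work.
    # A self-signed certificate that is not in Trusted Root fails here with a
    # trust error instead of silently succeeding, which is the behaviour you want.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
        return $r.StatusCode -eq 200
    } catch {
        Write-Warning $_.Exception.Message
        return $false
    }
}

$thumb = Add-SecurityServiceHttpsBinding
"Bound certificate $thumb"
netsh http show sslcert ipport=0.0.0.0:443   # HTTP.sys view of the same binding
Test-SecurityServiceHttps
```

If the request fails with a trust error while IIS Manager's Browse works, the certificate is bound correctly but is not in the machine's Trusted Root store; do not work around that by disabling certificate validation in clients.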

Updating the Configuration File

To run the Security Server application, you must add or update the <appSettings> section in the Configuration file.
  1. For Microsoft Windows applications, open the app.config file for editing.
    For Web applications, open the web.config file for editing.
  2. Ensure the <appSettings> section is added/updated as follows:
    <appSettings>
       <add key="FidelioBkPwd" value="" />
       <add key="KEKKey" value="" />
       <add key="ServiceUrl" value="https://localhost/OHCFMSSecurityService/FCTransactionsService.asmx"/>
       <add key="TNSNamesPath" value="C:\Oracle\product\19.3.0\dbhome_1\network\admin\tnsnames.ora" />
    </appSettings>
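The edits in "Configuring OHCFMSSecurity Service" and "Updating the Configuration File" are the same four appSettings keys plus the connection string's Data Source. The following PowerShell is an added example, not the product's own tooling, that applies them with an XML parser instead of hand-editing and checks the two things that fail only at runtime if wrong: that the Data Source alias actually exists in the tnsnames.ora the server is pointed at, and that ServiceUrl uses HTTPS. The file paths and the alias OHCFMS are assumptions taken from the examples above.

```powershell
# Added example (not from the product documentation): apply and validate the
# Security Server appSettings and connection string.
function Update-SecurityServerConfig {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,   # Web.config or app.config (assumed path)
        [Parameter(Mandatory)] [string] $TnsNamesPath,
        [string] $ServiceUrl = 'https://localhost/OHCFMSSecurityService/FCTransactionsService.asmx',
        [string] $DataSource = 'OHCFMS'                 # alias from the page's example
    )
    if (-not (Test-Path $TnsNamesPath)) { throw "tnsnames.ora not found: $TnsNamesPath" }

    # Heuristic alias scan: a tnsnames entry starts a line with "ALIAS =".
    # (Comma-separated alias lists are not handled.)
    $aliases = Select-String -Path $TnsNamesPath -Pattern '^\s*([A-Za-z0-9_.\-]+)\s*=' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    if ($aliases -notcontains $DataSource) {
        throw "Alias '$DataSource' is not defined in $TnsNamesPath (found: $($aliases -join ', '))"
    }
    if ($ServiceUrl -notmatch '^https://') { throw "ServiceUrl must use HTTPS: $ServiceUrl" }

    [xml]$xml = Get-Content -Raw $ConfigPath        # also fails loudly on malformed XML
    $appSettings = $xml.configuration.appSettings
    if (-not $appSettings) { throw "No <appSettings> section in $ConfigPath" }
    if ($appSettings.configProtectionProvider) {
        throw "appSettings is already encrypted; unprotect it before editing"
    }

    # FidelioBkPwd and KEKKey stay empty: the Security Server fills and
    # encrypts them, they are never typed into the file by hand.
    $wanted = [ordered]@{ FidelioBkPwd = ''; KEKKey = ''; ServiceUrl = $ServiceUrl; TNSNamesPath = $TnsNamesPath }
    foreach ($pair in $wanted.GetEnumerator()) {
        $node = $appSettings.add | Where-Object key -eq $pair.Key
        if (-not $node) {
            $node = $xml.CreateElement('add')
            $node.SetAttribute('key', $pair.Key)
            $appSettings.AppendChild($node) | Out-Null
        }
        $node.SetAttribute('value', $pair.Value)
    }

    # Only the Data Source changes; {0}/{1} are filled in by the server at runtime.
    $cs = $xml.configuration.connectionStrings.add | Where-Object name -eq 'OracleDBServer'
    if ($cs) {
        $cs.SetAttribute('connectionString', "Data Source=$DataSource;User ID={0};Password={1}")
    }
    $xml.Save((Resolve-Path $ConfigPath).Path)
}

Update-SecurityServerConfig -ConfigPath 'C:\inetpub\wwwroot\OHCFMSSecurityService\Web.config' `
    -TnsNamesPath 'C:\Oracle\product\19.3.0\dbhome_1\network\admin\tnsnames.ora'
```

Run this before the section is DPAPI-protected; once appSettings is encrypted the function refuses to edit it rather than silently overwriting the ciphertext.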

Frequently Asked Questions and Troubleshooting

  • Where is the Security Server installed?

    The Security Server is installed on the IIS machine.

  • Who uses the Security Server?

    • An IT manager at the client site or

    • An administrator at the client site or

    • Support personnel

  • What is the purpose of the Security Server?

    The Security Server is used to host sensitive information like FidelioBK password and KEK key.

  • What kind of logs are available for the Security Server?

    An Activity Log that records client connections, stored in the installation directory (C:\inetpub\wwwroot\OHCFMSSecurityService\bin\Log).

    An Exception Log stored in the inetpub folder (C:\inetpub\wwwroot\OHCFMSSecurityService\bin\Error).

    A Trace Log, used when the information in the logs above is insufficient for troubleshooting. Enable tracing in the server and client configuration files through the <system.diagnostics> section; this generates a detailed trace file (messages.svclog) containing error messages and warnings, which you can view with the SvcTraceViewer.exe tool. Because the trace file grows quickly, disable tracing as soon as you have obtained the information needed for troubleshooting.
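Because tracing must be switched off again once the problem is captured, it helps to have the on/off toggle as one repeatable step. The PowerShell below is an added example and not part of the product: it writes or removes a <system.diagnostics> section that sends a trace to messages.svclog through the standard XmlWriterTraceListener. The trace source name "System.ServiceModel", the log location and the configuration path are assumptions; use whatever source the server and client actually trace through.

```powershell
# Added example (not from the product documentation): toggle <system.diagnostics>
# tracing in a configuration file, and report its current state.
function Set-SvcTrace {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [ValidateSet('On', 'Off')] [string] $State,
        [string] $LogPath = 'C:\inetpub\wwwroot\OHCFMSSecurityService\bin\Log\messages.svclog'  # assumed
    )
    [xml]$xml = Get-Content -Raw $ConfigPath
    # Remove any existing section first so the toggle is idempotent.
    $existing = $xml.configuration.'system.diagnostics'
    if ($existing) { $xml.configuration.RemoveChild($existing) | Out-Null }

    if ($State -eq 'On') {
        # Source name is an assumption; XmlWriterTraceListener writes the
        # .svclog format that SvcTraceViewer.exe opens.
        $fragment = @"
<system.diagnostics>
  <sources>
    <source name="System.ServiceModel" switchValue="Information, ActivityTracing" propagateActivity="true">
      <listeners>
        <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="$LogPath" />
      </listeners>
    </source>
  </sources>
  <trace autoflush="true" />
</system.diagnostics>
"@
        $node = $xml.ImportNode(([xml]$fragment).DocumentElement, $true)
        $xml.configuration.AppendChild($node) | Out-Null
        New-Item -ItemType Directory -Force (Split-Path $LogPath) | Out-Null
    }
    $xml.Save((Resolve-Path $ConfigPath).Path)
}

function Get-SvcTraceState {
    param([Parameter(Mandatory)] [string] $ConfigPath)
    [xml]$xml = Get-Content -Raw $ConfigPath
    if ($xml.configuration.'system.diagnostics') { 'On' } else { 'Off' }
}

$cfg = 'C:\inetpub\wwwroot\OHCFMSSecurityService\Web.config'   # assumed
Set-SvcTrace -ConfigPath $cfg -State On      # reproduce the problem, collect messages.svclog
# ... open the file with SvcTraceViewer.exe ...
Set-SvcTrace -ConfigPath $cfg -State Off     # turn it off again
Get-SvcTraceState -ConfigPath $cfg           # reports Off
```

Reading and saving the file as XML leaves a DPAPI-protected appSettings section untouched, since the ciphertext is ordinary XML content. Treat the finished .svclog like a log of the service's internal activity: keep it to the people troubleshooting and delete it when done.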

Importing the Self-Signed Certificates

Import self-signed certificates using the Microsoft Management Console (MMC).
  1. To import the PFX into the local computer's Trusted Root Certification Authorities store:
    1. Click the Windows Start button and select the Run command.
    2. Enter MMC and click OK.
    3. Select File, and click Add / Remove Snap In.
    4. Double-click Certificates.
    5. Select the computer account, select Local Computer, and then click Finish.
    6. Click OK to close the Snap-In window.
    7. Click [+] to expand the Certificates container, then select Trusted Root Certification Authorities, and Certificates.
    8. Right-click Certificates, select All Tasks, and click Import.
    9. At the Certificate Import Wizard, click Next.
    10. Click Browse, select the PFX to import, and then click Open.
    11. Click Next.
    12. Select Place all certificates in the following store. Ensure the Trusted Root Certification Authorities is visible in the Certificate Store section and click Next.
    13. Click Finish, and then click OK.
  2. To import the PFX file into the local computer's Personal store:
    1. Click the Windows Start button and select the Run command.
    2. Enter MMC and click OK.
    3. Select File, and click Add / Remove Snap In.
    4. Double-click Certificates.
    5. Select the computer account, followed by Local Computer, then click Finish.
    6. Click OK to close the Snap-In window.
    7. Click [+] to expand Certificates container and select Personal, and Certificates.
    8. Right-click Certificates, select All Tasks, and click Import.
    9. At the Certificate Import Wizard, click Next.
    10. Click Browse, select the PFX to import, and then click Open.
    11. Click Next.
    12. Select Automatically select the certificate store based on the type of certificate.
    13. Click Finish, and then click OK.
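The two MMC imports above can be done from PowerShell with the PKI module. The following is an added example, not part of the product or its documentation, and it differs from the MMC steps in one deliberate respect: the PFX, which carries the private key, goes only into the Personal store, and only the public certificate (exported as a .cer) goes into Trusted Root, so the private key is never stored in the root store. The PFX path is an assumption.

```powershell
# Added example (not from the product documentation): import a self-signed
# certificate for IIS, keeping the private key out of the Trusted Root store.
function Import-SecurityServiceCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    # Personal store: where IIS looks for a certificate to bind (MMC procedure 2).
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    if (-not $cert.HasPrivateKey) { throw "PFX imported without a private key; IIS cannot use it" }

    # Trusted Root: public part only (replaces MMC procedure 1's PFX import).
    # Export-Certificate -Type CERT writes the DER certificate without the key.
    $cer = [IO.Path]::ChangeExtension($PfxPath, '.cer')
    Export-Certificate -Cert $cert -FilePath $cer -Type CERT | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Remove-Item $cer

    # Verify both placements by thumbprint, and that the root copy carries no key.
    $inMy   = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    $inRoot = Get-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        PersonalHasKey = $inMy.HasPrivateKey     # expected: True
        RootHasKey     = $inRoot.HasPrivateKey   # expected: False
    }
}

$pfxPw = Read-Host -Prompt 'PFX password' -AsSecureString
Import-SecurityServiceCertificate -PfxPath 'C:\certs\ohcfms.pfx' -PfxPassword $pfxPw   # assumed path
```

The Trusted Root step is only for self-signed certificates. A certificate issued by a Certificate Authority should not be placed in Trusted Root; install the issuer's chain instead and leave the server certificate in the Personal store.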