The DALI server supports restricting access to board features based on username. DALI currently supports HTTP Basic Authentication for transmission of the username and password over the network. This protocol does not encrypt the login information. On untrusted networks this should only be used in combination with SSL encryption. A future version of DALI will support the WS-Security SOAP standard which enables secure transmission of login information without SSL.
The DALI server comes with a pre-generated SSL certificate which can be used to provide SSL encrypted access to the DALI server. This is a self-signed certificate which functionally enables SSL but should be replaced with a real certificate by the customer.
SSL encryption is expensive in terms of processor time and memory used. The DALI server will process SSL encrypted requests much slower than unencrypted requests. For this reason only requests sending login information should use SSL.
If SSL encryption is not required, see the server options page for instructions on disabling this port.
These instructions require OpenSSL, which is installed with the dali-apache package or can be obtained directly from openssl.org.
The CA.sh utility installed with OpenSSL assists in creating new certificates. The dali-apache package installs this file in the directory /usr/local/dali-apache/ssl/misc/. Go to the directory where this utility is located on your system.
The SSL certificate contains information about your organization which will be confirmed later by a certificate signing authority. This certificate provides encryption keys for encrypting communication with your server, and also provides this confirmed contact information so that clients can be sure they really are connected to you. If you are only interested in the encryption features of SSL and will be responsible for all the client software in your system you may not need a real SSL certificate. Instead see the next section for generating self-signed certificates.
Run the following command to generate an SSL certificate request:
./CA.sh -newreq
This program will ask a number of organizational and contact questions about you and your company. When the program is finished it will generate a new file called newreq.pem. This file is ready to be sent to the certificate signing authority of your choice. For a fee, this company will cryptographically sign your certificate to mark it as valid. thawte.com is one such authority.
This company will send back a signed certificate file which is ready for use by the DALI server. See the server options section of the manual for information on directing the DALI server to use your new certificate.
Some customers only need an SSL certificate for encryption, and do not need it to certify their identity or to work with third-party client software which may have strict SSL certificate checking requirements. In this case the example certificate provided by Diamond Systems may be sufficient. However, it is more secure to generate your own.
The first step is to create your own certificate signing authority. The command to do this is:
./CA.sh -newca
The next step is to create a certificate request with the command:
./CA.sh -newreq
Next, cryptographically sign your request using your own certificate signing authority with the command:
./CA.sh -sign
Finally, combine the certificate request file with the signed certificate using this command:
cat newreq.pem newcert.pem > server.pem
This certificate is now ready to be used by the DALI server. See the server options section of the manual for information on directing the DALI server to use your new certificate.
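As an added example (not part of the DALI manual or of the CA.sh utility), the following POSIX shell script checks a combined server.pem before the DALI server is pointed at it, whether the certificate came back from a commercial authority or from the self-signed procedure above: it confirms that the private key and certificate in the file belong together and that the certificate has not expired. The make_demo_pem function is a constructed stand-in that produces a throwaway, passphrase-free key and self-signed certificate so the checks can be exercised offline; with a passphrase-protected key written by CA.sh, openssl pkey prompts for the passphrase.

```shell
#!/bin/sh
# Added example, not part of the DALI manual: sanity checks on a combined
# server.pem before the DALI server is configured to use it. Needs the
# openssl command-line tool that ships with the dali-apache package.
set -u

# Return 0 when the private key and the certificate in PEMFILE belong to each
# other, 1 otherwise. Both are reduced to their SubjectPublicKeyInfo PEM and
# compared; openssl skips the CERTIFICATE REQUEST block that
# "cat newreq.pem newcert.pem" also leaves in the file.
check_server_pem() {
    pemfile=$1
    cert_pub=$(openssl x509 -in "$pemfile" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pemfile" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate in PEMFILE is still valid SECONDS from now
# (default: right now), 1 when it has expired or will expire by then.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Print subject, issuer and validity window so the operator can confirm the
# hostname and organization before deploying the file.
show_cert_info() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Constructed sample input: a throwaway, passphrase-free key and self-signed
# certificate standing in for the newreq.pem/newcert.pem pair that the
# "CA.sh -newreq" and "CA.sh -sign" steps produce. Writes DIR/server.pem.
make_demo_pem() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=Example DALI Site/CN=dali.example.invalid" \
        -keyout "$dir/newreq.pem" -out "$dir/newcert.pem" 2>/dev/null || return 1
    cat "$dir/newreq.pem" "$dir/newcert.pem" > "$dir/server.pem"
}

# Usage: sh check_server_pem.sh --demo  (or source the file and call the functions)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_pem "$tmp" && show_cert_info "$tmp/server.pem" \
        && check_server_pem "$tmp/server.pem" && cert_not_expired "$tmp/server.pem" \
        && echo "server.pem: key and certificate match and are current"
    rm -rf "$tmp"
fi
```

To check a real deployment file, call check_server_pem and cert_not_expired on the server.pem you intend to hand to the DALI server; a non-zero status means the file should not be deployed.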