
Sawmill Newsletter

  September 15, 2009



Welcome to the Sawmill Newsletter!

You’re receiving this newsletter because during the downloading or purchase of Sawmill, you checked the box to join our mailing list. If you wish to be removed from this list, please send an email, with the subject line of “UNSUBSCRIBE” to newsletter@sawmill.net (please include the entire message, as the identifying information is at the bottom).


News

Sawmill 8.1.0 shipped on September 9, 2009. This is an intermediate release--it adds a few significant features, including HTTPS and a network API framework with a few plug-ins, and it fixes a number of bugs. This release is free to existing Sawmill 8 users.  It is recommended for anyone who is experiencing problems with Sawmill 8.0.9 or earlier, and for those requiring HTTPS support. You can download it from http://sawmill.net/download.html .

Sawmill 7 users can upgrade to Sawmill 8 for half of the license price; or if you have Premium Support, the upgrade is free. Major features of Sawmill 8 include support for Oracle and Microsoft SQL Server databases, real-time reporting, a completely redesigned web interface, better multi-processor and multi-core support, and role-based authentication control.

This issue of the Sawmill Newsletter describes how to use a self-signed certificate with the new HTTPS feature.


Get The Most Out Of Sawmill With Professional Services

Looking to get more out of your statistics from Sawmill? Running short on time, but need the information now to make critical business decisions? Our Professional Service Experts are available for just this situation and many others. We will assist in the initial installation of Sawmill using best practices; work with you to integrate and configure Sawmill to generate reports in the shortest possible time. We will tailor Sawmill to your environment, create a customized solution, be sensitive to your requirements and stay focused on what your business needs are. We will show you areas of Sawmill you may not even be aware of, demonstrating these methods will provide you with many streamlined methods to get you the information more quickly. Often you'll find that Sawmill's deep analysis can even provide you with information you've been after but never knew how to reach, or possibly never realized was readily available in reports. Sawmill is an extremely powerful tool for your business, and most users only exercise a fraction of this power. That's where our experts really can make the difference. Our Sawmill experts have many years of experience with Sawmill and with a large cross section of devices and business sectors. Our promise is to very quickly come up with a cost effective solution that fits your business, and greatly expand your ROI with only a few hours of fee based Sawmill Professional Services. For more information, a quote, or to speak directly with a Professional services expert contact consulting@flowerfire.com.



Tips & Techniques: Using HTTPS With A Self-Signed Certificate


Sawmill 8.1.0 introduces an HTTPS (secure web browsing) option in the built-in web server. Prior versions supported HTTPS only through third-party encryption layers, e.g., by running in CGI mode behind an external HTTPS server, behind a proxy, or inside an SSL tunnel wrapper. Sawmill 8.1.0 adds direct support for HTTPS in its own built-in web server, so secure access is possible without third-party components.

To enable HTTPS,
  1. Install a certificate in LogAnalysisInfo, as server.crt and server.key.
  2. Check the "Use HTTPS" checkbox, in Preferences -> Server.
  3. Restart the Sawmill server.
The description below uses the free openssl command line tools for creating a certificate. These tools are available on all platforms. The same tools can be used to configure and install a commercially purchased certificate.


Step 1: Generate A Private Key (server.key)

Run the following openssl command line to generate a private key into a file named server.key.


  openssl genrsa -des3 -out server.key 1024



You will be prompted for a private key password; enter something secure. After the command completes, there will be a file server.key in the current directory.


Step 2: Generate a Certificate Signing Request file (server.csr)

Now, you need to generate a Certificate Signing Request. This can be done again with the openssl command, as shown below. The text after each colon in the transcript is what you type. Enter your own company information, etc. Be sure to enter the actual hostname of the server where Sawmill will be running as the Common Name--if the hostname in this request doesn't match the hostname typed in the web browser to access Sawmill, browsers will report a certificate error.


  $ openssl req -new -key server.key -out server.csr
  Enter pass phrase for server.key: (enter password from above here)
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:US
  State or Province Name (full name) [Berkshire]:CA
  Locality Name (eg, city) [Newbury]:Santa Cruz
  Organization Name (eg, company) [My Company Ltd]:Flowerfire, Inc.
  Organizational Unit Name (eg, section) []:Documentation
  Common Name (eg, your name or your server's hostname) []:stats.flowerfire.com
  Email Address []:support@sawmill.net 



After the command completes, there will be a server.csr file in the current directory.


Step 3: (optional) Remove The Password From server.key

If you skip this step, OpenSSL will prompt for the server.key password when the Sawmill server is started. This is ideal for security, but if you want to be able to start the Sawmill server automatically, you can remove this password with the following commands:


  cp server.key server.key.withpassword
  openssl rsa -in server.key.withpassword -out server.key



The security ramifications of this, and the possible approaches to starting the server automatically and securely without a password, are beyond the scope of this simple tutorial, but it is more secure to keep the password. The OpenSSL documentation can be consulted for other, more secure, approaches.


Step 4: Generate a Self-Signed Certificate (server.crt)

Now, run the following command to self-sign the key:


  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


It will prompt you for the password; enter the password for server.key that you entered in Step 2 (unless you removed it in Step 3). When this command completes, there will be a server.crt file in the current directory.

Security Note On Step 4

Self-signing is not the most secure solution--it is just the easiest and cheapest one. For best security, you must submit the Certificate Signing Request file to a certificate authority, which will send you an official, verified certificate. There will be an annual charge for such a certificate, but without it, your server will not be confirmed as authentic by web browsers, and most web browsers will give a warning when first entering the Sawmill site. This newsletter does not describe the process for installing a CA-issued certificate--the certificate authority can provide that information--but focuses on the simple self-signed approach.

The full security ramifications of self-signing are beyond the scope of this document, but in a nutshell, self-signed servers cannot be confirmed to be authentic, which makes it possible for unauthorized users to intercept traffic intended for the Sawmill server, to pose as the Sawmill server, and acquire passwords and other information through their server. By purchasing a certificate from a certificate authority, you can eliminate this potential vulnerability, and have a truly secure web browser connection to Sawmill.


Step 5: Copy The Files To LogAnalysisInfo

Copy server.key and server.crt to the LogAnalysisInfo folder of your Sawmill installation, to install your key into Sawmill.


Step 6: Restart the Sawmill Server

Restart Sawmill, and the Sawmill server will start in HTTPS mode, using the same port as before (8988), but listening as an HTTPS server with the server.key and server.crt files you installed. It can now be accessed using https://hostname:8988/, where hostname is the Common Name you entered in Step 2. If the certificate is self-signed, the browser will show a warning on first access, but you will be able to ignore the warning and use Sawmill as before.
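A scripted version of Steps 1 to 4 with the checks worth running before Step 5, added here as an example (not Sawmill's own tooling): it builds server.key and server.crt non-interactively (the key is left unencrypted, as after Step 3, and sized at 2048 bits rather than 1024), confirms the key matches the certificate and the Common Name is the expected hostname, and shows the Security Note above in action, since openssl verify rejects the self-signed certificate unless it is explicitly trusted. It assumes the openssl command is on PATH; the subject fields are constructed samples.

```shell
#!/bin/sh
# Added example, not part of Sawmill: Steps 1-4 without prompts, plus checks.
set -eu

# make_selfsigned HOSTNAME OUTDIR [DAYS]
# Writes OUTDIR/server.key (no passphrase, the Step 3 state) and
# OUTDIR/server.crt with CN=HOSTNAME. Subject fields are constructed samples.
make_selfsigned() {
  host=$1; dir=$2; days=${3:-365}
  mkdir -p "$dir"
  # Step 1 without -des3: an unencrypted key lets the server start unattended.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # Step 2 without the interactive questions: the DN is given with -subj.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=US/ST=CA/L=Santa Cruz/O=Example Org/CN=$host" 2>/dev/null
  # Step 4: sign the request with its own key.
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_cn OUTDIR: print the Common Name embedded in server.crt.
# Browsers compare this against the hostname typed in the URL (Step 6).
cert_cn() {
  openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert OUTDIR: succeeds only if server.key is the private half
# of server.crt (same RSA modulus). A mismatch means Sawmill will fail to
# serve HTTPS after Step 5.
key_matches_cert() {
  k=$(openssl rsa -in "$1/server.key" -noout -modulus | openssl dgst -sha256)
  c=$(openssl x509 -in "$1/server.crt" -noout -modulus | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# chain_ok OUTDIR [CAFILE]: succeeds if server.crt verifies against CAFILE.
# Without CAFILE the default trust store is used and a freshly made
# self-signed certificate is rejected; that rejection is the browser warning
# the Security Note describes. Passing server.crt itself as CAFILE is the
# "accept this one certificate" decision a user makes when clicking through.
chain_ok() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$2" "$1/server.crt" >/dev/null 2>&1
  else
    openssl verify "$1/server.crt" >/dev/null 2>&1
  fi
}
```

Run make_selfsigned, then key_matches_cert and cert_cn, before copying the two files into LogAnalysisInfo.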


Credits

This article uses some information from Akadia's public web page, http://www.akadia.com/services/ssh_test_certificate.html .



Professional Services

This newsletter describes a specific use of Sawmill's new HTTPS feature. Sawmill's security functionality, including its RBAC feature, is extensive, and can be used to create very detailed authentication and access controls. If you need assistance with configuring HTTPS or access control in your Sawmill installation, or with any other Sawmill tasks, our Sawmill Experts can help. Contact sales@sawmill.net for more information.



[Article revision v1.0]
[ClientID: 43726]