Securing Designer Connections

Securing the connection between Lumisan Sanbox Designer and Lumisan Sanbox Runtime

This guide shows you how to secure the connection between your Runtime instance and Sanbox Designer using SSL, encrypting all data flowing between the Designer and the Runtime. This is not needed if the Designer and Runtime run on the same machine, but it is recommended when connecting to a Runtime on your network and highly recommended when connecting to a Runtime over the internet. Unfortunately, due to technology limitations, the Runtime requires a configuration separate from your HTTPS configuration.

1. Download OpenSSL

If you do not already have the OpenSSL tools installed, install OpenSSL on your workstation so you can generate the public/private key pair needed to secure your Runtime/Designer connections. The OpenSSL Wiki lists trusted links to OpenSSL installers and binaries for Linux and Windows.

If you install OpenSSL but cannot run it from the command line with the command openssl, add the installation directory (the directory containing openssl.exe, usually %ProgramFiles%\OpenSSL-Win64\bin\) to your computer's Path environment variable.

2. Generate Keys

The following commands can be run in PowerShell or Command Prompt on Windows, or in a terminal on Linux.

You will generate two files. The first is the private key, used only by the Runtime. Run the following command to generate the private key file:

openssl genrsa -out server.key 2048

The second file is your public key certificate; it is used by both the Runtime and the Designer. Run the following command in the same directory where you ran the last one:

openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

You will be asked a series of questions when running this command. Some of them can be left blank. The most important one is the Common Name of the public key certificate. The Common Name must be the domain or server name of the Runtime instance you are securing, so you will follow this tutorial once for each Runtime instance you wish to access securely via the Designer. If the Runtime is accessed via eastus.example.org, for example, then the Common Name must be eastus.example.org.

If the Common Name is incorrect, then the Designer will not be able to connect to the Runtime.

Once you've completed these commands, you should have the following files created:

  • server.key

  • server.crt
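The following script is an added example and is not part of the Lumisan documentation or product. It wraps the two openssl commands from this step, passes the Common Name with -subj so no prompts appear, and then performs the two checks a practitioner wants before copying the files anywhere: that the certificate's Common Name is exactly the host name the Designer will use, and that the certificate really belongs to the generated private key. It assumes openssl is on the Path; the host name eastus.example.org is the guide's own sample, and the function names are mine.

```python
"""Generate the Runtime key pair non-interactively and verify the result.

Added example (not Lumisan's code). Assumes the openssl binary is on the Path.
"""
import os
import re
import shutil
import subprocess
import tempfile

# The checks below need the openssl command-line tool.
HAVE_OPENSSL = shutil.which("openssl") is not None


def run_openssl(*args, cwd):
    """Run one openssl command and return its stdout as text; raise on failure."""
    result = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                            capture_output=True, text=True)
    return result.stdout


def generate_runtime_pair(common_name, out_dir):
    """Create server.key and server.crt in out_dir, as in steps 2a and 2b of the guide."""
    run_openssl("genrsa", "-out", "server.key", "2048", cwd=out_dir)
    # -subj supplies the Common Name so the command does not prompt.
    run_openssl("req", "-new", "-x509", "-sha256", "-key", "server.key",
                "-out", "server.crt", "-days", "3650",
                "-subj", f"/CN={common_name}", cwd=out_dir)
    return os.path.join(out_dir, "server.key"), os.path.join(out_dir, "server.crt")


def certificate_common_name(cert_path):
    """Return the CN of a PEM certificate, reading the subject in RFC 2253 form."""
    cwd = os.path.dirname(cert_path) or "."
    subject = run_openssl("x509", "-in", cert_path, "-noout", "-subject",
                          "-nameopt", "RFC2253", cwd=cwd)
    # Output looks like "subject=CN=eastus.example.org"; keep the part after "subject=".
    rdn_list = subject.split("=", 1)[1].strip()
    match = re.search(r"(?:^|,)CN=([^,]+)", rdn_list)
    return match.group(1) if match else None


def key_matches_certificate(key_path, cert_path):
    """True when the public key embedded in the certificate is derived from the private key."""
    cwd = os.path.dirname(cert_path) or "."
    from_key = run_openssl("rsa", "-in", key_path, "-pubout", cwd=cwd)
    from_cert = run_openssl("x509", "-in", cert_path, "-pubkey", "-noout", cwd=cwd)
    return from_key.strip() == from_cert.strip()


def check_runtime_pair(expected_host, out_dir):
    """Generate a pair for expected_host and report what the Designer will be checking."""
    key_path, cert_path = generate_runtime_pair(expected_host, out_dir)
    cn = certificate_common_name(cert_path)
    return {
        "common_name": cn,
        "cn_matches_host": cn == expected_host,
        "key_matches_cert": key_matches_certificate(key_path, cert_path),
    }


def run_demo(expected_host="eastus.example.org"):
    """Run the whole flow in a throwaway directory (a real deployment keeps the files)."""
    with tempfile.TemporaryDirectory() as work_dir:
        return check_runtime_pair(expected_host, work_dir)


if __name__ == "__main__":
    print(run_demo())
```

A mismatch in cn_matches_host is exactly the failure described in this guide: the Designer refuses the connection when the Common Name does not equal the name it was given for the Runtime.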

3. Configuring Sanbox Runtime

Copy Files

Copy server.key and server.crt to the working directory of your Sanbox Runtime instance or somewhere where they will be accessible to the Runtime.

Modify Configuration

Modify the Runtime configuration (runtime.json or environment variable), changing the Designer section.

  • Set SecureServer to true

  • Set CertPath to server.crt if you placed the file in the working directory, or to the absolute path of wherever you placed it.

  • Set PrivateKeyPath to server.key if you placed the file in the working directory, or to the absolute path of wherever you placed it.

Example configuration:

"Designer": {
  "AllowDesigner": true,
  "HostName": "0.0.0.0",
  "Port": 50155,
  "SecureServer": true,
  "CertPath": "server.crt",
  "PrivateKeyPath": "server.key"
},
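The script below is an added example, not Lumisan's code, for checking a runtime.json before restarting the Runtime. It assumes the layout shown above (a top-level "Designer" object with SecureServer, CertPath and PrivateKeyPath) and resolves relative paths against the Runtime's working directory, as this section describes. It reports when secure mode is off, when either file is missing, when the private key is readable by other users, and when the certificate and key do not load as a pair. The function names and the placeholder files written by run_demo are mine.

```python
"""Sanity-check the Designer section of a Sanbox Runtime runtime.json.

Added example (not Lumisan's code). Assumes the runtime.json layout from the guide.
"""
import json
import os
import ssl
import stat
import tempfile


def load_designer_section(config_path):
    """Read runtime.json and return its "Designer" object."""
    with open(config_path, encoding="utf-8") as fh:
        return json.load(fh)["Designer"]


def check_designer_config(designer, base_dir):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if designer.get("SecureServer") is not True:
        findings.append("SecureServer is not true: Designer traffic would be sent unencrypted")
        return findings

    resolved = {}
    for key in ("CertPath", "PrivateKeyPath"):
        value = designer.get(key)
        if not value:
            findings.append(f"{key} is not set")
            continue
        # Relative paths are taken relative to the Runtime's working directory.
        path = value if os.path.isabs(value) else os.path.join(base_dir, value)
        if os.path.isfile(path):
            resolved[key] = path
        else:
            findings.append(f"{key} points to a missing file: {path}")
    if len(resolved) != 2:
        return findings

    # On POSIX the private key should be accessible only to the Runtime's account.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(resolved["PrivateKeyPath"]).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("PrivateKeyPath file is accessible to group/other; restrict it (e.g. chmod 600)")

    # Load the pair the way a TLS server does: this rejects a corrupt file and a
    # certificate that does not belong to the private key.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        context.load_cert_chain(resolved["CertPath"], resolved["PrivateKeyPath"])
    except ssl.SSLError as exc:
        findings.append(f"certificate/private key pair failed to load: {exc}")
    return findings


def run_demo():
    """Write a constructed runtime.json plus placeholder cert/key files and check them."""
    with tempfile.TemporaryDirectory() as work_dir:
        config = {"Designer": {
            "AllowDesigner": True, "HostName": "0.0.0.0", "Port": 50155,
            "SecureServer": True, "CertPath": "server.crt", "PrivateKeyPath": "server.key"}}
        with open(os.path.join(work_dir, "runtime.json"), "w", encoding="utf-8") as fh:
            json.dump(config, fh)
        # Constructed placeholder contents, not real PEM data, so the pair check must fail.
        for name in ("server.crt", "server.key"):
            with open(os.path.join(work_dir, name), "w", encoding="utf-8") as fh:
                fh.write("placeholder, not a real PEM file\n")
        designer = load_designer_section(os.path.join(work_dir, "runtime.json"))
        return check_designer_config(designer, work_dir)


if __name__ == "__main__":
    for finding in run_demo() or ["no problems found"]:
        print(finding)
```

Point check_designer_config at the real runtime.json and working directory after copying server.key and server.crt; a clean run means the Runtime will find and accept the files you generated.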

4. Configuring Sanbox Designer

Distribute server.crt to each workstation that will be connecting to the Runtime in question. You can either use the file as is, or install it to your workstation's certificate manager.

Do not distribute the private key file server.key anywhere but the Runtime; it must be kept secret.

Option 1: Using Certificate File As Is

First, open Sanbox Designer and edit the Runtime connection using the Runtime Connection Manager screen located under the Other Windows button.

(Screenshot: location of the Other Windows button)

Edit the connection and check the Secure Connection checkbox. If the Use System Root Certificates box is checked, uncheck it, then browse to the server.crt file. Finally, connect to the Runtime. Your connection is now secure. The server.crt file should not be moved or deleted from the location you specified.

Option 2: Installing the Certificate File

With the certificate file on the workstation running Sanbox Designer, double-click the file and click the Install Certificate button.

On the next screen, choose Local Machine as the store location.

Click Next. On the next screen choose the Place all certificates in the following store option and browse to the Trusted Root Certification Authorities store.

Finally, click Next, then Finish. Open Sanbox Designer and modify your Runtime Connection using the Runtime Connection Manager mentioned in Option 1. Check the Secure Connection checkbox, then make sure Use System Root Certificates is checked. You are now able to connect to the Runtime securely.