I was wondering if there was any latent security built in for checking in / retrieving files from the vault server.
Or should I just get an SSL certificate?
Thanks!
-bwh
Vault security?
I'm not sure if your question is primarily about authentication of users performing get/checkout/commit operations, or about the visibility of data as it's transferred. I'll answer both.
Vault authenticates connections from clients using user information stored on the server (a valid username and matching password are used). Optionally, the Vault server can be configured to use Active Directory for authentication. A user must authenticate before performing any SOAP operations which would reveal repository information (folder structure, file contents, etc.).
Vault clients communicate with the Vault server using SOAP, which is a remote procedure call technology using XML over HTTP. If you configure IIS to use unencrypted HTTP, all of the XML that Vault sends to the server will be unencrypted. The file contents sent between the Vault client and server are in a compressed delta format, which describes only the changes between the client and server's existing files (for efficiency). This information isn't very easy to decode, but it will not be encrypted if IIS is not configured for SSL. You will need to configure IIS to support SSL, and preferably only accept connections on the HTTPS port, if you want your communications between the Vault client and server encrypted.
A note about SSL certificates: you don't have to buy one from a certificate vendor. Instead, you can install certificate authority software on one of your computers and sign the requests that IIS generates yourself. Microsoft provides free certificate tools for many versions of Windows to do this (usually only server versions of Windows are supported). This article describes PKI setup in Windows Server 2003.
Shaw Terwilliger
SourceGear LLC
`echo sterwill5sourcegear6com | tr 56 @.`
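A check an administrator could run after configuring IIS as the answer above describes, to confirm that the server no longer answers on plain HTTP and that its HTTPS certificate validates against the CA in use. This is an added example, not part of the original posts and not SourceGear code; the host name `vault.example.internal` and the file `my-ca.pem` are placeholders.

```python
import socket
import ssl


def accepts_plain_http(host, port=80, timeout=3.0):
    """True if the port answers an unencrypted HTTP request.

    A redirect to HTTPS also counts: the client's first request, SOAP body
    included, would already have crossed the network in clear text.
    """
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            return sock.recv(16).startswith(b"HTTP/")
    except OSError:
        return False  # refused, filtered or timed out: nothing served in clear


def https_certificate_ok(host, port=443, ca_file=None, timeout=3.0):
    """True if the TLS handshake succeeds with chain and host name verified.

    ca_file: PEM file of a privately run CA (the self-signed option from the
    post). None means the operating system's default trust store is used.
    """
    context = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # covers ssl.SSLError and certificate verification errors
        return False


def audit_transport(host, ca_file=None, http_port=80, https_port=443):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if accepts_plain_http(host, http_port):
        findings.append(f"{host}:{http_port} still accepts unencrypted HTTP")
    if not https_certificate_ok(host, https_port, ca_file):
        findings.append(f"{host}:{https_port} has no verifiable HTTPS endpoint")
    return findings


if __name__ == "__main__":
    # Placeholder host and CA file; replace with your own server and CA.
    for finding in audit_transport("vault.example.internal", "my-ca.pem"):
        print("FINDING:", finding)
```

Run it from a client machine rather than on the server itself, so that firewall rules between the two are part of what is tested.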
Thanks for the info
I'm very grateful to read this post. It is very useful information. Are there any plans to put such interesting and useful information into some kind of document for people who are wanting to evaluate Vault? I think such issues are pretty much fundamental concerns to someone wanting to evaluate Vault except maybe within a closed LAN.
I added this information to our Vault Knowledge Base:
http://support.sourcegear.com/viewtopic.php?p=17672
Now it should be easier for users to find.
Linda Bauer
SourceGear
Technical Support Manager