Is the communication between QAWeb Agent and QAWeb Server safe?

Article number: [3394] - Legacy code: [11670]

The communication between QAWeb Agent and QAWeb Server is safe. As soon as the Agent receives the Relay’s SSL certificate via an HTTP connection during installation, it connects with the Relay only via HTTPS (= secured).

Here is some background to understand how it all works...

QAWEB SERVER

QAWeb Server uses two hosts:

  1. The host secureservice.medical.barco.com is meant to be used by the Relay and uses a self-signed certificate that is trusted by the Relay.
  2. The host service.medical.barco.com is meant to be used by a browser and uses a GlobalSign certificate, which is trusted by all browsers. So, if the user browses directly to this Server, the browser should not show any security warnings. 

QAWEB RELAY

QAWeb Relay has two roles:

  1. It acts as a web server and directs HTTP calls to the server (over a secure HTTPS connection). It accepts both HTTP and HTTPS requests.
  2. The most important role of the Relay, however, is to act as an intermediate station (aka “relay”) for messages being sent between QAWeb Agent and QAWeb Server (using that same secure HTTPS connection).

The QAWeb Relay server accepts HTTP connections for the following use cases:

  1. Installation of QAWeb Agent: at installation time, the Agent receives the Relay’s SSL certificate via an HTTP connection. From that time onwards, the Agents only connect with the Relay via HTTPS (= secured).
  2. The Relay allows users on the internal network to browse the server via the Relay. This can be done over HTTP or HTTPS. In this way, the user can browse the QAWeb Server application instead of browsing to https://service.medical.barco.com directly. This is mainly meant for users that do not have an internet connection and have only access to the Relay Server which runs in the local network. When users want to browse to the Server via the Relay over HTTPS, the browser will typically give a security warning, since the Relay uses a self-signed certificate that is not in the browser’s trust store, meaning that it is not trusted by the browsers by default. A user can safely accept this certificate and proceed. This HTTPS connection is mainly used by Agents to send and receive messages to and from the Server.
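Both items above rest on a self-signed Relay certificate that is accepted once and relied on afterwards. The following added example (not Barco's code) shows one way to check that the certificate stored at installation and the one presented over HTTPS both match a fingerprint recorded out of band. It assumes an administrator can read that fingerprint on the Relay host itself; the certificates are constructed byte strings and the host name in the final comment is hypothetical.

```python
import hashlib
import hmac
import ssl


def fingerprint(cert):
    """SHA-256 fingerprint (lowercase hex) of a certificate, PEM text or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha256(der).hexdigest()


def matches_pin(cert, pinned_fp):
    """Compare against a pin written as 'AA:BB:...' or 'aabb...'."""
    wanted = pinned_fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(cert), wanted)


def presented_cert(host, port=443):
    """Certificate the host presents over TLS, fetched without chain validation
    (a self-signed certificate has no chain to validate)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def check_relay(installed_pem, presented_der, out_of_band_fp):
    """Return a list of findings; an empty list means both copies match the pin."""
    findings = []
    if not matches_pin(installed_pem, out_of_band_fp):
        findings.append("installed certificate does not match the out-of-band fingerprint")
    if not matches_pin(presented_der, out_of_band_fp):
        findings.append("certificate presented over HTTPS does not match the out-of-band fingerprint")
    return findings


# Constructed stand-ins: arbitrary bytes in place of real DER certificates.
GENUINE_DER = b"constructed relay certificate"
SWAPPED_DER = b"constructed substituted certificate"
GENUINE_PEM = ssl.DER_cert_to_PEM_cert(GENUINE_DER)
SWAPPED_PEM = ssl.DER_cert_to_PEM_cert(SWAPPED_DER)
# Pin as an administrator would record it on the Relay host itself (assumption).
_hex = hashlib.sha256(GENUINE_DER).hexdigest().upper()
OUT_OF_BAND_FP = ":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))

if __name__ == "__main__":
    print(check_relay(GENUINE_PEM, GENUINE_DER, OUT_OF_BAND_FP))
    print(check_relay(SWAPPED_PEM, GENUINE_DER, OUT_OF_BAND_FP))
    # Live use (hypothetical host name): presented_cert("relay.example.internal")
```

An empty list means the installed copy and the presented certificate are the same certificate the administrator recorded; any finding means the copies differ and the installation should be re-checked.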

Note that the Relay always uses a secure connection (HTTPS) to connect with the Server, even when the web application is browsed via the Relay over HTTP. Users may access the web application directly if they have internet access. Furthermore, there are no specific steps recommended by Barco to disable the login page over HTTP.

HTTP connections are not encrypted. They are needed for Agents at installation time. An HTTP connection with the Relay can also be used to browse the QAWeb web interface, but the communication between browser and Relay is then not encrypted. Since Relays are only accessible from within the local network, and the local network is basically a safe environment, an HTTP connection is possible and is used by most users to browse the QAWeb web interface via the Relay.

Communication between Relay and Server, however, is always securely encrypted (HTTPS)! Since Relays are only accessible from within the local network, this is acceptable for most users. If browsing the Relay over HTTP is not trusted, HTTPS can be used instead, or the user can browse to the Server directly.

Properties

Last updated Aug 1, 2023