Execute MATLAB Functions Using HTTPS
Connecting to a MATLAB® Production Server™ instance over HTTPS provides a secure channel for executing MATLAB functions. To establish an HTTPS connection with a MATLAB Production Server instance:
Ensure that the server instance is configured to use HTTPS. For more information, see Enable HTTPS.
Configure the client environment for using SSL.
Create the program proxy using the HTTPS URL of the deployed application. For more information about writing a client program using a proxy, see Create a C# Client.
Configure Client Environment for SSL
Before your client application can send HTTPS requests to a server instance, the root SSL certificate of the server must be present in the Windows® Trusted Root Certification Authorities certificate store on the client machine. If the server uses a self-signed SSL certificate or if the root certificate of the server signed by a certificate authority (CA) is not present in the Windows certificate store, obtain the server certificate from the MATLAB Production Server administrator or export the certificate using a browser, then add it to the Windows certificate store.
Export and Save SSL Certificate
You can use any browser to save the server certificate on the client machine. The procedure to save the certificate using Google Chrome® follows.
Navigate to the server instance URL https://<server FQDN>:port/api/health using Google Chrome.
In the Google Chrome address bar, click the padlock icon or the warning icon, depending on whether the server instance uses a CA-signed SSL certificate or a self-signed SSL certificate.
Click Certificate > Details > Copy to File. Doing so opens a wizard that lets you export the SSL certificate. Click Next.
Select the format to export the certificate and click Next.
Specify the location and file name to export the certificate, then click Next.
Click Finish to complete exporting the certificate.
Add Certificate to Windows Certificate Store
You can use a certificate management tool or Microsoft® Management Console (MMC) to add the server certificate to the Windows certificate store. The procedure to add the certificate using MMC follows.
Open MMC from your Windows machine.
Click File > Add/Remove Snap-in. Doing so opens the Add or Remove Snap-ins window.
In the Add or Remove Snap-ins window:
Click Certificates from the left pane, then click Add.
Select Computer account, then click Finish. Doing so adds Certificates(Local Computer) to the right pane.
Click OK. Doing so takes you to the home window.
In the left pane of the home window, under Console Root, double click Certificates(Local Computer). Doing so opens all the certificate folders located in the local machine.
Select Trusted Root Certification Authorities > More Actions > All Tasks > Import. Doing so opens the Certificate Import Wizard.
Click Next, then select the location of your server certificate.
Click Next to import the certificate in the Trusted Root Certification Authorities certificate store.
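Before running the client, it is worth confirming that the certificate you imported actually sits in the Trusted Root Certification Authorities store of the local machine, because that is the store the .NET client consults for HTTPS server authentication and a missing entry surfaces later only as a TrustFailure exception. The following check is an added example, not MathWorks code; the file path is an assumed location for the certificate exported by the wizard above.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the MATLAB Production Server documentation or client library):
// verify that the exported server certificate is present in LocalMachine\Root.
public static class TrustStoreCheck
{
    // Returns true when a certificate with the same thumbprint as the exported file
    // is present in the Trusted Root Certification Authorities store of the local machine.
    public static bool IsServerCertificateTrusted(string exportedCertPath)
    {
        var exported = new X509Certificate2(exportedCertPath);
        using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so that a self-signed server certificate is still found.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, exported.Thumbprint, validOnly: false);
            return matches.Count > 0;
        }
    }

    public static void Main()
    {
        // Assumed path: wherever you saved the certificate in the export wizard.
        string path = @"C:\temp\server_cert.cer";
        var exported = new X509Certificate2(path);
        Console.WriteLine("Subject:    " + exported.Subject);
        Console.WriteLine("Thumbprint: " + exported.Thumbprint);
        Console.WriteLine("NotAfter:   " + exported.NotAfter);
        Console.WriteLine(IsServerCertificateTrusted(path)
            ? "Present in LocalMachine\\Root: HTTPS server authentication can succeed for this chain."
            : "Not found in LocalMachine\\Root: expect a TrustFailure exception from the client.");
    }
}
```

The check looks for exactly the certificate you exported. For a self-signed server certificate that is the root itself; for a CA-signed certificate, export the root certificate at the top of the chain in the wizard, since that is what the trust store needs.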
Establish Secure Proxy Connection Without Client Authentication
After your client machine is configured to use the server certificate, you can write your client program to create a secure proxy connection with the server using the following code:
MWClient client = new MWHttpClient();
Uri secureUri = new Uri("https://<server FQDN>:port/myApplication");
MyProxy sslProxy = client.createProxy<MyProxy>(secureUri);
Doing so creates a secure proxy connection with the server instance running at https://<server FQDN>:port to communicate with the deployed application myApplication. The connection uses the MWHttpClient constructor and the proxy object reference sslProxy. sslProxy checks the certificate stores of the client machine to perform the HTTPS server authentication. If the server requests client authentication, the HTTPS handshake fails because the client does not have a certificate.
Establish Secure Proxy Connection Using Client Authentication
Before a .NET client can communicate with a server instance that requires client authentication, you must create a client certificate bundle on the client machine and save the client certificate on the server instance.
Create and Merge Client Certificate
On the client machine, generate a self-signed SSL certificate and private key, or obtain a CA-signed SSL certificate and private key.
To generate a self-signed SSL certificate, you can use the openssl command as follows:
openssl req -x509 -nodes -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -days 365
The command generates a self-signed certificate client_cert.pem with a private key client_key.pem. The certificate is valid for 365 days. For more information, see OpenSSL.
The MATLAB Production Server administrator must save the client certificate client_cert.pem on the server instance and set the x509-ca-file-store in the server configuration file main_config. For information on configuring the server for client authentication, see Configure Client Authentication.
On the client machine, merge the client certificate and private key into a PKCS#12 (PFX) file by using the following command:
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_certificate.pfx
Write .NET Client Program
Implement the MWSSLConfig interface.
The MWSSLConfig interface has a single property, ClientCertificates, of type X509CertificateCollection. Provide an implementation that returns the client certificate.
public class ClientSSLConfig : MWSSLConfig
{
    public X509CertificateCollection ClientCertificates
    {
        get
        {
            // Load the PFX created with openssl pkcs12. If you set an export password,
            // pass it as the second argument of the X509Certificate2 constructor.
            X509Certificate2 clientCert = new X509Certificate2("C:\\temp\\client_certificate.pfx");
            return new X509Certificate2Collection(clientCert);
        }
    }
}
Create a secure proxy connection to the server.
Create a secure proxy connection with a server instance using the MWHttpClient constructor. The MWHttpClient constructor takes as an argument an instance of your MWSSLConfig implementation. Create an interface-based proxy object reference with the HTTPS URL for the desired application using the createProxy method.
MWClient client = new MWHttpClient(new ClientSSLConfig());
Uri secureUri = new Uri("https://<server FQDN>:9920/myApplication");
MyProxy sslProxy = client.createProxy<MyProxy>(secureUri);
sslProxy uses the local user trust store to perform the HTTPS server authentication. If the server requests client authentication, the client passes the certificates in the collection returned by your implementation of the MWSSLConfig interface.
Handle Exceptions
Override Certificate Check
If the self-signed certificate or the root CA certificate of the server is not present in the Windows Trusted Root Certification Authorities certificate store on the client machine, and there is no mismatch between the host name of the HTTPS URL for MATLAB function execution and the common name (CN) of the SSL certificate of the server, then running your client program results in the following exception:
No response received in WebException with status : TrustFailure
Use one of the following options to handle this exception:
Add the SSL certificate of the server to the Windows Trusted Root Certification Authorities certificate store on the client machine. For more information, see Configure Client Environment for SSL.
Override the certificate check and accept the untrusted certificate using the following code:
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
This option is not recommended for a production environment, as it overrides all certificate checks.
The
ServerCertificateValidationCallback
property is a delegate that processes the certificates during the SSL handshake. By default, no delegate is implemented, so no custom processing is performed. You can provide an implementation to perform any custom authorization required.
Disable Host Name Verification
If there is a mismatch between the host name of the HTTPS URL for MATLAB function execution and the CN of the SSL certificate on the server, you can override the certificate check to disable host name verification using the following code in your client program:
ServicePointManager.ServerCertificateValidationCallback = delegate (
    Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
    // Accept only when the sole policy error is the host name mismatch;
    // any chain error (untrusted root, expired certificate) is still rejected.
    if (errors.ToString().Equals("RemoteCertificateNameMismatch"))
    {
        return (true);
    }
    return (false);
};
A MATLAB Production Server deployment on Azure® uses a self-signed SSL certificate by default. Replacing the self-signed certificate with a CA-signed certificate is recommended. However, if you want to use the self-signed certificate and send HTTPS requests to the server, client programs must disable host name verification to avoid encountering an exception caused by a failure in host name verification. The verification fails due to a mismatch between the host names in the HTTPS URL for MATLAB function execution and the common name (CN) of the self-signed certificate. The host name for the MATLAB execution endpoint has the value <uniqueID>.<location>.cloudapp.azure.com, but the CN has the value azure.com. For information about MATLAB Production Server on Azure, see Azure Deployment for MATLAB Production Server (BYOL) and Azure Deployment for MATLAB Production Server (PAYG).
Implement Advanced Authentication Features
The .NET ServicePointManager.ServerCertificateValidationCallback property allows you to add extra layers of security to achieve the following:
Disable SSL protocols to protect against the POODLE exploit.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Perform alternate host name verification to authenticate servers when the host name in the server URL does not match the host name in the SSL certificate.
Ensure that the client shares data only with specific servers.
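The three goals above fit in a single validation callback: keep the default chain and host name checks, tolerate a host name mismatch only for a server whose certificate you have pinned, and refuse everything else. The following callback is an added example, not MathWorks code or part of the MATLAB Production Server client library. It assumes a placeholder thumbprint that you replace with the thumbprint shown in the certificate details of your server, and it restricts the protocol to TLS 1.2 (adjust if your framework and server support TLS 1.3).

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the MATLAB Production Server documentation or client library):
// a ServerCertificateValidationCallback that limits the client to known servers.
public static class PinnedServerValidation
{
    // SHA-1 thumbprints (hex, as shown by X509Certificate2.Thumbprint) of the servers
    // this client is allowed to talk to. Constructed placeholder value: replace it.
    private static readonly HashSet<string> PinnedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000" // placeholder, not a real thumbprint
        };

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
        {
            return false;
        }

        string thumbprint = new X509Certificate2(certificate).Thumbprint;
        bool pinned = PinnedThumbprints.Contains(thumbprint);

        // Trusted chain and matching host name: additionally require a pin when pins are configured,
        // so a valid certificate for some other server is still rejected.
        if (errors == SslPolicyErrors.None)
        {
            return PinnedThumbprints.Count == 0 || pinned;
        }

        // Alternate host name verification: the URL host does not match the CN
        // (for example, the Azure self-signed certificate case). Accept only a pinned
        // certificate, so the mismatch never becomes a blanket bypass.
        if (errors == SslPolicyErrors.RemoteCertificateNameMismatch)
        {
            return pinned;
        }

        // Chain errors (untrusted root, expired or revoked certificate) or a missing
        // certificate are always rejected, whatever the thumbprint.
        return false;
    }

    // Call once, before constructing MWHttpClient.
    public static void Install()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

Pinning a leaf certificate means the pin must be updated whenever the server certificate is rotated; pinning the thumbprint of the issuing CA certificate (checked against chain.ChainElements) survives rotation at the cost of trusting every certificate that CA issues.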
Sample Code
Sample client program for communicating with a server using HTTPS follows.