I have just begun supporting an AIMMS Pro implementation for my customers, and a separate cybersecurity team found that the traffic from the AIMMS Pro web server is unencrypted:
- Unencrypted Network Communication: AIMMS Pro Launch Page: When accessing the web frontend used to launch the application, traffic is transmitted using an unencrypted network protocol.
- Unencrypted Network Communication: Websocket: The application establishes a websocket to communicate with its server using an unencrypted network protocol.
Looking through the support/architecture documentation it appears that AIMMS Pro uses its own web services to host the page, so I’m trying to see what effort is involved in changing these settings, and what the implication is on the client side as well.
Best answer by Chris Kuip
The AIMMS PRO portal can be switched to using HTTPS (secure encrypted connection) using the instructions at https://documentation.aimms.com/pro/config-sections.html#web-configuration.
Please note that an SSL key store file is needed in the PKCS12 format. Perhaps interesting is this reference: https://dzone.com/articles/how-to-create-a-keystore-in-pkcs12-format
Does this answer help?
With kind regards,
Thank you for your reply and I apologize for the delay in responding to you! I’m still learning the process internally for making this work in addition to the changes needed in the AIMMS Pro portal. So I have learned I need to request an internal SSL certificate from my organization and it is requiring a Certificate Signing Request (CSR) file. Is this something that will be generated when I go to configure the https ports or something I can generate from the host server?
Did I mention I’ve never done this before? :).
At AIMMS we are happy to read that your organization takes cybersecurity seriously, for instance by hiring a separate cybersecurity team to analyze your site.
Thus far our experience is that the IT Departments of our customers are entrusted with arranging cybersecurity measures including the governance of certificates, as obtained from a Certificate Authority (https://en.wikipedia.org/wiki/Certificate_authority).
Thus I encourage you to contact your IT department to arrange a certificate such that you and your organization can follow the agreed-upon practices around cybersecurity.
Thanks for understanding and with kind regards,
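As an added example (not from the thread, AIMMS, or its documentation), here are the host-side OpenSSL steps behind the two points raised above: generating the CSR on the server that runs the portal, and packaging the certificate the CA returns into the PKCS12 key store the HTTPS configuration needs. The host name, file names and passphrase are placeholders; the self-signing function only stands in for the CA-issued certificate so the script runs offline.

```shell
#!/bin/sh
# Added example, not AIMMS code. Assumes OpenSSL 1.1.1+ is installed on the host.
set -eu

# 1. Generate the private key and CSR on the portal host. The key never leaves
#    the host; only portal.csr is sent to the organization's CA.
make_csr() {
  host="$1"   # FQDN users type to reach the portal (placeholder value in tests)
  dir="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/portal.key" -out "$dir/portal.csr" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  # Return the CN the CSR actually carries so the caller can check it.
  openssl req -in "$dir/portal.csr" -noout -subject | sed 's/^.*CN *= *//'
}

# Demo only: produces portal.crt/chain.crt from the CSR with its own key, standing
# in for the certificate and chain your CA returns. Do not use this in production.
selfsign_for_demo() {
  dir="$1"
  openssl x509 -req -in "$dir/portal.csr" -signkey "$dir/portal.key" \
    -days 1 -out "$dir/portal.crt" 2>/dev/null
  cp "$dir/portal.crt" "$dir/chain.crt"
}

# 2. Bundle key + issued certificate + chain into one passphrase-protected PKCS12
#    file (portal.p12), the format the portal's web configuration expects.
make_keystore() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$dir/portal.key" -in "$dir/portal.crt" \
    -certfile "$dir/chain.crt" -name portal \
    -out "$dir/portal.p12" -passout "pass:$pass"
  # Verify the store opens with the passphrase; return the CN of the leaf cert.
  openssl pkcs12 -in "$dir/portal.p12" -passin "pass:$pass" -nokeys -clcerts \
    2>/dev/null | openssl x509 -noout -subject | sed 's/^.*CN *= *//'
}

# Usage: sh make_portal_keystore.sh <portal-fqdn>   (writes key and CSR to ./tls/)
if [ $# -ge 1 ]; then
  mkdir -p tls
  make_csr "$1" tls
  echo "Send tls/portal.csr to your CA; put the returned portal.crt and chain.crt in tls/,"
  echo "then run: make_keystore tls <passphrase>"
fi
```

Keep portal.key and portal.p12 readable only by the account that runs the portal service, and check the store with the passphrase before pointing the configuration at it.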