Execute MATLAB Functions Using HTTPS

Connecting to a MATLAB® Production Server™ instance over HTTPS provides a secure channel for executing MATLAB functions. To establish an HTTPS connection with a MATLAB Production Server instance:

  1. Ensure that the server instance is configured to use HTTPS. For more information, see Enable HTTPS.

  2. Configure the client environment for using SSL.

  3. Create the program proxy using the HTTPS URL of the deployed application. For more information about writing a client program using a proxy, see Create a C# Client Using MWHttpClient.

Configure Client Environment for SSL

Before your client application can send HTTPS requests to a server instance, the root SSL certificate of the server must be present in the Windows® Trusted Root Certification Authorities certificate store on the client machine. If the server uses a self-signed SSL certificate, or if the certificate of the certificate authority (CA) that signed the server certificate is not present in the Windows certificate store, obtain the server certificate from the MATLAB Production Server administrator or export it using a browser, then add it to the Windows certificate store.

Export and Save SSL Certificate

You can use any browser to save the server certificate on the client machine. The procedure to save the certificate using Google Chrome™ follows.

  1. Navigate to the server instance URL https://server FQDN:port/api/health using Google Chrome.

  2. In the Google Chrome address bar, click the padlock icon or the warning icon, depending on whether the server instance uses a CA-signed SSL certificate or a self-signed SSL certificate.

  3. Click Certificate > Details > Copy to File. Doing so opens a wizard that lets you export the SSL certificate. Click Next.

  4. Select the format to export the certificate and click Next.

  5. Specify the location and file name to export the certificate, then click Next.

  6. Click Finish to complete exporting the certificate.

Add Certificate to Windows Certificate Store

You can use a certificate management tool or Microsoft® Management Console (MMC) to add the server certificate to the Windows certificate store. The procedure to add the certificate using MMC follows.

  1. Open MMC from your Windows machine.

  2. Click File > Add/Remove Snap-in. Doing so opens the Add or Remove Snap-ins window.

  3. In the Add or Remove Snap-ins window:

    1. Click Certificates from the left pane, then click Add.

    2. Select Computer account, then click Finish. Doing so adds Certificates(Local Computer) to the right pane.

    3. Click OK. Doing so takes you to the home window.

  4. In the left pane of the home window, under Console Root, double click Certificates(Local Computer). Doing so opens all the certificate folders located in the local machine.

  5. Select Trusted Root Certification Authorities > More Actions > All Tasks > Import. Doing so opens the Certificate Import Wizard.

  6. Click Next, then select the location of your server certificate.

  7. Click Next to import the certificate in the Trusted Root Certification Authorities certificate store.
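As an added example that is not part of the MathWorks documentation or the MWHttpClient library, the following C# program performs the export-and-trust step programmatically: it fetches the certificate the server instance presents, compares its thumbprint with the value obtained from the MATLAB Production Server administrator, and only then imports it into the Trusted Root Certification Authorities store. The server FQDN, port and expected thumbprint are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the MathWorks documentation or the MWHttpClient library.
public static class ServerCertificateTrust
{
    // Returns the leaf certificate the server presents. Nothing is sent on the
    // connection; the handshake completes only so the certificate can be inspected,
    // and nothing is trusted until TrustIfThumbprintMatches has verified it.
    public static X509Certificate2 FetchServerCertificate(string host, int port)
    {
        X509Certificate2 presented = null;
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false,
               (sender, cert, chain, errors) =>
               {
                   presented = new X509Certificate2(cert); // copy before the stream disposes it
                   return true;                            // inspection only, see above
               }))
        {
            ssl.AuthenticateAsClient(host);
        }
        return presented;
    }

    // Imports cert into LocalMachine\Root only if its SHA-1 thumbprint equals the value
    // the administrator supplied (hex, with or without separators). Needs administrator rights.
    public static bool TrustIfThumbprintMatches(X509Certificate2 cert, string expectedThumbprint)
    {
        string expected = expectedThumbprint.Replace(":", "").Replace(" ", "");
        if (!string.Equals(cert.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
            return false;                                   // wrong certificate: do not trust it
        using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        return true;
    }

    public static void Main()
    {
        // Constructed placeholders: FQDN, port and thumbprint come from your administrator.
        var cert = FetchServerCertificate("<server FQDN>", 9920);
        bool trusted = TrustIfThumbprintMatches(cert, "<thumbprint from administrator>");
        Console.WriteLine(trusted ? "Imported: " + cert.Subject : "Thumbprint mismatch; not imported");
    }
}
```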

Establish Secure Proxy Connection Without Client Authentication

After your client machine is configured to use the server certificate, you can write your client program to create a secure proxy connection with the server using the following code:

MWClient client = new MWHttpClient();
Uri secureUri = new Uri("https://server FQDN:port/myApplication");
MyProxy sslProxy = client.createProxy<MyProxy>(secureUri);

Doing so creates a secure proxy connection with the server instance running at https://server FQDN:port to communicate with the deployed application myApplication. The connection uses the MWHttpClient constructor and the proxy object reference sslProxy.

sslProxy checks the certificate stores of the client machine to perform the HTTPS server authentication. If the server requests client authentication, the HTTPS handshake fails because the client does not have a certificate.

Establish Secure Proxy Connection Using Client Authentication

Before a .NET client can communicate with a server instance that requires client authentication, you must create a client certificate bundle on the client machine and save the client certificate on the server instance.

Create and Merge Client Certificate

  1. On the client machine, generate a self-signed SSL certificate and private key, or obtain a CA-signed SSL certificate and private key.

    To generate a self-signed SSL certificate, you can use the openssl command as follows:

    openssl req -x509 -nodes -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -days 365
    The command generates a self-signed certificate client_cert.pem with a private key client_key.pem. The certificate is valid for 365 days. For more information, see OpenSSL.

    The MATLAB Production Server administrator must save the client certificate client_cert.pem on the server instance and set the x509-ca-file-store in the server configuration file main_config. For information on configuring the server for client authentication, see Configure Client Authentication.

  2. On the client machine, merge the client certificate and private key into a PKCS#12 (PFX) file by using the following command:

    openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_certificate.pfx

Write .NET Client Program

  1. Implement the MWSSLConfig interface.

    The MWSSLConfig interface has a single property, ClientCertificates, of type X509CertificateCollection. Provide an implementation that returns the client certificate.

    using System.Security.Cryptography.X509Certificates;

    public class ClientSSLConfig : MWSSLConfig
    {
      public X509CertificateCollection ClientCertificates
      {
        get
        {
          // Load the PFX created with openssl pkcs12. If you set an export
          // password, pass it as the second constructor argument.
          X509Certificate2 clientCert = new X509Certificate2("C:\\temp\\client_certificate.pfx");
          return new X509Certificate2Collection(clientCert);
        }
      }
    }

  2. Create a secure proxy connection to the server.

    Create a secure proxy connection with a server instance using the MWHttpClient constructor. The MWHttpClient constructor takes as an argument an instance of your MWSSLConfig implementation. Create an interface-based proxy object reference with the HTTPS URL for the desired application using the createProxy method.

    MWClient client = new MWHttpClient(new ClientSSLConfig());
    Uri secureUri = new Uri("https://<server FQDN>:9920/myApplication");
    MyProxy sslProxy = client.createProxy<MyProxy>(secureUri);

    sslProxy uses the local user trust store to perform the HTTPS server authentication. If the server requests client authentication, the client passes the certificates in the collection returned by your implementation of the MWSSLConfig interface.

Handle Exceptions

Override Certificate Check

If the self-signed certificate or the root CA certificate of the server is not present in the Windows Trusted Root Certification Authorities certificate store on the client machine, and there is no mismatch between the host name of the HTTPS URL for MATLAB function execution and the common name (CN) of the SSL certificate of the server, then running your client program results in the following exception:

No response received in WebException with status : TrustFailure

Use one of the following options to handle this exception:

  • Add the SSL certificate of the server to the Windows Trusted Root Certification Authorities certificate store on the client machine. For more information, see Configure Client Environment for SSL.

  • Override the certificate check and accept the untrusted certificate using the following code:

    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
    
    This option is not recommended for a production environment, as it overrides all certificate checks.

    The ServerCertificateValidationCallback property is a delegate that processes the certificates during the SSL handshake. By default, no delegate is implemented, so no custom processing is performed. You can provide an implementation to perform any custom authorization required.

Disable Host Name Verification

If there is a mismatch between the host name of the HTTPS URL for MATLAB function execution and the CN of the SSL certificate on the server, you can override the certificate check to disable host name verification using the following code in your client program:

ServicePointManager.ServerCertificateValidationCallback = delegate (
Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
{
  // Accept the certificate only when the sole policy error is the host name
  // mismatch; any other error (untrusted chain, no certificate) still fails.
  if (errors == SslPolicyErrors.RemoteCertificateNameMismatch)
  {
    return true;
  }
  return false;
};

A MATLAB Production Server deployment on Azure® uses a self-signed SSL certificate by default. Replacing the self-signed certificate with a CA-signed certificate is recommended. However, if you want to use the self-signed certificate and send HTTPS requests to the server, client programs must disable host name verification to avoid encountering an exception caused by a failure in host name verification. The verification fails due to a mismatch between the host names in the HTTPS URL for MATLAB function execution and the common name (CN) of the self-signed certificate. The host name for the MATLAB execution endpoint has the value <uniqueID>.<location>.cloudapp.azure.com, but the CN has the value azure.com. For information about MATLAB Production Server on Azure, see Azure Deployment for MATLAB Production Server (BYOL) and Azure Deployment for MATLAB Production Server (PAYG).

Implement Advanced Authentication Features

The .NET ServicePointManager.ServerCertificateValidationCallback property allows you to add extra layers of security to achieve the following:

  • Disable SSL protocols to protect against the POODLE exploit.

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

  • Perform alternate host name verification to authenticate servers when the host name in the server URL does not match the host name in the SSL certificate.

  • Ensure that the client shares data only with specific servers.
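As an added example that is not from the MathWorks documentation, the following callback implements the last two points without the blanket override shown earlier: it accepts only the one server certificate whose SHA-256 digest was pinned out of band, and it permits a host name mismatch only when the certificate names the host the client was configured to expect. The digest and host values are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the MathWorks documentation or the MWHttpClient library.
public static class PinnedServerValidation
{
    // Constructed placeholder: SHA-256 hex digest of the server certificate (DER bytes),
    // obtained out of band from the MATLAB Production Server administrator.
    const string PinnedSha256 = "<sha-256 digest from administrator>";

    // Placeholder: host name the certificate is expected to carry when it differs
    // from the URL host (for example the CN of the default Azure self-signed certificate).
    const string ExpectedCertificateHost = "<host name in certificate>";

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null) return false;           // RemoteCertificateNotAvailable
        var cert = new X509Certificate2(certificate);

        // Only the pinned certificate is acceptable. The pin stands in for chain trust,
        // so a root missing from the Windows store (RemoteCertificateChainErrors) is tolerated.
        string digest;
        using (var sha = SHA256.Create())
            digest = BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", "");
        if (!string.Equals(digest, PinnedSha256, StringComparison.OrdinalIgnoreCase))
            return false;
        SslPolicyErrors remaining = errors & ~SslPolicyErrors.RemoteCertificateChainErrors;

        // Alternate host name verification: a mismatch is allowed only if the certificate
        // names the expected host, not for any mismatch.
        if ((remaining & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
        {
            string certHost = cert.GetNameInfo(X509NameType.DnsName, false);
            if (!string.Equals(certHost, ExpectedCertificateHost, StringComparison.OrdinalIgnoreCase))
                return false;
            remaining &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
        }
        return remaining == SslPolicyErrors.None;
    }

    // Call once before creating the MWHttpClient proxy.
    public static void Install()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // no SSL 3.0, TLS 1.0 or 1.1
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```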

Sample Code

Sample client program for communicating with a server using HTTPS follows.

MagicProxy.cs
