Now that we have support for different types of SSL certificates in FileMaker Server 15, and we have more intuitive tools to generate the ‘Certificate Signing Request’ to get the certificate generated and then imported and installed on FileMaker Server; the threshold for getting one and properly securing your data is getting lower.
A common problem though that you may run into is this one:
What is happening here? I have my FileMaker Server properly protected with a certificate that matches in name. Why then is FileMaker Pro complaining that it can not trust my server?
Note that the name that FileMaker Pro is using is not actually the Fully Qualified Domain Name (FQDN) of my server, but rather an abbreviation of it that ends in “.local”.
That’s because Bonjour is in play here. Bonjour – as you know – allows for easy discovery of devices on your network. But in this case it is working against us by generating an SSL challenge.
In the FileMaker Pro (or FileMaker Go) ‘Open Remote’ dialog I can see my server listed under the ‘Local servers’. That’s bonjour; that’s what is making them show up here. And you’ll note that the server is listed with the proper name that is on the SSL certificate.
However when you try to open one of its files you will get the SSL challenge that states that “.local” can not be verified.
Obviously you can choose to trust the server after inspecting the certificate by toggling the ‘Always permit connection to this host’. But that will not get you the proper encryption state that you are after. FileMaker will not give a ‘green lock’ and Get( ConnectionState ) will be 2. As per the FileMaker Help: “2 = for a secured connection (SSL) when the server name doesn’t match the certificate”.
So how to get around this? Bonjour is an optional component of FileMaker Server but it is very much the default installation path to have it included. How do you get rid of it without having to uninstall and reinstall FileMaker Server?
For that we turn to our FileMaker Server. You will need to stop the FileMaker Server service in the Windows control panel so you will need to plan on doing this when nobody is connected to your hosted files.
- Open a Command prompt and type in
SC query “FileMaker Server” - It should tell you that the service is stopped as shown in Figure 5.
Next we are going to delete the service entry:
- Type in:
SC delete “FileMaker Server” - and wait for the confirmation. See Figure 6.
Now this sounds a lot more scary that it really is. The service that we see in the Windows Services control panel is basically just a wrapper that we can easily recreate. So let’s do that by typing in:
SC create "FileMaker Server" displayname= "FileMaker Server" binpath= "C:Program FilesFileMakerFileMaker ServerDatabase serverfmshelper.exe" type= own start= auto
and wait for the confirmation. See Figure 7.
In the Services control panel you can bring up the properties for the services and confirm on the “Dependencies” tab that there are none. See Figure 8.
As the final step; stop the Bonjour service.
When you now go back to your FileMaker Pro or FileMaker Go you will notice that the server is no longer listed in the local hosts. In order to get to it you will now have to add it as a favorite host. And you need to do that using the same Fully Qualified Domain Name (FQDN) that is on the SSL certificate. Once you do that you will not get an SSL challenge and you will get both a green lock (see Figure 9) and Get( ConnectionState) will be 3 ‘for a secured connection with a fully verified server name in the certificate.’
You can of course use a launcher file or the FMP URL protocol or even a snapshot link to give to your users so that they can easily open your solution. Just make sure that you make your initial link using that same FQDN as is on your SSL certificate. Do not use an IP address for instance or you will be back to getting SSL challenges and black locks.
If at some point you want to have the Bonjour functionality back, follow the same steps but use this command line when you recreate the service to add the bonjour dependency back in:
SC create "FileMaker Server” displayname=
“FileMaker Server” binpath= “C:\Program Files\FileMaker\FileMaker
Server\Database server\fmshelper.exe” type= own start= auto depend="Bonjour Service"
I’m starting to wonder about Bonjour being a security risk. I installed a FileMaker client in a datacenter and thanks to bonjour I could see about 15 other FMServers running, including FMPHosts Australian servers etc.
It shouldn’t be an issue to a properly configured server, except that it allows very simple discovery of the location of FMServers (with bonjour installed) in data centres. To an improper configures server then it opens up opportunistic hacking / data theft by anyone with an FM client in a datacenter.
Bonjour is an optional component for FMS on Windows and you are correct: leaving it enabled should be considered carefully, especially where auto-discovery does not add any value.
Wim, thanks for writing this up. What is your recommendation for a Mac FMS? Can Bonjour be disabled on the Mac?
Hi Shawn,
I don’t think it can be disabled on OSX. I have not found anything in the documentation that would led me to believe that you can disable it.
Best regards,
Wim
Well written article Wim, thanks! I understand that the point here is that you have to connect to the server using the same hostname as specified on the SSL certificate. Even with Bonjour disabled, this can be challenging in situations where you have FileMaker users outside of the local network. If you are not using VPN, you will have to edit DNS setting of the domain associated with the hostname and create a DNS record which links the hostname on the SSL certificate with the IP address on the external interface of the firewall.
Hi Jeroen,
Absolutely; there is a whole slew of complexity that comes with maintaining the FQDN and DNS for both LAN and WAN connectivity. And that sort of brings us back to https://www.soliantconsulting.com/blog/2013/01/development-vs-deployment
A solid and secure FileMaker Server really is the corner-stone to a successful deployment. Things like SSL and DNS may look daunting to many FileMaker devs and that is why we are here. And you at clickworks.eu and Claus at datamanix.com.
Great article, Wim.
You are not forced to disable bonjour. If you add the host as a favourite with it’s FQDN, it will work as well.
For hosting centers, they should not have all servers on the same LAN and/or they can disable/block the Bonjour port in their firewalls. There is no real reason that hosting centers should allow for site-wide Bonjour, though it might be handy if a company has several machines to access.
If you want to disable Bonjour on Mac, you can use this terminal command:
sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add “-NoMulticastAdvertisements”
To enable it again, use this terminal command:
sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array “/usr/sbin/mDNSResponder” “-launchd”
Thanks for the additional info on disabling Bonjour on OSX, Claus!
I’ve had very spotty success with leaving Bonjour turned on and using the FQDN to connect through a favorite host. The only sure way I found was to stop Bonjour, which you can’t do without first removing the dependency – at least on the Windows side.
Thank you, Wim. This is very useful and I appreciate you posting it for the community
Thanks!
Wim there is a typo you have /fmshelper.exe should be \fmshelper.exe
Just wanted you to know
Thank you, Scott. The typo has been fixed. Cheers!
Pingback: System Implementation, Bonjour, Seth Godin - FileMakerProGurus
I suffer from confidence issues when adding to a Claus post with regard to server setup. However you might struggle to write to the /System/ folder in later versions of OS X as Apple are tying this down. You can disable Bonjour broadcasting with the com.apple.mDNSResponder.plist in the accessible /Library/Preferences/ directory.
defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES
Hi,
Could this issue the reason for a performance problem? On the same network, my local machine is very slow but in the other departments, the clients with green lock, are working normal.
Thanks
Tanja
Hi Tanja,
It typically wouldn’t contribute to performance issues once you are logged in. But that should be easy to prove or disprove: from your local machine, also use the full DNS name of the server instead of the Bonjour-driven entry in the Hosts menu.