Securing your network connections
For secure transfer of data among ABBYY FlexiCapture components, a secure network connection is required.
By default, ABBYY FlexiCapture is configured to use the HTTP protocol, which is only recommended for staging, testing or demo environments.
Note: The HTTP protocol is also used to transmit data between the Web Scanning Station and the ABBYY Scanning Plugin, since the scanning plugin is designed exclusively to be deployed locally on the user's machine.
For production use, HTTPS must be used to protect sensitive data.
To use HTTPS, enable SSL support in the IIS settings.
To work with IIS over HTTPS, you need to obtain a certificate for the server. Please refer to this section of the Microsoft website for more information about managing certificates.
In the IIS settings, specify HTTPS protocol for the default website. To do this:
- Run the IIS Manager console from the Control Panel.
- Select Default Web Site and click Bindings in the Actions pane.
- In the dialog box that opens, click Add and select https from the Type drop-down list.
- From the SSL Certificate drop-down list, select a desired certificate and click OK.
- If you want a site to be available via HTTPS only, select the site in the tree pane, double-click SSL Settings in the content pane, and select the Require SSL option.
Note: As client certificates are not verified, set the Client certificates option to Ignore when configuring SSL.
Once the certificated has been added, the Application Server address must be prefixed with “https” (i.e. https://<server name>) and the name of each client machine connecting to the Application Server must match the name in the certificate.
You will need to specify the Application Server address on the Processing Server, on user stations, and on web stations.
To specify the Application Server address on the Processing Server:
- Start the Processing Server Monitor.
- Open the Processing Server shortcut menu and select Change Application Server.
- In the dialog box that opens, specify the address: https://<server name>.
The Application Server address must also be specified when you start a user station or open a project.
When working on a web station, enter the URL in the following format: https://<server_name>/FlexiCapture12/<web_station_name>.
Using TLS 1.2 for data encryption
ABBYY FlexiCapture 12 supports the TLS 1.2 protocol, which is the recommended encryption protocol for secure connections.
When connecting to ABBYY FlexiCapture, other protocols can be used at the operating system level. Please refer to this section of the Microsoft website for detailed instructions on how to restrict the use of certain protocols.
Securing your connection with Mutual SSL
By default, when configuring HTTPS, one-way SSL authentication is configured. This means that the client will verify the authenticity of the server certificate. You can make the connection more secure by using Mutual SSL, so that the client will verify the authenticity of the server certificate and the server will verify the authenticity of the client certificate.
To configure Mutual SSL for the Application Server, complete the following steps:
- In IIS, specify HTTPS as the protocol o be used for connections to the Application Server (see Securing your connection with HTTPS above).
- For Default Web Site\FlexiCapture12\Server, select the Require SSL option in SSL Settings.
- For Client certificates, select the Require option.
Now a client will need to provide a certificate when connecting to the Application Server.
- The Project Setup Station and the Verification Station do not require any additional configuration. When connecting, the client will be asked to select a certificate that should be provided to the Application Server.
- For the Processing Server and the Processing Station, you need to specify the thumbprint of the appropriate certificate in the registry. Locate HKLM\Software\ABBYY\FlexiCapture\12.0\FlexiBr in the registry and specify:
- For the Administration and Monitoring Console, you need to specify which certificate to provide. To do this, modify the web.config file as follows:
<add key="UseClientCertificate" value="True" />
<add key="ClientCertificateThumbprint" value="Certificate Thumbprint" />
Note: The client certificate with the specified thumbprint must be stored in Local Computer > Personal. The account providing this certificate must have the permission to use it. Please refer to this section of the Microsoft website for detailed information.
Note: Mutual SSL cannot be configured for the Web Scanning Station or the Web Capture Station.
Securing your connection to the database and file storage
The Application Server interacts with the database and file storage.
To secure your connection to an SQL, SQL Azure, or Oracle database, we recommend using the TLS 1.2 encryption protocol. TLS should be configured in the database:
- If you are using an SQL database, please refer to this section of the Microsoft website for detailed instructions.
- If you are using an SQL Azure database, please refer to this section of the Microsoft website for detailed instructions.
- If you are using an Oracle database, please refer to this section of the Oracle website for detailed instructions.
- If you are using a PostgreSQL database, please refer to this section of the PostgreSQL website for detailed instructions.
The Application Server uses SMB protocols to interact with file storage. A number of security enhancements were introduced in SMB 3.0. Please refer to this section of the Microsoft website for detailed information.