Access Secure Programs Using HTTPS

Connecting to a MATLAB® Production Server™ instance over HTTPS provides a secure channel for executing MATLAB functions. To establish an HTTPS connection with a MATLAB Production Server instance using a Java® client:

  1. Ensure that the server is configured to use HTTPS.

  2. Install the required credentials on the client system.

  3. Configure the client's Java environment to use the credentials.

  4. For a proxy-based workflow, create the program proxy using the program's https:// URL.

The MATLAB Production Server Java client API provides:

  • Hooks for disabling security protocols to protect against the POODLE vulnerability.

  • Hooks for providing your own HostnameVerifier implementation.

  • Hooks for implementing server authorization beyond that provided by HTTPS.

Configure Client Environment for SSL

To manage the key store and trust stores on the client machine, use keytool.

At a minimum, the client requires the server's root CA (Certificate Authority) certificate or self-signed certificate in its trust store.

To connect to a server that requires client-side authentication, the client also needs a signed certificate in its key store.

Establish Secure Proxy Connection

Create a secure proxy connection with a MATLAB Production Server instance by using the https:// URL for the desired program:

MWClient client = new MWHttpClient();
URL sslURL = new URL("https://hostname:port/myArchive");
MyProxy sslProxy = client.createProxy(sslURL, MyProxy.class);

The sslProxy object uses the default Java trust store, stored in JAVA_HOME\lib\security\cacerts, to perform the HTTPS server authentication. If the server requests client authentication, the HTTPS handshake fails because the default SSLContext object created by the JRE does not provide a key store.

To use a location other than the default for the client trust store, set the trust store location and password using Java system properties:

// JSSE reads these properties when the default SSLContext is first
// initialized, so set them before creating the client.
System.setProperty("javax.net.ssl.trustStore",
                   "PATH_TO_TRUSTSTORE");
System.setProperty("javax.net.ssl.trustStorePassword",
                   "truststore_pass");
MWClient client = new MWHttpClient();
URL sslURL = new URL("https://hostname:port/myfun");
MyProxy sslProxy = client.createProxy(sslURL, MyProxy.class);

You must provide a custom implementation of the MWSSLConfig interface to use a custom SSLContext implementation, add a custom HostnameVerifier implementation, or use the server authorization of the MATLAB Production Server Java client API.

Establish Secure Connection Using Client Authentication

In some environments, server instances require that clients provide a certificate for authentication. To enable the client to connect with a server instance requiring client authentication, set the key store location and password using Java system properties:

// Key store holding the client's signed certificate; set before the client is created.
System.setProperty("javax.net.ssl.keyStore", "PATH_TO_KEYSTORE");
System.setProperty("javax.net.ssl.keyStorePassword", "keystore_pass");
MWClient client = new MWHttpClient();
URL sslURL = new URL("https://hostname:port/myfun");
MyProxy sslProxy = client.createProxy(sslURL, MyProxy.class);

Work with Self-signed Certificate

If you are writing a client program for MATLAB Production Server on Azure® that uses a self-signed SSL certificate, you must disable host name verification so that the client can use HTTPS to send requests to the server.

A MATLAB Production Server deployment on Azure uses a self-signed SSL certificate to provide an HTTPS URL to make requests to the server and execute MATLAB functions. Replacing the self-signed certificate with a certificate signed by a certificate authority (CA) is recommended. For information on how to change the self-signed certificate, see Change Self-Signed Certificate to Application Gateway. However, if you continue to use the self-signed certificate, client programs that send HTTPS requests to the server must disable host name verification to avoid encountering an exception caused by a failure in host name verification. The verification fails due to a mismatch between the host names in the HTTPS URL for MATLAB function execution and the common name (CN) of the self-signed certificate. The host name for the MATLAB function execution URL has the value <uniqueID>.<location>.cloudapp.azure.com, but the CN has the value azure.com.
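
The verifier below is an added example, not MathWorks code: rather than accepting every host, it accepts only the expected host name and one pinned certificate, and is meant to be returned from the HostnameVerifier hook of a custom MWSSLConfig implementation. The class name PinnedHostVerifier, the placeholder host name, and the constructed certificate bytes are assumptions; it uses only JDK classes and needs Java 17 or later for HexFormat.

```java
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.HexFormat;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

/** Hypothetical verifier: accepts exactly one host name and one server certificate. */
public final class PinnedHostVerifier implements HostnameVerifier {
    private final String expectedHost;   // host part of the https:// URL
    private final byte[] pinnedSha256;   // SHA-256 of the server certificate (DER)

    public PinnedHostVerifier(String expectedHost, String pinnedSha256Hex) {
        this.expectedHost = expectedHost;
        this.pinnedSha256 = HexFormat.of().parseHex(pinnedSha256Hex);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate leaf = session.getPeerCertificates()[0];
            return accepts(hostname, leaf.getEncoded());
        } catch (Exception e) {   // no peer certificate or encoding failure
            return false;
        }
    }

    // Separated from verify() so the decision can be exercised without a TLS session.
    boolean accepts(String hostname, byte[] certDer) throws Exception {
        if (hostname == null || !expectedHost.equalsIgnoreCase(hostname)) return false;
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(certDer);
        return MessageDigest.isEqual(actual, pinnedSha256);   // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for DER bytes; a real pin comes from the deployed certificate.
        byte[] cert = "constructed-certificate-bytes".getBytes("UTF-8");
        String pin = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(cert));
        String host = "uniqueid.location.cloudapp.azure.com";   // placeholder host name
        PinnedHostVerifier v = new PinnedHostVerifier(host, pin);
        System.out.println(v.accepts(host, cert));                       // pinned host and certificate
        System.out.println(v.accepts("other.cloudapp.azure.com", cert)); // different host
        System.out.println(v.accepts(host, new byte[] {1, 2, 3}));       // different certificate
    }
}
```

The pin must be updated whenever the server certificate is replaced, including when the self-signed certificate is swapped for a CA-signed one.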

For more information on MATLAB Production Server on Azure, see Azure Deployment for MATLAB Production Server (BYOL) and Azure Deployment for MATLAB Production Server (PAYG).
