You can configure the client/server connections so that 4D Server and 4D remote workstations communicate in secured mode. Secured client/server communication is based on the TLS (Transport Layer Security) protocol, formerly known as SSL (Secure Sockets Layer).
Note: For a general overview of 4D's security features, see the 4D Security guide.
The TLS protocol has been designed to secure data exchanges between two applications, primarily between a Web server and a browser. It is designed to authenticate the sender and receiver, and to guarantee the confidentiality and integrity of the exchanged information. For a detailed description of the secured protocol, refer to the section WEB SERVICE SET PARAMETER in the 4D Language Reference.
Between 4D Server and a remote 4D, authentication and integrity mechanisms are handled transparently by 4D Server and do not require any additional user setting.
Note: Encrypting client/server connections slows them down.
At the network level, the TLS protocol is inserted between the TCP/IP layer (low level) and the high-level protocol.
To use TLS in a “classic” client/server architecture, the following certificate files must be present:
- key.pem: document containing the private encryption key
- cert.pem: document containing the certificate.
These files must be located in the Resources subfolder of the 4D Server and 4D applications. They must be present on the server machine and on each remote machine. Default key.pem and cert.pem files are provided with 4D. For a higher level of security, we strongly recommend that you replace these files with your own certificates. For more information about creating custom certificates, refer to the section of 4D's Web server documentation (the procedure is identical).
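A pre-deployment check for the two files described above, added here as an example and not part of 4D's own tooling. It uses the `openssl` command-line tool; the function name, the return codes and the optional second argument (a path to a copy of the certificate shipped with 4D) are assumptions of this example.

```shell
#!/bin/sh
# Usage: check_4d_tls_files RESOURCES_DIR [STOCK_CERT]
# Return codes (chosen for this example): 0 ok, 2 file missing,
# 3 key/cert mismatch, 4 certificate expired,
# 5 cert.pem is still the stock certificate, 6 openssl not installed.
check_4d_tls_files() {
    dir=$1
    stock=${2:-}
    key="$dir/key.pem"
    cert="$dir/cert.pem"

    # Both files must be present in the Resources subfolder.
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 6; }

    # The public key in cert.pem must be the one derived from key.pem.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key.pem does not match cert.pem" >&2; return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "cert.pem has expired" >&2; return 4; }

    # Optional: flag a deployment that still uses the certificate shipped with 4D.
    if [ -n "$stock" ]; then
        [ -r "$stock" ] || { echo "missing or unreadable: $stock" >&2; return 2; }
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
        stock_fp=$(openssl x509 -in "$stock" -noout -fingerprint -sha256)
        [ "$fp" != "$stock_fp" ] || {
            echo "cert.pem is the stock certificate" >&2; return 5; }
    fi
    return 0
}

# When run as a script with arguments, check the given folder.
[ $# -eq 0 ] || check_4d_tls_files "$@"
```

Run it against the Resources folder on the server machine and on each remote machine, since the files must be present on all of them.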
You must also make sure client/server connections are in secured mode. To do this, open the “Client-Server/Network options” page of the Database settings dialog box and, if necessary, check the Encrypt Client/Server Connections option in the “Encryption” area (see the Network and Client-Server options section). If you change this setting, you must quit and relaunch 4D Server for the change to take effect.
By default, the option is checked in databases created with 4D v18 and higher. In previous versions, it was unchecked by default.
When the option is checked, 4D remote stations connect in secured mode.