The easiest and most secure way to pull information out of the MOVEit DMZ configuration and audit database remotely is to use MOVEit DMZ API's "ReportRunCustom()" method and custom queries. This method requires users to authenticate with MOVEit DMZ credentials, protects data in transit with SSL and is firewall friendly because it uses HTTPS on port 443.
For example, to get a list of at most 5 users whose full names start with "A" in XML format, you could use the following VB code with MOVEit DMZ API.
Dim boolOK as Boolean = false Dim fields as String = "Username,RealName,Email,Notes" Dim tables as String = "users" Dim criteria as String = "RealName LIKE 'A%'" Dim groupings as String = "" Dim order as String = "RealName" Dim limit as String = "5" Dim OutputFormat as String = "XML" Dim LocalPath as String = "d:\reports\newest_5_A_users.xml" boolOK = ReportRunCustom( fields, tables, criteria, groupings, order, limit, OutputFormat, LocalPath ) IF boolOK then...
See "Web Interface - Reports - Custom Reports" and the MOVEit DMZ API documentation for more information. (You do not need to "pre-configure" custom reports on MOVEit DMZ to use them from MOVEit DMZ API, but the DMZ "Custom Reports" documentation contains a complete explanation of how each of the fields used in the API function call are used.)
If you desire read/write access to the database that cannot be achieved through MOVEit DMZ API, you may want to use a more complex solution that involves direct access to the database.
To securely access the underlying MySQL database MOVEit DMZ uses to store its configuration and audit logs through a an ODBC connection, you must set up a user in the MySQL database and set up a secure channel using stunnel.
Remote access to the MOVEit DMZ database may also require the 3.51 version of the MySQL ODBC driver ("MyODBC"), available at no charge from MySQL (and installed by default with MOVEit DMZ and MOVEit Central). However, several other MySQL database drivers, including several non-ODBC drivers for .NET, have been tested as well.
These instructions will set up a secure MySQL port listening on TCP port 33062. Modify the necessary stunnel configuration file to change this value.
A complete set of instructions to do remote reporting using this tool (including stunnel CLIENT instructions) can be found in the MOVEit Central manual.
In most cases you will want to set up a read-only user to access the MOVEit DMZ database. While certain tweaks of the database are allowed, unless you really know what you are doing it would be easy to wreck your configuration and/or run afoul of MOVEit DMZ's tamper-evident check feature. (This is essentially the same reason why other software vendors who store configurations in custom flat-file formats instead discourage people from hacking in with their favorite hex editors; yes, it's possible, but watch out!)
D:\mysql\bin>mysql --user=root --password=31r00t0 Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 19660 Server version: 5.0.44-classic-nt MySQL Enterprise Server - Classic (Commercial) Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> GRANT SELECT,CREATE TEMPORARY TABLES ON moveitdmz.* TO 'micentral'@'localhost' IDENTIFIED BY 'm1c3ntra1'; Query OK, 0 rows affected (0.00 sec) mysql> FLUSH PRIVILEGES; Query OK, 0 rows affected (0.00 sec) mysql> exit Bye
D:\mysql\bin>mysql --user=micentral --password=m1c3ntra1 moveitdmz Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 19660 Server version: 5.0.44-classic-nt MySQL Enterprise Server - Classic (Commercial) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> select count(*) from users; +----------+ | count(*) | +----------+ | 42 | +----------+ 1 row in set (0.08 sec) mysql> insert into log set ID=1; ERROR 1044: Access denied for user: 'micentral@localhost' to database 'moveitdmz' mysql> exit Bye
D:\moveitdmz\Util>stunnel_makecert D:\moveitdmz\Util>openssl genrsa -out stunnel_key.pem 2048 Loading 'screen' into random state - done Generating RSA private key, 2048 bit long modulus ..............+++ ....+++ e is 65537 (0x10001) D:\moveit dmz\Util>openssl req -config stunnel_makecert_parms.txt -new -x509 -key stunnel_key.pem -out stunnel_mysqlserver.pem -days 1096
D:\moveitdmz\util>stunnel stunnel_mysqlserver.conf
After testing your new connection, run the following commands to install stunnel as a service (so it starts automatically).
D:\moveitdmz\util>stunnel -install stunnel_mysqlserver.conf
D:\moveitdmz\util>net start stunnel
If you have selected SQL Server as your database engine, you can securely access the data using standard Microsoft drivers, such as ADO and ADO.NET. To cause all communications between your program and Microsoft SQL Server to be encrypted, simply include the following in your connection string:
TrustServerCertificate=yes; Encrypt=yes;