1. Configure the Certificate
A certificate is required for SSL to work. You can either create a self-signed certificate or install a certificate from a CA.
A. Self Signed Certificate
Open the Server 2008 “Server Manager” (Start -> Administrative Tools -> Server Manager)
Expand Roles->Web Server (IIS) and click on Internet Information Services (IIS) Manager
Click on “Server Certificates”. It’s the second to last option available in the IIS section.
On the far right, under actions, are the options for Importing a current certificate, or creating a self signed certificate. Skip to the next step if you wish to import a certificate.
To generate a self signed certificate, open the action:
Specify a friendly name for the certificate. This will be the name that users will use to access the server. Hit OK and you’re done generating the certificate.
You can double check that this certificate is in the Trusted Certificates by opening the certificate manager snap-in (certmgr.msc) and looking for the certificate in the “Trusted Root Certification Authorities”.
B. Installing a provided Certificate
If you want to install a provided certificate, click on the “Import” option and navigate to the location of the provided certificate.
Follow the configuration steps to completion.
2. Configure the IIS Application
a. Configure an SSL Port.
By default, IIS does not have a binding for HTTPS. You can add one from within the Server Manager. Navigate to the Default Website in IIS.
Under actions, select “Bindings”
Click on Add to put in a new site binding:
Select “https” from the drop down, assign to All Unassigned IP addresses and type in port “443”. Select the proper SSL Certificate from the drop down and click “OK”. That’s all the configuration to allow https to the Default Website.
b. Modify the HTTP Header Expiration for ReporterAnalyzer, NPC, NV, SA, or UCM.
The Content expiration for HTTP headers needs to be modified only on the flex_bin of the product site. Navigate to the flex_bin directory, and select “HTTP Response Headers” from the IIS group.
Double Click on HTTP Response Headers and then from the Action Pane select “Set Common Headers…”
Check “Expire Web content” and choose “After 1 Day”. Hit OK.
3. Configure Application for HTTPS (NPC only)
Once IIS has been configured to respond to SSL requests and the certificates have been installed, the next step is to enable HTTPS through the single sign-on configuration tool. This tool is located on the Desktop of the NPC, and will propagate all changes down to the underlying datasources.
Modify the following options (by clicking on the Blue hyperlinks):
Web Site Scheme – Override this to be “https”
Web Site Port – Override this to be “443”
Web Site Host – Override this to be the name indicated in either the Self Signed Certificate, or the certificate from the CA
***Please note that while we are changing the Web Site Scheme, the web services will continue to run on HTTP.
Now switch over to the Single Sign-On Tab:
Modify the following options:
Scheme – Override this setting with “https”
Port – Override this setting with “443”
***These settings are to control the Single Sign-On (login pages) for the product.
4. Modify SSO XML Files
While most of the settings are contained in the Config Utility, it’s still best practice to update the Single Sign-On Config XML files. These are located in the following directory:
The name of the file indicates the product you’re modifying the configuration for. We’ll modify the NPC (on the NPC box), and the RA (on the RA Master Console) and so on for the rest of the products.
Modify the Scheme (from http to https) and the Port (put in 443, the entry is blank by default). Do not modify the Web Service Scheme or Port!
After these changes have been made, run an “iisreset” from the command line to force the website to reload and you should be able to access the product via HTTPS.
5. Modify the Datasource Connection Method.
It’s best practice to configure SSL after the product is up and configured, to verify proper functionality of the product before making these changes. Once the product has been migrated to HTTPS, you will want to modify the NPC Datasource settings to reflect this.
Open NPC GUI and navigate to the “Data Sources” Administration Page.
Edit the Data Source (NV used in example) to bring up the options:
Since the Web Services are still running on HTTP, uncheck the “Same as above” check box underneath Web Console.
The “Host Name” should be modified to the name provided in your SSL Cert, protocol changed to https and the Port switched to 443. These changes will update the drill down links to https (into the web UI).
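A name check for the value entered as Web Site Host in step 3 and as the Data Source Host Name in step 5, written as an added Python example; it is not part of the original guide or of the product's tooling. The host names and certificate dictionaries are constructed samples, and fetch_cert assumes the server certificate can be validated against the PEM file you pass in.

```python
import socket
import ssl

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
SELF_SIGNED = {"subject": ((("commonName", "npc01.example.local"),),)}
CA_ISSUED = {
    "subject": ((("commonName", "npc-old.example.net"),),),
    "subjectAltName": (("DNS", "npc.example.com"), ("DNS", "*.example.com")),
}

def cert_names(cert):
    """DNS names the certificate covers: SAN entries if present, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        first, _, rest = h.partition(".")
        return bool(first) and rest == p[2:]
    return p == h

def host_covered(cert, host):
    """True when the configured host name is one the certificate was issued for."""
    return any(name_matches(n, host) for n in cert_names(cert))

def fetch_cert(host, port=443, cafile=None):
    """Fetch the certificate from a live HTTPS binding (not run by the samples).
    For a self-signed certificate, pass its exported PEM file as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are compared by host_covered() instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for cert, host in [(SELF_SIGNED, "npc01.example.local"), (SELF_SIGNED, "npc01"),
                       (CA_ISSUED, "ra.example.com"), (CA_ISSUED, "npc-old.example.net")]:
        print(host, "OK" if host_covered(cert, host) else "NAME MISMATCH")
```

A mismatch for the short name or an old subject name means drill-down links built from that host value will raise certificate warnings in the browser, even though the HTTPS binding itself is working.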