Setting up HTTPS: Difference between revisions

From NEOSYS Technical Support Wiki
No edit summary
No edit summary
Line 1: Line 1:
== Creating a single HTTPS web site on Windows 2008 ==
== Setting up HTTPS for NEOSYS website ==


Install selfssl.exe from Microsoft site (iis60rkt.exe available in neosys Win3 download folder) only the SSL utility is needed. selfssl.exe is already installed and available on NEOSYS hosted servers.
NEOSYS has a very simple way of enabling https for all the clients. Every client have been set up with domain name " *.hosts.neosys.com " where "*" is the clientname.


There might be an alternative way to generate certificates using makecert.exe that doesnt have the bug like selfssl which requires a workaround and extra steps to export and import the certificate to avoid the certificate being deinstalled on the next run of selfssl.
Pre prepared certificate for *.hosts.neosys.com web sites is present on the nl10r/win3 server. The certificate is signed by COMODO and supports SHA2 security algorithm. It is portable, ensures authenticity and is widely supported.


http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en
=== Creating a single HTTPS web site on Windows 2008 ===


[[image:sslwin2008-1.jpg]]
To create a single HTTPS web site on Windows 2008, follow three simple steps:


 
*Copy the "hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server. (password to be used is present in a text file in the same folder)
Execute selfssl.exe with the following parameters.
*Import the certificate to IIS. See [http://techwiki.neosys.com/index.php?title=Setting_up_HTTPS&action=submit#Steps_to_follow_while_importing_certificate_and_why Importing certificate in IIS] for detailed steps.
 
*Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the certificate from the drop down and click OK.
C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /N:CN=NEOSYS-SERVER /K:2048 /V:9999 /S:8 /P:4430
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.
Do you want to replace the SSL settings for site 1 (Y/N)?y
Error opening metabase: 0x80040154
C:\Program Files\IIS Resources\SelfSSL>
 
*/n:CN='''hostname''' indicates the full domain name of the site and depends on what you want to use (eg. clientname.hosts.neosys.com if the site is hosted on Win3/Win4 or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) IF the site is hosted on the client server.
*/K:Key size. Use 2048 (not the default of 1024 which is no longer considered highly secure)
*/V:9999 means valid for 9999 days
*/S:8 is the site number in this case (site number is shown in IIS management screen)
*/P:4430 is the non-standard port number NEOSYS uses by convention for SSL/HTTPS instead of the standard 443. 4430 can be replaced with custom port numbers in case the installation is on a NEOSYS server. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_site_in_IIS Creating a site in IIS on NEOSYS hosted server]
Ignore the '''Error opening metabase: 0x80040154'''
 
Next go to the IIS Manager and make sure the certificate was created and stored. Note that creating a certificate does not make it automatically bind to the website.  


[[image:sslwin2008-2.jpg]]
[[image:sslwin2008-2.jpg]]
'''Client Server:''' Click on Sites > Default Website and in the right pane select Bindings
'''WIN3:''' Click on Sites > Client Folder > Bindings
[[image:sslwin2008-3.jpg]]
[[image:sslwin2008-3.jpg]]
In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the certificate from the drop down and press click on OK:


[[image:sslwin2008-4.jpg]]
[[image:sslwin2008-4.jpg]]


Then test the site from explorer to make sure it works.
Test the site from explorer to make sure it works.


== Creating a single HTTPS web site on Windows 2003 ==
=== Creating a single HTTPS web site on Windows 2003 ===


Install selfssl.exe from Microsoft site (iis60rkt.exe available in neosys Win3 download folder) only the ssl utility is needed.
*Copy the "hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server. (password to be used is present in a text file in the same folder)
*Click on Sites > Properties > Directory Security > Server certificate. Follow the steps in the wizard to import/bind the certificate to port 4430. See [http://techwiki.neosys.com/index.php?title=Setting_up_HTTPS&action=submit#Steps_to_follow_while_importing_certificate_and_why Importing certificate in IIS] for detailed steps to import.


http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en
=== Creating multiple HTTPS web sites on NEOSYS hosted server ===


then
All clients hosted on NEOSYS servers use the same IP address, but different unique HTTPS port numbers starting from 4431 onwards. The unique port number should be one greater than the highest port number available on the server under IIS manager -> NEOSYS ->Sites.


[[Image:SelfSSL.png]]
*Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the "hosts.neosys.com.pfx" certificate from the drop down and click OK.
 
C:\Program Files\IIS Resources\SelfSSL>selfssl /v:9999 /s:'''''866651215''''' /p:4430 /n:CN='''''hostname'''''
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.
Do you want to replace the SSL settings for site 866651215 (Y/N)?y
The self signed certificate was successfully assigned to site 866651215.
 
/v:9999 means valid for 9999 days
/s:'''''866651215''''' is the site number in this case  (site number is shown in IIS management screen)
/p:4430 is the non-standard port number neosys uses by convention for ssl/https instead of the standard 443
/n:CN='''''hostname''''' indicates the full domain name of the site and depends on what you want to use (eg. clientname.hosts.neosys.com if the site
  is hosted on Win3/Win4 or clientname.support.neosys.com (if fixed IP) / clientname.redirectme.net (if dynamic IP) IF the site is
  hosted on the client server.
 
You probably made a mistake in the site number if you get the following message.
 
Error opening site metabase key: 0x80070003
 
== Creating multiple HTTPS web sites on NEOSYS hosted server ==
 
=== Creating a site in IIS ===
 
All clients hosted on NEOSYS servers use the same IP address, but different unique HTTPS port numbers starting from 4431 onwards. Similarly HTTP ports are configured with unique port numbers starting from 8123 onwards. The unique port number should be one greater than the highest port number available on the server under IIS manager -> NEOSYS ->Sites. 
 
==== Creating a site in IIS in Windows 2008 ====
 
A port binding for HTTP is already created while configuring IIS.
 
Follow the procedures as explained in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Creating a Site in Win 2008] and add a port binding for HTTPS.
 
==== Creating a site in IIS in Windows 2003 ====
 
The https options are only available after running selfssl (see below).
 
[[Image:httpadvancedwebsitesetup.png]]


=== Testing access to the new HTTPS web site. ===
=== Testing access to the new HTTPS web site. ===
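Review bot: the new bullet for the NEOSYS hosted server ("select https, All Unassigned IP addresses, port 4430 ... select the "hosts.neosys.com.pfx" certificate") contradicts the rule this same revision states two lines earlier, that hosted clients get unique HTTPS ports from 4431 upward, one above the highest already in use; on a shared IP two sites on 4430 cannot both start, so the bullet should say "the port number allocated to the client" rather than 4430. The two new "Importing certificate in IIS" links point at the edit URL (index.php?title=Setting_up_HTTPS&action=submit#Steps_to_follow...), which opens the editor rather than the article; use the index.php/Setting_up_HTTPS#... form the other links on the page use. Minor: "Every client have been set up" should read "has been set up", and "Pre prepared" should be "A pre-prepared".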
Line 98: Line 39:
If you get certificate error:
If you get certificate error:


#check that the selfsll /n:CN='''clientname'''.hosts.neosys.com matches the domain name used in IE
#Check if the https binding has been done properly in the IIS as per procedures.
#install the certificate into the client computer (double click the padlock, view certificates etc)
 
Closing all internet explorer versions and restarting is necessary for installed certificates to become effective.
===Export, Remove and Import Certificates ===
 
This step applies to both Windows 2003 and Windows 2008.
 
The EXPORT/REMOVE/IMPORT stage is necessary where there are multiple https sites on one server since any subsequent SELFCERT seems to destroy all other sites done with SELFCERT that have not been exported/REMOVED/imported.  


Exporting and Importing certificates in Windows 2008 is just one part of the step to add certificates to sites and you need to follow the usual instructions to "bind" the certificate to a particular site.
=== Steps to follow while importing certificate and why ===


Certificates must be saved in d:\hosts\certificates preferably by name for easy reference otherwise by site number. If this is not done then if certificates need to be regenerated then you have the pain of supporting re-import of certificates by all users.  
#It MUST be imported  WITHOUT OPTION TO EXPORT and
#It MUST be deleted after import.  


#Export the certificate to a pfx file from IIS Manager > Click on Server Certificate > Export (to d:\hosts\certificates  - password to be set is in a text file in the same folder)
It is especially important to keep pfx files off clients own servers because they are commonly directly exposed to potentially infected employees computers and/or personal devices via the corporate LAN so they may be far less secure than NEOSYS own servers which are reasonably well isolated. If a pfx file is obtained by criminal hackers, perhaps using automated tools, and the pfx password guessed, brute forced, or broken in some way, the keys contained could in principle be used against us or our clients. If the pfx file is a wildcard that supports any subdomain, then loss in one place could affect others. The chances of all this happening is probably very low but NEOSYS needs to be prepared to pass IT audits and leaving keys around will be viewed as having a culture of low security standards.
#Remove the certificate from IIS Manager
#Import pfx certificate back to IIS Manager
#*Use PASSWORD found in certificates folder
#*Make sure you select the "mark certificate as exportable" option <br>[[image:import-export.jpg]]<br>


==Setting up HTTPS for installations with more than 1 database==
==Setting up HTTPS for installations with more than 1 database==


In cases where there are multiple databases within the same installation, the website can be made accessible via different URLs, one for each database, like database1.hosts.neosys.com and database2.hosts.neosys.com, though they will finally be pointing to the same website. In order to assign multiple URLs to the same website, simply repeat the steps for Creating a Single website in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2003 Windows 2003] or [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Windows 2008] for each HTTPS URL that is required.
In cases where there are multiple databases within the same installation, you can use the same website to access all the databases. In case the Client asks for separate domain names for multiple databases, use the same steps as explained in [http://techwiki.neosys.com/index.php?title=Setting_up_HTTPS&action=submit#Setting_up_HTTPS_for_NEOSYS_website Setting up HTTPS] as the case maybe.


== Troubleshooting setup of multiple HTTPS websites ==
== Troubleshooting setup of multiple HTTPS websites ==


SelfSSL allows only one website to have SSL at a time in Windows 2003. However to avoid any issues in the future the solutions below have been provided for both Windows 2003 and 2008.
TO DO
 
=== Re-installing Certificates ===
 
Sometimes due to an unknown issue, site/s stop working and hence there is a need to re-install the site certificate.
 
===== Re-installing Certificates from saved PFX files =====
 
#Unbind the certificate from the site
#Remove and import the certificate as explained in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Export.2C_Remove_and_Import_Certificates Export, Remove and Import Certificates]
#Rebind the certificate
 
===== Re-installing Certificates from selfssl =====
 
In case there is no saved PFX file available to import(probably because the export/remove/import certificate step was not done during installation), then a new certificate must be created using selfSSL.
 
If users have installed certificates in their browsers then they will have to reinstall them again to avoid the usual "certificate not trusted/matching" type problems.
 
'''Steps'''
#Unbind the certificate from the site
#Remove the certificate from IIS Manager
#Create a new certificate as shown in [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2008 Creating a single HTTPS website in Windows 2008]
#Bind the new certificate to the website
#Do the export/remove/import step to have a working PFX file and avoid problems in the future. See [http://techwiki.neosys.com/index.php/Setting_up_HTTPS#Export.2C_Remove_and_Import_Certificates Export,Remove and Import]
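Review bot: "Steps to follow while importing certificate and why" is the target of both "See Importing certificate in IIS for detailed steps" links, but after this change it contains only the two constraints ("It MUST be imported WITHOUT OPTION TO EXPORT", "It MUST be deleted after import") and the rationale paragraph; the actual import procedure (the removed Export / Remove / Import list, with "Use PASSWORD found in certificates folder" and without the "mark certificate as exportable" step, which the new rule now forbids) should be restated here so the links resolve to steps. "It" has no antecedent in either item; say "the certificate" and "the PFX file" respectively. Replacing the Troubleshooting section with "TO DO" also drops the "Re-installing Certificates" procedures; if they no longer apply to the COMODO certificate, say so, otherwise keep them until the replacement is written. The link in "Setting up HTTPS for installations with more than 1 database" has the same action=submit problem as the links in the first hunk.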

Revision as of 08:33, 13 January 2016

Setting up HTTPS for NEOSYS website

NEOSYS has a very simple way of enabling HTTPS for all clients: every client has been set up with a domain name of the form "*.hosts.neosys.com", where "*" is the client name.

A pre-prepared certificate for the *.hosts.neosys.com web sites is present on the nl10r/win3 server. The certificate is signed by COMODO and uses the SHA-2 signature algorithm. It is portable, ensures authenticity and is widely supported.

Creating a single HTTPS web site on Windows 2008

To create a single HTTPS web site on Windows 2008, follow three simple steps:

  • Copy the "hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server (the password to be used is in a text file in the same folder).
  • Import the certificate into IIS. See Importing certificate in IIS for detailed steps.
  • Click on Sites > Client Web Site > Bindings. In the Bindings section, click Add, select https, All Unassigned IP addresses and port 4430, select the certificate from the drop-down and click OK.
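The three steps above as one PowerShell script, added here as an example; it is not the NEOSYS wiki's own code. It assumes the WebAdministration module (IIS 7.5 / Windows 2008 R2 or later), that the PFX has been copied to the path in $PfxPath, that the IIS site is named as in $SiteName, and that the password is typed at the prompt rather than read from a file. The import deliberately omits the Exportable flag and the PFX is deleted at the end, which is what the "Steps to follow while importing certificate and why" section requires.

```powershell
# Added example (not NEOSYS wiki code). Assumptions: PFX copied to $PfxPath,
# IIS site named $SiteName, WebAdministration module available (IIS 7.5+).
Import-Module WebAdministration

$PfxPath  = 'D:\temp\hosts.neosys.com.pfx'   # assumed location of the copied PFX
$SiteName = 'clientname'                     # assumed IIS site name
$Port     = 4430                             # NEOSYS convention for a single site
$Password = Read-Host -Prompt 'PFX password (from the certificates folder)' -AsSecureString

# Import into LocalMachine\My. "Exportable" is deliberately NOT in the flags, so the
# private key cannot be exported again from this server (the wiki's first MUST).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Host "Imported $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# HTTPS binding on the site ("All Unassigned" is '*'), created only if it is missing.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
}

# Attach the certificate to the port (what "select the certificate from the drop-down" does).
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath -Force }
New-Item -Path $sslPath -Value $cert | Out-Null

# The PFX holds the private key; it must not remain on the server (the wiki's second MUST).
Remove-Item -Path $PfxPath -Force
Write-Host "HTTPS bound on port $Port for site '$SiteName'; PFX deleted."
```

Run it in an elevated PowerShell on the target server. If the site already has an SSL binding on the port, the existing certificate association is replaced; the HTTP binding is left untouched.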

(Screenshots: Sslwin2008-2.jpg, Sslwin2008-3.jpg, Sslwin2008-4.jpg)

Test the site from Internet Explorer to make sure it works.

Creating a single HTTPS web site on Windows 2003

  • Copy the "hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server (the password to be used is in a text file in the same folder).
  • Click on Sites > Properties > Directory Security > Server certificate. Follow the steps in the wizard to import the certificate and bind it to port 4430. See Importing certificate in IIS for detailed steps to import.

Creating multiple HTTPS web sites on NEOSYS hosted server

All clients hosted on NEOSYS servers use the same IP address but different, unique HTTPS port numbers, starting from 4431 onwards. The port number for a new client should be one greater than the highest port number already in use on the server under IIS Manager -> NEOSYS -> Sites.

  • Click on Sites > Client Web Site > Bindings. In the Bindings section - click on Add and select https, All Unassigned IP addresses, port 4430 and select the "hosts.neosys.com.pfx" certificate from the drop down and click OK.
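An added example (not NEOSYS wiki code) that applies the port rule above on a hosted server: it reads the existing IIS bindings and returns the next port for a new client, and warns if two sites already share a port, which on a single shared IP means one of them cannot start. It assumes the WebAdministration module; the floors 4431 (HTTPS) and 8123 (HTTP) are the conventions stated on this page.

```powershell
# Added example (not NEOSYS wiki code). Assumes the WebAdministration module on
# the NEOSYS hosted server. Returns one above the highest port already bound for
# the protocol, never below the floor, as the wiki's allocation rule says.
Import-Module WebAdministration

function Get-NextClientPort {
    param(
        [ValidateSet('http', 'https')][string]$Protocol = 'https',
        [int]$Floor = 4431          # wiki convention: HTTPS from 4431, HTTP from 8123
    )
    # bindingInformation looks like "*:4431:" (IP:port:hostheader).
    $bindings = @(Get-WebBinding | Where-Object { $_.protocol -eq $Protocol })
    $ports = @($bindings | ForEach-Object { [int](($_.bindingInformation -split ':')[1]) })

    # Two sites bound to the same IP and port cannot both start; flag it before adding a third.
    $ports | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning "$Protocol port $($_.Name) is bound by $($_.Count) sites; fix before allocating more"
    }

    # Highest port in use, or Floor-1 when nothing above the floor exists yet.
    $highest = ($ports + @($Floor - 1) | Measure-Object -Maximum).Maximum
    return [int]$highest + 1
}

# Usage: both ports a new client site needs on this server.
$httpsPort = Get-NextClientPort -Protocol https -Floor 4431
$httpPort  = Get-NextClientPort -Protocol http  -Floor 8123
Write-Host "Next free ports on this server: HTTPS $httpsPort, HTTP $httpPort"
```

Gaps left by removed clients are not reused, which matches the "one greater than the highest" rule rather than a lowest-free-port policy.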

Testing access to the new HTTPS web site.

Create the subdomain clientname.hosts.neosys.com.

Open "https://clientname.hosts.neosys.com:44XX/neosys" in IE, where 44XX is the port number designated for the client.

If you get certificate error:

  1. Check if the https binding has been done properly in the IIS as per procedures.
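A diagnostic for the "certificate error" case, added as an example and not part of the NEOSYS wiki: it completes a TLS handshake to the new binding and reports the three things that produce the browser error, whether the certificate name matches the URL host, whether the chain is trusted by the computer running the script, and whether the certificate is within its validity period. Host name and port are assumptions; run it from the client PC whose browser shows the error, since trust is decided there.

```powershell
# Added example (not NEOSYS wiki code). Connects to the new HTTPS binding and
# names the cause behind "If you get certificate error". Host and port are
# assumptions; run it on the client PC that shows the error.
function Test-NeosysHttps {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # e.g. clientname.hosts.neosys.com
        [Parameter(Mandatory = $true)][int]$Port           # the 44XX port bound in IIS
    )
    # Accept whatever the server presents so the handshake completes; validation
    # is done explicitly below so each failure can be reported by name.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $accept
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Close(); $tcp.Close()
    }

    # 1. Name match: CN plus any Subject Alternative Names (OID 2.5.29.17).
    #    A wildcard such as *.hosts.neosys.com covers exactly one label, as browsers treat it.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $nameMatch = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot + 1) -eq $n.Substring(2)) { $nameMatch = $true }
        } elseif ($n -eq $HostName) { $nameMatch = $true }
    }

    # 2. Chain trust on this computer. A selfssl certificate fails here until it is
    #    installed on the client (step 3 above); the COMODO-signed one should pass.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 3. Validity window.
    $now = Get-Date
    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Subject = $cert.Subject; Names = ($names -join ' ')
        NotAfter = $cert.NotAfter; NameMatch = $nameMatch; ChainTrusted = $chainOk
        ChainStatus = $status; InDate = $inDate
    }
}

# Usage with a constructed host and port (use the client's real 44XX port).
$r = Test-NeosysHttps -HostName 'clientname.hosts.neosys.com' -Port 4430
$r | Format-List
if (-not $r.NameMatch)    { Write-Warning 'Certificate name does not match the URL host: check /n:CN or the wildcard name.' }
if (-not $r.ChainTrusted) { Write-Warning "Chain not trusted ($($r.ChainStatus)): install the certificate on this client." }
if (-not $r.InDate)       { Write-Warning 'Certificate is outside its validity period.' }
```

If the script fails before the handshake with a connection-refused error, the problem is item 1 on the list (the HTTPS binding or port in IIS), not the certificate. The script accepts the server certificate only to inspect it; it is a one-off diagnostic, not something to copy into an application.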

Steps to follow while importing certificate and why

  1. The certificate MUST be imported WITHOUT the option to export (do not mark the key as exportable), and
  2. The PFX file MUST be deleted after import.

It is especially important to keep PFX files off clients' own servers. Those servers are commonly exposed directly, via the corporate LAN, to potentially infected employee computers and personal devices, so they may be far less secure than NEOSYS's own servers, which are reasonably well isolated. If a PFX file is obtained by criminal hackers, perhaps using automated tools, and the PFX password is guessed, brute-forced or otherwise broken, the keys it contains could in principle be used against us or our clients. If the PFX file holds a wildcard certificate that covers any subdomain, then loss in one place could affect the others. The chance of all this happening is probably very low, but NEOSYS needs to be prepared to pass IT audits, and leaving keys lying around will be viewed as a culture of low security standards.
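An audit that checks both rules above on a server, added here as an example (not NEOSYS wiki code): it lists every private key in the machine store with whether it is exportable, and searches the drives for leftover PFX files. The drive roots are assumptions; on win3 the d:\hosts\certificates folder is the intended home of the PFX and is expected to appear, whereas on a client's server nothing should be found.

```powershell
# Added example (not NEOSYS wiki code). Audits the two MUSTs: no exportable
# private key in LocalMachine\My, and no .pfx file left on disk. Drive roots are
# assumptions; d:\hosts\certificates on win3 is expected to show up.
function Get-PrivateKeyExportability {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $key = $null
        try { $key = $_.PrivateKey } catch { }
        # Only CSP (RSA) keys expose CspKeyContainerInfo; report 'unknown' rather than guess for others.
        $exportable = if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $key.CspKeyContainerInfo.Exportable
        } else { 'unknown' }
        New-Object PSObject -Property @{
            Subject = $_.Subject; Thumbprint = $_.Thumbprint
            NotAfter = $_.NotAfter; Exportable = $exportable
        }
    }
}

function Find-LeftoverPfx {
    param([string[]]$Roots = @('C:\', 'D:\'))   # assumed fixed drives on the server
    Get-ChildItem -Path $Roots -Recurse -Include *.pfx, *.p12 -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$keys = Get-PrivateKeyExportability
$keys | Format-Table Subject, NotAfter, Exportable -AutoSize
$keys | Where-Object { $_.Exportable -eq $true } | ForEach-Object {
    Write-Warning "Exportable private key: $($_.Subject) ($($_.Thumbprint)); remove and re-import without the export option"
}
Find-LeftoverPfx | ForEach-Object { Write-Warning "PFX on disk: $($_.FullName); delete it once imported" }
```

Run it elevated so the machine store and all folders are readable; a key reported as "unknown" was stored by a CNG provider and needs a manual check in the Certificates MMC snap-in.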

Setting up HTTPS for installations with more than 1 database

In cases where there are multiple databases within the same installation, you can use the same website to access all the databases. If the client asks for separate domain names for the databases, use the same steps as explained in Setting up HTTPS, as the case may be.

Troubleshooting setup of multiple HTTPS websites

TO DO