Certificate
A certificate, signed by a certificate authority needs to be created and installed on the web server. How this is done differs if the server is accessible from the public internet or not.
Public Facing Web Server
If the web server is public facing then a free certificate can be obtained using Let's Encrypt. follow Follow the instructions in SSL/TLS using Let's Encrypt
Alternatively you can use any commercial certificate authority. Ex: DigiCert, Entrust, Thawte, etc.
Internal Web Server
If the server is internal then an internal Certificate Authority will be needed.
Identify the Certificate Authority (CA) - If you need to setup Microsoft Certificate Services the following
...
link may
...
:
Install the Certificate - Request and install a certificate for the website under which the application will run. See: How to Get a Certificate from an internal CA
The certificate must be created for a website (ex: Default Web Site) not the virtual directory for the web application.
A Bit length of 2048
...
or higher.
Select SHA256 for your hash algorithm.
Set the Subject Alternative Name to the FQDN of the server or a wildcard that includes the server (ex: *.mydomain.gov)
Validity period of 389 days or less
ExtendedKeyUsage extension containing the id-kp-serverAuth OID
See this Microsoft KB article for more information: http://support.microsoft.com/kb/299875
Note |
---|
If an internal certificate authority (CA) is being setup it is strongly advised to configure Certificate auto-enrollment so that the issued certificates will auto-renew rather than expire. |
IIS Configuration
Binding
Add an https site binding
Info |
---|
Skip this if |
...
win-acme was used to obtain the certificate as it will already be done. |
...
Select the Website that contains the web application (ex: Sites/Default Web Site)
In the Actions pane, click Bindings...
In the Site Bindings dialog click Add...
Add https Binding
Type: https:
IP Address: All Unassigned
Port: 443
SSL certificate: Select the certification you installed
Click OK
Click Close
Service Endpoints
Make it so that web services can or must use HTTPS.
Edit service endpoints in web.config files for Adams Admin and Adams Web
...
URL Rewrite
...
HTTP Redirect to HTTPS
Use the URL Rewrite module to change incoming HTTP URLs to be HTTPS.
Info |
---|
If HTTP is going to be blocked then this section can be skipped. What that means is that if HTTP is used the URL will be denied, not redirected to HTTPS. |
Install the URL Rewrite Module for IIS: http://www.iis.net/downloads/microsoft/url-rewrite (scroll to bottom for installers by language and architecture)
Require SSL
...
must not be checked for either Default Web Site or for
...
any application (ex: AdamsAdmin, AdamsWeb, AdamsBridge, etc) under that. You can check the SSL Settings for each to see that it isn’t.
...
- Requested URL: Matches the Pattern
- Using: Regular Expressions
- Pattern: (.*)
- Ignore case: checked
...
- Condition input: {HTTPS}
- Check if input string: Matches the Pattern
- Pattern: ^OFF$
- Ignore case: checked
- Click OK
...
IIS Manager must be closed
Add a web.config file to the web server's root directory (ex: c:\inetpub\wwwroot) with the below content or the configuration section only if the web.config already exists. The web server's root directory is typically c:\inetpub\wwwroot even if you have installed Adams web applications on another drive such as e:\inetpub\wwwroot.
web.config
Code Block language xml <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <rewrite> <rules> <rule name="HTTP to HTTPS redirect" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTPS}" pattern="off" ignoreCase="true" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}/
...
{R:1}" redirectType="Permanent" /> </rule> </rules> <outboundRules> <rule name="Add Strict-Transport-Security when HTTPS" enabled="true"> <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" /> <conditions> <add input="{HTTPS}" pattern="on" ignoreCase="true" /> </conditions> <action type="Rewrite" value="max-age=31536000" /> </rule> </outboundRules> </rewrite> </system.webServer> </configuration>
Open IIS Manager
Open Default Web Site → URL Rewite
Select the "HTTP to HTTPS redirect" rule and verify it is enabled. If not click Enable Rule
Tip |
---|
Try to access the website using HTTP. It should succeed and there should be a lock icon because the request was re-directed to HTTPS. |
Require SSL/TLS (deny HTTP)
Require SSL/TLS/HTTPS for all apps.
Info |
---|
Skip this section if incoming HTTP URLs will be redirected to HTTPS. Require SSL denies HTTP requests before they can be redirected. |
IIS Manager
Select Default Web Site
Double click on IIS > SSL Settings
Check the "Require SSL" box
Leave Client certificates set to Ignore
Select Apply in the Actions pane
Click to select the Default Web Site
Click Restart
Service Endpoints (Pre-ADAMS 6.1)
Make it so that web services can or must use HTTPS.
Edit service endpoints in web.config files for Adams Admin and Adams Web
Open web.config
Find <services>
For each endpoint within each <service> do one of:
For HTTPS access only: Edit “Http” in binding value to “Https”.
Ex: “basicHttpBinding” ➔ “basicHttpsBinding”; “mexHttpBinding” ➔ “mexHttpsBinding”For both HTTP and HTTPS access: Add a copy all endpoints with “Http” in binding value and edit value to have Https.
Ex: Copy endpoint line and edit “basicHttpBinding” ➔ “basicHttpsBinding” – Use this if both HTTP and HTTPS will be used.
Tip |
---|
Test to make sure that users can access the web applicationsite and applications using both http:// and https:// with http:// redirecting to https:// |