{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Certificate","type":"text"}]},{"type":"paragraph","content":[{"text":"A certificate, signed by a certificate authority needs to be created and installed on the web server. How this is done differs if the server is accessible from the public internet or not.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Public Facing Web Server","type":"text"}]},{"type":"paragraph","content":[{"text":"If the web server is public facing then a free certificate can be obtained using Let's Encrypt. Follow the instructions in ","type":"text"},{"text":"SSL/TLS using Let's Encrypt","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/FS/pages/14385435"}}]}]},{"type":"paragraph","content":[{"text":"Alternatively you can use any commercial certificate authority. Ex: DigiCert, Entrust, Thawte, etc.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Internal Web Server","type":"text"}]},{"type":"paragraph","content":[{"text":"If the server is internal then an internal Certificate Authority will be needed.","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Identify the Certificate Authority (CA) - If you need to setup Microsoft Certificate Services the following link may:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Install the Certificate Authority","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority"}}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Install the Certificate - Request and install a certificate for the website under which the application will run. See: ","type":"text"},{"text":"How to Get a Certificate from an internal CA","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/FS/pages/122617869"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The certificate must be created for a website (ex: Default Web Site) not the virtual directory for the web application.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A Bit length of 2048 or higher.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select SHA256 for your hash algorithm.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Set the Subject Alternative Name to the FQDN of the server or a wildcard that includes the server (ex: *.mydomain.gov)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Validity period of 389 days or less","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"ExtendedKeyUsage extension containing the id-kp-serverAuth OID","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"See this Microsoft KB article for more information: ","type":"text"},{"text":"http://support.microsoft.com/kb/299875","type":"text","marks":[{"type":"link","attrs":{"href":"http://support.microsoft.com/kb/299875"}}]}]}]}]}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"If an internal certificate authority (CA) is being setup it is strongly advised to configure ","type":"text"},{"text":"Certificate auto-enrollment","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment"}}]},{"text":" so that the issued certificates will auto-renew rather than expire.","type":"text"}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"IIS Configuration","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Binding","type":"text"}]},{"type":"paragraph","content":[{"text":"Add an https site binding","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Skip this if ","type":"text"},{"text":"win-acme","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/FS/pages/14385435"}}]},{"text":" was used to obtain the certificate as it will already be done.","type":"text"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select the Website that contains the web application (ex: Sites/Default Web Site)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the Actions pane, click Bindings... ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the Site Bindings dialog click Add...","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add https Binding","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Type: https:","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"IP Address: All Unassigned","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Port: 443","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SSL certificate: Select the certification you installed","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click OK","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click Close","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"HTTP Redirect to HTTPS","type":"text"}]},{"type":"paragraph","content":[{"text":"Use the URL Rewrite module to change incoming HTTP URLs to be HTTPS.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"If HTTP is going to be blocked then this section can be skipped. What that means is that if HTTP is used the URL will be denied, not redirected to HTTPS.","type":"text"}]}]},{"type":"paragraph"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Install the URL Rewrite Module for IIS: ","type":"text"},{"text":"http://www.iis.net/downloads/microsoft/url-rewrite","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.iis.net/downloads/microsoft/url-rewrite"}}]},{"text":" (scroll to bottom for installers by language and architecture)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Require SSL must not be checked for either Default Web Site or for any application (ex: AdamsAdmin, AdamsWeb, AdamsBridge, etc) under that. You can check the SSL Settings for each to see that it isn’t.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"IIS Manager must be closed","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add a web.config file to the web server's root directory (ex: c:\\inetpub\\wwwroot) with the below content or the configuration section only if the web.config already exists. The web server's root directory is typically c:\\inetpub\\wwwroot even if you have installed Adams web applications on another drive such as e:\\inetpub\\wwwroot.","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"web.config","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open IIS Manager","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open Default Web Site → URL Rewite","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select the \"HTTP to HTTPS redirect\" rule and verify it is enabled. If not click Enable Rule ","type":"text"}]}]}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"paragraph","content":[{"text":"Try to access the website using HTTP. It should succeed and there should be a lock icon because the request was re-directed to HTTPS.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Require SSL/TLS (deny HTTP)","type":"text"}]},{"type":"paragraph","content":[{"text":"Require SSL/TLS/HTTPS for all apps.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Skip this section if incoming HTTP URLs will be redirected to HTTPS. Require SSL denies HTTP requests before they can be redirected.","type":"text"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"IIS Manager","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select Default Web Site","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Double click on IIS > SSL Settings","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check the \"Require SSL\" box","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Leave Client certificates set to Ignore","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select Apply in the Actions pane","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click to select the Default Web Site","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click Restart","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Service Endpoints (Pre-ADAMS 6.1)","type":"text"}]},{"type":"paragraph","content":[{"text":"Make it so that web services can or must use HTTPS.","type":"text"}]},{"type":"paragraph","content":[{"text":"Edit service endpoints in web.config files for Adams Admin and Adams Web","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open web.config","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Find ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For ","type":"text"},{"text":"each","type":"text","marks":[{"type":"em"}]},{"text":" endpoint within each do one of:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For HTTPS access ","type":"text"},{"text":"only","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":": Edit “Http” in binding value to “Https”. ","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"Ex: “basicHttpBinding” ➔ “basicHttpsBinding”; “mexHttpBinding” ➔ “mexHttpsBinding”","type":"text"},{"type":"hardBreak"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For ","type":"text"},{"text":"both","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":" HTTP and HTTPS access: Add a copy all endpoints with “Http” in binding value and edit value to have Https. ","type":"text"},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"Ex: Copy endpoint line and edit “basicHttpBinding” ➔ “basicHttpsBinding” – Use this if both HTTP and HTTPS will be used.","type":"text"}]}]}]}]}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"paragraph","content":[{"text":"Test to make sure that users can access the web site and applications using both http:// and https:// with http:// redirecting to https://","type":"text"}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}],"version":1}

Browser not supported