Configuring SSL (Windows)

It is possible to configure an AppBridge service host to use SSL. The steps are the same for both a hub and a node. This document goes through all the necessary steps, including creating a self-signed certificate. Note that self-signing is not recommended: to use a self-signed certificate, you must configure every computer that communicates with the host to trust it, which is a difficult task not covered in this document.

Enable SSL on the Service Host

To do this you need to open a command window as administrator, navigate to the host’s install directory, and run the following command.

HostSettings –hostusesssl True

This will enable SSL for the host. Alternatively you can use the management console. To do this right click on the management console icon and select “Edit Host Settings”.

In the dialog that pops up check “Enable SSL” as shown below and save your changes.

Note that you will have to stop and start the hosting service before these changes will be applied.

Add a Certificate

Your host is now running using “https”, but if you visit it you will notice that nothing loads. This is because you have to associate an SSL certificate with the host’s port before SSL can work. The page linked below gives an excellent explanation of how to associate a certificate with a port in different versions of Windows.

How to: Configure a Port with an SSL Certificate

(https://msdn.microsoft.com/en-us/library/ms733791%28v=vs.110%29.aspx)

The application ID you have to use depends on which type of host you have installed on your system. See below for a list of application IDs.

Service Hub: {3e3783f6-b92c-4546-8dee-672bf5c665ef}

Service Node: {f6a3d635-e0fc-4dee-bfb2-2910e05ed5d5}
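
The binding step described above, as an added example that is not part of the AppBridge documentation or tooling. It assumes Windows Vista or later (where "netsh http" is available), an elevated PowerShell session, and a certificate already imported into the Local Computer "Personal" store; the port number is a placeholder and the subject name is the one used in the makecert example later in this document.

```powershell
# Added example, not AppBridge code. Run in an elevated PowerShell session.
# Assumptions: $Port is a placeholder for the port your host listens on, and
# $Subject matches a certificate already imported into Local Computer > Personal.
$Port    = 8443                                      # placeholder, use your host's port
$Subject = 'CN=CompanyXYZ Server'                    # subject from the makecert example
$AppId   = '{3e3783f6-b92c-4546-8dee-672bf5c665ef}'  # Service Hub; use the Service Node ID for a node

# Pick the newest matching certificate from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My." }

# A certificate imported from a .cer file has no private key and cannot serve HTTPS.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the .pfx file.' }

# Warn if the certificate is outside its validity window (browsers will warn about it).
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Certificate is valid only from $($cert.NotBefore) to $($cert.NotAfter)."
}

# Bind the certificate to the port. Each argument is quoted so that PowerShell
# passes the braces in the application ID to netsh unchanged.
& netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$($cert.Thumbprint)" "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE." }

# Show the resulting binding so the hash and application ID can be reviewed.
& netsh http show sslcert "ipport=0.0.0.0:$Port"
```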

You should now be good to go. If you visit your host in a web browser again, you should be able to see the web UI and use the host as normal. If your web browser gives you a warning about the security of the site when you try to visit it, this means you have installed an expired or untrusted certificate. This is fine as long as you are working with the single host, but will cause problems if you include service nodes in your setup.

How to create a self-signed SSL certificate

I don’t recommend doing this when you actually want to use your host for something, and it will cause problems for any nodes in your system, but for testing purposes here are the steps for creating a self-signed SSL certificate.

Step 1: Install the Windows Software Developer Kit

In order to do this we’re going to use a tool called “makecert”. To get it you need to download and install the Windows Software Developer Kit from the link below.

http://msdn.microsoft.com/en-us/library/windows/desktop/hh852363.aspx

Note that when asked which features you want to install you only need the “Windows Software Developer Kit” feature.

Step 2: Create the PFX certificate file

Now that you have “makecert” you need to run the following commands. Replace the values with appropriate values for your own certificate.

makecert -r -pe -n "CN=CompanyXYZ Server" -b 01/01/2007 -e 01/01/2017 -sky exchange Server.cer -sv Server.pvk

pvk2pfx.exe -pvk Server.pvk -spc Server.cer -pfx Server.pfx

Step 3: Install the certificate in your computer

You do this from the Microsoft Management Console. You can find this easily by typing “mmc” into the search section of your start menu.

Once it is open, you need to add the “Certificates” snap-in for your local computer. Select “File > Add/Remove Snap-in…”, then select “Certificates” from the list and click “Add”. Then select “Computer Account” and “Local Computer” and click “Finish”.

Now in the left hand tree view expand “Certificates” and “Personal” and click on the “Certificates” folder under it. Then, in the certificate list in the center right click in empty space and select “All Tasks > Import…”

If the first page of the import wizard gives you a choice, select “Local Machine” and click “Next”. After this the steps should be pretty straightforward. When browsing for a file, be sure to select the “pfx” file you generated in step 2. The “cer” and “pvk” files will not work, even though the “cer” file can be imported.


 
