Secure IIS Web Server with SSL

(1)

Secure IIS Web Server with SSL

EventTracker v7.x

(2)

1

Abstract

The purpose of this document is to help users to

• Install and configure Secure Socket Layer (SSL)

• Secure the IIS Web server with SSL

It is supported for all EventTracker Enterprise v7.x versions.

Target Audience

The document holds good for EventTracker Users and Administrators who wish to access EventTracker via a secured layer.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

(3)

EventTracker: Secure IIS Web Server with SSL

Secure IIS Web Server with SSL

Secure Sockets Layer (SSL)

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet.

Source: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci343029,00.html You need SSL if you,

• Offer a login or sign in on your site

• Process sensitive data

• Need to comply with security requirements

Mandatory Requirements

This section describes the mandatory software and components requirements to create SSL digital certificate and secure Web site hosted on IIS server with SSL digital certificate.

Operating System

• Windows 2003 Server

• Windows 2008 / 2008 R2 Server

• Windows 2012 Server

Software and Components

• Active Directory and Domain Controller.

• Internet Information Server (IIS) 6.0 and above.

• Browser, which supports 128-bit encryption (IE 6 or above).

(5)

Windows Server 2012 Enterprise

Windows Server 2012 uses Internet Information Services (IIS) 8.0.

Summary

• Install and configure the Certificate Authority (CA) :

• Create the Certificate Request

• Get the Pending Request Accepted by the Certificate Authority

• Install the Certificate

• Bind the Certificate to the Default Web Site

• Test the SSL enabled Default Web Site

• Configure SSL Settings

Install Active Directory Certificate Services (AD CS) in

Win 2012

1. Select the Start button, select Administrative Tools, and then select Server Manager.

Server Manager displays. The Dashboard is displayed by default.

(6)

5

Figure 1

2. Select Add Roles and Features.

Add Roles and Features Wizard displays.

3. In the Before You Begin page, select the Next > button.

(7)

Figure 2

4. On the Select installation type page, select Role-based or feature-based installation, and then select the Next > button.

(8)

7

Figure 3

5. On the Select destination server page, select Select a server from the server pool, select a server from Server Pool list, and then select the Next > button.

(9)

Figure 4

6. On Select server roles page, select Active Directory Certificate Services option and then select the Next> button.

(10)

9

Figure 5

Add Features that are required for Active Directory Certificate Services? window displays.

(11)

Figure 6

7. Verify the required features and then select the Add Features button.

Select server roles window displays.

(12)

11

Figure 7

8. Select the Next > button.

Select features page displays.

(13)

Figure 8

Active Directory Certificate Services page display.

(14)

13

Figure 9

11. In Select role services page, select the Certificate Authority (if not selected) and Certification Authority Web Enrollment option.

(15)

Figure 10

Add features that are required for Certificate Authority Web Enrollment? window displays.

(16)

15

Figure 11

12. Select the Add features button.

The selected role services are enabled.

(17)

Figure 12

Confirm installation selections window displays.

(18)

17

Figure 13

14. Select the Restart the destination server automatically if required option and then select the Install button.

A successful message displays.

(19)

Figure 14

The installation of Active Directory Certificate Services is complete but is yet to be configured.

(20)

19

Configure Active Directory Certificate Services (AD CS)

in Win 2012

The server manager displays a notification that AD CS is not yet configured.

1. Click on the notification and continue to configure AD CS.

AD CS Configuration window displays to enter credentials.

Figure 15

Role Services page displays.

(21)

Figure 16

3. Select role services Certification Authority, Certification Authority Web Enrollment option and then select the Next > button.

(22)

21

Figure 17

Setup Type page displays to specify Certification Authority.

(23)

Figure 18

By default, Standalone CA option is selected as Setup Type.

CA Type page displays. By default, Root CA is selected as CA Type.

(24)

23

Figure 19

Private Key page displays.

By default, Create a new private key option is selected.

(25)

Figure 20

Cryptography for CA page displays.

By default, RSA#Microsoft Software Key Storage Provider is selected as Cryptographic provider and Key character length is 2048.

(26)

25

Figure 21

18. In Select the hash algorithm for signing certificates issues by this CA: list, select SHA1.

CA Name page displays.

(27)

Figure 22

20. Type a distinctive common name and distinctive name in the Common name for this CA:

and Distinguished name suffix: fields respectively or leave as it is.

Validity Period page displays.

(28)

27

Figure 23

22. Set the Specify the validity period and then select the Next > button.

CA Database page displays.

(29)

Figure 24

23. If required, change the path of Certificate database location: and Certificate database log location: or leave it as it is.

(30)

29

Figure 25

25. Crosscheck the configuration settings, and then select the Configure button.

A message stating ‘Configuration succeeded’ displays.

(31)

Figure 26

26. Select the Close button.

Server Manager displays the newly installed Role Services.

27. Restart the server.

(32)

31

Create a certificate request in Win 2012

1. Select the Start button, select Administrative Tools, and then select Internet Information Services (IIS) Manager.

Figure 27

2. Select the server node.

(33)

Figure 28

3. In IIS pane, double click Server Certificates icon.

Figure 29

Server Certificates page displays.

(34)

33

Figure 30

4. In Actions pane, select Create Certificate Request link.

Request Certificate window displays.

(35)

Figure 31

5. In Distinguished Name Properties page, type the system name (FQDN- Fully qualified domain name) as common name in the Common name text box.

Example: mcloon.toons.local

(36)

35

Figure 32

6. Enter organization and geographical details, and then select the Next button.

Cryptographic Service Provider Properties page displays.

(37)

Figure 33

Microsoft RSA SChannel Cryptographic Provider is selected by default as Cryptographic service provider.

7. In Bit length: dropdown, set the bit length to 2048, and then select the Next button.

File Name page displays.

(38)

37

Figure 34

8. In Specify a file name for the certificate request:, type name and path of the file to save the CSR (Certificate Server Request).

9. Select the Finish button.

Send this request file to the certificate vendor.

(39)

Get Pending Request Accepted by the Certificate Authority (CA) in

Win 2012

Now you have a pending certificate request, and it needs to be accepted by the CA.

1. Open Internet explorer.

2. Type http://server/certsrv in the Address field.

Here “server’ is the name of the server for which you are creating the certificate.

Example: elcwin2k8 or localhost

Figure 35

3. Click the Request a certificate hyperlink.

Figure 36

(40)

39

Figure 37

5. Click the Submit a certificate request by using a Base64-encoded CMC or PKCS #10 file, or submit a renewal request using a base64-encoded PKCS #7 file hyperlink.

Figure 38

6. In Saved Request: box, enter the content of the certreq.txt file.

7. In Certificate Template: drop-down, select Web Server.

(41)

Figure 39

8. Click the Submit > button.

Once you click Submit, the certificate is issued to you.

9. Select Base 64 encoded option.

Figure 40

10. Click Download certificate hyperlink.

(42)

41

Figure 41

11. To save the certificate on local drive, click the Save button.

Figure 42

12. Close the Microsoft Certificate Services IE window.

(43)

Complete the certificate request in Win 2012

NOTE:

Certificate received from the vendor needs to be copied to the system.

1. Select the Start button, select Administrative Tools, and then select Internet Information Services (IIS) Manager.

‘Internet Information Services (IIS) Manager’ window is displayed.

2. Click the server node.

3. In IIS pane, double click the Server Certificates icon.

Figure 43

4. In Actions pane, click Complete Certificate Request hyperlink.

(44)

43

Figure 44

5. In Complete Certificate Request window, click the browse button to specify File name containing the certification authority’s response:.

(45)

Figure 45

6. Locate the server certificate that has been received from the certificate authority and then click Open.

(46)

45

Figure 46

Specify Certificate Authority Response page displays.

(47)

Figure 47

7. Type a relevant name in Friendly name: box to keep track of the certificate on this server and then click OK.

(48)

47

Figure 48

If successful, the newly installed certificate will be shown in the list.

(49)

Figure 49

If an error stating ‘the request or private key cannot be found’ occurs, then make sure that the correct certificate is being used and is getting installed on the same server where the CSR (Certificate Server Request) is generated. If these two things are in place then proceed to create a new Certificate Request and reissue/replace the certificate.

(50)

49

Bind the certificate to ‘Default Web Site’ in Win 2012

1. Expand the server node, expand the Sites node, and then select Default Web Site node.

2. In the Actions pane, select Bindings….

Figure 50

Site Bindings window displays.

(51)

Figure 51

3. Select the Add… button.

Add Site Binding window displays.

(52)

51 4. In Type: drop down, select https.

By default, system will select the port number as 443. The default port number can be changed, if required.

Figure 53

5. In SSL certificate: drop down, select the recently installed SSL certificate, and then select the OK button.

Figure 54

(53)

The binding for port number 443 is listed.

Figure 55

The newly added https website is listed in Actions pane under Browse Website.

(54)

53

Figure 56

(55)

Configure ‘SSL Settings’ in Win 2012

1. To configure ‘SSL Settings’ to interact in a specific way with client certificates, expand the Sites node, and then select Default Web Site node.

2. In IIS pane, double-click SSL Settings icon.

Figure 57

SSL Settings page display.

(56)

55

Figure 58

3. Select Require SSL option.

4. In Actions pane, select the Apply button.

After successful SSL settings modification, a message will be displayed in the Actions pane.

5. Close the IIS Manager.

(57)

Windows Server 2K8/2K8 R2 Enterprise

Windows Server 2K8 uses Internet Information Services (IIS) 7.0.and 7.5 Summary

• Installing and configuring the Certificate Authority (CA) :

• Creating the Certificate Request

• Getting the Pending Request Accepted by the Certificate Authority

• Installing the Certificate

• Binding the Certificate to the Default Web Site

• Testing the SSL enabled Default Web Site

• Configuring SSL Settings

Install and configure the Certificate Authority (CA) in

Win 2K8 / 2K8 R2

1. Select the Start button, select Settings, and then select Control Panel.

2. Select Programs and Features, and then select Turn Windows Features on or off.

(58)

57

Figure 60

3. Select Roles node, and then select Add Roles.

Figure 61

(59)

Add Roles Wizard displays.

Figure 62

Select Server Roles page display.

(60)

59 5. Select Active Directory Certificate Services option and then select the Next > button.

Figure 64

Introduction to Active Directory Certificate Services page displays.

Figure 65

(61)

7. Select Certificate Authority (if not selected), Certification Authority Web Enrollment option, and then select the Next > button.

Figure 66

Specify Setup Type page displays.

By default, Enterprise option is selected as Setup Type.

(62)

61

Figure 67

Specify CA Type page displays.

By default, Root CA is selected as CA Type.

(63)

Figure 68

Set Up Private Key page displays.

By default, Create a new private key option is selected.

(64)

63

Figure 69

Figure 70

(65)

By default, RSA#Microsoft Software Key Storage Provider is selected as Cryptographic Service Provider (CSP) and Key character length as 2048. Leave as it is.

11. In Select the hash algorithm for signing certificates issued by this CA: list, select the Hash Algorithm as sha1.

Figure 71

Configure CA Name page displays.

(66)

65

Figure 72

13. Type a distinctive common name and distinctive name in the Common name for this CA:

and Distinguished name suffix: fields respectively or leave as it is.

Set Validity Period page displays.

(67)

Figure 73

15. In Select validity period for the certificate generated for this CA:, set validity period and then select the Next > button.

Configure Certificate Database page displays.

(68)

67

Figure 74

16. If required, change the path of Certificate database location: and Certificate database log location:, select the Browse button and specify the path of the folder.

Confirm Installation Selections page display.

(69)

Figure 75

18. Crosscheck the configuration settings, and then select the Install button.

Installation Progress is displays.

(70)

69 After successful installation, installation results are displayed.

Figure 77

Server Manager displays the newly installed Role Services.

(71)

Figure 78

20. Restart the server.

(72)

71

Create Certificate Request in Win 2K8 / 2K8 R2

1. Select the Start button, select Programs, and then select Administrative Tools.

2. Select Internet Information Services (IIS) Manager.

Internet Information Services (IIS) Manager is displayed.

Figure 79

3. Click the server node.

(73)

Figure 80

4. Double-click Server Certificates icon.

(74)

73 5. In Actions pane, click Create Certificate Request link.

Figure 82

Request Certificate window displays.

Figure 83

(75)

6. Enter/select appropriate data in the relevant fields.

Figure 84

7. Select the Next button.

(76)

75 Leave the default Cryptographic service provider as it is. Increase the Bit length if desired.

Higher is more secure but slower.

8. Select the Next button.

File Name page displays.

Figure 86

9. Type name and path of the file or browse the location of the file to save the Certificate Request.

(77)

Figure 87

10. Select the Finish button.

Open the certreq.txt file in the Notepad.

(78)

77

Get Pending Request Accepted by the Certificate Authority (CA) in

Win 2K8 / 2K8 R2

Now you have a pending certificate request, and it needs to be accepted by the CA.

1. Open the Internet explorer.

2. Type http://server/certsrv in the Address field.

Here “server’ is the name of the server you are creating the certificate. Example: elcwin2k8.

Figure 89

3. Click the Request a certificate hyperlink.

(79)

Figure 90

4. Click the advanced certificate request hyperlink.

(80)

79

Figure 91

5. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file hyperlink.

Submit a Certificate Request or Renewal Request page displays.

(81)

Figure 92

6. In the Saved Request: box, insert the content of the certreq.txt file.

7. In Certificate Template: drop-down, select Web Server.

(82)

81

Figure 93

8. Click the Submit > button.

Once you click Submit, the certificate is issued to you.

9. Select Base 64 encoded option.

10. Click Download certificate.

(83)

Figure 94

11. Select the Save button.

Save the certificate on your local drive.

(84)

83 12. Select the Save button.

Figure 96

13. Close the Microsoft Certificate Services IE window.

(85)

Install the Certificate in Win 2K8 / 2K8 R2

1. Select the Start button, select Programs, and then select Administrative Tools.

2. Select Internet Information Services (IIS) Manager.

3. Select the server node.

4. In IIS pane, double-click Server Certificates icon.

Server Certificates page displays.

Figure 97

5. In Actions pane, click Complete Certificate Request….

Complete Certificate Request window displays.

(86)

85

Figure 98

6. Click the Browse button and select the server certificate that you received from the CA.

Figure 99

(87)

7. Click Open.

Figure 100

8. Type any Friendly name to keep track of the certificate on this server.

(88)

87

Figure 101

9. Click OK.

If successful, you will see your newly installed certificate in the list.

(89)

Figure 102

If you receive an error stating that the request or private key cannot be found, make sure you are using the correct certificate and that you are installing it to the same server that you generated the CSR on. If you are sure of those two things, you may just need to create a new Certificate Request and reissue/replace the certificate.

(90)

89

Bind the Certificate to the Default Web Site in Win 2K8

/ 2K8 R2

EventTracker 7.5 and below

1. Expand the server node, expand the Sites node.

2. Select the Default web Site node.

3. In Actions pane, select Bindings….

Figure 103

EventTracker 7.6

1. Expand the server node, expand the Sites node.

2. Select the EventTracker node.

(91)

3. In Actions pane, select Bindings….

Figure 104

Site Bindings window displays.

Figure 105

(92)

91

Figure 106

5. In Type drop down, select https.

Figure 107

6. In SSL certificate: dropdown, select the certificate that is just installed.

Figure 108

(93)

7. Click OK.

The binding for port 443 is listed.

Figure 109

8. Click Close.

The newly added https web site is listed under Browse Web Site pane.

For EventTracker 7.5 and below refer the figure below:

(94)

93 For EventTracker 7.6, refer the figure below:

Figure 111

(95)

Test the SSL Enabled Default Web Site in Win 2K8 /

2K8 R2

1. Open the Internet Explorer.

2. Type http://localhost/EventTracker/Login.aspx in the Address field.

Internet Explorer displays the Security Alert.

Figure 112

3. Click OK.

Internet Explorer displays an error page because the self-signed certificate was issued by your machine, not a trusted Certificate Authority (CA). Internet Explorer will trust the certificate if you add it to the list of Trusted Root Certification Authorities in the certificates store on the local machine or in Group Policy for the domain.

(96)

95

Figure 113

4. Click Continue to this website (not recommended).

Internet Explorer displays the Security Alert.

Figure 114

5. Click OK.

Internet Explorer displays the Login page.

(97)

Configure SSL Settings in Win 2K8 / 2K8 R2

For EventTracker 7.5 and below:

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates.

1. Expand the Sites node, and then select Default Web Site node.

2. Double-click SSL Settings.

Figure 115

(98)

97

Figure 116

4. Select Require 128-bit SSL option, if 128-bit encryption is required.

Figure 117

(99)

5. In Actions pane, select Apply.

Figure 118

6. Close the IIS Manager.

For EventTracker 7.6,

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates.

1. Expand the Sites node, and then select EventTracker node.

2. Double-click SSL Settings.

(100)

99

Figure 119

Figure 120

(101)

Figure 121

4. In Actions pane, select Apply.

(102)

101

Windows Server 2003

All you need is the IIS 6.0 Resource kit tools installed on your computer.

Summary

• Install IIS 6.0 Resource Kit Tools

• Assign the certificate to the Default Web Site

• Configure 128-bit Encryption for the Default Web Site

Install IIS 6.0 Resource Kit Tools in Win 2K3

IIS 6.0 Resource Kit Tools is available for free download at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628- ade629c89499&displaylang=en

1. Open Internet Explorer and access the link given above.

2. Click Download and then install the executable file.

Figure 10423

3. Click Run.

(103)

Figure 124

Once the download is completed, Internet Explorer displays the Security Warning.

Figure 125

4. Click Run.

InstallShield Wizard displays the Preparing to Install… screen.

(104)

103

Figure 126

InstallShield Wizard displays the Welcome screen.

Figure 127

5. Click Next >.

(105)

InstallShield Wizard displays the License Agreement dialog.

Figure 128

6. Select the I Agree option and then select the Next > button.

InstallShield Wizard displays the Customer Information dialog.

(106)

105

Figure 129

7. Type the User Name and Company Name.

8. Select an appropriate Install this application for: option.

InstallShield Wizard displays the Setup Type dialog.

(107)

Figure 130

10. In Setup Type page, select Custom, and then select the Next > button.

InstallShield Wizard displays the Choose Destination Location dialog.

(108)

107 11. To change the destination folder other than the default folder, click Browse and select an

appropriate destination folder.

InstallShield Wizard displays the Select Features dialog.

Figure 132

13. Select SelfSSL 1.0 option and clear everything else.

(109)

Figure 133

InstallShield Wizard displays the Start Copying Files screen.

(110)

109 InstallShield Wizard displays the Setup Status screen.

Figure 135

InstallShield Wizard displays the InstallShield Wizard Complete screen.

Figure 136

16. Click Finish to complete the installation.

(111)

Assign the Certificate to Default Web Site in Win 2K3

1. Select the Start button, select Programs, and then select IIS Resources.

2. Select SelfSSL, and then select SelfSSL.

Figure 137

SelfSSL command prompt displays.

(112)

111

Figure 138

3. Type SelfSSL/T.

Figure 139

4. Press ENTER key on your keyboard.

(113)

Figure 140

5. When prompted, type Y.

Figure 141

6. Press ENTER key on your keyboard.

(114)

113

Figure 142

7. Exit the command prompt.

Self signed certificate is successfully assigned to the Default Web Site.

(115)

Create a Certificate Request in Win 2K3

2. Select Administrative Tools, and then select Internet Information Services (IIS) Manager.

3. Expand the server node, expand the Web Sites node.

4. Right-click Default Web Site node, and then select Properties.

Figure 143

5. Select the Directory Security tab.

(116)

115

Figure 144

6. In Secure Communications pane, select the Edit button.

Welcome to The Web Server Certificate Wizard window displays.

Figure 145

(117)

7. Select the Next> button.

IIS Certificate Wizard window displays.

8. Select Create a new certificate and then select the Next> button.

Figure 146

IIS Certificate Wizard window displays.

9. Select Prepare the request now, but send it later and then click Next> button.

(118)

117 10. Type a name for the new certificate in the Name column and then click Next>.

Figure 148

11. Enter the Organization and Organizational unit details and then select the Next > button.

Figure 147

(119)

12. Enter the Common name of the site and then click Next>.

Figure 150 Figure 149

(120)

119 14. Enter the file name for the certificate request and then click the Next> button.

Figure 152

15. To generate Request File Summary, and then click the Next> button.

16. Click Finish to complete the IIS certificate process.

Figure 151

(121)

Figure 153

(122)

121

Configure 128-bit Encryption for Default Web Site in

Win 2K3

EventTracker 7.5 and below

2. Select Administrative Tools, and then select Internet Information Services (IIS) Manager.

3. Expand server node, expand Web Sites node.

4. Right-click Default Web Site node, and then select Properties.

Figure 154

For EventTracker 7.6, refer to the below figure:

(123)

Figure 155 (Applies to 7.6)

Default Web Site Properties window displays.

(124)

123

Figure 156

5. Select the Directory Security tab.

6. In Secure Communications, click Edit.

(125)

Figure 157

7. Select Require secure channel (SSL) option.

8. Select Require 128-bit encryption option.

(126)

125

Figure 158

9. Click OK.

Open your browser and type the URL of the Web site that is under the Default Web Site.

Example: http://localhost/EventTracker/Login.aspx You should get the following message.

Figure 159

(127)

Security Alert is displayed.

Figure 160

10. Click Yes.

Internet Explorer securely moves you through your Web site.

Secure IIS Web Server with SSL

Secure IIS Web Server with SSL

EventTracker v7.x

Abstract

Target Audience

Table of Contents

Secure IIS Web Server with SSL

Secure Sockets Layer (SSL)

Mandatory Requirements

Operating System

Software and Components

Windows Server 2012 Enterprise

Install Active Directory Certificate Services (AD CS) in

Win 2012

Configure Active Directory Certificate Services (AD CS)

in Win 2012

Create a certificate request in Win 2012

Get Pending Request Accepted by the Certificate Authority (CA) in

Win 2012

Complete the certificate request in Win 2012

NOTE:

Bind the certificate to ‘Default Web Site’ in Win 2012

Configure ‘SSL Settings’ in Win 2012

Windows Server 2K8/2K8 R2 Enterprise

Install and configure the Certificate Authority (CA) in

Win 2K8 / 2K8 R2

Create Certificate Request in Win 2K8 / 2K8 R2

Get Pending Request Accepted by the Certificate Authority (CA) in

Win 2K8 / 2K8 R2

Install the Certificate in Win 2K8 / 2K8 R2

Bind the Certificate to the Default Web Site in Win 2K8

/ 2K8 R2

EventTracker 7.5 and below

EventTracker 7.6

Test the SSL Enabled Default Web Site in Win 2K8 /

2K8 R2

Configure SSL Settings in Win 2K8 / 2K8 R2

Windows Server 2003

Install IIS 6.0 Resource Kit Tools in Win 2K3

Assign the Certificate to Default Web Site in Win 2K3

Create a Certificate Request in Win 2K3

Configure 128-bit Encryption for Default Web Site in

Win 2K3

EventTracker 7.5 and below