Configuring Surveyor 6 Client-Server Communications to Use HTTPS

Overview

This article describes the general steps required to configure the Surveyor 6 client-server communication to use HTTPS.

Process

To enable HTTPS between the client and the server, complete the following steps:

Step 1: Import an SSL certificate

After you obtain an SSL (Secure Sockets Layer) certificate from a certification authority, install it on the Surveyor server computer and import it into the personal certificate store. You will need to know the SSL certificate password.

 

Step 2: Configure IIS for SSL

When using SSL, the Fully-Qualified Domain Name (FQDN) on the certificate must match the web server's address. The configuration examples use servername.domain.local, but the actual domain must match your web server.

Microsoft IIS 6

  1. Start the Internet Information Services (IIS) Manager.
  2. Expand Web Sites and right-click Default Web Site.
  3. Click on Properties.
  4. Click the Directory Security tab.
  5. Click Server Certificate.
  6. In the wizard, select Import a certificate from a .pfx file. Find your certificate and enter its password. Use port 443 (unless you need this port for some other purpose).

    Note: You must use an FQDN in the certificate for authentication. If you use the server short name in the certificate for authentication, a 401 error may occur.
  7. Finish and test by using your browser to connect. The URL will be something similar to https://servername.domain.local/; https://localhost/adminui will not be trusted because the certificate name is the FQDN.

Microsoft IIS 7

  1. Start the IIS Manager.
  2. Select the correct server node. In the IIS section, double-click Server Certificates.
  3. Under Actions, click Import. Find your certificate and enter its password.
  4. Highlight Default Web Site, and then click Bindings in the Actions menu.
  5. Click Add in the Site Bindings dialog box.

    • Set Type to https.
    • Set SSL certificate to the certificate you just imported.
  6. Finish and test by using your browser to connect. The URL will be something similar to https://servername.domain.local/; https://localhost/adminui will not be trusted because the certificate name is the FQDN.

 

Recommended Scripted Solution (if used, skip steps 3 through 6 below):

With the release of version 6.1.126, there is a script that can be run from the command line to make the configuration changes in the manual steps 3, 4, 5, and 6 below.

The script is located where Surveyor is installed on the server, typically at C:\Program Files (x86)\Verdiem\Surveyor\Script and it is called ConfigureInstallation.

To run the script, open an Administrator Command Prompt and run the following commands:

cd \Program Files (x86)\Verdiem\Surveyor\Scripts
ConfigureInstallation -surveyor_url https://surveyor_server_name/

 

Step 3: Configure Surveyor 6 for SSL

You will need to configure the web.config files for the Surveyor web services for SSL by uncommenting the HTTPS option and then commenting out the HTTP option.

Note: The paths below are relative to the actual install path of Surveyor. The default for 64-bit operating systems is C:\Program Files (x86)\Verdiem and for 32-bit operating systems is C:\Program Files\Verdiem.

  1. Before performing any web.config edits, stop the Default Web Site either through the IIS Manager or the command line.
  2. Starting with the web.config file located in the C:\Program Files\Verdiem\Surveyor\Administrator directory, perform the following edits:

    1. Find the <bindings> section of the web.config.
    2. In the <bindings> section, beneath the comment <!--Use HTTP or HTTPS - NOT both-->, comment out the HTTP binding section.
    3. Uncomment the HTTPS binding section. The comment start string is <!-- and the end comment string is -->. For example:
      <system.serviceModel>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
        <bindings>
          <webHttpBinding>
            <binding name="webBinding"/>
          </webHttpBinding>
          <customBinding>
            <!--Use HTTP OR HTTPS - NOT both-->
            <!--HTTP-->
            <!--<binding name="jsonWebBinding">
              <webMessageEncoding webContentTypeMapperType="Verdiem.Enterprise.WebServices.Common.JsonWebContentTypeMapper, Verdiem.Enterprise.WebServices.Common"/>
              <httpTransport manualAddressing="true" maxReceivedMessageSize="10000000" authenticationScheme="Negotiate"/>
            </binding>-->
            <!--HTTPS-->
            <binding name="jsonWebBinding">
              <webMessageEncoding webContentTypeMapperType="Verdiem.Enterprise.WebServices.Common.JsonWebContentTypeMapper, Verdiem.Enterprise.WebServices.Common"/>
              <httpsTransport manualAddressing="true" maxReceivedMessageSize="10000000" authenticationScheme="Negotiate"/>
            </binding>
          </customBinding>
        </bindings>
    4. Repeat the same steps for the web.config files in \Surveyor\PMPService and \Surveyor\EnergyWiseProvisioningService.
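
The check below is an added example, not part of the original article or Verdiem's tooling: it reports whether the HTTP transport, the HTTPS transport, or both are active in the jsonWebBinding section of a web.config after the edits in this step. The function name Get-ActiveTransport and the trimmed sample XML are constructed for illustration, and the XPath assumes the file declares no default XML namespace, as in the excerpt above.

```powershell
# Added example (not Verdiem code): report which transport is active in the
# jsonWebBinding custom binding. XML comments are not elements, so a
# commented-out <binding> is invisible to the XPath queries below.
function Get-ActiveTransport {
    param([Parameter(Mandatory = $true)][xml]$Config)
    $binding = "//customBinding/binding[@name='jsonWebBinding']"
    $http  = $Config.SelectNodes("$binding/httpTransport").Count
    $https = $Config.SelectNodes("$binding/httpsTransport").Count
    if ($http -gt 0 -and $https -gt 0) { return 'BOTH' }   # violates "NOT both"
    if ($https -gt 0) { return 'HTTPS' }
    if ($http -gt 0)  { return 'HTTP' }
    return 'NONE'
}

# Constructed sample: the state after Step 3 (HTTP commented out, HTTPS active).
$good = @'
<configuration><system.serviceModel><bindings><customBinding>
  <!--<binding name="jsonWebBinding">
        <httpTransport manualAddressing="true" authenticationScheme="Negotiate"/>
      </binding>-->
  <binding name="jsonWebBinding">
    <httpsTransport manualAddressing="true" authenticationScheme="Negotiate"/>
  </binding>
</customBinding></bindings></system.serviceModel></configuration>
'@

# Constructed sample: HTTPS was uncommented but the HTTP section was left active.
$bad = $good -replace '<!--<binding', '<binding' -replace '</binding>-->', '</binding>'

"sample (correct edit): $(Get-ActiveTransport -Config ([xml]$good))"
"sample (both active):  $(Get-ActiveTransport -Config ([xml]$bad))"

# Check the three web.config files named in this step, if present.
$root = 'C:\Program Files (x86)\Verdiem\Surveyor'   # 64-bit default; adjust as needed
foreach ($dir in 'Administrator', 'PMPService', 'EnergyWiseProvisioningService') {
    $path = Join-Path (Join-Path $root $dir) 'web.config'
    if (Test-Path -LiteralPath $path) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($path)
        "{0}: {1}" -f $path, (Get-ActiveTransport -Config $doc)
    }
}
```

Any file that reports anything other than HTTPS still needs the edit described above before the Default Web Site is restarted.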

 

Step 4: Create a custom AdminCommand.exe.config file

Create a custom config file that contains the below XML code, and save it as AdminCommand.exe.config in C:\Program Files (x86)\Verdiem\Surveyor\Tools.

<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ConnectionString" value="https://{0}/Admin/AdminService.svc"/>
  </appSettings>
</configuration>

Note: For {0} above, change the ConnectionString setting to point to the appropriate web service URL.

 

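Step 5: Disable the loopback check with the DisableLoopbackCheck registry value

The loopback check is a Windows security feature designed to help prevent reflection attacks: authentication fails when the server connects to itself using an FQDN or host header that does not match the local computer name. Setting DisableLoopbackCheck to 1 turns that check off for the whole server. To set the DisableLoopbackCheck registry value, follow these steps:

  1. Set the DisableStrictNameChecking registry entry to 1.
  2. Navigate to Start > Run, type regedit, and then click OK.
  3. In Registry Editor, locate and click the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key.
  4. Right-click Lsa.
  5. Point to New, and then click DWORD Value.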
  6. Type DisableLoopbackCheck and press ENTER.
  7. Right-click DisableLoopbackCheck, and then click Modify.
  8. In the Value data box, type 1, and click OK.
  9. Quit Registry Editor, and then restart your computer.

 

Step 6: Alter the Agent auto-upgrade URL

The URL for the Agent Updater is stored in the database. To edit it, open SQL Server Management Studio, select the Surveyor database (usually 'EnterprisePowerManagementDB'), and run an update of the form:

UPDATE dbo.DeviceTypeAgentInstaller
SET DownloadUrl = 'https://surveyor_server_URL/'
WHERE DeviceTypeAgentInstallerId = (SELECT MAX(DeviceTypeAgentInstallerId) FROM dbo.DeviceTypeAgentInstaller);

You should review the table first to find the row that refers to the current Agent version and set the DeviceTypeAgentInstallerId value appropriately.

 

Step 7: Edit the URL for Wake for Remote Access

Edit the admin URL in the Wake for Remote Access service, so it uses HTTPS to contact the Surveyor Server Web Services. 

In the web.config file in \Surveyor\WRA, change the ConnectionString setting to point to the appropriate web service URL.

<add key="ConnectionString" value="https://{0}/Admin/AdminService.svc"/>

 

Step 8: Edit the URL for SCCM connect (PowerPackConfigMgr)

Edit the ServerAdminAPIFormat in the Power Pack for Config Manager service, so it uses HTTPS to contact the Surveyor Server Web Services.

In the config file C:\Program Files (x86)\Verdiem\Power Management Pack for ConfigMgr\Bin\PowerPackForConfigMgrConfig.xml, change the ServerAdminAPIFormat setting to point to the appropriate web service URL.

<ServerAdminAPIFormat>https://{0}/Admin/AdminService.svc</ServerAdminAPIFormat>

 

Step 9: Configure and test Surveyor agents

When installing Surveyor Agents, make sure the server URL is configured to use HTTPS rather than the default HTTP.

  • For existing clients, you will need to modify the server configuration file on each PC.
  • Modify the serverconfig file in \Program Files\Verdiem\Surveyor Agent\Data, changing http to https.
  • Restart the PwrMgrService service.

Otherwise, the client can be reinstalled or upgraded using the new https:// URL.

Note: For Mac agents, use the following command to configure the package for HTTPS:

sudo perl ~/Desktop/updateinstallerconfig.pl --hostname yourservername --https --package ~/Desktop/SurveyorAgent.pkg

 

Step 10 (Optional): Configure and test the EnergyWise Proxy Service

To complete configuration for the Surveyor EnergyWise Proxy service, you must change the \Surveyor\EnergyWise Proxy Server\energywise_proxy_server.properties file to point to Surveyor Server’s Web Services using HTTPS and install a trusted certificate for the proxy server:

  • Export a DER-encoded binary of the certificate via the browser or another certificate-management tool.
  • Use Java's keytool utility to add the certificate to Java's keystore. The keytool utility is located in the JRE bin folder, typically at C:\Program Files\Java\jre6\bin.

The trusted keystore is at \lib\security\cacerts. The following operations will prompt you for a password, which is changeit by default.

Listing installed certs

cd c:\program files\java\jre6\bin
keytool -v -list -keystore ..\lib\security\cacerts > certs.txt 

Open the certs.txt and make sure the appropriate certificate is present.

Adding a new cert

This example imports a DER-encoded copy of a self-signed certificate named mycert.cer, located in C:\certs\:

keytool -import -keystore ..\lib\security\cacerts -file c:\certs\mycert.cer

 

Configure Verdiem Surveyor EnergyWise Connector to use HTTPS as follows:

  1. Stop the Surveyor EnergyWise Connector service.
  2. Edit \Surveyor\EnergyWise Proxy Server\energywise_proxy_server.properties and change http to https in both URLs.
  3. Start the Surveyor EnergyWise Connector service.

 

Step 10: Test the connections

  1. Restart the website.
  2. Connect to https://servername.domain.local/adminui to ensure you can access the Surveyor Administrator console using SSL.

    Note: The URL will be something similar to https://servername.domain.local/adminui; https://localhost/adminui will not be trusted because the certificate name is the FQDN.
  3. Ensure the EnergyWise Proxy Server is connecting to the server by enabling the Last Checkin Time option in Surveyor Administrator.
  4. Make sure agents are connecting to the server.
  5. Test Wake for Remote Access.

 

Step 11: Save the files that you edited to a safe location

If you decide to upgrade at a later time, make sure that you have saved a backup of the files you just edited to another location on the server. This will allow you to replace them after an upgrade.

A good example would be to save them to a folder on your desktop titled Surveyor Configuration Files.
