Overview
This article describes the general steps required to configure the Surveyor 6 client-server communication to use HTTPS.
Process
To enable HTTPS between the client and the server, make sure to follow the steps described herein:
Step 1: Import an SSL certificate
After you obtain an SSL (Secure Sockets Layer) certificate from a certification authority, install it on the Surveyor server computer and import it into the personal certificate store. You will need to know the SSL certificate password.
Step 2: Configure IIS for SSL
When using SSL, the Fully-Qualified Domain Name (FQDN) on the certificate must match the web server's address. The configuration examples use servername.domain.local, but the actual domain must match your web server.
Microsoft IIS 6
- Start the Internet Information Services (IIS) Manager.
- Expand Web Sites and right-click Default Web Site.
- Click on Properties.
- Click the Directory Security tab.
- Click the Server Certificate.
- In the wizard, select Import a certificate from a .pfx file. Find your certificate and enter its password. Use port 443 (unless you need this port for some other purpose).
Note: You must use an FQDN in the certificate for authentication. If you use the server short name in the certificate for authentication, a 401 error may occur.
- Finish and test by using your browser to connect. The URL will be something similar to https://servername.domain.local/; https://localhost/adminui will not be trusted because the certificate name is the FQDN.
Microsoft IIS 7
- Start the IIS Manager.
- Select the correct server node. In the IIS section, double-click Server Certificates.
- Under Actions, click Import. Find your certificate and enter its password.
- Highlight Default Web Site, and then click Bindings in the Actions menu.
- Click Add in the Site Bindings dialog box.
- Set Type to https.
- Set SSL certificate to the certificate you just imported.
- Finish and test by using your browser to connect. The URL will be something similar to https://servername.domain.local/; https://localhost/adminui will not be trusted because the certificate name is the FQDN.
Recommended Scripted Solution (if used, skip steps 3 through 6 below):
With the release of version 6.1.126, there is a script that can be run from the command line to make the configuration changes in the manual steps 3, 4, 5, and 6 below.
The script is located where Surveyor is installed on the server, typically at C:\Program Files (x86)\Verdiem\Surveyor\Script and it is called ConfigureInstallation.
To run the script, go to the Administrator Command Prompt and run the below commands:
cd \Program Files (x86)\Verdiem\Surveyor\Scripts
ConfigureInstallation -surveyor_url https://surveyor_server_name/
Step 3: Configure Surveyor 6 for SSL
You will need to configure the web.config files for Surveyor web services for SSL by uncommenting the HTTPS option and then marking as comment the HTTP option.
Note: The paths below are relative to the actual install path of Surveyor. The default for 64-bit operating systems is C:\Program Files (x86)\Verdiem and for 32-bit operating systems is C:\Program Files\Verdiem.
- Before performing any web.config edits, stop the Default Web Site either through the IIS Manager or the command line.
- Starting with the web.config file located in the C:\Program Files\Verdiem\Surveyor\Administrator directory, perform the following edits:
  - Find the <bindings> section of the web.config.
  - In the <bindings> section, beneath the comment <!--Use HTTP or HTTPS - NOT both-->, mark as comment the HTTP binding section.
  - Uncomment the HTTPS binding section. The comment start string is <!-- and the end comment string is -->. For example:
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
  <bindings>
    <webHttpBinding>
      <binding name="webBinding"/>
    </webHttpBinding>
    <customBinding>
      <!--Use HTTP OR HTTPS - NOT both-->
      <!--HTTP-->
      <!--<binding name="jsonWebBinding">
        <webMessageEncoding webContentTypeMapperType="Verdiem.Enterprise.WebServices.Common.JsonWebContentTypeMapper,
          Verdiem.Enterprise.WebServices.Common"/>
        <httpTransport manualAddressing="true" maxReceivedMessageSize="10000000"
          authenticationScheme="Negotiate"/>
      </binding>-->
      <!--HTTPS-->
      <binding name="jsonWebBinding">
        <webMessageEncoding webContentTypeMapperType="Verdiem.Enterprise.WebServices.Common.JsonWebContentTypeMapper,
          Verdiem.Enterprise.WebServices.Common" />
        <httpsTransport manualAddressing="true" maxReceivedMessageSize="10000000"
          authenticationScheme="Negotiate"/>
      </binding>
    </customBinding>
  </bindings>
- Repeat the same steps for the web.config files in \Surveyor\PMPService and \Surveyor\EnergyWiseProvisioningService.
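Before restarting the site, it helps to confirm which transport is actually active in each edited web.config. The PowerShell below is an added example, not part of the original article or of Surveyor; the function name Get-SurveyorTransport and the $InstallRoot variable are hypothetical, and the sample XML is constructed for illustration.

```powershell
# Added example (not Verdiem's code). Get-SurveyorTransport and $InstallRoot are
# hypothetical names; the XPath assumes <configuration> has no default xmlns.
function Get-SurveyorTransport {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # XPath selects elements only, so a <binding> inside <!-- --> is not counted.
    $active = @($Config.SelectNodes("//customBinding/binding[@name='jsonWebBinding']"))
    if ($active.Count -eq 0) { return 'None' }   # both sections left commented out
    if ($active.Count -gt 1) { return 'Both' }   # violates "HTTP OR HTTPS - NOT both"
    if ($null -ne $active[0].SelectSingleNode('httpsTransport')) { return 'HTTPS' }
    if ($null -ne $active[0].SelectSingleNode('httpTransport'))  { return 'HTTP' }
    return 'Unknown'
}

# Constructed sample: HTTPS was uncommented but HTTP was never commented out.
$sample = @'
<configuration><system.serviceModel><bindings><customBinding>
  <!--Use HTTP OR HTTPS - NOT both-->
  <binding name="jsonWebBinding">
    <httpTransport manualAddressing="true" authenticationScheme="Negotiate"/>
  </binding>
  <binding name="jsonWebBinding">
    <httpsTransport manualAddressing="true" authenticationScheme="Negotiate"/>
  </binding>
</customBinding></bindings></system.serviceModel></configuration>
'@
"constructed sample: " + (Get-SurveyorTransport -Config $sample)

# Check the three web.config files named in Step 3 (adjust $InstallRoot as needed).
$InstallRoot = 'C:\Program Files (x86)\Verdiem\Surveyor'
foreach ($dir in 'Administrator', 'PMPService', 'EnergyWiseProvisioningService') {
    $path = Join-Path $InstallRoot "$dir\web.config"
    if (-not (Test-Path -LiteralPath $path)) { "{0}: not found" -f $path; continue }
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($path)   # honours the encoding declared in the file
    "{0}: {1}" -f $path, (Get-SurveyorTransport -Config $doc)
}
```

Every file should report HTTPS; a result of Both, None or HTTP means the comment markers in that file still need correcting.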
Step 4: Create a custom AdminCommand.exe.config file
Create a custom config file that contains the below XML code, and save it as AdminCommand.exe.config in C:\Program Files (x86)\Verdiem\Surveyor\Tools.
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="ConnectionString" value="https://{0}/Admin/AdminService.svc"/>
</appSettings>
</configuration>
Note: For {0} above, change the ConnectionString setting to point to the appropriate web service URL.
Step 5: Disable the loopback check in the DisableLoopbackCheck registry key
To set the DisableLoopbackCheck registry key, follow these steps:
- Set the DisableStrictNameChecking registry entry to 1.
- Navigate to Start > Run, type regedit, and then click OK.
- In Registry Editor, locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key and click it.
- Right-click on Lsa.
- Go to New > DWORD Value.
- Type DisableLoopbackCheck and press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and click OK.
- Quit Registry Editor, and then restart your computer.
Step 6: Alter the Agent auto-upgrade URL
The URL for the Agent Updater is stored in the database. To edit this, open the SQL Server Management Studio, point to the Surveyor database (usually 'EnterprisePowerManagementDB') and run an update of the form:
UPDATE dbo.DeviceTypeAgentInstaller SET DownloadUrl = 'https://surveyor_server_URL/' WHERE DeviceTypeAgentInstallerId = (SELECT MAX(DeviceTypeAgentInstallerId) FROM dbo.DeviceTypeAgentInstaller);
You should review the table first to find the row that refers to the current Agent version and set the DeviceTypeAgentInstallerId value appropriately.
Step 7: Edit the URL for Wake for Remote Access
Edit the admin URL in the Wake for Remote Access service, so it uses HTTPS to contact the Surveyor Server Web Services.
In the web.config file in \Surveyor\WRA, change the ConnectionString setting to point to the appropriate web service URL.
<add key="ConnectionString" value="https://{0}/Admin/AdminService.svc"/>
Step 8: Edit the URL for SCCM connect (PowerPackConfigMgr)
Edit the ServerAdminAPIFormat in the Power Pack for Config Manager service, so it uses HTTPS to contact the Surveyor Server Web Services.
In the config file in C:\Program Files (x86)\Verdiem\Power Management Pack for ConfigMgr\Bin\PowerPackForConfigMgrConfig.xml, change the ConnectionString setting to point to the appropriate web service URL.
<ServerAdminAPIFormat>https://{0}/Admin/AdminService.svc</ServerAdminAPIFormat>
Step 9: Configure and test Surveyor agents
When installing Surveyor Agents, make sure the server URL is configured to use HTTPS rather than the default HTTP.
- For existing clients, you will need to modify the server configuration file on each PC.
- Modify the serverconfig file in \Program Files\Verdiem\Surveyor Agent\Data, changing http to https.
- Restart the PwrMgrService service.
Otherwise, the client can be reinstalled or upgraded using the new https:// URL.
Note: For Mac agents, use the below command line to configure the package for HTTPS:
sudo perl ~/Desktop/updateinstallerconfig.pl --hostname yourservername --https --package ~/Desktop/SurveyorAgent.pkg
Step 10 (Optional): Configure and test the EnergyWise Proxy Service
To complete configuration for the Surveyor EnergyWise Proxy service, you must change the \Surveyor\EnergyWise Proxy Server\energywise_proxy_server.properties file to point to Surveyor Server’s Web Services using HTTPS and install a trusted certificate for the proxy server:
- Export a DER-encoded binary of the certificate via the browser or another certificate-management tool.
- Use Java's keytool utility to add the certificate to Java's keystore. The keytool utility is located in the JRE bin folder, typically at C:\Program Files\Java\jre6\bin.
The trusted keystore is at \lib\security\cacerts. The following operations will prompt you for a password, which out-of-the-box is changeit.
Listing installed certs
cd c:\program files\java\jre6\bin
keytool -v -list -keystore ..\lib\security\cacerts > certs.txt
Open the certs.txt and make sure the appropriate certificate is present.
Adding a new cert
This example shows a DER-encoded version of our self-signed certificate, called mycert.cer and placed in C:\certs\:
keytool -import -keystore ..\lib\security\cacerts -file c:\certs\mycert.cer
Configure Verdiem Surveyor EnergyWise Connector to use HTTPS as follows:
- Stop the Surveyor EnergyWise Connector service.
- Edit \Surveyor\EnergyWise Proxy Server\energywise_proxy_server.properties and change http to https in both URLs.
- Start the Surveyor EnergyWise Connector service.
Step 10: Test the connections
- Restart the website.
- Connect to https://servername.domain.local/adminui to ensure you can access the Surveyor Administrator console using SSL.
Note: The URL will be something similar to https://servername.domain.local/adminui; https://localhost/adminui will not be trusted because the certificate name is the FQDN.
- Ensure the EnergyWise Proxy Server is connecting to the server by enabling the Last Checkin Time option in Surveyor Administrator.
- Make sure agents are connecting to the server.
- Test Wake for Remote Access.
Step 11: Save the files that you edited to a safe location
If you decide to upgrade at a later time, make sure that you have saved a backup of the files you just edited to another location on the server. This will allow you to replace them after an upgrade.
A good example would be to save them to a folder on your desktop titled Surveyor Configuration Files.