Secure IIS Web Server with SSL
EventTracker v7.x

Publication Date: Sep 30, 2014

EventTracker
8815 Centre Park Drive
Columbia MD 21045
www.eventtracker.com
Abstract

The purpose of this document is to help users to:
- Install and configure Secure Sockets Layer (SSL)
- Secure the IIS Web server with SSL

It is supported for all EventTracker Enterprise v7.x versions.

Target Audience

This document is intended for EventTracker users and administrators who wish to access EventTracker via a secured layer.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2014 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

Secure IIS Web Server with SSL
  Secure Sockets Layer (SSL)
  Mandatory Requirements
    Operating System
    Software and Components
Windows Server 2012 Enterprise
  Install Active Directory Certificate Services (AD CS) in Win 2012
  Configure Active Directory Certificate Services (AD CS) in Win 2012
  Create a certificate request in Win 2012
  Get Pending Request Accepted by the Certificate Authority (CA) in Win 2012
  Complete the certificate request in Win 2012
  Bind the certificate to Default Web Site in Win 2012
  Configure SSL Settings in Win 2012
Windows Server 2K8/2K8 R2 Enterprise
  Install and configure the Certificate Authority (CA) in Win 2K8 / 2K8 R2
  Create Certificate Request in Win 2K8 / 2K8 R2
  Get Pending Request Accepted by the Certificate Authority (CA) in Win 2K8 / 2K8 R2
  Install the Certificate in Win 2K8 / 2K8 R2
  Bind the Certificate to the Default Web Site in Win 2K8 / 2K8 R2
    EventTracker 7.5 and below
    EventTracker 7.6
  Test the SSL Enabled Default Web Site in Win 2K8 / 2K8 R2
  Configure SSL Settings in Win 2K8 / 2K8 R2
Windows Server 2003
  Install IIS 6.0 Resource Kit Tools in Win 2K3
  Assign the Certificate to Default Web Site in Win 2K3
  Create a Certificate Request in Win 2K3
  Configure 128-bit Encryption for Default Web Site in Win 2K3
    EventTracker 7.5 and below
    EventTracker 7.6
Secure IIS Web Server with SSL

Secure Sockets Layer (SSL)

The Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the Internet.
Source: http://searchsecurity.techtarget.com/sdefinition/0,,sid14_gci343029,00.html

You need SSL if you:
- Offer a login or sign in on your site
- Process sensitive data
- Need to comply with security requirements

Mandatory Requirements

This section describes the mandatory software and component requirements for creating an SSL digital certificate and securing a Web site hosted on an IIS server with that certificate.

Operating System
- Windows 2003 Server
- Windows 2008 / 2008 R2 Server
- Windows 2012 Server

Software and Components
- Active Directory and Domain Controller.
- Internet Information Server (IIS) 6.0 and above.
- Browser, which supports 128-bit encryption (IE 6 or above).
Windows Server 2012 Enterprise

Windows Server 2012 uses Internet Information Services (IIS) 8.0.

Summary:
- Install and configure the Certificate Authority (CA)
- Create the Certificate Request
- Get the Pending Request Accepted by the Certificate Authority
- Install the Certificate
- Bind the Certificate to the Default Web Site
- Test the SSL enabled Default Web Site
- Configure SSL Settings

Install Active Directory Certificate Services (AD CS) in Win 2012

1. Select the Start button, select Administrative Tools, and then select Server Manager.
   Server Manager displays. The Dashboard is displayed by default.
   Figure 1
2. Select Add Roles and Features.
   Add Roles and Features Wizard displays.
3. In the Before You Begin page, select the Next > button.
   Figure 2
4. On the Select installation type page, select Role-based or feature-based installation, and then select the Next > button.
   Figure 3
5. On the Select destination server page, select Select a server from the server pool, select a server from Server Pool list, and then select the Next > button.
   Figure 4
6. On the Select server roles page, select Active Directory Certificate Services option and then select the Next > button.
   Figure 5
   Add Features that are required for Active Directory Certificate Services? window displays.
   Figure 6
7. Verify the required features and then select the Add Features button.
   Select server roles window displays.
   Figure 7
8. Select the Next > button.
   Select features page displays.
   Figure 8
9. Select the Next > button.
   Active Directory Certificate Services page displays.
   Figure 9
10. Select the Next > button.
11. In Select role services page, select the Certificate Authority (if not selected) and Certification Authority Web Enrollment options.
   Figure 10
   Add features that are required for Certificate Authority Web Enrollment? window displays.
   Figure 11
12. Select the Add features button.
   The selected role services are enabled.
   Figure 12
13. Select the Next > button.
   Confirm installation selections window displays.
   Figure 13
14. Select the Restart the destination server automatically if required option and then select the Install button.
   A success message displays.
   Figure 14

The installation of Active Directory Certificate Services is complete, but the role is yet to be configured.
Configure Active Directory Certificate Services (AD CS) in Win 2012

The Server Manager displays a notification that AD CS is not yet configured.

1. Click on the notification and continue to configure AD CS.
   AD CS Configuration window displays to enter credentials.
   Figure 15
2. Select the Next > button.
   Role Services page displays.
   Figure 16
3. Select role services Certification Authority, Certification Authority Web Enrollment option and then select the Next > button.
   Figure 17
4. Select the Next > button.
   Setup Type page displays to specify Certification Authority.
   Figure 18
   By default, Standalone CA option is selected as Setup Type.
15. Select the Next > button.
   CA Type page displays. By default, Root CA is selected as CA Type.
   Figure 19
16. Select the Next > button.
   Private Key page displays. By default, Create a new private key option is selected.
   Figure 20
17. Select the Next > button.
   Cryptography for CA page displays. By default, RSA#Microsoft Software Key Storage Provider is selected as Cryptographic provider and Key character length is 2048.
   Figure 21
18. In Select the hash algorithm for signing certificates issued by this CA: list, select SHA1.
19. Select the Next > button.
   CA Name page displays.
   Figure 22
20. Type a distinctive common name and distinguished name suffix in the Common name for this CA: and Distinguished name suffix: fields respectively, or leave them as they are.
21. Select the Next > button.
   Validity Period page displays.
   Figure 23
22. Set the validity period under Specify the validity period, and then select the Next > button.
   CA Database page displays.
   Figure 24
23. If required, change the path of Certificate database location: and Certificate database log location: or leave it as it is.
24. Select the Next > button.
   Figure 25
25. Crosscheck the configuration settings, and then select the Configure button.
   A message stating Configuration succeeded displays.
   Figure 26
26. Select the Close button.
   Server Manager displays the newly installed Role Services.
27. Restart the server.
Create a certificate request in Win 2012

1. Select the Start button, select Administrative Tools, and then select Internet Information Services (IIS) Manager.
   Figure 27
2. Select the server node.
   Figure 28
3. In IIS pane, double-click Server Certificates icon.
   Figure 29
   Server Certificates page displays.
   Figure 30
4. In Actions pane, select Create Certificate Request link.
   Request Certificate window displays.
   Figure 31
5. In Distinguished Name Properties page, type the system name (FQDN, the fully qualified domain name) as common name in the Common name text box.
   Example: mcloon.toons.local
   Figure 32
6. Enter organization and geographical details, and then select the Next button.
   Cryptographic Service Provider Properties page displays.
   Figure 33
   Microsoft RSA SChannel Cryptographic Provider is selected by default as Cryptographic service provider.
7. In Bit length: dropdown, set the bit length to 2048, and then select the Next button.
   File Name page displays.
   Figure 34
8. In Specify a file name for the certificate request:, type name and path of the file to save the CSR (Certificate Signing Request).
9. Select the Finish button.
   Send this request file to the certificate vendor.
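
A check that can be run on the saved request file before it is submitted, added here as an example (it is not part of the original guide or of EventTracker). It parses the PKCS #10 request and confirms that the common name is the server FQDN from step 5 and that the RSA key is at least the 2048 bits set in step 7. The function names are illustrative, and the sample request is constructed inside the script with a dummy key and an all-zero signature.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
CN_OID = bytes.fromhex("550403")                # 2.5.4.3 commonName
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
                    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Return the elements directly inside the value buf[start:end]."""
    items = []
    while start < end:
        tag, s, e = read_tlv(buf, start)
        items.append((tag, s, e))
        start = e
    return items

def inspect_csr(pem_text):
    """Extract the common name and RSA key size from a PKCS #10 request."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PKCS #10 request block found")
    der = base64.b64decode("".join(match.group(1).split()))
    _, s, e = read_tlv(der, 0)                              # CertificationRequest
    info = children(der, s, e)[0]                           # CertificationRequestInfo
    _version, subject, spki = children(der, info[1], info[2])[:3]
    cn = None
    for _, rdn_s, rdn_e in children(der, subject[1], subject[2]):    # each RDN (SET)
        for _, atv_s, atv_e in children(der, rdn_s, rdn_e):          # type + value pair
            oid, val = children(der, atv_s, atv_e)
            if der[oid[1]:oid[2]] == CN_OID:
                codec = "utf-16-be" if val[0] == 0x1E else "utf-8"   # 0x1E = BMPString
                cn = der[val[1]:val[2]].decode(codec)
    alg, key = children(der, spki[1], spki[2])
    alg_oid = children(der, alg[1], alg[2])[0]
    if der[alg_oid[1]:alg_oid[2]] != RSA_OID:
        raise ValueError("public key is not RSA")
    # BIT STRING value = 1 unused-bits byte, then RSAPublicKey SEQUENCE {modulus, exponent}
    _, k_s, k_e = read_tlv(der, key[1] + 1)
    modulus = children(der, k_s, k_e)[0]
    bits = int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()
    return {"cn": cn, "bits": bits}

def check_csr(pem_text, expected_fqdn, min_bits=2048):
    """Return a list of problems; an empty list means the request matches the steps."""
    found = inspect_csr(pem_text)
    problems = []
    if (found["cn"] or "").lower() != expected_fqdn.lower():
        problems.append("common name %r is not the FQDN %r" % (found["cn"], expected_fqdn))
    if found["bits"] < min_bits:
        problems.append("RSA key is %d bits, below %d" % (found["bits"], min_bits))
    return problems

def _tlv(tag, value):   # DER-encode one element (used only to build the sample)
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def build_sample_csr(cn, bits):
    """Constructed stand-in for the saved request: dummy modulus, all-zero signature."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00") + _tlv(0x03, b"\x00" + rsa_key))
    subject = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x13, cn.encode()))))
    info = _tlv(0x30, b"\x02\x01\x00" + subject + spki + b"\xa0\x00")
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    der = _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" * (bits // 8 + 1)))
    body = base64.encodebytes(der).decode()
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n" + body + "-----END NEW CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    for cn, bits in (("mcloon.toons.local", 2048), ("mcloon", 1024)):
        print(cn, bits, check_csr(build_sample_csr(cn, bits), "mcloon.toons.local"))
```

To check a real request, pass the text of the saved request file to check_csr together with the server's FQDN.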
Get Pending Request Accepted by the Certificate Authority (CA) in Win 2012

Now you have a pending certificate request, and it needs to be accepted by the CA.

1. Open Internet Explorer.
2. Type http://server/certsrv in the Address field.
   Here server is the name of the server for which you are creating the certificate. Example: elcwin2k8 or localhost
   Figure 35
3. Click the Request a certificate hyperlink.
   Figure 36
4. Click the advanced certificate request hyperlink.
   Figure 37
5. Click the Submit a certificate request by using a Base64-encoded CMC or PKCS #10 file, or submit a renewal request using a base64-encoded PKCS #7 file hyperlink.
   Figure 38
6. In Saved Request: box, enter the content of the certreq.txt file.
7. In Certificate Template: drop-down, select Web Server.
   Figure 39
8. Click the Submit > button.
   Once you click Submit, the certificate is issued to you.
9. Select Base 64 encoded option.
   Figure 40
10. Click Download certificate hyperlink.
   Figure 41
11. To save the certificate on local drive, click the Save button.
   Figure 42
12. Close the Microsoft Certificate Services IE window.
Complete the certificate request in Win 2012

NOTE: The certificate received from the vendor needs to be copied to the system.

1. Select the Start button, select Administrative Tools, and then select Internet Information Services (IIS) Manager.
   Internet Information Services (IIS) Manager window is displayed.
2. Click the server node.
3. In IIS pane, double-click the Server Certificates icon.
   Figure 43
4. In Actions pane, click Complete Certificate Request hyperlink.
   Figure 44
5. In Complete Certificate Request window, click the browse button to specify File name containing the certification authority's response:.
   Figure 45
6. Locate the server certificate that has been received from the certificate authority and then click Open.
   Figure 46
   Specify Certificate Authority Response page displays.
   Figure 47
7. Type a relevant name in Friendly name: box to keep track of the certificate on this server and then click OK.
   Figure 48
   If successful, the newly installed certificate will be shown in the list.
   Figure 49

If an error occurs stating that the request or private key cannot be found, make sure that the correct certificate is being used and that it is being installed on the same server where the CSR (Certificate Signing Request) was generated. If both are in place, create a new Certificate Request and reissue/replace the certificate.
Bind the certificate to Default Web Site in Win 2012

1. Expand the server node, expand the Sites node, and then select Default Web Site node.
2. In the Actions pane, select Bindings.
   Figure 50
   Site Bindings window displays.
   Figure 51
3. Select the Add button.
   Add Site Binding window displays.
   Figure 52
4. In Type: drop-down, select https.
   By default, the system selects 443 as the port number. The default port number can be changed, if required.
   Figure 53
5. In SSL certificate: drop-down, select the recently installed SSL certificate, and then select the OK button.
   Figure 54
   The binding for port number 443 is listed.
   Figure 55
6. Select the Close button.
   The newly added https website is listed in Actions pane under Browse Website.
   Figure 56
Configure SSL Settings in Win 2012

1. To configure SSL Settings to interact in a specific way with client certificates, expand the Sites node, and then select Default Web Site node.
2. In IIS pane, double-click SSL Settings icon.
   Figure 57
   SSL Settings page displays.
   Figure 58
3. Select Require SSL option.
4. In Actions pane, select the Apply button.
   After successful SSL settings modification, a message will be displayed in the Actions pane.
5. Close the IIS Manager.
Windows Server 2K8/2K8 R2 Enterprise

Windows Server 2K8 uses Internet Information Services (IIS) 7.0 and 7.5.

Summary:
- Installing and configuring the Certificate Authority (CA)
- Creating the Certificate Request
- Getting the Pending Request Accepted by the Certificate Authority
- Installing the Certificate
- Binding the Certificate to the Default Web Site
- Testing the SSL enabled Default Web Site
- Configuring SSL Settings

Install and configure the Certificate Authority (CA) in Win 2K8 / 2K8 R2

1. Select the Start button, select Settings, and then select Control Panel.
2. Select Programs and Features, and then select Turn Windows Features on or off.
   Figure 59
   Server Manager displays.
   Figure 60
3. Select Roles node, and then select Add Roles.
   Figure 61
   Add Roles Wizard displays.
   Figure 62
4. Select the Next > button.
   Select Server Roles page displays.
   Figure 63
5. Select Active Directory Certificate Services option and then select the Next > button.
   Figure 64
   Introduction to Active Directory Certificate Services page displays.
   Figure 65
6. Select the Next > button.
7. Select Certificate Authority (if not selected), Certification Authority Web Enrollment option, and then select the Next > button.
   Figure 66
   Specify Setup Type page displays. By default, Enterprise option is selected as Setup Type.
   Figure 67
8. Select the Next > button.
   Specify CA Type page displays. By default, Root CA is selected as CA Type.
   Figure 68
9. Select the Next > button.
   Set Up Private Key page displays. By default, Create a new private key option is selected.
   Figure 69
10. Select the Next > button.
   Figure 70
   By default, RSA#Microsoft Software Key Storage Provider is selected as Cryptographic Service Provider (CSP) and Key character length as 2048. Leave as it is.
11. In Select the hash algorithm for signing certificates issued by this CA: list, select the Hash Algorithm as sha1.
   Figure 71
12. Select the Next > button.
   Configure CA Name page displays.
   Figure 72
13. Type a distinctive common name and distinguished name suffix in the Common name for this CA: and Distinguished name suffix: fields respectively, or leave them as they are.
14. Select the Next > button.
   Set Validity Period page displays.
   Figure 73
15. In Select validity period for the certificate generated for this CA:, set validity period and then select the Next > button.
   Configure Certificate Database page displays.
   Figure 74
16. If required, change the path of Certificate database location: and Certificate database log location:, select the Browse button and specify the path of the folder.
17. Select the Next > button.
   Confirm Installation Selections page displays.
   Figure 75
18. Crosscheck the configuration settings, and then select the Install button.
   Installation Progress displays.
   Figure 76
   After successful installation, installation results are displayed.
   Figure 77
19. Select the Close button.
   Server Manager displays the newly installed Role Services.
   Figure 78
20. Restart the server.
Create Certificate Request in Win 2K8 / 2K8 R2

1. Select the Start button, select Programs, and then select Administrative Tools.
2. Select Internet Information Services (IIS) Manager.
   Internet Information Services (IIS) Manager is displayed.
   Figure 79
3. Click the server node.
   Figure 80
4. Double-click Server Certificates icon.
   Figure 81
5. In Actions pane, click Create Certificate Request link.
   Request Certificate window displays.
   Figure 82
   Figure 83
6. Enter/select appropriate data in the relevant fields.
7. Select the Next button.
   Figure 84
   Figure 85
   Leave the default Cryptographic service provider as it is. Increase the Bit length if desired. Higher is more secure but slower.
8. Select the Next button.
   File Name page displays.
   Figure 86
9. Type name and path of the file or browse the location of the file to save the Certificate Request.
   Figure 87
10. Select the Finish button.
   Open the certreq.txt file in Notepad.
   Figure 88
Get Pending Request Accepted by the Certificate Authority (CA) in Win 2K8 / 2K8 R2

Now you have a pending certificate request, and it needs to be accepted by the CA.

1. Open Internet Explorer.
2. Type http://server/certsrv in the Address field.
   Here server is the name of the server for which you are creating the certificate. Example: elcwin2k8.
   Figure 89
3. Click the Request a certificate hyperlink.
   Figure 90
4. Click the advanced certificate request hyperlink.
   Figure 91
5. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file hyperlink.
   Submit a Certificate Request or Renewal Request page displays.
   Figure 92
6. In the Saved Request: box, insert the content of the certreq.txt file.
7. In Certificate Template: drop-down, select Web Server.
   Figure 93
8. Click the Submit > button.
   Once you click Submit, the certificate is issued to you.
9. Select Base 64 encoded option.
10. Click Download certificate.
   Figure 94
11. Select the Save button.
   Save the certificate on your local drive.
   Figure 95
12. Select the Save button.
   Figure 96
13. Close the Microsoft Certificate Services IE window.
Install the Certificate in Win 2K8 / 2K8 R2

1. Select the Start button, select Programs, and then select Administrative Tools.
2. Select Internet Information Services (IIS) Manager.
3. Select the server node.
4. In IIS pane, double-click Server Certificates icon.
   Server Certificates page displays.
   Figure 97
5. In Actions pane, click Complete Certificate Request.
   Complete Certificate Request window displays.
   Figure 98
6. Click the Browse button and select the server certificate that you received from the CA.
   Figure 99
7. Click Open.
   Figure 100
8. Type any Friendly name to keep track of the certificate on this server.
   Figure 101
9. Click OK.
   If successful, you will see your newly installed certificate in the list.
   Figure 102

If you receive an error stating that the request or private key cannot be found, make sure you are using the correct certificate and that you are installing it to the same server that you generated the CSR on. If you are sure of those two things, you may just need to create a new Certificate Request and reissue/replace the certificate.
Bind the Certificate to the Default Web Site in Win 2K8 / 2K8 R2

EventTracker 7.5 and below

1. Expand the server node, expand the Sites node.
2. Select the Default Web Site node.
3. In Actions pane, select Bindings.
   Figure 103

EventTracker 7.6

1. Expand the server node, expand the Sites node.
2. Select the EventTracker node.
3. In Actions pane, select Bindings.
   Figure 104
   Site Bindings window displays.
   Figure 105
4. Select the Add button.
   Add Site Binding window displays.
   Figure 106
5. In Type drop-down, select https.
   Figure 107
6. In SSL certificate: drop-down, select the certificate that was just installed.
   Figure 108
7. Click OK.
   The binding for port 443 is listed.
   Figure 109
8. Click Close.
   The newly added https web site is listed under Browse Web Site pane.
   For EventTracker 7.5 and below, refer to the figure below:
   Figure 110
   For EventTracker 7.6, refer to the figure below:
   Figure 111
Test the SSL Enabled Default Web Site in Win 2K8 / 2K8 R2

1. Open Internet Explorer.
2. Type http://localhost/eventtracker/login.aspx in the Address field.
   Internet Explorer displays the Security Alert.
3. Click OK.
   Figure 112
   Internet Explorer displays an error page because the self-signed certificate was issued by your machine, not a trusted Certificate Authority (CA). Internet Explorer will trust the certificate if you add it to the list of Trusted Root Certification Authorities in the certificates store on the local machine or in Group Policy for the domain.
   Figure 113
4. Click Continue to this website (not recommended).
   Internet Explorer displays the Security Alert.
5. Click OK.
   Figure 114
   Internet Explorer displays the Login page.
Configure SSL Settings in Win 2K8 / 2K8 R2

For EventTracker 7.5 and below:

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates.

1. Expand the Sites node, and then select Default Web Site node.
2. Double-click SSL Settings.
   Figure 115
   SSL Settings page displays.
   Figure 116
3. Select Require SSL option.
4. Select Require 128-bit SSL option, if 128-bit encryption is required.
   Figure 117
5. In Actions pane, select Apply.
   A success message displays.
   Figure 118
6. Close the IIS Manager.

For EventTracker 7.6:

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates.

1. Expand the Sites node, and then select EventTracker node.
2. Double-click SSL Settings.
   Figure 119
   SSL Settings page displays.
   Figure 120
3. Select Require SSL option.
   Figure 121
4. In Actions pane, select Apply.
   A success message displays.
   Figure 122
Windows Server 2003

All you need is the IIS 6.0 Resource Kit Tools installed on your computer.

Summary:
- Install IIS 6.0 Resource Kit Tools
- Assign the certificate to the Default Web Site
- Configure 128-bit Encryption for the Default Web Site

Install IIS 6.0 Resource Kit Tools in Win 2K3

IIS 6.0 Resource Kit Tools is available for free download at:
http://www.microsoft.com/downloads/details.aspx?familyid=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

1. Open Internet Explorer and access the link given above.
2. Click Download and then install the executable file.
   Figure 123
3. Click Run.
   Figure 124
   Once the download is completed, Internet Explorer displays the Security Warning.
   Figure 125
4. Click Run.
   InstallShield Wizard displays the Preparing to Install screen.
   Figure 126
   InstallShield Wizard displays the Welcome screen.
   Figure 127
5. Click Next >.
   InstallShield Wizard displays the License Agreement dialog.
   Figure 128
6. Select the I Agree option and then select the Next > button.
   InstallShield Wizard displays the Customer Information dialog.
   Figure 129
7. Type the User Name and Company Name.
8. Select an appropriate Install this application for: option.
9. Click Next >.
   InstallShield Wizard displays the Setup Type dialog.
   Figure 130
10. In Setup Type page, select Custom, and then select the Next > button.
   InstallShield Wizard displays the Choose Destination Location dialog.
   Figure 131
11. To use a destination folder other than the default folder, click Browse and select an appropriate destination folder.
12. Click Next >.
   InstallShield Wizard displays the Select Features dialog.
   Figure 132
13. Select SelfSSL 1.0 option and clear everything else.
   Figure 133
14. Click Next >.
   InstallShield Wizard displays the Start Copying Files screen.
15. Click Next >.
   Figure 134
   InstallShield Wizard displays the Setup Status screen.
   Figure 135
   InstallShield Wizard displays the InstallShield Wizard Complete screen.
   Figure 136
16. Click Finish to complete the installation.
Assign the Certificate to Default Web Site in Win 2K3

1. Select the Start button, select Programs, and then select IIS Resources.
2. Select SelfSSL, and then select SelfSSL.
   Figure 137
   SelfSSL command prompt displays.
   Figure 138
3. Type SelfSSL/T.
   Figure 139
4. Press the ENTER key on your keyboard.
   Figure 140
5. When prompted, type Y.
   Figure 141
6. Press the ENTER key on your keyboard.
   Figure 142
7. Exit the command prompt.
   The self-signed certificate is successfully assigned to the Default Web Site.
Create a Certificate Request in Win 2K3

1. Select the Start button, select Settings, and then select Control Panel.
2. Select Administrative Tools, and then select Internet Information Services (IIS) Manager.
3. Expand the server node, expand the Web Sites node.
4. Right-click Default Web Site node, and then select Properties.
   Figure 143
5. Select the Directory Security tab.
   Figure 144
6. In Secure Communications pane, select the Edit button.
   Welcome to The Web Server Certificate Wizard window displays.
   Figure 145
7. Select the Next > button.
   IIS Certificate Wizard window displays.
8. Select Create a new certificate and then select the Next > button.
   IIS Certificate Wizard window displays.
   Figure 146
9. Select Prepare the request now, but send it later and then click the Next > button.
   Figure 147
10. Type a name for the new certificate in the Name column and then click Next >.
   Figure 148
11. Enter the Organization and Organizational unit details and then select the Next > button.
   Figure 149
12. Enter the Common name of the site and then click Next >.
   Figure 150
13. Enter the Geographical Information and then click the Next > button.
   Figure 151
14. Enter the file name for the certificate request and then click the Next > button.
   Figure 152
15. To generate the Request File Summary, click the Next > button.
16. Click Finish to complete the IIS certificate process.
   Figure 153
Configure 128-bit Encryption for Default Web Site in Win 2K3

EventTracker 7.5 and below

1. Select the Start button, select Settings, and then select Control Panel.
2. Select Administrative Tools, and then select Internet Information Services (IIS) Manager.
3. Expand server node, expand Web Sites node.
4. Right-click Default Web Site node, and then select Properties.
   Figure 154
   For EventTracker 7.6, refer to the figure below:
   Figure 155 (Applies to 7.6)
   Default Web Site Properties window displays.
   Figure 156
5. Select the Directory Security tab.
6. In Secure Communications, click Edit.
   Figure 157
7. Select Require secure channel (SSL) option.
8. Select Require 128-bit encryption option.
9. Click OK.
   Figure 158
   Open your browser and type the URL of the Web site that is under the Default Web Site.
   Example: http://localhost/eventtracker/login.aspx
   You should get the following message.
   Figure 159
   Security Alert is displayed.
10. Click Yes.
   Figure 160
   Internet Explorer securely moves you through your Web site.