Overview
This article applies to Identity Finder Enterprise Console 4.1.0 and greater.
By default, access to the console user interface and communication between clients and the console is configured to occur using HTTP. It is possible to enable secure HTTPS communication for either or both of these functions. The procedure in this article requires IIS to have already been configured for HTTPS communication. Configuring IIS is beyond the scope of this article and Identity Finder Support. Configuration information is available from Microsoft.
NOTE: The IIS website used by Identity Finder Enterprise Console must not use multiple, different host headers.
NOTE: IIS must be configured to ignore client certificates for the Services application.
This article includes the following sections:
- Enabling HTTPS for the Console Web Application
- Enabling HTTPS for the Services Web Application
- Endpoint Configuration
- Windows Clients
- Mac Clients (link to another KB article)
Enabling HTTPS for the Console Web Application
To enable HTTPS for the console web application (the user interface used to perform console functions), perform the following configuration steps.
NOTE: Before the Console Administrator Tool (CAT) can be used to enable HTTPS, IIS must be configured with the appropriate HTTPS bindings.
- Launch the Console Administrator Tool by double-clicking on the ConsoleAdministrator executable. The default location is:
C:\Program Files\Identity Finder Console\ConsoleAdministrator\ConsoleAdministrator.exe
On Windows 2008, there may be a UAC dialog prompt, as Administrative privileges are required to run the Console Administrator Tool.
- Select the Web Application Settings tab.
- In the Console Application group, select the appropriate setting for Enabled Protocols depending on your IIS bindings configuration: HTTP Only, HTTPS Only or HTTP and HTTPS. If IIS is configured to "Require SSL" for the website or the Console application, then HTTPS Only must be selected.
- Click the Save button.
- Click the Reload button to instruct the IIS server to reload the configuration.
- Click the Test button at the bottom of the dialog.
- In the "Base Console's services address" field, enter https://consoleserver/Console, where consoleserver is the name or IP address of the enterprise console.
- For the services address, enter https://consoleserver/Services if the Services application is also using HTTPS, or http://consoleserver/Services if it is not (consoleserver again being the name or IP address of the enterprise console).
- Click the Test button.
Enabling HTTPS for the Services Web Application
To enable HTTPS for client/console communication, perform the following configuration steps.
NOTE: Before the Console Administrator Tool (CAT) can be used to enable HTTPS, IIS must be configured with the appropriate HTTPS bindings.
- Launch the Console Administrator Tool by double-clicking on the ConsoleAdministrator executable. The default location is:
C:\Program Files\Identity Finder Console\ConsoleAdministrator\ConsoleAdministrator.exe
On Windows 2008, there may be a UAC dialog prompt, as Administrative privileges are required to run the Console Administrator Tool.
- Select the Web Application Settings tab.
- In the Services Application group, select the appropriate setting for Enabled Protocols depending on your IIS bindings configuration: HTTP Only, HTTPS Only or HTTP and HTTPS. If IIS is configured to "Require SSL" for the website or the Services application, then HTTPS Only must be selected.
- Click the Save button.
- Click the Reload button to instruct the IIS server to reload the configuration.
- Test the SSL configuration by clicking the Test button at the bottom of the dialog. In the "Base services address" field, enter https://the-ssl-server-name/Services and click Test. Testing the "Base Console's services address" is optional.
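Both procedures above depend on IIS already being set up correctly. The following PowerShell script is an added example (not part of the KB article or the Identity Finder product) that checks those prerequisites on the console server: an HTTPS binding exists, the site does not carry several host headers, "Require SSL" is reported per application so the matching Enabled Protocols choice can be made, and the Services application is not negotiating client certificates. The site and application names are assumptions; it needs an elevated session with the WebAdministration module.

```powershell
# Added example; run on the console server in an elevated PowerShell session.
Import-Module WebAdministration

$SiteName = 'Default Web Site'       # assumption: IIS site hosting the enterprise console
$Apps     = @('Console', 'Services') # application names used by the enterprise console

function Get-SslFlags([string]$PsPath) {
    # sslFlags is a comma-separated set drawn from: Ssl, SslNegotiateCert, SslRequireCert, Ssl128
    $v = Get-WebConfigurationProperty -PSPath $PsPath -Filter 'system.webServer/security/access' -Name 'sslFlags'
    if ($v -is [string]) { $v } else { [string]$v.Value }
}

# 1. An HTTPS binding must exist before "HTTPS Only" or "HTTP and HTTPS" is selected in the CAT.
$httpsBindings = @(Get-WebBinding -Name $SiteName -Protocol 'https')
if ($httpsBindings.Count -eq 0) {
    Write-Warning "Site '$SiteName' has no HTTPS binding; add one in IIS before enabling HTTPS in the CAT."
} else {
    $httpsBindings | ForEach-Object { "HTTPS binding: $($_.bindingInformation)" }
}

# The site must not use multiple, different host headers (bindingInformation is ip:port:host).
$hostHeaders = @(Get-WebBinding -Name $SiteName |
    ForEach-Object { ($_.bindingInformation -split ':')[2] } |
    Where-Object { $_ } | Sort-Object -Unique)
if ($hostHeaders.Count -gt 1) {
    Write-Warning "Site '$SiteName' uses several host headers: $($hostHeaders -join ', ')"
}

# 2. Per application: "Require SSL" means HTTPS Only must be chosen in the CAT, and
#    client certificates on Services produce error 12044 on the clients.
foreach ($app in $Apps) {
    $flags      = Get-SslFlags "IIS:\Sites\$SiteName\$app"
    $requireSsl = [bool]($flags -match '\bSsl\b')
    $clientCert = [bool]($flags -match 'SslNegotiateCert|SslRequireCert')
    "$app : sslFlags='$flags'  RequireSSL=$requireSsl  ClientCertificates=$clientCert"
    if ($requireSsl) { "  -> select 'HTTPS Only' for the $app application in the CAT." }
    if ($app -eq 'Services' -and $clientCert) {
        Write-Warning "  -> Services must ignore client certificates, or clients cannot acquire an endpoint id."
    }
}
```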
Endpoint Configuration
Identity Finder clients have a built-in security feature that prevents them from communicating with any console over HTTPS if the SSL certificate is not trusted. The SSL certificate used must be valid and signed by a certificate authority that is trusted by the endpoint. Additionally, the URL of the console server, as specified in the serverUrl setting, must be exactly the same as the server name specified in the certificate.
Windows
Windows clients should not require any additional configuration to utilize the secure connection; however, if the SSL certificate is self-signed (e.g., signed by an internal/organizational CA), then the certificate authority must be specified in the trusted root certificate authority container within the computer certificate store.
If the certificate is not properly trusted, or the console server specified in the serverUrl setting does not exactly match the server name specified in the certificate, the following errors may appear:
- Errors in the endpointservice.log:
- Exception: Service call failed (Context: RequestGuid. An HTTP processing error occurred). System Error: 12175.
- Failed to acquire an endpoint id.
- Errors in the client log:
- Identity Finder is configured to communicate with the Enterprise Console but the server specified in the serverUrl setting cannot be contacted (Unknown Error): https://consoleserver/services All communication with the Enterprise Console will fail. Please check related Knowledge Base (KB) articles at http://support.identityfinder.com/ for further information.
If the errors above are generated because the CA is untrusted, perform either of the steps below to resolve the issue:
- Add the certificate authority that was used to sign the certificate to the trusted root certificate authority container within the computer certificate store.
- Allow the client to ignore the fact that the certificate is unknown by configuring the setting Console\ignoreUnknownCA to "Allow untrusted CA" or 1 (this may appear as "Enable" depending on the current version of the policy definitions). Because communication with the console may not be possible, this setting may need to be manually added in the appropriate location directly in the Windows Registry for current installations.
If the errors above are generated because the console server specified in the serverUrl setting does not exactly match the server name specified in the certificate, perform either of the steps below to resolve the issue:
- Update the serverUrl setting to use the exact name specified in the certificate.
- Issue a new certificate to use the name specified in the serverUrl setting.
If IIS is configured to require or accept client certificates, the following error will appear in the endpointservice.log file:
- Exception: Service call failed (Context: RequestGuid. End of file or no input: Operation interrupted or timed out). System Error: 12044.
- Failed to acquire an endpoint id.
To resolve this issue, reconfigure IIS to ignore client certificates for the services application. It is permissible to require or accept client certificates for the console application so long as the certificate is properly installed on all client systems used to access the console web application.
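The two certificate causes above (untrusted CA, and a serverUrl host that does not match the certificate name) produce the same 12175 error, so it helps to tell them apart on the endpoint. The following PowerShell function is an added example, not part of the KB article or the Identity Finder client: it connects to the host from a serverUrl value, retrieves the console's certificate, builds the chain against the computer's trusted root store, and compares the host name with the certificate's DNS names. The sample URL is an assumption.

```powershell
function Test-ConsoleCertificate {
    param([Parameter(Mandatory)][string]$ServerUrl)
    $uri = [Uri]$ServerUrl
    if ($uri.Scheme -ne 'https') { throw "serverUrl '$ServerUrl' is not HTTPS; nothing to check." }

    # Accept any certificate during the handshake; the checks below do the real work.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($uri.Host)   # SNI carries the host from serverUrl
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # 1. Chain check against the computer certificate store (the untrusted-CA case the
    #    article resolves by importing the CA or setting Console\ignoreUnknownCA).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 2. Name check: the serverUrl host must match a SAN DNS name (or the subject CN).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {   # wildcard: exactly one label stands in for the asterisk
            if ($uri.Host -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { $nameOk = $true }
        } elseif ($uri.Host -eq $n) { $nameOk = $true }
    }

    $advice = 'Certificate trust and name both match this serverUrl.'
    if (-not $nameOk)  { $advice = 'Update serverUrl to the name in the certificate, or reissue the certificate for this host name.' }
    if (-not $chainOk) { $advice = 'Import the issuing CA into the computer Trusted Root store (or set Console\ignoreUnknownCA).' }

    [pscustomobject]@{
        Host         = $uri.Host
        Subject      = $cert.Subject
        CertNames    = $names -join ', '
        ChainTrusted = $chainOk
        ChainStatus  = $chainStatus
        NameMatches  = $nameOk
        Advice       = $advice
    }
}

Test-ConsoleCertificate -ServerUrl 'https://consoleserver/Services'   # assumed sample serverUrl
```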
Mac
Mac clients require several additional deployment steps to utilize the secure connection. Configuration details and troubleshooting information are available here: