Configuring the Server for SSL (HTTPS)

Overview

Decisions support using SSL (Secure Sockets Layer) encryption over HTTPS as an additional protection layer. This allows Administrators to further secure a transaction by creating an encrypted link between Decisions and the browser.

The following document demonstrates how to configure a server for SSL encryption in a v9 Installation. 

IIS Installation 

1. Install/Import the certificate to the Windows certificate store.
2. Set up and enable SSL Bindings for HTTPS. Refer to Microsoft's Documentation for reference: Create an SSL Binding.
3. Open DecisionsServerInstaller.exe via Run as administrator, then click EDIT SETTINGS. 
4. From the Settings window, adjust the listed Settings as follows, then click Save.

   
   

   Setting	Suggested Configuration
   EnableHttps	Set to "true"
   HttpsPort	Set to "443"
   PortalBaseUrl	If required, change "http://" to "https://"
   EnableHttptoHttpsRedirection	If required, set it to "true"

5. Back in the Installation Type screen, click RESTART SERVICE. 

Self-Hosted Installation

The following sections demonstrate the two methods by which HTTPS can be enabled in a Self-Hosted environment. 

Physical File Path: During Installation

1. During installation from the Base Portal URL screen, check the Enable Https box.
2. Provide the proper Port, Certificate location, and, if required, the Certificate Password.
3. Enable the Override Portal Base URL to give a Fully Qualified Domain Name to the server URL.
   HTTPS Redirect 

   If desired, check Enable Http To Https Redirection to redirect all HTTP requests to HTTPS.

   

4. Continue the installation process. 

Physical File Path: After Installation

1. After installation, run DecisionsServerInstaller.exe via Run as administrator. 
2. From the Installation Type screen, click EDIT SETTINGS.
3. From the Settings window, adjust the following settings as shown. Then click Save.
   Alternate Settings Location 

   The following settings can also be adjusted via the Settings.xml file located at C:\Program Files\Decisions\Decisions Server.

   Setting	Suggested Configuration
   EnableHttps	Set to True
   HttpsCertificatePassword	Provide the applicable Password for the Certificate; if there is no Password, leave this blank.
   HttpsCertificatePath	Provide the physical File Path for the certificate.
   HttpsPort	Keep set to 443
   PortalBaseUrl	Change "http://" to "https://"

   

4. Restart Decisions via the RESTART SERVICE button. 

5. Navigate to the Portal Base URL. 

Certificate Store

Users can install Certificates in the Certificate Store and read the respective Certificate Information from it.

Opening Certificate Store

The Certificate Store is the location wherein Windows stores its .cert files. By using the Manage computer certificates panel, Administrators can locate, view, Import, and Export digital Certificates for use throughout the Local Machine. 

1. From the Local File System, via the Search tool, search for and open Manage computer certificates. 
2. From the Folder Tree on the left,  expand the Personal node.
3. View the respective information to the right of each Certificate in the store. 

Installer

Certificates can be added during the installation process of the Decisions server. 

1. From the Portal Base Url screen, check Enable Https. 
2. Under Pick Certificate Source, select Certificate Store. 
3. If required, adjust the Port value, then select the desired Certificate from the drop-down. 
4. Proceed with the rest of the installation process.

Settings.xml

In addition to DecisionsServerInstaller.exe, Certificate Store directions can be defined via the Settings.xml file. 

1. From the Local File System, navigate to C:\Program Files\Decisions\Decisions Server and open Settings.xml in a Text Editor. 
2. Locate the CertificateThumbPrint and HttpsCertificateLocation tags. 
3. Specify CertificateStore value to the HttpsCertificateLocation node.
4. Provide the Certificate Thumbprint to its respective space.
   
5. Save and close the file. 

Self-Signed Certificate Generation Script

By default, Decisions Installations provides a Self-Signed Certificate Generator in the Decisions Server folder.

This Windows PowerShell Script allows the creation of a Certificate that can be used for testing v8 SSL configurations in self-hosted and IIS environments. 

1. From the Local File System, navigate to C:\Programs Files\Decisions\Decisions Server.
2. Locate GenerateCertificate, then run it with PowerShell as an Administrator. 
3. From the PowerShell window, type "./GenerateCertificate.ps1". Then, press enter; verify that the script successfully creates a Certificate called "Decisions.cer".
   

Certification Expiration

If the Certificate for SSL expires, access to the server will not be available until fixed. Fixing this includes getting the new Certificate installed.

If the Certificate Name doesn't change, Recycle IIS. If the Certificate Name changes, then update the SSL Certificate in the Site Bindings to use the new Certificate.

STARTTLS Configuration 

STARTTLS is an email protocol command that uses SSL/TSL to convert an Email Client's connection from an insecure one into a secure one. 

When using STARTTLS with Decisions, users should configure their SMTP Settings as they typically would.

Explicit SSL

By default, Decisions requests that SSL is used explicitly. To enable this:

1. Open DecisionsServerInstaller.exe; from the Installation Type screen, click EDIT SETTINGS. 
2. From the Settings window, navigate to expand Mail > SmtpServer.
3. Under the SmtpServer category, set UseImplicitSSL to False and UseSSL to True. 
4. Click Save, then restart Decisions via RESTART SERVICE.