
ESM Server Side SSL Setup

This article illustrates the steps needed to set up SSL functionality across ESM.

Please note that this article applies to ESM version 9 onwards. 

Creating and registering an SSL certificate

  1. Open IIS Manager on the ESM application server and navigate to the server name on the left-hand pane. Clicking on this will display a number of options in the main window.
  2. Open ‘Server Certificates’ and use the options on the right-hand pane either to create a certificate request and then import the signed certificate, or to create a domain certificate using an online certification authority.

Instructions on installing certificates in IIS can be found at http://technet.microsoft.com/en-us/library/cc731977(v=ws.10).aspx

NB: The server name specified for the certificate will be the server name that you will need to navigate to in order to access the web client - e.g. https://[servername on certificate]/clusterseven.webclient/

Adding HTTPS bindings to the ClusterSeven site in IIS

  1. Open IIS Manager on the ESM application server.
  2. In the Connections pane, expand the Sites node in the tree, and select the ClusterSeven site.
  3. In the Actions pane, click Bindings.
  4. In the Site Bindings dialog box, click Add.
  5. In the Add Site Binding dialog box, add the following binding information: (Type: https, IP Address: All unassigned, Port: 443, SSL certificate: [select the certificate from the dropdown]). Note that the IP address and port are examples and do not need to be configured in exactly the same manner.
  6. Tick Disable HTTP/2
  7. Click on OK

Set up HTTPS bindings for the ClusterSeven WCF service

The following changes will need to be made to [ClusterSeven Install Directory]\ESM Server\WcfService\web.config in addition to those outlined in the WCF bindings section below:

  1. Open [ClusterSeven Install Directory]\ESM Server\WcfService\web.config with a text editor, such as Notepad.
  2. Edit the line that reads:
<bindings configSource="bindingsHttp.config">

  to read as follows:

<bindings configSource="bindingsHttps.config">

Also change both instances of the element:

<serviceMetadata httpGetEnabled="false"/>

so that they read:

<serviceMetadata httpsGetEnabled="false"/>

Please note that after setting up https access for the web client, you will no longer be able to access the client over http without reverting these settings. To do so, it would be necessary to roll back the above steps, i.e. <bindings configSource="bindingsHttps.config"> will need to be changed back to <bindings configSource="bindingsHttp.config">.
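The two web.config edits above, applied and then checked on an in-memory XML document with PowerShell. This is an added example, not ClusterSeven or Mitratech code; the function names and the sample XML are assumptions constructed for illustration, and the real web.config has more surrounding elements.

```powershell
# Added example. Function names and the sample XML are constructed for illustration.
function Convert-EsmWcfConfigToHttps {
    param([Parameter(Mandatory)][xml]$Config)
    $changes = @()
    # Edit 1: point <bindings> at bindingsHttps.config.
    foreach ($b in @($Config.SelectNodes('//bindings[@configSource="bindingsHttp.config"]'))) {
        $b.SetAttribute('configSource', 'bindingsHttps.config')
        $changes += 'bindings -> bindingsHttps.config'
    }
    # Edit 2: rename httpGetEnabled="false" to httpsGetEnabled="false" on every <serviceMetadata>.
    foreach ($m in @($Config.SelectNodes('//serviceMetadata[@httpGetEnabled="false"]'))) {
        $m.RemoveAttribute('httpGetEnabled')
        $m.SetAttribute('httpsGetEnabled', 'false')
        $changes += 'serviceMetadata -> httpsGetEnabled="false"'
    }
    $changes
}

function Test-EsmWcfConfigHttps {
    param([Parameter(Mandatory)][xml]$Config)
    $issues = @()
    if (@($Config.SelectNodes('//bindings[@configSource="bindingsHttps.config"]')).Count -eq 0) {
        $issues += 'no <bindings> element uses bindingsHttps.config'
    }
    # Anything still carrying httpGetEnabled was missed (or had a value other than "false").
    foreach ($m in @($Config.SelectNodes('//serviceMetadata[@httpGetEnabled]'))) {
        $issues += "serviceMetadata still has httpGetEnabled=`"$($m.GetAttribute('httpGetEnabled'))`""
    }
    $issues
}

# Constructed sample with the two attributes the article names; not the real file.
$sample = [xml]@'
<configuration><system.serviceModel>
  <bindings configSource="bindingsHttp.config"></bindings>
  <behaviors><serviceBehaviors>
    <behavior name="a"><serviceMetadata httpGetEnabled="false"/></behavior>
    <behavior name="b"><serviceMetadata httpGetEnabled="false"/></behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel></configuration>
'@

Convert-EsmWcfConfigToHttps -Config $sample | ForEach-Object { "changed: $_" }
$problems = @(Test-EsmWcfConfigHttps -Config $sample)
if ($problems.Count) { $problems | ForEach-Object { "ISSUE: $_" } } else { 'web.config matches the HTTPS settings' }
```

To use it on the real file, take a backup copy first, load the file with `[xml](Get-Content -Raw <path>)`, and call `$doc.Save(<full path>)` only once the check returns no issues.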

Configuring the Desktop Client for SSL

  1. Open [DesktopClientInstallationDirectory]\Configuration\URL.txt with a text editor, such as Notepad
  2. Replace the value of the URLC7GeneralWebService variable with the new HTTPS address and port, e.g. https://[servername]/ClusterSeven.WebService/C7WebService.asmx

Configuring the Ribbon for SSL (if applicable)

  1. Navigate to [RibbonInstallationDirectory]\wcfBindings.config
  2. Inside the <bindings> element, replace the <httpTransport> element with a matching <httpsTransport> element inside every <binding> element.

Note for Ribbon versions prior to v2.0:

It is also necessary to enter the load balancer / web server's SSL URL in the WebService key of the EsmAddin.config file (in C:\Users\All Users\ClusterSeven Ltd\ClusterSeven Ribbon\, or for an individual user in their %LocalAppData%\ClusterSeven Ltd\ClusterSeven Ribbon\), because the UI regards https addresses as invalid (a fix is planned for the next release). It is also recommended to set AllowChangingWebServiceAddress to 0 in the All Users version of the file in order to avoid accidental resetting of the URL from the UI.

In Ribbon 2.0 and above, the https address is no longer considered invalid so this workaround does not have to be performed. The URL can be set through the Settings in Ribbon as normal.

Hardening IIS

IIS may be vulnerable in its default configuration. Recommendations on how to mitigate this will change as protocols or cipher suites are found to be insecure, so it is outside the scope of this article to give specific guidance. The following Microsoft articles provide information on how to configure SSL on the server:

In addition, the following best practices guide from Qualys SSL Labs gives a good idea of what is currently considered to be a secure configuration. We would always recommend reviewing this with your own infrastructure team.
