Setup Apollo 2018 with public-facing server name and https/SSL

by Technical Evangelist ‎04-19-2018 07:49 AM - edited ‎02-20-2020 09:55 AM (1,105 Views)


 

[1] Obtain a proper SSL certificate as a *.pfx file.
The *.pfx (PKCS#12) file contains both the certificate and its private key; the accompanying ASCII text file contains the password that protects the private key. Treat both files as secrets: keep them off shared folders and remove them from the server once the import below has succeeded.

[Screenshot 01.jpg: the *.pfx file and its password file]

 

 

[2] Import the certificate into the Local Computer store.
This section instructs you on how to import a trusted certificate into your Local Computer's certificate store. The store matters: IIS and its application pools run under service accounts and read the Local Computer store, not the personal store of the user who performs the import.


1. Run mmc.exe to launch the Microsoft Management Console, or open a pre-configured MMC console if you have one.
NOTE: You should run mmc.exe with Administrator rights.
2. Before you can add certificates to the Windows Certificate Store, you must add the Certificates snap-in to the Microsoft Management Console (MMC) on the Windows Server host on which ERDAS APOLLO is installed. When prompted, choose Computer account and Local computer, then import the *.pfx under Personal > Certificates.

For more details and screen copies, see attached PDF

 

[3] Import the certificate into IIS.


1. Open Administrative Tools > Internet Information Services (IIS) Manager
2. Click on the server name in the Connections pane.
3. In the main pane, double-click on the Server Certificates icon to open the Server Certificates view.
4. Once in “Server Certificate” view, click on the Import... link in the far right Actions pane to open the Import Certificate dialog.
5. Select the certificate file (*.pfx) you received from the Certificate Authority and enter the password that came with it. If the dialog offers "Allow this certificate to be exported", leave it unchecked unless you have a reason to export the private key from this server later.
6. Click OK to complete the import.
The certificate will be imported into IIS and you can click View to see the details about the certificate.

 

[4] HTTPS port Binding

 

Adding an https Binding to the ERDAS APOLLO Web Site.
This section instructs you on how to add an https Binding associated with an SSL trusted certificate to your ERDAS APOLLO web site.


1. Open Administrative Tools > Internet Information Services (IIS) Manager.
NOTE: If you have just completed step [3], Importing an SSL Certificate into IIS, the IIS Manager should already be open.
2. Expand the Sites folder.
3. Select the site to be secured.
NOTE: This will either be the Default Web Site or the web site that you added and configured in Configuring the ERDAS APOLLO Web Site.
4. From the Actions menu (on the right), select Bindings... to open the Site Bindings dialog box.

5. In the Site Bindings dialog box, click Add... to open the Add Site Binding dialog box.
6. Under Type, choose https.
7. The IP address should be the IP address of the site or All Unassigned.
8. The port over which traffic will be secured by SSL is usually 443.
9. The SSL Certificate field should specify the SSL certificate that was imported into IIS in step [3].
 In this case the certificate is the wildcard “*.ingrnet.com”; select it from the drop-down list. If other sites on this server must also listen on port 443, set Host name to the public-facing name and enable Require Server Name Indication so that each site can present its own certificate.
10. Click OK to add the https binding.

[Screenshot 1.jpg: Add Site Binding dialog]


Your server SSL certificate is now installed and the website is configured to accept secure connections through https. Confirm it by browsing to https://external.ingrnet.com/ from another machine: the browser should show the *.ingrnet.com certificate and no warning.

 

[4.1] Disable client SSL certificates

 

APOLLO Essentials does not support client SSL certificates, so client certificate negotiation must be disabled for WMS to work.

 

Go to IIS Manager -> Sites -> Default Web Site -> SSL Settings: uncheck “Require SSL”, and choose either “Ignore” or “Accept”.

[Screenshot 1.jpg: SSL Settings for the Default Web Site]

 


• Ignore: IIS does not request a client certificate from the client.
• Accept: IIS requests a client certificate but does not care whether one is presented; any certificate that is presented is accepted and passed on to the application.
• Require: IIS requests and demands a valid client certificate before servicing the request.
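The clicks in steps [2] to [4.1] as one PowerShell script, added here as an example; it is not code from the original post or from the ERDAS APOLLO product. It imports the *.pfx into the Local Computer store, adds the https binding on 443, attaches the certificate, sets the client-certificate mode to Ignore and prints what IIS ended up with. The paths C:\certs\ingrnet.pfx and C:\certs\ingrnet.txt, the site name "Default Web Site" and the helper Test-SanCoversName are assumptions for the example; the public name external.ingrnet.com is the one used on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: steps [2] to [4.1] as one script.
# Assumed values (not stated on the page): the *.pfx and password-file paths
# and the site name "Default Web Site".
Import-Module WebAdministration

$PfxPath      = 'C:\certs\ingrnet.pfx'    # assumed location of the *.pfx from step [1]
$PasswordFile = 'C:\certs\ingrnet.txt'    # assumed location of the ASCII password file
$SiteName     = 'Default Web Site'        # assumed
$PublicName   = 'external.ingrnet.com'

# True when a SAN string such as "DNS Name=*.ingrnet.com, DNS Name=ingrnet.com"
# covers $Name. A wildcard covers exactly one label, as browsers require.
function Test-SanCoversName([string]$San, [string]$Name) {
    foreach ($entry in ($San -split ',\s*')) {
        $dns = ($entry -replace '^DNS Name=', '').Trim()
        if ($dns -eq $Name) { return $true }
        if ($dns.StartsWith('*.') -and $Name -like $dns -and
            $Name.Split('.').Count -eq $dns.Split('.').Count) { return $true }
    }
    return $false
}

# [2]/[3] Import into LocalMachine\My ("Personal"), the store IIS serves from.
# The current user's store will not do: the application pool identity cannot read it.
$pfxPassword = ConvertTo-SecureString -String (Get-Content $PasswordFile -Raw).Trim() -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Checks worth making before anything is bound to the certificate.
if (-not $cert.HasPrivateKey)      { throw 'PFX imported without a private key' }
if (-not $cert.Verify())           { throw 'Chain does not validate here; install the intermediate CA certificate' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
if (-not (Test-SanCoversName $san $PublicName)) {
    Write-Warning "SAN '$san' does not cover $PublicName; browsers will report a name mismatch"
}

# [4] https binding on port 443 for all unassigned IPs, then attach the certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# [4.1] Client certificates. sslFlags: '' = Ignore, 'SslNegotiateCert' = Accept,
# 'SslRequireCert' = Require (the one that breaks WMS). Adding 'Ssl' to the
# value is the "Require SSL" box, which the page leaves unchecked.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value ''

# Show what IIS now has: the binding with its certificate hash, and the SSL flags.
Get-WebBinding -Name $SiteName -Protocol https | Select-Object protocol, bindingInformation, certificateHash
(Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
```

Run it from an elevated PowerShell prompt on the APOLLO server. The three throws stop the script before a certificate with no private key, a broken chain or an expired certificate is bound to port 443, which is the point at which those mistakes become visible to every client.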

 

A client certificate is different from an SSL server certificate. In basic terms, a server certificate authenticates the server to the client and lets the two sides set up the encrypted channel (i.e. HTTPS), while a client certificate authenticates the user. When you configure IIS with a server certificate, you give IIS the ability to establish an SSL/HTTPS connection and to encrypt and decrypt the traffic (via its public and private keys). Server-side SSL works without any client certificate being involved at all.

 

A client certificate adds another level of security and is an authentication mechanism: it lets the server identify the user or client that is requesting a resource. When a client requests a resource, the server asks the client to prove its identity with a client certificate. This serves the same purpose as presenting a username and password to the server. If the client certificate check fails, the connection or resource request is rejected. A client certificate is obtained from a certificate authority (public or private), and the server holds a list of the certification authorities it trusts. You can configure IIS to “Ignore”, “Accept” or “Require” client certificates.

 

The SSL/TLS session is negotiated first; if client certificates are configured, IIS requests one during that negotiation, so a client certificate is only ever checked over an encrypted connection. APOLLO Core supports SSL, but does not support client certificates.

 

The workflow is always:
1. Establish a secure connection (SSL/TLS).
2. If configured, authenticate via either username/password or a client certificate.

 

PS. In practice, I don't see many (public) companies using client certificates. For a client certificate to work, the client needs a valid certificate from a certificate authority that the server trusts. A public-facing server will normally trust only public certificate authorities (unless the operator runs its own CA and issues certificates to its users), so a client would have to buy a certificate from one of those public certification authorities in order to present something the server trusts. As a random internet user, most if not all will not spend the money to purchase one.

 

 

[5] Configure Geospatial Portal for SSL.


If IIS receives requests on a public address and that address does not resolve to the local host (for example, it belongs to another server, such as a proxy or load balancer, that forwards requests on), configure the host machine to resolve the public host name to the loopback address, so that the server's own requests to its public name stay local.
To configure the host machine, edit C:\Windows\System32\drivers\etc\hosts as follows.

For example, the host name is vmapollosupport and the public-facing name is external.

 

[1] Change the C:\Windows\System32\drivers\etc\hosts

From:

127.0.0.1 vmapollosupport.ingrnet.com

To:

127.0.0.1 external.ingrnet.com

 

[2] Run "nbtstat -R" from a command prompt started as Administrator, then restart the server.

NOTE: nbtstat -R purges and reloads the NetBIOS name cache; run "ipconfig /flushdns" as well so the DNS resolver cache does not keep serving the old address for the name.
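The hosts-file change from step [5] as a repeatable PowerShell script, added here as an example rather than taken from the original post. It removes any existing entry for the public name, appends the loopback mapping once, flushes the resolver caches and then checks that the name really resolves to 127.0.0.1 through the Windows resolver. The names are the ones used on this page; the backup file name is the script's own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: idempotent version of step [5].
$HostsFile  = "$env:SystemRoot\System32\drivers\etc\hosts"
$PublicName = 'external.ingrnet.com'   # public-facing name from the page
$Loopback   = '127.0.0.1'

Copy-Item $HostsFile "$HostsFile.bak"   # keep a rollback copy

# Drop any line that already maps the public name (to whatever address),
# then append the loopback mapping exactly once. Other entries, such as the
# vmapollosupport.ingrnet.com line, are left untouched.
$nameRegex = "(^|\s)$([regex]::Escape($PublicName))(\s|$)"
$lines = @(Get-Content $HostsFile | Where-Object { $_ -notmatch $nameRegex })
$lines += "$Loopback $PublicName"
Set-Content -Path $HostsFile -Value $lines -Encoding ASCII

# The hosts file is consulted on every lookup, but cached answers linger:
# flush the DNS resolver cache and reload the NetBIOS name cache as the page does.
ipconfig /flushdns | Out-Null
nbtstat -R | Out-Null

# Verify through the Windows resolver, which is what APOLLO and IIS use.
$resolved = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $Loopback) {
    throw "$PublicName resolves to $($resolved -join ', ') rather than $Loopback"
}
"$PublicName -> $($resolved -join ', ')"
```

The final check is the part worth keeping even if you edit the file by hand: if the name still resolves to the proxy's address, every self-referencing URL the server builds will leave the machine.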

 

 

 

[6] Install APOLLO 2018 & run the ERDAS APOLLO Configure Wizard


In the Configure Wizard, under HTTP Server settings, the entry “HTTPS on port 443” should now be listed: make sure it is highlighted/selected, and enter the public-facing server name “external.ingrnet.com” as the HTTP server name. The name must be one the certificate covers (here, the *.ingrnet.com wildcard), or clients will see a certificate name mismatch.

 

 

[7] Configuring ERDAS APOLLO Services for SSL


If you have configured Secure Sockets Layer as described in Configuring Secure Sockets Layer (SSL) above, you can now configure your ERDAS APOLLO services to use https and SSL.
Configuring the ERDAS APOLLO Catalog WMS Service for SSL.

1. Navigate to C:\Program Files\Common Files\Hexagon\Services\Instances\ApolloCatalogWMS.
2. Open web.config with a text editor and search for the comment, "If you plan on using SSL, please switch httpsGetEnabled below to true".
3. In the line that follows, set httpsGetEnabled="true".
4. A few lines further down in web.config, locate the lines
   <bindings>
     <basicHttpBinding>
       <binding name="basicHttpBinding">
         <security mode="None">
5. Change <security mode="None"> to <security mode="Transport">.
6. Search a little further down in web.config and locate the lines
   <webHttpBinding>
     <binding name="webHttpBinding">
       <security mode="None">
7. Again, change <security mode="None"> to <security mode="Transport">. If you are using Windows Authentication, the current value is <security mode="TransportCredentialOnly"> (credentials sent over plain http); change that to <security mode="Transport"> as well.
8. Save and close the file. The ERDAS APOLLO Catalog WMS service will automatically restart.
9. Optionally, you may also choose to restart the APOLLO and IIS services.

[Screenshot 02.jpg: the binding security mode in web.config]

 

Make the same changes for the public WMS instance:

C:\Program Files\Common Files\Hexagon\Services\Instances\ApolloCatalogWMSPublic.

 

 

[8] Override Intergraph.GeoMedia.Web.SDI.HostName

Modify the following files (uncomment the key and set its value to the public-facing name):

C:\Program Files\Common Files\Hexagon\Services\Instances\ApolloCatalogWMS\web.config

C:\Program Files\Common Files\Hexagon\Services\Instances\ApolloCatalogWMSPublic\web.config

 

Change from:

<!-- <add key="Intergraph.GeoMedia.Web.SDI.HostName" value="[hostname]"/> -->

 

to

<add key="Intergraph.GeoMedia.Web.SDI.HostName" value="external.ingrnet.com"/>

 

[9] Modify Apollo endpoints

Make sure that all Apollo endpoints defined in both the ApolloCatalogWMS and ApolloCatalogWMSPublic web.config files use the correct URI, i.e.:

  • HTTPS protocol
  • the fully qualified domain (or host) name for which the certificate was issued
  • the correct port

Example:

[Screenshot FQDN.png: endpoint URIs using https, the certificate's FQDN and port 443]
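Steps [7], [8] and [9] applied to both web.config files with PowerShell's XML DOM, added here as an example; it is not code from the original post or from the ERDAS APOLLO product. It backs each file up, flips httpsGetEnabled, moves both named bindings to Transport (including the TransportCredentialOnly case), turns the commented-out SDI.HostName key into a live one, and warns about any absolute endpoint that is still http, on another host or on a port other than 443 instead of rewriting it blindly. Two things are assumptions, not facts from the page: that the httpsGetEnabled attribute sits on WCF's standard <serviceMetadata> element, and that endpoint URIs appear as address= or baseAddress= attributes.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: steps [7], [8] and [9] for both
# instances. Assumptions not stated on the page: httpsGetEnabled lives on
# WCF's <serviceMetadata> element; endpoint URIs are address=/baseAddress=.
$PublicHost = 'external.ingrnet.com'
$Root       = 'C:\Program Files\Common Files\Hexagon\Services\Instances'
$Instances  = 'ApolloCatalogWMS', 'ApolloCatalogWMSPublic'

foreach ($name in $Instances) {
    $path = Join-Path $Root "$name\web.config"
    Copy-Item $path "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # rollback copy

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true   # keep the edit diff-friendly
    $xml.Load($path)

    # [7] step 3: serve metadata over https
    foreach ($meta in $xml.SelectNodes('//serviceMetadata')) {
        $meta.SetAttribute('httpsGetEnabled', 'true')
    }

    # [7] steps 5 to 7: both bindings named on the page go to Transport.
    # TransportCredentialOnly (Windows auth over plain http) is replaced as well.
    $securityXPath = "//basicHttpBinding/binding[@name='basicHttpBinding']/security | " +
                     "//webHttpBinding/binding[@name='webHttpBinding']/security"
    foreach ($sec in $xml.SelectNodes($securityXPath)) {
        if ($sec.GetAttribute('mode') -in 'None', 'TransportCredentialOnly') {
            $sec.SetAttribute('mode', 'Transport')
        }
    }

    # [8] turn the commented-out SDI.HostName key into a live one
    $appSettings = $xml.SelectSingleNode('//appSettings')
    if (-not $appSettings) { throw "${name}: web.config has no <appSettings> element" }
    $key      = 'Intergraph.GeoMedia.Web.SDI.HostName'
    $existing = $appSettings.SelectSingleNode("add[@key='$key']")
    if ($existing) {
        $existing.SetAttribute('value', $PublicHost)
    } else {
        $add = $xml.CreateElement('add')
        $add.SetAttribute('key', $key)
        $add.SetAttribute('value', $PublicHost)
        $comment = $appSettings.SelectSingleNode("comment()[contains(., '$key')]")
        if ($comment) { [void]$appSettings.ReplaceChild($add, $comment) }
        else          { [void]$appSettings.AppendChild($add) }
    }

    # [9] report, rather than silently rewrite, absolute endpoints that are
    # still plain http, on a name other than the certificate's, or not on 443
    foreach ($attr in $xml.SelectNodes('//@address | //@baseAddress')) {
        $uri = $null
        if ([Uri]::TryCreate($attr.Value, [UriKind]::Absolute, [ref]$uri) -and $uri.Scheme -in 'http', 'https') {
            if ($uri.Scheme -ne 'https' -or $uri.Host -ne $PublicHost -or $uri.Port -ne 443) {
                Write-Warning "${name}: endpoint '$($attr.Value)' should be https://${PublicHost}:443/..."
            }
        }
    }

    $xml.Save($path)   # saving web.config makes the service restart (step 8)
    "Updated $path"
}
```

The endpoint pass only warns because a relative address (the common WCF case) is correct as it stands, and an absolute one that points elsewhere may be deliberate; the warning lists exactly what to fix by hand, which is what step [9] asks for.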

 

[10] Apollo legacy services

For Apollo legacy services, check all URLs in the providers.fac files. Basically, change the links manually in every providers.fac found in the folders under C:\Program Files\Hexagon\ERDAS APOLLO\config\erdas-apollo\providers\: change "http" to "https" and the port from "80" to "443". Edit the URLs themselves rather than doing a blind search-and-replace of "80", which would also hit other numbers in the files.
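The providers.fac rewrite from step [10] as a PowerShell script, added here as an example and not taken from the original post or the product. It goes slightly beyond the text: the regular expression matches http:// URLs both with and without an explicit :80, and leaves any other number, and any URL already on another port, alone. Without -Apply it only reports what it would change. The install path is the one given on the page; the .bak naming and the -Apply switch are the script's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: step [10] as a dry-run/apply script.
param([switch]$Apply)   # without -Apply, only report what would change

$ProvidersRoot = 'C:\Program Files\Hexagon\ERDAS APOLLO\config\erdas-apollo\providers'

# http://host or http://host:80, followed by a path, quote, whitespace, '>' or end of string.
# A host on another port (http://host:8080) does not match and is left untouched.
$Pattern = '(?i)http://([^/:\s"''<>]+)(?::80)?(?=[/"''\s<>]|$)'

foreach ($file in Get-ChildItem $ProvidersRoot -Recurse -Filter providers.fac) {
    $original = Get-Content $file.FullName -Raw
    $updated  = [regex]::Replace($original, $Pattern, 'https://${1}:443')
    if ($updated -eq $original) { continue }

    $count = [regex]::Matches($original, $Pattern).Count
    "$($file.FullName): $count link(s) to rewrite"
    if ($Apply) {
        Copy-Item $file.FullName "$($file.FullName).bak"       # rollback copy
        Set-Content -Path $file.FullName -Value $updated -NoNewline
    }
}
```

Run it once without -Apply, read the list, then run it again with -Apply. The .bak copies let you revert a single provider if a service turns out to sit on a port other than 443.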

 

 

Issue A – Enable Hostname Aliases in the AdminConsole

 

If the user enables “Hostname aliases” in the AdminConsole (it is disabled by default):

[Screenshot 01.jpg: Hostname aliases setting in the AdminConsole]

then no Portal instance can be configured; the user gets the following error (ApolloCatalogWMS and ApolloCatalogWMSPublic can still be configured without issue).

[Screenshot 02.jpg: error when configuring a Portal instance]

However, “Run ApolloCatalogWMS” from the AdminConsole then uses the public-facing name in the URL,

https://external.ingrnet.com:443/ApolloCatalogWMS/Service.svc/get?request=GetCapabilities&service=WM... ,

https://external.ingrnet.com:443/ApolloCatalogWMSPublic/Service.svc/get?request=GetCapabilities&serv...

and returns correct results.

 

 

 

Issue B – Disable Hostname Aliases in the AdminConsole

 

If the user leaves “Hostname aliases” disabled in the AdminConsole (the default):

[Screenshot 01.jpg: Hostname aliases setting in the AdminConsole]

then any Portal instance can be configured, but ApolloCatalogWMS and ApolloCatalogWMSPublic return the wrong URL, and the banner location URL is wrong as well.

 

[Screenshot 02.jpg: wrong URLs returned by ApolloCatalogWMS]