Running the deployment service on HTTPS
About this task
To run the deployment service on HTTPS, you require a certificate to start the communication between the client and the server. The Datacap Deployment program is the client and the Deployment service is the server. The certificate must therefore be present on all nodes that run the Deployment service, and it must be bound to the listening port. To bind the HTTPS certificate to the service, complete the following procedure.
Procedure
- Import the SSL certificate.
  - Use Microsoft Management Console (MMC) to import the certificate. After importing, verify that the certificate is valid, trusted, and that the private key is in the store.
  - Use
    certutil -store My
    to get the certificate details. Replace "My" with your store location.
  - Copy the cert hash without spaces before proceeding to the next step.
- Update the port. By default, the Deployment Service uses port 9543. You can change the port if required before the port binding process.
  - Enter the following command:
    netsh http add urlacl url=https://+:9543/service/ user=\Everyone
    Check that the reservation is successful, and run
    netsh http show urlacl
    to view the URL.
  - Ensure there is no existing SSL certificate binding to port 9543 using the command
    netsh http show sslcert
  - Add the SSL certificate binding using the command
    netsh http add sslcert ipport=0.0.0.0:9543 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={51c1b00f-15c6-423f-a459-aca10e7d2bbe} clientcertnegotiation=enable
    The certhash parameter specifies the thumbprint of the certificate. The ipport parameter specifies the IP address and port. The appid should be the GUID of the Deployment Service and should not be changed: 51c1b00f-15c6-423f-a459-aca10e7d2bbe.
  - Ensure that the SSL certificate binding to the port is successful using the command
    netsh http show sslcert
- This step is required if the default port number was changed. If the port number was changed from 9543 to another port, changes are required in the Deployment service configuration file.
  - Open \Datacap\support\DBCopy\DCDeploymentWinService.exe.config.
  - Change <add baseAddress="https://localhost:9543/DCDeploymentService"/> to <add baseAddress="https://localhost:<new port number>/DCDeploymentService"/>.
- Restart Deployment Service to run on port 9543 or the updated port with SSL certificate binding.
- To avoid security vulnerabilities due to older versions of SSL protocols (for example, SSL version 2 and SSL version 3) and RC4 cipher suites, complete the following steps. The steps for the Server on which the deployment takes place and the API calls are prerequisites.
  - Identify two servers: the Client (containing the package.zip) and the Server (on which the application will be deployed and the application will be updated in datacap.xml).
  - The URL used in the service calls will be that of the Server.
  - Disable SSLv2.0 and SSLv3.0, using the steps in Section A.
  - Disable the RC4 cipher suites on the Server machine in Regedit.exe, using the steps in Section B.
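The certificate checks and port binding from the first two steps of the procedure, scripted as an added example (not code from the product or its documentation). It assumes the certificate is in the LocalMachine\My store and selects it by a placeholder subject name; the port and appid are the values given above.

```powershell
# Added example, not product code. Run in an elevated PowerShell session.
# Assumptions: certificate is in LocalMachine\My; $Subject is a placeholder.
$Port    = 9543                                       # default port from the page
$AppId   = '{51c1b00f-15c6-423f-a459-aca10e7d2bbe}'   # Deployment Service GUID from the page
$Subject = 'CN=deploy.example.test'                   # placeholder (assumption)
$IpPort  = "0.0.0.0:$Port"

# Step 1 checks: certificate present, private key in the store, valid and trusted.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate '$Subject' in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'The private key is not in the store.' }
if (-not $cert.Verify())      { throw 'Certificate is expired, revoked or not trusted.' }

# Thumbprint with anything that is not a hex digit removed (spaces, hidden characters).
$hash = $cert.Thumbprint -replace '[^0-9A-Fa-f]', ''
if ($hash.Length -ne 40) { throw "Unexpected thumbprint length: $($hash.Length)." }

# Step 2: refuse to overwrite an existing binding on the port.
if (netsh http show sslcert | Select-String -SimpleMatch $IpPort) {
    throw "An SSL certificate is already bound to $IpPort. Review it before continuing."
}

# URL reservation and certificate binding, as in the procedure.
netsh http add urlacl "url=https://+:$Port/service/" 'user=\Everyone'
# Quote the appid argument: PowerShell treats unquoted braces specially.
netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$AppId" clientcertnegotiation=enable
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed.' }

# Read the binding back and confirm it carries the expected thumbprint.
$shown = (netsh http show sslcert "ipport=$IpPort") -join "`n"
if ($shown -notmatch [regex]::Escape($hash)) { throw 'Binding does not show the expected certificate hash.' }
$shown
```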
Section A: Microsoft IIS: Disabling the SSL v3 Protocol
Depending on how your Windows servers are configured, you may need to disable SSL v3.
Note: Older versions of Internet Explorer may not have the TLS protocol enabled by default. If you disable SSL versions 2.0 and 3.0, the older versions of Internet Explorer will need to enable the TLS protocol before they can connect to your site.
Microsoft IIS: How to Disable the SSL v3 Protocol
- Open the Registry Editor and run it as administrator.
  For example, in Windows 2012:
  - On the Start screen type regedit.exe.
  - Right-click regedit.exe and click Run as administrator.
- In the Registry Editor window, go to:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
- In the navigation tree, right-click Protocols, and in the pop-up menu, click New > Key.
- Name the key, SSL 3.0.
- In the navigation tree, right-click the new SSL 3.0 key that you just created, and in the pop-up menu, click New > Key.
- Name the key, Client.
- In the navigation tree, right-click on the new SSL 3.0 key again, and in the pop-up menu, click New > Key.
- Name the key, Server.
- In the navigation tree, under SSL 3.0, right-click Client, and in the pop-up menu, click New > DWORD (32-bit) Value.
- Name the value DisabledByDefault.
- In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.
- In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then, click OK.
- In the navigation tree, under SSL 3.0, right-click Server, and in the pop-up menu, click New > DWORD (32-bit) Value.
- Name the value Enabled.
- In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value.
- In the Edit DWORD (32-bit) Value window, in the Value Data box leave the value at 0 and then, click OK.
- Restart your Windows server.
You have successfully disabled the SSL v3 protocol.
Section B: Disable RC4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

OR

PowerShell commands:

RC4 128/128
([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

RC4 40/128
([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

RC4 56/128
([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$env:COMPUTERNAME)).CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
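A scripted form of the Section A registry steps, followed by a read-back of the Section A and Section B values, as an added example that is not part of the original page. It goes beyond Section A by applying the same two values to SSL 2.0 as well as SSL 3.0, since the procedure asks for both protocols to be disabled.

```powershell
# Added example, not product code. Run elevated; restart the server afterwards.
$psBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Client', 'Server') {
        $key = "$psBase\$proto\$side"
        # Create the key only if it is missing, so existing values are left alone.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Same values as the manual steps: Client DisabledByDefault = 1, Server Enabled = 0.
    New-ItemProperty -Path "$psBase\$proto\Client" -Name 'DisabledByDefault' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$psBase\$proto\Server" -Name 'Enabled' `
        -Value 0 -PropertyType DWord -Force | Out-Null
}

# Read-back. The .NET Registry API is used because the RC4 key names contain '/'.
$root = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$expected = @(
    @{ Key = 'Protocols\SSL 2.0\Client'; Name = 'DisabledByDefault'; Want = 1 }
    @{ Key = 'Protocols\SSL 2.0\Server'; Name = 'Enabled';           Want = 0 }
    @{ Key = 'Protocols\SSL 3.0\Client'; Name = 'DisabledByDefault'; Want = 1 }
    @{ Key = 'Protocols\SSL 3.0\Server'; Name = 'Enabled';           Want = 0 }
    @{ Key = 'Ciphers\RC4 128/128';      Name = 'Enabled';           Want = 0 }
    @{ Key = 'Ciphers\RC4 40/128';       Name = 'Enabled';           Want = 0 }
    @{ Key = 'Ciphers\RC4 56/128';       Name = 'Enabled';           Want = 0 }
)

$report = foreach ($e in $expected) {
    # GetValue returns $null when the key or the value does not exist.
    $actual = [Microsoft.Win32.Registry]::GetValue("$root\$($e.Key)", $e.Name, $null)
    [pscustomobject]@{
        Key      = $e.Key
        Name     = $e.Name
        Expected = $e.Want
        Actual   = $actual
        Ok       = ($null -ne $actual -and $actual -eq $e.Want)
    }
}

$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'One or more SCHANNEL values are missing or differ from Sections A and B.'
}
```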