
Question

Simple stepwise Guide for installing SSL

asked on June 28

Hello Everyone,

Please can anyone provide a STEP-WISE guide for installing a self-signed certificate in Laserfiche. Most of the guides I see are so technical and assume everyone is so technical, and there are some questions not attended to. For instance, if I buy an SSL certificate from a CA, they usually give you certificate files: cert, cabundle and one other one. Which of these files will be installed?

How does one install these files and where?

I just want a simple guide.

What I am trying to do is secure communication between the browser and the Forms server, as well as when accessing the repository over the web client.


Also, I just wanted to find out if self-signed certificates are OK for this purpose and if there are any cons?

0 0

Answers

APPROVED ANSWER
replied on July 1

First, do NOT use self-signed certificates for TLS in Production systems. There are many cons, and no real pros. I'm not going to write them all out because so much has been written elsewhere about why self-signed certificates are a bad idea. Just don't even go down that path.

Generally speaking:

  1. You do not install SSL/TLS certificates "in Laserfiche". You install them in the Windows operating system, then configure an IIS Site Binding to associate the installed certificate with port 443 for HTTPS.
  2. Any CA you purchase a certificate from should have instructions on installing the certificate files they provide in Windows and configuring the https binding in IIS. For example: Digicert - IIS 10: Create CSR and Install SSL Certificate
  3. Once the IIS https/443 binding is configured with a valid certificate, configure the Laserfiche web applications to use https.
    1. For Web Client, in Web Client Configuration > Services > General Services:
      1. Set the "Laserfiche Web Client Host URL" to be "https://fqdnOrAliasInCertificate.example.com/laserfiche" (replace with correct value for your system)
      2. Set "HTTPS Redirection" to "On".
    2. For Forms, in /FormsConfig:
      1. In the Forms Server tab of the config page, under "Primary Forms Server URL", select the "Use TLS connection" checkbox. See: Configuring TLS between Forms and the Internet Browser
      2. If using Directory Server (LFDS) auth, in the User Authentication tab of the config page, under "Laserfiche Forms Host URL", ensure the URL uses a fully-qualified name covered by the certificate, like "//fqdnOrAliasInCertificate.example.com/Forms".
    3. The Forms Notification Service uses TCP port 8181, which is not covered by the IIS https/443 certificate binding. To configure TLS for this service, follow the instructions under Configuring Notification Service When Using TLS. You launch a simple utility (NotificationConfigurationUtility.exe), select the "Use TLS" checkbox, select your certificate from the Certificate dropdown list, and Save.
  4. IMPORTANT: For manually configured public CA certificates, note the certificate expiration date and set reminders/alerts in an IT calendar or ticketing system to renew and rebind them in IIS and the Forms NotificationConfigurationUtility prior to their expiration.


If you are doing this for the first time, I strongly recommend finding someone who has worked with installing and configuring SSL/TLS certificates in IIS before to guide you. It's a common IT task and there is nothing Laserfiche-specific for the actual Windows/IIS certificate installation and binding steps. 

1 0
replied on July 1

Thank you so much Samuel for a detailed answer. We were planning to use a self-signed because our LF installation is run locally.

Just a few more questions:

  • Our LF installations run locally and so our server name does not bear a .com. It's something like http://ttc-lfserver/laserfiche. How would we use this if we are getting one from a CA?
  • This prefix before example.com (fqdnOrAliasinCertificate...) in your reply, are we to specify it like that or is it a placeholder for something else?
  • Must we use a fully qualified domain name even if we are running LF locally?
  • So NO to self-signed even if on a localhost?
0 0
replied on July 2

There is an important distinction here. Some people use "self-signed" to mean any certificate that isn't issued by a well-known public Certificate Authority, but this isn't what the term means. You can run your own CA as part of your Windows domain, and have it issue certificates, and you can use group policy to push your CA certificate into the trusted store on all of your domain. These certificates are not "self-signed", they are issued by a trusted CA.

0 0
SELECTED ANSWER
replied on July 2

If you want to look into what it takes to install an internal CA, which is what Brian was referring to, I have created a video that walks through the implementation process: https://youtu.be/ntdtjyPkpbI?si=FVCt4hqKzDuzJTBk. I would also be sure to read Microsoft's documentation on system requirements before doing the install.

2 0
replied on July 2

Before I respond to the individual questions, please try to find someone to work with on this who has some general experience with SSL/TLS certificates. Everyone has to learn somewhere, but these are very basic questions about certificates that make me concerned you're trying to do a security-sensitive task for the first time by yourself.

Responses:

  • Q: Our LF installations run locally and so our server name does not bear a .com. It's something like http://ttc-lfserver/laserfiche. How would we use this if we are getting one from a CA?
    • A: If the servers are joined to an AD domain (and at absolute minimum the one hosting Directory Server has to be), they will also have a fully qualified domain name (FQDN) like "ttc-lfserver.example.com", where "example.com" is a placeholder for the actual AD domain.
  • Q: This prefix before example.com (fqdnOrAliasinCertificate...) in your reply, are we to specify it like that or is it a placeholder for something else?
    • A: That's a placeholder for the hostname portion of the FQDN. In your case, it would be "ttc-lfserver" or similar.
  • Q: Must we use a fully qualified domain name even if we are running LF locally?
    • A: Yes.
      1. Public CAs will only issue certificates for fully qualified names.
      2. It's a good security practice and an important part of the security that certificates provide.
      3. A Private / Internal CA might let you issue a certificate for a non-fully-qualified name. This is a bad idea, violates widely accepted security guidelines, and even if you can, you shouldn't.
  • Q: So NO to self-signed even if on a localhost?
    • A: No. As Blake and Brian mentioned above, a Private / Internal CA is fine, like an AD Certificate Authority. That's not "self-signed". Internal users would normally already trust certificates issued by the Private / Internal CA. They should still be for fully-qualified names.
1 0
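As an added example, not from any poster in this thread or from Laserfiche: a PowerShell audit of the certificate behind each IIS https binding, covering the points raised in the answers above (self-signed vs. CA-issued, coverage of the fully qualified name, a trusted chain so the ca-bundle/intermediates are present, and the expiry reminder from step 4). It assumes the WebAdministration module on the IIS host; $ExpectedFqdn and $WarnDays are placeholders to adjust for your environment.

```powershell
# Added example, not from the thread: audit the certificate behind every IIS https
# binding. Run in an elevated PowerShell session on the IIS host.
param(
    [string]$ExpectedFqdn = 'ttc-lfserver.example.com',  # placeholder: FQDN users type in the browser
    [int]$WarnDays = 30                                  # renewal warning window in days
)

Import-Module WebAdministration -ErrorAction Stop

$bindings = Get-WebBinding -Protocol https
if (-not $bindings) { Write-Warning 'No https bindings found in IIS.'; return }

foreach ($b in $bindings) {
    $hash  = $b.certificateHash
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $hash }

    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation): no certificate with thumbprint $hash in LocalMachine\$store"
        continue
    }

    $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $selfSigned = ($cert.Subject -eq $cert.Issuer)            # issuer equals subject => self-signed
    $names      = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk     = $names -contains $ExpectedFqdn              # SAN must list the name users connect to
    $chainOk    = $cert.Verify()                              # chain builds against this host's trust store

    [pscustomobject]@{
        Binding      = $b.bindingInformation
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Expires      = $cert.NotAfter
        DaysLeft     = $daysLeft
        SelfSigned   = $selfSigned
        CoversFqdn   = $nameOk
        ChainTrusted = $chainOk
    } | Format-List

    if ($selfSigned)  { Write-Warning 'Self-signed certificate is bound; replace it with one issued by a public or internal CA.' }
    if (-not $nameOk) { Write-Warning "Certificate SANs ($($names -join ', ')) do not include $ExpectedFqdn." }
    if (-not $chainOk) { Write-Warning 'Chain does not validate here; the intermediate (ca-bundle) or root CA may not be installed.' }
    if ($daysLeft -le $WarnDays) {
        Write-Warning "Certificate expires in $daysLeft days; renew and rebind in IIS and in NotificationConfigurationUtility."
    }
}
```

The Forms Notification Service on port 8181 selects its certificate separately, so its expiry must be tracked alongside the IIS binding result shown here.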
replied on July 4

Hello Samuel,
Thank you so much for such an elaborate explanation. I really appreciate it. 
I am fully in the clear now with all the feedback here.


Thank you.

1 0

Replies

replied on July 5

Thank you @Blake for the Video Resource. It was definitely helpful.

0 0
replied on July 8

I just want to add as well, for those that use SCIM 2.0 in Laserfiche, that you need to manually select the proper SSL certificate in the configuration tool after you install a new certificate.

Directory Server\SCIM\LfdsScimServiceConfig.exe

0 0