HTTPS for RestAPI

NOTE:
Ensure that hostnames can be mapped to IP.
  1. Ensure that the value of the ‘urls’ parameter is “https://*:12345”:
    <add assembly="RA.InfoPlatform.PlugIn.WebServiceHost" type="RA.InfoPlatform.PlugIn.WebServiceHost.PlugInInfo">
      <Parameters>
        <add name="urls" value="https://*:12345" />
      </Parameters>
    </add>
    When this is enabled, some additional manual steps are required, as described below:
    NOTE:
    Ensure that a valid IP address and port are used when performing this configuration.
  2. If you run into trouble with the netsh commands, try the following, replacing the certhash and appid values with the correct values for the certificate.
  3. Execute the following commands as an administrator at the command prompt.
    1. netsh http add urlacl url=https://*:<port>/ user=<domain>\<user>
      Where:
      • url: the URL of the FTA InfoPlatform web service, including the port
      • user: the user or group for which the registration is being created
      Example for a server on the domain:
      netsh http add urlacl url=https://*:12345/ user=BUILTIN\Users
      NOTE:
      In the above command, "domain" is either the NTDomain (as defined in Windows Active Directory) or the local computer name (if the machine is in a workgroup rather than a domain).
      This command reserves the specified URL for non-administrator users and accounts. The discretionary access control list (DACL) can be specified by using an account name with the listen and delegate parameters or by using a security descriptor definition language (SDDL) string.
    2. netsh http add sslcert ipport=<IP Address>:<port> certhash=21d150d80ea8e55fc7ae28e3a1746667ba77993e appid={214124cd-d05b-4309-9af9-9caa44b2b74a}
      Where:
      • ipport=<IP Address>:<port>
        Specifies the IP address and port for the binding.
      • certhash=string
        Specifies the SHA-1 hash (thumbprint) of the certificate. This hash is 20 bytes long and is specified as a 40-character hexadecimal string; the value follows certhash= directly, without a space. To get the certhash, open the properties of the certificate in certlm and use the value of the Thumbprint property with the spaces removed.
      • appid=GUID
        Specifies a GUID that identifies the owning application.
      This command adds a new Secure Sockets Layer (SSL) server certificate binding and the corresponding client certificate policies for an IP address and port.
      Example:
      netsh http add sslcert ipport=<IP Address>:12345 certhash=21d150d80ea8e55fc7ae28e3a1746667ba77993e appid={214124cd-d05b-4309-9af9-9caa44b2b74a}
    NOTE:
    You may encounter the error “SSL Certificate add failed, Error: 1312”. This is possibly caused by binding a certificate that has only a public key, with the private key missing, for example because a .cer file was installed rather than a .pfx file.
    NOTE:
    You may also encounter the following error in the event viewer on startup:
    An exception was caught starting the InfoPlatform service: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.HttpListenerException: Failed to listen on prefix 'https://ws2012r2adsb.psdemo.local:12345/' because it conflicts with an existing registration on the machine.
    This may be caused by the “netsh http add urlacl” command (see the item above) having registered the URL incorrectly (e.g. http instead of https).
    Run the following command to delete the existing URL registration:
    netsh http delete urlacl url=https://<IP>:<PORT>/
    When connecting to the service from a browser on the local machine, use a URL such as https://localhost:12345. When connecting to a remote server, enter the hostname as it appears in the “IssuedTo” field of the certificate when viewed in “certlm”.
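The procedure above, as an added PowerShell example that is not part of this documentation: it locates the certificate in the Local Computer store, checks for the Error 1312 (no private key) and conflicting-registration conditions described in the notes, then runs the netsh commands and shows the result. $HostName, $IPAddress and $User are placeholders to replace; $AppId is the GUID from the example above.

```powershell
$HostName  = "server.example.local"   # placeholder: the certificate's "Issued To" name
$Port      = 12345
$IPAddress = "0.0.0.0"                # placeholder: IP address the service listens on
$User      = "BUILTIN\Users"          # placeholder: account or group for the urlacl
$AppId     = "{214124cd-d05b-4309-9af9-9caa44b2b74a}"

# 1. Locate the certificate in the Local Computer personal store (certlm -> Personal).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate issued to $HostName in LocalMachine\My" }

# Guard against Error 1312: a .cer import carries no private key; the binding needs a .pfx.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the .pfx instead of the .cer"
}
$certHash = $cert.Thumbprint   # 40 hex characters, no spaces, as netsh expects

# 2. Guard against the 'conflicts with an existing registration' startup error:
#    a stale http:// reservation on the same port is removed before the https:// one is added.
$existing = netsh http show urlacl
if ($existing -match "http://\*:$Port/") {
    Write-Warning "Removing stale http reservation on port $Port"
    netsh http delete urlacl url="http://*:$Port/" | Out-Null
}

# 3. Reserve the HTTPS URL for the non-administrator account/group and bind the certificate.
#    The certhash and appid values follow '=' directly, with no space.
netsh http add urlacl url="https://*:$Port/" user=$User
netsh http add sslcert ipport="${IPAddress}:$Port" certhash=$certHash appid=$AppId

# 4. Verify what HTTP.sys now has registered for this port.
netsh http show urlacl url="https://*:$Port/"
netsh http show sslcert ipport="${IPAddress}:$Port"
```

Run from an elevated PowerShell prompt; the show commands at the end are the quickest check that the reservation and certificate binding match the 'urls' value in the plug-in configuration.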