Configuring SSL/TLS Encryption in Laserfiche
White Paper
Table of Contents
Introduction
Configuring Your Computers for SSL/TLS
    Which Version of SSL or TLS Does Laserfiche Use?
    How It Works
    Certificates from Trusted Root Certification Authorities
    Group Policy
    Server Certificates
        Binding the Server Certificate
Laserfiche Server
    To Configure the Laserfiche Server to Use SSL
    To Configure the Administration Console to Use SSL
    Laserfiche Server and LDAP Servers
    Windows Client
Web Client
    Granting the Web Client Application Pool Access to a Certificate’s Private Key
    To Enable SSL between the Web Client and the Repository
    To Enable SSL between the Web Client Server and Users’ Internet Browsers
    To Enable SSL between the Web Client and an SMTP Server
    Web Client Endpoint Utility
        To Configure Endpoints for the Web Client
Laserfiche Directory Server
    Configuring the Certificate and Service User
        To Configure Directory Server
        To Configure Each STS Instance
    Directory Server and Identity Providers
    Directory Server and Email Servers
Workflow
    Workflow and Laserfiche Server
        To configure the Workflow Server to use SSL when connecting to an SSL-enabled Laserfiche Server
    Workflow and Email Servers
Forms
    Granting FormsAppPool access to a certificate’s private key
    To configure SSL between the Forms server and internet browsers
    To configure SSL between Forms and Workflow or Forms and Discussions
    To configure SSL between Forms and email servers
    To configure SSL between Forms and Laserfiche Server
    To configure SSL between Forms and LDAP servers
    To configure SSL between Forms and Laserfiche Directory Server
Distributed Computing Cluster
    Prerequisites
        To configure SSL for the Distributed Computing Cluster
SQL Server
    ODBC Driver Configuration
    Changing Connection Strings
        To encrypt connections between the Laserfiche Server and SQL Server
        To encrypt connections between Laserfiche Directory Server and SQL Server
        To encrypt connections between Forms and SQL Server
        To encrypt connections between Workflow and SQL Server
Granting Access to Certificate Keys
    To grant an application pool identity or user access to a certificate key
Introduction
When you transmit data over a network, encryption is key to ensuring that intercepted
communications cannot be easily read by outsiders. Laserfiche supports Secure Sockets
Layer (SSL) and Transport Layer Security (TLS) encryption for connections to Laserfiche
products. Connections that can be encrypted include:
Connections between different Laserfiche servers.
Connections between a Laserfiche server and an SQL Server.
Connections from clients to Laserfiche servers.
Connections from Laserfiche servers to email or Active Directory servers.
If you’re using Laserfiche Directory Server to authenticate your users, it is mandatory to
configure SSL or TLS between the web application they’re authenticating from and
Directory Server. Learn more about Laserfiche Directory Server’s architecture.
This paper explains how to configure SSL encryption for connections to the following
applications: Laserfiche Server, Workflow, Forms, the web client, the Windows client,
Laserfiche Directory Server, the Distributed Computing Cluster, and SQL Server.
Configuring Your Computers for SSL/TLS
SSL and TLS are the names of two generations of the cryptographic protocol that secures
communication between computers. SSL is the predecessor to TLS; SSL 2.0 and 3.0 are obsolete
and should be disabled in Windows (Schannel), so in a current deployment the protocol actually
negotiated is TLS. Many resources nevertheless simply say “SSL” when they mean “either SSL or
TLS”. In this paper, we follow this convention by using “SSL” to mean “SSL or TLS”.
How It Works
SSL-encrypted HTTP traffic (HTTPS) is carried by convention on port 443, while unencrypted
HTTP traffic usually goes through port 80; you can bind SSL to other ports. The port number is
only a convention, however: what actually starts SSL is the client asking for it, by using an
https:// URL or by connecting to the port you have bound a certificate to. If you want to use
SSL to communicate across a firewall, ensure that whichever port you bound (443 by default) is
open in the firewall.
Digital certificates are key to configuring SSL. For the purposes of this paper, you
should understand the roles of certificates from trusted root certification authorities
and server certificates. A server proves its identity by presenting a server certificate that
is signed by a trusted authority and by proving, during the handshake, that it holds the
private key matching the public key in that certificate. A client decides whether to believe
the certificate by checking that it chains to a certificate from a root certification
authority in the client’s own trusted root store. The server therefore needs its own
certificate and private key, while each client needs only the root certification authority’s
certificate in its trust store; clients do not need certificates of their own unless you also
configure client certificate authentication. Note that in the Laserfiche context, servers can
play the role of clients when they are communicating with another server. For example, if the
Forms Server is checking a user’s credentials with Laserfiche Directory Server, it is acting
as a client contacting a server, so the Forms Server must trust the root that issued Directory
Server’s certificate.
A server certificate is an end-entity certificate: it is issued either directly by a root
certification authority or by an intermediate certification authority whose own certificate
was in turn issued by the root. Intermediate certificates inherit their authenticity from the
root certificate. As long as client computers have the root certificate in their trusted root
store, they will trust server certificates issued through intermediates under that root,
provided the server sends the intermediate certificates along with its own during the
handshake (IIS does this when the intermediates are installed in the local computer’s
Intermediate Certification Authorities store).
You can obtain a server certificate that clients will trust in three ways: by requesting one
from a third-party Certificate Authority (CA) whose root Windows already trusts, by creating a
self-signed certificate and distributing it to every client as a trusted root, or by creating
an internal CA, distributing its root certificate to your clients, and using that CA to issue
server certificates.
After obtaining the relevant certificates, you should configure your site bindings to
specify a port and certificate for SSL communication.
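The trust check described above can be exercised directly from a client computer. The following PowerShell function is an added example, not code from the Laserfiche paper: it opens a TLS connection to a server and lets .NET validate the certificate against the local trusted root store, which is the same check a Laserfiche client on that computer would perform. The host name and port are placeholders; 443 is the default from the paper.

```powershell
# Added example (not from the Laserfiche paper). Connects to $ServerName:$Port,
# performs the TLS handshake as a client, and reports what that client saw.
# AuthenticateAsClient throws when the certificate does not chain to a trusted
# root, does not match $ServerName, or has expired: exactly the cases in which
# a Laserfiche client on this machine would get a certificate warning.
function Test-ServerTls {
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # must be the name in the certificate
        [int] $Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($ServerName, $Port)
        # No validation callback is supplied, so the default chain and name checks apply.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($ServerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = "${ServerName}:${Port}"
            Verified   = $true
            Protocol   = $ssl.SslProtocol     # expect Tls12 or later, never Ssl3
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint     # the hash IIS Manager and netsh refer to
            Error      = $null
        }
    } catch {
        # Connection refused, untrusted root, name mismatch and expiry all land here.
        [pscustomobject]@{
            Server     = "${ServerName}:${Port}"
            Verified   = $false
            Protocol   = $null
            Subject    = $null
            Issuer     = $null
            NotAfter   = $null
            Thumbprint = $null
            Error      = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
}

# Placeholder host name; run this from the client computer, not the server.
Test-ServerTls -ServerName 'lfserver.example.com' -Port 443 | Format-List
```

Run it once from a client after installing the root certificate and once before, and compare the Error field; a name-mismatch error means the host name the clients use is not the one in the certificate, which no amount of root distribution will fix.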
To use a self-signed certificate to identify a server, create a self-signed server certificate
following Microsoft’s instructions, making sure its subject or subject alternative name is the
host name clients will use. Then, export the certificate (the public certificate only, without
the private key). Finally, add the certificate to the list of trusted root certificates on all
computers that will interact with the server. Because each server’s self-signed certificate
has to be distributed separately and cannot be revoked centrally, this option is best limited
to test environments.
Using an Internal Certificate Authority to Generate Root Certificates
If your Laserfiche servers and clients will interact wholly within a secure network, you
can set up an internal CA within the network to issue server certificates. One advantage that
this option has over using self-signed certificates is that only the internal CA’s root
certificate needs to be distributed and trusted, which is easy to manage in an Active
Directory environment. An internal CA is also more convenient if you want some servers’
certificates to be issued through intermediate CAs. For example, if you install the internal
CA’s root certificate in your client computers, these computers will also accept certificates
issued by intermediate CAs under that root.
See Microsoft’s instructions on how to set up an internal CA.
Group Policy
You can distribute the certificates from a trusted root certification authority to all
computers in a Windows domain or organizational unit by using Group Policy (Computer
Configuration > Policies > Windows Settings > Security Settings > Public Key Policies >
Trusted Root Certification Authorities). This is especially useful if you are using a
self-signed certificate or an internal CA, as you will likely want only internal computers
to trust the certificates.
Server Certificates
To obtain a server certificate from a third-party CA, generate a Certificate Signing Request
(CSR) on the server (IIS Manager’s Create Certificate Request does this and keeps the private
key on the server) and submit it to the CA. Your CA will provide instructions on how to do
this. After you obtain the server certificate from them, complete the request by importing the
certificate following Microsoft’s instructions; the imported certificate is paired with the
private key that was generated for the CSR.
If you had created a self-signed certificate, this certificate should already be listed under
Server Certificates in your IIS Manager, so you do not need to create another server
certificate.
If you used an internal CA to generate root certificates, you can request server
certificates from your internal CA server following these instructions.
After you have a server certificate, you should bind it to a port as follows.
Binding a Certificate for Web Services
For web services, bind your server certificate to a port using IIS Manager.
1. Open IIS Manager by clicking on Windows Administrative Tools from the Start
menu and double-clicking Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the node for your Windows server in the Connections
pane. Then click on Sites.
3. In the main pane, select the site you are configuring. In the Actions pane, click on
Bindings….
4. In the Site Bindings dialog, click on Add….
5. In the Add Site Binding dialog, configure the following options:
a. Select https under Type.
b. Under IP address, select either the IP address of the site or All
Unassigned.
c. Under Port, specify the port you want to use for SSL traffic. By default,
this is port 443.
d. Under SSL certificate, select the desired SSL certificate from the list of
server certificates. Choose one whose subject or subject alternative name matches
the host name clients will use; otherwise they will receive a name-mismatch warning
even though the certificate is trusted.
6. Click OK to save your changes in the Add Site Binding dialog, then Close to
close the Site Bindings dialog.
Binding a Certificate Using netsh
Some services, like the Laserfiche Forms Notification Service, are not hosted in IIS. To
bind a certificate to a port for these services, run the netsh command as follows from an
elevated command prompt.
netsh http add sslcert ipport=0.0.0.0:portNumber certhash=certificateHash appid={randomGUID}
Replace the placeholders as follows:
Replace portNumber with the port that the service is using.
Replace certificateHash with the certificate’s hash (thumbprint): the hexadecimal value
shown in the Certificate Hash column when you open IIS Manager and double-click Server
Certificates, entered without spaces. The certificate must be in the local computer’s
Personal store together with its private key.
Replace randomGUID with a randomly generated GUID, in braces. netsh uses it only to record
which application owns the binding; you can generate one in PowerShell with [guid]::NewGuid().
You can confirm the result with netsh http show sslcert ipport=0.0.0.0:portNumber.
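The netsh binding above can be scripted so that the thumbprint is looked up rather than copied by hand, and so that the usual failure cases (wrong thumbprint, certificate without a private key, port already bound) are caught before netsh runs. The following PowerShell function is an added example, not code from the Laserfiche paper. It assumes the certificate is already in the local computer’s Personal store and that the shell is elevated; the thumbprint and port are placeholders (8181 is the Forms notification hub port mentioned later in this paper).

```powershell
# Added example (not from the Laserfiche paper). Binds the certificate with the
# given thumbprint to 0.0.0.0:$Port with "netsh http add sslcert", after checking
# the certificate exists, has a private key and chains to a trusted root.
function Add-SslPortBinding {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # Certificate Hash column in IIS Manager
        [Parameter(Mandatory)] [int]    $Port,
        [guid] $AppId = [guid]::NewGuid()               # any GUID; netsh only records it as the owner
    )
    # netsh wants the hash with no spaces; certificate viewers often show it with them.
    $hash = $Thumbprint -replace '\s', ''

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert)               { throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key; SSL cannot use it" }
    # Verify() builds the chain against this computer's trusted roots (and checks
    # revocation, so it may need network access to the CA's CRL or OCSP endpoint).
    if (-not $cert.Verify()) {
        Write-Warning "Certificate $hash does not chain to a trusted root on this computer; clients will see a warning"
    }

    # "netsh http add sslcert" fails if the port is already bound; report what is there instead.
    $existing = netsh http show sslcert "ipport=0.0.0.0:$Port"
    if ($LASTEXITCODE -eq 0 -and ($existing -match 'Certificate Hash')) {
        throw "Port $Port already has an SSL binding:`n$($existing -join "`n")"
    }

    netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$hash" "appid={$AppId}"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

    # Read the binding back so the caller can confirm which hash ended up on the port.
    netsh http show sslcert "ipport=0.0.0.0:$Port"
}

# Placeholder thumbprint; 8181 is the Forms notification hub port used later in this paper.
Add-SslPortBinding -Thumbprint 'PASTE-THUMBPRINT-HERE' -Port 8181
```

To change the certificate on a port that is already bound (for example after renewal), delete the old binding first with netsh http delete sslcert ipport=0.0.0.0:portNumber and then run the function again.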
Laserfiche Server
In order for the Laserfiche Server to communicate using SSL/TLS, you must configure
the server to have a server certificate that chains to a trusted root certification
authority, as described in Configuring Your Computers for SSL/TLS. In addition, all computers
connecting to the server must have that root certificate in their trusted root store,
otherwise they will encounter a warning when trying to connect to the server.
After you’ve installed a server certificate, follow these instructions to configure SSL
between your Laserfiche Server and other servers or clients:
Configure the Laserfiche Server to use SSL
Configure the Administration Console to use SSL
Configure SSL between the Laserfiche Server and LDAP Servers
Configure SSL between the Laserfiche Server and the Windows client
To Configure the Administration Console to Use SSL
You can remotely administer repositories using the Laserfiche Administration Console.
When you register a server in the Administration Console, check the Connect with SSL
box.
If you already have a server registered and want the Administration Console to connect
to it using SSL, you will have to de-register the server and re-register it. You can de-
register any server by right-clicking on its name in the Administration Console,
hovering over All Tasks, and clicking Remove Server Registration. When you re-
register the server, make sure that Connect with SSL is checked. After you de-register a
server, you may need to restart the computer hosting the server before you can re-
register the server.
Note: This configuration affects only communications that verify
repository named users from LDAP servers. It does not apply to LDAP
users who are registered in Laserfiche Directory Server, then registered to
a repository under their Directory Server account. For the latter kind of
user, Laserfiche Server communicates only with Laserfiche Directory
Server.
Windows Client
To configure the Windows client to connect to Laserfiche Server using SSL, make sure
that the Use SSL Connection box is selected when you attach a repository. If your
repository is already attached but the connection is not using SSL, you can detach the
repository, then make sure that Use SSL Connection is selected when you re-attach it.
The computer that the Windows client is connecting from must also have the
appropriate root certificates associated with the Laserfiche servers that it connects to.
Web Client
In order for the web client server to communicate using SSL/TLS, you must configure
the server to have a server certificate that chains to a trusted root certification
authority, as described in Configuring Your Computers for SSL/TLS. In addition, all computers
connecting to the server must have that root certificate in their trusted root store,
otherwise they will encounter a warning when trying to connect to the server.
Note: If you enabled HTTPS redirection but specified a Laserfiche Web
Client Host URL on the same page that does not begin with “https”, you
will receive a warning when you attempt to save your settings.
Laserfiche Directory Server
As part of its single sign-on service, Laserfiche Directory Server requires SSL when
communicating with other Laserfiche products to authenticate users. It also requires
SSL for connections to the Directory Server configuration site from web browsers.
Configuring SSL is part of the installation process, and if this step is skipped, the
administrator must add a server certificate and bind it in IIS Manager after the fact. In
addition, all computers connecting to Directory Server must have the appropriate
certificate from a trusted root certification authority installed, otherwise they will
encounter a warning when trying to connect to the server.
In this section, we cover the configuration of SSL for Directory Server STS tokens,
communication between Directory Server and identity providers, and communication
between Directory Server and email servers. To learn how to set up SSL for the
Directory Server SQL database, see the section on SQL Server.
5. Make sure that the service user specified in step 2 has Read permissions to the
certificate’s private key, following the instructions in Granting Access to
Certificate Keys.
Directory Server and Email Servers
When you add a new email server profile on the Directory Server licensing site, you can
configure Directory Server to use SSL with the email server by selecting the Use SSL
box.
Workflow
In order for the Workflow server to communicate using SSL/TLS, you must configure
the server to have a server certificate that chains to a trusted root CA, as
described in Configuring Your Computers for SSL/TLS. In addition, all computers
connecting to the server must have that root certificate in their trusted root store,
otherwise they will encounter a warning when trying to connect to the server.
To configure Workflow to use SSL when connecting to the Laserfiche Server,
continue reading.
To use SSL for the emails that Workflow sends, see Workflow and Email Servers.
To encrypt connections between Workflow and SQL Server, see the SQL Server
section.
2. Ensure Workflow is configured to use SSL when connecting to the Laserfiche Server.
3. Open the Registry Editor by running regedit.exe.
4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Laserfiche\Client8\Profile\IPDatabase. The path contains "Client8" even if Laserfiche 9 or later is installed.
Note: On 64-bit Windows, the registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Laserfiche\Client8\Profile\IPDatabase.
5. Create a string value named after your repository whose value data is the Laserfiche Server’s fully qualified domain name.
a. Select the IPDatabase key. Right-click in the viewing pane, point to New, and select String Value.
b. Type the name of the repository as the name of the string value.
c. Double-click the RepositoryName string value to open the Edit String dialog box.
d. In the Value data field, type in the Laserfiche Server’s fully qualified domain name. Use the name that appears in the server certificate’s subject or subject alternative name, not an IP address or short name, or the certificate check will fail.
6. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Laserfiche\Client8\Profile\RepositoryName, where RepositoryName is the name of your repository. The path contains "Client8" even if Laserfiche 9 or later is installed.
Note: On 64-bit Windows, the registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Laserfiche\Client8\Profile\RepositoryName.
a. Create a string value named UseSSL.
b. Double-click the string to open the Edit String dialog box.
c. Change the Value data to yes.
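The registry steps above can be applied in one go and read back for verification. The following PowerShell function is an added example, not code from the Laserfiche paper; it writes the same two string values the steps describe, choosing the Wow6432Node path on 64-bit Windows, and must be run in an elevated shell on the Workflow server. The repository name and server name are placeholders.

```powershell
# Added example (not from the Laserfiche paper). Writes the registry values the
# Workflow steps describe: IPDatabase\<repository> = server FQDN and
# <repository>\UseSSL = yes under the (32-bit) Client8 profile key.
function Set-WorkflowRepositorySsl {
    param(
        [Parameter(Mandatory)] [string] $RepositoryName,
        [Parameter(Mandatory)] [string] $ServerFqdn      # name in the server certificate
    )
    if ($ServerFqdn -notmatch '\.' -or $ServerFqdn -match '^\d+\.\d+\.\d+\.\d+$') {
        throw "Use the server's fully qualified domain name, not a short name or IP address: $ServerFqdn"
    }

    # The Client8 profile is 32-bit, so on 64-bit Windows it lives under Wow6432Node.
    $profileKey = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\Laserfiche\Client8\Profile'
    } else {
        'HKLM:\SOFTWARE\Laserfiche\Client8\Profile'
    }
    $ipKey   = Join-Path $profileKey 'IPDatabase'
    $repoKey = Join-Path $profileKey $RepositoryName

    foreach ($key in $ipKey, $repoKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Step 5: IPDatabase\<RepositoryName> = server FQDN.
    New-ItemProperty -Path $ipKey -Name $RepositoryName -Value $ServerFqdn -PropertyType String -Force | Out-Null
    # Step 6: <RepositoryName>\UseSSL = yes.
    New-ItemProperty -Path $repoKey -Name 'UseSSL' -Value 'yes' -PropertyType String -Force | Out-Null

    # Read back exactly what Workflow will see.
    [pscustomobject]@{
        ProfileKey = $profileKey
        Repository = $RepositoryName
        Server     = (Get-ItemProperty -Path $ipKey).$RepositoryName
        UseSSL     = (Get-ItemProperty -Path $repoKey).UseSSL
    }
}

# Placeholder repository and server names.
Set-WorkflowRepositorySsl -RepositoryName 'MyRepository' -ServerFqdn 'lfserver.example.com'
```

Restart the Workflow service after running it so the new profile values are picked up.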
Forms
In order for the Forms server to communicate using SSL/TLS, you must configure the
server to have a server certificate that chains to a trusted root CA, as described in
Configuring Your Computers for SSL/TLS. In addition, all computers connecting to the
server must have that root certificate in their trusted root store, otherwise they will
encounter a warning when trying to connect to the server.
You may want to configure SSL between the Forms server and the following entities:
Users’ internet browsers
Workflow or Discussions
Email servers
The Laserfiche Server
LDAP servers
Laserfiche Directory Server
SQL Server.
Note: If you configure SSL between Forms and internet browsers, you
should also configure SSL between Forms and Workflow, and between
Forms and Discussions (if Forms is communicating with these
applications).
5. The following steps are necessary for Forms notifications to work when SSL is
enabled.
a. Find the certificate hash for the certificate used in the Forms website. You
can get the certificate hash by navigating to Server Certificates in IIS
Manager and copying the value in the Certificate Hash column, as shown
in the following image:
d. Update the following configuration files manually to change the hub host address to use https.
The hub configuration file, located by default at C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Hub\Laserfiche.PushNotificationService.Hub.Host.exe.config. Find the line with the HubHostAddress key and change it to the following: <add key="HubHostAddress" value="https://*:8181" />
The master configuration file, located by default at C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Service\Laserfiche.PushNotificationService.Master.Host.exe.config. Find the line with the HubAddress key and change it to the following: <add key="HubAddress" value="https://HUBSERVER:8181" />, replacing HUBSERVER with your server name (the name in the hub server’s certificate).
e. Restart the Laserfiche Notification Hub Service and the Laserfiche Notification Master Service.
During Save to Repository service tasks.
If you are authenticating through Laserfiche Server and want to use SSL for this type of
authentication, make sure that Use SSL Connection is selected when you configure
Laserfiche Server authentication.
Save to Repository tasks are controlled by repository profiles. To configure SSL for Save
to Repository actions, select the Use SSL connection checkbox when creating or editing
a repository profile.
7. Click Save to save your configuration.
Distributed Computing Cluster
You can configure the Distributed Computing Cluster to communicate securely with
the Laserfiche Server using SSL.
Prerequisites
Before you start configuring SSL for the Distributed Computing Cluster:
Ensure the Laserfiche Server has already been configured to use SSL.
Ensure the client computers have a valid trusted root authority certificate.
SQL Server
You can ensure that connections from Laserfiche servers to their respective SQL Servers
are encrypted using any of the following methods:
Forcing the SQL Server to use encryption. This will apply to all databases within
that SQL Server, not just the Laserfiche databases. SQL Server will deny access to
any attempted connections that are unencrypted, so if you use this option, make
sure that all services that access that SQL Server use SSL. To pursue this option,
see Microsoft’s instructions.
Enforce encryption at the level of the ODBC driver.
Change the connection strings that specific Laserfiche servers use to connect to
their SQL databases.
Driver={DriverName};Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;Encrypt=yes;
Where DriverName would be something like “ODBC Driver 11 for SQL Server”, and you would fill in
the appropriate names for myServerAddress and myDataBase. Leave TrustServerCertificate at its
default of no: with Encrypt=yes and TrustServerCertificate=no the driver validates the SQL
Server’s certificate against the client’s trusted roots, so myServerAddress must be the name in
that certificate. Setting TrustServerCertificate=yes still encrypts the connection but skips
that validation, which leaves it open to anyone who can interpose between the client and the SQL
Server.
parameter connection string that is in the list of parameters under connectionString. For example, if the line originally reads as follows:
<add name="FormsEntities" connectionString="metadata=res://*/FormsEntities.csdl|res://*/FormsEntities.ssdl|res://*/FormsEntities.msl;provider=System.Data.SqlClient;provider connection string="data source=myDataSource;initial catalog=Forms;persist security info=True;Integrated Security=True;multipleactiveresultsets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
You should alter it to be:
<add name="FormsEntities" connectionString="metadata=res://*/FormsEntities.csdl|res://*/FormsEntities.ssdl|res://*/FormsEntities.msl;provider=System.Data.SqlClient;provider connection string="data source=myDataSource;initial catalog=Forms;persist security info=True;Integrated Security=True;multipleactiveresultsets=True;App=EntityFramework;Encrypt=True"" providerName="System.Data.EntityClient" />
In the file itself the inner quotation marks around the provider connection string are written as &quot;. Add Encrypt=True inside that inner provider connection string, not at the end of the outer connectionString, because Entity Framework passes only the inner string to SqlClient.
4. Open the RoutingEngineServiceHost.exe.config file (the configuration file for RoutingEngineServiceHost.exe) in the Forms\bin subfolder of your Forms installation folder. By default, the subfolder is at C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin.
5. Repeat Steps 2 and 3 for RoutingEngineServiceHost.exe.config.
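Rather than inspect each connection string by eye, you can have .NET parse them. The following PowerShell function is an added example, not code from the Laserfiche paper: it reads every connectionStrings/add entry in a .config file, unwraps the Entity Framework “provider connection string” where present, and reports whether the SQL connection is encrypted and whether the server certificate is actually validated. With -Fix it adds Encrypt=True to any entry that lacks it, after taking a backup. It assumes Windows PowerShell 5.1, which has System.Data loaded; the config paths are placeholders based on the defaults in this paper.

```powershell
# Added example (not from the Laserfiche paper). Audits, and optionally fixes,
# the SQL connection strings in a .NET .config file. Entity Framework entries
# carry the real SqlClient settings inside "provider connection string", so the
# nested string is parsed separately; plain SqlClient entries are parsed directly.
function Test-ConfigSqlEncryption {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [switch] $Fix
    )
    $path = (Resolve-Path $ConfigPath).ProviderPath
    $xml = [System.Xml.XmlDocument]::new()
    $xml.PreserveWhitespace = $true      # keep the file's layout if we write it back
    $xml.Load($path)
    $changed = $false

    foreach ($add in $xml.SelectNodes('//connectionStrings/add')) {
        $outer = [System.Data.Common.DbConnectionStringBuilder]::new()
        $outer.ConnectionString = $add.GetAttribute('connectionString')

        $isEf = $outer.ContainsKey('provider connection string')
        $sqlString = if ($isEf) { [string]$outer['provider connection string'] } else { $outer.ConnectionString }
        $sql = [System.Data.SqlClient.SqlConnectionStringBuilder]::new($sqlString)

        $verdict = if (-not $sql.Encrypt) {
            'NOT ENCRYPTED by the client (unless SQL Server forces encryption)'
        } elseif ($sql.TrustServerCertificate) {
            # Encrypted, but any certificate is accepted: a man in the middle is not detected.
            'encrypted, server certificate NOT validated'
        } else {
            'encrypted and validated'
        }
        [pscustomobject]@{
            Name                   = $add.GetAttribute('name')
            DataSource             = $sql.DataSource
            Encrypt                = $sql.Encrypt
            TrustServerCertificate = $sql.TrustServerCertificate
            Verdict                = $verdict
        }

        if ($Fix -and -not $sql.Encrypt) {
            $sql.Encrypt = $true
            if ($isEf) {
                # Put the rebuilt SqlClient string back inside the EF wrapper; the
                # builder re-quotes it, and XmlDocument writes the quotes as &quot;.
                $outer['provider connection string'] = $sql.ConnectionString
                $add.SetAttribute('connectionString', $outer.ConnectionString)
            } else {
                $add.SetAttribute('connectionString', $sql.ConnectionString)
            }
            $changed = $true
        }
    }

    if ($changed) {
        Copy-Item -Path $path -Destination "$path.bak" -Force   # keep the original
        $xml.Save($path)
    }
}

# Placeholder paths: the Forms web.config and routing engine config from this paper.
Test-ConfigSqlEncryption -ConfigPath 'C:\Program Files\Laserfiche\Laserfiche Forms\Forms\web.config'
Test-ConfigSqlEncryption -ConfigPath 'C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin\RoutingEngineServiceHost.exe.config'
```

When -Fix rewrites an entry, SqlConnectionStringBuilder normalises the keyword names (for example App becomes Application Name); the settings are unchanged. A verdict of “encrypted, server certificate NOT validated” deserves the same attention as an unencrypted entry, because TrustServerCertificate=True is usually a leftover from working around a certificate that the Forms server did not trust.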
Granting Access to Certificate Keys
In many of the preceding instructions, you are asked to ensure that certain users or
application pool identities have access to certificate keys. The following instructions
explain how to do so. They assume that you have imported the relevant certificate into
the Personal folder of your local computer’s certificate store.
ensure that Allow is checked for the relevant permission. The permissions
required for the objects mentioned in this paper are as follows:
a. Full control for the FormsAppPool
b. Read for LicenseManagerSTSAppPool, WebAccessAppPool, and the
Directory Server service user.
8. Click OK to save your settings.
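The same permission can be granted from the command line, which is easier to repeat across servers and to review. The following PowerShell function is an added example, not code from the Laserfiche paper: it locates the file that holds the certificate’s machine private key (the location differs between keys stored by a legacy CSP and by the CNG key storage provider) and adds the requested file-system permission for the given identity. It assumes an RSA certificate in the local computer’s Personal store and an elevated shell; the thumbprint is a placeholder.

```powershell
# Added example (not from the Laserfiche paper). Grants $Identity the Read or
# FullControl permission on the private key of the certificate with $Thumbprint,
# equivalent to "Manage Private Keys" in the certificates console.
function Grant-CertificateKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $Identity,      # e.g. 'IIS AppPool\FormsAppPool' or 'DOMAIN\svc-lfds'
        [ValidateSet('Read', 'FullControl')] [string] $Rights = 'Read'
    )
    $hash = $Thumbprint -replace '\s', ''
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert)               { throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key to grant access to" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Certificate $hash does not have an RSA private key" }

    # Machine keys are files under ProgramData; the folder depends on the provider that stores the key.
    $keyFile = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    } else {
        throw "Unsupported private key type $($rsa.GetType().Name)"
    }
    if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }

    $acl  = Get-Acl -Path $keyFile
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Show the resulting entry so the change can be checked.
    (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Permissions from this paper: Full control for FormsAppPool, Read for the others. Placeholder thumbprint.
Grant-CertificateKeyAccess -Thumbprint 'PASTE-THUMBPRINT-HERE' -Identity 'IIS AppPool\FormsAppPool' -Rights FullControl
Grant-CertificateKeyAccess -Thumbprint 'PASTE-THUMBPRINT-HERE' -Identity 'IIS AppPool\LicenseManagerSTSAppPool' -Rights Read
Grant-CertificateKeyAccess -Thumbprint 'PASTE-THUMBPRINT-HERE' -Identity 'IIS AppPool\WebAccessAppPool' -Rights Read
```

Grant Read wherever the paper asks for Read; Full control lets the identity delete or overwrite the key, so give it only to FormsAppPool as the paper specifies, and recheck the entries after renewing a certificate, since a new certificate has a new key file with no inherited permissions.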
Configuring SSL/TLS Encryption in Laserfiche
January 2019
Description:
This paper describes how to configure SSL or TLS for connections between different Laserfiche products,
connections between a Laserfiche server and an SQL Server, and client connections to Laserfiche.
Laserfiche
3545 Long Beach Blvd.
Long Beach, CA 90807
U.S.A
Phone: +1.562.988.1688
www.laserfiche.com
Laserfiche is a trademark of Compulink Management Center, Inc. Various product and service names references
herein may be trademarks of Compulink Management Center, Inc. All other products and service names
mentioned may be trademarks of their respective owners.
Laserfiche makes every effort to ensure the accuracy of these contents at the time of publication. They are for
information purposes only and Laserfiche makes no warranties, express or implied, as to the information herein.