
Configuring SSL/TLS Encryption in Laserfiche

White Paper
Table of Contents

Introduction .................................................................................................................................. 4
Configuring Your Computers for SSL/TLS .............................................................................. 5
Which Version of SSL or TLS Does Laserfiche Use? ........................................................... 5
How It Works ........................................................................................................................... 5
Certificates from Trusted Root Certification Authorities................................................... 6
Group Policy ............................................................................................................................. 7
Server Certificates .................................................................................................................... 7
Binding the Server Certificate ............................................................................................ 7
Laserfiche Server .......................................................................................................................... 9
To Configure the Laserfiche Server to Use SSL ................................................................... 9
To Configure the Administration Console to Use SSL ..................................................... 10
Laserfiche Server and LDAP Servers .................................................................................. 10
Windows Client ...................................................................................................................... 11
Web Client ................................................................................................................................... 12
Granting the Web Client Application Pool Access to a Certificate’s Private Key ........ 12
To Enable SSL between the Web Client and the Repository ........................................... 12
To Enable SSL between the Web Client Server and Users’ Internet Browsers ............. 12
To Enable SSL between the Web Client and an SMTP Server ......................................... 13
Web Client Endpoint Utility ................................................................................................. 13
To Configure Endpoints for the Web Client .................................................................. 13
Laserfiche Directory Server ...................................................................................................... 14
Configuring the Certificate and Service User .................................................................... 14
To Configure Directory Server ......................................................................................... 14
To Configure Each STS Instance ...................................................................................... 15
Directory Server and Identity Providers ............................................................................ 15
Directory Server and Email Servers .................................................................................... 16
Workflow..................................................................................................................................... 17
Workflow and Laserfiche Server ......................................................................................... 17

To configure the Workflow Server to use SSL when connecting to an SSL-enabled
Laserfiche Server ................................................................................................................ 17
Workflow and Email Servers ............................................................................................... 18
Forms ........................................................................................................................................... 19
Granting FormsAppPool access to a certificate’s private key ..................................... 19
To configure SSL between the Forms server and internet browsers .......................... 19
To configure SSL between Forms and Workflow or Forms and Discussions ........... 21
To configure SSL between Forms and email servers .................................................... 21
To configure SSL between Forms and Laserfiche Server ............................................. 21
To configure SSL between Forms and LDAP servers ................................................... 22
To configure SSL between Forms and Laserfiche Directory Server ........................... 22
Distributed Computing Cluster ............................................................................................... 24
Prerequisites............................................................................................................................ 24
To configure SSL for the Distributed Computing Cluster ........................................... 24
SQL Server .................................................................................................................................. 25
ODBC Driver Configuration ................................................................................................ 25
Changing Connection Strings .............................................................................................. 25
To encrypt connections between the Laserfiche Server and SQL Server ................... 25
To encrypt connections between Laserfiche Directory Server and SQL Server ....... 26
To encrypt connections between Forms and SQL Server ............................................ 26
To encrypt connections between Workflow and SQL Server ...................................... 27
Granting Access to Certificate Keys ........................................................................................ 28
To grant an application pool identity or user access to a certificate key ................... 28

Introduction
When you transmit data over a network, encryption is key to ensuring that intercepted
communications cannot be easily read by outsiders. Laserfiche supports Secure Sockets
Layer (SSL) and Transport Layer Security (TLS) encryption for connections to Laserfiche
products. Connections that can be encrypted include:
• Connections between different Laserfiche servers.
• Connections between a Laserfiche server and an SQL Server.
• Connections from clients to Laserfiche servers.
• Connections from Laserfiche servers to email or Active Directory servers.
If you’re using Laserfiche Directory Server to authenticate your users, it is mandatory to
configure SSL or TLS between the web application they’re authenticating from and
Directory Server. Learn more about Laserfiche Directory Server’s architecture.
This paper explains how to configure SSL encryption for connections to the following
applications: Laserfiche Server, Workflow, Forms, the web client, the Windows client,
Laserfiche Directory Server, the Distributed Computing Cluster, and SQL Server.

Configuring Your Computers for SSL/TLS
SSL and TLS are variant names for cryptographic protocols that secure communication
between computers. SSL is the predecessor to TLS, but many resources simply say
“SSL” when they mean “either SSL or TLS”. In this paper, we follow this convention
by using “SSL” to mean “SSL or TLS”.

Which Version of SSL or TLS Does Laserfiche Use?
Laserfiche supports both SSL and TLS. As of Laserfiche 10, the newest version of these
protocols that Laserfiche supports is TLS 1.2.
• If TLS 1.2 is not working on your server, ensure that you’ve explicitly enabled it.
• Laserfiche clients and servers communicate with each other using the most
modern protocol that both parties are able to use. If you want Laserfiche to use
an earlier version of SSL or TLS, disable the later versions by changing registry
key values on the relevant computers. See Microsoft’s resources on how to
disable the various protocols.
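Windows decides which SSL/TLS versions SCHANNEL offers from registry keys under SecurityProviders\SCHANNEL\Protocols, which is where the “explicitly enable TLS 1.2” advice above is carried out. The following PowerShell script is an added example, not part of the Laserfiche white paper: it reports the state of each protocol for the client and server roles and enables TLS 1.2 if it is found disabled. It assumes an elevated session; a reboot is required before SCHANNEL picks up changes.

```powershell
# Added example (not from the Laserfiche white paper): audit the SCHANNEL protocol keys
# and explicitly enable TLS 1.2 for both roles. Run elevated; reboot afterwards.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and role. An absent key means the operating-system
    # default applies, which is reported as such rather than guessed.
    foreach ($p in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $SchannelRoot "$p\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = 'Enabled'
            if ($null -eq $props) { $state = 'OS default (key absent)' }
            elseif ($props.Enabled -eq 0) { $state = 'Disabled' }
            elseif ($props.DisabledByDefault -eq 1) { $state = 'Disabled by default' }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                Enabled           = if ($props) { $props.Enabled } else { $null }
                DisabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }
                State             = $state
            }
        }
    }
}

function Enable-Tls12 {
    # Create the TLS 1.2 Client and Server keys if missing and set
    # Enabled = 1, DisabledByDefault = 0 (the values SCHANNEL reads).
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "TLS 1.2\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize

$tls12Off = Get-SchannelProtocolState |
    Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -like 'Disabled*' }
if ($tls12Off) {
    Write-Warning 'TLS 1.2 is disabled in SCHANNEL; enabling it (reboot required).'
    Enable-Tls12
}
```

The script only ever turns TLS 1.2 on; disabling older protocols is a separate, deliberate change that should be tested against every client first.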

How It Works
SSL-encrypted communication is typically carried through port 443, although you can
configure it to use other ports. The port distinguishes HTTP (unencrypted) traffic from
HTTPS (SSL-encrypted) traffic, as normal HTTP traffic usually goes through port 80.
When the client chooses to use this port, it indicates to the server that it wants to
communicate with SSL. If you want to use SSL to communicate across a firewall, ensure
that port 443 is open in the firewall.
Digital certificates are key to configuring SSL. For the purposes of this paper, you
should understand the roles of certificates from trusted root certification authorities
and server certificates. A server proves its identity by having a server certificate that is
signed by a trusted authority. The certificate proves that the server owns the public
encryption key it claims to own. A certificate from a trusted root certification authority
helps the client computer to recognize the server it is connecting to as having a valid
server certificate. Thus, both clients and servers require certificates in order for SSL to
work. Note that in the Laserfiche context, servers can play the role of clients when they
are communicating with another server. For example, if the Forms Server is checking a
user’s credentials with Laserfiche Directory Server, it is acting as a client contacting a
server.

The server certificate can be either a root or an intermediate certificate. Intermediate
certificates inherit their authenticity from the root certificate. As long as client
computers have a certificate from a trusted root certification authority, they will trust
intermediate certificates issued by the same certification authority.
You can obtain certificates from a trusted authority in three ways: by requesting one
from a third-party Certificate Authority (CA), by creating a self-signed certificate, or by
creating an internal CA and using that to issue certificates.
After obtaining the relevant certificates, you should configure your site bindings to
specify a port and certificate for SSL communication.

Certificates from Trusted Root Certification Authorities
This section describes how to acquire these certificates using different methods. For
further information on how to distribute certificates within your organization, see the
Group Policy section.
Using Certificates from Third-Party Certificate Authorities
You can request certificates from third-party Certificate Authorities (CAs). Standard
web browsers recognize some third-party CAs as trusted CAs, so if you use one of these
CAs, you do not have to go through an additional step of installing certificates on all client
machines. This option is most suitable if your servers will be accessed by public users
connecting from the internet.
Different vendors will have different ways for you to request certificates. Consult your
vendor’s instructions for this part of the process. After you have acquired a certificate,
import it into the computer’s Trusted Root Certification Authorities\Certificates
directory (if it is not already there) following Microsoft’s instructions. You should do
this for all client and server computers.
Using Self-Signed Certificates
Alternatively, you can have your server issue its own certificates by self-signing them.
Be aware that if your web server uses a self-signed certificate, many users’ browsers
will display a warning when they try to access your website, unless that same certificate
has also been installed on users’ computers. If they lack that certificate, users will have
to explicitly bypass the warning in order to access the site. For this reason, self-signed
certificates are generally more suitable for test environments or intranet-only use rather
than public-facing production environments—in the former cases, you would simply
need to install the self-signed certificate on all the computers in the restricted
environment.

To use a self-signed certificate to identify a server, create a self-signed server certificate
following Microsoft’s instructions. Then, export the certificate. Finally, add the
certificate to the list of trusted root certificates in all computers that will interact with
the server.
Using an Internal Certificate Authority to Generate Root Certificates
If your Laserfiche servers and clients will interact wholly within a secure network, you
can set up an internal CA within the network to generate root certificates for your
servers and clients. One advantage that this option has over using self-signed
certificates is that it is easier to manage and distribute certificates from an internal CA in
an Active Directory environment. An internal CA is also more convenient if you want
to have intermediate certificates on some of your servers. For example, if you install a
root certificate from an internal CA in your client computers, these computers will also
accept intermediate certificates signed by the same internal CA.
See Microsoft’s instructions on how to set up an internal CA.

Group Policy
You can distribute the certificates from a trusted root certification authority to all users
in a Windows domain or organizational unit by using Group Policy. This is especially
useful if you are using a self-signed certificate or an internal CA, as you will likely want
only internal users to have the certificates.

Server Certificates
If you obtained a certificate from a third-party CA, you can request a server certificate
by making a Certificate Signing Request. Your CA will provide instructions on how to
do this. After you obtain the server certificate from them, import the certificate
following Microsoft’s instructions.
If you had created a self-signed certificate, this certificate should already be listed under
Server Certificates in your IIS Manager, so you do not need to create another server
certificate.
If you used an internal CA to generate root certificates, you can request server
certificates from your internal CA server following these instructions.
After you have a server certificate, you should bind it to a port as follows.

Binding the Server Certificate
For web services, you can bind the server certificate to a port using IIS Manager. For
other types of services, use the netsh command.

Binding a Certificate for Web Services
For web services, bind your server certificate to a port using IIS Manager.
1. Open IIS Manager by clicking on Windows Administrative Tools from the Start
menu and double-clicking Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the node for your Windows server in the Connections
pane. Then click on Sites.
3. In the main pane, select the site you are configuring. In the Alerts pane, click on
Bindings….
4. In the Site Bindings dialog, click on Add….
5. In the Add Site Binding dialog, configure the following options:
a. Select https under Type.
b. Under IP address, select either the IP address of the site or All
Unassigned.
c. Under Port, specify the port you want to use for SSL traffic. By default,
this is port 443.
d. Under SSL certificate, select the desired SSL certificate from the list of
server certificates.
6. Click OK to save your changes in the Add Site Binding dialog, then Close to
close the Site Bindings dialog.
Binding a Certificate Using netsh
Some services, like the Laserfiche Forms Notification Service, are not web services. To
bind a certificate to a port for these services, use the netsh command as follows.
netsh http add sslcert ipport=0.0.0.0:portNumber
certhash=certificateHash appid={randomGUID}
Replace the italicized variables as follows:
• Replace portNumber with the port that the service is using.
• Replace certificateHash with the certificate’s hash. You can view the hashes
of any server certificate by opening IIS Manager and double-clicking Server
Certificates.
• Replace randomGUID with a randomly generated GUID. Multiple websites offer
tools to help you generate random GUIDs.
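The netsh step above (and the same step for the Forms notification port in the Forms section) is easy to get wrong by hand: the certificate hash is copied from a dialog and the GUID from a website. The following PowerShell script is an added example, not part of the Laserfiche white paper: it looks the certificate up in the local machine Personal store, generates the appid GUID locally, checks that the port is not already bound, and reads the binding back to confirm the hash. $Port and $SubjectName are placeholders; it assumes an elevated prompt and a certificate in Cert:\LocalMachine\My.

```powershell
# Added example (not from the Laserfiche white paper): bind a server certificate to a
# port with "netsh http add sslcert" using a thumbprint looked up in the machine store.
param(
    [int]$Port = 8181,                               # placeholder, e.g. the Forms notification port
    [string]$SubjectName = 'forms.example.internal'  # placeholder DNS name on the certificate
)

function Find-ServerCertificate {
    # Newest unexpired certificate in LocalMachine\My that carries the name and
    # has a private key; http.sys cannot serve SSL without the private key.
    param([string]$Name)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            ($_.Subject -like "*CN=$Name*" -or @($_.DnsNameList.Unicode) -contains $Name)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-BoundCertHash {
    # netsh has no structured output, so parse "Certificate Hash : <hex>".
    param([int]$Port)
    $text = (netsh http show sslcert "ipport=0.0.0.0:$Port") -join "`n"
    if ($text -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') { return $Matches[1] }
    return $null
}

$cert = Find-ServerCertificate -Name $SubjectName
if (-not $cert) { throw "No usable certificate for $SubjectName in Cert:\LocalMachine\My" }

$existing = Get-BoundCertHash -Port $Port
if ($existing) {
    if ($existing -ieq $cert.Thumbprint) { Write-Host "Port $Port is already bound to this certificate."; return }
    throw "Port $Port is bound to $existing; remove it with 'netsh http delete sslcert ipport=0.0.0.0:$Port' first."
}

# The appid only needs to be a GUID unique to the application; generate it locally.
$appId = [guid]::NewGuid().ToString('B')   # 'B' format yields {xxxxxxxx-xxxx-...}

netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Verify what http.sys actually recorded, not just that netsh returned 0.
$bound = Get-BoundCertHash -Port $Port
if ($bound -ieq $cert.Thumbprint) {
    Write-Host "Bound $($cert.Subject) ($($cert.Thumbprint)) to 0.0.0.0:$Port"
} else {
    throw "Binding on port $Port shows hash '$bound', expected $($cert.Thumbprint)"
}
```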

Laserfiche Server
In order for the Laserfiche Server to communicate using SSL/TLS, you must configure
the server to have a certificate from a trusted root authority and a server certificate as
described in Configuring Your Computers for SSL/TLS. In addition, all computers
connecting to the server must have a certificate from a trusted root authority, otherwise
they will encounter a warning when trying to connect to the server.
After you’ve installed a server certificate, follow these instructions to configure SSL
between your Laserfiche Server and other servers or clients:
• Configure the Laserfiche Server to use SSL
• Configure the Administration Console to use SSL
• Configure SSL between the Laserfiche Server and LDAP Servers
• Configure SSL between the Laserfiche Server and the Windows client

To Configure the Laserfiche Server to Use SSL
1. Stop the Laserfiche Server Service by opening the Laserfiche Administration
Console, right-clicking on the server name, and selecting Stop Laserfiche Server.
2. On the Laserfiche Server computer, open the registry editor.
3. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Laserfiche\Engine\8.0\HttpServ.
4. From the Edit menu, point to New and select DWORD.
5. Name the value "SSLPort" and set its value to "443". Set the Base value
to Decimal. (If your SSL/TLS implementation uses a different port, provide that
port number instead.)
6. Start the Laserfiche Server Service by opening the Laserfiche Administration
Console, right-clicking on the server name, and selecting Start Laserfiche Server.

To Configure the Administration Console to Use SSL
You can remotely administer repositories using the Laserfiche Administration Console.
When you register a server in the Administration Console, check the Connect with SSL
box.

If you already have a server registered and want the Administration Console to connect
to it using SSL, you will have to de-register the server and re-register it. You can de-
register any server by right-clicking on its name in the Administration Console,
hovering over All Tasks, and clicking Remove Server Registration. When you re-
register the server, make sure that Connect with SSL is checked. After you de-register a
server, you may need to restart the computer hosting the server before you can re-
register the server.

Laserfiche Server and LDAP Servers
If you have repository named users retrieved from LDAP servers, you may want to
make sure that communication between the Laserfiche Server and the LDAP servers is
encrypted. You can enable SSL between the Laserfiche Server and your LDAP servers in
the Laserfiche Administration Console as follows:
If you’re configuring SSL for a new LDAP server profile:
1. Sign in to your repository in the Administration Console by right-clicking on the
repository name, hovering over All Tasks, and clicking Login.
2. Expand the Users and Groups node, then the LDAP Management node.
3. Right-click on Server Profiles and select New LDAP Server Profile.
4. As you configure your LDAP server profile, ensure that the Use SSL box is
selected.
If you’re configuring SSL for an existing LDAP server profile:
1. Sign in to your repository in the Administration Console by right-clicking on the
repository name, hovering over All Tasks, and clicking Login.
2. Expand the Users and Groups node, then the LDAP Management node.
3. Select Server Profiles.
4. Double-click the server profile you want to modify.
5. Select the Use SSL box for the server profile. Click OK to save your changes.

Note: This configuration affects only communications that verify
repository named users from LDAP servers. It does not apply to LDAP
users who are registered in Laserfiche Directory Server, then registered to
a repository under their Directory Server account. For the latter kind of
user, Laserfiche Server communicates only with Laserfiche Directory
Server.

Windows Client
To configure the Windows client to connect to Laserfiche Server using SSL, make sure
that the Use SSL Connection box is selected when you attach a repository. If your
repository is already attached but the connection is not using SSL, you can detach the
repository, then make sure that Use SSL Connection is selected when you re-attach it.
The computer that the Windows client is connecting from must also have the
appropriate root certificates associated with the Laserfiche servers that it connects to.

Web Client
In order for the web client server to communicate using SSL/TLS, you must configure
the server to have a certificate from a trusted authority and a server certificate as
described in Configuring Your Computers for SSL/TLS. In addition, all computers
connecting to the server must have the former kind of certificate installed, otherwise
they will encounter a warning when trying to connect to the server.

Granting the Web Client Application Pool Access to a Certificate’s Private Key
If you plan to use SSL between the web client and a different server, such as Directory
Server or Laserfiche Server, you should grant the web client’s application pool access to
the private key of that server’s certificate. To do this, import the relevant certificate to
the Personal folder in the local computer’s certificate store. Then, see Granting Access
to Certificate Keys for further instructions.

To Enable SSL between the Web Client and the Repository
1. Access the web client configuration page.
2. If the repository already exists on the configuration page:
a. In the Connections tab, select the Edit icon next to the repository whose
connection you want to modify.
b. In the line next to the repository of interest, select the SSL (LFS) box.
c. Click Save to save your changes.
3. If the repository has not been added to the configuration page:
a. Click Add new repository.
b. Specify the repository’s details.
c. Select the SSL (LFS) option.
d. Click Save.

To Enable SSL between the Web Client Server and Users’ Internet Browsers
1. Access the web client configuration page.
2. Navigate to the Services tab.
3. In the General Services section, toggle the HTTPS Redirection setting to ON.
4. Click Save at the bottom of the page to implement your changes.

Note: If you enabled HTTPS redirection but specified a Laserfiche Web
Client Host URL on the same page that does not begin with “https”, you
will receive a warning when you attempt to save your settings.

To Enable SSL between the Web Client and an SMTP Server
Make sure the Use SSL box is selected when specifying the SMTP Server.

Web Client Endpoint Utility
Single sign-on authentication through Laserfiche Directory Server automatically uses
SSL without any special configuration. However, you will need to configure the web
client server to use the correct endpoints if it is not on the same computer as Directory
Server. You will also need to ensure that the web client server and Directory Server
have the appropriate certificates, and grant the web client application pool access to the
private key of the relevant certificate.

To Configure Endpoints for the Web Client
1. Open the EndpointUtility program found in the web client installation directory,
which is C:\Program Files\Laserfiche\Web Access by default.
2. Enter the address of your Laserfiche Directory Server.
3. If you had configured a non-default service user for Directory Server, specify it
under Service user’s principal name.
4. Select Use Alternative Service.
5. Select Certificate as the security mode, and choose the appropriate certificate
from the drop-down menu.
6. Click Save.

Laserfiche Directory Server
As part of its single sign-on service, Laserfiche Directory Server requires SSL when
communicating with other Laserfiche products to authenticate users. It also requires
SSL for connections to the Directory Server configuration site from web browsers.
Configuring SSL is part of the installation process, and if this step is skipped, the
administrator must add a server certificate and bind it in IIS Manager after the fact. In
addition, all computers connecting to Directory Server must have the appropriate
certificate from a trusted root certification authority installed, otherwise they will
encounter a warning when trying to connect to the server.
In this section, we cover the configuration of SSL for Directory Server STS tokens,
communication between Directory Server and identity providers, and communication
between Directory Server and email servers. To learn how to set up SSL for the
Directory Server SQL database, see the section on SQL Server.

Configuring the Certificate and Service User
You can configure various settings related to the Security Token Service using the
endpoint configuration utilities of both Directory Server and its Security Token Service
(STS) instances.

To Configure Directory Server
1. Open the Directory Server’s endpoint configuration utility, XmlEndpointUtility.
This is located in the Directory Server installation folder, which is C:\Program
Files\Laserfiche\Directory Server by default.
2. Confirm that the Directory Server’s fully qualified domain name, the Directory
Server service user’s principal name, and the listening port are correct.
a. If you leave Service user’s principal name blank, the service user will
default to a built-in account like Local System or Network Service.
b. If you specify a non-default service user, make sure to use the correct user
principal name.
• If you’re using Directory Server 10.2 or earlier, you’ll also need to
reserve URLs for the new service user.
3. Select the Use alternate service option.
4. In the drop-down menu that appears, specify the certificate that you want
Directory Server to use for SSL.

5. Make sure that the service user specified in step 2 has Read permissions to the
certificate’s private key, following the instructions in Granting Access to
Certificate Keys.

To Configure Each STS Instance
1. Open the STS endpoint configuration utility, STSEndpointUtility. This is located
in the Web\WebSTS subfolder in the Directory Server installation folder. By
default, this is C:\Program Files\Laserfiche\Directory Server\Web\WebSTS.
2. Verify the address of the Directory Server and the principal name of the STS
service user. The latter must be identical to the service user principal name
specified in the Directory Server’s endpoint utility (step 2 in the preceding set of
instructions). If you had left the service user principal name blank when
configuring Directory Server, then you should also leave this area blank when
configuring the STS instance.
3. Select the Use alternate service option.
4. In the drop-down menu that appears, specify the certificate that you want the
STS token to use for SSL.
5. Make sure that the LicenseManagerSTSAppPool application pool identity has
Read permissions to the certificate’s private key, following the instructions in
Granting Access to Certificate Keys.

Directory Server and Identity Providers
Laserfiche Directory Server periodically synchronizes with identity providers to get
updates about changes to users. When you add an identity provider to Directory Server,
you can set SSL as the communication protocol by selecting “Use SSL”. For existing
identity providers, you can configure them to use SSL as follows.
1. Open the Directory Server licensing site.
2. Click Settings in the top navigation bar.
3. Select the Identity Providers tab.
4. In the left pane, select the identity provider that you want to reconfigure.
5. In the main pane, change the Use SSL setting to Yes.
6. Click Save to save your changes.
Directory Server uses port 636 by default to communicate through SSL with identity
providers, but you can specify a different port by adding the port to the end of your
identity provider’s address. For example, to specify port 123, you can specify your
identity provider’s address in the following format:
YourDomainController.YourDomain.com:123

Directory Server and Email Servers
When you add a new email server profile on the Directory Server licensing site, you can
configure Directory Server to use SSL with the email server by selecting the Use SSL
box.

Workflow
In order for the Workflow server to communicate using SSL/TLS, you must configure
the server to have a certificate from a trusted root CA and a server certificate, as
described in Configuring Your Computers for SSL/TLS. In addition, all computers
connecting to the server must have the former kind of certificate installed, otherwise
they will encounter a warning when trying to connect to the server.
• To configure Workflow to use SSL when connecting to the Laserfiche Server,
continue reading.
• To use SSL for the emails that Workflow sends, see Workflow and Email Servers.
• To encrypt connections between Workflow and SQL Server, see the SQL Server
section.

Workflow and Laserfiche Server
To allow Workflow to use SSL:
1. In the Workflow Administration Console, expand the node for the computer
hosting your Workflow server.
2. Double-click on Server Configuration, then Advanced Server Options.
3. Select the Laserfiche tab of the Advanced Server Options dialog box.
4. Select Use SSL when connecting to Laserfiche to use SSL to secure network
communications when connecting to Laserfiche. You must have your Laserfiche
Server set up to use SSL for this option to work.
5. Click OK to save your changes.
Note: This setting will affect the Workflow Server's connections, the
Workflow Administration Console's connections, and, after being
restarted, the Designer's connections to Laserfiche. Because the Workflow
Server applies the SSL settings to the programs it is connected to, your
Workflow connection profiles will have to specify repositories by using
their fully qualified domain name.
Note: You must restart the Workflow Subscriber service for this setting to
apply.

To configure the Workflow Server to use SSL when connecting to an SSL-enabled Laserfiche Server
1. Ensure your Laserfiche Server is configured for SSL.

2. Ensure Workflow is configured to use SSL when connecting to the Laserfiche
Server.
3. Open the Registry Editor by running regedit.exe.
4. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Laserfiche\Client8\Profile\IPDatabase.
The path contains "Client8" even if Laserfiche 9 or later is installed.
Note: If your machine is x64, the registry path
is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Laserfiche\
Client8\Profile.
5. Create a string value with the name of your repository and its domain name as
the value data.
a. Select the key you want to add a string value to. Right-click in the viewing
pane, point to New, and select String Value.
b. Type the name of the repository as the string value.
c. Double-click the RepositoryName string value to open the Edit
String dialog box.
d. In the Value data field, type in the Laserfiche Server's fully qualified
domain name.
6. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Laserfiche\Client8\Profile\RepositoryName.
The path contains "Client8" even if Laserfiche 9 or later is installed.
Note: If your machine is x64, the registry path
is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Laserfiche\
Client8\Profile.
a. Create a string value named UseSSL.
b. Double-click the string to open the Edit String dialog box.
c. Change the Value data to yes.
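Steps 3 through 6 above are two registry writes that are easy to misplace (wrong hive view, repository name mistyped in one of the two keys). The following PowerShell script is an added example, not part of the Laserfiche white paper: it writes both values, selects the Wow6432Node path when asked (the x64 note above), and reads the result back. $RepositoryName and $ServerFqdn are placeholders; it assumes an elevated session, after which the Workflow Subscriber service still has to be restarted as the paper notes.

```powershell
# Added example (not from the Laserfiche white paper): perform the Workflow connection
# profile registry edits (IPDatabase address by FQDN, UseSSL = yes) and verify them.
param(
    [string]$RepositoryName = 'MyRepository',               # placeholder repository name
    [string]$ServerFqdn     = 'lfserver.example.internal',  # placeholder Laserfiche Server FQDN
    [switch]$Use32BitView                                    # x64 note: use the Wow6432Node path
)

# The certificate is issued to the server's FQDN, so a short host name will not match it.
if ($ServerFqdn -notmatch '\.') {
    Write-Warning "'$ServerFqdn' does not look fully qualified; SSL validation is likely to fail."
}

$profileKey = if ($Use32BitView) {
    'HKLM:\SOFTWARE\Wow6432Node\Laserfiche\Client8\Profile'
} else {
    'HKLM:\SOFTWARE\Laserfiche\Client8\Profile'   # "Client8" even on Laserfiche 9 and later
}

function Set-WorkflowSslProfile {
    param([string]$ProfileKey, [string]$Repository, [string]$Fqdn)

    # Step 5: Profile\IPDatabase gets a string value named after the repository
    # whose data is the Laserfiche Server's fully qualified domain name.
    $ipDb = Join-Path $ProfileKey 'IPDatabase'
    if (-not (Test-Path $ipDb)) { New-Item -Path $ipDb -Force | Out-Null }
    New-ItemProperty -Path $ipDb -Name $Repository -PropertyType String -Value $Fqdn -Force | Out-Null

    # Step 6: Profile\<RepositoryName> gets a string value UseSSL = yes.
    $repoKey = Join-Path $ProfileKey $Repository
    if (-not (Test-Path $repoKey)) { New-Item -Path $repoKey -Force | Out-Null }
    New-ItemProperty -Path $repoKey -Name 'UseSSL' -PropertyType String -Value 'yes' -Force | Out-Null

    # Read both values back so a mistyped key path surfaces now, not at the
    # first failed repository connection after the service restart.
    [pscustomobject]@{
        Repository = $Repository
        Address    = (Get-ItemProperty -Path $ipDb).$Repository
        UseSSL     = (Get-ItemProperty -Path $repoKey).UseSSL
    }
}

$result = Set-WorkflowSslProfile -ProfileKey $profileKey -Repository $RepositoryName -Fqdn $ServerFqdn
if ($result.UseSSL -ne 'yes' -or $result.Address -ne $ServerFqdn) {
    throw "Profile for $RepositoryName was not written as expected:`n$($result | Out-String)"
}
$result
```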

Workflow and Email Servers
To ensure that Workflow sends emails using SSL, make sure the Use SSL option is
selected when you add or modify an email server.

Forms
For the Forms server to communicate using SSL/TLS, you must configure the server with the trusted root CA's certificate and a server certificate, as described in Configuring Your Computers for SSL/TLS. In addition, every computer that connects to the server must trust that root CA (that is, have the root CA certificate installed); otherwise users will see a certificate warning when they try to connect to the server.
You may want to configure SSL between the Forms server and the following entities:
• Users' internet browsers
• Workflow or Discussions
• Email servers
• The Laserfiche Server
• LDAP servers
• Laserfiche Directory Server
• SQL Server
Note: If you configure SSL between Forms and internet browsers, you should also configure SSL between Forms and Workflow, and between Forms and Discussions (if Forms is communicating with these applications).

Granting FormsAppPool access to a certificate's private key
If you plan to use SSL between Forms and a different server, such as Directory Server or the Workflow server, you should grant the Forms application pool identity (FormsAppPool) access to the private key of that server's certificate. Import the relevant certificate into the Personal folder of the local computer's certificate store, then follow the instructions in Granting Access to Certificate Keys.

To configure SSL between the Forms server and internet browsers
1. On the Forms configuration page, open the Forms Server tab.
2. Under Primary Forms Server URL, select the Use SSL connection checkbox.
3. Optional: Select HTTPS Redirection if you also want users who open a form's page with an http:// URL to be redirected to the https:// version of the page. If this box is cleared, users can still reach forms over plain HTTP even when Use SSL connection is selected, so select it unless you have a specific reason not to.
4. Click Save to save your changes.

5. The following steps are necessary for Forms notifications to work when SSL is enabled.
a. Find the certificate hash (thumbprint) of the certificate used by the Forms website. In IIS Manager, open Server Certificates and copy the value in the Certificate Hash column.
b. Run the following command in an administrator command prompt:
netsh http add sslcert ipport=0.0.0.0:8181 certhash=#certhash appid={#appid}
Replace #appid with a newly generated GUID (for example from [guid]::NewGuid() in PowerShell) and #certhash with the certificate hash copied above. Keep the braces around the GUID.
c. If the Laserfiche Notification Hub Service user is not Local System, or is not a member of the local Administrators group, you should also run the following command:
netsh http add urlacl url=https://*:8181/ user="LOCAL SERVICE" listen=yes
Replace LOCAL SERVICE with the Laserfiche Notification Hub Service account name.
After you run the commands, netsh should report SSL Certificate successfully added and URL reservation successfully added. You can confirm the binding at any time with netsh http show sslcert ipport=0.0.0.0:8181.
d. Update the following configuration files manually to change the hub host address to use https.
• The hub configuration file, located by default at C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Hub\Laserfiche.PushNotificationService.Hub.Host.exe.config. Find the line with the HubHostAddress key and change it to the following: <add key="HubHostAddress" value="https://*:8181" />
• The master configuration file, located by default at C:\Program Files (x86)\Laserfiche\Laserfiche Notification\Service\Laserfiche.PushNotificationService.Master.Host.exe.config. Find the line with the HubAddress key and change it to the following: <add key="HubAddress" value="https://HUBSERVER:8181" />, replacing HUBSERVER with your server name. Use a name that the certificate actually covers, otherwise the master service will fail certificate validation when it connects to the hub.
e. Restart the Laserfiche Notification Hub Service and the Laserfiche Notification Master Service.
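Step 5 as an added PowerShell script, not code from the Laserfiche paper. It reads the certificate hash from the Forms site's existing https binding instead of copying it out of IIS Manager, generates the GUID locally, runs the two netsh commands and checks their exit codes, rewrites the two appSettings keys with an XML parser rather than a text editor, and restarts the services. The IIS site name and the hub service account are assumptions; the install paths are the defaults the paper quotes.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Laserfiche paper. Site name, account and paths are assumptions.
Import-Module WebAdministration

$siteName     = 'Default Web Site'    # assumed: the IIS site that hosts Forms
$hubAccount   = 'LOCAL SERVICE'       # assumed: the Notification Hub service account
$hubServer    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # FQDN of this server
$notifRoot    = 'C:\Program Files (x86)\Laserfiche\Laserfiche Notification'  # paper's default path
$hubConfig    = Join-Path $notifRoot 'Hub\Laserfiche.PushNotificationService.Hub.Host.exe.config'
$masterConfig = Join-Path $notifRoot 'Service\Laserfiche.PushNotificationService.Master.Host.exe.config'

# Step 5a: take the hash from the site's https binding so it is the cert IIS really serves.
$binding = @(Get-WebBinding -Name $siteName -Protocol https) | Select-Object -First 1
if (-not $binding) { throw "No https binding on site '$siteName'; configure the Forms site for SSL first." }
$certHash = $binding.certificateHash
if ($certHash -notmatch '^[0-9A-Fa-f]{40}$') { throw "Unexpected certificate hash: $certHash" }

# Step 5b: a fresh GUID generated locally; netsh wants it wrapped in braces.
$appId = '{' + [guid]::NewGuid().ToString() + '}'
netsh http add sslcert ipport=0.0.0.0:8181 "certhash=$certHash" "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    throw 'netsh http add sslcert failed. If 8181 is already bound, inspect it with: netsh http show sslcert ipport=0.0.0.0:8181'
}

# Step 5c: only required when the hub service is not Local System or a local administrator.
netsh http add urlacl 'url=https://*:8181/' "user=$hubAccount" listen=yes
if ($LASTEXITCODE -ne 0) { throw 'netsh http add urlacl failed' }

# Step 5d: change the two appSettings values. Parsing the XML avoids mangling the rest of the file.
function Set-AppSettingValue([string]$Path, [string]$Key, [string]$Value) {
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $node = $doc.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) { throw "Key '$Key' not found in $Path" }
    $node.SetAttribute('value', $Value)
    $doc.Save($Path)
}
Set-AppSettingValue -Path $hubConfig    -Key 'HubHostAddress' -Value 'https://*:8181'
Set-AppSettingValue -Path $masterConfig -Key 'HubAddress'     -Value "https://${hubServer}:8181"

# Step 5e: restart both services (display names as given in the paper).
Restart-Service -DisplayName 'Laserfiche Notification Hub Service' -Force
Restart-Service -DisplayName 'Laserfiche Notification Master Service' -Force

# Final check: show the binding that HTTP.sys now holds for port 8181.
netsh http show sslcert ipport=0.0.0.0:8181
```

The FQDN is written into HubAddress deliberately: the master service validates the hub's certificate against the host name it connects to, so that name must be one the Forms certificate covers.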

To configure SSL between Forms and Workflow or Forms and Discussions
1. On the Forms configuration page, click on Laserfiche in the left pane.
2. To use SSL to connect to Workflow, ensure Use SSL Connection is selected in the Laserfiche Workflow section.
3. To use SSL to connect to Discussions, ensure Use SSL Connection is selected in the Laserfiche Discussions section.
4. Click Save to save your changes.

To configure SSL between Forms and email servers
1. On the Forms configuration page, click on the Email Settings tab.
2. To configure SSL for email notifications, select the Email Notification Server tab, and select the box next to Use a secure connection (SSL) when sending email.
3. To configure SSL communication for emails sending approvals or rejections, select the Email Approval Server tab, and select the box next to Use a secure connection (SSL) when retrieving email.

To configure SSL between Forms and Laserfiche Server
Forms interacts with Laserfiche Server in the following situations:
• If you choose to authenticate users using Laserfiche Server (rather than Directory Server) authentication
• During Save to Repository service tasks
If you are authenticating through Laserfiche Server and want to use SSL for this type of authentication, make sure that Use SSL Connection is selected when you configure Laserfiche Server authentication.
Save to Repository tasks are controlled by repository profiles. To configure SSL for Save to Repository actions, select the Use SSL connection checkbox when creating or editing a repository profile.

To configure SSL between Forms and LDAP servers
This option comes into play when you add LDAP participant users to your Forms system.
1. On your Forms page, click on your account name and select Administration.
2. Select the Participants tab.
3. Click Configure LDAP. In the Connection type drop-down, select LDAP with SSL.
4. Proceed with the rest of the configuration following the usual instructions.

To configure SSL between Forms and Laserfiche Directory Server
On the Forms configuration page, make sure that Use SSL Connection is selected in the Forms Server tab. When this is done, "https" rather than "http" will automatically be prepended to the URL specified when configuring Laserfiche Directory Server authentication in Forms.
Note: There may be a situation in which the Use SSL connection option is selected but the SSL settings have not been propagated to the appropriate configuration files. To update the configuration files to use an SSL connection, clear and then reselect the Use SSL connection box, then click Save again.
If your Forms server is not on the same computer as the Directory Server it authenticates to, configure the endpoints as follows.
1. Open the EndpointUtility program in the Forms\bin subfolder of the Forms installation folder. By default, this program is located at C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin.
2. Enter the Forms installation path.
3. Enter the address of the Directory Server that Forms is authenticating to.
4. Enter the user principal name of the Directory Server's service user.
5. Select Use Alternative Service, then the Certificate security mode.
6. In the drop-down menu, choose the certificate you plan to use.
7. Click Save to save your configuration.
Distributed Computing Cluster
You can configure the Distributed Computing Cluster to communicate securely with the Laserfiche Server using SSL.

Prerequisites
Before you start configuring SSL for the Distributed Computing Cluster:
• Ensure the Laserfiche Server has already been configured to use SSL.
• Ensure the client computers trust the root certification authority that issued the Laserfiche Server's certificate (that is, have its root certificate installed).
To configure SSL for the Distributed Computing Cluster
1. Stop the Distributed Computing Cluster service.
a. Open the Windows Services application and select Laserfiche Distributed
Computing Cluster.
b. Right-click, or open the Action menu, and select Stop.
2. Navigate to C:\ProgramData\Laserfiche\Distributed Computing
Cluster\Config.
3. Open SchedulerConfig.xml in a text editor.
4. Under the <SchedulerConfigFile> element, paste the following XML
fragment. Note that the fragment is case-sensitive, and whitespace matters for
TaskName.
<TaskModuleConfiguration>
<TaskConfiguration>
<TaskName>OCR.Image Cleanup</TaskName>
<Settings>ForceSSL=yes</Settings>
</TaskConfiguration>
<TaskConfiguration>
<TaskName>OCR.OCR</TaskName>
<Settings>ForceSSL=yes</Settings>
</TaskConfiguration>
<TaskConfiguration>
<TaskName>OCR.Task Creator</TaskName>
<Settings>ForceSSL=yes</Settings>
</TaskConfiguration>
</TaskModuleConfiguration>
5. Save your changes and close the XML file.
6. Restart the Distributed Computing Cluster.
a. Open the Windows Services application and select Laserfiche Distributed
Computing Cluster.
b. Right-click, or open the Action menu, and select Start.
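The same edit as steps 1 to 6, as an added PowerShell script that is not from the Laserfiche paper: it stops the service, keeps a backup of SchedulerConfig.xml, inserts the three ForceSSL entries (reusing an existing <TaskModuleConfiguration> element so the script can be re-run without duplicating them), checks the result, and starts the service again. It assumes SchedulerConfig.xml declares no default XML namespace; the file path and the service display name are the ones the paper gives.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Laserfiche paper. Assumes SchedulerConfig.xml has no default xmlns.
$configPath  = 'C:\ProgramData\Laserfiche\Distributed Computing Cluster\Config\SchedulerConfig.xml'
$serviceName = 'Laserfiche Distributed Computing Cluster'           # display name used in the paper
$taskNames   = @('OCR.Image Cleanup', 'OCR.OCR', 'OCR.Task Creator') # case- and whitespace-sensitive

Stop-Service -DisplayName $serviceName -Force
Copy-Item -LiteralPath $configPath -Destination "$configPath.bak" -Force   # rollback copy

[xml]$doc = Get-Content -LiteralPath $configPath -Raw
$root = $doc.SelectSingleNode('/SchedulerConfigFile')
if (-not $root) { throw "Unexpected root element in $configPath (expected <SchedulerConfigFile>)" }

# Reuse an existing <TaskModuleConfiguration> if one is present so the script is idempotent.
$module = $root.SelectSingleNode('TaskModuleConfiguration')
if (-not $module) { $module = $root.AppendChild($doc.CreateElement('TaskModuleConfiguration')) }

foreach ($name in $taskNames) {
    $existing = $module.SelectSingleNode("TaskConfiguration[TaskName='$name']")
    if ($existing) {
        # Entry already present: make sure it forces SSL rather than adding a duplicate.
        $settings = $existing.SelectSingleNode('Settings')
        if (-not $settings) { $settings = $existing.AppendChild($doc.CreateElement('Settings')) }
        $settings.InnerText = 'ForceSSL=yes'
        continue
    }
    $task = $doc.CreateElement('TaskConfiguration')
    $taskName = $doc.CreateElement('TaskName'); $taskName.InnerText = $name
    $settings = $doc.CreateElement('Settings'); $settings.InnerText = 'ForceSSL=yes'
    $task.AppendChild($taskName) | Out-Null
    $task.AppendChild($settings) | Out-Null
    $module.AppendChild($task) | Out-Null
}
$doc.Save($configPath)

# Verify that all three tasks now force SSL before bringing the service back.
$forced  = @($doc.SelectNodes("/SchedulerConfigFile/TaskModuleConfiguration/TaskConfiguration[Settings='ForceSSL=yes']/TaskName") |
            ForEach-Object { $_.InnerText })
$missing = @($taskNames | Where-Object { $_ -notin $forced })
if ($missing.Count -gt 0) { throw "ForceSSL not set for: $($missing -join ', ')" }

Start-Service -DisplayName $serviceName
```

The XPath checks use the exact TaskName strings, which is why the names are kept in one array: a stray space or a different case in OCR.Image Cleanup would produce a second, ignored entry rather than an error.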

SQL Server
You can ensure that connections from Laserfiche servers to their respective SQL Servers are encrypted using any of the following methods:
• Forcing the SQL Server to use encryption. This applies to all databases within that SQL Server, not just the Laserfiche databases. SQL Server will reject any unencrypted connection attempt, so if you use this option, make sure that every service that accesses that SQL Server uses SSL. To pursue this option, see Microsoft's instructions.
• Enforcing encryption at the level of the ODBC driver.
• Changing the connection strings that specific Laserfiche servers use to connect to their SQL databases.
Whichever method you choose, encryption only protects the connection if the client also validates the SQL Server's certificate: the certificate must chain to a CA that the Laserfiche servers trust, and none of the connection strings below should contain TrustServerCertificate=yes (or TrustServerCertificate=True), which tells the driver to accept any certificate.

ODBC Driver Configuration
You can enforce encryption at the level of the ODBC driver as follows.
1. Open the ODBC Data Source Administrator.
2. Navigate to the relevant tab and either click Add to configure a new data source,
or select an existing data source and click Configure.
3. Select a driver for the data source and click Finish.
4. Enter a Name, Description, and Server for the data source. Click Next.
5. Select or enter your authentication options for the server. Click Next.
6. Select or specify your database options. Click Next.
7. On the final dialog page, select Use strong encryption for data. This is the option
that enables SSL for the data source.
8. Select or enter any other options you desire, then click Finish.

Changing Connection Strings
Another way of configuring SSL between a specific Laserfiche server and SQL Server is to edit the connection strings used by the Laserfiche server. The following sections explain how to do this for various Laserfiche applications.

To encrypt connections between the Laserfiche Server and SQL Server
1. Open the registry editor and navigate to HKEY_LOCAL_MACHINE\Software\laserfiche\Engine\8.0\Repositories.
2. Open the key corresponding to your repository.
3. Add a string value named "ConnectionString" with the following value:
Driver={DriverName};Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;Encrypt=yes;
where DriverName is the installed ODBC driver, for example "ODBC Driver 11 for SQL Server", and myServerAddress and myDataBase are the names of your SQL Server and repository database.

To encrypt connections between Laserfiche Directory Server and SQL Server
This feature is available only on Laserfiche Directory Server 10.3 and later.
1. On the Directory Server configuration site, navigate to the Settings tab, then click
on General.
2. In the Licensing Site section, click on Modify connection string.
3. Enter the connection string that you want. To enable SSL, make sure that the
string contains the substring “Encrypt=yes”. As an example, your connection
string may look something like this:
Driver={DriverName};Server=myServerAddress;
Database=myDataBase;Trusted_Connection=yes;Encrypt=yes;
Note: This dialog does not append to an existing connection string.
Instead, anything you enter here should be a full connection string. If you
leave it blank, a default connection string, which does not enable SSL, will
be used.
4. Click OK to save the new connection string.

To encrypt connections between Forms and SQL Server
1. Open the Web.config file in the Forms subfolder of your Forms installation folder. By default, the subfolder's path is C:\Program Files\Laserfiche\Laserfiche Forms\Forms.
2. Locate the <appSettings> block in the file. Find the line that starts with <add key="Conn" and append ;Encrypt=True to the value of the key. For example, if the line originally reads as follows:
<add key="Conn" value="Server=myServer;Database=Forms;Integrated Security=True;Connection Timeout=180" />
You should alter it to be:
<add key="Conn" value="Server=myServer;Database=Forms;Integrated Security=True;Connection Timeout=180;Encrypt=True" />
3. Locate the <connectionStrings> block in the file. Find the line that starts with <add name="FormsEntities" and append ;Encrypt=True to the provider connection string nested inside connectionString (the part between the &quot; delimiters), not to the outer Entity Framework string. For example, if the line originally reads as follows:
<add name="FormsEntities" connectionString="metadata=res://*/FormsEntities.csdl|res://*/FormsEntities.ssdl|res://*/FormsEntities.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=myDataSource;initial catalog=Forms;persist security info=True;Integrated Security=True;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
You should alter it to be:
<add name="FormsEntities" connectionString="metadata=res://*/FormsEntities.csdl|res://*/FormsEntities.ssdl|res://*/FormsEntities.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=myDataSource;initial catalog=Forms;persist security info=True;Integrated Security=True;multipleactiveresultsets=True;App=EntityFramework;Encrypt=True&quot;" providerName="System.Data.EntityClient" />
4. Open the RoutingEngineServiceHost.exe.config file (the configuration file for RoutingEngineServiceHost.exe) in the Forms\bin subfolder of your Forms installation folder. By default, the subfolder is at C:\Program Files\Laserfiche\Laserfiche Forms\Forms\bin.
5. Repeat Steps 2 and 3 in that file.

To encrypt connections between Workflow and SQL Server
1. Within the Workflow Designer, open the Workflow Data Source Administrator and either Add a new data source or Configure an existing one, following the Laserfiche Administration Guide.
2. When selecting a wizard type for the Configure Data Source Wizard, select the Expert (Connection Strings) wizard type.
3. After specifying your data source provider, specify your connection string. To use SSL, make sure that the string contains the substring "Encrypt=yes". As an example, your connection string may look something like this:
Driver={DriverName};Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;Encrypt=yes;
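The connection-string edits above for Laserfiche Server, Directory Server, Forms (Web.config and RoutingEngineServiceHost) and Workflow all come down to adding an Encrypt key to a semicolon-delimited string, with the Forms FormsEntities string as the awkward case because its SqlClient string is nested inside the Entity Framework string. The following PowerShell functions are an added example, not code from the Laserfiche paper: they add Encrypt=yes (ODBC) or Encrypt=True (SqlClient) to either form, refuse a string that also sets TrustServerCertificate, and, against a live SQL Server, ask sys.dm_exec_connections whether the resulting session is really encrypted. The sample strings at the bottom are constructed and point at no real server.

```powershell
# Added example, not from the Laserfiche paper. Sample connection strings are constructed.

function Set-ConnectionStringEncryption {
    # Returns the string with Encrypt set; throws if certificate validation is disabled.
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,
        [ValidateSet('yes', 'True')] [string] $Value = 'yes'   # 'yes' for ODBC strings, 'True' for SqlClient
    )
    # Split into ordered key=value pairs; drivers treat keys case-insensitively, so look them up that way.
    $pairs = [ordered]@{}
    foreach ($part in ($ConnectionString -split ';')) {
        if ($part.Trim() -eq '') { continue }
        $k, $v = $part -split '=', 2
        $pairs[$k.Trim()] = $v
    }
    $encryptKey = $pairs.Keys | Where-Object { $_ -ieq 'Encrypt' } | Select-Object -First 1
    if ($encryptKey) { $pairs[$encryptKey] = $Value } else { $pairs['Encrypt'] = $Value }

    # Encrypt=yes together with TrustServerCertificate=yes encrypts the channel but skips
    # validation of the server certificate, which leaves a man-in-the-middle undetected.
    $trustKey = $pairs.Keys | Where-Object { $_ -ieq 'TrustServerCertificate' } | Select-Object -First 1
    if ($trustKey -and ([string]$pairs[$trustKey]).Trim() -match '^(yes|true)$') {
        throw 'TrustServerCertificate is enabled; remove it so the SQL Server certificate is validated.'
    }
    return (($pairs.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';') + ';'
}

function Set-EntityConnectionStringEncryption {
    # Handles the FormsEntities form: only the nested provider connection string is a SqlClient string.
    # In Web.config the inner quotes are written as &quot;; read through an XML parser they are plain
    # double quotes, which is what this function expects.
    param([Parameter(Mandatory)] [string] $EntityConnectionString)
    $m = [regex]::Match($EntityConnectionString, 'provider connection string="([^"]*)"')
    if (-not $m.Success) { throw 'No nested provider connection string found.' }
    $inner = Set-ConnectionStringEncryption -ConnectionString $m.Groups[1].Value -Value 'True'
    return $EntityConnectionString.Substring(0, $m.Index) +
           "provider connection string=`"$inner`"" +
           $EntityConnectionString.Substring($m.Index + $m.Length)
}

function Test-SqlConnectionEncrypted {
    # Needs a reachable SQL Server. Opens the connection and asks the server whether this
    # session is encrypted; a connection string can claim Encrypt=True and still be wrong.
    param([Parameter(Mandatory)] [string] $SqlClientConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection $SqlClientConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return ([string]$cmd.ExecuteScalar()) -eq 'TRUE'
    } finally { $conn.Dispose() }
}

# Constructed samples (no real servers). ODBC form used by Laserfiche Server, Directory Server and Workflow:
$odbc = 'Driver={ODBC Driver 11 for SQL Server};Server=sql01.corp.example.com;Database=LFRepo;Trusted_Connection=yes;'
Set-ConnectionStringEncryption -ConnectionString $odbc
# SqlClient form used by the Forms "Conn" key:
$conn = 'Server=sql01.corp.example.com;Database=Forms;Integrated Security=True;Connection Timeout=180'
Set-ConnectionStringEncryption -ConnectionString $conn -Value 'True'
# Entity Framework form used by FormsEntities (inner quotes already unescaped):
$ef = 'metadata=res://*/FormsEntities.csdl|res://*/FormsEntities.ssdl|res://*/FormsEntities.msl;provider=System.Data.SqlClient;provider connection string="data source=sql01.corp.example.com;initial catalog=Forms;Integrated Security=True;App=EntityFramework"'
Set-EntityConnectionStringEncryption -EntityConnectionString $ef
# Rejected: the channel would be encrypted but the server would never be authenticated.
try { Set-ConnectionStringEncryption -ConnectionString "$conn;TrustServerCertificate=True" -Value 'True' } catch { Write-Warning $_ }
```

Run Test-SqlConnectionEncrypted with the edited Forms "Conn" string after the change; encrypt_option is what the server reports for the live session, so it catches a connection that silently fell back to an unencrypted transport or a string that was saved to the wrong file.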
Granting Access to Certificate Keys
In many of the preceding instructions, you are asked to ensure that certain users or application pool identities have access to certificate keys. The following instructions explain how to do so. They assume that you have imported the relevant certificate, together with its private key, into the Personal folder of your local computer's certificate store.

To grant an application pool identity or user access to a certificate key
1. Open Microsoft Management Console (MMC). If the Certificates snap-in is not loaded, add it by going to File, selecting Add/Remove Snap-in, and selecting the Certificates snap-in. Choose to add this snap-in for the Local Computer.
2. Once the snap-in is added, click on Certificates in the left pane.
3. Click on Personal.
4. If you have the relevant certificate saved to the Personal node, there will be a subfolder in this node labeled Certificates. Expand this.
5. Right-click on the relevant certificate. Select All Tasks, then Manage private keys.
6. Select Add... under the "Group or user names" section. A dialog will open where you can enter the object names to be added.
a. If you are configuring permissions for an application pool identity, choose the local computer as the location.
b. If you are configuring permissions for a service user that is not a default local service, choose the domain in which to search for the user.
c. Search for the name of the object you are looking for. The relevant objects for this paper are as follows:
i. IIS AppPool\FormsAppPool for the Forms application pool identity.
ii. IIS AppPool\LicenseManagerSTSAppPool for the application pool identity of the License Manager STS (security token service).
iii. IIS AppPool\WebAccessAppPool for the web client.
iv. The Directory Server service user.
After the relevant object is found, click OK.
7. Back in the permissions dialog for the private key, select the relevant object in the "Group or user names" section. In the "Permissions for YourObject" section, ensure that Allow is checked for the relevant permission, and grant no more than is listed here. The permissions required for the objects mentioned in this paper are as follows:
a. Full control for the FormsAppPool
b. Read for LicenseManagerSTSAppPool, WebAccessAppPool, and the Directory Server service user.
8. Click OK to save your settings.
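The same permission grant as the MMC procedure above, as an added PowerShell function that is not from the Laserfiche paper. It finds the private key file behind a certificate in the Local Computer Personal store (CSP keys under RSA\MachineKeys, CNG keys under Keys), adds a Read or Full Control entry for the identity, and returns the resulting entry so you can confirm it. The thumbprint is a placeholder; the identities and rights in the calls at the bottom are the ones the paper lists.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Laserfiche paper. $thumb below is a placeholder.
function Grant-PrivateKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $Identity,                       # e.g. 'IIS AppPool\FormsAppPool'
        [ValidateSet('Read', 'FullControl')] [string] $Rights = 'Read'   # least privilege by default
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My" }

    # Locate the key container on disk. CNG keys (RSACng) expose Key.UniqueName and live under
    # Crypto\Keys; legacy CSP keys expose CspKeyContainerInfo and live under Crypto\RSA\MachineKeys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $candidates = @("Keys\$($rsa.Key.UniqueName)", "SystemKeys\$($rsa.Key.UniqueName)")
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $candidates = @("RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)")
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }
    $keyFile = $candidates | ForEach-Object { Join-Path $cryptoRoot $_ } |
               Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key file for $Thumbprint not found under $cryptoRoot" }

    # Add the ACE (the same change the 'Manage private keys' dialog makes) and write it back.
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    # Return the resulting entry for this identity so the caller can confirm the grant.
    (Get-Acl -LiteralPath $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Rights as listed in the paper: Full Control for FormsAppPool, Read for the others. Read is all a
# process needs to use a key for TLS, so do not widen the Read grants.
$thumb = 'REPLACE_WITH_CERTIFICATE_THUMBPRINT'   # placeholder, 40 hex characters from IIS Manager or Cert:\
Grant-PrivateKeyAccess -Thumbprint $thumb -Identity 'IIS AppPool\FormsAppPool'             -Rights FullControl
Grant-PrivateKeyAccess -Thumbprint $thumb -Identity 'IIS AppPool\WebAccessAppPool'         -Rights Read
Grant-PrivateKeyAccess -Thumbprint $thumb -Identity 'IIS AppPool\LicenseManagerSTSAppPool' -Rights Read
```

The IIS AppPool\Name identities only resolve once the application pool exists, so create the pools (or install the product) before running this; for the Directory Server service user pass the domain account name instead.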

Configuring SSL/TLS Encryption in Laserfiche
January 2019

Author: Leif Hancox-Li

Description:
This paper describes how to configure SSL or TLS for connections between different Laserfiche products, connections between a Laserfiche server and an SQL Server, and client connections to Laserfiche.

Laserfiche
3545 Long Beach Blvd.
Long Beach, CA 90807
U.S.A.

Phone: +1.562.988.1688
www.laserfiche.com

Laserfiche is a trademark of Compulink Management Center, Inc. Various product and service names referenced herein may be trademarks of Compulink Management Center, Inc. All other product and service names mentioned may be trademarks of their respective owners.

Laserfiche makes every effort to ensure the accuracy of these contents at the time of publication. They are for information purposes only and Laserfiche makes no warranties, express or implied, as to the information herein.

Copyright © 2018-2019 Laserfiche

All rights reserved