1. Introduction
Flow can be configured to use Secure Sockets Layer (SSL) certificates for encryption between its components and clients. This tech-note describes the principal points to follow for a successful configuration.
SSL is a communication protocol that allows secure communication over a network by encrypting network traffic. The data is scrambled so that third parties who intercept it cannot read it; only the intended recipient can. For the two systems to know how to encrypt and decrypt messages between each other, they must share a certificate that is used as a key to "unlock" and "lock" messages.
A certificate can be privately generated, or bought from and provisioned by a certificate authority. In both cases, that certificate is installed on all devices/systems that use encrypted communication.
To enable SSL encryption in Flow, the certificate should be installed on the Flow platform(s) and on all other devices and systems that access Flow via the browser, and the HTTPS setting needs to be enabled on the Flow platforms as well.
There are 4 main steps that you will need to follow to enable SSL on the Flow Information Platform:
- Create / Acquire and Install the SSL certificate
- Bind the certificate to the Flow bootstrap and Flow Server ports
- Enable HTTPS on the Flow Platform
- Share the certificate with other systems.
These steps are described in greater detail in the following sections.
2. Create / Acquire and Install a certificate
For this tech-note, we use a self-signed certificate generated via IIS. To create one, you will need a server that has IIS and IIS Manager installed. For certificates issued by an external authority, the import procedure outlined in section 4 will need to be followed first; then proceed from section 2.
1. In IIS Manager, select the server's name and double-click the Server Certificates feature.
2. From the Actions pane, click Create Self-Signed Certificate.
3. Give it a friendly name, then click OK.
3. Binding the certificate to the Flow Server and Bootstrap
This step applies only to the Flow platforms: the certificate needs to be bound to the hostname or IP address and port, which indicates to Flow which certificate to use for communication.
Self-signed certificates
1. From the IIS Manager's Server Certificates section, right-click the newly created certificate, then click View.
2. Click the Details tab, then copy the Thumbprint from the property list.
3. Remove any dashes, slashes or spaces that may be used to group the thumbprint characters.
Publicly issued certificates
1. Open the Run dialog (Windows + R) and type certlm.msc into the Open field.
2. Navigate to the Certificates folder under Trusted Root Certification Authorities.
3. Select and right-click the certificate that will be used for binding.
NB: This is the certificate that was issued by a certificate authority and was manually imported onto the server.
4. Binding the certificate
1. Open PowerShell as an administrator.
2. Run the following command to retrieve Flow's application ID (the IdentifyingNumber column).
Table 1: Retrieving the Flow AppID
Get-WmiObject Win32_Product -Filter "Name LIKE '%Flow%'" | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
3. Run the following command in the PowerShell window, replacing {Certificate Thumbprint} with the thumbprint copied earlier, {Flow AppID} with the IdentifyingNumber from Table 1, and IPAddress with the platform's address. The command will need to be executed for both the bootstrap and the Flow Server port; the defaults are 4501 and 80 but may differ depending on the organization.
Table 2: Binding on the Flow Bootstrap Port
netsh http add sslcert ipport=IPAddress:4501 certhash={Certificate Thumbprint} appid='{Flow AppID}' certstorename=MY
Table 3: Binding on the Flow Server Port
netsh http add sslcert ipport=IPAddress:80 certhash={Certificate Thumbprint} appid='{Flow AppID}' certstorename=MY
4. To bind the certificate only to the Flow Platform hostname, use the following commands instead. You will need to use the fully qualified domain name if the server is on a domain.
Table 4: Binding on the Flow Bootstrap Port
netsh http add sslcert hostnameport=ServerName:4501 certhash={Certificate Thumbprint} appid='{Flow AppID}' certstorename=MY
Table 5: Binding on the Flow Server Port
netsh http add sslcert hostnameport=ServerName:80 certhash={Certificate Thumbprint} appid='{Flow AppID}' certstorename=MY
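The thumbprint lookup, AppID lookup and both port bindings from this section, as an added PowerShell example that is not part of the tech-note or of Flow Software's own tooling. The friendly name "Flow SSL", the listening address 0.0.0.0 and the ports 4501/80 are assumptions to be adjusted for the environment.

```powershell
# Added example (not from the tech-note): find the certificate, normalise the thumbprint,
# look up the Flow AppID and bind the bootstrap and Flow Server ports with netsh.
#Requires -RunAsAdministrator

$FriendlyName = 'Flow SSL'   # assumed friendly name given in section 2
$ListenIp     = '0.0.0.0'    # assumed: all addresses; use the platform's IP if it has several
$Ports        = 4501, 80     # bootstrap and Flow Server defaults named in the tech-note

# 1. Certificate from the local machine Personal store (this is what certstorename=MY refers to).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the netsh binding would fail' }

# Thumbprint without the dashes/spaces the certificate viewer inserts (section 3, step 3).
$thumb = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 2. Flow AppID (IdentifyingNumber) via the same WMI query as Table 1.
# Caveat: enumerating Win32_Product makes Windows Installer re-validate every installed
# product, which is slow and writes MSI events to the Application log.
$product = Get-WmiObject Win32_Product -Filter "Name LIKE '%Flow%'" |
           Sort-Object Name | Select-Object -First 1
if (-not $product) { throw "No installed product matching '%Flow%' found" }
$appId = $product.IdentifyingNumber   # already in {GUID} form, as netsh expects

# 3. Bind (replacing any stale binding) on each port, then list the result.
foreach ($port in $Ports) {
    $ipport = "${ListenIp}:$port"
    netsh http show sslcert ipport=$ipport | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Replacing existing binding on $ipport"
        netsh http delete sslcert ipport=$ipport | Out-Null
    }
    netsh http add sslcert ipport=$ipport certhash=$thumb appid="$appId" certstorename=MY
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to bind $ipport" }
}
netsh http show sslcert   # confirm Certificate Hash and Application ID on both ports
```

Running netsh http show sslcert afterwards is the check to keep: the Certificate Hash shown must equal the thumbprint of the certificate that actually carries the private key, or the service will start without a usable TLS listener.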
5. Configuring HTTPS
The Flow Platform and bootstrap will now need to be configured to use HTTPS. The changes will need to be made from the Flow config tool and the bootstrap settings file, respectively.
1. From the Flow config tool, navigate to the System menu, then the Properties option.
2. Set the Use HTTPS setting to True.
3. Navigate to the Deployment view, then undeploy the platform.
4. From Windows Explorer, navigate to %ProgramFiles(x86)%\Flow Software\Flow\Bootstrap. Create a new text file, rename it to Bootstrap, then change the file extension to .settings (so the file is named Bootstrap.settings).
5. Open the file and add the line {useHttps: true}
6. Restart the Flow Bootstrap service and deploy the platform.
6. Sharing the certificate
The certificate will need to be imported on all devices that will communicate with the Flow bootstrap or server. Importing the certificate in Windows allows the user to communicate with the Flow bootstrap and server. All Flow administrators will need to have the certificate loaded into their Trusted Root Certification Authorities store. Once this is done, the Flow instance can be connected to and managed from the Flow config tool on the administrator's workstation.
Exporting
1. From the Flow server, navigate to the certificate in IIS Manager under the Server Certificates feature.
2. Right-click the certificate and click Export.
3. Select a location to export to, then click Open.
4. Provide a strong password to secure the certificate.
Importing to a Windows device
5. In Windows, open the Run dialog and type certlm.msc into the Open field.
6. Import the certificate into the Certificates folder under Trusted Root Certification Authorities.
7. You can now connect to the Flow instance from the config tool.
8. To access the Flow Server from a mobile device, the SSL certificate will first need to be installed on the server as well.
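The export-and-import procedure above, as an added PowerShell example that is not part of the tech-note. It departs from the steps in one deliberate way: the workstation receives only the public certificate (.cer, no private key), so the password-protected export with the private key never leaves the Flow server. The friendly name "Flow SSL", the share path and the hostname are assumptions.

```powershell
# Added example (not from the tech-note): share the server certificate with an
# administrator's workstation without its private key, then verify that it is trusted.

# --- On the Flow server: export the public certificate only.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq 'Flow SSL'  # assumed name
$cerPath = '\\fileshare\certs\flow-server.cer'                                            # assumed path
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
# Record the file hash so the administrator can confirm the copy was not altered in transit.
(Get-FileHash $cerPath -Algorithm SHA256).Hash

# --- On the administrator's workstation: import into the machine Trusted Root store
#     (the same store the tech-note's certlm.msc steps target).
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root

# Verify: the chain must now build without errors, and the subject must name the host
# that the config tool will connect to (assumed hostname below).
$expectedHost = 'flowserver.example.local'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($imported)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Certificate chain does not build; the import into Trusted Root did not take effect'
}
if ($imported.Subject -notmatch [regex]::Escape($expectedHost)) {
    Write-Warning "Subject '$($imported.Subject)' does not name $expectedHost; HTTPS name checks will fail"
}
"Trusted: $($imported.Subject) thumbprint $($imported.Thumbprint) valid until $($imported.NotAfter)"
```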