Blueprint Enterprise: Configuring HTTPS For More Than One Certificate
  • 26 Jun 2024

Introduction

In the course of implementing and/or expanding features and functions for the Blueprint Enterprise solution, it may be necessary to utilize more than one certificate for secure HTTP (HTTPS) communications. An example would be providing Pharos Print Center or Pharos Print app access to Apple iPhone or iPad users while keeping the original certificate configuration intact. This article describes how to do this for a successful deployment.

Phase I. Prepare Microsoft IIS

In this example, two HTTPS bindings will be created for Port 443. One will utilize a self-signed certificate that only contains the name of the server, and the other will utilize a wildcard certificate for an alternate domain name obtained from a third-party certificate provider.

  1. Ensure that all certificates and any necessary intermediate and root certificates have been imported for the server.

  2. Launch Internet Information Services (IIS) Manager.

  3. Expand the Sites group and select the appropriate web site. This is usually the "Default Web Site".

  4. Right-click the web site and choose "Edit Bindings..." from the shortcut menu. Alternatively, click the "Bindings..." link under Action > Edit Site. A dialog box similar to the one below will display.

    [Screenshot: the Site Bindings dialog]

    In this example, a binding has already been created for HTTPS using another certificate. This is fine. Ensure that it is configured like the one in this example:

    [Screenshot: the existing HTTPS binding as configured for this example]

  5. If no HTTPS binding has been defined yet, start with the self-signed certificate that contains the server’s fully-qualified DNS name. Click the “Add…” button.

  6. For “Type” choose “https.” Maintain “All Unassigned” for the “IP address” option and “443” for the Port designation. Keep the “Host name” field blank, which requires that the “Require Server Name Indication” box be unchecked. This step is important, or the Blueprint Server Configuration and other HTTPS-based tests will not operate correctly, as they are not web browsers, and so are not Server Name Indication (SNI) compliant.

  7. Choose the self-signed certificate in the “SSL certificate” drop-down menu. Your configured “Add Site Binding” dialog box will look like the one below:

    [Screenshot: the Add Site Binding dialog with the self-signed certificate selected]

  8. Click the “OK” button.

  9. Click the “Add…” button again.

  10. Choose “https” as the “Type.” This time, put the alternate fully-qualified name for the server in the “Host name” box and enable (tick) the “Require Server Name Indication” box.

  11. Choose the appropriate certificate in the “SSL certificate” drop-down menu. The “Add Site Binding” dialog box will look similar to the one below:

    [Screenshot: the Add Site Binding dialog with the alternate host name, SNI required and the wildcard certificate selected]

  12. Click the “OK” button. There will now be two HTTPS bindings for port 443 for the website. If desired, check a browser to ensure that both sites can be reached over HTTPS.


This concludes the IIS phase of the configuration. Close IIS Manager.
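The same two bindings, scripted with the WebAdministration PowerShell module as an added example that is not part of the original article; the site name, the alternate host name and the two thumbprints are placeholders to replace with your own values.

```powershell
# Added example (not from the Pharos article): scripts the two port-443 bindings of Phase I
# with the WebAdministration module. Site name, host name and thumbprints are placeholders.
Import-Module WebAdministration

$SiteName        = 'Default Web Site'
$AltHostName     = 'print.example.com'                # hypothetical alternate FQDN (wildcard cert)
$SelfSignedThumb = 'PLACEHOLDER_SELF_SIGNED_THUMBPRINT'
$WildcardThumb   = 'PLACEHOLDER_WILDCARD_THUMBPRINT'

function Assert-CertInMachineStore([string]$Thumbprint) {
    # Step 1 of the article: the certificate must already be imported into LocalMachine\My.
    if (-not (Test-Path "Cert:\LocalMachine\My\$Thumbprint")) {
        throw "Certificate $Thumbprint is not in Cert:\LocalMachine\My"
    }
}

function Get-HttpsBinding([string]$Site, [string]$HostHeader) {
    # Match on bindingInformation ("*:443:<host>") so a blank host header is compared exactly.
    Get-WebBinding -Name $Site -Protocol https |
        Where-Object { $_.bindingInformation -eq "*:443:$HostHeader" }
}

Assert-CertInMachineStore $SelfSignedThumb
Assert-CertInMachineStore $WildcardThumb

# Binding 1 (steps 5-8): blank host name, SNI not required (SslFlags 0). Non-SNI clients such
# as the Blueprint Server Configuration tests are served this certificate.
if (-not (Get-HttpsBinding $SiteName '')) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' -SslFlags 0
}
(Get-HttpsBinding $SiteName '').AddSslCertificate($SelfSignedThumb, 'My')

# Binding 2 (steps 9-12): alternate host name with SNI required (SslFlags 1), wildcard certificate.
if (-not (Get-HttpsBinding $SiteName $AltHostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $AltHostName -SslFlags 1
}
(Get-HttpsBinding $SiteName $AltHostName).AddSslCertificate($WildcardThumb, 'My')

# Check: HTTP.sys should now list an "IP:port : 0.0.0.0:443" entry for the self-signed
# certificate and a "Hostname:port : print.example.com:443" entry for the wildcard certificate.
netsh http show sslcert
```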

Phase II. Configure Blueprint Enterprise

There are seven (7) configuration files that must be edited for Blueprint in order to support multiple bindings to the HTTPS port. They are:

  • C:\Program Files (x86)\PharosSystems\Blueprint\Services\TrackerService\web.config

  • C:\Program Files (x86)\PharosSystems\IPP Service\web.config

  • C:\Program Files (x86)\PharosSystems\MpsProxy\web.config

  • C:\Program Files (x86)\PharosSystems\ProvisioningService\web.config

  • C:\Program Files (x86)\PharosSystems\IdentityService\web.config

  • C:\Program Files (x86)\PharosSystems\Blueprint\Services\BediService\web.config

  • C:\Program Files (x86)\PharosSystems\PrintCenter\WebApp\Web.config

Fortunately, the edit within each is the same. To prevent issues while editing, ensure the following are true before beginning:

  1. The Pharos System TaskMaster service is stopped.

  2. The web server is stopped.

  3. Notepad, or the text editor of choice, is running "As Administrator" so that edits can be saved directly into the privileged locations.

The web.config file is an XML-formatted configuration file used by .NET-hosted services to define their runtime settings. The setting that matters here, multipleSiteBindingsEnabled, allows more than one certificate binding on a designated port. Within the .NET framework it is an attribute of the serviceHostingEnvironment element, which is a child of the system.serviceModel element, which is in turn a child of the configuration element. Case is significant and must be followed exactly. The basic format is:

<configuration>
    <system.serviceModel>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    </system.serviceModel>
</configuration>

With Notepad launched as an administrator, open each file in turn. Some do not contain the system.serviceModel element; for those, the configuration items above can simply be added either at the top or at the bottom of the <configuration> element's section (bottom is recommended). Where system.serviceModel already exists, place the serviceHostingEnvironment line inside it rather than adding a second system.serviceModel element. Once the edit has been made, save the file and move on to the next.

When complete, start the web services and restart the Pharos System TaskMaster service as well. Perform a Test in the Blueprint Server Configuration utility to ensure that all tests remain successful.
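An added example (not from the original article) that applies the same edit to all seven files in one pass, reusing an existing system.serviceModel or serviceHostingEnvironment element instead of inserting a duplicate; the file paths are those listed above, and the backup naming is this example's own choice.

```powershell
# Added example (not from the Pharos article): applies the Phase II web.config edit to the
# seven files the article lists. Run from an elevated prompt after stopping TaskMaster and IIS.
$ConfigFiles = @(
    'C:\Program Files (x86)\PharosSystems\Blueprint\Services\TrackerService\web.config',
    'C:\Program Files (x86)\PharosSystems\IPP Service\web.config',
    'C:\Program Files (x86)\PharosSystems\MpsProxy\web.config',
    'C:\Program Files (x86)\PharosSystems\ProvisioningService\web.config',
    'C:\Program Files (x86)\PharosSystems\IdentityService\web.config',
    'C:\Program Files (x86)\PharosSystems\Blueprint\Services\BediService\web.config',
    'C:\Program Files (x86)\PharosSystems\PrintCenter\WebApp\Web.config'
)

function Enable-MultipleSiteBindings {
    param([Parameter(Mandatory)][string]$Path)

    # XmlDocument keeps element casing and nesting exact, which the article stresses.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)

    $cfg = $xml.DocumentElement
    if ($cfg.Name -ne 'configuration') {
        throw "$Path : root element is <$($cfg.Name)>, expected <configuration>"
    }

    # Reuse an existing <system.serviceModel>; otherwise append one at the bottom of
    # <configuration>, the placement the article recommends.
    $sm = $cfg.SelectSingleNode('system.serviceModel')
    if (-not $sm) { $sm = $cfg.AppendChild($xml.CreateElement('system.serviceModel')) }

    # Likewise reuse <serviceHostingEnvironment> so the file never gets a duplicate element.
    $she = $sm.SelectSingleNode('serviceHostingEnvironment')
    if (-not $she) { $she = $sm.AppendChild($xml.CreateElement('serviceHostingEnvironment')) }

    if ($she.GetAttribute('multipleSiteBindingsEnabled') -eq 'true') {
        return "$Path : already enabled, no change"
    }

    # Back up the privileged file before writing, then set the attribute and save in place.
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    $she.SetAttribute('multipleSiteBindingsEnabled', 'true')
    $xml.Save($Path)
    return "$Path : updated"
}

foreach ($file in $ConfigFiles) {
    if (Test-Path -LiteralPath $file) { Enable-MultipleSiteBindings -Path $file }
    else { Write-Warning "Not found, skipped: $file" }
}
```

After the script reports each file as updated or already enabled, start IIS and TaskMaster and run the Blueprint Server Configuration tests as described above.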

GOAL

  • Properly configure a Blueprint server with two certificates for HTTPS use.

SYMPTOMS/ERRORS

  • Tracker Web Service fails health test

  • Tracker REST API fails health test

  • Pharos IPP service fails health test

  • Certificate errors when accessing secured web sites

  • Application Pool fails to start when more than one certificate is bound to HTTPS

  • "The remote server returned an error: (500) Internal Server Error"
