Using the Site Security Utility to create a strong password for additional security
  • 05 Apr 2024


Summary:

By default, all servers will construct a server-to-server password to authenticate the connection. The Site Security Utility improves upon this password by creating a cryptographically strong, unique password for server-to-server communication. However, the password must be copied to all servers. This is the recommended approach.

  • Start by running the tool (SiteSecurityUtility.exe) on the first PharosAPI server with no parameters. The utility will generate a strong password.

  • Record this password.

  • Run the tool again on all other PharosAPI and MobilePrint servers, passing in the password generated in the first step.

Details:

  1. Copy the file SiteSecurityUtility.exe to each server where the PharosAPI has been installed (and MobilePrint server if this is separate).

  2. On the first server, open a Command Prompt window as administrator, and run SiteSecurityUtility.exe without giving any parameters.

  3. This will create a random base64 encoded string, and will store a hash of this string in the PharosSystems registry.

    • The created random string is output to the Command Prompt window.

  4. COPY this string and store it somewhere secure for future use, as it must be passed as a parameter when running the utility on subsequent servers.

    • You cannot compare the registry entry on one server with that on another server as each is hashed differently.

    • The tool also produces a verification hash which can be used to compare the result of runs on subsequent servers with the result on the first server to ensure exactly the same value was added, hashed, to the registry.

  5. Use the random string output from the Command Prompt window on the first server to run the tool on additional servers:

    • On all other servers, run the SiteSecurityUtility.exe tool from an elevated Command Prompt, and this time pass the 'random string' copied from the first server as a parameter. For example:

      • SiteSecurityUtility.exe wJKwbu5qnYsEHXN55ObvWN1fviS45SzybSIKrTWOf/7YJZa6gTrbx7beRwNgGbJ2TicQLyzeZ61Cl29H2GGDPQ==

  6. Once it runs, you can compare the verification hash output in the command prompt window with the verification hash produced on the first server. Ensure these match.

  7. If you need to change the password, you can re-run the tool. Repeat the steps above (first server with no parameters, subsequent servers with the copied string output from the first). In this case, an IIS (or app pool) restart is required for the changes to apply.
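
The page does not document the utility's algorithms, so the following is an added illustration, not Pharos code. It assumes a per-server random salt (PBKDF2) for the value stored in the registry and an unsalted SHA-256 digest for the verification hash, to show why registry entries differ between servers while verification hashes match, and how a bad paste is caught in step 6. All function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

def generate_site_password() -> str:
    """64 bytes from the OS CSPRNG, base64-encoded (88 characters)."""
    return base64.b64encode(secrets.token_bytes(64)).decode("ascii")

def registry_hash(password: str) -> str:
    """Assumed storage form: PBKDF2-HMAC-SHA256 with a fresh salt per run."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return base64.b64encode(salt + digest).decode("ascii")

def verification_hash(password: str) -> str:
    """Assumed verification form: unsalted SHA-256, same on every server."""
    return hashlib.sha256(password.encode()).hexdigest()

def run_on_server(password: Optional[str] = None) -> dict:
    """Model one run: generate when no parameter is given, else reuse it."""
    if password is None:
        password = generate_site_password()
    return {
        "password": password,
        "registry": registry_hash(password),
        "verification": verification_hash(password),
    }

def same_secret(first: dict, other: dict) -> bool:
    """Compare two runs by verification hash, in constant time."""
    return hmac.compare_digest(first["verification"], other["verification"])

if __name__ == "__main__":
    first = run_on_server()                    # first server, no parameter
    second = run_on_server(first["password"])  # later server, pasted string
    # Constructed copy error: the trailing '==' padding was lost in the paste.
    truncated = run_on_server(first["password"][:-2])
    print("registry values equal:   ", first["registry"] == second["registry"])
    print("verification match:      ", same_secret(first, second))
    print("truncated paste detected:", not same_secret(first, truncated))
```
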

The Site Security Utility is supported by Pharos API versions 4.11.23 or later, and 5.0.26 or later.

When running the Site Security Utility for the first time on a server, the Pharos API (and MobilePrint services) will pick up the change automatically. No restarts are needed. If you run the tool a second or subsequent time on the server, the Pharos API app pool will need to be recycled or IIS restarted (or the MobilePrint services restarted).

After the update is applied to the Pharos API servers, unpatched versions of MobilePrint will continue to function until either the MobilePrint services or IIS on the Pharos API server are restarted.

