Setting up MTWeb to use SSL/TLS Certificates or HTTPS
Information sent to and from a web server using basic configuration is not encrypted. You can configure your web server to use Transport Layer Security (TLS) to encrypt web traffic. Instead of communicating on the default web port (80), your web server will use the default secure port (443).
Note: Using TLS for your web server encrypts your web traffic; however, the encryption of MassTransit file transfers is configured separately in the MassTransit Administrator. For more information on how to do this, refer to Setting up MTWeb for TLS File Transfer.
Note: To serve TLS and non-TLS traffic simultaneously, two installations of the MTWeb folder are required, each with their own mtweb.ini file. This configuration is not officially supported and is not covered by this document.
Before setting up a secure IIS web server for MTWeb
Configure a working basic web configuration. For more information on how to do this, refer to Installing MTWeb or Upgrading MTWeb.
Choose a port that you will use for your secure web traffic. The default port for secure traffic is 443. In a normal configuration, MassTransit and the web server use different ports. If you need to run both on the same port, refer to Setting up MTWeb with Multi-homing.
Obtain a signed certificate file in the .pfx format. For more information on generating or obtaining these files, refer to Appendix B: Generating SSL Keys for IIS.
Confirm that you are running IIS 6 or later.
Configuring IIS for secure connections
This procedure covers Windows Server 2008 to Windows Server 2016.
Import your SSL certificate.
Open the IIS Manager from Windows Start > Administrative Tools > IIS Manager.
In the IIS Manager Connections pane, click the server name, and then double-click the Server Certificates icon in the main pane.
In the Actions pane, choose Import…
Enter the path to the certificate file and the password for the certificate.
Click OK.
In the IIS Manager Connections pane, expand the server name, expand Sites, and then click the Default Web Site.
In the Actions pane, click Bindings…
In the Site Bindings dialog box, click Add…
Under Type, choose https.
Under IP address, choose the IP address of your server.
Note: If you have more than one IP address on your machine, and you want to use your MTWeb site with SSL on all of them, choose All Unassigned.
In the Port field, enter the port you want to use for the secure web server. The default is 443.
Under SSL certificate, from the drop-down list, choose your certificate.
Click OK, and then click Close.
In the Connections pane, click Default Web Site. In the Default Web Site Home pane, double-click SSL Settings.
Under SSL Settings, select the Require SSL check box.
[Skip this step if you are configuring MTWeb on IIS 7.5 or later] Check Require 128-bit SSL to disable low-security encryption.
Under Client certificates, choose the option you prefer for your server.
Click Apply to save the new settings.
Restart IIS so that the new settings are loaded. To do so, go to the IIS Manager Connections pane, and then click Default Web Site. Then, in the Actions pane, navigate to the Manage Web Site section, and click Restart.
IIS is now ready to accept secure web traffic on the port you specified. For more information on SSL for IIS, refer to IIS online help.
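The same procedure can be scripted. The following PowerShell is an added example, not part of the original MassTransit documentation; it assumes Windows Server 2012 or later, an elevated session, and a placeholder certificate path, and it uses the WebAdministration and PKI cmdlets that ship with Windows.

```powershell
# Added example, not vendor code. Assumes Windows Server 2012 or later and an
# elevated session. $pfxPath is a placeholder; adjust $port and $ip to your setup.
Import-Module WebAdministration

$pfxPath  = 'C:\certs\mtweb.pfx'   # placeholder path to the signed .pfx file
$siteName = 'Default Web Site'
$port     = 443                    # the secure port chosen earlier
$ip       = '*'                    # '*' is what IIS Manager shows as All Unassigned

# Do not touch a site that already has an https binding on this port.
if (Get-WebBinding -Name $siteName -Protocol https -Port $port) {
    throw "An https binding on port $port already exists; review it in IIS Manager."
}

# Import the certificate into the machine's Personal store (the Import... step).
$pfxPassword = Read-Host -Prompt 'Certificate password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My

# Stop before binding a certificate that IIS could not serve.
if (-not $cert.HasPrivateKey) { throw 'The .pfx file contains no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Add the https binding and attach the certificate (the Bindings... step).
New-WebBinding -Name $siteName -Protocol https -IPAddress $ip -Port $port
(Get-WebBinding -Name $siteName -Protocol https -Port $port).AddSslCertificate(
    $cert.Thumbprint, 'My')

# Require SSL for the site (the SSL Settings step). 'Ssl' leaves client
# certificates ignored; change the value if you chose another option.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Restart the site so that the new settings are loaded.
Stop-Website -Name $siteName
Start-Website -Name $siteName

# Report the resulting binding and SSL requirement for review.
Get-WebBinding -Name $siteName -Protocol https |
    Format-List protocol, bindingInformation, certificateHash
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

The certificateHash printed at the end should match the thumbprint of the certificate you imported.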
Verifying your setup
Open a web browser.
In the address bar, enter https://localhost. If you are using a port different from 443, specify it explicitly. For example, https://localhost:xxx where xxx is the port you are using.
Note: If you chose a particular IP address for the secure connection in step 3c, ensure that you type this address instead of localhost.
Now you can see the MassTransit login page and you are able to log in with a configured web client login and password. After a successful login, you can start uploading and downloading files.