
How to Set Up TLS For Application Server ~ OnBase 18.0.1.46 SP 1 on Windows 2016 Server

Michael_Snyder
Star Contributor

Hello,

Hope everyone is well in these times.  I have OnBase 18.0.1.46 SP 1 up and running on Windows 2016 Server.  This server effectively is both the Web and Application server in one. 

I am setting up TLS after-the-fact of installing it.  It is working fine with the Web Server component.  

Now, I'd like to set it up for the Application Server component.  I am unable to find any documentation at this time.  I'd simply like to know the different configuration settings and all the touch points to get this working. 

For instance, in Configuration and under "Utils | Application Server | Application Server Configuration" I simply changed my Application Server path from "http://<server name>/AppServer/service.asmx" to "https://<URL DNS Alias>/AppServer/service.asmx" but that results in an error while attempting to open a document in the Thick Client as "System.Net.WebException: The underlying connection was closed. Could not establish trust relationship for the SSL/TLS secure channel.  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure."

What settings must be made in the web.config file under C:\inetpub\wwwroot\AppServer?  Are there any additional settings under WAMCon (Web Application Console) that I need to focus on/modify?  Are there any changes or areas under IIS Manager for the site/application pool?  

I'd appreciate narrowing this down to the requirements for getting this up and working.  

Many thanks and be safe!

Mike

 

7 REPLIES

AdamShaneHyland
Employee

Hi Mike.

When setting HTTPS there are two parts; 1) setting the bindings in IIS to use an appropriate certificate for the server and 2) disabling the AllowInsecureConnection by setting it to FALSE in the web.config.  This is the same process for both the Web Server and the Application Server.  With the Web Server you also have to update the dmsVirtualRoot to HTTPS:// and if you are using HTTPS to the Application Server you will have to update the Application Server URL to point to HTTPS://.

For the clients (Unity Client, OnBase Thick Client, etc), you will have to update the referenced Application Server URL to use HTTPS://. For the Unity Client this is done in the .config file and for the OnBase Thick Client this is typically performed in Configuration by updating the Config | Utils | Application Server URL.

If you are running into issues, try browsing to the HTTPS://appserver.domain.com/AppServer/Service.asmx page.  If you run into certificate issues, then you will have to investigate why the URL is not binding correctly when using the certificate.  

Take care.
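
An added diagnostic, not part of the reply above and not OnBase tooling: this PowerShell runs a TLS handshake through .NET's own certificate validation, the procedure named in the Thick Client error, and reports which check failed. The host name is a placeholder for the host portion of the Application Server URL; run it on the workstation where the Thick Client fails.

```powershell
# Placeholder values: use the host exactly as it appears in the Application
# Server URL set in Configuration (or passed on -APPSRV_URL).
$HostName = 'appserver.domain.com'
$Port     = 443

$script:seen = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $script:seen = [pscustomobject]@{
        Subject         = $cert.Subject
        SubjectAltNames = if ($san) { $san.Format($false) } else { '(none)' }
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        PolicyErrors    = $sslPolicyErrors.ToString()
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    # Return the real verdict so the handshake fails exactly when a client's would
    return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    try {
        # The name passed here is what the certificate is matched against
        $ssl.AuthenticateAsClient($HostName)
        "Handshake OK, protocol: $($ssl.SslProtocol)"
    } catch {
        "Handshake FAILED: $($_.Exception.GetBaseException().Message)"
    } finally {
        $ssl.Dispose()
    }
} finally {
    $tcp.Dispose()
}

# What the server presented and how this machine judged it
$script:seen | Format-List
```

A PolicyErrors value of RemoteCertificateNameMismatch means the host in the URL is not covered by the certificate's subject or SAN entries. RemoteCertificateChainErrors means this workstation does not trust the issuing chain, and ChainStatus gives the reason.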

Michael_Snyder
Star Contributor

Thanks Adam, 

I believe I covered all that you have in your response, except I did not set  AllowInsecureConnection by setting it to FALSE.

I modified this value in the web.config under C:\inetpub\wwwroot\AppServer...

<add key="AllowInsecureConnection" value="false" />

THIS IS THE OTHER SETTING THAT I HAD ALREADY ADDED UNDER THE <appSettings> section...

<add key="dmsVirtualRoot" value="https://<URL Alias in DNS>/AppServer" />

 

I did an IISReset but I am still receiving the following error while trying to open a document in the Thick Client when I attempt to open any document...

 

"System.Net.WebException: The underlying connection was closed. Could not establish trust relationship for the SSL/TLS secure channel.  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure."

 

I do not seem to be having any issue while using the following in my IE Browser...

https://<URL Alias in DNS>/AppServer/service.asmx

 

Here is what comes up...

 

The following operations are supported. For a formal definition, please review the Service Description.


This web service is using http://tempuri.org/ as its default namespace.

Recommendation: Change the default namespace before the XML Web service is made public.

Each XML Web service needs a unique namespace in order for client applications to distinguish it from other services on the Web. http://tempuri.org/ is available for XML Web services that are under development, but published XML Web services should use a more permanent namespace.

Your XML Web service should be identified by a namespace that you control. For example, you can use your company's Internet domain name as part of the namespace. Although many XML Web service namespaces look like URLs, they need not point to actual resources on the Web. (XML Web service namespaces are URIs.)

For XML Web services creating using ASP.NET, the default namespace can be changed using the WebService attribute's Namespace property. The WebService attribute is an attribute applied to the class that contains the XML Web service methods. Below is a code example that sets the namespace to "http://microsoft.com/webservices/":

C#

[WebService(Namespace="http://microsoft.com/webservices/")]
public class MyWebService {
    // implementation
}

Visual Basic

<WebService(Namespace:="http://microsoft.com/webservices/")> Public Class MyWebService
    ' implementation
End Class

C++

[WebService(Namespace="http://microsoft.com/webservices/")]
public ref class MyWebService {
    // implementation
};

For more details on XML namespaces, see the W3C recommendation on Namespaces in XML.

For more details on WSDL, see the WSDL Specification.

For more details on URIs, see RFC 2396.

-----------------------------------------------------------------------------------------------------------------------------------------------------------

WHEN I CLICK ON EXECUTE THIS IS THE RESULT WHICH SEEMS NORMAL...

 

Execute

 

Test

To test the operation using the HTTP POST protocol, click the 'Invoke' button.
Parameter    Value
strXML:
 

SOAP 1.1

The following is a sample SOAP 1.1 request and response. The placeholders shown need to be replaced with actual values.

POST /AppServer/service.asmx HTTP/1.1
Host: <URL Alias in DNS>
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://tempuri.org/Execute"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Execute xmlns="http://tempuri.org/">
      <strXML>string</strXML>
    </Execute>
  </soap:Body>
</soap:Envelope>

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ExecuteResponse xmlns="http://tempuri.org/">
      <ExecuteResult>string</ExecuteResult>
    </ExecuteResponse>
  </soap:Body>
</soap:Envelope>

SOAP 1.2

The following is a sample SOAP 1.2 request and response. The placeholders shown need to be replaced with actual values.

POST /AppServer/service.asmx HTTP/1.1
Host: <URL Alias in DNS>
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <Execute xmlns="http://tempuri.org/">
      <strXML>string</strXML>
    </Execute>
  </soap12:Body>
</soap12:Envelope>

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <ExecuteResponse xmlns="http://tempuri.org/">
      <ExecuteResult>string</ExecuteResult>
    </ExecuteResponse>
  </soap12:Body>
</soap12:Envelope>

HTTP GET

The following is a sample HTTP GET request and response. The placeholders shown need to be replaced with actual values.

GET /AppServer/service.asmx/Execute?strXML=string HTTP/1.1
Host: <URL Alias in DNS>

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://tempuri.org/">string</string>

HTTP POST

The following is a sample HTTP POST request and response. The placeholders shown need to be replaced with actual values.

POST /AppServer/service.asmx/Execute HTTP/1.1
Host: <URL Alias in DNS>
Content-Type: application/x-www-form-urlencoded
Content-Length: length

strXML=string

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://tempuri.org/">string</string>

 

 

Would there be any other settings in the web.config file for AppServer and/or IIS settings that I need to verify?

 

MANY THANKS Adam!!!

 

Mike

 

 

 

AdamShaneHyland
Employee

Hi Mike.

I'm not aware of anything else which would cause a problem with using TLS if you are able to connect via a browser.  You can use a tool like Fiddler to watch the HTTP(S) traffic from a client to the server which is how the OnBase Thick Client would communicate with the Application Server to verify that you are connecting to the right Application Server.  

Another option you can use is the following OnBase Thick Client command line switches.

-APPSRV_URL="https://server.domain.com/AppServer/Service.asmx"

-APPSRV_DSN="OnBaseDatasourceOnApplicationServer" 

These specify the Application Server URL and the Application Server datasource.  These values are the same as those configured within Configuration | Utils | Application Server, but the values on the command line will take precedence.  This in combination with Fiddler could be helpful to troubleshoot the issue and validate what is wrong.

Keep in mind that there are Operating System settings which can play a role in what protocols are supported.  However, if you are able to browse to the Application Server's service page without any prompts or errors then the version of TLS should be supported.

Take care.

Michael_Snyder
Star Contributor

Thank you Adam,

I see your URL is -APPSRV_URL="https://server.domain.com/AppServer/Service.asmx"

I am using a DNS Alias for the "server" portion.  That is working fine for appnet (Web configuration).

As an example, the webconfig for my appnet webconfig is using onbasedev.domain.com.  I have created a URL Alias in DNS set up for "onbasedev.domain.com.*" that redirects to my web/app server with a host/server name of "obwebapp01".  I am using a wild card cert on the Web/App Server on port 443.

Would you suggest trying the appserver web.config to use the server.domain.com as "obwebapp01.domain.com" instead of "onbasedev.domain.com"?

I do not have separate hosts/servers for my Web Server and App Server (they reside on the same VMware Windows 2016 virtual server, thus both have same virtual IP - thus one host/server is effectively a Web/App server).  Therefore, is there really any advantage to using TLS for the application component?  Could I simply keep the WebServer (appnet) using TLS and AppServer configuration not using TLS?

MANY THANKS for all your help and ALL you do on the community site.

Be well,

Mike