
Warning

Please note that some of these configuration changes may be reverted when upgrading the installed software.
Make sure to back up the changes before you start the upgrade. After it concludes, examine the corresponding files and restore any customizations that the process may have reverted.

Supervisor 2.3 and up

Supervisor 2.3 changes how HTTPS is configured for Supervisor. The installer does not support configuring HTTPS automatically; however, HTTPS can be configured manually:

...

To manually configure HTTPS do the following:

  1. Configure HTTPS for the ayfie Authority Service as described in How to configure HTTPS for the ayfie Authority Service (/wiki/spaces/PLATFORM/pages/1711112458).
  2. The same guide applies to the other services. Create an appsettings.Custom.json for each of these services. You can use the same certificate for all services.
  3. Notification Service. Make sure the user running the service has read permission to the certificate.

    Notification Service appsettings.Custom.json:
    {
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9781,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      }
    }


  4. ReportEngine Service. Make sure the user running the service has read permission to the certificate.

    ReportEngine Service appsettings.Custom.json:
    {
      "ReportEngineUISettings": {
        "UserInterfaceBaseUrl": "https://supervisor.example.com/supervisor"
      },
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "NotificationSettings": {
        "NotificationServiceBaseUrl": "https://supervisor.example.com:9781"
      },
      "ResourceSettings": {
        "ResourceServiceBaseUrl": "https://supervisor.example.com:9780"
      },
      "SchedulerSettings": {
        "SchedulerServiceBaseUrl": "https://supervisor.example.com:9779"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9777,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      },
      "LocatorSettings": {
        "LocatorBaseUrl": "https://supervisor.example.com"
      },
      "ReportSnapshotViewerUrl": "https://supervisor.example.com/supervisor/viewer/{reportSnapshotId}"
    }


  5. Resource Service. Make sure the user running the service has read permission to the certificate.

    Resource Service appsettings.Custom.json:
    {
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9780,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      }
    }


  6. Scheduler Service. Make sure the user running the service has read permission to the certificate.

    Scheduler Service appsettings.Custom.json:
    {
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9779,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      }
    }


  7. Edit <<Program Files>>\ayfie\Locator\InsightWebUI\wwwroot\assets\config.json. This file has no Custom override file. Change all of the URLs to https URLs (see examples below):

    InsightWebUI config.json:
    {
      "ModuleIdentifier": {
        "id": "6ac14b34-920d-4886-aa04-a752a57315f2",
        "name": "Supervisor"
      },
      "authorization": {
        "authorityServer": "https://supervisor.example.com:9789",
        "redirectUrl": "https://supervisor.example.com/supervisor/login",
        "clientId": "report_engine_implicit",
        "responseType": "id_token token",
        "scope": "openid profile report_engine authority.provision_user authority.read_user_all report_engine.read report_engine.create_report report_engine.delete_report report_engine.export_report report_engine.write_dashboard scheduler.read scheduler.create_schedule scheduler.delete_schedule scheduler.pause_schedule notification.read notification.write_smtp_configuration notification.write_email",
        "postLogoutRedirectUri": "https://supervisor.example.com/supervisor/login",
        "enableSilentRenew": false,
        "silentRenewUrl": "https://supervisor.example.com/supervisor/silent-renew.html",
        "silentRenewOffsetInSeconds": 10,
        "logConsoleDebugActive": false,
        "maxIdTokenIatOffsetAllowedInSeconds": 100
      },
      "searchRestApiHost": "https://supervisor.example.com",
      "resourceRestApiHost": "https://supervisor.example.com:9780",
      "reportRestApiHost": "https://supervisor.example.com:9777",
      "notificationRestApiHost": "https://supervisor.example.com:9781",
      "schedulerConfig": {
        "schedulerRestApiHost": "https://supervisor.example.com:9779",
        "emailFeatureOn": true
      },
      "snapshotDataViewRowsLimit": 500
    }


  8. Set up an HTTPS binding for the Default Web Site in IIS.
  9. In Supervisor 2.3 SR3 an IIS Rewrite rule was introduced to redirect all URLs to the canonical URL. The HTTPS configuration is probably not using the canonical URL, so this rule needs to be disabled.
    a) Go to the supervisor application in IIS and go to IIS Rewrite.
    b) Disable the rule Redirect to canonical URL.
  10. Clear your browser cache and go to https://supervisor.example.com/supervisor
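
A consistency check for the files edited in steps 3 to 7, as an added example that is not part of the original guide or of ayfie's tooling: it flags any URL left on plain http and any https URL whose port has no matching `HttpServer` endpoint in the set of files. The function names, the `external` parameter and the sample data are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def walk_strings(node, path=""):
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}/{i}")
    elif isinstance(node, str):
        yield path, node

def lint_https(configs, external=()):
    """configs: {service: parsed JSON}; external: (host, port) set up elsewhere."""
    listeners, findings = set(external), []
    for name, cfg in configs.items():
        ep = cfg.get("HttpServer", {}).get("Endpoints", {}).get("Https")
        if ep:
            if ep.get("Scheme") != "https":
                findings.append(f"{name}: endpoint Scheme is not https")
            listeners.add((ep["Host"].lower(), int(ep["Port"])))
    for name, cfg in configs.items():
        for path, value in walk_strings(cfg):
            url = urlsplit(value)
            if url.scheme not in ("http", "https") or not url.hostname:
                continue
            if url.scheme == "http":
                findings.append(f"{name}{path}: still plain http")
            # A URL without a port is served by the IIS binding, so skip it.
            elif url.port and (url.hostname, url.port) not in listeners:
                findings.append(f"{name}{path}: no HTTPS listener on port {url.port}")
    return sorted(findings)

# Constructed sample: the page's values with two deliberate mistakes.
HOST = "supervisor.example.com"
def endpoint(port):
    return {"Endpoints": {"Https": {"Host": HOST, "Port": port, "Scheme": "https"}}}
SAMPLE = {
    "Notification": {
        "AuthoritySettings": {"AuthorityServiceBaseUrl": f"https://{HOST}:9789"},
        "HttpServer": endpoint(9781)},
    "ReportEngine": {
        "NotificationSettings": {"NotificationServiceBaseUrl": f"http://{HOST}:9781"},
        "SchedulerSettings": {"SchedulerServiceBaseUrl": f"https://{HOST}:9797"},
        "HttpServer": endpoint(9777)},
}
AUTHORITY = {(HOST, 9789)}  # configured through the separate Authority guide
print(lint_https(SAMPLE, AUTHORITY))
```

On a real installation, load each service's file with `json.load` and pass all of them in one call, so that a missing file shows up as a port without a listener.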

...

In the example below, replace the CERT_HASH value with the Thumbprint value. Remove the extra spaces. Then paste the code block in an elevated Command Prompt and run.

Update: You also need to pay attention to the certificate store. It defaults to "MY", but Let's Encrypt certificates are installed in Computer → WebHosting. This can be seen with this command:

netsh http show sslcert

Here you can see that the certificate we're interested in resides in certstore "WebHosting".


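REM Thumbprint of the certificate, with the spaces removed
SET CERT_HASH=C5211345EED22B07D23706E37E18C1D40D25465D
SET APP_ID={bfa7f0ce-bdd8-4dd9-866c-f944beae7f93}
REM Store that holds the certificate: MY by default, WebHosting for Let's Encrypt
SET CERT_STORE_NAME=MY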

netsh http add sslcert ipport=0.0.0.0:9777 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9778 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9779 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9780 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9781 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
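
To confirm the result afterwards, the output of `netsh http show sslcert` can be checked against the expected thumbprint and store. The following is an added example, not part of the original guide: it assumes the English field labels of netsh and that netsh prints `(null)` as the store name when `certstorename` was not given; the function names and the sample output are constructed.

```python
def parse_sslcert(text):
    """Parse `netsh http show sslcert` output into {binding: {field: value}}."""
    bindings, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # heading, separator or blank line
        key, value = key.strip(), value.strip()
        if key in ("IP:port", "Hostname:port"):
            current = bindings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return bindings

def check_bindings(text, ports, cert_hash, store):
    """Return findings for ports whose binding is missing or does not match."""
    bindings, findings = parse_sslcert(text), []
    for port in ports:
        b = bindings.get(f"0.0.0.0:{port}")
        if b is None:
            findings.append(f"{port}: no sslcert binding")
            continue
        if b.get("Certificate Hash", "").lower() != cert_hash.lower():
            findings.append(f"{port}: bound to a different certificate")
        # Assumption: netsh prints (null) when certstorename was not given (MY).
        name = b.get("Certificate Store Name", "(null)").replace("(null)", "MY")
        if name.lower() != store.lower():
            findings.append(f"{port}: store is {name}, expected {store}")
    return findings

# Constructed sample output; the hash on port 9779 is a made-up stale value.
CERT_HASH = "C5211345EED22B07D23706E37E18C1D40D25465D"
SAMPLE = """
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:9777
    Certificate Hash             : c5211345eed22b07d23706e37e18c1d40d25465d
    Application ID               : {bfa7f0ce-bdd8-4dd9-866c-f944beae7f93}
    Certificate Store Name       : WebHosting

    IP:port                      : 0.0.0.0:9779
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {bfa7f0ce-bdd8-4dd9-866c-f944beae7f93}
    Certificate Store Name       : (null)
"""
print(check_bindings(SAMPLE, range(9777, 9782), CERT_HASH, "WebHosting"))
```

A binding that still carries the previous thumbprint is the usual result of a certificate renewal, since the renewed certificate has a new thumbprint.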

...