ayfie SSL and HTTPS Configuration

Please note that some of these configuration changes may be reverted when upgrading the installed software.
Make sure to backup the changes before you start the upgrade, then after it concludes examine the corresponding files and restore any customizations that may have been reverted by the process.

Supervisor 2.3 and up

Supervisor 2.3 changes how HTTPS is configured for Supervisor. The installer does not configure HTTPS automatically; HTTPS can, however, be configured manually as follows.

The following services need to be configured with HTTPS:

  • ayfie Authority Service
  • ayfie Notification Service
  • ayfie ReportEngine Service
  • ayfie Resource Service
  • ayfie Scheduler Service

To manually configure HTTPS do the following:

  1. See the guide How to configure HTTPS for the ayfie Authority Service for that service.
  2. The same guide applies to the other services: create an appsettings.Custom.json for each of them. You can use the same certificate for all services.
  3. Notification Service. Make sure the user running the service has read permission to the certificate.

    Notification Service appsettings.Custom.json
    {
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9781,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      }
    }
  4. ReportEngine Service. Make sure the user running the service has read permission to the certificate.

    ReportEngine Service appsettings.Custom.json
    {
      "ReportEngineUISettings": {
        "UserInterfaceBaseUrl": "https://supervisor.example.com/supervisor"
      },
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "NotificationSettings": {
        "NotificationServiceBaseUrl": "https://supervisor.example.com:9781"
      },
      "ResourceSettings": {
        "ResourceServiceBaseUrl": "https://supervisor.example.com:9780"
      },
      "SchedulerSettings": {
        "SchedulerServiceBaseUrl": "https://supervisor.example.com:9779"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9777,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      },
      "LocatorSettings": {
        "LocatorBaseUrl": "https://supervisor.example.com"
      },
      "ReportSnapshotViewerUrl": "https://supervisor.example.com/supervisor/viewer/{reportSnapshotId}"
    }
  5. Resource Service. Make sure the user running the service has read permission to the certificate.

    Resource Service appsettings.Custom.json
    {
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9780,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      }
    }
  6. Scheduler Service. Make sure the user running the service has read permission to the certificate.

    Scheduler Service appsettings.Custom.json
    {
      "AuthoritySettings": {
        "AuthorityServiceBaseUrl": "https://supervisor.example.com:9789"
      },
      "HttpServer": {
        "Endpoints": {
          "Https": {
            "Host": "supervisor.example.com",
            "Port": 9779,
            "Scheme": "https",
            "StoreName": "My",
            "StoreLocation": "LocalMachine",
            "CertificateSerialNumber": "14f1eff1feea3740e982d36cdf244c0cffd2"
          }
        }
      }
    }
  7. Edit <<Program Files>>\ayfie\Locator\InsightWebUI\wwwroot\assets\config.json. This file has no Custom override file. Change all of the URLs to https URLs (see the example below):

    InsightWebUI config.json
    {
      "ModuleIdentifier": {
        "id": "6ac14b34-920d-4886-aa04-a752a57315f2",
        "name": "Supervisor"
      },
      "authorization": {
        "authorityServer": "https://supervisor.example.com:9789",
        "redirectUrl": "https://supervisor.example.com/supervisor/login",
        "clientId": "report_engine_implicit",
        "responseType": "id_token token",
        "scope": "openid profile report_engine authority.provision_user authority.read_user_all report_engine.read report_engine.create_report report_engine.delete_report report_engine.export_report report_engine.write_dashboard scheduler.read scheduler.create_schedule scheduler.delete_schedule scheduler.pause_schedule notification.read notification.write_smtp_configuration notification.write_email",
        "postLogoutRedirectUri": "https://supervisor.example.com/supervisor/login",
        "enableSilentRenew": false,
        "silentRenewUrl": "https://supervisor.example.com/supervisor/silent-renew.html",
        "silentRenewOffsetInSeconds": 10,
        "logConsoleDebugActive": false,
        "maxIdTokenIatOffsetAllowedInSeconds": 100
      },
      "searchRestApiHost": "https://supervisor.example.com",
      "resourceRestApiHost": "https://supervisor.example.com:9780",
      "reportRestApiHost": "https://supervisor.example.com:9777",
      "notificationRestApiHost": "https://supervisor.example.com:9781",
      "schedulerConfig": {
        "schedulerRestApiHost": "https://supervisor.example.com:9779",
        "emailFeatureOn": true
      },
      "snapshotDataViewRowsLimit": 500
    }
  8. Set up an HTTPS binding for the Default Web Site in IIS.
  9. In Supervisor 2.3 SR3, an IIS Rewrite rule was introduced that redirects all URLs to the canonical URL. The HTTPS configuration is probably not using the canonical URL, so this rule needs to be disabled.
    a) Go to the supervisor application in IIS and go to IIS Rewrite

    b) Disable the rule Redirect to canonical URL
  10. Clear your browser cache and go to https://supervisor.example.com/supervisor
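One way to check that the appsettings.Custom.json files agree with each other before the services are restarted: every URL in them is https and every HttpServer endpoint names the same certificate serial. This is an added example, not part of the original guide or the product; the configs are constructed in memory to mirror the files above, with one deliberate http leftover in the ReportEngine file.

```python
from urllib.parse import urlparse

SERIAL = "14f1eff1feea3740e982d36cdf244c0cffd2"  # serial number used in the page's examples

def https_endpoint(port, serial=SERIAL):
    """HttpServer section in the shape the page's appsettings.Custom.json files use."""
    return {"Endpoints": {"Https": {
        "Host": "supervisor.example.com", "Port": port, "Scheme": "https",
        "StoreName": "My", "StoreLocation": "LocalMachine", "CertificateSerialNumber": serial}}}

# Constructed stand-ins for the four files (service name -> parsed JSON); real files via json.load().
# ReportEngine deliberately still points at the Notification service over plain http.
CONFIGS = {
    "Notification": {"HttpServer": https_endpoint(9781)},
    "Resource": {"HttpServer": https_endpoint(9780)},
    "Scheduler": {"HttpServer": https_endpoint(9779)},
    "ReportEngine": {
        "NotificationSettings": {"NotificationServiceBaseUrl": "http://supervisor.example.com:9781"},
        "ResourceSettings": {"ResourceServiceBaseUrl": "https://supervisor.example.com:9780"},
        "SchedulerSettings": {"SchedulerServiceBaseUrl": "https://supervisor.example.com:9779"},
        "HttpServer": https_endpoint(9777),
    },
}

def iter_urls(obj, path=""):
    """Yield (json_path, value) for every string value that looks like a URL."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_urls(value, f"{path}/{key}")
    elif isinstance(obj, str) and "://" in obj:
        yield path, obj

def check_configs(configs):
    """Return a list of problems; an empty list means the set of files is consistent."""
    problems, serials = [], set()
    for name, cfg in configs.items():
        endpoint = cfg["HttpServer"]["Endpoints"]["Https"]
        serials.add(endpoint["CertificateSerialNumber"].lower())
        if endpoint["Scheme"] != "https":
            problems.append(f"{name}: HttpServer scheme is {endpoint['Scheme']!r}")
        for path, url in iter_urls(cfg):
            if urlparse(url).scheme != "https":
                problems.append(f"{name}{path}: {url} is not https")
    if len(serials) > 1:  # the page notes one certificate can serve every service
        problems.append(f"services reference different certificates: {sorted(serials)}")
    return problems

if __name__ == "__main__":
    for line in check_configs(CONFIGS) or ["all service configs consistent"]:
        print(line)
```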

Supervisor 2.0 to 2.2 SR1

Note: In Supervisor 2.0, 2.1 and 2.2, SSL can be configured automatically in the installer. If you would like to enable SSL after Supervisor is installed, use this guide to manually configure SSL. Alternatively, Supervisor can be uninstalled (reports and data will be retained) and re-installed using the built-in SSL setup.

Pre-Requisites

  • A valid SSL certificate has been issued and installed on the server and the appropriate bindings are configured in IIS.

Note: For existing customers prior to 2.8 SR1, the directories will be under Program Files\Virtualworks\ViaWorks instead of Program Files\ayfie\Locator.

Back end services

Change ports

Each endpoint must be updated to use the HTTPS port as follows. These changes are made in the overrides.config file of each respective service.

Service                  HTTP port   HTTPS port
Report engine service*   9877        9777
User service             9878        9778
Scheduler service        9879        9779
Resource service         9880        9780
Notification Service     9881        9781

*The protocol and port of the BaseUrl keys for the other services, and of the Report Snapshot Viewer, must also be changed in the Report Engine config file.

Examples

Report Engine Rest Service Config Override File

C:\Program Files\ayfie\Locator\ReportEngineService\Via.ReportEngine.RestServer.exe_overrides.config

Note: replace [server_name] in the ReportSnapshotViewerUrl value with the FQDN of the server

Report Engine Rest Service Config Overrides
<?xml version="1.0" encoding="UTF-8"?>
<diff>
<replace sel="/configuration/appSettings/add[@key='Server']" type="@value">https://+:9777</replace>
<replace sel="/configuration/appSettings/add[@key='UserServiceBaseUrl']" type="@value">https://localhost:9778/api/user/v1</replace>
<replace sel="/configuration/appSettings/add[@key='ResourceServiceBaseUrl']" type="@value">https://localhost:9780/api/resource/v1</replace>
<replace sel="/configuration/appSettings/add[@key='SchedulerServiceBaseUrl']" type="@value">https://localhost:9779/api/scheduler/v1</replace>
<replace sel="/configuration/appSettings/add[@key='NotificationServiceBaseUrl']" type="@value">https://localhost:9781/api/notification/v1</replace>
<replace sel="/configuration/appSettings/add[@key='ReportSnapshotViewerUrl']" type="@value">https://[server_name]/supervisor/viewer/{reportSnapshotId}</replace>
</diff>

User Service Config Override File

C:\Program Files\ayfie\Locator\UserService\Via.Infrastructure.Service.UserService.exe_overrides.config

User Service Config Override
<?xml version="1.0" encoding="UTF-8"?>
<diff>
<replace sel="/configuration/appSettings/add[@key='Server']" type="@value">https://+:9778</replace>
</diff>


Scheduler Service Config Override File

C:\Program Files\ayfie\Locator\SchedulerService\Via.Infrastructure.Service.SchedulerService.exe_overrides.config

Scheduler Service Config Override
<?xml version="1.0" encoding="UTF-8"?>
<diff>
<replace sel="/configuration/appSettings/add[@key='Server']" type="@value">https://+:9779</replace>
</diff>


Resource Service Config Override File

C:\Program Files\ayfie\Locator\ResourceService\Via.Infrastructure.Service.ResourceService.exe_overrides.config

Resource Service Config Override
<?xml version="1.0" encoding="UTF-8"?>
<diff>
<replace sel="/configuration/appSettings/add[@key='Server']" type="@value">https://+:9780</replace>
</diff>


Notification Service Config Override File

C:\Program Files\ayfie\Locator\NotificationService\Via.Infrastructure.Service.NotificationService.exe_overrides.config

Notification Service Config Override
<?xml version="1.0" encoding="UTF-8"?>
<diff>
<replace sel="/configuration/appSettings/add[@key='Server']" type="@value">https://+:9781</replace>
</diff>


Apply Config Overrides

  1. Open an elevated Command Prompt
  2. Navigate to the Locator\Tools directory
  3. For each endpoint, run the Via.SolrUpdate.exe APPLY command.
    1. The syntax is: Via.SolrUpdate.exe APPLY base_file override_file target_file
    2. Example: 

      Via.SolrUpdate.exe apply "C:\Program Files\ayfie\Locator\ReportEngineService\Via.ReportEngine.RestServer.exe_base.config" "C:\Program Files\ayfie\Locator\ReportEngineService\Via.ReportEngine.RestServer.exe_overrides.config" "C:\Program Files\ayfie\Locator\ReportEngineService\Via.ReportEngine.RestServer.exe.config"

  4. Repeat the SolrUpdate command for each endpoint, changing the paths and file names appropriately.
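The override format above can be applied with a few lines of Python, shown here as an added illustration of what the <replace sel="..." type="@value"> entries do to a base config (this is not Via.SolrUpdate.exe and makes no claim about how that tool works internally). The base config is a constructed stand-in carrying the HTTP values from the table; the helper at the end lists keys the override did not cover, which is how a forgotten http:// value is caught before the service is restarted.

```python
import xml.etree.ElementTree as ET

# Constructed base config shaped like a .NET appSettings file (not the product's real base file).
BASE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appSettings>
    <add key="Server" value="http://+:9877" />
    <add key="UserServiceBaseUrl" value="http://localhost:9878/api/user/v1" />
    <add key="ReportSnapshotViewerUrl" value="http://[server_name]/supervisor/viewer/{reportSnapshotId}" />
  </appSettings>
</configuration>"""

# Override file in the page's <diff>/<replace sel="..." type="@value"> format (two of the entries).
OVERRIDES = """<?xml version="1.0" encoding="UTF-8"?>
<diff>
<replace sel="/configuration/appSettings/add[@key='Server']" type="@value">https://+:9777</replace>
<replace sel="/configuration/appSettings/add[@key='UserServiceBaseUrl']" type="@value">https://localhost:9778/api/user/v1</replace>
</diff>"""

def apply_overrides(base_xml, diff_xml):
    """Apply every <replace> to the base document; returns (patched root, list of applied selectors)."""
    root, applied = ET.fromstring(base_xml), []
    for rep in ET.fromstring(diff_xml).findall("replace"):
        sel, target_type = rep.get("sel", ""), rep.get("type", "")
        if not target_type.startswith("@"):
            raise ValueError(f"only attribute replacement is handled here, got {target_type!r} for {sel}")
        prefix = f"/{root.tag}/"
        if not sel.startswith(prefix):
            raise ValueError(f"selector {sel} does not start at the document root /{root.tag}")
        # ElementTree only evaluates paths relative to an element, so strip the root step.
        target = root.find("./" + sel[len(prefix):])
        if target is None:
            raise LookupError(f"no element matches {sel}")  # a typo in a key would otherwise leave http
        target.set(target_type[1:], rep.text or "")
        applied.append(sel)
    return root, applied

def plain_http_keys(root):
    """appSettings keys whose value still uses http://, i.e. entries the override did not cover."""
    return [add.get("key") for add in root.iterfind("./appSettings/add")
            if (add.get("value") or "").startswith("http://")]

if __name__ == "__main__":
    patched, done = apply_overrides(BASE_CONFIG, OVERRIDES)
    print(f"applied {len(done)} replacements; still http: {plain_http_keys(patched)}")
```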

Add SSL binding for each endpoint

In IIS, open the SSL certificate properties and go to the Details tab. Copy the Thumbprint value. In the example below, replace the CERT_HASH value with the Thumbprint (remove the spaces between the hex pairs), then paste the code block into an elevated Command Prompt and run it.

Update: You also need to pay attention to the certificate store. It defaults to "MY", but Let's Encrypt certificates are installed in Computer → WebHosting. This can be seen with this command:

netsh http show sslcert

Here you can see that the certificate we're interested in resides in certstore "WebHosting".

SET CERT_HASH=C5211345EED22B07D23706E37E18C1D40D25465D
SET APP_ID={bfa7f0ce-bdd8-4dd9-866c-f944beae7f93}
SET CERT_STORE_NAME=MY

netsh http add sslcert ipport=0.0.0.0:9777 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9778 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9779 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9780 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
netsh http add sslcert ipport=0.0.0.0:9781 appid=%APP_ID% certhash=%CERT_HASH% certstorename=%CERT_STORE_NAME%
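After running the netsh commands, a quick way to confirm that each of the five ports is bound to the intended certificate in the intended store is to parse the output of netsh http show sslcert. This is an added example, not from the original page; the captured output below is constructed (same hash and App ID as above, with port 9781 showing the WebHosting case) and assumes netsh prints each field as "Name : value".

```python
import re

# Constructed excerpt of `netsh http show sslcert` output (two bindings, field names as netsh prints them).
NETSH_OUTPUT = """SSL Certificate bindings:

    IP:port                      : 0.0.0.0:9777
    Certificate Hash             : c5211345eed22b07d23706e37e18c1d40d25465d
    Application ID               : {bfa7f0ce-bdd8-4dd9-866c-f944beae7f93}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:9781
    Certificate Hash             : c5211345eed22b07d23706e37e18c1d40d25465d
    Application ID               : {bfa7f0ce-bdd8-4dd9-866c-f944beae7f93}
    Certificate Store Name       : WebHosting
"""

SUPERVISOR_PORTS = (9777, 9778, 9779, 9780, 9781)  # HTTPS ports of the five back end services

def parse_sslcert(text):
    """Return {port: {field: value}} for each binding block; a block starts at its IP:port line."""
    bindings, current = {}, None
    for line in text.splitlines():
        # Requiring whitespace on both sides of the colon keeps the colons inside
        # "IP:port" and "0.0.0.0:9777" from being taken as the field separator.
        match = re.match(r"^\s*(\S.*?)\s+:\s+(\S.*?)\s*$", line)
        if not match:
            continue
        field, value = match.groups()
        if field == "IP:port":
            current = {}
            bindings[int(value.rsplit(":", 1)[1])] = current
        elif current is not None:
            current[field] = value
    return bindings

def check_bindings(text, cert_hash, store_name, ports=SUPERVISOR_PORTS):
    """List missing bindings and bindings whose certificate or store differ from what was configured."""
    bindings, problems = parse_sslcert(text), []
    for port in ports:
        binding = bindings.get(port)
        if binding is None:
            problems.append(f"{port}: no SSL binding")
            continue
        if binding.get("Certificate Hash", "").lower() != cert_hash.lower():
            problems.append(f"{port}: bound to a different certificate")
        if binding.get("Certificate Store Name", "").lower() != store_name.lower():
            problems.append(f"{port}: store is {binding.get('Certificate Store Name')}, expected {store_name}")
    return problems
```

Call check_bindings with the same CERT_HASH and CERT_STORE_NAME values used in the netsh commands; a non-empty result means a port is missing or was bound against a different store than the certificate lives in.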


Restart the services

Restart the following Supervisor services:

  • Notification Service
  • User Service
  • Scheduler Service
  • Resource Service
  • Report Engine Service

Webclient App

On the UI side, there is a mechanism that detects the protocol from the browser and assembles the endpoint addresses using that protocol. So when you use the http://server_name/supervisor/ address, it prepares the endpoint addresses based on http; the same applies for https. The only restriction is that the endpoints and the page must use the same protocol. It is easy to enforce https everywhere if such a need arises.
