BROWSER BEWARE – Modern browsers to start assuming internal apps are insecure
As we all move into the modern, security-centered IT world, many changes are coming and many have already come to pass. Enforcement of HTTPS was cemented when Google changed Chrome to assume all internet sites were truly HTTPS compliant. Recent updates to Chromium, the "engine" behind both Chrome and Edge, are now applying that same tactic to all web traffic. This impacts end-user connections to internal web applications (Aderant Expert) as well as server-to-server web connections.
AUTHOR(S):
Chris Mills
COO
Olivia Plunkett
Technical Consultant
This article is part of THE FOLLOWING SERIES:
Security

INTRODUCTION

With expanding connectivity and dependence on online resources, modern approaches to encrypting and protecting data have become increasingly important. Most of us are now aware that nearly all website visits are forced to use HTTPS, whereas a few years ago that was still a rarity. Recent browser (Chrome, Edge) "engine" (Chromium open-source browser engine) updates have begun sending what would otherwise be unencrypted HTTP traffic as encrypted HTTPS traffic automatically. This extends the redirect, previously applied only to internet-bound traffic, to all traffic. The redirect is a client-side URL rewrite implemented via HTTP Strict Transport Security (HSTS). Once your browser is updated, any web resource in the HSTS cache list will be requested via HTTPS rather than HTTP.

For Aderant Expert clients, this means that if the framework application servers are not configured to listen/respond using HTTPS, services will no longer function after this update. This results in an outage of all Expert Framework applications using those services. Further, this same sequence of events can impact other web services related to Expert including SSRS and Spotlight.


CONSIDERATIONS

     - Load balanced setups are firm-unique and may require additional steps

     - Classic Aderant Expert applications are unaffected because they do not use services framework

SYMPTOMS AND IMPACT

     - Connections to Expert Framework applications will fail

     - Automated system processes or integrations may fail

     - Integrated SSRS reports may fail

DETECTION

     - Fiddler or Wireshark logs can be collected to verify that HTTPS traffic is sent to the server but a valid response is not received

     - Also in these logs, look for incomplete responses that cannot be parsed by the web client

     - Server-side event viewer logs will start logging numerous errors indicating that no endpoints were listening for traffic coming in on port 443
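
Before collecting Fiddler or Wireshark traces, it is often quicker to probe each server the way an upgraded browser will. The script below is an added example, not Aderant's code or part of the original article: from any workstation it checks whether the server is listening on 443 at all (the third symptom above), then completes a TLS handshake and reports why a browser would reject the certificate it receives (expired, self-signed, wrong host name, untrusted chain). The host names are placeholders; replace them with your Expert, SSRS and Spotlight servers.

```powershell
# Added example (not from the article): probe application servers over TCP 443 + TLS
# and report what a browser would see. Host names below are placeholders.
$Servers = @('expert-app01.corp.example', 'ssrs01.corp.example')   # constructed placeholders
$Port    = 443

function Test-HttpsEndpoint {
    param([string] $ComputerName, [int] $Port = 443)

    $r = [ordered]@{
        Server = $ComputerName; TcpListening = $false; TlsHandshake = $false
        Subject = $null; Expires = $null; SelfSigned = $null; NameMatches = $null; Problem = $null
    }

    # Symptom "no endpoints listening on 443": nothing accepts the TCP connection.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $r.TcpListening = [bool] $tcp.TcpTestSucceeded
    if (-not $r.TcpListening) {
        $r.Problem = "No listener on port $Port; the server needs an HTTPS binding"
        return [pscustomobject] $r
    }

    # Symptom "HTTPS is sent but no valid response comes back": complete the handshake
    # ourselves and keep whatever certificate is offered, even a bad one, so the
    # report can explain why a real client would refuse it.
    $client = $null; $ssl = $null
    try {
        $client    = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl       = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $r.TlsHandshake = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject    = $cert.Subject
        $r.Expires    = $cert.NotAfter
        $r.SelfSigned = ($cert.Subject -eq $cert.Issuer)
        $dnsName      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $r.NameMatches = ($dnsName -eq $ComputerName) -or ($cert.DnsNameList.Unicode -contains $ComputerName)

        if ($cert.NotAfter -lt (Get-Date)) { $r.Problem = 'Certificate is expired' }
        elseif ($r.SelfSigned)             { $r.Problem = 'Self-signed certificate; other machines will not trust it' }
        elseif (-not $r.NameMatches)       { $r.Problem = "Certificate is issued for '$dnsName', not '$ComputerName'" }
        elseif (-not $cert.Verify())       { $r.Problem = 'Certificate chain does not validate on this client' }
    }
    catch {
        # A listener on 443 that does not speak TLS fails here; to a web client that
        # is the "incomplete response that cannot be parsed" symptom.
        $r.Problem = "TLS handshake failed: $($_.Exception.Message)"
    }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    return [pscustomobject] $r
}

$Servers | ForEach-Object { Test-HttpsEndpoint -ComputerName $_ -Port $Port } | Format-List
```

A row with TcpListening false points at a missing binding (the IIS section below); a row with a Problem about the certificate points at the import section. On the server itself, `netsh http show sslcert ipport=0.0.0.0:443` shows whether HTTP.sys has any certificate bound to port 443, which is the same fact the event log errors are reporting.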

SOLUTION

To comply with modern security, servers should be compliant with HTTPS standards, which includes signing web bindings with a valid SSL certificate. This requires that you update the configuration on several servers including database and web/app servers in addition to configuring any networking appliances between those servers and client machines (e.g., load balancers). Please see the sections below for guidance when configuring your environment with appropriate SSL bindings.

      - HOW TO CONFIGURE HTTPS ON AN EXPERT FRAMEWORK APPLICATION SERVER - To confirm and configure HTTPS on Aderant Expert framework application servers

      - HOW TO IMPORT CERTIFICATES INTO IIS - To import certificate files onto application servers, including Aderant Expert framework application servers

      - HOW TO CONFIGURE HTTPS FOR SECURE ACCESS TO REPORTS VIA SSRS - To confirm and configure HTTPS on your SQL Server Reporting Services servers


HOW TO CONFIGURE HTTPS ON AN EXPERT FRAMEWORK APPLICATION SERVER

To ensure your binding is configured correctly for application servers using IIS as a web host, follow the steps below:

     1.      Open IIS Manager on an Aderant Expert Application Server (Start menu, Run, "inetmgr")

IIS Manager - Main window

     2.      Select the web site host for your application services, in this case the "Default Website" under the Server > Sites node

     3.      Click on the "Bindings..." option under Actions on the right of your window

IIS Manager - Bindings

     4.      Verify that you see an HTTPS entry. This confirms that an https binding on 443 is enabled

Site Bindings - Bindings list

             a.      If there is an HTTPS entry

                      i.     Confirm that the binding is using a valid SSL certificate by selecting the HTTPS item and clicking on the "Edit" button

                      ii.     On the Edit Site Binding screen, ensure an SSL certificate is selected and click "View..."

Edit Site Bindings

                      iii.    Ensure the certificate attached is valid, non-expired, and not a self-signed certificate

                                   1)     If your certificate is not valid, choose a valid certificate from the dropdown

                                   2)     If there are no valid certificates listed, see the "HOW TO IMPORT CERTIFICATES INTO IIS" section to import your company's certificates.

             b.     If there is no HTTPS entry

                      i. Click on the "Add..." button

                      ii. On the Edit Bindings Screen, enter the following and click "OK"

                               - Type = HTTPS

                               - Port = 443

                               - IP Address = use the value from your HTTP entry (either "*" or a specific IP address)

                               - SSL Certificate = choose a valid certificate from the drop-down

                                  Note. If there are no valid certificates listed, see the "HOW TO IMPORT CERTIFICATES INTO IIS" section to import your company's certificates.

     5.      Open a PowerShell or Command Prompt in Administrator mode, type "IISRESET"(no quotes), and hit Enter

      NOTE. If the certificate used is a local, self-signed certificate, it will NOT be trusted by another machine, even one on the same LAN, because such a setup is intended for non-production, single-server scenarios.

HOW TO IMPORT CERTIFICATES INTO IIS

For a test or production server that accepts traffic from other machines, you would need to associate the binding with your company's appropriate SSL certificate. To do that, follow the steps below:

      1.      Open IIS Manager on the Application Server (Start menu, Run, "inetmgr")

      2.      Select the server node in the navigation area on the left

      3.      Double-click the Server Certificates item in the central pane

IIS Manager - Server settings list

      4.      Click the Import option in the right-hand menu

              This will present the Certificate Import Wizard that allows you to import the certificate.

              NOTE. It is considered best practice to NOT allow certificate exporting on a non-certificate store server, so our recommendation would be to uncheck the “Allow certificate to be exported” box when prompted.

Certificate Import Wizard

      5.      Follow the Certificate Import Wizard until successful completion, selecting your certificate file, and providing other details as required

      6.      Open PowerShell as an administrator and issue the command “iisreset” to ensure that incoming traffic is handled appropriately

      7.      Return to your IIS bindings settings from the section "HOW TO CONFIGURE HTTPS ON AN EXPERT FRAMEWORK APPLICATION SERVER" to select your newly imported certificate for use in the HTTPS binding (Step 4 a iii 1)

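
The two IIS procedures above (configuring the binding and importing the certificate) can be done from an elevated PowerShell prompt on the application server. The script below is an added example written for this article, not Aderant's or Microsoft's own tooling. It assumes the WebAdministration and PKI modules are present (they ship with the IIS management tools and Windows Server), and the site name and PFX path are placeholders for your own values. The import step is the same for the SSRS server's Personal store in the section that follows.

```powershell
# Added example (not from the article): import the company certificate without
# marking it exportable, verify it, add/refresh the HTTPS binding on 443 and restart IIS.
#Requires -RunAsAdministrator
Import-Module WebAdministration   # Get-WebBinding / New-WebBinding
Import-Module PKI                 # Import-PfxCertificate

$SiteName    = 'Default Web Site'            # assumed: the site hosting the Expert services (step 2)
$PfxPath     = 'C:\certs\expert-app01.pfx'   # placeholder path to your company's certificate file
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

function Test-ServerCertificate {
    # Mirrors step 4.a.iii: has a private key, is within its validity period,
    # is not self-signed, and chains to a root this machine trusts.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $now = Get-Date
    if (-not $Cert.HasPrivateKey)                              { return $false }
    if ($Cert.NotAfter -lt $now -or $Cert.NotBefore -gt $now) { return $false }
    if ($Cert.Subject -eq $Cert.Issuer)                        { return $false }   # self-signed
    return $Cert.Verify()
}

# 1. Import into the computer's Personal store. Leaving out -Exportable keeps the
#    private key non-exportable, which is the article's recommendation.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

if (-not (Test-ServerCertificate $imported)) {
    throw "Certificate $($imported.Thumbprint) is expired, self-signed or untrusted; obtain a valid certificate first"
}

# 2. Reuse the IP address of the existing HTTP binding (step 4.b.ii), defaulting to "*".
$httpBinding = Get-WebBinding -Name $SiteName -Protocol http | Select-Object -First 1
$ip = if ($httpBinding) { ($httpBinding.bindingInformation -split ':')[0] } else { '*' }

# 3. Create the HTTPS binding on 443 if there is none (step 4.b).
$httpsBinding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $httpsBinding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress $ip
    $httpsBinding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
}

# 4. Attach the certificate to the binding, the equivalent of picking it in the
#    Edit Site Binding dialog (step 4.a.iii.1). 'my' is the LocalMachine\My store.
$httpsBinding.AddSslCertificate($imported.Thumbprint, 'my')

# 5. Restart IIS so the binding is served (step 5).
iisreset

# 6. Show the result: the site's bindings and what HTTP.sys now has bound to 443.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation -AutoSize
$ipport = ($ip -replace '^\*$', '0.0.0.0') + ':443'
netsh http show sslcert ipport=$ipport
```

The `throw` before any binding change is deliberate: attaching an expired or self-signed certificate leaves the server listening on 443 while every browser still refuses the connection, which is harder to diagnose than no binding at all.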


HOW TO CONFIGURE HTTPS FOR SECURE ACCESS TO REPORTS VIA SSRS


From the SSRS Server desktop

     1.      Click the Start menu and search for “Manage Computer Certificates” to launch the certlm.msc MMC snap-in

     2.      Right-click on the “Personal” node (as of this writing, this is the location required by Microsoft) and choose “All Tasks -> Import” from the menu.

              This will present the Certificate Import Wizard that allows you to import the certificate.

              NOTE. It is considered best practice to NOT allow certificate exporting on a non-certificate store server, so our recommendation would be to uncheck the “Allow certificate to be exported” box when prompted.

     3.      Follow the Certificate Import Wizard until successful completion, selecting your certificate file, and providing other details as required

     4.      Open the Report Server Configuration Manager application and connect to your SSRS server.

     5.      Stop and start the SSRS service

     6.      Navigate to the Web Service URL item in the Report Server Configuration Manager and associate your certificate with port 443 for HTTPS by selecting it from the HTTPS Certificate dropdown

     7.       Navigate to the Web Portal URL page and click the “Advanced” button

     8.      Click “Add” under HTTPS Identities and associate the appropriate certificate with port 443.

CONCLUSION

With the ever-increasing connectedness and dependencies of modern business applications, small, seemingly innocuous updates may result in complete system outages. In this article you learned about the impact of new browser security measures on your business application infrastructure. Specifically, you learned about the impact of forcing all client web traffic to adhere to HTTPS, the reasons it breaks application access, and steps to resolve these issues on various server types.
