With expanding connectivity and dependence on online resources, modern approaches to encrypting and protecting data have become increasingly important. In fact, most of us are now aware that nearly all website visits are forced to use HTTPS, whereas a few years ago that was still a rarity. Recent updates to the Chromium open-source browser engine (used by Chrome and Edge) have begun the process of automatically sending what would otherwise be unencrypted HTTP traffic as encrypted HTTPS traffic. This extends the previously internet-bound redirect to all traffic. This process happens through a client-side URL rewrite implemented via HTTP Strict Transport Security (HSTS). Once your browser is updated, any web resource in the HSTS cache list will be requested via HTTPS rather than HTTP.
For Aderant Expert clients, this means that if the framework application servers are not configured to listen/respond using HTTPS, services will no longer function after this update. This results in an outage of all Expert Framework applications using those services. Further, this same sequence of events can impact other web services related to Expert including SSRS and Spotlight.
- Load balanced setups are firm-unique and may require additional steps
- Classic Aderant Expert applications are unaffected because they do not use services framework
- Connections to Expert Framework applications will fail
- Automated system processes or integrations may fail
- Integrated SSRS reports may fail
- Fiddler or Wireshark logs can be collected to verify that HTTPS traffic is sent to the server but a valid response is not received
- Also in these logs, look for incomplete responses that cannot be parsed by the web client
- Server-side event viewer logs will start logging numerous errors indicating that no endpoints were listening for traffic coming in on port 443
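The check below is an added example, not part of the original article or of Aderant's tooling. Run from a client machine, it separates the two failure modes described above: nothing listening on port 443, versus a listener that presents a certificate the client does not trust. The host name is a placeholder and the function name is hypothetical.

```powershell
param(
    [string]$ServerName = 'expertapp.example.internal',  # placeholder: your application server
    [int]$Port = 443
)

function Test-HttpsListener {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $report = [ordered]@{ Host = $HostName; Port = $Port; Listening = $false; TlsHandshake = $false
                          CertSubject = $null; CertNotAfter = $null; PolicyErrors = $null }
    $script:policyErrors = $null
    # Record how Windows judges the certificate, but accept it so it can be inspected.
    # No application data is sent over this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)          # throws if nothing listens on the port
        $report.Listening = $true
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)    # throws if the handshake cannot complete
        $report.TlsHandshake = $true
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.CertSubject  = $remote.Subject
        $report.CertNotAfter = $remote.NotAfter
        # 'None' means the chain is trusted and the name matches the host
        $report.PolicyErrors = "$script:policyErrors"
        $ssl.Dispose()
    } catch {
        $report.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$report
}

Test-HttpsListener -HostName $ServerName -Port $Port | Format-List
```

`Listening = False` points to a missing HTTPS binding or a blocked port; `PolicyErrors` other than `None` points to the certificate selected in the binding.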
To comply with modern security, servers should be compliant with HTTPS standards, which includes signing web bindings with a valid SSL certificate. This requires that you update the configuration on several servers including database and web/app servers in addition to configuring any networking appliances between those servers and client machines (e.g., load balancers). Please see the sections below for guidance when configuring your environment with appropriate SSL bindings.
- HOW TO CONFIGURE HTTPS ON AN EXPERT FRAMEWORK APPLICATION SERVER - To confirm and configure HTTPS on Aderant Expert framework application servers
- HOW TO IMPORT CERTIFICATES INTO IIS - To import certificate files onto application servers, including Aderant Expert framework application servers
- HOW TO CONFIGURE HTTPS FOR SECURE ACCESS TO REPORTS VIA SSRS - To confirm and configure HTTPS on your SQL Server Reporting Services servers
To ensure your binding is configured correctly for application servers using IIS as a web host, follow the steps below:
1. Open IIS Manager on an Aderant Expert Application Server (Start menu, Run, "inetmgr")
2. Select the web site host for your application services, in this case the "Default Website" under the Server > Sites node
3. Click on the "Bindings..." option under Actions on the right of your window
4. Verify that you see an HTTPS entry. This confirms that an HTTPS binding on port 443 is enabled
a. If there is an HTTPS entry
i. Confirm that the binding is using a valid SSL certificate by selecting the HTTPS item and clicking on the "Edit" button
ii. On the Edit Site Binding screen, ensure an SSL certificate is selected and click "View..."
iii. Ensure the certificate attached is valid, non-expired, and not a self-signed certificate
1) If your certificate is not valid, choose a valid certificate from the dropdown
2) If there are no valid certificates listed, see the "HOW TO IMPORT CERTIFICATES INTO IIS" section to import your company's certificates.
b. If there is no HTTPS entry
i. Click on the "Add..." button
ii. On the Edit Bindings Screen, enter the following and click "OK"
- Type = HTTPS
- Port = 443
- IP Address = use the value from your HTTP entry (either "*" or a specific IP address)
- SSL Certificate = choose a valid certificate from the drop-down
Note. If there are no valid certificates listed, see the "HOW TO IMPORT CERTIFICATES INTO IIS" section to import your company's certificates.
5. Open a PowerShell or Command Prompt in Administrator mode, type "IISRESET" (no quotes), and hit Enter
NOTE. If the certificate used is a local, self-signed certificate, it will NOT be trusted by another machine, even on the same LAN. That setup is intended for non-production, single-server scenarios.
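The script below is an added example, not part of the original article or of Aderant's tooling. It performs the checks from step 4 without the IIS Manager UI: it confirms that an HTTPS binding exists and that the bound certificate is present, within its validity period, not self-signed, and passes chain validation. The site name default and the function name are assumptions; run it in an elevated PowerShell session on the application server.

```powershell
param(
    [string]$SiteName = 'Default Web Site'   # assumption: change to the site hosting your services
)

Import-Module WebAdministration

function Test-SiteHttpsBinding {
    param([Parameter(Mandatory)][string]$Name)

    $bindings = @(Get-WebBinding -Name $Name -Protocol 'https')
    if ($bindings.Count -eq 0) {
        return [pscustomobject]@{ Site = $Name; Binding = $null; Status = 'NoHttpsBinding' }
    }

    foreach ($b in $bindings) {
        $problems = @()
        $cert = $null
        if ([string]::IsNullOrEmpty($b.certificateHash)) {
            $problems += 'NoCertificateSelected'
        } else {
            # The binding stores the thumbprint and the LocalMachine store name
            $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
            $cert  = Get-ChildItem "Cert:\LocalMachine\$store" |
                     Where-Object Thumbprint -eq $b.certificateHash |
                     Select-Object -First 1
            if (-not $cert) { $problems += 'CertificateNotInStore' }
        }
        if ($cert) {
            $now = Get-Date
            if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'OutsideValidityPeriod' }
            if ($cert.Subject -eq $cert.Issuer) { $problems += 'SelfSigned' }
            if (-not $cert.HasPrivateKey)       { $problems += 'NoPrivateKey' }
            # Basic chain validation as seen from this server
            if (-not $cert.Verify())            { $problems += 'ChainValidationFailed' }
        }
        [pscustomobject]@{
            Site     = $Name
            Binding  = $b.bindingInformation
            Subject  = if ($cert) { $cert.Subject } else { $null }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Status   = if ($problems) { $problems -join ',' } else { 'OK' }
        }
    }
}

Test-SiteHttpsBinding -Name $SiteName | Format-List
```

A `Status` of `OK` only reflects trust as evaluated on the server itself; client machines must also trust the issuing CA.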
For a test or production server that accepts traffic from other machines, you would need to associate the binding with your company's appropriate SSL certificate. To do that, follow the steps below:
1. Open IIS Manager on the Application Server (Start menu, Run, "inetmgr")
2. Select the server node in the navigation area on the left
3. Double-click the Server Certificates item from the central menu
4. Click the Import option in the right-hand menu
This will present the Certificate Import Wizard that allows you to import the certificate.
NOTE. It is considered best practice to NOT allow certificate exporting on a non-certificate store server, so our recommendation would be to uncheck the “Allow certificate to be exported” box when prompted.
5. Follow the Certificate Import Wizard until successful completion, selecting your certificate file, and providing other details as required
6. Open PowerShell as an administrator and issue the command “iisreset” to ensure that incoming traffic is handled appropriately
7. Return to your IIS bindings settings from the section "CONFIRM OR CONFIGURE HTTPS ON AN EXPERT FRAMEWORK APPLICATION SERVER" to select your newly imported certificates for use in the HTTPS binding (Step 4 a iii 1)
From the SSRS Server desktop
1. Click the Start menu and search for “Manage Computer Certificates” to launch the certlm MMC snap-in
2. Right-click on the “Personal” node (as of this writing, this is the location required by Microsoft) and choose “All Tasks -> Import” from the menu.
This will present the Certificate Import Wizard that allows you to import the certificate.
NOTE. It is considered best practice to NOT allow certificate exporting on a non-certificate store server, so our recommendation would be to uncheck the “Allow certificate to be exported” box when prompted.
3. Follow the Certificate Import Wizard until successful completion, selecting your certificate file, and providing other details as required
4. Open the Report Server Configuration Manager application and connect to your SSRS server.
5. Stop and then start the SSRS service
6. Navigate to the Web Service URL item in the Report Server Configuration Manager and associate your certificate with port 443 for HTTPS by selecting it from the HTTPS Certificate dropdown
7. Navigate to the Web Portal URL page and click the “Advanced” button
8. Click “Add” under HTTPS Identities and associate the appropriate certificate with port 443
With the ever-increasing connectedness and dependencies of modern business applications, small, seemingly innocuous updates may result in complete system outages. In this article you learned about the impact of new browser security measures on your business application infrastructure. Specifically, you learned about the impact of forcing all client web traffic to adhere to HTTPS, the reasons it breaks application access, and steps to resolve these issues on various server types.