2 Configuring SSL/TLS (HTTPS)
Standard SSL/TLS (one-way SSL/TLS) provides privacy but not authentication of the connecting client. This means that it stops an adversary on the network from examining network traffic between the client and the server.
SSL must be configured and ‘required’ for all websites and web services associated with MyID (that is, clients must be forced to connect with HTTPS and should be unable to connect with HTTP).
To configure SSL/TLS:
- Enroll a server certificate.
  - In IIS Manager, at the web server level, select Server Certificates.
  - This opens a window that allows enrollment of the server certificates that represent the identity of the web server.
- Bind the certificate to the website.
- Configure the websites and web services to require SSL/TLS.
Note: A PowerShell script is supplied to enable SSL/TLS for the web services. See the Configuring MyID for 2-way SSL/TLS section in the Installation and Configuration Guide.
At this point the web server has been SSL/TLS enabled – clients can choose to connect with HTTPS, although they may still connect with HTTP. To protect clients from accidentally connecting using HTTP (and therefore not getting the benefit of the privacy that HTTPS provides), we must set IIS to require SSL.
This can be done individually for each virtual directory – but it is more efficient to require SSL for the entire website.
Note: If the MyID web server is hosting other applications that do not support SSL/TLS, it may not be possible to enforce SSL/TLS for the entire web server, and you may need to set it for each virtual directory.
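The following PowerShell script is an added example (it is not the script supplied with MyID, nor part of this guide) that carries out the binding and "require SSL" steps above from the command line. The site name, host name, certificate thumbprint and virtual directory name are placeholders for your own values; it must be run in an elevated PowerShell session on the web server.

```powershell
# Added example (not the MyID-supplied script): bind the enrolled server certificate
# to the IIS website and require SSL/TLS, for the whole site or per virtual directory.
# Placeholders (assumed): site name, host name, certificate thumbprint, virtual directory.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$hostName   = 'myid.example.com'   # must appear as a DNS name in the certificate's SAN
$thumbprint = '<THUMBPRINT>'       # thumbprint of the enrolled server certificate
$vdirName   = 'MyIDWebService'     # virtual directory used when per-directory enforcement is needed

# Step 2: bind the certificate to the website on HTTPS/443.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in Cert:\LocalMachine\My" }

if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    # SslFlags 1 = use Server Name Indication for this host header
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($thumbprint, 'My')

# Step 3 (preferred): require SSL for the entire website.
# Equivalent to IIS Manager > site > SSL Settings > "Require SSL".
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Step 3 (alternative): if other applications on this server cannot use SSL/TLS,
# leave the site alone and require SSL only for the MyID virtual directory.
# Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$siteName/$vdirName" `
#     -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Verify the effective setting; plain HTTP requests now receive 403.4 (SSL required).
$flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
"sslFlags for '$siteName': $flags"
```

Setting `sslFlags` to `Ssl` enforces one-way SSL/TLS only; the two-way (client certificate) configuration is covered by the Configuring MyID for 2-way SSL/TLS section referenced above.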
Since the web server certificate will expire, it is important to put a plan in place for renewing or replacing this certificate before it expires to ensure continuity of service.
Ensure that all clients use HTTPS (rather than HTTP) to connect to the MyID website and web services, since connecting through HTTP will no longer work.
For WCF web services, review the Web.config as described in section 5, Additional configuration for WCF web services.
Note: The web server must be able to make HTTPS requests to its own domain (the domain part of the URL must resolve and be consistent with the value in the TLS web certificate). If your network setup prevents this, you can use the hosts file on the web server to map that domain to the IP address of the web server.
Some browsers may behave in different ways; it is important to check that multiple browsers work with your network setup if you are using the MyID Operator Client. For example, Google Chrome requires the TLS certificate to have a Subject Alternative Name (subjectAltName) extension containing the DNSName of the server – it refuses to communicate using TLS unless the TLS certificate is configured in this way.
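The checks called for in this section (certificate expiry planning, a subjectAltName DNSName matching the server, the server reaching its own HTTPS URL, and HTTP being refused once SSL is required) can be run as a pre-flight script. The script below is an added example, not part of the MyID guide; the host name, thumbprint and renewal warning window are assumed placeholder values.

```powershell
# Added example (not from the MyID guide): pre-flight checks for the web server certificate.
# Placeholders (assumed): host name, certificate thumbprint, days-before-expiry warning window.
$hostName   = 'myid.example.com'
$thumbprint = '<THUMBPRINT>'
$warnDays   = 30

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"

# 1. Expiry: the certificate will expire, so flag it well before NotAfter.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    Write-Warning "Certificate expired on $($cert.NotAfter); service continuity is already broken"
} elseif ($daysLeft -lt $warnDays) {
    Write-Warning "Certificate expires in $daysLeft days; renew or replace it now"
} else {
    "Certificate valid for another $daysLeft days"
}

# 2. subjectAltName: Chrome requires a DNSName entry matching the server name.
#    OID 2.5.29.17 is the Subject Alternative Name extension; Windows formats it as "DNS Name=host".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sanText -notmatch "DNS Name=$([regex]::Escape($hostName))(,|$)") {
    Write-Warning "No subjectAltName DNSName for '$hostName' (SAN: '$sanText'); Chrome will refuse TLS"
} else {
    "subjectAltName contains DNS Name=$hostName"
}

# 3. Name resolution: the server must resolve its own domain; otherwise add a hosts file entry
#    (C:\Windows\System32\drivers\etc\hosts) mapping the name to this server's IP address.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }
    "$hostName resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "$hostName does not resolve from this server; consider a hosts file entry"
}

# 4. Self-request over HTTPS: the web server must be able to call its own services.
try {
    $resp = Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing -TimeoutSec 10
    "HTTPS self-request succeeded (HTTP $($resp.StatusCode))"
} catch {
    Write-Warning "HTTPS self-request failed: $($_.Exception.Message)"
}

# 5. Plain HTTP must be refused once Require SSL is set (IIS answers 403.4, which raises here).
try {
    Invoke-WebRequest -Uri "http://$hostName/" -UseBasicParsing -TimeoutSec 10 | Out-Null
    Write-Warning "Plain HTTP still answered; Require SSL is not enforced for this URL"
} catch {
    "Plain HTTP refused as expected: $($_.Exception.Message)"
}
```

Check 5 only proves enforcement for the URL it requests; if SSL is required per virtual directory rather than for the whole site, repeat it against each MyID virtual directory.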