-
Notifications
You must be signed in to change notification settings - Fork 52
Secure openHistorian Web Interface adding https
To add transport layer security (TLS/SSL) to the self-hosted openHistorian web interface on a Windows platform, follow these steps:
- Create self-signed or obtain an SSL certificate
Note that certificate must be installed to Local Computer / Personal / Certificates in order for it to be associated with self-hosted web port.
- Copy the "thumbprint" from the certificate details with no spaces - this will become
certhashparameter replacingYOUR_CERT_HASHin commands below. - Open an administrator command prompt and run the following commands:
netsh http add sslcert ipport=[::0]:8181 appid="{F65126E5-E27A-49DF-8188-1CDE74FE15F3}" certhash=YOUR_CERT_HASH
netsh http add sslcert ipport=0.0.0.0:8181 appid="{F65126E5-E27A-49DF-8188-1CDE74FE15F3}" certhash=YOUR_CERT_HASH
netsh http add urlacl url=https://+:8181/ user=Everyone
Port
8181is selected as the secure port for SSL binding here since port8180is preconfigured for non-SSL bindings, i.e.,http, by default during installation. You will need to delete the existing urlacl bindings for8080if you want to continue to use this port, see removing ssl section below. Currently the self-hosted web service only listens on one port, so its usage will be SSL or not.
The
appIDparameter came from the[assembly: Guid("value")]fromAssemblyInfo.csin theopenHistorianservice.
- Make sure
openHistorianservice is not running and update the following setting in theopenHistorian.exe.configfile:
<add name="WebHostURL" value="https://+:8181" description="The web hosting URL for remote system management." encrypted="false" />
Note that you can also run the
XML Configuration Editorfor the openHistorian to make this change. Using this tool, navigate to thesystemSettingssection and find the key calledWebHostURLchanging the value fromhttp://+:8180tohttps://+:8181. ClickingSave Settingswill stop the openHistorian service, save the configuration change and automatically restart the openHistorian.
- Make sure when navigating to openHistorian to use new port and specify
https:
https://localhost:8181/
- Open an administrator command prompt and run the following commands:
netsh http delete sslcert ipport=[::0]:8181
netsh http delete sslcert ipport=0.0.0.0:8181
netsh http delete urlacl url=https://+:8181/
- Ensuring
openHistorianservice is not running, update the following setting in theopenHistorian.exe.configfile:
<add name="WebHostURL" value="http://+:8180" description="The web hosting URL for remote system management." encrypted="false" />
For a Mono hosted instance running on other platforms:
Instructions are similar but instead use the httpcfg tool:
http://manpages.ubuntu.com/manpages/xenial/man1/httpcfg.1.html
- Run
Windows PowerShellas an Administrator - Run the following PowerShell command:
New-SelfSignedCertificate -FriendlyName "openHistorian Self-Signed Certificate" -DnsName openHistorianSSL, localhost -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(3)
Note that the
-NotAfter (Get-Date).AddYears(3)parameter at the end of the command says the certificate will expire in three years.
- Run `mmc.exe'
- Press
Ctrl+M(or selectFile > Add/Remove Snap-in...) - Select
Certificatesand clickAdd - Select
Computer accountand click `Next >' - Select
Local computer: (the computer the console is running on)and clickFinish, then clickOK - Navigate to the
Console Root / Certificates (Local Computer) / Personal / Certificatesfolder - Right-click on
openHistorianSSLcertificate and selectCopy - Navigate to the
Console Root / Certificates (Local Computer) / Trusted Root Certification Authorities / Certificatesfolder - Right-click on the
Certificatessub-folder ofTrusted Root Certification Authoritiesin the tree and selectPaste - The
openHistorianSSLcertificate should now be in theTrusted Root Certification Authorities / Certificatesfolder and now trusted by the local system