Web Site Settings
To configure IIS Web site settings, provide the following:
|Application Engine Web site||
Select an IIS Web site in the drop-down list. The Default Web Site is selected by default. After you select a Web site and click Apply, SBM Configurator performs the following tasks:
|Web site HTTP port||Define the HTTP port for the Web site that you selected. This updates the Web site in IIS with a new binding, which means you do not have to open IIS to change the Web site's port value.|
|Web site HTTPS port||Define the HTTPS port for the Web site that you selected. This updates the Web site in IIS with a new binding, which means you do not have to open IIS to change the Web site's port value.|
|Maximum request content length (MB)||Specify the maximum size for incoming
requests that can be processed by IIS. This setting limits the size of requests
that are processed by IIS. If you receive a "Transport error: 404 Error–Not
found" or a "404.13 error" when you deploy a large process app, increase the
maximum size. The default value is 500 MB.
Note: In IIS 7.5, the documented setting of zero (or unlimited) is not recognized. Additionally, you might need to install the Administration Pack for IIS located here in order to view Request Filtering settings in IIS Manager.
You can configure SSL in IIS by generating a new certificate from a well-known certificate authority (CA) or a self-signed certificate generated by your own CA. You can also manage the current SSL configuration by removing or selecting existing SSL certificates.
Before you can configure SSL for IIS, you must specify an HTTPS port in the Web site HTTPS port field.
The IIS Server tab only appears when you run SBM Configurator on the SBM Application Engine server. If you want to secure end-user connections to IIS in a distributed server environment, you must configure SSL settings on the SBM Application Engine server. Additionally, if you choose to enable SSO, you can secure connections from the browser into the SSO Security Server by selecting Use HTTPS for SSO login on the Security tab. For details, refer to Securing SSO.
To configure SSL, use the following options:
- Generate Sample Certificate
Creates a new SSL certificate that is based on a sample CA certificate installed with SBM. For example, if you have not yet purchased a certificate from a well-known certificate authority (CA), select this option to temporarily secure IIS with a sample certificate.
- You must confirm that you want to add the SBM sample CA certificate to the Windows truststore (if is not detected there already). This operation deploys the sample CA certificate to the local Windows truststore (which creates a trust for any certificates that are henceforth generated by this CA certificate).
- Once you click Yes, SBM Configurator creates a new SSL certificate (using the sample CA certificate that you just deployed), and imports the new certificate into IIS, which associates it with selected Web site. The newly-generated certificate's common name is generated using the server's host name. You can view the certificate details in SBM Configurator or in the Web site properties in IIS.
- After the certificate is created, you can export the public key and import it into a third party keystore to establish a trust. To export the certificate, click View more details, select the Details tab, and click Copy to File. Complete the export wizard that appears to generate a DER-encoded certificate.
- Import New Certificate
Imports a well-known or self-signed certificate (in PEM format, which is a base64-encoded DER). For example, if you have purchased a certificate from a well-known CA, select this option to have SBM Configurator import the certificate for you. This operation adds the new certificate to the Windows keystore, imports the certificate into IIS, and associates the certificate with the Web site that is selected in the Web site drop-down list.
- SBM does not support using certificates that contain wildcards.
- If you configure your server for Smart Card authentication, there are restrictions when configuring SSL. Specifically, if you replace the server SSL certificate with a self-signed server certificate, you must create the self-signed certificate using the RSA algorithm. The SSL handshake fails when using a self-signed DSA certificate in earlier FireFox browsers. This is not an issue for Internet Explorer browsers.
- Export Current Certificate
Launches the Export dialog box, from which you can: export the certificate and optionally the private key; export the entire certificate chain plus the certificate; export just the chain without the certificate. Note that the certificate path options are disabled if you are using a self-signed certificate.
- Select Existing Certificate
Selects an existing certificate from the Windows keystore to secure IIS. For example, if you need change the current certificate that is installed, use this option to select an alternative certificate from the keystore. This operation replaces the current certificate (if one is installed) with the certificate that you select.
- Remove Current Certificate
Removes the current certificate from IIS. For example, if the server's hostname changes (which invalidates the current certificate), you use this option to disassociate the current certificate from IIS. This operation disassociates the current certificate from the Web site that is selected in the Web site drop-down list and also provides you the option to remove the certificate from the keystore.
- If you select Yes, the certificate is removed from IIS and the keystore.
- If you select No, the certificate is removed from IIS, but not the keystore. To secure IIS again with an alternative certificate, you can either generate, import, or select a different certificate.
Managing Trusted Certificates
- Import Certificates – Imports a trusted certificate into the truststore.
- Export Certificates – Exports a trusted certificate.
- Remove Certificates – Removes one or more selected certificates.
- View Details – Select a certificate and click View Details to see more information.
To execute an external Web service call from SBM using SSL, the SBM certificate truststore must contain the external service's public certificate (in the event that the certificate does not already exist in the truststore). Therefore, you must import the service's public certificate into either the Windows or Tomcat truststore—depending on which SBM component performs the call.
For example, if the external Web service call is invoked from a workflow transition, you must add the public certificate to the Windows truststore in the IIS tab on the IIS server. This ensures that SBM Application Engine calls are trusted by the external service. Similarly, you must add the public certificate to the Tomcat truststore to ensure that SBM Orchestration Engine calls are trusted by the external service. For example, if you create an SBM orchestration that contains an external Web service call that is secured by SSL, the public certificate for that service must be added to the Tomcat truststore. The truststore may already contain some public certificates, but if you create your own certificates or use certificates that are newer than those the truststore, the truststore must be updated to successfully complete calls over HTTPS.
- Application pool name – This is the Application Pool that is assigned to the tmtrack application in IIS. SBM Application Engine powers the runtime environment using this memory space.
- Application pool identity – This is the name of the account under which the application pool's worker process runs. By default, application pools operate under the Network Service account, which has low-level user access rights.
- Number of worker processes – Should always have a value of "1". This values denotes a single worker process for the application, which disables the Web garden feature. This keeps concurrent licenses from being consumed multiple times by one user session.
- Recycle worker processes (in minutes) – This setting is disabled by default. If enabled, IIS will periodically restart. This not only forces an IIS restart at a potentially inconvenient time, but also causes problems for installations that use Single Sign-On (SSO).
- Idle timeout (in minutes) – This setting is disabled by default. If enabled, the IIS worker process is shutdown after a specified period of inactivity. This forces IIS to re-cache all the templates and images again, which impacts users on subsequent attempts to access the system.
- Virtual directory authentication – This setting denotes the current authentication methods that are selected in the tmtrack and gsoap applications in IIS.