IIS Server

In the IIS Server tab, you designate a Web site to host the SBM Application Engine Web server components and configure the ports it will use. You configure the IIS Server settings in either wizard mode or utility mode on the server where you installed the SBM Application Engine component.

If you change any IIS settings while SBM Configurator is open, you must close and reopen SBM Configurator in order to update it with the latest changes that you made in IIS.

Web Site Settings

To configure IIS Web site settings, provide the following:

Field	Description
Application Engine Web site	Select an IIS Web site in the drop-down list. The Default Web Site is selected by default. After you select a Web site and click Apply, SBM Configurator performs the following tasks: Creates the tmtrack and workcenter applications in IIS, which host SBM Work Center. Creates the gsoap application in IIS, which hosts the SBM Application Engine Web services WSDL. Creates the sbmconnector application in IIS, which hosts the REST Grid and PDF widgets. Creates the necessary ISAPI filters for SBM Application Engine to communicate with SBM Common Services. Sets file system permissions for the Network Service and IUSR accounts and grants access to the SBM Application Engine folder and its sub-folders. Grants permission to the necessary ISAPI extensions. Configures the tmtrack and gsoap application pools to use the recommended identity, number of worker processes, and idle timeout. SBM Configurator adjusts the idle timeout and number of worker processes if the recommended settings are not currently used.
Web site HTTP port	Define the HTTP port for the Web site that you selected. This updates the Web site in IIS with a new binding, which means you do not have to open IIS to change the Web site's port value.
Web site HTTPS port	Define the HTTPS port for the Web site that you selected. This updates the Web site in IIS with a new binding, which means you do not have to open IIS to change the Web site's port value.
Maximum request content length (MB)	Specify the maximum size for incoming requests that can be processed by IIS. This setting limits the size of requests that are processed by IIS. If you receive a "Transport error: 404 Error–Not found" or a "404.13 error" when you deploy a large process app, increase the maximum size. The default value is 500 MB. Note: In IIS 7.5, the documented setting of zero (or unlimited) is not recognized. Additionally, you might need to install the Administration Pack for IIS located here in order to view Request Filtering settings in IIS Manager.

Configuring SSL

You can configure SSL in IIS by generating a new certificate from a well-known certificate authority (CA) or a self-signed certificate generated by your own CA. You can also manage the current SSL configuration by removing or selecting existing SSL certificates.

Before you can configure SSL for IIS, you must specify an HTTPS port in the Web site HTTPS port field.

The IIS Server tab only appears when you run SBM Configurator on the SBM Application Engine server. If you want to secure end-user connections to IIS in a distributed server environment, you must configure SSL settings on the SBM Application Engine server. Additionally, if you choose to enable SSO, you can secure connections from the browser into the SSO Security Server by selecting Use HTTPS for SSO login on the Security tab. For details, refer to Securing SSO.

To configure SSL, use the following options:

Generate Sample Certificate
Creates a new SSL certificate that is based on a sample CA certificate installed with SBM. For example, if you have not yet purchased a certificate from a well-known certificate authority (CA), select this option to temporarily secure IIS with a sample certificate.
- In the Generate Certificate dialog box that appears, you can accept the default values to create a new sample certificate with a common name that matches the local server's hostname. By default, the sample certificate is signed by the sample CA, but you can import and use a different CA cert if necessary.
- If you clear the Certificate authority check box, SBM Configurator generates a self-signed certificate. You can configure additional parameter including the public key size, validity dates, and signature algorithm as needed.
- You must confirm that you want to add the sample CA certificate to the Windows truststore (if is not detected there already). This operation deploys the sample CA certificate to the local Windows truststore (which creates a trust for any certificates that are henceforth generated by this CA certificate).
- Once you click Yes, SBM Configurator creates a new SSL certificate (using the sample CA certificate that you just deployed), and imports the new certificate into IIS, which associates it with selected Web site. The newly-generated certificate's common name is generated using the server's host name. You can view the certificate details in SBM Configurator or in the Web site properties in IIS.
- After the certificate is created, you can export the public key and import it into a third party keystore to establish a trust. To export the certificate, click View more details, select the Details tab, and click Copy to File. Complete the export wizard that appears to generate a DER-encoded certificate.
Import New Certificate
Imports a well-known or self-signed certificate (in PEM format, which is a base64-encoded DER). For example, if you have purchased a certificate from a well-known CA, select this option to have SBM Configurator import the certificate for you. This operation adds the new certificate to the Windows keystore, imports the certificate into IIS, and associates the certificate with the Web site that is selected in the Web site drop-down list.
- SBM does not support using certificates that contain wildcards.
- If you configure your server for Smart Card authentication, there are restrictions when configuring SSL. Specifically, if you replace the server SSL certificate with a self-signed server certificate, you must create the self-signed certificate using the RSA algorithm. The SSL handshake fails when using a self-signed DSA certificate in earlier FireFox browsers. This is not an issue for Internet Explorer browsers.
Export Current Certificate
Launches the Export dialog box, from which you can: export the certificate and optionally the private key; export the entire certificate chain plus the certificate; export just the chain without the certificate. Note that the certificate path options are disabled if you are using a self-signed certificate.
Select Existing Certificate
Selects an existing certificate from the Windows keystore to secure IIS. For example, if you need change the current certificate that is installed, use this option to select an alternative certificate from the keystore. This operation replaces the current certificate (if one is installed) with the certificate that you select.
Remove Current Certificate
Removes the current certificate from IIS. For example, if the server's hostname changes (which invalidates the current certificate), you use this option to disassociate the current certificate from IIS. This operation disassociates the current certificate from the Web site that is selected in the Web site drop-down list and also provides you the option to remove the certificate from the keystore.
- If you select Yes, the certificate is removed from IIS and the keystore.
- If you select No, the certificate is removed from IIS, but not the keystore. To secure IIS again with an alternative certificate, you can either generate, import, or select a different certificate.

Managing Trusted Certificates

Click Manage Trusted Certificates to launch the Certificates dialog box. This enables you to search for trusted certificates, as well as import, export, or remove trusted certificates from the truststore. In the Certificates dialog box, you can:

Import Certificates – Imports a trusted certificate into the truststore.
Export Certificates – Exports a trusted certificate.
Remove Certificates – Removes one or more selected certificates.
View Details – Select a certificate and click View Details to see more information.

Use the search field to find a certificate in the truststore. You can search for certificates by using any of the details that are listed in the Certificates dialog box.

To execute an external Web service call from SBM using SSL, the SBM certificate truststore must contain the external service's public certificate (in the event that the certificate does not already exist in the truststore). Therefore, you must import the service's public certificate into either the Windows or Tomcat truststore—depending on which SBM component performs the call.

For example, if the external Web service call is invoked from a workflow transition, you must add the public certificate to the Windows truststore in the IIS tab on the IIS server. This ensures that SBM Application Engine calls are trusted by the external service. Similarly, you must add the public certificate to the Tomcat truststore to ensure that SBM Orchestration Engine calls are trusted by the external service. For example, if you create an SBM orchestration that contains an external Web service call that is secured by SSL, the public certificate for that service must be added to the Tomcat truststore. The truststore may already contain some public certificates, but if you create your own certificates or use certificates that are newer than those the truststore, the truststore must be updated to successfully complete calls over HTTPS.

Other Settings

SBM Configurator also displays the following Application Engine settings:

Application pool name – This is the Application Pool that is assigned to the tmtrack application in IIS. SBM Application Engine powers the runtime environment using this memory space.
Application pool identity – This is the name of the account under which the application pool's worker process runs. By default, application pools operate under the Network Service account, which has low-level user access rights.
Number of worker processes – Should always have a value of "1". This values denotes a single worker process for the application, which disables the Web garden feature. This keeps concurrent licenses from being consumed multiple times by one user session.
Recycle worker processes (in minutes) – This setting is disabled by default. If enabled, IIS will periodically restart. This not only forces an IIS restart at a potentially inconvenient time, but also causes problems for installations that use Single Sign-On (SSO).
Idle timeout (in minutes) – This setting is disabled by default. If enabled, the IIS worker process is shutdown after a specified period of inactivity. This forces IIS to re-cache all the templates and images again, which impacts users on subsequent attempts to access the system.
Virtual directory authentication – This setting denotes the current authentication methods that are selected in the tmtrack and gsoap applications in IIS.