IIS Server

In the IIS Server tab, you designate a Web site to host the SBM Application Engine Web server components and configure the ports it will use. You configure the IIS Server settings in either wizard mode or utility mode on the server where you installed the SBM Application Engine component.

If you change any IIS settings while SBM Configurator is open, you must close and reopen SBM Configurator in order to update it with the latest changes that you made in IIS.

General Settings

In the General Settings tab, you configure the following settings.

Web Site Settings

To configure IIS Web site settings, provide the following:

Field: Application Engine Web site
Select an IIS Web site in the drop-down list. The Default Web Site is selected by default. After you select a Web site and click Apply, SBM Configurator performs the following tasks:

  • Creates the tmtrack and workcenter applications in IIS, which host SBM Work Center.
  • Creates the gsoap application in IIS, which hosts the SBM Application Engine Web services WSDL.
  • Creates the sbmconnector application in IIS, which hosts the REST Grid and PDF widgets.
  • Creates the ISAPI filters that SBM Application Engine needs to communicate with SBM Common Services.
  • Grants the Network Service and IUSR accounts file system access to the SBM Application Engine folder and its sub-folders.
  • Allows the necessary ISAPI extensions in the ISAPI and CGI Restrictions list.
  • Configures the tmtrack and gsoap application pools with the recommended identity, number of worker processes, and idle timeout. If the pools already exist with different values, SBM Configurator adjusts the number of worker processes and the idle timeout to the recommended settings.

Field: Web site HTTP port
Enter the HTTP port for the Web site that you selected. SBM Configurator updates the Web site in IIS with a new binding, so you do not have to open IIS Manager to change the port.

Field: Maximum request content length (MB)
Specify the maximum size of an incoming request that IIS will process (the Request Filtering maxAllowedContentLength limit). If you receive a "Transport error: 404 Error–Not found" or a "404.13 error" when you deploy a large process app, increase this value. The default is 500 MB.
Note: In IIS 7.5, the documented setting of zero (or unlimited) is not recognized. Additionally, you might need to install the Administration Pack for IIS located here in order to view Request Filtering settings in IIS Manager.

Work Center and Web Services IIS Application Settings

SBM Configurator displays the following IIS settings for informational purposes:
  • Application pool name – The application pool that is assigned in IIS.
    • DefaultAppPool – Used by the sbmconnector, tmtrack, and workcenter applications. The SBM Application Engine runtime executes in this pool's worker process.
    • gsoap_pool – Used by the gsoap application, which serves the SBM Application Engine Web services.
  • Application pool identity – The account under which the application pool's worker process runs. By default, application pools run as ApplicationPoolIdentity, a low-privilege virtual account that is unique to each pool.
  • Number of worker processes – Should always be "1". A single worker process per pool disables the Web garden feature, so that one user session does not consume a concurrent license in each worker process.
  • Recycle worker processes (in minutes) – Disabled by default. If enabled, IIS periodically restarts the pool's worker process, which interrupts users at a potentially inconvenient time and also causes problems for installations that use Single Sign-On (SSO).
  • Idle timeout (in minutes) – Disabled by default. If enabled, IIS shuts down the worker process after the specified period of inactivity. The next request must then wait while SBM re-caches all templates and images, which slows subsequent access to the system.
  • Virtual directory authentication – The authentication methods that are currently selected for the workcenter and gsoap applications in IIS.
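The following script is an added example, not code from SBM or SBM Configurator. It audits, from an elevated PowerShell prompt on the IIS server, the settings described under Web Site Settings and the application pool settings above: the four IIS applications, the HTTP binding, the Request Filtering size limit, and the worker-process, recycling and idle-timeout values of the two pools. The site name, port, limit and pool names are assumptions taken from the defaults in the text; adjust them to your installation. Enforcement of the request limit is left commented out so the script is read-only by default.

```powershell
# Added example (not part of SBM Configurator). Audits the IIS settings the IIS Server
# tab manages. Values below are assumptions matching the documented defaults.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'                      # Application Engine Web site
$HttpPort     = 80                                       # Web site HTTP port
$MaxRequestMB = 500                                      # Maximum request content length (MB)
$Pools        = 'DefaultAppPool', 'gsoap_pool'
$SbmApps      = 'tmtrack', 'workcenter', 'gsoap', 'sbmconnector'

$findings = @()

# 1. The four IIS applications SBM Configurator creates must exist under the site.
$present = @(Get-WebApplication -Site $SiteName | ForEach-Object { $_.Path.TrimStart('/') })
foreach ($app in $SbmApps) {
    if ($present -notcontains $app) { $findings += "Application '$app' is missing under '$SiteName'" }
}

# 2. An http binding on the configured port (bindingInformation looks like "*:80:").
if (-not (Get-WebBinding -Name $SiteName -Protocol http -Port $HttpPort)) {
    $findings += "No http binding on port $HttpPort for '$SiteName'"
}

# 3. Request Filtering limit, stored in bytes. IIS 7.5 does not honour 0/unlimited,
#    so require the explicit documented value.
$filter   = 'system.webServer/security/requestFiltering/requestLimits'
$limit    = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                -Filter $filter -Name 'maxAllowedContentLength').Value
$expected = $MaxRequestMB * 1MB
if ($limit -ne $expected) {
    $findings += "maxAllowedContentLength is $limit bytes, expected $expected"
    # To enforce the documented default, uncomment:
    # Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    #     -Filter $filter -Name 'maxAllowedContentLength' -Value $expected
}

# 4. Application pools: one worker process (no Web garden), no periodic recycle,
#    no idle timeout, and report the identity the worker process runs under.
foreach ($pool in $Pools) {
    $p = Get-Item "IIS:\AppPools\$pool" -ErrorAction SilentlyContinue
    if (-not $p) { $findings += "Application pool '$pool' not found"; continue }
    if ($p.processModel.maxProcesses -ne 1) {
        $findings += "${pool}: maxProcesses=$($p.processModel.maxProcesses), expected 1 (Web garden multiplies license use)"
    }
    if ($p.recycling.periodicRestart.time -ne [TimeSpan]::Zero) {
        $findings += "${pool}: periodic recycle every $($p.recycling.periodicRestart.time) (breaks SSO sessions)"
    }
    if ($p.processModel.idleTimeout -ne [TimeSpan]::Zero) {
        $findings += "${pool}: idle timeout $($p.processModel.idleTimeout) (forces template re-caching)"
    }
    "$pool runs as $($p.processModel.identityType)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'IIS configuration matches the SBM Configurator recommendations.' }
```

Run it after changing anything in IIS Manager: SBM Configurator only re-reads IIS when it is restarted, so this is a quick way to confirm that the pool and request-limit values it expects are still in place.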

HTTPS / TLS Settings

The IIS Server HTTPS / TLS Settings tab enables you to secure end-user connections to IIS.

If you enable SSO, you can secure connections from the browser into the SSO Security Server by selecting Use HTTPS for SSO login on the Security | Secure SSO sub-tab. For details, refer to Securing SSO.

General Settings

To configure HTTPS, you must specify a port in the Web site HTTPS port field.

Field: Web site HTTPS port
Enter the HTTPS port for the Web site that you selected. SBM Configurator updates the Web site in IIS with a new binding, so you do not have to open IIS Manager to change the port.

To finish configuring HTTPS, install a server certificate: import a certificate issued by a well-known certificate authority (CA) or by your own private CA, or a self-signed certificate. You can also manage the current configuration by selecting an existing certificate or removing the installed one.

The following certificate options are available:

  • Generate Sample Certificate

    Creates a new certificate signed by a sample CA certificate that is installed with SBM. For example, if you have not yet purchased a certificate from a well-known certificate authority (CA), select this option to secure IIS temporarily. Because the sample CA and its signing key ship with every SBM installation, a certificate it issues proves nothing about your server's identity; use it only for testing and replace it with a CA-issued certificate before going into production.

    • In the Generate Certificate dialog box that appears, you can accept the default values to create a new sample certificate with a common name that matches the local server's hostname. By default, the sample certificate is signed by the sample CA, but you can import and use a different CA certificate if necessary.
    • If you clear the Certificate authority check box, SBM Configurator generates a self-signed certificate instead. You can configure additional parameters, including the public key size, validity dates, and signature algorithm, as needed.
    • You must confirm that you want to add the sample CA certificate to the Windows truststore (if it is not detected there already). This deploys the sample CA certificate to the local Windows truststore, so that any certificate this CA subsequently issues is trusted on this server.
    • Once you click Yes, SBM Configurator creates a new certificate (signed by the sample CA certificate that you just deployed) and imports it into IIS, which associates it with the selected Web site. The new certificate's common name is generated from the server's host name. You can view the certificate details in SBM Configurator or in the Web site properties in IIS.
    • After the certificate is created, you can export the public certificate and import it into a third-party truststore to establish trust. To export the certificate, click View more details, select the Details tab, and click Copy to File. Complete the export wizard that appears to generate a DER-encoded certificate.
  • Import New Certificate

    Imports a CA-issued or self-signed certificate in PEM format (base64-encoded DER). For example, if you have purchased a certificate from a well-known CA, select this option to have SBM Configurator import the certificate for you. This operation adds the new certificate to the Windows keystore, imports the certificate into IIS, and associates the certificate with the Web site that is selected in the Web site drop-down list.

    • SBM does not support using certificates that contain wildcards.
    • There are restrictions to note when you configure your server for Smart Card authentication. If you replace the server certificate with a self-signed certificate, create it with the RSA algorithm: the TLS handshake fails with a self-signed DSA certificate in earlier Firefox versions. Internet Explorer is not affected.
  • Export Current Certificate

    Launches the Export dialog box, from which you can: export the certificate and optionally the private key; export the entire certificate chain plus the certificate; export just the chain without the certificate. Note that the certificate path options are disabled if you are using a self-signed certificate.

  • Select Existing Certificate

    Selects an existing certificate from the Windows keystore to secure IIS. For example, if you need to change the certificate that is currently installed, use this option to select an alternative certificate from the keystore. This operation replaces the current certificate (if one is installed) with the certificate that you select.

  • Remove Current Certificate

    Removes the current certificate from IIS. For example, if the server's hostname changes (which invalidates the current certificate), you use this option to disassociate the current certificate from IIS. This operation disassociates the current certificate from the Web site that is selected in the Web site drop-down list and also provides you the option to remove the certificate from the keystore.

    • If you select Yes, the certificate is removed from IIS and the keystore.
    • If you select No, the certificate is removed from IIS, but not the keystore. To secure IIS again with an alternative certificate, you can either generate, import, or select a different certificate.
  • Manage Trusted Certificates
    Click Manage Trusted Certificates to launch the Certificates dialog box. This enables you to search for trusted certificates, as well as import, export, or remove trusted certificates from the truststore. In the Certificates dialog box, you can:
    • Import Certificates – Imports a trusted certificate into the truststore.
    • Export Certificates – Exports a trusted certificate.
    • Remove Certificates – Removes one or more selected certificates.
    • View Details – Select a certificate and click View Details to see more information.
    Use the search field to find a certificate in the truststore. You can search for certificates by using any of the details that are listed in the Certificates dialog box.

    For SBM to call an external Web service over SSL/TLS, the truststore used by the calling SBM component must contain the external service's public certificate (or the CA certificate that issued it). If it is not there already, import it into either the Windows truststore or the Tomcat truststore, depending on which SBM component performs the call.

    For example, if the external Web service call is invoked from a workflow transition, SBM Application Engine makes the call, so add the service's public certificate to the Windows truststore from the IIS tab on the IIS server; this makes Application Engine trust the external service's certificate. Similarly, if the call is made from an SBM orchestration, SBM Orchestration Engine makes it, so add the public certificate to the Tomcat truststore. The truststore may already contain some public certificates, but if you use your own certificates, or certificates that are newer than those in the truststore, you must update the truststore before calls over HTTPS succeed.
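The script below is an added example, not SBM Configurator's own code. It reproduces by hand, in elevated PowerShell on the IIS server, what the certificate options above do: a private CA placed in the Windows truststore (the role of the sample CA), an RSA server certificate issued by it with the wildcard restriction enforced, an HTTPS binding on the Web site, the DER export used for third-party truststores, a PFX export with the private key, and the truststore imports for outbound calls described under Manage Trusted Certificates. The site name, port, export directory, external-service certificate path, and the Tomcat keystore location and password are assumptions; the -Signer parameter of New-SelfSignedCertificate needs Windows Server 2016 / Windows 10 or later.

```powershell
# Added example (not part of SBM Configurator). All names and paths are assumptions.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$HttpsPort = 443
$Hostname  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # CN = local server's FQDN
$ExportDir = 'C:\Temp\sbm-certs'
New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null

# 1. A local CA, placed in the machine's Trusted Root store. Anything it signs is then
#    trusted on this host, which is all that deploying the sample CA to the truststore does.
$ca = New-SelfSignedCertificate -Subject 'CN=Local SBM Test CA' -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 -KeyUsage CertSign, CRLSign `
        -TextExtension @('2.5.29.19={text}ca=true&pathlength=0') -NotAfter (Get-Date).AddYears(5)
$caCer = Join-Path $ExportDir 'local-ca.cer'
Export-Certificate -Cert $ca -FilePath $caCer -Type CERT | Out-Null
Import-Certificate -FilePath $caCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Server certificate signed by that CA. RSA, not DSA: a self-signed DSA certificate
#    breaks the handshake for Smart Card users on older Firefox builds.
$cert = New-SelfSignedCertificate -DnsName $Hostname -Signer $ca -CertStoreLocation 'Cert:\LocalMachine\My' `
          -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(2) `
          -FriendlyName 'SBM Application Engine'

# 3. SBM does not support wildcard certificates; refuse to bind one (checks CN and SAN).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
if ("$($cert.Subject) $san" -match '\*') { throw "Wildcard certificate $($cert.Thumbprint) is not supported by SBM" }

# 4. HTTPS binding on the chosen port with the certificate attached.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
}
(Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort).AddSslCertificate($cert.Thumbprint, 'My')

# 5. Exports: public certificate as DER for third-party truststores (the "Copy to File" step),
#    and certificate plus private key as PFX for backup or migration.
Export-Certificate -Cert $cert -FilePath (Join-Path $ExportDir "$Hostname.cer") -Type CERT | Out-Null
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $ExportDir "$Hostname.pfx") `
    -Password (Read-Host -AsSecureString 'PFX password') | Out-Null

# 6. Trust for outbound calls. $ExternalCer is an assumed path to an external Web service's
#    public certificate: the Windows truststore covers Application Engine (workflow
#    transitions), Tomcat's cacerts covers Orchestration Engine (orchestrations).
$ExternalCer = Join-Path $ExportDir 'external-service.cer'
if (Test-Path $ExternalCer) {
    Import-Certificate -FilePath $ExternalCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    & "$env:JAVA_HOME\bin\keytool.exe" -importcert -noprompt -alias external-service -file $ExternalCer `
        -keystore "$env:CATALINA_HOME\conf\cacerts" -storepass changeit   # assumed keystore and password
}

# 7. Verify that the bound certificate now chains to a trusted root on this host.
#    The private CA publishes no CRL, so revocation checking is switched off for this check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) { throw "Chain failed: $($chain.ChainStatus.StatusInformation -join '; ')" }
"Bound $($cert.Subject) ($($cert.Thumbprint)) to https://${Hostname}:$HttpsPort"
```

Step 6 is the direction of trust that matters for outbound calls: the external service's certificate goes into SBM's truststore so that SBM trusts the service, not the other way round. For a production server, replace step 2 with a certificate issued by your organization's CA and skip step 1 entirely.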

Advanced Settings

Use the following options to configure TLS protocols for your IIS server:

  • Client TLS – Affects calls originating from this server. For example, this affects calls made via TLS using a client on the server, such as ODBC client connection.
  • Server TLS – Affects external calls that terminate at this server. For example, this affects calls made via TLS to Application Engine on this server.

Note the following:

  • The TLS protocols that you select are applied to the entire Windows operating system through the Security Channel (SCHANNEL) settings. They therefore also affect other applications running in IIS and any other program on this server that uses SCHANNEL for inbound or outbound TLS connections.
  • At least one TLS protocol version must be enabled on both your IIS server and your Tomcat servers, or the two cannot negotiate a connection. For example, if you enable only TLS 1.2 for IIS, TLS 1.2 must also be enabled for Tomcat; and if you enable TLS 1.3 for Tomcat, TLS 1.2 or earlier must remain enabled for IIS as well so that the two sides share a version. Prefer TLS 1.2 as the common version: TLS 1.0 and 1.1 are deprecated and should be disabled on both sides wherever clients allow it.
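As an added example that is not part of SBM Configurator, the script below shows what the Client TLS and Server TLS options change underneath, namely the machine-wide SCHANNEL protocol keys in the registry, and then checks that the protocols left enabled overlap with those configured on a Tomcat HTTPS connector. The path to Tomcat's server.xml is an assumption, and the Tomcat parsing is a best-effort reading of the sslProtocol, protocols and sslEnabledProtocols attributes. Run it elevated; SCHANNEL changes only take effect after a reboot.

```powershell
# Added example (not part of SBM Configurator). Machine-wide SCHANNEL protocol control
# plus an IIS/Tomcat overlap check. Tomcat path below is an assumption.
$Base         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$AllProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocol {
    # Effective state per protocol and side. A missing key or missing values mean "OS default".
    foreach ($proto in $AllProtocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $Base $proto) $side
            $state = 'OS default'
            if (Test-Path $key) {
                $v = Get-ItemProperty -Path $key
                if ($null -ne $v.Enabled -or $null -ne $v.DisabledByDefault) {
                    if ($v.Enabled -eq 0)                { $state = 'Disabled' }
                    elseif ($v.DisabledByDefault -eq 1)  { $state = 'Enabled (not by default)' }
                    else                                 { $state = 'Enabled' }
                }
            }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Side,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path (Join-Path $Base $Protocol) $Side
    New-Item -Path $key -Force | Out-Null
    # Both values matter: Enabled=0 hard-disables; DisabledByDefault=1 keeps it off unless an app opts in.
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

# Server TLS: only TLS 1.2 accepted for connections terminating at Application Engine on this host.
# Client TLS: only TLS 1.2 offered for calls leaving this host (ODBC, calls to Tomcat, external services).
foreach ($side in 'Client', 'Server') {
    foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Protocol $old -Side $side -Enabled $false }
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Side $side -Enabled $true
}
Get-SchannelProtocol | Format-Table -AutoSize

# Overlap check: IIS (client side, since IIS calls Tomcat) versus the Tomcat HTTPS connector.
$ServerXml = 'C:\path\to\tomcat\conf\server.xml'   # assumed location
if (Test-Path $ServerXml) {
    [xml]$xml = Get-Content $ServerXml
    $tomcat = @(
        $xml.SelectNodes('//Connector[@SSLEnabled="true"] | //Connector/SSLHostConfig') |
            ForEach-Object { ($_.sslProtocol, $_.protocols, $_.sslEnabledProtocols) -ne $null } |
            ForEach-Object { $_ -split '[,+]' } | ForEach-Object { $_.Trim() }
    )
    if ($tomcat -contains 'all' -or $tomcat -contains 'TLS') { $tomcat += 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3' }
    # SCHANNEL names ("TLS 1.2") versus Tomcat/JSSE names ("TLSv1.2").
    $iis    = @((Get-SchannelProtocol | Where-Object { $_.Side -eq 'Client' -and $_.State -eq 'Enabled' }).Protocol -replace ' ', 'v')
    $common = $iis | Where-Object { $tomcat -contains $_ }
    if (-not $common) { Write-Warning "No TLS protocol is common to IIS ($($iis -join ', ')) and Tomcat ($($tomcat -join ', '))" }
    else { "Common protocols: $($common -join ', ')" }
}
```

Because these keys are global, run Get-SchannelProtocol before changing anything and keep the output: any other service on the box that still needs an older protocol (a legacy ODBC driver, an old LDAP server) will break after the reboot, and the saved output tells you which key to restore.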