Secure Server Connection - techtalk/SpecLog-Resources GitHub Wiki
You can configure a secure HTTPS connection to:
- communicate between client and server
- communicate between server and TFS work item synchronization (see Synchronization-Workitems)
The following instructions assume that you are familiar with setting up and using the certificate infrastructure of Windows.
You need a valid SSL certificate installed on the SpecLog server for secure communication via HTTPS. We recommend using a certificate from a trusted root certification authority, so that clients can connect to the server without further configuration.
You can also create your own SSL certificate on the server, using the makecert command:

```
makecert -r -pe -n "CN=<YourServerURL>" -b 01/01/2000 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
```

- Replace `<YourServerURL>` with the address of the server, e.g. `CN=myspeclogserver.acme.org`
If you create your own certificate, you need to ensure that clients connecting to the server trust this certificate, e.g. by importing the certificate into the "Trusted Root Certification Authorities/Certificates" location in the "Local Computer" certificate store on each client.
You need to bind the certificate to the port the server is listening on.

Execute the following command on the server in an elevated rights command window to bind the certificate:

```
netsh http add sslcert ipport=0.0.0.0:<port number> certhash=<thumbprint> appid={7a429750-90e5-4a04-b6dc-03b3338d7c83}
```

- Replace `<port number>` with the port the server is listening on, e.g. `ipport=0.0.0.0:4242`
- Replace `<thumbprint>` with the thumbprint value of the certificate you are using (step 1), e.g. `certhash=810bbbfd1a68f7a27bb0507f29e695ce164a5ca8`

To list the certificates already bound to a specific port, use the following command:

```
netsh http show sslcert ipport=0.0.0.0:<port number>
```
The user account the server is running under needs to be registered for HTTPS on the desired port. This user is either the service user assigned to run the server service, or the user running the server interactively from the console.

The following assumes that you want to register HTTPS for port 4242. Execute the commands from an elevated rights command window:

- Execute the following command to list any existing HTTP reservations on the port:

```
netsh http show urlacl url=http://+:4242/
```

- If HTTP reservations exist, delete them with the following command:

```
netsh http delete urlacl url=http://+:4242/
```

- Execute the following command to register the port with the correct URI scheme for the user:

```
netsh http add urlacl url=https://+:4242/ user=<user>
```

- Replace `<user>` with USERDOMAIN\USERNAME, e.g. `user=MyDomain\MyUserName`
- When registering the current user (for console access), you can also use `user=%USERDOMAIN%\%USERNAME%` to specify the user.
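As an added example that is not part of this wiki page, the following PowerShell script performs the certificate binding and URL reservation steps above in one run, selecting the certificate by its subject name from the LocalMachine\My store instead of pasting the thumbprint by hand, and checking expiry and the Server Authentication EKU first. The server name, service account and port are placeholders; the appid is the one from the netsh command above.

```powershell
# Added example (not from the SpecLog wiki): bind the server certificate to the
# SpecLog port and reserve the HTTPS URL for the service account in one run,
# using the same netsh commands as the steps above. Run from an elevated prompt.
param(
    [string]$ServerName  = 'myspeclogserver.acme.org',               # certificate CN (placeholder)
    [int]$Port           = 4242,                                      # port the server listens on
    [string]$ServiceUser = 'MyDomain\SpecLogService',                 # service account (placeholder)
    [string]$AppId       = '{7a429750-90e5-4a04-b6dc-03b3338d7c83}'  # appid from the wiki
)
$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (the -eku value makecert uses above)

# 1. Pick the certificate by subject (the subject makecert -n "CN=..." produces) instead of
#    pasting the thumbprint: a thumbprint copied from the MMC snap-in often carries invisible
#    characters that netsh rejects.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServerName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$ServerName in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

# SChannel will not serve a certificate whose EKU extension omits Server Authentication.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# 2. Replace any existing SSL binding on the port so the selected certificate is the one served.
$ipport = "0.0.0.0:$Port"
if ((netsh http show sslcert "ipport=$ipport") -match 'Certificate Hash') {
    netsh http delete sslcert "ipport=$ipport" | Out-Null
}
netsh http add sslcert "ipport=$ipport" "certhash=$($cert.Thumbprint)" "appid=$AppId"

# 3. Drop a leftover plain-HTTP reservation and reserve the HTTPS URL for the service account only.
if ((netsh http show urlacl "url=http://+:$Port/") -match 'Reserved URL') {
    netsh http delete urlacl "url=http://+:$Port/" | Out-Null
}
netsh http add urlacl "url=https://+:$Port/" "user=$ServiceUser"

# 4. Show the result so the binding and reservation can be verified before starting the service.
netsh http show sslcert "ipport=$ipport"
netsh http show urlacl "url=https://+:$Port/"
```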
You need to modify the `SpecLog.Server.exe.config` file to enable transport level security over HTTP (HTTPS). In the `<appSettings/>` element, set `SecureUrlSchema` to `true`:

```xml
<appSettings>
  <add key="ServiceUrlPort" value="4242" /> <!-- Optional: the port on which SpecLog services communicate; default: 4242 -->
  <add key="SecureUrlSchema" value="true" /> <!-- Optional: whether services use transport level security (SSL); default: false -->
  <add key="ReducedSecurity" value="false" /> <!-- Optional: whether request and response urls have to match; default: false -->
  <!-- Optional: the folder for plugin repositories; default: <CommonApplicationData>\TechTalk\SpecLog -->
  <!-- <add key="PluginRepositoryFolder" value="C:\ProgramData\TechTalk\SpecLog" /> -->
</appSettings>
```
You also need to update the connection string for any server access and repository access client you are running from the command line:

- Server Access Management in `SpecLog.UserManager.exe.config`
- Repository Access Management in `SpecLog.AccessManager.exe.config`

```xml
<appSettings>
  <!-- change the prefix from "http" to "https" to connect with SSL -->
  <add key="SpeclogServerUrl" value="https://localhost:4242"/>
</appSettings>
```