Qlik Community

Qlik NPrinting Documents

Documents related to Qlik NPrinting.

How to Enable SSL in On-Demand

Employee
Employee

How to Enable SSL in On-Demand

NOTE: NPrinting On Demand does NOT support reverse proxy server configurations nor software/hardware web load balancers at this time. It is currently designed to work with http or https in a non load-balanced front environment where ports 9000 and 9001 are left open for use with NPrinting On Demand Exclusively.

SSL can be enabled selectively per-endpoint.

For example, you can enable SSL for HTTP endpoint and disable SSL for WS endpoint. Also see "NPrinting On-Demand: Architecture and Configuration".

A valid SSL certificate signed by a valid CA (public or domain) must be bound to the https://yourhostdnsname:ajaxport/ address you plan to use for the endpoint.

Ports Reservation

                
            Ports-Reservation.png                
      

Ports reservation are done automatically at service startup in NPrinting 14.0.0.12 or higher releases. In some installations, you must reserve TCP ports listening for the On-Demand service process.

After opening a Command Prompt as Administrator, check if SSL is enabled:

  1. Enter netsh http add urlacl url=https://+:9000/ user=DOMAIN\user , replace DOMAIN\user with the domain and the name of your NPrinting Server account
  2. Enter netsh http add urlacl url=https://+:9001/ user=DOMAIN\user

If a port is reserved by another process and you are sure you can use it with On-Demand, remove the reservation before enabling it typing the following:

Enter netsh http delete urlacl url=https://+:9000/ (replace 9000 with target TCP port and http with https if SSL is enabled)

Install Makecert Tool

                
            Install-Makecert-Tool.png                
      

If you already have a SSL certificate, go directly to "Get the Certificate Thumbprint" step further below in this tutorial.

After logging in with your NPrinting Server account, download and install "Microsoft Windows SDK for Windows 7 and .NET Framework 4" if your system does not have "makecert" installed.

Select Tools during the installation and finish the installation

Create a Trusted Certificate only for Test

                
            Create-a-Trusted-Certificate-only-for-Test.png                
      

Right click on Windows SDK 7.1 Command Prompt and select Run as administrator

Generate the Trusted SSL Certificate

                
            Generate-the-Trusted-SSL-Certificate.png                
      
  1. Enter cd C:\Program Files\Microsoft SDKs\Windows\v7.1\bin
  2. Enter makecert -sv C:\SignRoot.pvk -cy authority -r C:\signroot.cer -a sha1 -n "CN=Dev Certification Authority" -ss my -sr localmachine to create a trusted certificate only for tests. Refer to "Makecert.exe (Certificate Creation Tool)"
  3. Enter a password
  4. Click OK. If necessary retype the password

This command create a certificate (.cer) and a Private Key (.pvk) in C:\ root folder.

Open the Microsoft Management Console

                
            Open-the-Microsoft-Management-Console.png                
      

Execute the command mmc.exe then:

  1. Click on File
  2. Select Add/Remove Snap-in...

Add the Certificates to the Console

                
            Add-the-Certificates-to-the-Console.png                
      
  1. Select Certificates from the list
  2. Click on Add > to import the selected element in the console and a new window will appears
 

Certificate snap-in

                
            Certificate-snap-in-.png                
      
  1. Select Computer account
  2. Click on Next

After clicking on Finish, click on OK

  

Move the Certificate to Trusted Root Certification Authorities

                
            Move-the-Certificate-to-Trusted-Root-Certification.png                
      
  1. Move into Certificates -> Personal -> Certificates
  2. Select Dev Certification Authority and drag and drop it into Trusted Root Certification Authorities

Create a localhost Certificate

                
            Create-a-localhost-Certificate.png                
      

After returning to the Command Prompt:

  1. Enter makecert -iv C:\SignRoot.pvk -ic C:\signroot.cer -cy end -pe -n CN="localhost" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
  2. Enter the password created for the first certificate
  3. Click OK

Get the Certificate Thumbprint

                
            Get-the-Certificate-Thumbprint.png                
      

If you already have a certificate you can import it:

  1. Go to Certificates -> Personal -> Certificates
  2. Right-click on the empty list and select All Tasks -> Import...

After reopening the Microsoft Management Console and clicking F5:

  1. Double click on localhost or on your certificate into Certificates -> Personal -> Certificates
  2. Open the Details tab
  3. Select from the list Thumbprint
  4. Select the thumbprint and copy it into Notepad and remove the spaces, the number will be different from the screenshot

Remove old SSL Associations

                
            Remove-old-SSL-Associations-.png                
      

After opening a Command Prompt as Administrator:

  1. Enter netsh http delete sslcert ipport=0.0.0.0:9000
  2. Enter netsh http delete sslcert ipport=0.0.0.0:9001

If you get the error "SSL Certificate deletion failed, Error: 2 The system cannot find the file specified." means that there weren't certificates bound to these ports.

Netsh command works only starting from Windows Vista and Windows Server 2008, if you use an older version refer to "How to: Configure a Port with an SSL Certificate"

  

Generate GUIDs

                
            Generate-GUIDs.png                
      
  1. Go to "Online GUID Generator"
  2. Enter 2
  3. Check all three boxes
  4. Click on Generate some GUIDs!
  5. Select and copy these two GUIDs into your Notepad,  the GUIDs will be different from the screenshot.
 

Binding an SSL Certificate to a URL

                
            Binding-an-SSL-Certificate-to-a-URL.png                
      

After reopening the Command Promt:

  1. Enter netsh http add sslcert ipport=0.0.0.0:9000 certhash="thumbprint" appid={GUID} , replace "thumbprint" with your thumbprint and "GUID" with one of your GUIDs previously copied into the notepad without quotes (e.g. netsh http add sslcert ipport=0.0.0.0:9000 certhash=‎c494745efa0aef0467fb4a87e1712922c19b7dbc appid={CD57FF9A-FBF8-4215-873B-116253E65ED1})
  2. Enter netsh http add sslcert ipport=0.0.0.0:9001 certhash="thumbprint" appid={GUID} , replace "thumbprint" with your thumbprint and "GUID" with your second GUID (e.g. netsh http add sslcert ipport=0.0.0.0:9001 certhash=‎c494745efa0aef0467fb4a87e1712922c19b7dbc appid={3AB66D52-BB62-4AAE-8E29-29A5D2B07D3B})
   

Check the Ports

                
            Check-the-Ports.png                
      

Enter netsh http show sslcert

Using this command is possible to see all the SSL certificate added. If all step have been performed correctly, you will see the certificates which you added in previous steps.

Configure ods.config

                
            Configure-odsconfig.png                
      
  1. Go to C:\Users\{UserName}\AppData\Roaming\NPrinting\ODS (e.g. C:\Users\NPrinting\AppData\Roaming\NPrinting\ODS)
  2. Open ods.config with a text editor
 

Configure On-Demand Service Endpoints

                
            Configure-On-Demand-Service-Endpoints-.png                
      
  • WsEnabled and HttpEnabled enable or disable the WS and HTTP endpoints respectively.
  • WsHostname and HttpHostname are the DNS hostnames of  the WS and HTTP interfaces respectively as they appear to clients. If you enable SSL, these names must be the same as indicated in the SSL certificate. (e.g. localhost)
  • WsPort and HttpPort are the TCP ports used for the WS and HTTP interfaces respectively. If both endpoints are enabled these ports must be different.
  • WsEnableSSL and HttpEnableSSL enable or disable the SSL protocol in the respective interface.
  1. Enter localhost in the WsHostname and HttpHostname value field
  2. Type true in the WsEnableSSL and HttpEnableSSL value field
  3. Save and Close

Edit the On-Demand Components

                
            Edit-the-On-Demand-Components.png                
      

If you want to use SSL you must enable SSL on ON-Demand Components

  1. Click on View
  2. Select Turn on/off WebView
  3. Right-click on each button and click on Properties

Enable SSL on On-Demand Components

                
            Enable-SSL-on-On-Demand-Components.png                
      
  1. Select On-Demand service connection
  2. Check Use SSL

Restart the NPrinting Server Service

                
            Restart-the-NPrinting-Server-Service.png                
      

After opening the Services manager:

  1. Select NPrinting Server service from the list
  2. Click on Restart

Result

                
            Result.png                
      

If you go to https://localhost:9000/ods, you can see the a green padlock and that the certificate has been accepted.

NOTE: NPrinting On Demand does NOT support reverse proxy server configurations nor software/hardware web load balancers at this time. It is currently designed to work with http or https in a non load-balanced front environment where ports 9000 and 9001 are left open for use with NPrinting On Demand Exclusively.

Labels (1)
Version history
Revision #:
1 of 1
Last update:
‎11-06-2015 08:58 AM
Updated by:
Employee