Wednesday, June 5, 2013

Savision Web Console & SSL: Getting Rid Of Nagging Message ‘There is a problem with this website's security certificate.’

When one installs Savision Live Maps and all the related components, the Savision Web Console defaults to SSL. When this Web Console isn’t published to the internet, it’s not required to use a third-party SSL certificate. Instead one could use a self-signed certificate. The installer of the Savision Web Console aids you in that. Simply hit the Create Certificate button and the certificate required for SSL will be created on the fly.

So far so good. However, now one might bump into the error message ‘There is a problem with this website's security certificate’.

This happens because the self-signed certificate carries the FQDN of the server the Savision Web Console runs on, while the URL used contains only the NETBIOS name of that server. The browser's certificate check then kicks in, telling you the certificate doesn’t match the URL you used.

This is a nagging issue which keeps on coming back. So basically there are two solutions:

  1. You buy an SSL certificate from a well-known CA (they come cheap nowadays);
  2. Or, when you have a CA (based on Microsoft technology) in place, create a Domain Certificate with the NETBIOS name as Common Name instead.

Option 1 is advised when the Savision Web Console will be published on the internet or when internal security requirements demand it. Option 2 is to be used only when the Savision Web Console will be used internally.

And of course, you could also disable SSL. But that’s a bad idea altogether. After all, SCOM collects sensitive data and you don’t want to send that unencrypted over your network…

Back in 2010 I blogged about how to secure the SCOM 2007 R2 Web Console with SSL by using a Domain Certificate. So when Option 2 applies to you, simply read that posting and off you go.

With Option 1, you most certainly already have a CA you buy your certificates from. Simply buy an SSL certificate and use ONLY the NETBIOS name of the server hosting the Savision Web Console as the Common Name for the SSL certificate.

So now we have a new certificate, whether we used option 1 or 2. So how to attach it to the Savision Web Console? This is very easy, simply follow these 3 steps:

  1. Start an RDP session with the server hosting the Savision Web Console and log on with an account which has local admin permissions. Start IIS Manager;
  2. Go to [SERVER NAME] > Sites > Live Maps 2012 Web Console > right-click > Edit Bindings > select the one and only SSL binding;
  3. > Edit > under the header SSL Certificate: there is a drop-down menu. Select the new SSL certificate (in this example I created a Domain Certificate named MS01 SSL For Savision Web Console).
    Click OK > Close.
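
The three steps above can also be scripted. The PowerShell below is an added example, not part of the original post or of Savision's tooling: before attaching the certificate to the site's SSL binding it checks that the certificate actually carries the host name typed in the URL, which is the cause of the warning. The host name `MS01` and the use of the certificate's friendly name for the lookup are assumptions; the site name and certificate name are the ones shown in the post.

```powershell
# Added example, not from the original post. Run elevated on the IIS server.
Import-Module WebAdministration

$SiteName     = 'Live Maps 2012 Web Console'          # site name from the post
$FriendlyName = 'MS01 SSL For Savision Web Console'   # assumed to be the friendly name
$HostName     = 'MS01'                                # assumption: name typed in the URL

function Test-CertMatchesHost {
    param($Cert, [string]$Name)
    # Names the certificate vouches for: the DNS names exposed by the Cert:
    # provider (DnsNameList) plus the subject Common Name.
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $names  = @($Cert.DnsNameList | ForEach-Object { $_.Unicode }) + $Cert.GetNameInfo($simple, $false)
    # Exact, case-insensitive match; wildcard entries are not evaluated here.
    return [bool]($names | Where-Object { $_ -ieq $Name })
}

# Newest certificate with that friendly name in the machine's personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert)                    { throw "No certificate named '$FriendlyName' in LocalMachine\My." }
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key; IIS cannot use it.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if (-not (Test-CertMatchesHost -Cert $cert -Name $HostName)) {
    throw "Certificate does not carry '$HostName'; the browser warning would come back."
}

# The post expects exactly one SSL binding on the site.
$binding = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($binding.Count -ne 1) { throw "Expected one https binding, found $($binding.Count)." }

if ($binding[0].certificateHash -ne $cert.Thumbprint) {
    # Detach the self-signed certificate first, then attach the new one.
    if ($binding[0].certificateHash) { $binding[0].RemoveSslCertificate() }
    $binding[0].AddSslCertificate($cert.Thumbprint, 'My')
}

# Show the resulting binding so the thumbprint can be compared by eye.
Get-WebBinding -Name $SiteName -Protocol https |
    Format-List bindingInformation, certificateHash
```

The script stops before touching IIS if the certificate is missing, expired, lacks a private key, or does not contain the host name, so a mismatching certificate is never bound.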

Now the Savision Web Console opens in IE without the nagging message.
