Configure SSL or TLS for AgilePoint NX Portal
To configure AgilePoint Server and AgilePoint NX Portal to use SSL or TLS, do the procedure in this topic.
Background and Setup
Prerequisites
- AgilePoint NX OnPremises or AgilePoint NX PrivateCloud.
- To use secure communication, AgilePoint NX requires an SSL or TLS certificate to be installed for each communication port used for AgilePoint Server on the AgilePoint Server machine.
- A full chain SSL or TLS certificate in PFX or PEM format.
- PFX - The file must be in .pfx format and requires a password.
- PEM - In most cases, a PEM certificate consists of two files: a private key file (.pem or .key) and a certificate file (.crt or .pem).
Note: Make sure the SSL certificate chain is complete.
Good to Know
- For security, AgilePoint recommends you use a standard SSL or TLS certificate, and not a self-signed certificate.
- SSL or TLS is required for AgilePoint Server if you use on-premises SharePoint over SSL or TLS.
- AgilePoint NX supports any version of SSL or TLS, but software or systems outside of AgilePoint NX may limit the versions of SSL or TLS you can use in your environment. The following are examples of restrictions that may apply. However, the specific rules depend on your specific configuration:
- AgilePoint Server relies on the version of SSL or TLS that is configured for .NET on your AgilePoint Server machine. For example, by default, .NET 4.7.1 supports TLS 1.2 or higher.
This configuration can be changed, but any downgrade in the supported version of SSL or TLS can result in security risks. For more information, see the documentation from Microsoft.
- Outside services, such as Salesforce, may require certificates with higher levels (or specific levels) of SSL or TLS.
You can test your certificate with several third-party, web-based services—for example, https://www.digicert.com/help/
- If you want to connect to mobile apps that use iOS 9 or higher, your certificate must use Apple's App Transport Security standard.
For more information, refer to NSAppTransportSecurity from Apple.
- The security protocols supported by third-party technologies are the responsibility of the associated vendors. These are subject to change without notice from AgilePoint.
- After you configure AgilePoint Server and AgilePoint NX Portal for SSL or TLS, you must also configure several other components if they are used in your environment.
For more information, refer to:
Enable SSL or TLS in AgilePoint Server Manager
To enable the SSL Settings in AgilePoint Server Manager, do the procedure in this topic.
How to Start
- On the AgilePoint Server machine, in Windows Explorer, right-click the file (AgilePoint Server installation folder) C:\Program Files\AgilePoint\AgilePoint Server\WCFConfigurationUtility.exe, and click Run as Administrator.
Procedure
- On the AgilePoint Server Manager, select your AgilePoint Windows Service instance.
- On the Networking tab, in the SSL Settings section, turn on Use Secure Connection (SSL).
- In the Domain field, enter the common name or domain name for your SSL certificate.
- Restart the AgilePoint Server instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal.
Create the Thumbprint for the certificate
To create a thumbprint for the SSL or TLS certificate in the AgilePoint Server instance, do the procedure in this topic.
Procedure
- In a command prompt, enter mmc.
- On the Console Root screen, click File > Add/Remove Snap-in.
- On the Add or Remove Snap-ins screen, select Certificates, and click Add.
- On the Certificates snap-in screen, click Computer account.
- On the Select Computer screen, click Local computer.
- Click Finish.
- On the Selected snap-ins section, click Certificates (Local Computer).
- Click OK.
- Click Certificates (Local Computer) > Personal.
- Right-click Certificates, and select All Tasks > Import.
- On the Certificates Import wizard, click the Next button.
- In the File name field, browse to your SSL certificate.
- Click Next.
- On the Private key protection screen, in the Password field, enter the password for the private key.
This screen shows only when the private key is secured with a password.
- On the Certificate Store screen, select Place all certificates in the following store.
- In the Certificate Store field, click the Browse button, and select Personal.
- Click Next.
- Click Finish.
- On the Console Root screen, double-click on the imported SSL certificate.
- On the Certificate screen, click the Details tab.
- In the Show field, select ALL.
- Select Thumbprint.
- Copy the value of the thumbprint and paste it in a text editor.
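The same import and thumbprint lookup can be scripted. The following PowerShell is an added example, not part of the AgilePoint documentation; the PFX path is a placeholder, and it assumes an elevated session on the AgilePoint Server machine.

```powershell
# Added example (not AgilePoint code). Run in an elevated PowerShell session.
$PfxPath  = 'C:\certs\portal-fullchain.pfx'      # placeholder path, replace with your file
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into Certificates (Local Computer) > Personal, the store used in the procedure.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password

# The server certificate is the imported certificate that carries the private key.
$leaf = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key was found in $PfxPath." }

# Build the chain from the local stores to confirm it is complete and trusted.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($leaf)
$issues  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# Thumbprint comes back as plain hex, with none of the spaces or hidden
# characters that a value copied from the certificate dialog can pick up.
[pscustomobject]@{
    Subject     = $leaf.Subject
    NotAfter    = $leaf.NotAfter
    ChainValid  = $chainOk
    ChainIssues = $issues
    Thumbprint  = $leaf.Thumbprint
}
```

If ChainValid is False, ChainIssues names the reason (for example, an incomplete chain or an expired certificate) before the thumbprint is applied to a port.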
(Optional) Remove an SSL or TLS certificate from AgilePoint NX Portal
If you are replacing an SSL or TLS certificate — for example, if a certificate is due to expire — you must remove the association with the current certificate. To remove the SSL or TLS certificate from a port served by AgilePoint NX Portal, do the procedure in this topic.
Prerequisites
- This procedure is only required if an SSL or TLS certificate is already configured for AgilePoint NX Portal, and you are replacing the existing certificate with a new one.
Good to Know
- This action removes the association between the certificate and the port number. The certificate is not deleted from the folder path. The same certificate file can be applied to a different port.
How to Start
- On the AgilePoint Server machine, open this folder:
(NX Portal installation folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\tools\windows
- Right-click the file AgilePoint.Portal.Management.exe, and click Run as Administrator.
Procedure
- On the SSL Management Utility screen, click the Remove SSL tab.
- On the Remove SSL tab, in the Port field, enter the port number from which to remove the SSL or TLS certificate.
- Click Remove.
Configure an SSL or TLS Certificate for AgilePoint NX Portal
To configure an SSL or TLS certificate for AgilePoint NX Portal, do the procedure in this topic.
How to Start
- On the AgilePoint Server machine, open this folder:
(NX Portal installation folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\tools\windows
- Right-click the file AgilePoint.Portal.Management.exe, and click Run as Administrator.
Procedure
- On the SSL Management Utility screen, in the Select the type of Certificate field, select the type of certificate to import.
- In the Upload Certificate File field, click Browse.
- Select the certificate from the AgilePoint Server machine to use to configure SSL or TLS.
The certificate must be in .pfx or .pem format.
- Do one of these:
- For a .pfx certificate, do this:
- In the Passphrase field, enter the password for the certificate.
The password is stored in encrypted format in the web.yaml file.
- For a .pem certificate, do this:
- In the Upload Key File field, click Browse.
- Select a private key file from the AgilePoint Server machine.
- Click Update.
The utility copies the SSL or TLS certificate files to this folder:
(NX Portal installation folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\Certificates
- Click the Apply SSL tab.
- On the Apply SSL tab, in the Port field, enter the port number to associate with the SSL or TLS certificate.
- In the CertHashID field, paste the value of the thumbprint you created in Create a thumbprint for the certificate.
- Click Apply.
The utility associates the SSL or TLS certificate with the specified port.
- Restart the AgilePoint Server instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal.
Update the URLs in the AgilePoint NX Portal Configuration
To update the URLs in AgilePoint NX Portal, do the procedure in this topic.
Good to Know
- When you configure the SSL or TLS certificate for the first time, you must change the URLs in the AgilePoint NX Portal configuration file from HTTP to HTTPS.
How to Start
- On the AgilePoint Server machine, in a text editor, open the AgilePoint NX Portal configuration file:
(NX Portal configuration folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\config\web.yaml
Procedure
- In web.yaml, change the value of the key httpsenabled to true:
"httpsenabled": true,
- To change the REST URL, find the agilepointserverurl key and change the value so it starts with https://
The REST URL is the URL for your AgilePoint Server instance.
For more information, refer to Find your AgilePoint Server Instance REST URL.
Format:
"agilepointserverurl": "[Your AgilePoint NX Portal URL]/AgilePointServer",
Example:
"agilepointserverurl": "https://myagilepointnxdomain.com:13490/AgilePointServer",
- To change the Portal URL, find the portalurl key and change the value so it starts with https://
The Portal URL represents the AgilePoint Portal Instance URL.
For more information, refer to Find your Portal Instance URL.
Example:
"portalurl": "https://myagilepointnxdomain.com:13490",
- To change the IdP URL, find the idpurl key and change the value so it starts with https://
The value of the IdP URL is the same as the Portal URL, followed by /idp.
Format:
[Your AgilePoint NX Portal URL]/idp
Example:
"idpurl": "https://myagilepointnxdomain.com:13490/idp",
- Save and close the file web.yaml.
- Restart the AgilePoint Server instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal.
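To confirm that no HTTP URL was left behind after the edit, the following PowerShell check reads web.yaml and reports any of the four keys that do not match the rules above. It is an added example, not part of the AgilePoint documentation, and it assumes the keys appear in the "key": value form shown in this procedure.

```powershell
# Added example (not AgilePoint code). Assumes keys appear as "key": value, as shown above.
$ConfigPath = 'C:\Program Files\AgilePoint\AgilePointPortalInstance\config\web.yaml'
$text = Get-Content -Raw -Path $ConfigPath

function Get-ConfigValue([string] $Key) {
    # Returns the value for "Key": "value" or "Key": value, or nothing if the key is absent.
    $pattern = '"' + [regex]::Escape($Key) + '"\s*:\s*"?([^",\r\n]+)'
    if ($text -match $pattern) { $Matches[1].Trim() }
}

$urls = [ordered]@{
    portalurl           = Get-ConfigValue 'portalurl'
    agilepointserverurl = Get-ConfigValue 'agilepointserverurl'
    idpurl              = Get-ConfigValue 'idpurl'
}

$problems = @()
if ((Get-ConfigValue 'httpsenabled') -ne 'true') { $problems += 'httpsenabled is not true' }

# A missing key also fails this test, because an empty value does not match https://*.
foreach ($key in $urls.Keys) {
    if ($urls[$key] -notlike 'https://*') { $problems += "$key does not start with https://" }
}

# The IdP URL must be the Portal URL followed by /idp.
if ($urls.portalurl -and $urls.idpurl -ne "$($urls.portalurl.TrimEnd('/'))/idp") {
    $problems += 'idpurl is not the Portal URL followed by /idp'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'web.yaml: HTTPS is enabled and all three URLs use https://' }
```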
Test the HTTPS AgilePoint NX Portal REST URL
To test the HTTPS AgilePoint NX Portal REST URL, do the procedure in this topic.

Procedure
- Open the HTTPS REST URL for the AgilePoint NX Portal.
Format:
https://[fully qualified domain name]
Example:
https://myagilepointnxdomain.com
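A scripted version of this test, as an added example that is not part of the AgilePoint documentation: Test-PortalTls is a hypothetical helper that completes a TLS handshake and reports the negotiated protocol version and the certificate the portal serves. The host name and port in the last line are the sample values used on this page.

```powershell
# Added example (not AgilePoint code). Test-PortalTls is a hypothetical helper name.
function Test-PortalTls {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [string] $ExpectedThumbprint    # optional: the thumbprint applied to the port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            # Default validation applies: this call throws if the chain is not
            # trusted or the certificate name does not match $HostName.
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

            # Strip spaces and hidden characters from a thumbprint pasted from the MMC dialog.
            $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

            [pscustomobject]@{
                Protocol          = $ssl.SslProtocol      # negotiated version, for example Tls12
                Subject           = $cert.Subject
                NotAfter          = $cert.NotAfter
                DaysLeft          = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Thumbprint        = $cert.Thumbprint
                ThumbprintMatches = if ($expected) { $expected -eq $cert.Thumbprint } else { $null }
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

# Sample values from this page; replace with your own domain and port.
Test-PortalTls -HostName 'myagilepointnxdomain.com' -Port 13490
```

The protocol offered by the client side of this check follows the .NET configuration of the machine it runs on, so run it from a client that represents the systems that will connect to the portal.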
Troubleshoot Issues for AgilePoint NX Portal
After an SSL or TLS certificate is configured, the portal logs one of these errors.
Error Message 1
If the SSL certificate in use was generated with a legacy encryption mechanism, this error shows:
unsupported
AgilePoint strongly recommends that you obtain a new SSL certificate. However, if you still want to support legacy encryption, do this:
- On the AgilePoint Server machine, in a text editor, open this file:
(NX Portal installation folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\windows-service\AgilePointPortalService.exe.config
- Change the value of the arguments key to --openssl-legacy-provider build/index.js.
<add key="arguments" value="--openssl-legacy-provider build/index.js" />
- Restart your AgilePoint Portal instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal.
Error Message 2
If the password specified for the .pfx file is not encrypted, this error shows:
The encrypted data is in an invalid format
To resolve this issue, specify the encrypted password.
For more information, refer to Configure an SSL or TLS Certificate for AgilePoint NX Portal.
Error Message 3
If the password specified for the .pfx file is not correct, this error shows:
Looks like the password provided for the pfx certificate type is not matching. Please check your password and try again
To resolve this issue, specify the correct password.
For more information, refer to Configure an SSL or TLS Certificate for AgilePoint NX Portal.