(Optional) Configure SSL or TLS for AgilePoint Server and AgilePoint NX Portal
To configure AgilePoint Server and AgilePoint NX Portal to use SSL or TLS, do the procedure in this topic.
Background and Setup
Prerequisites
- AgilePoint NX OnPremises or AgilePoint NX PrivateCloud.
- To use secure communication, AgilePoint NX requires an SSL or TLS certificate to be installed for each communication port used for AgilePoint Server on the AgilePoint Server machine.
- A full chain SSL certificate in PFX or PEM format.
- PFX - The file must be in .pfx format and requires a password.
- PEM - In most cases, a PEM certificate consists of two files: a private key file (.pem or .key) and a certificate file (.crt or .pem).
Note: Make sure the SSL certificate chain is complete.
Good to Know
- For security, AgilePoint recommends you use a standard SSL or TLS certificate, and not a self-signed certificate.
- SSL or TLS is required for AgilePoint Server if you use on-premises SharePoint over SSL or TLS.
- AgilePoint NX supports any version of SSL or TLS, but limitations to the versions of SSL or TLS you can use in your environnment may apply based on software or systems outside of AgilePoint NX. The following are examples of restrictions that may apply to the SSL or TLS versions that could apply in your environment. However, the specifc rules depend on your specific configuration:
- AgilePoint
Server relies on the version of SSL or TLS that is configured for
.NET on your AgilePoint Server machine. For example, by default,
.NET 4.7.1 supports TLS 1.2 or higher.
This configuration can be changed, but any downgrade in the supported version of SSL or TLS can result in security risks. For more information, see the documentation from Microsoft.
- Outside services, such as Salesforce, may require certificates with
higher levels (or
specific levels) of SSL or TLS.
You can test your certificate with several third-party, web-based services—for example, https://www.digicert.com/help/
- If you want to connect to mobile apps that use iOS 9 or higher, your certificate must use Apple's App Transport Security standard.
For more information, refer to NSAppTransportSecurity from Apple.
- AgilePoint
Server relies on the version of SSL or TLS that is configured for
.NET on your AgilePoint Server machine. For example, by default,
.NET 4.7.1 supports TLS 1.2 or higher.
- The security protocols supported by third-party technologies are subject to change are the responsibility for the associated vendors. These are subject to change without notice from AgilePoint.
- After you configure AgilePoint Server and AgilePoint NX Portal for TLS or SSL, you also must configure
serveral other components if they are used in your environments.
For more information, refer to:
Add the SSL or TLS Certificate to the AgilePoint NX Installation Path
To add an SSL or TLS certificate to the AgilePoint NX file path, do the procedure in this topic.
Prerequisites
- Important: If your certificate is stored in the Microsoft certificate store, when you export the certificate, select Export all extended properties.
If this option is not selected, the certificate will cause errors.
Procedure
- On the AgilePoint Server machine, add the SSL or TLS certificate (.pfx or .pem) files to this folder:
(NX Portal installation folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\Certificates
Enable SSL or TLS in AgilePoint Server Manager
To enable the SSL Settings in AgilePoint Server Manager, do the procedure in this topic.
How to Start
- On the AgilePoint Server machine, in Windows Explorer, right-click the file (AgilePoint Server installation folder) C:\Program Files\AgilePoint\AgilePoint Server\WCFConfigurationUtility.exe, and click Run as Administrator.
Procedure
- On the AgilePoint Server Manager, select your AgilePoint Windows Service instance.
- On the Networking tab, in the SSL Settings section, turn on Use Secure Connection (SSL).
- In the Domain field, enter the common name or domain name for your SSL certificate.
- Restart your AgilePoint Server instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal
Bind an SSL or TLS Certificate to an AgilePoint Server Port
To bind an SSL or TLS certificate to an AgilePoint Server port, do the procedure in this topic.
Prerequisites
- The numbers for the ports you use for binding in AgilePoint Server. You can find these in AgilePoint Server Manager.
Procedure
- In a command prompt, enter mmc.
- On the Console Root screen, click File > Add/Remove Snap-in.
- On the Add or Remove Snap-ins screen, select Certificates, and click Add.
- On the Certificates snap-in screen, click Computer account.
- On the Select Computer screen, click Local computer.
- Click Finish.
- On the Selected snap-ins section, click Certificates (Local Computer).
- Click Ok.
- Click Certificates (Local Computer) > Personal.
- Right-click on the Certicates and select All Task > Import.
- On the Certificates Import wizard, click the Next button.
- In the File name field, browse your SSL certificate.
- Click Next.
- On the Private key protection screen, in the Password field, enter the password for the private key.
This screen shows only when the private key is secured with password.
- On the Certificate Store screen, select Place all certicates in the following store.
- In the Certificate Store field, click the Browse button, and select Personal.
- Click Next.
- Click Finish.
- On the Console Root screen, double-click on the imported SSL certificate.
- On the Certificate screen, click the Details tab.
- In the Show field, select ALL.
- Select Thumbprint.
- Copy the value of the thumbprint.
- In a command prompt, enter the following command:
netsh http add sslcert ipport=0.0.0.0:portnumber certhash=SSL-Certifcate-thumbprint-value-without-spaces appid={c929c857-e10a-48c4-b123-5713faba528e}
- Restart your AgilePoint Server instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal
Configure SSL or TLS for AgilePoint NX Portal
To configure an SSL or TLS certificate for an AgilePoint NX Portal port, do the procedure in this topic.
Procedure
- On the AgilePoint Server machine, in a text editor, open the AgilePoint NX Portal configuration file:
(NX Portal configuration folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\config\web.yaml
- Do one of these, depending upon your SSL or TLS certificate format:
- PFX certificate:
- Encrypt the password:
- On the AgilePoint Server machine, open this folder:
(NX Portal installation folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\tools\windows
- Right-click the file encrypt.bat, and click Run as administrator.
- In the command prompt, enter the password for the .pfx file.
- Click Enter.
The encrypted password opens in the default text editor, usually Notepad.
- On the AgilePoint Server machine, open this folder:
- In the key pfx, enter the path and file name for your PFX certificate.
Example:
"pfx": "Certificates/mycertificate.pfx",
- In the the key pfxpassword, enter the encrypted password.
Example:
"pfxpassword": "658df8cbceb7499d245df32158dcf3aa83ce3558589sw2547f36d5",
- Encrypt the password:
- PEM certificate:
- In the key sslkey, enter the path and file name
of the private key file.
The file name has the extension .pem or .key.
Example:
"sslkey": "Certificates/key.pem",
- In the key sslcert, enter the path and file name
of the the certificate file.
The file name has the extension .crt or .pem.
Example:
"sslcert": "Certificates/cert.pem",
- In the key sslkey, enter the path and file name
of the private key file.
The file name has the extension .pem or .key.
- PFX certificate:
- Change the value of the key httpsenabled to true:
"httpsenabled": true,
- To change the REST URL, find the agilepointserverurl key and change the value
so it starts with https://
The REST URL is the URL for your AgilePoint Server instance.
For more information, refer to Find your AgilePoint Server Instance REST URL.
Format:
"agilepointserverurl": "[Your AgilePoint NX Portal URL]/AgilePointServer",
Example:
"agilepointserverurl": "https://myagilepointnxdomain.com:13490/AgilePointServer",
- To change the Portal URL, find the portalurl key, change the value so it starts with https://
The Portal URL represents the AgilePoint Portal Instance URL.
For more information, refer to Find your Portal Instance URL.
Example:
"portalurl": "https://myagilepointnxdomain.com:13490",
- To change the IdP URL, find the idpurl key and change the value so it starts with https://
The value of the IdP URL is the same as the Portal URL, followed by /idp.
Format:
[Your AgilePoint NX Portal URL]/idp
Example:
"idpurl": "https://myagilepointnxdomain.com:13490/idp",
- Save and close the file web.yaml.
- Restart your AgilePoint Portal instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal
Test the HTTPS AgilePoint NX Portal REST URL
To test the HTTPS AgilePoint NX Portal REST URL, do the procedure in this topic.
Procedure
- Open HTTPS REST URL for the AgilePoint NX Portal.
Format:
https://[fully qualified domain name]
Example:
https://myagilepointnxdomain.com
Troubleshoot Issues for AgilePoint NX Portal
After an SSL or TLS certificate is configured, the portal logs one of these errors.
Error Message 1
If the SSL certificate in use was generated with a legacy encryption mechanism, this error shows:
unsupported
AgilePoint strongly recommends to obtain a new SSL certificate. However, if you still want to support legacy encryption, do these:
- On the AgilePoint Server machine, in a text editor, open this file:
(NX Portal installation folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\windows-service\AgilePointPortalService.exe.config
- Change the value of the arguments key to --openssl-legacy-provider build/index.js.
<add key="arguments" value="--openssl-legacy-provider build/index.js" />
- Restart your AgilePoint Portal instance.
For more information, refer to Restarting AgilePoint Server and AgilePoint Portal
Error Message 2
If the password specified for the .pfx file is not encrypted, this error shows:
The encrypted data is in an invalid format
To resolve this issue, specify the encrypted password.
For more information, refer to Configure SSL or TLS for AgilePoint NX Portal.
Error Message 3
If the password specified for the .pfx file is not correct, this error shows:
Looks like the password provided for the pfx certificate type is not matching. Please check your password and try again
To resolve this issue, specify the correct password.
For more information, refer to Configure SSL or TLS for AgilePoint NX Portal.