Enabling HTTPS

By default, communication with the RESTful web server is not encrypted. By setting up an HTTPS server, the server can enforce secure connections between client and server on an SSL channel. Steps to configure IIS Express to host an HTTPS server are outlined in the sections below.

Requirements

  • To enable HTTPS, you must install a trusted certificate issued by a certificate authority OR a self-signed certificate used for development testing. The procedures detailed below cover how to install a self-signed server certificate.

  • To install a CA (Certificate Authority) signed server certificate, go to Microsoft's TechNet Install a Server Certificate website. If you enable HTTPS and are using a self-signed certificate, you MUST install the self-signed certificate.

Overview

The following high-level steps are covered on this page.

  1. Obtain a certificate (we will use a self-signed certificate in this documentation).

  2. Install the certificate.

  3. Configure IIS with HTTPS.

  4. Restart Metadefender REST service.

Generating a self-signed certificate

Windows 8.1, Windows 2012, or newer

  1. Open PowerShell as administrator.

  2. Run New-SelfSignedCertificate -DnsName {DNS_NAME} -CertStoreLocation Cert:\LocalMachine\My\

    1. Replace {DNS_NAME} with the DNS name of your server.

Windows 7 or Windows 2008

  1. Download Microsoft Windows SDK for Windows 7 and .NET Framework 4.

  2. You only need to install .NET Development → Tools.

  3. From an administrator command line, navigate to the SDK install directory and run makecert.exe:

    1. cd "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\x64"

    2. makecert.exe -n "CN={DNS_NAME}" -a sha256 -sr LocalMachine -ss MY -r

    3. Replace {DNS_NAME} with the DNS name of your server.

On either Windows version, retrieve the certificate hash:

  1. From a command prompt, run certutil -store MY

  2. Copy the Cert Hash from the certificate that has Issuer: CN={DNS_NAME}. Edit the hash so that it does not have spaces (e.g., ef8a0fc5620b621a54fb367f1e7ee45e1ba6d006).

Install Certificate

  1. Create a new GUID at https://www.guidgenerator.com/online-guid-generator.aspx (e.g., {CDA52389-5954-44C2-8CF0-38062D1572F8}).

  2. Open a command prompt.

  3. Run the following command:

    netsh http add sslcert ipport=0.0.0.0:443 appid={<guid retrieved from previous step>} certhash=<certificate thumbprint retrieved from previous step>
  4. Confirm that the SSL certificate was added successfully (netsh reports "SSL Certificate successfully added").
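The certificate generation, thumbprint lookup and netsh binding steps above can be scripted in one elevated PowerShell session. This is an added example, not OPSWAT's own script; the DNS name is a placeholder, and the GUID is generated locally instead of on a website.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on Windows 8.1 / Server 2012 or newer.
$dnsName = 'metadefender.example.test'   # placeholder: use your server's DNS name
$ipPort  = '0.0.0.0:443'                 # same ipport as in the netsh step above

# 1. Create the self-signed certificate in the LocalMachine\My store.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Thumbprint is the "Cert Hash" that certutil prints, already without spaces.
$thumbprint = $cert.Thumbprint
if ($thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
    throw "Unexpected thumbprint format: '$thumbprint'"
}

# 3. Generate the appid GUID locally; format 'B' includes the braces.
$appId = [guid]::NewGuid().ToString('B')

# 4. Stop if some certificate hash is already bound to this ip:port, so an
#    existing binding is reviewed rather than silently replaced.
$existing = netsh http show sslcert "ipport=$ipPort" | Out-String
if ($existing -match '[0-9A-Fa-f]{40}') {
    throw "An SSL certificate is already bound to $ipPort; review it first."
}

# 5. Bind the certificate. Each argument is a quoted string so PowerShell does
#    not parse the braces around the GUID as a script block.
netsh http add sslcert "ipport=$ipPort" "certhash=$thumbprint" "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE"
}

# 6. Confirm that the binding now references the new certificate.
$binding = netsh http show sslcert "ipport=$ipPort" | Out-String
if ($binding -notmatch [regex]::Escape($thumbprint)) {
    throw "Binding for $ipPort does not reference thumbprint $thumbprint"
}
Write-Output "Bound $thumbprint to $ipPort with appid $appId"
```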

Enabling HTTPS on IIS Express

The following procedure enables HTTPS on IIS Express.

  1. Open the <Metadefender Core installation directory>\REST\Config folder (e.g., C:\Program Files (x86)\OPSWAT\Metadefender Core X\REST\Config).

  2. Open the applicationhost.config file in a text editor.

  3. Go to the <sites> tag and add the HTTPS binding to the metascan_rest website as shown in the example below. The HTTPS port cannot be in use by any other application.

    Original

    <bindings>
      <!--<binding protocol="http" bindingInformation="*:80:localhost" />-->
      <binding protocol="http" bindingInformation=":8008:"/>
    </bindings>

    New

    <bindings>
      <!--<binding protocol="http" bindingInformation="*:80:localhost" />-->
      <binding protocol="https" bindingInformation=":443:"/>
      <binding protocol="http" bindingInformation=":8008:"/>
    </bindings>

  4. Optionally, to keep REST HTTPS only, remove the <binding protocol="http" bindingInformation=":8008:" /> line from applicationhost.config.

  5. Save and close the ‘applicationhost.config’ file.

  6. Navigate to the Quarantine folder (by default, this is C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metascan Quarantine).

  7. Open Metadefender.Quarantine.Service.exe.config in a text editor and change the following section, leaving the *DNS_or_IP* value as it is in the original.

    Original

    <setting name="RestBaseUrl" serializeAs="String">
      <value>http://*DNS_or_IP*:8000</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
      <value>http://*DNS_or_IP*:8000</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
      <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
      <value>http://*DNS_or_IP*:8008/metascan_rest/</value>
    </setting>
    <setting name="WebBaseUrl" serializeAs="String">
      <value>http://*DNS_or_IP*:8008/management/#</value>
    </setting>

    New

    <setting name="RestBaseUrl" serializeAs="String">
      <value>https://*DNS_or_IP*</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
      <value>https://*DNS_or_IP*</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
      <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
      <value>https://*DNS_or_IP*/metascan_rest/</value>
    </setting>
    <setting name="WebBaseUrl" serializeAs="String">
      <value>https://*DNS_or_IP*/management/#</value>
    </setting>

  8. Navigate to the Metadefender Mail agent folder (by default, this is C:\Program Files (x86)\OPSWAT\Metadefender Core X\Metadefender Mail Agent).

  9. Open C:\Program Files (x86)\OPSWAT\Metadefender Core 4\Metadefender Mail Agent in a text editor and change the following section, replacing *DNS_or_IP* with your server's real DNS hostname or IP address.

    Original

    <setting name="RestBaseUrl" serializeAs="String">
      <value>http://*DNS_or_IP*:8000</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
      <value>http://*DNS_or_IP*:8000</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
      <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
      <value>http://*DNS_or_IP*:8008/metascan_rest</value>
    </setting>

    New

    <setting name="RestBaseUrl" serializeAs="String">
      <value>https://*DNS_or_IP*</value>
    </setting>
    <setting name="QuarantineBaseUrl" serializeAs="String">
      <value>https://*DNS_or_IP*</value>
    </setting>
    <setting name="QuarantineProtocol" serializeAs="String">
      <value>REST</value>
    </setting>
    <setting name="MetascanUrl" serializeAs="String">
      <value>https://*DNS_or_IP*/metascan_rest</value>
    </setting>

  10. Stop Metadefender Quarantine Service, Metascan Rest Service, and Metadefender Generic Mail Agent

  11. Start Metascan Rest Service then Metadefender Quarantine Service and Metadefender Generic Mail Agent

  12. Test that the site works by going to https://localhost. The browser should display a certificate warning page, because the self-signed certificate is not yet trusted.

  13. Click Continue to this website.
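After the configuration edits above, the files can be checked for leftover plain-HTTP bindings and URLs before the services are restarted. This is an added example, not part of the product; the function names are hypothetical, and the root path uses the page's "Core X" placeholder, which must be adjusted to the installed version.

```powershell
# Added example (not from the original page). Reads the config files only;
# it does not modify them.
$root          = 'C:\Program Files (x86)\OPSWAT\Metadefender Core X'   # placeholder path
$appHost       = Join-Path $root 'REST\Config\applicationhost.config'
$quarantineCfg = Join-Path $root 'Metascan Quarantine\Metadefender.Quarantine.Service.exe.config'

function Get-SiteBinding {
    param([string]$Path, [string]$SiteName)
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    # Commented-out bindings are XML comments, so this XPath skips them.
    $xml.SelectNodes("//sites/site[@name='$SiteName']/bindings/binding") |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.GetAttribute('protocol')
                Binding  = $_.GetAttribute('bindingInformation')
            }
        }
}

function Get-PlainHttpSetting {
    param([string]$Path)
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    foreach ($setting in $xml.SelectNodes('//setting[value]')) {
        $value = $setting.SelectSingleNode('value').InnerText.Trim()
        if ($value -match '^http://') {
            [pscustomobject]@{ Name = $setting.GetAttribute('name'); Value = $value }
        }
    }
}

$bindings = @(Get-SiteBinding -Path $appHost -SiteName 'metascan_rest')
if (-not ($bindings | Where-Object { $_.Protocol -eq 'https' })) {
    Write-Warning 'metascan_rest has no https binding.'
}
$bindings | Where-Object { $_.Protocol -eq 'http' } | ForEach-Object {
    Write-Warning "Plain HTTP binding still present: $($_.Binding) (see optional step 4)"
}
Get-PlainHttpSetting -Path $quarantineCfg | ForEach-Object {
    Write-Warning "$($_.Name) still uses $($_.Value)"
}
```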

Trusting local or remote self signed security certificate

If you are using this guide on the local computer, you should access and install the certificate from the DNS address (e.g., https://frosty7c).

  1. Open Internet Explorer and access the Core dashboard (e.g., https://frosty7c).

  2. Click Continue to this website.

  3. Click Certificate error.

  4. Click View certificates.

  5. Click Install Certificate...

  6. Select either Current User or Local Machine and click Next.

  7. Select "Place all certificates in the following store" and click Browse.

  8. Select "Trusted Root Certification Authorities" and click OK.

  9. Select Next, then select Finish.

  10. Restart Internet Explorer and navigate to the same page again.

  11. You should now see a locked padlock instead of the certificate error.

  12. Run certmgr.msc.

  13. Select Trusted Root Certification Authorities → Certificates.

  14. Right-click the DNS name → All Tasks → Export.

  15. Click Next → Next → Browse.

  16. Choose anywhere to save the certificate and click Save.

  17. Click Next → Finish.

  18. Run mmc.

  19. File → Add/Remove Snap-in.

  20. Select Certificates and click Add.

  21. Select Computer account and click Next.

  22. Click Finish, then click OK.

  23. Select Trusted Root Certification Authorities → Certificates.

  24. Right-click Certificates → All Tasks → Import.

  25. Click Next.

  26. Select the file you created previously.

  27. Click Next → Next → Finish.
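
The export and import steps above have a PowerShell equivalent that also compares the thumbprint before the certificate is trusted and then confirms that a TLS handshake validates. This is an added example, not OPSWAT's own script; the function names and the output path are hypothetical, and it requires the PKI module (Windows 8.1 / Server 2012 or newer) in an elevated session.

```powershell
# Added example (not from the original page).
function Export-ServerPublicCert {
    param([string]$DnsName, [string]$CerPath)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$DnsName in LocalMachine\My" }
    # -Type CERT writes only the public certificate; the private key stays on the server.
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
    return $cert.Thumbprint
}

function Import-PinnedRootCert {
    param([string]$CerPath, [string]$ExpectedThumbprint)
    $candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    # Compare with the thumbprint noted on the server before trusting the file.
    if ($candidate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch ($($candidate.Thumbprint)); certificate not imported."
    }
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

function Test-TlsTrust {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws if chain or name validation fails
        return $true
    } catch {
        Write-Warning "TLS validation failed: $($_.Exception.Message)"
        return $false
    } finally {
        $tcp.Close()
    }
}

# Local-computer case, using the page's example host name.
$dns   = 'frosty7c'
$cer   = Join-Path $env:TEMP "$dns.cer"   # assumed output location
$thumb = Export-ServerPublicCert -DnsName $dns -CerPath $cer
Import-PinnedRootCert -CerPath $cer -ExpectedThumbprint $thumb
if (-not (Test-TlsTrust -HostName $dns)) { throw "Certificate for $dns is still not trusted." }
```

For a remote client, copy the .cer file over and pass the thumbprint noted on the server to Import-PinnedRootCert on that client.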