My complete steps for setting up IW SSL app, using http.sys
#1
My Steps for getting IW SSL application working (using http.sys)

I recently updated to IW 15 Ultimate, for the purposes of transitioning my app to SSL.  It was actually easier than I expected.  After reading many posts in the forums, especially some helpful ones from Jose Nilton Pace, as well as Daniel, I decided to go with using http.sys, instead of the usual Indy version.  From what I can tell, it was a good decision, and easier.

(as an aside - I really think AtoZed should provide definitive instructions for doing this with their software.  Someone else recently asked for official AtoZed instructions for this in the forums, and the AtoZed response was to go read threads and posts that their other *customers* had written.  The end result is, to learn how to do something new, you have to go searching and reading dozens of scattered posts and tidbits here and there, some old, some new, some accurate and some not, from other customers on this forum and users around the 'net.
It would make a lot more sense if there was a central help document, written and sanctioned by AtoZed.
All that being said, I'm still very appreciative of AtoZed for making all this *work*! …)


MY DETAILS:
IW version:  IW15 Ultimate  (I currently have v 15.1.7)
IW application type:  Standalone, HTTP.SYS
Delphi IDE:  Delphi 2010
Hosting server:  Windows Server 2012 R2
IIS version (only used for installing certificate):  IIS 8


GENERATE YOUR CSR  (certificate request)
On your server, start IIS Manager.  (Only use IIS for dealing with certificate; after that, you don't need it.)
Go into ‘Server Certificates’.
On the right, click ‘Create Certificate request’, and fill out the required info.  For Common name, you’ll need to put the exact domain name that will be used for accessing your application.  Mine was: weblogin.mydomain.com.  
For Cryptographic service, use: Microsoft RSA SChannel…   For bit length, use: 2048
Then specify a filename for your CSR and save it.


GET YOUR SSL CERTIFICATE
You can get certificates from many places, including a free one from Let's Encrypt.  I used SSL.com and just got their most basic certificate, which is about $40-$45 USD or so per year, depending on how many years you buy it for.  After that, I think you just have to renew it once per year or so.
During the purchase process, they’ll ask you to input the CSR you generated in the above step, so you can simply cut and paste the contents of the CSR.
SSL.com will also need to validate that you are in fact the owner of the domain for the certificate; there are several methods of doing this.  I chose to simply have them send an email to me at admin@mydomain.com, which has a special link in it, which you use to confirm you received the email and therefore that you have control over the domain name.   Somewhere in this process, you also specify which type of server you’re using, so that they can give you the appropriate type of certificate.  Obviously the server type is IIS.
At the end, they will email you the certificate bundle, which contains a zip file, which contains the certificate as a .p7b file.  You can also download the certificate from their site, in other formats if needed.

Upload your certificate (.p7b file) to your server.
Then go back into IIS Manager on your server, go back into Server Certificates, and on the right click ‘Complete certificate request’.  Select the .p7b file that you just recently uploaded.  If you use the Open dialog, it seems to be looking for a *.cer file, but I simply changed it to *.* and selected my .p7b file.  Give it a friendly name, leave certificate store set to ‘personal’, and click OK.  It should then add your Cert to the list.
You are now DONE with IIS, so close it out.


BIND YOUR CERTIFICATE TO YOUR PORT NUMBER
Start Powershell.  I think you need it running as Administrator.  You can simply start a command prompt, then type:  powershell.
Type:
dir cert:\localmachine\my
It should list your certificate, and its Thumbprint.

Then run this powershell code, substituting your own thumbprint:
Code:
$guid = [guid]::NewGuid()
$certHash = "89C38E9AD6455F9A8782DD29CE089074C57311ED"  #  <-- Put in your own Thumbprint here!
# appid can be any GUID; http.sys only uses it to tag which application owns the binding.
"http add sslcert ipport=0.0.0.0:443 certhash=$certHash appid={$guid} certstore=my" | netsh
To be able to copy and paste within the PowerShell window (so you can copy and paste your thumbprint), on the command prompt window menu, choose Properties / Options and enable 'Quick edit mode'.
Also, if you want a DIFFERENT port number than 443, then obviously change that in the above code.  I used 443, as it is the default port for HTTPS.
Running that code should add your binding.
To verify, you can then type:   "http show sslcert" | netsh

…and it should show your binding listing.
Also, if using a firewall, don't forget to allow traffic on port 443, or whatever port you want to use.


THEN IN DELPHI…

In your project file, change:
IWStart  —>   IWStartHsys
TIWStart.execute(false)   —>   TIWStartHsys.execute(false)    (the false means it's going to be a service; set to true for a GUI)

On your servercontroller, set:
SSLOptions -> Port  to 443, or whatever port you want to use
SSLOptions -> NonSSLRequest  to nsRedirect   (assuming you want to force everything to HTTPS)

That's about all I did, and it worked.  There are some other settings on the ServerController you can tweak if needed, but I haven't monkeyed with those yet.
For local development and testing, where you probably don't have a certificate, you can of course use some compiler conditionals (or other means) to easily switch back and forth between local development mode (non-SSL) and server mode (SSL).
That's all, folks.  Hope this helps.
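The "bind your certificate to your port number" and "verify" steps above, as an added PowerShell example that is not from the original post or from AtoZed. It does the same thing as the post's netsh one-liner but adds the checks a practitioner would want before trusting the binding: that the shell is elevated, that the certificate found by name actually has a private key and is within its validity window, that the chain builds on this server (a .p7b that imported fine can still be missing an intermediate), that any stale binding on the port is replaced so the script is safe to re-run, and that the firewall rule exists. The DNS name and port are assumptions; substitute your own, as the post does with its thumbprint.

```powershell
# Added example (not from the original post): locate, sanity-check, and bind the
# site certificate to the HTTPS port for an http.sys (IWStartHsys) application.
# Assumed values; change them for your site:
$DnsName = 'weblogin.mydomain.com'   # assumption: the Common Name you put in the CSR
$Port    = 443                       # assumption: the port set in SSLOptions -> Port

# 0. netsh http add sslcert needs an elevated shell; fail early instead of with a cryptic error.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell.'
}

# 1. Find the certificate in the machine's Personal store (Cert:\LocalMachine\My) by
#    subject CN or SAN entry. Require a private key (the CSR/complete-request pairing
#    worked) and a current validity window; if several match, take the newest.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (($_.Subject -match "CN=$([regex]::Escape($DnsName))") -or
         ($_.DnsNameList.Unicode -contains $DnsName))
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key for $DnsName in Cert:\LocalMachine\My. Did 'Complete certificate request' succeed?"
}
Write-Host "Using $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 2. Check that the chain builds for SSL use with this host name. A missing
#    intermediate shows up here rather than later as a browser trust error.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue)) {
    Write-Warning "Chain/usage check failed for $($cert.Thumbprint); clients may see a trust error."
}

# 3. Replace any existing binding on this ip:port so re-running the script is safe.
#    (netsh output is localized; 'Certificate Hash' is the English label.)
$ipport   = "0.0.0.0:$Port"
$existing = netsh http show sslcert ipport=$ipport 2>$null
if ($existing -match 'Certificate Hash') {
    Write-Host "Removing existing binding on $ipport"
    netsh http delete sslcert ipport=$ipport | Out-Null
}

# 4. Bind. appid is any GUID; http.sys only uses it to tag the binding's owner.
#    Note $($cert.Thumbprint): without the subexpression, PowerShell would expand
#    $cert to its string form and pass ".Thumbprint" literally.
$appId = [guid]::NewGuid()
netsh http add sslcert ipport=$ipport "certhash=$($cert.Thumbprint)" "appid={$appId}" certstore=my
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# 5. Allow the port through Windows Firewall if no rule for it exists yet.
$ruleName = "IntraWeb HTTPS $Port"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Allow | Out-Null
}

# 6. Show the resulting binding (same check as the post's "http show sslcert").
netsh http show sslcert ipport=$ipport
```

This calls netsh directly rather than piping a command string into it, which is the same operation but lets `$LASTEXITCODE` be checked. Run it again after renewing the certificate: step 1 picks up the newest valid certificate and step 3 swaps the binding, so the application itself does not need to change.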
#2
Thanks!

