SSL is a protocol that secures network communication. Part of this protocol is using certificates to establish a trust relationship between two systems. There are multiple places where you may need to install a certificate to establish a trust relationship.
- Intranet Connections calls itself to run the scheduled tasks. If your Intranet is set to only allow HTTPS access, you will need to install your site's certificate.
- You can optionally choose to connect to your Active Directory server using LDAPS. To enable this connection, you will need to install your Active Directory's certificate.
- You are connecting to an Exchange Server using HTTPS to pull a shared calendar. To enable this connection, you will need to install your Exchange Server's certificate.
In This Article
Step 1: Install SSL Certificate in IIS
Step 2: Update Java files for Lucee (Only Applicable to Lucee)
Step 3: Install SSL Certificate in Lucee (or Railo)
Step 4: Configure Stats Application
Step 1: Install SSL Certificate in IIS
Download the Certificate
Using a browser of your choice, navigate using HTTPS to the resource you want to connect to and download the certificate.
Microsoft Edge
- Navigate using HTTPS to the resource you want to connect to
- Right click on the page and choose Properties
- Click on Certificates
- Click Details tab
- Click Copy to File
- Choose the format DER encoded binary X.509 (.CER)
- Choose a file name and download
Chrome
- Navigate using HTTPS to the resource you want to connect to
- Click on the Lock icon in the address bar and choose Connection tab
- Click Certificate Information
- Click Details tab.
- Click Copy to File
- Choose the format DER encoded binary X.509 (.CER)
- Choose a file name and download
Install the Certificate into IIS
Install the certificate into IIS (refer to the article IIS 7 SSL Certificate Installation)
- Open IIS
- Under Connections, click the server’s name
- In the main pane, double-click Server Certificates
- Under Actions, click Complete Certificate Request
- Click the … to the right of File name containing the certification authority’s response and select the .cer file that you have stored. Specify a friendly name (to remember). Click OK
Add Bindings
- In IIS, under Connections, expand the server name and sites. Select the site for your intranet
- Under Actions, click Bindings
- Click Add. For Type, choose https. For port, choose 443. For SSL, choose the certificate you added. Click OK
Step 2: Update Java files for Lucee (Only Applicable to Lucee)
(Only for older installations of Lucee 4.5.x, not required for Lucee 5.3.x)
- Download the Lucee update zip file and unzip it
- Back up the Lucee library directory (standard locations are C:\Lucee\Lib or C:\sqbox\lucee\lib)
- Stop the Lucee service
- Copy the files from the unzipped download to C:\Lucee\Lib or C:\sqbox\lucee\lib and select to overwrite the existing files
- Restart the Lucee service
Step 3: Install SSL Certificate in Lucee (or Railo)
Install certificate into Lucee. You can use the Lucee Server Console to import the SSL certificate into Lucee. The steps are the same for Railo; differences are noted.
- Navigate to the Lucee Server Administrator by going to HTTP://INTRANETPATH/Lucee/admin/server.cfm or HTTP://INTRANETPATH/railo-context/admin/server.cfm for Railo (e.g. http://intranet.
- Please contact Support for the default password
- Choose SSL Certificates under Services
- Enter the host name of your Server (example: Domain controller, Exchange server, SMTP, etc.) that you are trying to connect to. The default is port 443 for the intranet site, and 636 for LDAPS.
- Click install
- A reboot of the intranet server will be required to complete the change
- Additionally, if you're on 14.5.8 or higher, follow the steps here to install the web services certificate if you haven't already
- Navigate to the Intranet using HTTPS, go to Admin > Setup and click Update Locations at the bottom of the screen
- If you're not seeing the option to Update Locations, compare the URL you're using to access the site with the Web Location path under Admin > Setup. If they match, the option does not appear because the site has already been set to use HTTPS.
Step 4: Configure Stats Application
For versions 14.0+, you'll need to do some additional configuration to ensure that the stats application is still updating after changing the site to use HTTPS.
- Make a copy of the schedule.json file, the default location is: C:\inetpub\wwwroot\TaskManager\Config\schedule.json.
- In the copy of the file, change the value of both basepath entries to use https instead of http.
- Replace the original file with the modified file.
- After making the change, wait a full day and check the stats on the site to ensure it is updating.
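One way to script the Step 4 edit, shown as an added example that is not Intranet Connections' own code. It keeps a timestamped copy of the original, changes only basepath values that still start with http://, and refuses to write a file that no longer parses as JSON. It assumes the file is UTF-8 JSON with keys literally named basepath; the function name, sample layout and host name are constructed.

```powershell
# Added example, not vendor code. Only the "basepath" key name and the
# http -> https change come from the article; everything else is assumed.
function Update-ScheduleBasePath {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path
    $raw  = [System.IO.File]::ReadAllText($full)
    # Match only basepath values that still begin with http://
    $pattern = '(?i)("basepath"\s*:\s*")http://'
    $hits = [regex]::Matches($raw, $pattern).Count
    if ($hits -eq 0) { return 0 }          # already https, nothing to do

    $updated = [regex]::Replace($raw, $pattern, '${1}https://')
    # Stop here if the edited text is not valid JSON
    $null = $updated | ConvertFrom-Json -ErrorAction Stop

    # Keep the original beside the file before overwriting it
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $full, (Get-Date)
    Copy-Item -LiteralPath $full -Destination $backup
    $utf8NoBom = New-Object System.Text.UTF8Encoding $false
    [System.IO.File]::WriteAllText($full, $updated, $utf8NoBom)
    return $hits
}

# Constructed sample so the function can be tried away from the live file
$sample = Join-Path $env:TEMP 'schedule-sample.json'
@'
{ "tasks": [
  { "name": "stats",   "basepath": "http://intranet.example.local/" },
  { "name": "cleanup", "basepath": "http://intranet.example.local/" }
] }
'@ | Set-Content -LiteralPath $sample

$changed = Update-ScheduleBasePath -Path $sample
# The article says there are two basepath values; anything else needs a look
if ($changed -ne 2) { Write-Warning "Expected 2 basepath values, changed $changed" }
Get-Content -LiteralPath $sample
```

Running the function a second time returns 0 and leaves the file untouched, so it is safe to re-run after an upgrade.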
Step 5: HTTP to HTTPS Redirect (optional)
You may want to do this step if you want to force users to HTTPS to ensure that they access the intranet securely.
You can force users to HTTPS through the IIS interface or by editing the web.config file.
Option 1. IIS interface
- Ensure you can access your Intranet with both HTTP and HTTPS
- Install SSL certificate in IIS
- In IIS, click on your site and then click Bindings on the right. Ensure both port 80 and 443 are set up.
- In IIS double click SSL Settings and ensure ‘Require SSL’ is not checked
- Install URL rewrite module, if not already installed - see Microsoft's URL Rewrite page
- Create URL rewrite rule:
- Provide a name for your rule
- Click add rule(s)…
- Click Blank Rule under Inbound rules and click OK
- Change dropdown in Using to Wildcards
- Pattern should be * (asterisk)
- Ignore case should be checked
- Under Conditions select Match Any in Logical grouping
- Click Add
- In Condition input start typing {HTTPS} and find {HTTPS} in the dropdown
- Check if input string should be Matches the Pattern
- Pattern should be off
- Under Action, set the type to redirect
- Type ‘https://{HTTP_HOST}{REQUEST_URI}’ in the redirect URL
- Ensure Append query string is checked
- Set Redirect type to Found (302)
- Click Apply
Option 2. Editing the Web.config file:
You can simply add a piece of code to the web.config file found in C:\inetpub\wwwroot
Take a backup of the existing web.config file
If the web.config file has a section, then add the following code between the <rules> and </rules> tags. If not, reach out to support for help.
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
Step 6: Update Web Location
- Log into IIS Manager
- Expand the left column and click on your site
- Click on Bindings on the far right and ensure that the binding for https exists and has the correct port number
- Clear your browser cache and cookies
- Log into the intranet using the new URL (https) as an administrator (e.g. kellybristow / password)
Note: If you're unable to access your intranet, check the URL. Sometimes the http URL will be placed back into the address bar after you enter your credentials to log in. You can manually remove this from the URL and access the site. This should not happen after Update Locations has been completed. If you log in and get redirected to the http path, type in your base URL and add this text to go directly to the admin setup page: admin/sitesettings/site_settings.cfm?tabidx=1 (e.g. https://sqintranet.sqbox.com/admin/sitesettings/site_settings.cfm?tabidx=1).
- Click Admin
- At the bottom of the page is the Web Location. If the https URL is different from the current Web Location, you will see warning text in red displaying the https and http URLs.
- Click the Update Locations button to update the intranet to use the https URL.
Troubleshooting
After implementing your SSL certificate, or updating from an existing one, try testing the connection. If the connection fails, try restarting your webserver. If you make any further updates to your certificates with the troubleshooting steps below, please try restarting your webserver once more.
Sometimes, you may notice that the certificate disappears after enabling SSL. To ensure the certificate stays, you can install the certificate into the Java runtime environment.
- Start a command prompt with run as administrator on the intranet server
- Type ‘set IC_JAVA_HOME’ to get the path set by this environment variable.
- Restart the Lucee or Railo Server service and the IIS Server
- Back up the cacerts file located under %IC_JAVA_HOME%\lib\security as precaution.
- If you're running Railo 4.2.1, go to C:\Railo\bin
- If you're running Lucee 4.5, go to C:\Lucee\bin or C:\sqbox\lucee\jdk\bin
If the steps above do not work, you can use the keytool utility to do that.
Troubleshooting with Keytool
The steps included below are not specific to the Intranet software as the Java Keytool is used by other Apache Tomcat applications.
All bolded items below should be modified based on the paths on your webserver, as well as any desired alias names that you would like to choose to make things easier if you have multiple aliases.
The default password for the cacerts file is: changeit
- Navigate to the directory %IC_JAVA_HOME%\bin which should contain the keytool executable.
- Export the certificate (adjust paths as needed)
- keytool -list -v -storepass changeit -keystore C:\lucee\lib\lucee-server\context\security\cacerts > c:\cacertlist.txt
- Once you export the file, review it and identify the aliases of all certs so you can delete them.
- With the aliases, you can run this command to delete them. (You may need to adjust the lucee install location referenced in the path below)
- keytool -delete -alias LDAPS -storepass changeit -keystore C:\lucee\lib\lucee-server\context\security\cacerts
- Confirm the certificates were deleted by exporting the cert list again.
- Go to Lucee Server admin > SSL Certificates and reimport the certs necessary for the website, the domain controller, etc.
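To make the review of the exported list less error-prone, the following added example (not part of the original article or the vendor's tooling) turns `keytool -list -v` output into objects so each alias can be matched to its subject, expiry and fingerprint before it is deleted, and checked again afterwards. It assumes English keytool output; the function name, host names and shortened fingerprints in the sample are constructed.

```powershell
# Added example, not vendor code: summarize `keytool -list -v` output so the
# aliases to delete are chosen by subject and fingerprint.
function Get-KeytoolEntry {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            '^Alias name:\s*(.+)$' {
                if ($null -ne $entry) { [pscustomobject]$entry }   # emit previous entry
                $entry = [ordered]@{ Alias = $Matches[1]; Type = ''; Owner = ''; ValidUntil = ''; SHA256 = '' }
            }
            '^Entry type:\s*(.+)$' { if ($null -ne $entry) { $entry.Type = $Matches[1] } }
            # A chain lists several certificates; keep the first one (the leaf)
            '^Owner:\s*(.+)$'   { if ($null -ne $entry -and -not $entry.Owner)      { $entry.Owner = $Matches[1] } }
            '\suntil:\s*(.+)$'  { if ($null -ne $entry -and -not $entry.ValidUntil) { $entry.ValidUntil = $Matches[1] } }
            '^SHA256:\s*(\S+)$' { if ($null -ne $entry -and -not $entry.SHA256)     { $entry.SHA256 = $Matches[1] } }
        }
    }
    if ($null -ne $entry) { [pscustomobject]$entry }
}

# Constructed sample in the shape keytool prints (fingerprints shortened)
$sample = @'
Alias name: ldaps
Creation date: Jan 5, 2024
Entry type: trustedCertEntry
Owner: CN=dc01.example.local
Issuer: CN=Example-Issuing-CA
Valid from: Fri Jan 05 00:00:00 UTC 2024 until: Sun Jan 04 00:00:00 UTC 2026
Certificate fingerprints:
     SHA256: 00:11:22:33:44:55

Alias name: intranet
Creation date: Jan 5, 2024
Entry type: trustedCertEntry
Owner: CN=intranet.example.local
Issuer: CN=Example-Issuing-CA
Valid from: Fri Jan 05 00:00:00 UTC 2024 until: Sun Jan 04 00:00:00 UTC 2026
Certificate fingerprints:
     SHA256: 66:77:88:99:AA:BB
'@

$entries = Get-KeytoolEntry -Lines ($sample -split "`r?`n")
# Show only the entries for your own hosts, leaving the bundled CA roots alone
$entries | Where-Object { $_.Owner -match 'example\.local' } |
    Format-Table Alias, Owner, ValidUntil, SHA256
# Against the real export: Get-KeytoolEntry -Lines (Get-Content C:\cacertlist.txt)
```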
If the connection is still failing, further errors should be detailed within the Active Directory Synchronization log file located on your Admin > Security tab > Active Directory Synchronization screen.