Help Center
News
Help Center
News
Popular
Architecture and High-level Information
Scans
Agents
How to Use Dashboards
How to Use Data Asset Inventory
How to Install\Uninstall and Set Up Spirion Sensitive Data Platform
How to Use Logs
How to Manage Users and Roles
Settings and Resources
Additional Resources
Reports
Reporting API
Customer Support Articles
How to Follow Data Through the Search PipelineEndpoint for Windows Configuration Reference GuideEndpoint Software Command Line InterfaceBasic Troubleshooting Steps (Enterprise Console)Endpoints or Results Fail to be Displayed in the ConsoleMongoDB and TLS 1.3SQL Client SQL Exception ErrorHow to Troubleshoot Spirion Client Search Failures and How to WhitelistCustomer Notice – Spirion Agent Update & Security Assessment for PostgreSQLHow to Enable Verbose/Debug Logging for the Endpoint ServiceHow can I monitor the status of a queue job?Can I monitor the job queue status automatically?Troubleshooting: "Unable to find job queue: search_queue"How to Verify the Discovery Agent's StatusHow to check if port 6433 is open on your networkWhat is the SDM Translator Service?How to Create a Single Tenant App for OneDrive and Exchange Online SearchesHow to Configure Spirion for Sybase DiscoveryHow to Use Certificates to Authenticate with SharePoint OnlineHow to Quarantine to a Remote Location Using Spirion Sensitive Data PlatformA Server Error has Occurred: How to use the Chrome Developer ToolsWhy doesn't my Oracle 19c Database scan?How to Enable Full Disk Access on a Mac AgentWhy is My Scan Node Running Out of Disk Space?What to do about Message Processing and Delays, also known as 'Lag,' in SpirionDetails About the Box API used by Spirion to Search Box AccountsHow to Build a Mac Package (PKG)How to Sanitize AgentsHow to Set User and Role AccessHow to Enable SSL Communication between Linux Agents and the Spirion ConsoleHow to Enable HTTPS for the Spirion ConsoleHow to Search BoxFAQ: How do I avoid being prompted to re-login to the Spirion console?Spirion Sensitive Data Platform Scan PerformanceHow to Authenticate to SharePoint On-PremiseHow to Configure Spirion Sensitive Data Platform to Connect to an Oracle DatabaseFAQ: Linux 12.5 Client Package Build WorkaroundTroubleshoot Exchange Online Using Microsoft Graph ExplorerFAQ: What to do when an agent will not start the discovery team scan?Required SQL Server PermissionsHow to Scan Microsoft Teams with Spirion Sensitive Data PlatformField Input Using Linux Machines Anti-virus Alerts Received during Spirion SearchVersion 13.6 MSI Installation Issues - Exe file not signedWhat are common firewall rules needed for distributed scans?
Release Notes

How to Enable HTTPS for the Spirion Console

By default, access to the console user interface and communication between clients and the console is configured to occur using HTTP. Use this article to enable HTTPS communication.

By default, access to the console user interface and communication between clients and the console is configured to occur using HTTP

It is possible to enable secure HTTPS communication for either or both of these functions. 

  • The procedure in this article requires IIS to be configured for HTTPS communication.
  • Configuring IIS is beyond the scope of this article and Spirion Support.  
  • Configuration information is available from Microsoft.
NOTE: The IIS website used by Identity Finder Enterprise Console must not use multiple, different host headers.
NOTE: IIS must be configured to ignore client certificates for the Services application.

In This Article

  • How Do I Enable HTTPS for the Console Web Application?
  • Enabling HTTPS for the Services Web Application
  • Endpoint Configuration
    • Windows Clients
    • Linux Clients
    • Mac Clients (link to another KB article)

What Are Some Things I Should Know Before I Enable HTTPS? 

  • You MUST have access to the Console Server including IIS and the Console Administrator Tool (CAT)
  • Configuring IIS is beyond the scope of support of this article and Spirion Support. Configuration information for IIS is available from Microsoft.
  • The IIS website used by Spirion Console MUST NOT use multiple/different host headers
  • IIS MUST be configured to ignore client certificates for the Services application.
  • After enabling HTTPS in the console you may experience some interruption in communication between endpoints and the console due to an unknown certificate. To fix this enable the following setting: IgnoreunknownCA.
    • If you are building MSIs when SSL/HTTPS is enabled and you are using a private key then you MUST enable this setting.
  • The server name in the certificate must match the server name of the console under the System settings.
    • To see this right-click on the start menu on the console server and click System.
  • If HTTPS is selected, toggling the HTTP/HTTPS drop-down boxes for the console in the CAT tool cuts off HTTP access to the console

How Do I Enable HTTPS for the Console Web Application?

To enable HTTPS for the console web application, the user interface to perform console functions, perform the indicated configuration steps.

NOTE: Before the Console Administrator Tool (CAT) can be used to enable HTTPS, IIS must be configured with the appropriate HTTPS bindings.

  1. Launch the Console Administrator Tool by double-clicking on the ConsoleAdministrator executable.
    1. The default location is:
      C:\Program Files\Spirion Console\ConsoleAdministrator\ConsoleAdministrator.exe 
    2. If you previously upgraded from Identity Finder to Spirion, the default location is:
      C:\Program File\Identity Finder\Identity Finder Console>ConsoleAdministrator>ConsoleAdministrator.exe
    3. On Windows 2008 and later, there may be a UAC dialog prompt as Administrative privileges are required to run the Console Administrator Tool.
  3. Select the Web Application Settings tab.
  4. In the Console Application group, select the appropriate setting for Enabled Protocols depending on your IIS bindings configuration:
    1. HTTP Only
    2. HTTPS Only
    3. HTTP and HTTPS
  6. If IIS is configured to "Require SSL" for the website or the Console application, then HTTPS Only must be selected.
  7. Click the Save button.
  8. Click the Reload button to instruct the IIS server to reload the configuration.
  9. Click the Test button at the bottom of the dialog. 
    • In the "Base Console's services address" field, enter:
      • https://consoleserver/Console
      • where consoleserver is the name or IP address of the enterprise console
    • If the Services application is also using HTTPS, enter:
      • https://consoleserver/Services
      • where consoleserver is the name or IP address of the enterprise console
    • If the Services application is not using HTTP, enter:
      • http://consoleserver/Services
      • where consoleserver is the name or IP address of the enterprise console
    • Click the Test button

Enable HTTPS for the Services Web Application

To enable HTTPS for client/console communication, perform the indicated configuration steps.

NOTE: Before the Console Administrator Tool (CAT) can be used to enable HTTPS, IIS must be configured with the appropriate HTTPS bindings.

Procedure:

  1. Launch the Console Administrator Tool by double-clicking on the ConsoleAdministrator executable.
    1. The default location is:
      C:\Program Files\Spirion Console\ConsoleAdministrator\ConsoleAdministrator.exe
    2. If you previously upgraded from Identity Finder to Spirion, the default location is:
      C:\Program File\Identity Finder\Identity Finder Console>ConsoleAdministrator>ConsoleAdministrator.exe
  3. Select the Web Application Settings tab.
  4. In the Services Application group, select the appropriate setting for Enabled Protocols depending on your IIS bindings configuration:
    1. HTTP Only
    2. HTTPS Only
    3. HTTP and HTTPS 
    4. If IIS is configured to "Require SSL" for the website or the Services application, then HTTPS Only must be selected.
  6. Click the Save button.
  7. Click the Reload button to instruct the IIS server to reload the configuration.
  8. Test the SSL configuration by clicking the Test button at the bottom of the dialog.
  9. In the "Base services address" field, enter https://the-ssl-server-name/Services and click Test
    1. Testing the "Base Console's services address" is optional.

Endpoint Configuration

Identity Finder clients have a built-in security feature that prevent them from communicating with any console over HTTPS if the SSL certificate is not trusted.  

  • The SSL certificate used must be valid and signed by a certificate authority that is trusted by the endpoint.
  • Additionally, the URL of the console server, as specified in the server URL setting, must be exactly the same as the server name specified in the certificate.

Windows Clients

Windows clients should not require any additional configuration to utilize the secure connection.

  • However, if the SSL certificate is self-signed (e.g., signed by an internal/organizational CA), then the certificate authority must be specified in the trusted root certificate authority contained within the computer certificate store.
  • If the certificate is not properly trusted or the console server specified in the server URL setting does not exactly match the server name specified in the certificate, the following errors may appear:
  • Errors in the file endpointservice.log:
    • Exception: Service call failed (Context: RequestGuid. An HTTP processing error occurred). System Error: 12175.
    • Failed to acquire an endpoint id.
  • Errors in the client log:
    • Identity Finder is configured to communicate with the Enterprise Console but the server specified in the server URL setting cannot be contacted  (Unknown Error): https://consoleserver/services  All communication with the Enterprise Console will fail.
    • Check related Knowledge Base (KB) articles at http://support.identityfinder.com/ for further information.

If the errors above are generated because the CA is untrusted, perform either of the steps below to resolve the issue:

  1. Add the certificate authority that was used to sign the certificate to the trusted root certificate authority contained within the computer certificate store.
  2. Allow the client to ignore the fact that the certificate is unknown by configuring the setting Console\ignoreUnknownCA to either:
    1. "Allow untrusted CA"
    2. 1 (this may appear as "Enable" depending on the current version of the policy definitions). 
  4. Because communication with the console may not be possible, this setting may need to be manually added in the appropriate location directly to the Windows Registry for current installations.
  5. If the errors above are generated because the console server specified in the Server URL setting does not exactly match the server name specified in the certificate, perform either of the steps below to resolve the issue:
    1. Update the server URL setting to use the exact name specified in the certificate.
    2. Issue a new certificate to use the name specified in the server URL setting.
  7. If IIS is configured to require or accept client certificates, the following error will appear in the endpointservice.log file:
    • Exception: Service call failed (Context: RequestGuid. End of file or no input: Operation interrupted or timed out). System Error: 12044.
    • Failed to acquire an endpoint id.

Resolution

To resolve this issue, reconfigure IIS to ignore client certificates for the services application. 

It is permissible to require or accept client certificates for the console application so long as the certificate is properly installed on all client systems used to access the console web application.

Linux

Linux clients, like Windows clients, should not require any additional configuration to utilize the secure connection.

  • However, if the SSL certificate is self-signed (for example, signed by an internal/organizational CA), then the certificate authority details must be deployed with the Linux installation.
  • If the certificate is not properly trusted or the console server specified in the server URL setting does not exactly match the server name specified in the certificate, review the errors listed above in the Windows section.
  • If those errors are present a custom SSL certificate will need to be deployed with the Linux installation.
  • The following article discusses in detail how to configure SSL for Linux manually:

Mac

Mac clients require several additional deployment steps to utilize the secure connection.  

Related Articles


Was this article helpful?

Powered by Product Fruits