Setting up a secure connection to the Core Service

You can set up a HTTPS connection from a client to ensure secure communication.

About this task

You can configure a secure connection for both NetTcpBinding and WSHttpBinding for Audience Manager and Outbound E-mail user interface clients as follows:

Step | Description | File location from Tridion root
1 | Create a domain certificate on your Content Manager Server. |
2 | Modify the application configuration file for the Core Service running as a Windows service (to enable SSL if connecting using NetTcpBinding). | \bin\TcmServiceHost.exe.config
3 | Modify the main application configuration file for the Content Manager Server. | \WebUI\WebRoot\Web.config
4 | Modify the application configuration file for the Content Manager Explorer. | \WebUI\Models\CME\Web.config
5 | Modify the application configuration file for the Content Manager Explorer connecting to the Content Manager using the Core Service. | \WebUI\Models\TCM54\Web.config
6 | Modify the application configuration file for the Core Service running as a virtual directory under the Content Manager Web application in IIS (to enable SSL if connecting using WSHttpBinding). | \webservices\Web.config
7 | Modify the application configuration file for the Audience Manager and Outbound E-mail GUI extension. | \Outbound Email\Models\Web.config
8 | Install a certificate, obtained from a third party Certificate Authority, on machines where clients of the Content Manager are installed, for example, Audience Manager and Outbound E-mail. |

Procedure

  1. Create and install a domain certificate:  
    1. On the machine where your Content Manager Server is installed, open Internet Information Services (IIS).
    2. In IIS settings, double-click Server Certificates.
    3. In Actions, click Create Domain Certificate.
    4. Fill in the fields and click Next.
    5. Select your certificate authority and click Finish.
    The new certificate is added. If you create the domain certificate on a machine other than the Content Manager Server (but within your company domain), you will need to export the certificate as a *.pfx file and then import it into the Content Manager Server (in IIS Setting > Server Certificates).
  2. Modify the TcmServiceHost.exe.config configuration file:
    The TcmServiceHost.exe.config is the configuration file for the Core Service when running as a Windows service (for NET.TCP connections):
    1. Open the TcmServiceHost.exe.config configuration file, located in the bin\ subfolder of %TRIDION_HOME% (defaults to C:\Program Files (x86)\Tridion\), in a text editor.
    2. Go to the path: <configuration><system.serviceModel><bindings><netTcpBinding><binding name="CoreService_netTcpBinding"...> and add the following:
      <security mode="Transport">
      	<transport clientCredentialType="Windows" />
      </security>
      <reliableSession enabled="true" ordered="false" />
    3. Go to the path: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior> and add the following using your own ServerName:
      <serviceCredentials>
      	<serviceCertificate x509FindType="FindBySubjectName"
      		findValue="ServerName"
      		storeLocation="LocalMachine" storeName="My" />
      </serviceCredentials>
  3. Modify the main application configuration file for the Content Manager Server:
    1. Open Web.config, located in the WebUI\WebRoot\ subfolder of %TRIDION_HOME% (defaults to C:\Program Files (x86)\Tridion\), in a text editor.
    2. Go to path: <configuration><system.serviceModel><client> and change ServerName to use your own server name:
      <endpoint name="netTcp_2012"
      	address="net.tcp://ServerName:2660/CoreService/2012/netTcp"
      	binding="netTcpBinding" bindingConfiguration="TcmNetTcpBinding"
      	contract="ISessionAwareCoreService">
      	<identity>
      		<dns value="ServerName" />
      	</identity>
      </endpoint>
      <endpoint name="CoreService_wsHttpBinding"
      	address="https://ServerName/webservices/CoreService2012.svc/wsHttp"
      	binding="wsHttpBinding" bindingConfiguration="AM_CoreService_wsHttpBinding" 
      	contract="AudienceManagerCoreServiceProxy.ISessionAwareCoreService">
      	<identity>
      		<dns value="ServerName" />
      	</identity>
      </endpoint>
    3. If you use an SDL Tridion 2011 SP1-compatible endpoint, replace CoreService2011.svc with CoreService2012.svc.
    4. Alternatively, if you use an SDL Tridion 2011-compatible endpoint, your endpoint is no longer supported. Update and recompile your code.
    5. Go to the path: <configuration><system.serviceModel><bindings><netTcpBinding><binding name="TcmNetTcpBinding"...> and add the following:
      <security mode="Transport">
      	<transport clientCredentialType="Windows" />
      </security>
      <reliableSession enabled="true" />
    6. Go to the path: <configuration><system.serviceModel><bindings><webHttpBinding>. Uncomment the HTTPS binding (and, optionally, remove the HTTP binding).
    7. Go to the path: <configuration><system.serviceModel><bindings> and add the following:
      <wsHttpBinding>
      	<!-- Audience Manager -->
      	<binding name="AM_CoreService_wsHttpBinding" maxReceivedMessageSize="2097152">
      		<readerQuotas maxArrayLength="81920" maxBytesPerRead="5120" maxDepth="32"
      		maxNameTableCharCount="81920" maxStringContentLength="2097152"/>
      		<reliableSession enabled="true" /> 
      		<security mode="TransportWithMessageCredential" >
      			<transport clientCredentialType="Windows"/>
      		</security>
      	</binding>
      </wsHttpBinding>
    8. Go to the path: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior> and enable HTTPS and disable HTTP:
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
  4. Modify the application configuration file for the Content Manager Explorer connecting to the Content Manager using the Core Service:
    1. Open the Web.config located in the WebUI\Models\TCM54\ subfolder of %TRIDION_HOME% (defaults to C:\Program Files (x86)\Tridion\), in a text editor.
    2. Go to path: <configuration><system.serviceModel><services><service>. Uncomment the HTTPS binding (and, optionally, remove the HTTP binding).
  5. Modify the application configuration file for the Content Manager Explorer:
    1. Open the Web.config located in the WebUI\Models\CME\ subfolder of %TRIDION_HOME% (defaults to C:\Program Files (x86)\Tridion\), in a text editor.
    2. Go to path: <configuration><system.serviceModel><services><service>. Uncomment the HTTPS binding (and, optionally, remove the HTTP binding).
  6. Modify the Web site configuration file used when the Core Service is running as a virtual directory under the Content Manager Web application in IIS:
    1. Open the Web.config located in the webservices\ subfolder of %TRIDION_HOME% (defaults to C:\Program Files (x86)\Tridion\), in a text editor.
    2. Go to path: <configuration><system.serviceModel><bindings><wsHttpBinding><binding>. Add <reliableSession enabled="true" ordered="false" /> under the <security> element:
      <security mode="TransportWithMessageCredential">
      	<transport clientCredentialType="Windows" />
      </security>
      <reliableSession enabled="true" ordered="false" />
    3. Go to the path: <configuration><system.serviceModel><services><service><endpoint name="wsHttp"...> and change to the following to use your own ServerName:
      <dns value="ServerName" />
    4. Go to the path: <configuration><system.serviceModel><services><service> and add the following using your own ServerName:
      <host>
      	<baseAddresses>
      		<add baseAddress="https://ServerName/webservices/" />
      	</baseAddresses>
      </host>
    5. Go to the path: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior> and enable HTTPS and disable HTTP:
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
  7. Modify the Audience Manager and Outbound E-mail Web.config:
    1. Open the Web.config located in the Outbound Email\Models\ subfolder of %TRIDION_HOME% (defaults to C:\Program Files (x86)\Tridion\), in a text editor.
    2. Search for:
      bindingConfiguration="Tridion.Web.UI.ContentManager.WebServices.WebHttpBindingConfig"

      and replace with:

      bindingConfiguration="Tridion.Web.UI.ContentManager.WebServices.WebHttpsBindingConfig"
  8. Install the certificate of the trusted third party on the machine on which you have installed clients of the Content Manager, for example Audience Manager and Outbound E-mail, using the SDL Tridion MMC Snap-in tool.
    The certificate (for example SDLCorpCA) allows Audience Manager and Outbound E-mail to call the Core Service using SSL; otherwise you will experience GUI errors.
    1. Start the MMC Snap-in by selecting Programs > SDL Tridion > SDL Tridion Content Manager configuration in the Microsoft Windows Start menu (or run mmc.exe).
    2. Select File > Add/Remove Snap-in.
    3. Select Certificates and click Add.
    4. In the Certificates Snap-in wizard:
      • Under This snap-in will always manage certificates for, select Computer account and click Next.
      • Under This snap-in will always manage, select Local computer and click Finish.
    5. Click OK to return to the main screen of the SDL Tridion Content Manager snap-in.  
    6. Select Certificates > Trusted Root Certification Authorities > Certificates and choose All Tasks > Import. The Certificate Import Wizard opens.
    7. In the Certificate Import Wizard, click Next.
    8. Browse to a *.cer file for the SDLCorpCA root certificate authority and click Next.
    9. Select Place all certificates in the following store, make sure the store shown is Trusted Root Certification Authorities, and click Next.
    10. Click Finish.
    11. The certificate now appears in the Trusted Root Certification Authorities store.
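To check the edited files from steps 3 and 6 without rereading each one by hand, the following script (an added example, not part of the SDL Tridion product or of this procedure) parses a WCF configuration file and reports settings the procedure requires to be changed. It assumes that every binding under <bindings> must declare transport security, as the snippets above do; the two sample configurations are constructed for the demonstration, the first representing the state before the procedure.

```python
# Added example, not from the SDL Tridion product: audit a WCF configuration
# file (Web.config or TcmServiceHost.exe.config) for the HTTPS settings the
# procedure above requires. Assumes each <binding> must declare transport security.
import xml.etree.ElementTree as ET

SECURE_MODES = ("Transport", "TransportWithMessageCredential")

def audit_service_model(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    sm = ET.fromstring(xml_text).find("system.serviceModel")
    if sm is None:
        return ["no <system.serviceModel> element found"]
    findings = []
    # Each netTcp/wsHttp/webHttp binding needs <security mode="Transport..."/>.
    for binding in sm.iterfind("bindings/*/binding"):
        sec = binding.find("security")
        mode = sec.get("mode") if sec is not None else None
        if mode not in SECURE_MODES:
            findings.append(f"binding {binding.get('name')}: security mode is {mode!r}")
    # Service metadata (WSDL) must be published over HTTPS only (steps 3.8 and 6.5).
    for meta in sm.iterfind("behaviors/serviceBehaviors/behavior/serviceMetadata"):
        if meta.get("httpGetEnabled", "false").lower() == "true":
            findings.append("serviceMetadata: httpGetEnabled must be false")
        if meta.get("httpsGetEnabled", "false").lower() != "true":
            findings.append("serviceMetadata: httpsGetEnabled must be true")
    # Client endpoints and host base addresses must not use plain http:// URLs.
    addressed = list(sm.iterfind("client/endpoint")) + \
        list(sm.iterfind("services/service/host/baseAddresses/add"))
    for el in addressed:
        addr = el.get("address") or el.get("baseAddress") or ""
        if addr.lower().startswith("http://"):
            findings.append(f"plain HTTP address: {addr}")
    return findings

# Constructed sample: a Web.config before the procedure (HTTP, no transport security).
WEAK_CONFIG = """<configuration><system.serviceModel>
  <bindings><netTcpBinding><binding name="TcmNetTcpBinding"/></netTcpBinding></bindings>
  <behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="true" httpsGetEnabled="false"/></behavior></serviceBehaviors></behaviors>
  <client><endpoint name="CoreService_wsHttpBinding" address="http://ServerName/webservices/CoreService2012.svc/wsHttp"/></client>
</system.serviceModel></configuration>"""

# The same file after steps 3.2, 3.5 and 3.8 of the procedure.
FIXED_CONFIG = """<configuration><system.serviceModel>
  <bindings><netTcpBinding><binding name="TcmNetTcpBinding">
    <security mode="Transport"><transport clientCredentialType="Windows"/></security>
  </binding></netTcpBinding></bindings>
  <behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/></behavior></serviceBehaviors></behaviors>
  <client><endpoint name="CoreService_wsHttpBinding" address="https://ServerName/webservices/CoreService2012.svc/wsHttp"/></client>
</system.serviceModel></configuration>"""
```

Run audit_service_model on the contents of each file listed in the table above; every finding names the element that still needs editing, and an empty list means the file matches the procedure.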

Results

You can now connect to the Content Manager Explorer using HTTPS, for example https://ServerName/WebUI.