Setting up a secure connection from Audience Manager to the Core Service

You can set up an HTTPS connection from a client to ensure secure communication.

About this task

You can configure a secure connection for both NetTcpBinding and WSHttpBinding for the Audience Manager user interface client as follows:

Step | Description | File location relative to %TRIDION_HOME%
1 | Create a domain certificate on your Content Manager Server. |
2 | Modify the application configuration file for the Core Service running as a Windows service (to enable SSL if connecting using NetTcpBinding) | \bin\TcmServiceHost.exe.config
3 | Modify the main application configuration file for the Content Manager Server. | \WebUI\WebRoot\Web.config
4 | Modify the application configuration file for the Content Manager Explorer. | \WebUI\Models\CME\Web.config
5 | Modify the application configuration file for the Content Manager Explorer connecting to the Content Manager using the Core Service. | \WebUI\Models\TCM54\Web.config
6 | Modify the application configuration file for the Core Service running as a virtual directory under the Content Manager Web application in IIS (to enable SSL if connecting using WSHttpBinding). | \webservices\Web.config
7 | Modify the application configuration file for the Audience Manager GUI extension. | \Outbound Email\Models\Web.config
8 | Install a certificate, obtained from a third party Certificate Authority, on machines where clients of the Content Manager are installed, for example, Audience Manager. |

Procedure

  1. Create and install a domain certificate:  
    1. On the machine where your Content Manager Server is installed, open Internet Information Services (IIS).
    2. In IIS settings, double-click Server Certificates.
    3. In Actions, click Create Domain Certificate.
    4. Fill in the fields and click Next.
    5. Select your certificate authority and click Finish.
    The new certificate is added. If you create the domain certificate on a machine other than the Content Manager Server (but within your company domain), you will need to export the certificate as a *.pfx file and then import it into the Content Manager Server (in IIS Setting > Server Certificates).
  2. Modify the TcmServiceHost.exe.config configuration file:
    The TcmServiceHost.exe.config is the configuration file for the Core Service when running as a Windows service (for NET.TCP connections):
    1. Open the TcmServiceHost.exe.config configuration file, located in %TRIDION_HOME%\bin\, in a text editor.
    2. Go to the path: <configuration><system.serviceModel><bindings><netTcpBinding><binding name="CoreService_netTcpBinding"...> and add the following:
      <security mode="Transport">
      	<transport clientCredentialType="Windows" />
      </security>
      <reliableSession enabled="true" ordered="false" />
    3. Go to the path: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior> and add the following using your own ServerName:
      <serviceCredentials>
      	<serviceCertificate x509FindType="FindBySubjectName"
      		findValue="ServerName"
      		storeLocation="LocalMachine" storeName="My" />
      </serviceCredentials>
  3. Modify the main application configuration file for the Content Manager Server:
    1. Open Web.config, located in %TRIDION_HOME%\WebUI\WebRoot\, in a text editor.
    2. Go to path: <configuration><system.serviceModel><client> and change ServerName to use your own server name:
      <endpoint name="netTcp_201601"
      	address="net.tcp://ServerName:2660/CoreService/201601/netTcp"
      	binding="netTcpBinding" bindingConfiguration="TcmNetTcpBinding"
      	contract="ISessionAwareCoreService">
      	<identity>
      		<dns value="ServerName" />
      	</identity>
      </endpoint>
      <endpoint name="CoreService_wsHttpBinding"
      	address="https://ServerName/webservices/CoreService201601.svc/wsHttp"
      	binding="wsHttpBinding" bindingConfiguration="AM_CoreService_wsHttpBinding" 
      	contract="AudienceManagerCoreServiceProxy.ISessionAwareCoreService">
      	<identity>
      		<dns value="ServerName" />
      	</identity>
      </endpoint>
    3. If you are using the SDL Web 8-compatible endpoints, replace CoreService201501.svc with CoreService201601.svc.
    4. If you use an SDL Tridion 2011 SP1-compatible endpoint, replace CoreService2011.svc with CoreService201601.svc.
    5. Alternatively, if you use an SDL Tridion 2011-compatible endpoint, your endpoint is no longer supported. Update and recompile your code.
    6. Go to the path: <configuration><system.serviceModel><bindings><netTcpBinding><binding name="TcmNetTcpBinding"...> and add the following:
      <security mode="Transport">
      	<transport clientCredentialType="Windows" />
      </security>
      <reliableSession enabled="true" />
    7. Go to the path: <configuration><system.serviceModel><bindings><webHttpBinding>. Uncomment the HTTPS binding (and, optionally, remove the HTTP binding).
    8. Go to the path: <configuration><system.serviceModel><bindings> and add the following:
      <wsHttpBinding>
      	<!-- Audience Manager -->
      	<binding name="AM_CoreService_wsHttpBinding" maxReceivedMessageSize="2097152">
      		<readerQuotas maxArrayLength="81920" maxBytesPerRead="5120" maxDepth="32"
      		maxNameTableCharCount="81920" maxStringContentLength="2097152"/>
      		<reliableSession enabled="true" /> 
      		<security mode="TransportWithMessageCredential" >
      			<transport clientCredentialType="Windows"/>
      		</security>
      	</binding>
      </wsHttpBinding>
    9. Go to the path: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior> and enable HTTPS and disable HTTP:
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
  4. Modify the application configuration file for the Content Manager Explorer connecting to the Content Manager using the Core Service:
    1. Open the Web.config located in %TRIDION_HOME%\WebUI\Models\TCM54\ in a text editor.
    2. Go to path: <configuration><system.serviceModel><services><service>. Uncomment the HTTPS binding (and, optionally, remove the HTTP binding).
  5. Modify the application configuration file for the Content Manager Explorer:
    1. Open the Web.config located in %TRIDION_HOME%\WebUI\Models\CME\ in a text editor.
    2. Go to path: <configuration><system.serviceModel><services><service>. Uncomment the HTTPS binding (and, optionally, remove the HTTP binding).
  6. Modify the Web site configuration file used when the Core Service is running as a virtual directory under the Content Manager Web application in IIS:
    1. Open the Web.config located in %TRIDION_HOME%\webservices\ in a text editor.
    2. Go to path: <configuration><system.serviceModel><bindings><wsHttpBinding><binding>. Add <reliableSession enabled="true" ordered="false" /> under the <security> element:
      <security mode="TransportWithMessageCredential">
      	<transport clientCredentialType="Windows" />
      </security>
      <reliableSession enabled="true" ordered="false" />
    3. Go to the path: <configuration><system.serviceModel><services><service><endpoint name="wsHttp"...> and change to the following to use your own ServerName:
      <dns value="ServerName" />
    4. Go to the path: <configuration><system.serviceModel><services><service> and add the following using your own ServerName:
      <host>
      	<baseAddresses>
      		<add baseAddress="https://ServerName/webservices/" />
      	</baseAddresses>
      </host>
    5. Go to the path: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior> and enable HTTPS and disable HTTP:
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
  7. Modify the Audience Manager Web.config:
    1. Open the Web.config located in %TRIDION_HOME%\Outbound Email\Models\, in a text editor.
    2. Search for:
      bindingConfiguration="Tridion.Web.UI.ContentManager.WebServices.WebHttpBindingConfig"

      and replace with:

      bindingConfiguration="Tridion.Web.UI.ContentManager.WebServices.WebHttpsBindingConfig"
  8. Install the certificate of the trusted third party on the machine on which you have installed clients of the Content Manager, for example Audience Manager, using the SDL Web MMC Snap-in tool.
    The certificate (for example SDLCorpCA) allows Audience Manager to call the Core Service using SSL; otherwise, you will experience GUI errors.
    1. Start the MMC Snap-in by selecting Programs > SDL Web > SDL Web Content Manager configuration from the Microsoft Windows Start menu (or run mmc.exe).
    2. Select File > Add/Remove Snap-in.
    3. Select Certificates and click Add.
    4. In the Certificates Snap-in wizard:
      • Select This certificate will always manage certificates for: Computer account and click Next.
      • Select This snap-in will always: Local computer and click Finish.
    5. Click OK to return to the main screen of the SDL Web Content Manager snap-in.  
    6. Select Certificates > Trusted Root Certification Authorities > Certificates and choose All Tasks > Import.
      The Certificate Import Wizard opens.
    7. In the Certificate Import Wizard, click Next.
    8. Browse to a *.cer file for the SDLCorpCA root certificate authority and click Next.
    9. Select Place all certificates in the following store Trusted Root Certification Authorities and click Next.
    10. Click Finish.
    11. You should see the certificate in the store.

Results

You can now connect to the Content Manager Explorer using HTTPS, for example https://ServerName/WebUI
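
The edits above are spread over several configuration files, so a forgotten binding or a leftover ServerName placeholder is easy to miss. The following check is an added example, not part of the product documentation: it parses one configuration file and reports where it deviates from the settings in the procedure. The function name, the finding texts and the host name cm01.example.test are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SECURE_MODES = {"Transport", "TransportWithMessageCredential"}

def audit_service_model(config_xml):
    """Report where a config deviates from the settings in the procedure."""
    root, findings = ET.fromstring(config_xml), []
    # The procedure sets an explicit transport-level mode on both binding types.
    for kind in ("netTcpBinding", "wsHttpBinding"):
        for b in root.findall(f".//bindings/{kind}/binding"):
            sec = b.find("security")
            mode = sec.get("mode") if sec is not None else "absent"
            if mode not in SECURE_MODES:
                findings.append(f"{kind} {b.get('name')}: security mode {mode}")
    # Service metadata is to be published over HTTPS only.
    for md in root.iter("serviceMetadata"):
        if md.get("httpGetEnabled", "false").lower() != "false":
            findings.append("serviceMetadata: httpGetEnabled is not false")
        if md.get("httpsGetEnabled", "false").lower() != "true":
            findings.append("serviceMetadata: httpsGetEnabled is not true")
    # Absolute addresses: no plain HTTP or placeholder; <dns> must match the host.
    for el in list(root.iter("endpoint")) + list(root.iter("add")):
        addr = el.get("address") or el.get("baseAddress") or ""
        url = urlsplit(addr)
        if not url.scheme:
            continue  # relative service endpoint or unrelated <add> element
        host = (url.hostname or "").lower()
        if url.scheme == "http":
            findings.append(f"{addr}: plain HTTP address")
        if host == "servername":
            findings.append(f"{addr}: ServerName placeholder not replaced")
        dns = el.find("identity/dns")
        if dns is not None and dns.get("value", "").lower() != host:
            findings.append(f"{addr}: identity dns '{dns.get('value')}' != host")
    return findings

# Constructed sample: a half-converted config; cm01.example.test is made up.
SAMPLE = """<configuration><system.serviceModel><bindings>
  <netTcpBinding><binding name="TcmNetTcpBinding"><security mode="Transport"/></binding></netTcpBinding>
  <wsHttpBinding><binding name="AM_CoreService_wsHttpBinding"><security mode="None"/></binding></wsHttpBinding>
</bindings><client>
  <endpoint address="http://cm01.example.test/webservices/CoreService201601.svc/wsHttp">
    <identity><dns value="ServerName"/></identity></endpoint>
</client><behaviors><serviceBehaviors><behavior>
  <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
</behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>"""
if __name__ == "__main__":
    print("\n".join(audit_service_model(SAMPLE)))
```

Run it against each of the Web.config files and TcmServiceHost.exe.config after editing; an empty result means the file matches the binding, metadata and address settings described above.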