Step 1: Configure IIS for SSL
When using SSL, the fully qualified domain name on the certificate must match the web server address. The configuration examples use servername.domain.local, but the actual domain must match your web server.
Microsoft IIS 6
- Start Internet Information Services (IIS) Manager.
- Expand Web Sites, right-click Default Web Site, and then click Properties.
- Click the Directory Security tab, and then click the Server Certificate.
- In the wizard, select Import a certificate from a .pfx file. Find your certificate and enter its password. Use port 443 (unless you need this port for some other purpose).
Note: You must use a fully qualified domain name (FQDN) in the certificate for authentication. If you use the server short name in the certificate for authentication, a 401 error may result.
- Finish and test by using your browser to connect. The URL will be something similar to https://servername.domain.local/; https://localhost/adminui will not be trusted because the certificate name is the FQDN.
Microsoft IIS 7
- Start IIS Manager.
- Select the correct server node. In the IIS section, double-click Server Certificates.
- Under Actions, click Import. Find your certificate and enter its password.
- Highlight Default Web Site, and then click Bindings in the Actions menu.
- Click Add in the Site Bindings dialog box.
- Set Type to https.
- Set SSL certificate to the certificate you just imported.
- Finish and test by using your browser to connect. The URL will be something similar to https://servername.domain.local/; https://localhost/adminui will not be trusted because the certificate name is the FQDN.
Step 2: Configure Surveyor 6 for SSL
You will need to configure the web.config files for Surveyor web services for SSL by uncommenting the HTTPS option and then commenting out the HTTP option.
- Before performing any web.config edits, stop the Default Web Site either through the IIS Manager or the command line.
- Starting with the web.config file located in the C:\Program Files\Verdiem\Surveyor\Administrator directory, perform the following edits:
Find the <bindings> section of the web.config. In the <bindings> section, beneath the comment <!--Use HTTP or HTTPS - NOT both-->, comment out the HTTP binding section; uncomment the HTTPS binding section. The comment start string is <!-- and the end comment string is -->.
For example:
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
  <bindings>
    <webHttpBinding>
      <binding name="webBinding"/>
    </webHttpBinding>
    <customBinding>
      <!--Use HTTP OR HTTPS - NOT both-->
      <!--HTTP-->
      <!--<binding name="jsonWebBinding">
        <webMessageEncoding webContentTypeMapperType="Verdiem.Enterprise.WebServices.Common.JsonWebContentTypeMapper, Verdiem.Enterprise.WebServices.Common"/>
        <httpTransport manualAddressing="true" maxReceivedMessageSize="10000000"
                       authenticationScheme="Negotiate"/>
      </binding>-->
      <!--HTTPS-->
      <binding name="jsonWebBinding">
        <webMessageEncoding webContentTypeMapperType="Verdiem.Enterprise.WebServices.Common.JsonWebContentTypeMapper, Verdiem.Enterprise.WebServices.Common" />
        <httpsTransport manualAddressing="true" maxReceivedMessageSize="10000000"
                        authenticationScheme="Negotiate"/>
      </binding>
    </customBinding>
  </bindings>
Repeat the same steps for the web.config files in \Surveyor\PMPService and \Surveyor\EnergyWiseProvisioningService.
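To confirm the Step 2 edit, the following added example (PowerShell written for this page, not part of Verdiem's documentation or tools) reports which transport is active in a web.config's jsonWebBinding. The function name, the result labels, and the assumption that all three directories sit under C:\Program Files\Verdiem\Surveyor are illustrative.

```powershell
# Added example, not Verdiem code. XML comments are invisible to the parser,
# so only uncommented <binding name="jsonWebBinding"> elements are counted.
function Get-JsonWebBindingTransport {
    param([Parameter(Mandatory = $true)][xml]$Config)
    # local-name() keeps the query working if the file declares a default namespace.
    $xpath = "//*[local-name()='customBinding']/*[local-name()='binding'][@name='jsonWebBinding']"
    $bindings = @($Config.SelectNodes($xpath))
    $http  = @($bindings | Where-Object {
        $null -ne $_.SelectSingleNode("*[local-name()='httpTransport']") }).Count
    $https = @($bindings | Where-Object {
        $null -ne $_.SelectSingleNode("*[local-name()='httpsTransport']") }).Count

    if ($bindings.Count -eq 0) { return 'NONE' }          # both variants commented out
    if ($bindings.Count -gt 1 -or ($http -and $https)) { return 'CONFLICT' }  # violates "NOT both"
    if ($https -eq 1) { return 'HTTPS' }                  # Step 2 applied
    if ($http -eq 1)  { return 'HTTP' }                   # Step 2 not applied yet
    return 'UNKNOWN'                                      # binding present, no HTTP(S) transport
}

# Constructed sample mirroring the edited <bindings> section (attributes trimmed).
$sample = [xml]@'
<configuration><system.serviceModel><bindings><customBinding>
  <!--HTTP-->
  <!--<binding name="jsonWebBinding">
    <httpTransport manualAddressing="true" authenticationScheme="Negotiate"/>
  </binding>-->
  <!--HTTPS-->
  <binding name="jsonWebBinding">
    <httpsTransport manualAddressing="true" authenticationScheme="Negotiate"/>
  </binding>
</customBinding></bindings></system.serviceModel></configuration>
'@
"sample: $(Get-JsonWebBindingTransport $sample)"

# Check the three web.config files named in Step 2 (install root is an assumption).
$root = 'C:\Program Files\Verdiem\Surveyor'
foreach ($dir in 'Administrator', 'PMPService', 'EnergyWiseProvisioningService') {
    $path = Join-Path $root "$dir\web.config"
    if (Test-Path $path) {
        '{0}: {1}' -f $path, (Get-JsonWebBindingTransport ([xml](Get-Content $path)))
    }
}
```

Any result other than HTTPS for one of the three files means that service is not yet configured as Step 2 describes.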
Step 3: Create a custom AdminCommand.exe.config file
Create a custom config file that contains the following XML code, and then save it as AdminCommand.exe.config in C:\Program Files (x86)\Verdiem\Surveyor\Tools.
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ConnectionString" value="https://{0}/Admin/AdminService.svc"/>
  </appSettings>
</configuration>
Note: For {0} above, change the ConnectionString setting to point to the appropriate web service URL.
Step 4: Disable the loopback check in the DisableLoopbackCheck registry key
This step is recommended in the following Microsoft Support article: http://support.microsoft.com/kb/896861.
To set the DisableLoopbackCheck registry key, follow these steps:
- Set the DisableStrictNameChecking registry entry to 1. For more information about this setting, refer to the Microsoft Knowledge Base: http://support.microsoft.com/kb/281308/.
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
Step 5: Edit the URL for Wake for Remote Access
Edit the Admin URL in the Wake for Remote Access service so it uses HTTPS to contact the Surveyor Server Web Services.
In the web.config file in \Surveyor\WRA, change the ConnectionString setting to point to the appropriate web service URL.
<add key="ConnectionString" value="https://{0}/Admin/AdminService.svc"/>
Step 6: Configure and test Surveyor agents
When installing Surveyor Agents, make sure the Server URL is configured to use HTTPS rather than the default HTTP.
- For existing clients, you will need to modify the server configuration file on each PC.
- Modify the serverconfig file in \Program Files\Verdiem\Surveyor Agent\Data, changing http to https.
- Restart the PwrMgrService.
Otherwise, the client can be reinstalled or upgraded using the new https:// URL.
Note: For Mac agents, use the following command line to configure the package for HTTPS:
sudo perl ~/Desktop/updateinstallerconfig.pl --hostname yourservername --https --package ~/Desktop/SurveyorAgent.pkg
Step 7 (Optional): Configure and test the EnergyWise Proxy Service
To complete configuration for the Surveyor EnergyWise Proxy service, you must change the \Surveyor\EnergyWise Proxy Server\energywise_proxy_server.properties file to point to Surveyor Server’s Web Services using HTTPS and install a trusted certificate for the proxy server:
- Export a DER-encoded binary of the certificate (via the browser or other certificate-management tool).
- Use Java's keytool utility to add the certificate to Java's keystore.
The keytool utility is located in the JRE bin folder (typically at C:\Program Files\Java\jre6\bin).
The trusted keystore is at \lib\security\cacerts. The following operations will prompt you for a password, which out of the box is "changeit".
Listing installed certs
cd c:\program files\java\jre6\bin
keytool -v -list -keystore ..\lib\security\cacerts > certs.txt
Open the certs.txt and make sure the appropriate certificate is present.
Adding a new cert
This example uses a DER-encoded version of our self-signed cert, called "mycert.cer" and placed in c:\certs\.
keytool -import -keystore ..\lib\security\cacerts -file c:\certs\mycert.cer
- Configure Verdiem Surveyor EnergyWise Connector to use HTTPS as follows:
a. Stop the Surveyor EnergyWise Connector service.
b. Edit \Surveyor\EnergyWise Proxy Server\energywise_proxy_server.properties and change http to https in both URLs.
c. Start the Surveyor EnergyWise Connector service.
Step 8: Test the connections
- Restart the website.
- Connect to https://servername.domain.local/adminui to ensure you are able to access the Surveyor Administrator console using SSL.
Note: The URL will be something similar to https://servername.domain.local/adminui; https://localhost/adminui will not be trusted (because the certificate name is the FQDN).
- Ensure the EnergyWise Proxy Server is connecting to Server by checking Last Checkin Time in Surveyor Administrator.
- Ensure agents are connecting to the server.
- Test Wake for Remote Access.