HTTPS Time Server Configuration

Prerequisites

All prerequisites must be passed before the configuration can commence.

1. PowerShell version must be 3 or newer.

To determine the PowerShell version, run the following command in a PowerShell prompt (as Administrator):

$PSVersionTable.PSVersion.Major

The output should be 3 or higher.

2. A valid certificate, with private key, must be installed in the Personal Certificate Store for the Local Computer account.

To see the list of installed certificates, run the following in PowerShell, as Administrator:

Get-ChildItem Cert:\LocalMachine\My

The certificate intended to be used with the MobileWeb connector must be shown in the output from the command.

To verify that you also have the private key for the certificate, an export with certutil -exportPFX should output the message “Encryption test passed”.

Run the following in PowerShell (as Administrator):

certutil -exportPFX <thumbprint> foo.bar

Use the relevant thumbprint from the Get-ChildItem command before.

A prompt to provide a password should now appear. Press Ctrl+C to abort.

In the output for the certutil command it should say “Encryption test passed”, before the password prompt. If that’s the case, then the certificate is installed correctly, with private key.

If the output of the certutil command says “Cannot find the certificate and private key for decryption.”, then you don’t have the private key and cannot proceed with configuring MobileWeb connector for secure communication (https) until this is fixed.

Gather Information

1. Get Time Server port number

(This step can be skipped if you already got the Time Server port number in the prerequisite check section.)

Start a PowerShell prompt as Administrator in the Time Server installation folder under the Totalview installation. It is often C:\Program Files (x86)\formula.fo\Totalview3\TimeServer.

Run the following command:

Get-Content TimeServer.exe.config | Select-String "add baseAddress" | Select-Object -First 2

This should output the TimeServer endpoints and the port numbers that it is running on. You should note the endpoint for the http address, in this case 8000.

2. Assign Time Server port number to PowerShell variable

Store the port number from the previous command in a PowerShell variable by running the following command (RUN AS ADMINISTRATOR):

$timeserverport = <port number>

Replace <port number> with the port number output by the PowerShell command in the previous section.

Example:

$timeserverport = 8000

Verify that the port number was saved by running the following command:

echo $timeserverport

It should output the port number to the console.

Use this same PowerShell session for the remainder of this guide.

3. Get certificate thumbprint

Take the thumbprint of the certificate that passed in step 3 of the prerequisite check. Assign it to a PowerShell variable the same way as you did with the timeserverport variable:

$thumbprint = '<thumbprint>'

Example:

$thumbprint = '6042aef35be8da8a454d0288cf57f6e8'

Verify that the thumbprint was saved by running the following command:

echo $thumbprint

It should echo the thumbprint value in the console.

Use this same PowerShell session for the remainder of this guide.

Making the switch to HTTPS

TimeServer Configuration

Stop the TimeServer service: open services.msc, find the service (usually Totalview_TimeServer) and stop it.

In the TotalviewInstallFolder/TimeServer, open TimeServer.exe.config in a text editor and follow the instructions described there.

In the TotalviewInstallFolder/TimeClient folder, open TimeClient.exe.config in a text editor and follow the instructions described there.
NB! Change the tv_version at the top of the files to some other value, so that it triggers an auto update for clients.

Windows OS Configuration

Run the following command to assign the certificate to the port where the TimeServer is running:

netsh http add sslcert ipport="0.0.0.0:$timeserverport" certhash="$thumbprint" appid="{bfc1c581-4403-4fcf-b527-5312d1511822}"

If you get the error “Cannot create a file when that file already exists.”, then you need to remove the existing sslcert configuration for the same port. Running the following command, and then rerunning the previous netsh http add sslcert command, should fix the issue:

netsh http del sslcert ipport="0.0.0.0:$timeserverport"

Now start the TimeServer service again.
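
A scripted check of the certificate and the port binding, as an added example that is not part of the original guide. It assumes the $timeserverport and $thumbprint variables set earlier in this session; the function name Test-TimeServerBinding is hypothetical.

```powershell
# Added example (not from the original guide). Test-TimeServerBinding is a
# hypothetical name; run it in the same elevated session as the steps above.
function Test-TimeServerBinding {
    param(
        [Parameter(Mandatory = $true)][int]$Port,
        [Parameter(Mandatory = $true)][string]$Thumbprint
    )

    # Keep hex digits only: thumbprints copied from the certificate dialog
    # often carry spaces or an invisible leading character.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
    $problems = @()
    if (-not $clean) { $problems += 'Thumbprint contains no hex digits' }

    # 1. Certificate must be in the Local Computer Personal store, hold a
    #    private key, and be inside its validity period.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        $problems += "Certificate $clean not found in Cert:\LocalMachine\My"
    } else {
        if (-not $cert.HasPrivateKey) {
            $problems += 'Certificate has no private key'
        }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "Certificate not valid now (NotAfter: $($cert.NotAfter))"
        }
    }

    # 2. HTTP.sys must have this certificate bound to the Time Server port.
    #    Match on the hash value, since netsh labels are localized.
    $ipport = "0.0.0.0:$Port"
    $shown = & netsh http show sslcert "ipport=$ipport" 2>&1 | Out-String
    if ($clean -and $shown -notmatch [regex]::Escape($clean)) {
        $problems += "No sslcert binding on $ipport references $clean"
    }

    [pscustomobject]@{
        IpPort   = $ipport
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-TimeServerBinding -Port $timeserverport -Thumbprint $thumbprint
```

If Ok is False, the Problems list names which of the earlier steps to revisit.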

Verification

Open your Time Client and login.

In the bottom left corner it should say [SECURE].

HTTPS configuration is now complete. Congratulations!

Last edited on March 31st, 2020