HTTPS Time Server Configuration

Prerequisites

All prerequisites must be passed before the configuration can commence.

1. PowerShell version must be 3 or newer.

To determine the PowerShell version, run the following command in a PowerShell prompt (as Administrator):

$PSVersionTable.PSVersion.Major

The output should be 3 or higher.


2. A valid certificate, with private key, must be installed in the Personal certificate store of the Local Computer account.

To list the installed certificates, run the following in PowerShell as Administrator:

Get-ChildItem Cert:\LocalMachine\My

The certificate intended to be used with the MobileWeb connector must be shown in the output from the command.

To verify that you also have the private key for the certificate, an export with certutil -exportPFX should output the message “Encryption test passed”.

Run the following in PowerShell (as Administrator):

certutil -exportPFX <thumbprint> foo.bar

Use the relevant thumbprint from the earlier Get-ChildItem command.

You should now be prompted for a password. Press Ctrl+C to abort.

The output of the certutil command should say “Encryption test passed” before the password prompt. If that’s the case, the certificate is installed correctly, with its private key.

If the output of the certutil command says “Cannot find the certificate and private key for decryption.”, then you don’t have the private key and cannot proceed with configuring MobileWeb connector for secure communication (https) until this is fixed.
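A non-interactive complement to the certutil test, as an added example that is not part of the original guide: it checks that the certificate is in the Local Computer store, has an associated private key, is within its validity period and is usable for server authentication. The function name Test-ServerCertificate is hypothetical, and '<thumbprint>' is a placeholder. HasPrivateKey only reports that a key is associated with the certificate, so the certutil test above is still the one that exercises the key.

```powershell
# Added example; Test-ServerCertificate is a hypothetical helper name.
function Test-ServerCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Keep hex digits only: drops spaces and invisible characters that
    # can come along when a thumbprint is copied from the certificate dialog.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        Write-Warning "No certificate $clean in Cert:\LocalMachine\My"
        return $false
    }

    # Enhanced Key Usage: if the extension is absent the certificate is not
    # restricted by purpose; if present, Server Authentication must be listed.
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOk = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuth)

    $now = Get-Date
    $checks = [ordered]@{
        HasPrivateKey = $cert.HasPrivateKey
        ValidNow      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ServerAuthEku = $ekuOk
    }
    foreach ($name in $checks.Keys) {
        Write-Host ('{0,-14} {1}' -f $name, $checks[$name])
    }
    Write-Host ('{0,-14} {1}' -f 'Expires', $cert.NotAfter)

    # True only when every check passed
    return -not (@($checks.Values) -contains $false)
}

# Placeholder: paste the thumbprint shown by Get-ChildItem
Test-ServerCertificate -Thumbprint '<thumbprint>'
```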

Gather Information

You can see every port used in the TimeServer.exe.config file in the TimeServer folder, typically located in C:\Program Files (x86)\formula.fo\Totalview3\TimeServer.

There are three distinct services.

  1. The Time Server usually running on port 8000

  2. The Payment Service usually running on port 8002

  3. The Account Service usually running on port 8003

They can be located by looking for the <baseAddresses> <add baseAddress=”….” entry for each service. You can also use PowerShell to look up these values. See below:

1. Get Time port numbers

Start a PowerShell prompt as Administrator in the Time Server installation folder under the Totalview installation. It is often C:\Program Files (x86)\formula.fo\Totalview3\TimeServer.

Run the following command:

Get-Content TimeServer.exe.config | Select-String -Pattern "^(\s)*(<add baseAddress)"

This should output the TimeServer endpoints and the port numbers that it is running on. You should note the endpoint for the https address, in this case 9000.

The first two ports are the TimeServer WCF ports (one for https and one for net.tcp), 9000 and 9001 in this example.

The third is the Payment WCF service port, 9002 in this example.

The fourth is the Account WCF service port, 9003 in this example.

2. Assign the port numbers to PowerShell variables

Store the port numbers from the previous command in PowerShell variables by running the following commands as Administrator (skip payment and account if they are not used):

$timeserverport = <time server port number>
$paymentport = <payment port number>
$accountport = <account port number>

Replace each <... port number> placeholder with the corresponding port number output by the PowerShell command in the previous section.

Example:

$timeserverport = 8000
$paymentport = 8002
$accountport = 8003

Verify that the port numbers were saved by running the following commands:

echo $timeserverport
echo $paymentport
echo $accountport

It should output the port numbers to the console.

Use this same PowerShell session for the remainder of this guide.

3. Get certificate thumbprint

Take the thumbprint of the certificate that passed in step 3 of the prerequisite check. Assign it to a PowerShell variable the same way as you did with the timeserverport variable:

$thumbprint = '<thumbprint>'

Example:

$thumbprint = '6042aef35be8da8a454d0288cf57f6e8'

Verify that the thumbprint was saved by running the following command:

echo $thumbprint

It should echo the thumbprint value in the console.


Use this same PowerShell session for the remainder of this guide.

Making the switch to HTTPS

TimeServer Configuration

Stop the TimeServer service: open services.msc, find the service (usually Totalview_TimeServer) and stop it.

In the TotalviewInstallFolder/TimeServer folder, open TimeServer.exe.config in a text editor and follow the instructions described there.

In the TotalviewInstallFolder/TimeClient folder, open TimeClient.exe.config in a text editor and follow the instructions described there.
NB! Change the tv_version at the top of the files to some other value, so that it triggers an auto-update for clients.

Windows OS Configuration

Run the following commands to assign the certificate to the port where the TimeServer is running, and potentially Payment and Account services:

netsh http add sslcert ipport="0.0.0.0:$timeserverport" certhash="$thumbprint" appid="{bfc1c581-4403-4fcf-b527-5312d1511822}"
netsh http add sslcert ipport="0.0.0.0:$paymentport" certhash="$thumbprint" appid="{bfc1c581-4403-4fcf-b527-5312d1511822}"
netsh http add sslcert ipport="0.0.0.0:$accountport" certhash="$thumbprint" appid="{bfc1c581-4403-4fcf-b527-5312d1511822}"

If you get the error “Cannot create a file when that file already exists.”, you need to remove the existing sslcert configuration for the same port. Running the following commands, and then rerunning the previous netsh http add sslcert commands, should fix the issue:

netsh http del sslcert ipport="0.0.0.0:$timeserverport"
netsh http del sslcert ipport="0.0.0.0:$paymentport"
netsh http del sslcert ipport="0.0.0.0:$accountport"

Now start the TimeServer service again.
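To confirm what each port is actually bound to, the following added example (not part of the original guide) reads the binding back with netsh http show sslcert and compares it with the intended certificate. It assumes the $timeserverport, $paymentport, $accountport and $thumbprint variables from this session, and that the bound hash is a 40-hex-digit SHA-1 thumbprint.

```powershell
# Added example: read back the sslcert binding of each port and compare it
# with the certificate that was meant to be bound.
$want = ($thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

foreach ($port in @($timeserverport, $paymentport, $accountport)) {
    if (-not $port) { continue }    # service not in use, variable never set

    $out = (netsh http show sslcert ipport="0.0.0.0:$port") -join "`n"

    # Find the hash by its shape (40 hex digits) rather than by its label,
    # so the check does not depend on how netsh words the field name.
    if ($out -match '\b[0-9A-Fa-f]{40}\b') {
        $bound = $Matches[0].ToUpper()
    } else {
        Write-Warning "Port ${port}: no sslcert binding found"
        continue
    }

    # The bound hash must refer to a certificate that is still in the
    # Local Computer store and still has its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $bound }

    [pscustomobject]@{
        Port          = $port
        BoundHash     = $bound
        MatchesWanted = ($bound -eq $want)
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}
```

A row with MatchesWanted or InStore set to False means the port is serving a different or missing certificate; this is worth rechecking after every certificate renewal, because the binding keeps pointing at the old thumbprint until it is replaced.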

Verification

Open your Time Client and log in.

In the bottom left corner it should say [SECURE].

HTTPS configuration is now complete. Congratulations!