Setting up SSL

Certain Pharos components, in particular the Pharos External Device Interface (EDI), use HTTP to communicate with each other. This communication can be secured with SSL encryption. Setting up encryption for secure communications requires the installation of certificates, which are supplied as a free service from Pharos Systems.

When to Use SSL

The following Pharos components communicate via HTTP, which can be secured with SSL:

  • Services, terminals, and iMFPs communicating with the Pharos EDI Service
  • Client web browsers accessing the SignUp Nerve Center

Where a service communicating with the EDI is on the same machine as the EDI, secure communications are not required (as no data is transmitted over the wire).

Setting up Encryption

To secure these communication paths with SSL, you must perform the following steps:

  1. Install the Pharos CA certificate on all computers that will access the server.
  2. Request a server certificate for the server component from Pharos Support.
  3. Install the server certificate on the server.
  4. Direct the relevant components to use SSL.

Installing the Pharos CA Certificate

The Pharos CA certificate is required to verify the server certificate during any SSL session (i.e. when communicating with the server). The Pharos CA certificate is publicly available—you can find it on the Pharos disk. This certificate must be installed on all clients that will be accessing the server. For example, when securing communication with the Pharos EDI Server, the CA certificate must be present on all terminals or computers running software that will contact the EDI. The Pharos Omega terminals and Pharos integrated Multifunction Printers (iMFPs) come with the CA certificate already installed.

To install the Pharos CA certificate on a computer:

  1. Access the Pharos disk image from the computer on which you want to install the Pharos CA certificate.
  2. Browse the disk image and open the server\edi.net folder. The Pharos CA certificate is called PharosCACertificate.crt.
  3. Double-click the certificate. If prompted, select Open.
  4. Click Install Certificate on the dialog that opens. This starts the Certificate Import Wizard.
  5. Click Next on the opening screen.
  6. Select Place all certificates in the following store on the Certificate Store screen and click Browse.
  7. Select the store Trusted Root Certification Authorities > Local Computer and click OK. (You may need to check the Show physical stores box to see this store.)
  8. Click Next.
  9. Click Finish.
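
The same installation can be scripted for the many clients that need the CA certificate. The following is an added example, not part of the original Pharos documentation: the function name, the D: drive letter and the expected thumbprint are assumptions, and the thumbprint must be obtained from Pharos Support because this page does not state it.

```powershell
# Added example, not Pharos code. Install-PharosCaCertificate is a hypothetical name.
# Run elevated: writing to the Local Computer store requires administrator rights.
function Install-PharosCaCertificate {
    param(
        # Path inside the mounted Pharos disk image (drive letter D: is an assumption).
        [string]$CertPath = 'D:\server\edi.net\PharosCACertificate.crt',
        # Not given on the page: obtain it from Pharos Support through a channel
        # other than the disk image itself.
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $store = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities > Local Computer
    $file  = (Resolve-Path -LiteralPath $CertPath).Path
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # A trusted root vouches for every certificate it issues, so pin the exact file first.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "CA certificate expired on $($cert.NotAfter)"
    }

    # Import only if this exact certificate is not already in the store.
    if (-not (Test-Path -LiteralPath "$store\$($cert.Thumbprint)")) {
        Import-Certificate -FilePath $file -CertStoreLocation $store | Out-Null
    }

    # Read back from the store so the result reflects what is actually trusted.
    Get-ChildItem -LiteralPath $store |
        Where-Object Thumbprint -eq $cert.Thumbprint |
        Select-Object Subject, Thumbprint, NotAfter
}

# Usage (the thumbprint value is a placeholder):
# Install-PharosCaCertificate -ExpectedThumbprint '<THUMBPRINT-FROM-PHAROS-SUPPORT>'
```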

Requesting a Server Certificate using IIS 7.0 or later

To obtain a certificate from Pharos Systems, you must generate a certificate request using Microsoft Internet Services Manager and send it to Pharos Systems. The certificate request is simply a text file containing information about your server in an encoded format.

The following instructions describe how to obtain a server certificate using IIS 7.0 or later.

To generate a certificate request using IIS 7.0 or later:

  1. Open the Internet Services (IIS) Manager.
  2. Select the server on which you want to enable encryption and then double-click Server Certificates (from IIS).
  3. In the Server Certificates Actions pane, select Create Certificate Request. This opens the Request Certificate dialog.
  4. In the Common name field, enter the name of your certificate. You may want to match it with the name of the Web site.

Note: Server certificates are specific to the common name that they have been issued to, so it is important that the common name is correct. The common name must be the same as the Web address you will be accessing when connecting to the secure site. Common names are typically composed of Host + Domain Name and will look like "servername" or "servername.domain". If the certificate is used on a cluster, the common name should be the Host + Domain Name of the virtual server name of the resource group that contains the Pharos services.

  5. Enter values for the rest of the fields:
  • Organization
  • Organizational Unit
  • City/locality
  • State/province
  • Country/region

These values do not need to match any Active Directory entries.

  6. Click Next.
  7. Select the Cryptographic Service Provider.
  8. Select a bit length; the higher the bit length, the stronger the certificate encryption. Click Next.
  9. Specify the file name and the location of the certificate request. Remember the filename and the location where you saved the file.

On IIS 7.0, the text file (called certreq.txt by default) is created in the location you specified in step 9.

  10. Click Finish.

The request can now be emailed to Pharos Systems at support@pharos.com.

Installing the Server Certificate Using IIS 7.0 or later

Once the request is received and verified, Pharos Systems will generate your certificate and send it to you.

To install the certificate on your server using IIS 7.0 or later:

  1. Open the IIS Manager.
  2. Select the server on which you want to enable SSL, and then click Server Certificates (from IIS).
  3. In the Server Certificates Actions Pane, add a certificate to your server.
  4. On the Default Web Site, check that you have added https to your Bindings list.
  5. On the Sites list, select Pharos EDI.
  6. Double click SSL Settings and tick the Require SSL checkbox.
  7. Click Apply.

Directing the System to Use SSL

Once both the CA certificate and the server certificate have been installed where required, SSL can be activated by directing the clients to connect to the server using https.

Pharos EDI

To direct clients to contact the EDI Server using SSL, configure them to connect to the server using the URL:

https://<server>/PharosEdi/EdiService.asmx

where <server> is the host name of the web server that the Pharos EDI is installed on. This should be the host name specified in the common name of the certificate.
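
Before pointing terminals at the https URL, a client can check the two conditions this page depends on: that the host name matches the certificate's common name, and that the certificate chains to a CA the client trusts. The following is an added example, not part of the original Pharos documentation: the function name, port 443 and the sample host name are assumptions.

```powershell
# Added example, not Pharos code. Test-EdiTls is a hypothetical helper name.
function Test-EdiTls {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 443)

    $seen = @{ Errors = $null; Subject = $null; Issuer = $null; Expires = $null; Failure = $null }
    # Record what the server presented; accept only if Windows found no policy errors.
    $validate = {
        param($s, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        if ($certificate) {
            $seen.Subject = $certificate.Subject
            $seen.Issuer  = $certificate.Issuer
            $seen.Expires = $certificate.GetExpirationDateString()
        }
        $policyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }.GetNewClosure()

    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$validate)
        # $Server is the name checked against the certificate's common name.
        try { $ssl.AuthenticateAsClient($Server) }
        catch { $seen.Failure = $_.Exception.GetBaseException().Message }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Dispose() }

    $e    = $seen.Errors
    $type = [System.Net.Security.SslPolicyErrors]
    [pscustomobject]@{
        Server       = $Server
        Subject      = $seen.Subject
        Issuer       = $seen.Issuer
        Expires      = $seen.Expires
        Trusted      = ($e -eq $type::None)
        # Set when $Server differs from the common name in the server certificate.
        NameMismatch = ($null -ne $e -and $e.HasFlag($type::RemoteCertificateNameMismatch))
        # Set when the chain does not validate, e.g. the CA certificate is not installed here.
        ChainError   = ($null -ne $e -and $e.HasFlag($type::RemoteCertificateChainErrors))
        Failure      = $seen.Failure
    }
}

# Usage (constructed host name):
# Test-EdiTls -Server 'edi01.example.edu'
```

A result with NameMismatch set means the URL host should be changed to the certificate's common name; ChainError on a client usually means the CA certificate still needs to be installed on that computer.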

SignUp Nerve Center

If you want to secure communication between users’ web browsers and the SignUp Nerve Center, you must instruct users to browse to the following URL (note the https):

https://[server]/SignUp/