Enable SSL for Apollo 2015

[1] Obtain proper SSL certificate *.pfx (contains both certificate and private keys)

For example, the pfx file contains both certificate and private keys, also the ascii file contains the password.

[2] Import Certificate to local computer

This section instructs you on how to import a trusted certificate into your Local Computer's certificate store.1. Run mmc.exe to launch the Microsoft Management Console (or, open a pre-configured MMC console if you have one.)

NOTE: You should run mmc.exe with Administrator rights.

2. Before you can add certificates to the Windows Certificate Store, you must add the Certificate snap-in to the Microsoft Management Console (MMC) on the Windows Server host on which the View server is installed.a. Verify that the MMC and Certificate snap-in are available on the Windows Server computer on which the View server is installed.In the MMC window, go to File > Add/Remove Snap-inIn the Add or Remove Snap-ins window, select Certificates and click Add.In the Certificates snap-in window, select Computer account, click Next, select Local computer, and click Finish.In the Add or Remove snap-in window, click OK

1. Expand Certificates (Local Computer) to display the certificate store nodes.2. Expand Trusted Root Certification Authorities, right click on Certificates and select All Tasks and Import.

3. On the Certificate Import Wizard, choose “Local Machine”, and click Next.Then specify the .pfx file for File to Import. Click Next.

From “Private key protection” dialog, use the Password from the ASCII file that comes with the pfx certificate.Then make sure to select “Mark this key as exportable” option. Click Next.

NOTE: if you provide the wrong password, you will get the following message “The password you entered is incorrect.”

From Certificate store, choose “Place all certificate in the following store: Trusted Root Certification Authorities”

Review the summary page, and click “Finish”.

You will get “The import was successful” message.

Here is the imported Certification, you can view the Issuer, Expiration date, Friendly name...

Do the same thing for “Intermediate Certification Authorities”

[3] Import certification to IIS

1. Open Administrative Tools > Internet Information Services (IIS) Manager2. Click on the server name in the Connections pane.3. In the main pane, double click on the Server Certificates icon to open the Server Certificates view.

4. Once in “Server Certificate” view, then Click on the Import... link in the far right Actions pane to open the Import Certificate dialog.

5. Select the Certificate File (*.pfx) you received from a Certificate Authority, also the password that comes with the certification.click OK to complete the import.

Now the certificate will be imported to IIS, you can click view to see details about the certificate.

[4] HTTPS port Binding

Adding an https Binding to the ERDAS APOLLO Web Site This section instructs you on how to add an https binding associated with an SSL trusted certificate to your ERDAS APOLLO web site.1. Open Administrative Tools > Internet Information Services (IIS) Manager.

NOTE: If you have just completed Importing an SSL Certificate into IIS (on page 17), IIS Manager should already be opened.2. Expand the Sites folder3. Select the site to be secured.

NOTE: This will either be the Default Web Site or the web site that you added and configured in Configuring the ERDAS APOLLO Web Site 4. From the Actions menu (on the right), select Bindings... to open the Site Bindings dialog box.

5. In the Site Bindings dialog box, click Add... to open the Add Site Binding dialog box.6. Under Type choose https.7. The IP address should be the IP address of the site or All Unassigned.8. The port over which traffic will be secured by SSL is usually 443.9. The SSL Certificate field should specify the SSL certificate that was imported into IIS in Importing an SSL Certificate into IIS.

In this case, the SSL certificate is “*.ingrnet.com”, select it from the drop down list.10. Click OK to add the https binding.

Your SSL certificate is now installed and the website configured to accept secure connections through https.

[5] Run Apollo Configure Wizard

NOTE: Due to the following bug in Apollo 2015, you can not change the hostname during configuration wizard (if this is not the 1st time to run the wizard). If you want to change host name, then you have to uninstall reinstall Apollo again.CR 1-BMIVHN config wizard for ERDAS APOLLO throws error when hostname is changed

During configure wizard HTTP Server settings, the “→ HTTPS on port 443” should show up, and make sure it is highlighted/selected.Also make sure you use the domain for the server name.

[6] Configuring APOLLO Services for SSL

If you have configured Secure Sockets Layer as described in Configuring Secure Sockets Layer (SSL) (on page 16), you can now configure your ERDASAPOLLO services to use https and SSL.Configuring the APOLLO Catalog WMS Service for SSL1. Navigate to C:\Program Files\Common Files\Hexagon\Services\Instances\ApolloCatalogWMS.2. Open web.config and search for the comment, "If you wish to run the service over HTTPS transport change the mode from None to Transport".3. On the next line change <security mode="None"> to <security mode="Transport">.4. Search for the comment again and change the second occurrence from "None" to "Transport" also.5. Save and close the file. The ERDAS APOLLO Catalog WMS service will automatically restart.

Do the same thing for public WMS again.1. Navigate to C:\Program Files\Common Files\Hexagon\Services\Instances\ApolloCatalogWMSPublic.2. Open web.config and search for the comment, "If you wish to run the service over HTTPS transport change the mode from None to Transport".3. On the next line change <security mode="None"> to <security mode="Transport">.4. Search for the comment again and change the second occurrence from "None" to "Transport" also.5. Save and close the file. The ERDAS APOLLO Catalog WMS service will automatically restart.

[7] Configure Geospatial Portal for SSL

If IIS is configured to receive requests on a public address and that address is not resolved as the localhost IP (it is IP address of another server that redirects requests), configure the host machine to resolve the public host name as the localhost IP address.To configure the host machine, add the following line to C:\Windows\System32\drivers\etc\hosts file.127.0.0.1 publichostname.yourdomain.com

[8] Test DM and Portal @ HTTP port 80 (DM can not render image)

Portal √

Both Data manager and Portal should work on regular http port 80

If click WMS link, and save shortcut, and you will find it actually use HTTPshttps://vmapollosupport.ingrnet.com/ApolloCatalogWMS/service.svc/get?service=WMS&version=1.3.0&REQUEST=GetLayer&layers=XS_truecolor_sub

DM x

While DM will not render the image, and Confirmed with Sridhar @ QA team.The following CR has been filed.CR 1-DIFOC0 Could not render any WMS @ Data Manager http port 80 with SSL enabled.

And http://vmapollosupport.ingrnet.com/ApolloCatalogWMS/service.svc/get?Service=WMS&Request=GetCapabilities will return 404, which explains why there is no WMS rendering in Apollo data manager.

[9] Test DM and Portal @ HTTPs port 443

Both Data manager and Portal should work on regular https port 443

Portal √

DM √

https://vmapollosupport.ingrnet.com/ApolloCatalogWMS/service.svc/get?Service=WMS&Request=GetCapabilities