
Secure openHistorian Web Interface adding https

J. Ritchie Carroll edited this page Feb 1, 2022 · 18 revisions

Adding Transport Layer Security (TLS/SSL) to the Self-Hosted openHistorian Web Interface

Note that these instructions target a Windows deployment. Non-Windows platforms running with Mono follow similar steps but use the httpcfg tool instead:

http://manpages.ubuntu.com/manpages/xenial/man1/httpcfg.1.html

Adding SSL

  1. Create a self-signed SSL certificate or obtain one

Note that the certificate must be installed to Local Computer / Personal / Certificates in order for it to be associated with the self-hosted web port.

  2. Copy the "thumbprint" from the certificate details with no spaces - this will become the certhash parameter value replacing YOUR_CERT_HASH in the commands below.
  3. Open an administrator command prompt and run the following commands:
netsh http add sslcert ipport=[::0]:8181 appid="{F65126E5-E27A-49DF-8188-1CDE74FE15F3}" certhash=YOUR_CERT_HASH

netsh http add sslcert ipport=0.0.0.0:8181 appid="{F65126E5-E27A-49DF-8188-1CDE74FE15F3}" certhash=YOUR_CERT_HASH

netsh http add urlacl url=https://+:8181/ user=Everyone

Port 8181 is selected as the secure port for the SSL binding here because port 8180 is preconfigured for non-SSL bindings, i.e., http, by default during installation. You will need to delete the existing urlacl bindings for 8180 if you want to continue to use the original port; see the Removing SSL section below. Currently the self-hosted web service only listens on one port, so that port will be either SSL or not.

The appid parameter value comes from the [assembly: Guid("value")] attribute in AssemblyInfo.cs of the openHistorian service.

  4. Make sure the openHistorian service is not running and update the following setting in the openHistorian.exe.config file:
<add name="WebHostURL" value="https://+:8181" description="The web hosting URL for remote system management." encrypted="false" />

Note that you can also run the XML Configuration Editor for the openHistorian to make this change. Using this tool, navigate to the systemSettings section, find the key called WebHostURL and change the value from http://+:8180 to https://+:8181. Clicking Save Settings will stop the openHistorian service, save the configuration change and automatically restart the openHistorian.

  5. When navigating to openHistorian, make sure to use the new port and specify https:

https://localhost:8181/
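
A check to run after the steps above, added here as an example and not part of the original wiki page or the openHistorian project: it normalizes the copied thumbprint, confirms the certificate is in Local Computer / Personal with a private key and is unexpired, and confirms that both port 8181 bindings reference it. The helper names ConvertTo-CertHash and Get-SslBinding are hypothetical, and the parsing assumes English-language netsh output.

```powershell
# Added example (not from the openHistorian project); run in an elevated PowerShell.
param(
    [string]$Thumbprint = 'YOUR_CERT_HASH',   # placeholder from the page; pass the real value
    [int]$Port = 8181,
    [string]$AppId = '{F65126E5-E27A-49DF-8188-1CDE74FE15F3}'
)

# Hypothetical helper: strip spaces and invisible characters picked up when
# copying from the certificate dialog, then require a 40-digit SHA-1 thumbprint.
function ConvertTo-CertHash([string]$Raw) {
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) { throw "Thumbprint has $($hex.Length) hex digits, expected 40." }
    return $hex
}

# Hypothetical helper: parse 'netsh http show sslcert' text into objects.
# Assumes English field labels (IP:port, Certificate Hash, Application ID).
function Get-SslBinding([string]$Text) {
    $pattern = 'IP:port\s*:\s*(\S+)\s+Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s+Application ID\s*:\s*(\{[^}]+\})'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        [pscustomobject]@{
            IpPort = $m.Groups[1].Value
            Hash   = $m.Groups[2].Value.ToUpperInvariant()
            AppId  = $m.Groups[3].Value
        }
    }
}

$hash = ConvertTo-CertHash $Thumbprint
$problems = @()

# The certificate must be in Local Computer / Personal with its private key.
$cert = Get-Item "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
if (-not $cert) { $problems += "No certificate $hash in Cert:\LocalMachine\My" }
elseif (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key' }
elseif ($cert.NotAfter -le (Get-Date)) { $problems += "Certificate expired $($cert.NotAfter)" }

# Both the IPv4 and IPv6 bindings on the port must reference that certificate.
$bindings = @(Get-SslBinding ((netsh http show sslcert) -join "`n") |
    Where-Object { $_.IpPort -like "*:$Port" })
if ($bindings.Count -lt 2) { $problems += "Expected 2 bindings on port $Port, found $($bindings.Count)" }
foreach ($b in $bindings) {
    if ($b.Hash -ne $hash) { $problems += "$($b.IpPort) is bound to $($b.Hash)" }
    if ($b.AppId -ne $AppId) { $problems += "$($b.IpPort) has appid $($b.AppId)" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"Port $Port is bound to $($cert.Subject), valid until $($cert.NotAfter)"
```

Saved to a .ps1 file, the script exits with code 1 and prints one warning per mismatch, so it can also be rerun after a certificate renewal to confirm the bindings were updated to the new thumbprint.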

Removing SSL

  1. Open an administrator command prompt and run the following commands:
netsh http delete sslcert ipport=[::0]:8181

netsh http delete sslcert ipport=0.0.0.0:8181

netsh http delete urlacl url=https://+:8181/
  2. Ensuring the openHistorian service is not running, update the following setting in the openHistorian.exe.config file, changing the value from https://+:8181 back to http://+:8180:
<add name="WebHostURL" value="http://+:8180" description="The web hosting URL for remote system management." encrypted="false" />

Creating a Trusted Self-Signed Certificate (Windows)

Steps 1-2 create the self-signed certificate:

  1. Run Windows PowerShell as an Administrator
  2. Run the following PowerShell command:
New-SelfSignedCertificate -FriendlyName "openHistorian Self-Signed Certificate" -DnsName openHistorianSSL, localhost -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(3)

Note that the -NotAfter (Get-Date).AddYears(3) parameter at the end of the command sets the certificate to expire in three years.

Also, the Thumbprint value shown on the screen after the PowerShell command runs successfully will be needed for step 3 of Adding SSL. Go ahead and copy this and save it for later, as this will be the replacement value for YOUR_CERT_HASH.

Steps 3-12 add the certificate to the Windows trusted certificate store:

  3. Run mmc.exe
  4. Press Ctrl+M (or select File > Add/Remove Snap-in...)
  5. Select Certificates and click Add
  6. Select Computer account and click Next >
  7. Make sure Local computer: (the computer the console is running on) is selected and click Finish then OK
  8. Navigate to the Console Root / Certificates (Local Computer) / Personal / Certificates folder
  9. Right-click on openHistorianSSL certificate and select Copy
  10. Navigate to the Console Root / Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder
  11. Right-click on the Certificates sub-folder of Trusted Root Certification Authorities in the tree and select Paste
  12. The openHistorianSSL certificate should now be in the Trusted Root Certification Authorities / Certificates folder and be trusted by the local system