SSL Support Problems

If you are having a problem using Vault, post a message here.

Moderator: SourceGear

kmenningen
Posts: 15
Joined: Sun Mar 07, 2004 7:36 am
Location: Madison, WI

SSL Support Problems

Post by kmenningen » Wed Jun 21, 2006 7:00 pm

We recently purchased Vault and have successfully set it up in unencrypted mode. We are trying to get SSL support going so we can go live. After successfully assigning a certificate to the web site, we can no longer connect. I have verified that when switched back to unencrypted mode, the system still works. Also, I turned on Debug level logging, but there is nothing in the SgVault.log file after attempting to log in with SSL. Logging in unencrypted puts in two lines in that log.

Here is the error message we receive with SSL:
"Unable to connect to https://xxxx.domain.com:8686/VaultService. No server was found at the specified URL. Please verify your network settings using the Options dialog under the Tools menu in the Vault GUI Client. Web Exception: The underlying connection was closed: Could not establish secure channel for SSL/TLS."

It is very possible that we messed something up when adding the certificate. Question: if the website is xxxx.domain.com internally (intranet) but the certificate is for yyyy.domain.com for external access, will that fail in this manner? Or can the certificate have a different name and still work correctly? xxxx is the machine name and works correctly when SSL is not enabled.

Thanks for your help,

Kevin Menningen
Lead Software Engineer
VIASYS Healthcare, Inc.

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Thu Jun 22, 2006 12:32 pm

The servername and certificate name should match, unless you're doing some fancy configuration:

http://www.microsoft.com/technet/prodte ... dcard.mspx
Linda Bauer
SourceGear
Technical Support Manager

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Thu Jun 22, 2006 2:12 pm

Can you access https://xxxx.domain.com:8686/VaultService with a browser?
Linda Bauer
SourceGear
Technical Support Manager

kmenningen
Posts: 15
Joined: Sun Mar 07, 2004 7:36 am
Location: Madison, WI

Still having problems

Post by kmenningen » Thu Jun 22, 2006 3:56 pm

Hi Linda,

No, we can't access it with a browser. We created a new certificate that matched the server name, but still have the same problem. This is a Windows Server 2003 R2 operating system.

Attached is a group of screenshots with our complete configuration and browser tests. Please let us know if there are things we should change.

Thanks in advance,

--Kevin

[Attachment deleted because it is big and didn't help]
Last edited by kmenningen on Sun Jun 25, 2006 4:54 am, edited 2 times in total.
Kevin Menningen
VIASYS Healthcare - Nicolet Biomedical

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Thu Jun 22, 2006 4:46 pm

"We created a new certificate that matched the server name, but still have the same problem."
Is your certificate signed? Did you send it to a signing authority, or sign it yourself? If it's not signed, this could be why it's not working.
Linda Bauer
SourceGear
Technical Support Manager

kmenningen
Posts: 15
Joined: Sun Mar 07, 2004 7:36 am
Location: Madison, WI

Certificate Signing

Post by kmenningen » Mon Jun 26, 2006 11:25 am

I'm not sure what you mean about signing the certificate -- typically a certificate is used to sign something else. Attached are screenshots of the certificate we are using, and the root certificate. Should it look different? Would you please tell us how to change the certificate if it needs changing?

Thanks!

[attachment deleted - no longer pertinent]
Kevin Menningen
VIASYS Healthcare - Nicolet Biomedical

kmenningen
Posts: 15
Joined: Sun Mar 07, 2004 7:36 am
Location: Madison, WI

Issue Resolved - Permissions

Post by kmenningen » Mon Jul 10, 2006 4:26 pm

After contacting Microsoft, we discovered the source of the problem was permissions for 'Everyone' in the Crypto folder. Granting the "Everyone" group "Read & Execute" permission on the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder solved the problem.

The documentation and installer help mentioned adding NETWORKSERVICE to the permissions for that folder, but we don't recall seeing instructions to give Everyone Read & Execute permissions. If your documentation does not mention this, would you please update it?

Furthermore, we could find no mention of the relation between this permission and SSL support. It turns out SSL in any form, whether related to the Vault application or not, would not work until this permission was set. Perhaps that might be useful for your knowledge base.

Thanks!
Kevin Menningen
VIASYS Healthcare - Nicolet Biomedical
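
The permission check described in the post above, as an added example that is not part of the original thread or of SourceGear's or Microsoft's documentation: a read-only PowerShell audit of the MachineKeys folder ACL for Everyone and NETWORK SERVICE, which also lists any key files that Everyone can read. It assumes PowerShell is available on the server and is run from an elevated prompt; the function name Get-AllowedMask is illustrative.

```powershell
# Added example: read-only audit of the machine key store ACL named in the post.
# Assumption: elevated PowerShell prompt on the IIS server; nothing is modified.
$machineKeys = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

# Resolve well-known SIDs to account names so the check also works on localized systems.
$ntAccount      = [System.Security.Principal.NTAccount]
$everyone       = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0').Translate($ntAccount).Value
$networkService = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20').Translate($ntAccount).Value

function Get-AllowedMask {
    param([string]$Path, [string]$Account)
    # OR together the rights of every Allow entry that applies to the object itself.
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $inheritOnly = $ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Account -and
            -not $inheritOnly) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    return $mask
}

# 1. Folder-level check: the post reports SSL failing until Everyone had Read & Execute here,
#    and says the product documentation mentions NETWORK SERVICE for the same folder.
$readExecute = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
foreach ($account in $everyone, $networkService) {
    $granted = Get-AllowedMask -Path $machineKeys -Account $account
    $ok = ($granted -band $readExecute) -eq $readExecute
    '{0,-35} Read & Execute on folder: {1}' -f $account, $ok
}

# 2. File-level check: a folder grant should not expose the private key files themselves,
#    so report every key file whose own ACL lets Everyone read its data.
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
Get-ChildItem -Path $machineKeys -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        if ((Get-AllowedMask -Path $_.FullName -Account $everyone) -band $readData) {
            'Key file readable by {0}: {1}' -f $everyone, $_.Name
        }
    }
```

Entries that grant only generic rights or that are denied by a separate Deny entry are not evaluated by this check.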

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Tue Jul 11, 2006 8:20 am

Thanks for the info. Although SSL is an IIS configuration issue rather than a configuration in Vault, we are thinking of writing up a KB article for Vault users on how to set up SSL in IIS, and this information is useful.
Linda Bauer
SourceGear
Technical Support Manager
