Sunday, 9 August 2015

Configuring Web Services to Use SSL (SOAP and OData)

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a cryptographic protocol that provides confidentiality and integrity for data in transit over a network.

By configuring your Microsoft Dynamics NAV web services to use SSL, you ensure that SOAP and OData requests and responses, including any credentials the client presents, are encrypted on the wire instead of being sent in clear text, and that the client can verify it is talking to the genuine server.

Microsoft Dynamics NAV Web Services and SSL


Microsoft Dynamics NAV supports SSL with server authentication for SOAP and OData web services.

The server authenticates itself to the client, but the client does not authenticate itself to the server with a certificate. The client is still identified at the application level by the credentials it presents to the web service.

When the web service client connects to the Microsoft Dynamics NAV Server instance, the server replies by sending its digital certificate to the client. This certificate contains the server's public key and the name of the certification authority that issued it. The client validates the certificate chain against that authority's certificate in its trusted root store, checks that the certificate has not expired, and checks that the certificate's subject or subject alternative name matches the host name it connected to. If you use a test certificate from your own root CA, that root certificate must therefore be installed on every client, or clients will reject the connection or warn about it.

The prerequisites, creating and installing certificates for Microsoft Dynamics NAV Server, are covered in earlier posts. If you have not completed them, follow the links below first:

How to create a root CA and a private key file by using the makecert.exe utility

How to create certificate revocation list for the root certification authority

How to create and install a test certificate for the Microsoft Dynamics NAV Server computer

How to grant access to the certificate’s private key to the service account for the Microsoft Dynamics NAV Server

Implementing Security Certificates.

Configuring Microsoft Dynamics NAV Web Services to Use SSL


The first step is to prepare Microsoft Dynamics NAV to use SSL. This involves configuring the relevant Microsoft Dynamics NAV Server instance to specify SSL.

The following procedure uses Microsoft Dynamics NAV Server Administration tool to configure the Microsoft Dynamics NAV Server instance.

  • Choose the Start button, and in the Search programs and files box, type Microsoft Dynamics NAV Administration, and then choose the related link.

  • In Microsoft Dynamics NAV Server Administration tool, in the left pane, under Console Root, expand the node for the Microsoft Dynamics NAV Server computer. This is typically named Microsoft Dynamics NAV (Local), which is the local computer.

The Microsoft Dynamics NAV Server instances on the computer appear in the left and center panes. In the left pane, choose the relevant instance to display its settings in the center pane.

  • At the bottom of the center pane, choose Edit.

  • To configure SOAP web services to use SSL, expand the SOAP Web Services tab, and then select the Enable SSL check box. Make a note of the port that is used by SOAP web services (7047 by default). You will need the port number later in this walkthrough.

  • To configure OData web services to use SSL, expand the OData Web Services tab, and then select the Enable SSL check box. Make a note of the port that is used by OData web services (7048 by default). You will need the port number later in this walkthrough.

  • Choose Save at the bottom of the center pane.

  • In the right pane, under Actions, choose Login Account.

  • Make a note of the service account information. The URL reservations that you create later must be granted to exactly this account; otherwise the instance cannot open its https endpoints.
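The same instance settings can be changed from PowerShell with the NAV management cmdlets, which is easier to script and to review than the MMC tool. The following is an added example and not code from the original post or from Microsoft; it assumes a NAV 2015 installation under the path shown, an instance named DynamicsNAV80, and the CustomSettings.config key names SOAPServicesSSLEnabled, ODataServicesSSLEnabled, SOAPServicesPort and ODataServicesPort, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): switch the SOAP and OData endpoints
# of a NAV Server instance to SSL with the NAV management cmdlets instead of the
# MMC-based Administration tool, then read back the values needed for the
# netsh steps (ports and service account).
# Assumptions: NAV 2015 installed under the path below, an instance named
# DynamicsNAV80, and the CustomSettings.config key names shown. Run elevated.
$ServerInstance = 'DynamicsNAV80'
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\80\Service\NavAdminTool.ps1'

# Show the current web service settings before changing anything.
$keys = 'SOAPServicesEnabled', 'SOAPServicesPort', 'SOAPServicesSSLEnabled',
        'ODataServicesEnabled', 'ODataServicesPort', 'ODataServicesSSLEnabled'
Get-NAVServerConfiguration -ServerInstance $ServerInstance |
    Where-Object { $keys -contains $_.key } |
    Format-Table key, value -AutoSize

# Equivalent of selecting 'Enable SSL' on both tabs. The change is written to the
# instance configuration and takes effect only after the instance is restarted.
Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName 'SOAPServicesSSLEnabled'  -KeyValue 'true'
Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName 'ODataServicesSSLEnabled' -KeyValue 'true'

# Record the ports and the service account; the URL reservations and the
# certificate binding must use exactly these values.
$cfg       = Get-NAVServerConfiguration -ServerInstance $ServerInstance
$soapPort  = ($cfg | Where-Object { $_.key -eq 'SOAPServicesPort' }).value
$odataPort = ($cfg | Where-Object { $_.key -eq 'ODataServicesPort' }).value
$account   = (Get-NAVServerInstance -ServerInstance $ServerInstance).ServiceAccount
"SOAP port: $soapPort   OData port: $odataPort   Service account: $account"
```

The key and value property names on the objects returned by Get-NAVServerConfiguration, and the ServiceAccount property of Get-NAVServerInstance, are assumed from the NAV 2015 cmdlets; check them with Get-Member on your version before relying on the last three lines.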

Configuring the Access Control List and the Web Services Ports for SSL


An access control list (ACL) is part of the Windows security infrastructure. The ACL relevant here is the URL reservation kept by the HTTP Server API (http.sys): it records which Windows account may register a listener for a given URL prefix (scheme, host and port). Microsoft Dynamics NAV Server runs under a service account rather than as an administrator, so that account must be granted the https prefix for each web service port before the instance can listen on it.

Note

These procedures use the netsh tool (netsh.exe) to configure the HTTP server. The netsh tool is supplied with Windows 7 and Windows Server 2008 and later. The netsh http commands change machine-wide state and must be run from an elevated command prompt.

By default the netsh tool is located in the C:\Windows\System32 folder.

To configure the ACL

  1. On the computer running Microsoft Dynamics NAV Server, open a command prompt as an administrator: from the Start menu, choose All Programs, choose Accessories, right-click Command Prompt, and then choose Run as administrator.

  2. At the command prompt, type the following command to change to the Windows\System32 directory:

cd \Windows\System32

  3. To view the ACL for the web services ports and determine whether any entries already use the relevant host name and port, type the following command:

netsh http show urlacl

     Each entry is listed by the Reserved URL field, which has the format http://hostname:port/path/. hostname is the name of the computer running the service and port is the port number the service runs on. A '+' (plus sign) in the host position is a wildcard that matches every host name a client may use to reach this computer, including localhost.

     By default, SOAP and OData web services in Microsoft Dynamics NAV use ports 7047 and 7048, respectively, and connect to a Microsoft Dynamics NAV Server instance named DynamicsNAV80. The default reserved URL entries for these services are http://+:7047/DynamicsNAV80/ and http://+:7048/DynamicsNAV80/.

  4. You must delete any entries that use the same port as the SOAP or OData web services. To delete an entry, type the following command:

netsh http delete urlacl url=http://hostname:port/NAVserver/

     Substitute port with the port number of the SOAP or OData web service and NAVserver with the name of the Microsoft Dynamics NAV Server instance. For example, to delete the default entries for SOAP and OData, use the following two commands:

netsh http delete urlacl url=http://+:7047/DynamicsNAV80/

netsh http delete urlacl url=http://+:7048/DynamicsNAV80/

  5. To register the ports for the SOAP and OData web services with https, type the following command for each service:

netsh http add urlacl url=https://hostname:port/navserver/ user=DOMAIN\user

     Substitute the following options with the proper values:

Option        Description
hostname      The name of the computer running Microsoft Dynamics NAV Server. Use + to match all host names (the usual choice), or the exact host name that clients will use.
port          The port that is used by the web service.
navserver     The name of the Microsoft Dynamics NAV Server instance to use with the web service. The default is DynamicsNAV80.
DOMAIN\user   The domain and user name of the service account for Microsoft Dynamics NAV Server, as noted from the Login Account dialog. If the service account is Network Service, then use "NT AUTHORITY\NETWORK SERVICE". Grant the reservation to the service account only: a different account prevents the instance from opening the endpoint, and a broad principal such as Everyone lets any local user's process register a listener on the URL.

     For example, if the service account for Microsoft Dynamics NAV Server has the domain ABC and the user name xyz, then the command for the SOAP web service is as follows:

netsh http add urlacl url=https://+:7047/DynamicsNAV80/ user=ABC\xyz

     If the service account for Microsoft Dynamics NAV Server is Network Service, then the command is as follows:

netsh http add urlacl url=https://+:7047/DynamicsNAV80/ user="NT AUTHORITY\NETWORK SERVICE"

     Repeat the command for the OData port (7048 by default).

  6. To verify that the ports have been registered, run netsh http show urlacl again and confirm that the https entries are present for both ports and that no http entry remains on them.
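The procedure above is easy to get subtly wrong by hand (a leftover reservation on the port, a typo in the account name). As an added example, not code from the original post, the following PowerShell script performs steps 3 to 6 in one pass: it parses the output of netsh http show urlacl, removes every reservation on the web service ports, adds the https reservations for the service account, and lists the result. It assumes the default ports, the instance name DynamicsNAV80 and the Network Service account; replace these with the values you noted in the Administration tool, and run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): replace the plain-http URL
# reservations for the SOAP and OData ports with https reservations owned by
# the NAV service account, then show the result.
# Assumptions: ports 7047/7048, instance DynamicsNAV80 and the service account
# below; adjust them to the values noted in the NAV Server Administration tool.
$Instance       = 'DynamicsNAV80'
$Ports          = 7047, 7048
$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'   # or 'DOMAIN\user'

function Invoke-Netsh {
    # Run netsh and fail loudly: a reservation that silently did not get added
    # shows up later only as the NAV instance refusing to start its endpoints.
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $out" }
    $out
}

function Get-UrlAclReservations {
    # Parse 'netsh http show urlacl' into one object per Reserved URL with its users.
    $current = $null
    foreach ($line in (Invoke-Netsh 'http', 'show', 'urlacl')) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    if ($current) { $current }
}

foreach ($port in $Ports) {
    # Any reservation already on this port (http or https, any host part) must go,
    # as the walkthrough requires; the list printed here is your record of what was removed.
    $clashes = Get-UrlAclReservations | Where-Object { $_.Url -match "^https?://[^/]+:$port/" }
    foreach ($c in $clashes) {
        Write-Host "Removing $($c.Url) (users: $($c.Users -join ', '))"
        Invoke-Netsh 'http', 'delete', 'urlacl', "url=$($c.Url)" | Out-Null
    }
    $url = "https://+:$port/$Instance/"
    Invoke-Netsh 'http', 'add', 'urlacl', "url=$url", "user=$ServiceAccount" | Out-Null
    Write-Host "Reserved $url for $ServiceAccount"
}

# Verification: each port should now show exactly one reservation, and it must be https.
$portPattern = $Ports -join '|'
Get-UrlAclReservations | Where-Object { $_.Url -match "^https?://[^/]+:($portPattern)/" } |
    Format-Table Url, Users -AutoSize
```

PowerShell quotes the user=... argument when it contains spaces, which netsh accepts in the same way as the user="..." form shown above. The script deliberately removes reservations made by other applications on the same port, exactly as step 4 instructs; if the printed list shows a URL you did not expect, another service is already using that port and you should pick a different port in the NAV instance configuration instead.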


To configure the port to use the SSL certificate

  1. At the command prompt, type the following command to view the current port configurations:

netsh http show sslcert

     All port bindings to SSL certificates are listed. Each entry is indicated by the IP:port field, where IP is the IP address that uses the port (0.0.0.0 indicates all IPv4 addresses) and port is the port number.

  2. If SSL is already configured on the address and port that you want to use for SOAP or OData web services, then use the following command to delete the entry:

netsh http delete sslcert ipport=ipaddress:port

     Substitute ipaddress and port with the IP address and port number of the entry that you want to delete. For example, to delete the entry on the default SOAP port, use the following command:

netsh http delete sslcert ipport=0.0.0.0:7047

  3. To bind an SSL certificate to the SOAP or OData web service port, use the following command:

netsh http add sslcert ipport=ipaddress:port certhash=thumbprint appid={id}

     Substitute the following options with the proper values:

Option       Description
ipaddress    The IP address that can use the web service. Use 0.0.0.0 to include all IPv4 addresses (use [::] for all IPv6 addresses).
port         The port that is used by the web service.
thumbprint   The SHA-1 thumbprint of the server certificate that you obtained in the previous post, as 40 hexadecimal digits with no spaces. The certificate must be in the computer's Personal store (Local Computer\Personal), which is where netsh looks by default, and its private key must be readable by the service account, as described in the earlier post on granting access to the private key.
id           A GUID that identifies the application that owns the binding, in the format {NNNNNNNN-NNNN-NNNN-NNNN-NNNNNNNNNNNN}. http.sys does not check it against anything. If you do not know the appid, then use any value, such as {00112233-4455-6677-8899-AABBCCDDEEFF}, and use the same value for both ports so the bindings are easy to identify later.

     For example, the following command binds a certificate that has the thumbprint c0d0f27095b03d4317e219841024328cef248779 to port 7047 for all IPv4 addresses:

netsh http add sslcert ipport=0.0.0.0:7047 certhash=c0d0f27095b03d4317e219841024328cef248779 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

Important: Replace the port and thumbprint values with your own, and repeat the binding for the OData port. A thumbprint copied from the certificate properties dialog frequently contains spaces or an invisible character at the start; netsh then reports a parameter error, so retype it or strip everything that is not a hexadecimal digit before running the command.
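The binding step fails in practice for a handful of reasons that netsh reports poorly: a thumbprint with stray characters, a certificate that is in the wrong store or has no private key, or a certificate whose name does not match the host clients connect to. As an added example, not code from the original post, the following PowerShell script performs those checks before binding the certificate to both web service ports. It assumes the thumbprint from the walkthrough, the default ports and the fixed appid shown; the DnsNameList property is one that the PowerShell certificate provider adds to certificate objects (PowerShell 3.0 or later).

```powershell
# Added example (not from the original post): validate the server certificate,
# then bind it to the SOAP and OData ports with netsh http add sslcert.
# Assumptions: thumbprint, ports and appid below; certificate is in
# Cert:\LocalMachine\My (the store netsh searches by default). Run elevated.
$Thumbprint = 'c0d0f27095b03d4317e219841024328cef248779'   # replace with yours
$Ports      = 7047, 7048
$AppId      = '{00112233-4455-6677-8899-AABBCCDDEEFF}'    # any GUID; keep it fixed
$HostName   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # FQDN clients use

# Thumbprints pasted from the certificate UI often carry spaces or an invisible
# left-to-right mark (U+200E); strip everything that is not a hex digit.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint must be 40 hex digits, got '$Thumbprint'" }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert)                    { throw "No certificate $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key; the TLS handshake cannot complete' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Clients compare the name they connected to against the certificate's DNS names.
# A mismatch is not fatal for the binding, but every client will see an error.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $HostName) {
    Write-Warning "Certificate names ($($names -join ', ')) do not include $HostName"
}

foreach ($port in $Ports) {
    $ipport = "0.0.0.0:$port"    # all IPv4 addresses; use "[::]:$port" for IPv6 listeners

    # Remove an existing binding on this ip:port first (netsh refuses to overwrite).
    $existing = & netsh.exe http show sslcert "ipport=$ipport" 2>&1
    if (($existing -join "`n") -match 'Certificate Hash') {
        & netsh.exe http delete sslcert "ipport=$ipport" | Out-Null
        Write-Host "Removed previous binding on $ipport"
    }

    $out = & netsh.exe http add sslcert "ipport=$ipport" "certhash=$Thumbprint" "appid=$AppId" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Binding on $ipport failed: $out" }
    Write-Host "Bound '$($cert.Subject)' (expires $($cert.NotAfter.ToShortDateString())) to $ipport"
}

# Final state, for the record.
& netsh.exe http show sslcert
```

If the host name warning fires for a test certificate, connect using one of the names the certificate does carry, or reissue the certificate with the correct subject alternative names; suppressing the check on the client side defeats the server authentication that SSL is meant to give you.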

Restart the Microsoft Dynamics NAV Server Instance


You can use the Microsoft Dynamics NAV Server Administration Tool to restart the Microsoft Dynamics NAV Server instance. The Enable SSL settings that you saved earlier take effect only when the instance restarts; until then the web services continue to listen on the plain http URLs.

To restart Microsoft Dynamics NAV Server



  1. In Microsoft Dynamics NAV Server Administration tool, in the left pane, under Console Root, choose the Microsoft Dynamics NAV Server computer.

  2. In the center pane, choose the Microsoft Dynamics NAV Server instance that you have configured, and then in the right pane under Actions, choose Restart.

  3. After the instance restarts, close Microsoft Dynamics NAV Server Administration tool.


Verifying the Configuration


You should now be able to use web services that are encrypted with SSL. To verify this, type the following URL in the address bar of your browser, substituting your port and instance name if they differ from the defaults:
https://localhost:7047/DynamicsNAV80/WS/services

The page lists any web services that have been published. Two things to check while you are there: the browser shows the connection as secure only if the certificate chains to a root it trusts and contains the name you typed (use the host name from the certificate rather than localhost if they differ), and the same URL with http:// instead of https:// should now fail, because the port is bound to the certificate and no longer accepts plain-text requests.
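A browser check hides most of what you want to know about the handshake. As an added example, not code from the original post, the following PowerShell function opens a TLS connection to the SOAP port from the client's point of view, reports the certificate the server presented along with the negotiated protocol and any chain or name validation errors, and then confirms that the https URL answers and the http URL on the same port does not. It assumes the default host, port and instance name; the https request is expected to fail with a trust error if the test root CA is not installed on the machine running the check.

```powershell
# Added example (not from the original post): verify the SSL binding from a
# client. Assumptions: host, port and instance below; run on a machine that
# trusts the certificate's root CA for a clean result.
$HostName = 'localhost'      # use the name that appears in the certificate
$Port     = 7047
$Instance = 'DynamicsNAV80'

function Test-TlsEndpoint {
    param([string]$TargetHost, [int]$TargetPort)
    $state = @{ PolicyErrors = $null }
    # Record validation errors rather than hide them: a self-signed, expired or
    # name-mismatched certificate is exactly what this check should surface.
    $sb = { param($sender, $cert, $chain, $policyErrors); $state.PolicyErrors = $policyErrors; $true }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb

    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint   # must equal the certhash you bound
            NotAfter     = $cert.NotAfter
            PolicyErrors = $state.PolicyErrors  # None = chain trusted and name matched
        }
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

Test-TlsEndpoint -TargetHost $HostName -TargetPort $Port | Format-List

# The https URL should list the published services (NAV uses Windows authentication,
# hence -UseDefaultCredentials); the http URL on the same port must now fail.
$base = "${HostName}:${Port}/$Instance/WS/services"
try   { "https: HTTP $((Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials "https://$base").StatusCode)" }
catch { Write-Warning "https request failed: $($_.Exception.Message)" }
try   { Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials "http://$base" | Out-Null
        Write-Warning 'Plain http still answers on the SSL port; the binding is not in effect' }
catch { 'http on the SSL port refused, as expected' }
```

A PolicyErrors value of RemoteCertificateChainErrors means the client does not trust the issuing CA (install the test root CA or use a certificate from a trusted authority); RemoteCertificateNameMismatch means the certificate does not carry the name you connected with. Either one will also affect every real SOAP and OData client, so fix it on the server side rather than by disabling validation in clients.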
