Configure HTTPS

You can use HTTPS to secure data transferred between the application components and the client’s browser.

To configure HTTPS, you need SSL certificates for Process Intelligence and Recording Service. You can choose one of the following options:

  • Use an SSL certificate issued by a Certification Authority (CA).

    This is the recommended approach for installations intended for a production environment. The connection to the server will be secure and users will not get any warnings from the browser.

  • Use a self-signed SSL certificate.

    If you do not have a signed certificate or if you only require a certificate for testing purposes, use a self-signed SSL certificate. However, in this case users will get warnings from the web browser about the use of a self-signed certificate as the server will not be considered secure.

    If you install the program in a production environment, it is not recommended to use a self-signed SSL certificate.

If you install the program in a production environment, it is strongly recommended to use HTTPS instead of HTTP.

Set up HTTPS for Process Intelligence

Below is a general sequence of steps necessary for setting up HTTPS for the Process Intelligence component:

  1. Obtain an SSL certificate.
  2. Extract the certificate and keys from a .pfx file.

    Currently, Process Intelligence does not accept .pfx files. You must extract the .cert and .key files from the .pfx file, so that the certificate and the key files are available separately. See Extract .cert and .key files from the .pfx file.

  3. Set up HTTPS.

    You can enable SSL and configure HTTPS during one of the following stages:

Extract .cert and .key files from the .pfx file

Ensure OpenSSL is installed on the server that contains the SSL certificate.

Name your private key and certificate files as server.key and server.cert respectively, as Process Intelligence accepts only files with these names.

  1. Start OpenSSL from the OpenSSL\bin folder.
  2. Open the Command Prompt and go to the folder that contains your .pfx file.
  3. Run the following command to extract the private key:

    openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    You will be prompted to type the import password. Type the password that you used to protect your keypair when you created the .pfx file. You will be prompted again to provide a new password to protect the .key file that you are creating. Store the password to your key file in a secure place to avoid misuse.

  4. Run the following command to extract the certificate:

    openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.cert]
  5. Run the following command to decrypt the private key:

    openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
  6. Type the password that you created to protect the private key file at the previous step.

    The .cert file and the decrypted and encrypted .key files are available in the path where you started OpenSSL.

  7. Rename your .cert and .key files to server.cert and server.key if you haven't done so already, as Process Intelligence only accepts files with these names.
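
Before the files go to the installer, confirm that the extraction produced a matching pair. The PowerShell function below is an added example, not vendor code; the name Test-ServerKeyPair, the 30-day expiry window, and the presence of openssl.exe on PATH with server.cert and server.key in the current folder are assumptions. It also reports broad read access to server.key, which is stored unencrypted after step 5.

```powershell
# Added example (hypothetical helper, not part of the product).
# Assumes PowerShell 5 or later and openssl.exe on PATH.
function Test-ServerKeyPair {
    param(
        [string]$CertPath = '.\server.cert',
        [string]$KeyPath  = '.\server.key',
        [int]$WarnDays    = 30              # assumed warning window
    )

    # The public key in the certificate must equal the one derived from the private key.
    $certPub = (& openssl x509 -in $CertPath -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "Cannot read certificate $CertPath" }
    $keyPub = (& openssl pkey -in $KeyPath -pubout) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "Cannot read private key $KeyPath" }

    # Identical subject and issuer means self-signed: browsers will warn.
    $subject = (& openssl x509 -in $CertPath -noout -subject) -replace '^subject\s*=\s*', ''
    $issuer  = (& openssl x509 -in $CertPath -noout -issuer)  -replace '^issuer\s*=\s*', ''

    # -checkend exits non-zero if the certificate expires within the given number of seconds.
    & openssl x509 -in $CertPath -noout -checkend ($WarnDays * 86400) | Out-Null
    $expiresSoon = ($LASTEXITCODE -ne 0)

    # server.key is unencrypted, so file permissions are its only protection.
    # Flag Allow entries for Everyone, Authenticated Users and BUILTIN\Users (by SID,
    # so the check also works on non-English Windows).
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $broad = (Get-Acl -LiteralPath $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $broadSids -contains $sid.Value
        } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        KeyMatchesCert  = ($certPub -eq $keyPub)
        SelfSigned      = ($subject -eq $issuer)
        ExpiresSoon     = $expiresSoon
        BroadKeyReaders = @($broad)
    }
}

Test-ServerKeyPair
```

A result with KeyMatchesCert set to False means the key and certificate came from different keypairs and the HTTPS listener will not start correctly with them.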

Set up HTTPS during Process Intelligence installation

  1. Run the Process Intelligence installer and follow the on-screen instructions in the Installation Wizard. For more information, see Install Process Intelligence.
  2. Enable SSL between the remote PostgreSQL instance and the application at the Database Connection step.

    If your remote PostgreSQL is configured with SSL support:

    1. Select Use SSL for the database connection.
    2. Provide a path to your database SSL certificate.

      If your PostgreSQL is configured with SSL support and a CA root certificate file is used, select Use CA Root certificate file and provide the full path to your root certificate.

  3. Enable SSL between the application and the client at the Base URL and Ports Configuration step:

    1. Specify the TCP/IP port for the Process Intelligence website. For example, 443.
    2. Select Use HTTPS.
    3. Provide paths to server.cert, server.key, and the password files.
  4. Set up a network connection for Process Intelligence. For more information, see Network connection settings.
    1. In Windows Firewall, open the rules for inbound Process Intelligence connections.
    2. Add the TCP/IP port specified during the installation process to the exception list. For example, 443.
  5. Check whether HTTPS is working as expected by opening a browser on any computer and entering the {ProcessIntelligenceUrl}:{port} in the address bar, where:
    • {ProcessIntelligenceUrl} is the Base URL you specified during the Process Intelligence installation or the public IP address or the full name of the computer where Timeline is installed.
    • {port} is the custom port assigned to the Process Intelligence website during the installation process. If you are using a default port (80 or 443), you do not need to add it to the {ProcessIntelligenceUrl}. By default, TCP/IP port 80 or 443 is used.

      Example: https://myprocessintelligence:30443

Switch from HTTP to HTTPS without reinstalling Process Intelligence

If you did not configure HTTPS when installing Process Intelligence, you can do it later without reinstalling Process Intelligence. To do this:

  1. Go to the computer on which Process Intelligence is installed.

    To perform all steps below, you must be a system administrator of the computer.

  2. Stop the timelinepi service using the Services snap-in or open Command Prompt as administrator and use:
    sc stop timelinepi

  3. Open the Process Intelligence installation folder and copy the server.cert and server.key to the ssl subfolder.

  4. Start the timelinepi service using the Services snap-in or run Command Prompt as administrator and use:
    sc start timelinepi

  5. By default, the Process Intelligence website uses the 443 TCP/IP port when using HTTPS.
    You can reassign port numbers. For more information, see Set a different website base URL and port number for Process Intelligence.
    Update the appropriate Windows Firewall rules or the settings of any other firewall that you are using.

  6. Open a browser on any computer and enter {ProcessIntelligenceUrl}:{port} in the address bar, where:

    Example: https://myprocessintelligence:30443

Set up HTTPS for the Recording Service

Below is a general sequence of steps necessary to set up HTTPS for the Recording Service during the installation process:

  1. Obtain an SSL certificate.

    The SSL certificate should be installed in Microsoft IIS on the server where you plan to install the Recording Service.

  2. Run the Recording Service installer and follow the on-screen instructions in the installation wizard. For more information, see Install the Recording Service.

    At the Destination Folder step:

    • Select Use HTTPS.

    • Select the SSL certificate from the list.

      You can find the thumbprint of your certificate in the Internet Information Services (IIS) Manager:

      1. In the Connections field, select the server name (host).

      2. Open Server Certificates.

      3. Open your certificate details and find the thumbprint.

  3. Set up a network connection for the Recording Service. For more information, see Network connection settings.

    1. In Windows Firewall, open the rules for inbound Recording Service connections.

    2. Add the TCP/IP port specified during the installation process to the exception list. For example, 443.

  4. Check whether HTTPS works as expected by opening a browser on any computer and entering {url}:{port} in the address bar, where:

    • {url} is the name of the Recording Service website.

    • {port} is the port assigned to the Recording Service website during the installation process, for example, 443.
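
The browser check in the verification steps for Process Intelligence and for the Recording Service can also be scripted. The function below is an added example, not vendor code; the name Test-HttpsEndpoint is hypothetical, and the host name and port are taken from the page's example URL. It reports the certificate the site actually serves, whether Windows trusts it (a self-signed certificate will not be), and its thumbprint, which can be compared with the one shown in IIS Manager.

```powershell
# Added example (hypothetical helper, not part of the product).
# Assumes PowerShell 5 or later on a machine that can reach the site.
function Test-HttpsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $script:tlsPolicyErrors = $null
    # Record how Windows judges the chain and host name, but let the handshake
    # finish so the certificate can be inspected even when it is untrusted.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $sslPolicyErrors)
        $script:tlsPolicyErrors = $sslPolicyErrors
        $true
    }

    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            # None means the chain is trusted and the name matches; anything else
            # is what a browser would warn about.
            PolicyErrors = $script:tlsPolicyErrors
            Trusted      = ($script:tlsPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Host name and port from the page's example URL.
Test-HttpsEndpoint -HostName 'myprocessintelligence' -Port 30443
```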

Switch from HTTP to HTTPS without reinstalling Recording Service

If you did not configure HTTPS when installing Recording Service, you can do it later using IIS Manager:

  1. In the Connections panel, select the Recording Service site.
  2. In the Action panel, click Bindings….
  3. In the Site Bindings dialog, click Add.

    The Add Site Binding dialog displays.

  4. Select HTTPS and provide an SSL certificate issued to the site URL.

  5. Restart the Recording Service site.