Skip to content

Secure openHistorian Web Interface adding https

Jump to bottom Edit New page
J. Ritchie Carroll edited this page Aug 2, 2019 · 18 revisions

To add transport layer security (TLS/SSL) to the self-hosted openHistorian web interface on a Windows platform, follow these steps:

Adding SSL

  1. Create self-signed or obtain an SSL certificate

Note that certificate must be installed to Local Computer / Personal / Certificates in order for it to be associated with self-hosted web port.

  1. Copy the "thumbprint" from the certificate details with no spaces - this will become certhash parameter replacing YOUR_CERT_HASH in commands below.
  2. Open an administrator command prompt and run the following commands:
netsh http add sslcert ipport=[::0]:8181 appid="{F65126E5-E27A-49DF-8188-1CDE74FE15F3}" certhash=YOUR_CERT_HASH

netsh http add sslcert ipport=0.0.0.0:8181 appid="{F65126E5-E27A-49DF-8188-1CDE74FE15F3}" certhash=YOUR_CERT_HASH

netsh http add urlacl url=https://+:8181/ user=Everyone

The appID parameter came from the [assembly: Guid("value")] from AssemblyInfo.cs in the openHistorian service.

  1. Make sure openHistorian service is not running and update the following setting in the openHistorian.exe.config file:
<add name="WebHostURL" value="https://+:8181" description="The web hosting URL for remote system management." encrypted="false" />

Note that you can also run the XML Configuration Editor for the openHistorian to make this change. Using this tool, navigate to the systemSettings section and find the key called WebHostURL changing the value from http://+:8181 to https://+:8181. Clicking Save Settings will stop the openHistorian service, save the configuration change and automatically restart the openHistorian.

  1. Make sure when navigating to openHistorian to use new port and specify https:
https://localhost:8181/

Removing SSL

  1. Open an administrator command prompt and run the following commands:
netsh http delete sslcert ipport=[::0]:8181

netsh http delete sslcert ipport=0.0.0.0:8181

For a Mono hosted instance running on other platforms:

Instructions are similar but instead use the httpcfg tool:

http://manpages.ubuntu.com/manpages/xenial/man1/httpcfg.1.html

Creating a Trusted Self-Signed Certificate on Windows

  1. Run Windows PowerShell as an Administrator
  2. Run the following PowerShell command:
New-SelfSignedCertificate -FriendlyName "openHistorian Self-Signed Certificate" -DnsName openHistorianSSL, localhost -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(3)

Note that the -NotAfter (Get-Date).AddYears(3) parameter at the end of the command says the certificate will expire in three years.

  1. Run `mmc.exe'
  2. Press Ctrl+M (or select File > Add/Remove Snap-in...)
  3. Select Certificates and click Add
  4. Select Computer account and click `Next >'
  5. Select Local computer: (the computer the console is running on) and click Finish, then click OK
  6. Navigate to the Console Root / Certificates (Local Computer) / Personal / Certificates folder
  7. Right-click on openHistorianSSL certificate and select Copy
  8. Navigate to the Console Root / Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder
  9. Right-click on the Certificates sub-folder of Trusted Root Certification Authorities in the tree and select Paste
  10. The openHistorianSSL certificate should now be in the Trusted Root Certification Authorities / Certificates folder and now trusted by the local system
Add a custom footer

Pinned

Clone this wiki locally