SCS v5 User Manual
Click here to see this page in full context

SCS Installation

Certificates on the SCS Website

A website security certificate is a validation and encryption tool, part of the HTTPS protocol, which secures and encrypts data going back and forth between the server and the client browser. It is issued by a trusted certification authority (CA) who verifies the identity of the owner of a website. The certificate then ensures the user that the website it is connected to is legitimate and that the connection is safe and secure. - Techopedia

 

When you browse to a website you use one of two protocols: HTTP or HTTPS

 

HTTP stands for HyperText Transfer Protocol and allows for communications between a client and a server via request-response.  It is the backbone of the world wide web and has been the standard root protocol since the late '90s.

 

HTTPS stands for HyperText Transfer Protocol Secure and essentially wraps security (TLS or SSL) around normal unsecured HTTP.  Traffic moving between the client and the website is theoretically encrypted and secure so sensitive things like usernames/passwords, your bank balances and other such info is protected from 3rd parties trying to listen in.  As an evil-doer knowing your bank balance may not seem like a big deal, but if I learn your username/password then your bank balance is now my bank balance, obviously not ideal (for you!). 

Because of this, most public websites sites these days utilize HTTPS and require a valid certificate be installed on the source web server and associated with the site. US Government sites are required to use HTTPS as per White House Office of Management and Budget memorandum M-15-13, “A Policy to Require Secure Connections across Federal Websites and Web Services” (https://https.cio.gov/)

 

Many internal sites use an unofficial self-signed certificate.  When you browse to the site you get the familiar "insecure site" warning:

 

Self-signed certificates are commonly used internally for a variety of reasons.  Namely they are free, easily generated, are much more secure then having no certificate at all and don't require a certificate authority (most of which require a website to be internet facing / public).  While this is fine for development purposes when the system is moved into production using a self-signed certificate is a bad idea.  Aside from annoying your users it also opens security holes and avenues for man in the middle attacks.  

 

SCS will install by default with both HTTP and HTTPS bindings.  While you can access the site using either protocol if you try to use HTTP then SCS will automatically redirect you to the HTTPS version for security purposes. 

 

To associate a certificate with your SCS website 

  1. Launch Internet Information Services (IIS) Manager.  Depending on your operating system this can be done various ways, most windows servers will have it as an option under the Tools portion of Server Manager
  2. Click on the root web role element and double click on the Server Certificates link inside the IIS group.
  3. In the right pane click the Import action which will open a dialog allowing you to browse to the certificate file and upload it into IIS.  Note the password is the password used to secure the certificate when in .pfx format (similar to adding a password to a zip file).  If you do not know the password talk to the source who exported or provided the pfx file.
  4. Validate that the certificate shows up in the list on the server. 
     
  5. Now that the certificate is installed on the server you must associate it with your website itself
    1. In IIS manager, select the SCS website (expand the sites node, the names might be different but it should be the only site on the server)
    2. Right click the site and click Edit Bindings
    3. Associate the HTTPS binding with the new certificate by choosing it in the dropdown.  If you have aliases or other names for the host be sure to enter additional HTTPS bindings to reflect them.

 

NOAA Ships 

NOAA GFE should use the Department of Defense as their certificate authority (CA).  NOAA machines should already have the full DoD certificate chain installed as it's a requirement for Common Access Card (CAC) authentication / login.  Each SCS website will have it's own dedicated certificate issued by the DoD.  If you do not have a copy of your certificate please reach out to SEG and we will provide one to you.

 

Non-NOAA Ships 

Ships outside the DoD boundary have a few options available to them.   

Setup an HTTP / HTTPS hybrid situation

SCS is installed to support both HTTP and HTTPS but is setup in a way which forces the user into HTTPS regardless of which option they choose.  If you are unable to obtain a valid certificate and must use a self-signed one then removing that restriction from SCS might be the best way to move forward.  The idea would be to use HTTP for normal read-only operation of SCS and use the HTTPS option when doing things that require authentication.  This would prevent usernames and passwords being sent in clear text but minimize the number of annoying 'unsecure' warnings you receive from your browser.  For the primary workstations you can always explicitly trust the self-signed certificate itself which would take another step towards reducing the red.

It is recommended to use HTTPS whenever possible and definitely when conducting operations that require authentication / login!

 

  1. Switch all SCS services to use the HTTP protocol instead of the HTTPS
  2. Launch Internet Information Services (IIS) Manager.  Depending on your operating system this can be done various ways, most windows servers will have it as an option under the Tools portion of Server Manager
  3. Find and expand the SCS website (expand the sites node, the names might be different but it should be the only site on the server)
  4. Right click the site and click Explore
  5. This will open up windows explorer in the directory containing all the code used to run the SCS Website.  Inside this directory is a file named Web.Config.  Open it using a text editor such as Notepad (you may need to open it in Administrator Mode to save changes).  Be careful when editing this file, it might be worth copying it somewhere else (backup) in case things get messed up so you can revert.
  6. Search the file for the <system.webServer> node.  Inside of it should be a <rewrite> node
  7. Delete the entire <rewrite> node (everything between <rewrite> .... </rewrite> including the <rewrite> tags themselves as highlighted above)
  8. Save the web.config file.
  9. Restart the website

 

 

Do not use HTTPS

While not recommended (usernames and passwords will be sent in clear text whenever users work on the site) using standard HTTP is an option.  If you have a small setup, completely trust your user base, are disconnected from the internet, etc it is the simplest option available to you.  

To remove HTTPS from your setup:

  1. Switch all SCS services to use the HTTP protocol instead of the HTTPS
  2. Launch Internet Information Services (IIS) Manager.  Depending on your operating system this can be done various ways, most windows servers will have it as an option under the Tools portion of Server Manager
  3. Find and expand the SCS website (expand the sites node, the names might be different but it should be the only site on the server)
  4. Right click the site and click Explore
  5. This will open up windows explorer in the directory containing all the code used to run the SCS Website.  Inside this directory is a file named Web.Config.  Open it using a text editor such as Notepad (you may need to open it in Administrator Mode to save changes).  Be careful when editing this file, it might be worth copying it somewhere else (backup) in case things get messed up so you can revert.
  6. Search the file for the <system.webServer> node.  Inside of it should be a <rewrite> node
  7. Delete the entire <rewrite> node (everything between <rewrite> .... </rewrite> including the <rewrite> tags themselves as highlighted above)
  8. Save the web.config file.
  9. Right click the site and click Edit Bindings
  10. You will see a list of bindings associated with the site, remove all HTTPS bindings and hit OK
  11. Restart the website

 

After this there will be no more HTTPS endpoint, users will have to browse to http://[server name or IP here] to access SCS.

 

 

Procure a publicly valid certificate

You can always purchase a certificate from a known vendor such as VeriSign, RapidSSL, DigiCert, etc.  This is the solution most every website on the internet takes.  However, as a ship you are quite unlike most websites.   Be aware these certificates are meant for internet facing sites, so unless your exposing your server to the internet and assigning it a valid publicly resolvable DNS name this is unlikely to be a feasible option.

 

Setup your own CA

This is beyond the scope of the help manual, however setting up your own certificate authority is an option.  In the vast majority of cases this will be to complicated a solution unless you already have one in place for other reasons.  If so you may and should take advantage of it for SCS. 

 

 

 

How to switch all SCS services to use the HTTP protocol instead of the HTTPS

Be default, all SCS services use the HTTPS protocol when connecting and communicating with the website.  If you are disabling HTTPS or do not have a valid certificate you should let each service know that it should be using HTTP instead of HTTPS or you will introduce performance and functionality issues.

 

To do this you must browse to the directory you installed SCS into (normally D:\SCS) and open the Services directory.  Inside there each SCS service will have it's own folder which contains most of it's execution code and configuration files.  

Inside each folder you must find the service's configuration file (name follows this syntax: SCS.[Service Name].Service.exe.config  ) and edit it (Administrative mode may be required to edit and save this file).

 

 

Once the file is open search for the <appSettings> node.  Inside there you will find a key named [Service].HubBaseUrl.  This is the setting you must change, all you have to do is remove the 's' from https (eg transform it from https://.... to http://....).  Do not change anything else in the file nor any other part of that line.

 

 

Save the file and proceed onto the next service until all are modified.

 

 

Trust a self-signed certificate

On each remote computer that you wish to operate SCS on you must:

 

Open IE as an Administrator

 

Browse to the SCS website in that browser, accept the certificate warning and continue on to the website

 

On the SCS site you'll notice the bar is red, click the Certificate Error text and View certificates

 

Click Install Certificate (note if this is grayed out or not there you are most likely not running IE in admin mode)

 

Choose Local Machine and put it in the Trusted Root Certification Authorities container

 

Now when you browse to the SCS server it should not present the security warnings any longer.

 

 

 

SCSv5                                                                                                        Page 1 of 1