SSL Support
Kodiak OMS web services can be run over SSL/TLS. The steps below cover the certificate, the port bindings, and the server, Trade Report Server and client configuration changes.
Certificate
A supported and trusted SSL certificate (with its private key) must be available in the server's certificate store.
Port registration example
This shows how to bind a certificate to the listening ports. In this example three ports are used: 8091, 9091 and 5001. The certhash is the certificate thumbprint; the same certificate is bound to every port.
netsh http add sslcert ipport=0.0.0.0:8091 certhash=991ab4fb6080ce11d64ba60bea79f4f81a014bb0 appid={12345678-1234-1234-1234-123456789013}
netsh http add sslcert ipport=0.0.0.0:9091 certhash=991ab4fb6080ce11d64ba60bea79f4f81a014bb0 appid={12345678-1234-1234-1234-123456789013}
netsh http add sslcert ipport=0.0.0.0:5001 certhash=991ab4fb6080ce11d64ba60bea79f4f81a014bb0 appid={12345678-1234-1234-1234-123456789013}
Renewal/Removal
If the certificate needs to be renewed or replaced, the old certificate binding for the port must be deleted first, then the new certificate is registered as shown above.
netsh http delete sslcert ipport=0.0.0.0:8085
Kodiak Server
appSettings.config
<!--Main url used for web services-->
<add key="BaseUrl" value="https://kodiak-staging.kodi.is:8091/" />
<!--The location of the token dealer-->
<add key="TokenDealerUrl" value="https://kodiak-staging.kodi.is:9091"/>
<!-- The location of the trade report server Web API. Used by clients-->
<add key="TradeReportServerAPIUrl" value="https://kodiak-staging.kodi.is:8091"/>
<!-- The location of the trade report server websocket url. Used by clients-->
<add key="TradeReportServerWebsocketUrl" value="wss://kodiak-staging.kodi.is:5001"/>
<add key="InvoiceUrl" value="https://kodiak-staging.kodi.is:8091/InvoiceService.svc" />
serviceModel.configuration
Behaviors
<behaviors>
<serviceBehaviors>
<behavior name="HttpsBehaviour">
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="Kodi.Kodiak.Security.AuthorizationPolicy, Kodi.Kodiak.Security" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="991ab4fb6080ce11d64ba60bea79f4f81a014bb0"/>
</serviceCredentials>
<!-- Returns exception details and stack traces to callers; set to false outside troubleshooting -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
</behavior>
<behavior name="ServiceBehaviorBasicHttps">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false" />
<dataContractSerializer maxItemsInObjectGraph="2147483646" />
</behavior>
</serviceBehaviors>
</behaviors>
Finding certificates in the behavior
The x509FindType attribute selects how the certificate is looked up in the store. Below are examples for thumbprint and subject name. A thumbprint value must be updated whenever the certificate is renewed, because the renewed certificate has a new thumbprint. FindBySubjectName should be more resilient to such changes; note that it matches on a substring of the subject name, so if the old and the renewed certificate are both left in the store more than one certificate matches and the service fails to start. Remove the expired certificate from the store after a renewal.
FindByThumbprint
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="991ab4fb6080ce11d64ba60bea79f4f81a014bb0"/>
FindBySubjectName
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="kodiak-staging.kodi.internal"/>
Binding
<wsHttpBinding>
<binding name="WSHttpsBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false" maxBufferPoolSize="2147483646" maxReceivedMessageSize="2147483646">
<readerQuotas maxDepth="2147483646" maxStringContentLength="2147483646" maxArrayLength="2147483646" maxBytesPerRead="2147483646" maxNameTableCharCount="2147483646" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
<webHttpBinding>
<binding name="WebHttpsBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</webHttpBinding>
Services
<service behaviorConfiguration="HttpsBehaviour" name="KodiakService">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="WSHttpsBinding" contract="Kodi.Kodiak.Services.ServiceContracts.IKodiakService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
<service behaviorConfiguration="ServiceBehaviorBasicHttps" name="ExternalOrderEntryService">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="WebHttpsBinding" contract="Kodi.Kodiak.Services.IExternalOrderEntryService" behaviorConfiguration="rest" />
</service>
Trade Report Server
To enable SSL for the Trade Report Server, the certificate thumbprint must be specified under TradeReportServerWebsocketCertificateThumbPrint. Beware of hidden characters when pasting the thumbprint from the certificate details window; they make the lookup fail even though the value looks correct.
<add key="TradeReportServerWebsocketPort" value="5001"/>
<add key="TradeReportServerWebsocketAddress" value="0.0.0.0"/>
<add key="TradeReportServerWebsocketCertificateThumbPrint" value="991ab4fb6080ce11d64ba60bea79f4f81a014bb0"/>
...
<add key="RestApiUrl" value="https://kodiak-staging.kodi.is:8091"/>
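The two pitfalls above (hidden characters in a pasted thumbprint, and FindBySubjectName matching more than one certificate after a renewal) can be checked before the services are restarted. The following PowerShell script is an added example and not part of the Kodiak documentation; it assumes the thumbprint, subject name and ports used on this page and that it is run elevated on the server.

```powershell
# Added example (not part of the Kodiak documentation): validates the certificate
# and port bindings before the thumbprint is pasted into the config files.
# Defaults are the thumbprint, subject name and ports used on this page.
param(
    [string]$Thumbprint  = "991ab4fb6080ce11d64ba60bea79f4f81a014bb0",
    [string]$SubjectName = "kodiak-staging.kodi.internal",
    [int[]]$Ports        = @(8091, 9091, 5001)
)

# 1. Strip anything that is not a hex digit. The certificate details window
#    prepends an invisible left-to-right mark (U+200E) that breaks the lookup.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Thumbprint has $($clean.Length) hex characters after cleaning, expected 40 (SHA-1)."
}
if ($clean -ne $Thumbprint.ToUpperInvariant()) {
    Write-Warning "Thumbprint contained hidden or non-hex characters; use: $clean"
}

# 2. FindByThumbprint: the certificate must exist in LocalMachine\My with a private key.
$byThumb = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
if (-not $byThumb) { throw "No certificate with thumbprint $clean in LocalMachine\My." }
if (-not $byThumb.HasPrivateKey) { throw "Certificate $clean has no private key; TLS cannot use it." }
if ($byThumb.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $clean expired on $($byThumb.NotAfter)." }

# 3. FindBySubjectName is a substring match: if the old and the renewed
#    certificate are both still in the store, WCF finds more than one and
#    refuses to start. List every match so the stale one can be removed.
$bySubject = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectName*" })
if ($bySubject.Count -ne 1) {
    Write-Warning "FindBySubjectName '$SubjectName' matches $($bySubject.Count) certificates:"
    $bySubject | Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-String | Write-Warning
}

# 4. Confirm each port binding (created with netsh http add sslcert) uses this thumbprint.
foreach ($port in $Ports) {
    $out = netsh http show sslcert ipport=0.0.0.0:$port 2>&1 | Out-String
    if ($out -match '(?i)Certificate Hash\s*:\s*([0-9a-f]+)') {
        $bound = $Matches[1].ToUpperInvariant()
        if ($bound -eq $clean) { "Port $($port): bound to the expected certificate" }
        else { Write-Warning "Port $($port) is bound to $bound, not $clean" }
    } else {
        Write-Warning "Port $($port): no SSL certificate binding found"
    }
}
```

If step 1 reports hidden characters, paste the cleaned value it prints into appSettings.config and serviceModel.configuration rather than the value copied from the details window.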
Client
...
<add key="UrlPrefix" value="https://kodiak-staging.kodi.is:8091/" />
...
<wsHttpBinding>
<binding name="KodiakADHttp" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="2147483646" maxReceivedMessageSize="2147483646" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="2147483646" maxStringContentLength="2147483646" maxArrayLength="2147483646" maxBytesPerRead="2147483646" maxNameTableCharCount="2147483646" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
<binding name="KodiakAD" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="2147483646" maxReceivedMessageSize="2147483646" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="2147483646" maxStringContentLength="2147483646" maxArrayLength="2147483646" maxBytesPerRead="2147483646" maxNameTableCharCount="2147483646" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>