Parallels H-Sphere Documentation System Administrator Guide

 

Winbox Shared SSL

(version 3.0 and up)
 
 

Related Docs:   Winbox Shared SSL (before 3.0)

Last modified: 27 Dec 2007

 

WARNING: This documentation covers Parallels H-Sphere versions up to 3.1. For the latest up-to-date Parallels H-Sphere documentation, please proceed to the official Parallels site.

Starting with version 3.0, H-Sphere implements a new Winbox Shared SSL scheme. This scheme introduces a solution to the problem with resource synchronization not supported in H-Sphere 3.0 and eliminates the following issues:

  • problems with applications hosted under different versions of ASP.NET but under the same shared SSL virtual host
  • issues with scripts containing some server variables that use the #include directive
  • the necessity to synchronize shared SSL virtual host resources with user virtual host resources
  • the need to deploy an additional ISAPI filter

Starting with Windows 2003 SP1, IIS 6.0 supports host headers in SSL bindings.

Requirements: Windows 2003 with SP1 or Windows 2000 server; H-Sphere 3.0 Final

This document covers Winbox Shared SSL integration and update.

 

Winbox Shared SSL Integration

Winbox Shared SSL integration is implemented in two different ways, one for IIS 5.0 and one for IIS 6.0:

IIS 5.0

On IIS 5.0, shared SSL virtual hosts are still used, but their purpose has changed: they now act as certificate holders. For a given IP, IIS 5.0 uses the virtual host that has Shared SSL enabled to establish every SSL connection on that IP, regardless of the actual target virtual host. So if a user turned shared SSL off on the virtual host that was the first shared SSL host, the other shared SSL hosts on this IP would become unavailable. Shared SSL virtual hosts on IIS 5.0 are intended to avoid such issues.

Admin shared SSL creation:

  • Post the certificate and key on the server. The name of the key container is {3716B9D2-2486-446a-9281-E4D1CA03EC0A}_<wild-card domain name>
  • Create the shared SSL service virtual host. Its server binding has the form <IP>:80:<IP>.SharedSSL2, where IP is the IP address of this particular shared SSL. It also has a secure binding and the appropriate wild-card certificate installed. The host number of such a virtual host will be in the range 10000-20000.

User shared SSL creation:

  • SSL with the appropriate shared SSL certificate is enabled for the customer's virtual host
  • The following bindings are added to ServerBindings of the customer's virtual host: <IP>:80:<domain alias> and <IP>:443:<domain alias>, where domain alias is a 3rd level domain alias for the customer's shared SSL.

IIS 6.0

Shared SSL service virtual hosts are not used anymore.

Admin shared SSL creation:

  • Post the certificate and key to the server. The name of the key container is {3716B9D2-2486-446a-9281-E4D1CA03EC0A}_<wild-card domain name>

User shared SSL creation:

  • Enable SSL with the appropriate shared SSL certificate for the customer's virtual host
  • Set the SecureBindings of the customer's virtual host to <IP>:443:<domain alias>, where domain alias is a 3rd level domain alias for the customer's shared SSL.

 

Winbox Shared SSL Update

Important: Prior to the update, make sure you have H-Sphere 2.4.x or higher installed.

If there is shared SSL hosting on the managed server, the upgrade procedure automatically migrates shared SSL to the new scheme. It detects shared SSL by the existence of virtual hosts with the H-Sphere shared SSL Log plugin and by the existence of the HKLM\SOFTWARE\Psoft\HSphere\SharedSSL\Virtual registry key. Before performing the migration, it makes an IIS metabase backup called sharedSSL, which is used to restore the metabase if something goes wrong. The migration procedure makes the following changes:

IIS 5.0

Shared SSL service virtual host:

  • removes SharedSSL ISAPI filter
  • renames server binding from <IP>:80:<IP>.SharedSSL to <IP>:80:<IP>.SharedSSL2
  • changes log plugin to standard W3SVC
  • removes shared SSL virtual directories

User host:

  • enables SSL with appropriate wild-card certificate for customer's virtual host
  • adds <IP>:80:<domain alias> and <IP>:443:<domain alias> bindings to server bindings, where domain alias is a 3rd level domain alias for customer shared SSL

IIS 6.0

Shared SSL service virtual hosts are removed.

User host:

  • enables SSL with appropriate wild-card certificate for customer's virtual host
  • sets secure binding to <IP>:443:<domain alias> where "domain alias" is 3rd level domain alias for customer shared SSL
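
A post-migration check for the binding formats listed above, as an added example (not part of the H-Sphere documentation or product code). It assumes the binding strings have already been exported from the IIS metabase as plain text; the function names, the 192.0.2.10 address and the example.com wild-card domain are constructed for illustration.

```python
# Added example: binding strings are assumed to be already exported from the metabase.
def parse_binding(binding):
    """Split '<IP>:<port>:<host header>' (IPv4, as in the formats above)."""
    ip, port, host = binding.split(":", 2)
    return ip, int(port), host.lower()

def is_alias(host, wildcard_domain):
    """True if host is exactly one label in front of the wild-card domain."""
    suffix = "." + wildcard_domain.lower()
    label = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label

def audit_customer_host(iis, ip, wildcard_domain, server_bindings, secure_bindings):
    """Findings for one customer virtual host; an empty list means it matches."""
    server = [parse_binding(b) for b in server_bindings]
    secure = [parse_binding(b) for b in secure_bindings]

    def has(bindings, port):
        return any(i == ip and p == port and is_alias(h, wildcard_domain)
                   for i, p, h in bindings)

    findings = []
    if iis == "5.0":    # <IP>:80:<alias> and <IP>:443:<alias> in ServerBindings
        findings += [f"ServerBindings lacks {ip}:{port}:<domain alias>"
                     for port in (80, 443) if not has(server, port)]
    elif iis == "6.0":  # SecureBindings set to <IP>:443:<alias>
        if not has(secure, 443):
            findings.append(f"SecureBindings lacks {ip}:443:<domain alias>")
        findings += [f"SecureBindings entry {i}:{p}: has no host header"
                     for i, p, h in secure if not h]
    else:
        raise ValueError("iis must be '5.0' or '6.0'")
    return findings

def leftover_service_bindings(iis, all_server_bindings):
    """Service-host bindings the migration should have renamed or removed."""
    stale = []
    for b in all_server_bindings:
        ip, _port, host = parse_binding(b)
        old = host == f"{ip}.sharedssl"    # pre-migration name
        new = host == f"{ip}.sharedssl2"   # service host kept on IIS 5.0 only
        if old or (new and iis == "6.0"):
            stale.append(b)
    return stale

if __name__ == "__main__":
    # Constructed sample: IIS 6.0 host whose secure binding lost its host header.
    print(audit_customer_host("6.0", "192.0.2.10", "example.com", [], ["192.0.2.10:443:"]))
```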





© Copyright 2017. Parallels Holdings. All rights reserved.