BruceAllison
Archer Employee

Link to 6.2.0.5 & 6.3 Installers: Enabling Advanced Workflow to use SSL through Archer Installer (6.2.0.5+ & 6.3)


The items listed below are intended for use on DEV/TEST environments and should be fully tested before implementing in PROD environments.

We have made some installer enhancements to allow users to configure the Advanced Workflow Service to communicate using SSL. The changes first appeared in 6.2.0.4 (6.2.00400.1036).


Please note the certificate requirements:

  1. The certificate must be issued by a root CA that the servers trust, or, if it is self-signed, it must be placed in the Trusted Root Certification Authorities store of the Local Machine.
  2. The common name of the server running the service must match the "Issued To" name on the certificate. An IP address can be used instead of the host name, as long as the Advanced Workflow REST URL also uses that IP address.
  3. Import the certificate into the Local Machine's Personal store (Cert:\LocalMachine\My) before running the installer.
  4. The certificate must be used solely for the Advanced Workflow Service.

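The following PowerShell script is an added example (it is not part of the original post and not an RSA Archer tool): a pre-install check that a certificate in the Local Machine Personal store meets requirements 1 to 3 above, plus a validity-window check and a warning for requirement 4 if http.sys already serves the same thumbprint. The thumbprint, the expected host name and the script file name are assumptions you supply; run it in an elevated PowerShell session on the server that will host the Advanced Workflow Service.

```powershell
# Added example, not part of the original post. Checks a certificate in
# Cert:\LocalMachine\My against the Advanced Workflow certificate requirements.
# Usage (elevated):  .\Test-AwfCertificate.ps1 -Thumbprint <hex> -ExpectedHost archer-awf01
param(
    [Parameter(Mandatory)][string]$Thumbprint,     # assumption: thumbprint of the AWF certificate
    [Parameter(Mandatory)][string]$ExpectedHost    # host name or IP you will put in the REST URL
)

$cert     = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$problems = @()

# Requirement 1: the chain must build to a root this machine trusts. A self-signed
# certificate only passes if it was copied into Cert:\LocalMachine\Root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'     # offline check; no CRL/OCSP lookup here
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "chain does not build to a trusted root ($status)"
}

# Requirement 2: the "Issued To" name (CN) or a Subject Alternative Name must equal
# the host used in the REST URL. SAN parsing assumes the English 'DNS Name=' /
# 'IP Address=' text that Windows produces for the extension.
$cn   = $cert.GetNameInfo('SimpleName', $false)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($san) {
    $sans = $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
}
if ($cn -ne $ExpectedHost -and $sans -notcontains $ExpectedHost) {
    $problems += "CN '$cn' and SANs [$($sans -join ', ')] do not include '$ExpectedHost'"
}

# Requirement 3: the certificate must sit in the Local Machine Personal store
# together with its private key; importing only a .cer leaves no key to serve TLS with.
if (-not $cert.HasPrivateKey) {
    $problems += "no private key (import the .pfx, not just the .cer)"
}

# Validity window: an expired or not-yet-valid certificate fails the handshake.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "not valid now (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))"
}

# Requirement 4: warn if http.sys already serves this certificate somewhere else
# (for example as the certificate of the Archer web site).
$sslcert = netsh http show sslcert 2>$null
if ($sslcert -match $Thumbprint) {
    $problems += "thumbprint is already bound in http.sys; the AWF certificate must be dedicated"
}

if ($problems.Count -eq 0) {
    "OK: $Thumbprint is usable for Advanced Workflow on '$ExpectedHost'"
} else {
    $problems | ForEach-Object { "FAIL: $_" }
    exit 1
}
```

The chain is built with revocation checking disabled so the script gives a deterministic answer on a server without internet access; re-run it with `RevocationMode = 'Online'` if your CA publishes CRLs the servers can reach.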

The following pages were added/modified to accomplish this.


The first page is displayed for every install, regardless of whether the Advanced Workflow Service was selected during install.

  • The default values are shown in the screenshot below.
  • If you wish to use SSL for Advanced Workflow, update the Advanced Workflow REST URL to use 'https', the host name, and the SSL port (specified on the next page); see the example above the screenshot.
  • An IP address can be used instead of the host name if the certificate also uses the IP address.
  • The Advanced Workflow Communication Port is used for inter-server workflow communication.


    Example REST URL for SSL: https://HOSTNAME:8443

[Screenshot: installer page with the Advanced Workflow REST URL and Communication Port fields at their default values]


The second page is only displayed when the user has selected to install the Advanced Workflow Service.

  • Users are prompted to enable HTTPS by default during the first install. After the first install or upgrade with these new settings, the installer inherits whatever setting was used previously, while still allowing users to change the setting on each upgrade.
  • The default port used for HTTPS communication is shown below.
  • Once the certificate has been selected from the cert store prompt, every subsequent install will display the option shown below.

[Screenshot: installer page for the Advanced Workflow Service with the HTTPS port and certificate store selection]

10 Comments
BillNelson1
Contributor II

We installed this update and were a bit confused with the instructions. We have 2 web servers, 2 application servers and 1 database server. The web servers are behind an A10 DNS load balancer. The 2 web servers share the same SSL cert. You only need to run this process on the web servers. When you run the installation program, only select Services and Advanced Workflow. We used our regular SSL cert for the graphic one above. The traffic used by the Advanced Workflow does not contain any sensitive data, so for the second graphic we selected http (the one that says "not recommended") per recommendation of our RSA support contact. We did not create a self-signed cert, which we thought we needed to do. It does reset your services, so go back and disable the ones that were not running before (it would be really, really nice if the install script would remember what they were set to, or at least prompt you if you are installing a web or application server and set things accordingly). Once we followed these additional steps, everything worked. Hopefully this will save someone some time.

Anonymous
Not applicable

What are the options besides using a self-signed certificate for the web servers?

jwojtowicz
Contributor

Has anyone been able to configure advanced workflow using 8443 and a certificate? If so what are the exact steps that you took? I have tried multiple ways and none of them work. I always get a communication error.

Ilya_Khen
Champion III

You are using a new certificate, right, not the one used for the RSA web app? And that new certificate is trusted on all ends.

jwojtowicz
Contributor

Yes I am using a new cert that is not used any where else.

Ilya_Khen
Champion III

Well, you need to check the AWF logs then; make sure that the certificate is installed as trusted on all servers.

If nothing reveals the root cause, probably create a ticket with support.

If you have a higher version of Archer, maybe the newest guide will help: https://community.rsa.com/docs/DOC-82975

BruceAllison
Archer Employee

Here are some items I check when configuring this on a test environment. Keep in mind that 8443 is the default and has also been validated on our side.


  1. Not sure if you are configuring in an isolated infrastructure or not, but the best way to begin validation is to isolate: one web server, one Advanced Workflow service, etc. Eliminate the load balancer for now to help troubleshoot connection issues.
  2. Ensure that the servers can communicate successfully outside of RSA Archer; ping is something I use often.
  3. Check that your Workflow Host or Load Balancer URL is configured properly in the Archer Control Panel. Since you are using a certificate, the port in this URL needs to be 8443, and the URL needs to use https. Example: "https://serverxyz:8443". Don't use the communication port when you enable SSL for Advanced Workflow.
  4. Ensure the certificate is not expired.
  5. Check the registry: ensure that the "RestApiUseSsl" value has data 1 on the server where the RSA Archer Advanced Workflow Service is installed (registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Workpoint LLC\Workpoint\4.1).
  6. Ensure that the RSA Archer Advanced Workflow Service gets reinstalled when you upgrade Archer (if the service is isolated on another server). These versions need to match; in case we upgrade this component, it will be dependent on the Archer web version.
  7. A few things you can look at in the UI to validate the functionality are:
    1. Administration > Advanced Workflow Job Troubleshooter
    2. Application Builder > Advanced Workflow designer tab in an Application or Questionnaire
    3. Add a record to an application or questionnaire which has workflow enabled on it.
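As an added example that is not part of the comment above and not an RSA Archer tool, the following PowerShell script turns checks 2, 4 and 5 of that list into something you can run: a TCP connect to the REST URL port, a TLS handshake that reports the certificate the service actually presents and any validation error a client would raise, and the RestApiUseSsl registry value. It assumes the REST URL you typed into the installer, the communication port from the first installer page (defaulting to 8000, which must differ from the REST port), the registry path quoted in check 5, and the script file name; run it on the Archer web server, and add -CheckRegistry when running it on the Advanced Workflow server itself.

```powershell
# Added example, not part of the comment above. Scripts checks 2, 4 and 5 from
# the list: TCP reachability of the REST URL, the certificate the service
# presents, and the RestApiUseSsl registry value.
# Assumptions: $RestUrl is the Advanced Workflow REST URL from the installer,
# $CommunicationPort is the inter-server port from the first installer page.
# Usage:  .\Test-AwfSsl.ps1 -RestUrl https://archer-awf01:8443 -CheckRegistry
param(
    [Parameter(Mandatory)][string]$RestUrl,
    [int]$CommunicationPort = 8000,
    [switch]$CheckRegistry
)

$uri = [Uri]$RestUrl
if ($uri.Scheme -ne 'https') { "FAIL REST URL scheme is '$($uri.Scheme)'; SSL mode needs https" }
if ($uri.Port -eq $CommunicationPort) {
    "FAIL REST URL port $($uri.Port) equals the communication port; they must differ"
}

# Check 5: RestApiUseSsl = 1 on the server running the Advanced Workflow service.
if ($CheckRegistry) {
    $regPath = 'HKLM:\SOFTWARE\Workpoint LLC\Workpoint\4.1'
    $value   = (Get-ItemProperty -Path $regPath -Name RestApiUseSsl -ErrorAction SilentlyContinue).RestApiUseSsl
    if ($value -eq 1) { "OK   RestApiUseSsl=1 under $regPath" }
    else              { "FAIL RestApiUseSsl is '$value' under $regPath (expected 1)" }
}

# Check 2: a TCP connect to the REST port tells you more than ping does.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    "FAIL TCP $($uri.Host):$($uri.Port) unreachable (firewall, service stopped, or wrong port)"
    exit 1
}
"OK   TCP $($uri.Host):$($uri.Port) reachable"

# Check 4 and the certificate requirements: complete a TLS handshake, then report
# the presented certificate and the validation result a normal client would get.
$script:policyErrors = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors      # record the errors but let the handshake finish
    return $true
}
$client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validate)
try {
    $ssl.AuthenticateAsClient($uri.Host)    # the host in the URL is the name that must match
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "     presented: $($remote.Subject) | thumbprint $($remote.Thumbprint) | expires $($remote.NotAfter)"
    if ($remote.NotAfter -lt (Get-Date)) {
        "FAIL certificate expired"
    } elseif ($script:policyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        "FAIL client validation: $script:policyErrors (name mismatch or untrusted chain)"
    } else {
        "OK   TLS handshake with $($uri.Host) validated against the Local Machine trust store"
    }
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

Run it from each machine that will call the REST URL: the trust-store and name-match results are per client, so a handshake that passes on the Advanced Workflow server can still fail from a web server that never received the root certificate.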
jwojtowicz
Contributor

So are you saying, when installing Advanced Workflow, to not put anything in the field for the Advanced Workflow communication port, which normally uses 8000? Should I leave it empty?

BruceAllison
Archer Employee

Hi Jessica, sorry for the late reply. I somehow missed your question.

Do not leave the communication port empty. This port just needs to be different from the HTTPS port, which in turn makes it different from the port used in the Advanced Workflow URL.

Let me know if you need more clarification on this.

-Bruce

JohnRichardson1
Contributor

Hello, most are older posts, but our team recently had a requirement to implement ADV WF and ran into similar issues. We were able to get through the setup and it is now rendering.

  • We did this in development only so far
  • web/app/services on one server and SQL on another
  • As others have pointed out, the first thing is to request a CERT from your CA
  • Ours are internal, not SELF signed
  • The format is pfx; when it is downloaded from within our internal CERT tool, the entire chain was selected
  • Entity then ROOT, but the order shouldn't matter. Include all, though
  • Since it is an internal CERT, it was imported into the personal cert store
  • When it was first imported through MMC it didn't appear, which was odd, but when imported from IIS SSL, which is at the TOP server level in IIS, it imported and was visible - not sure why we couldn't see it at first
  • Once the CERT is added to the store you're ready to run the setup - assuming this is the first time or you're changing to SSL
  • Like one of the screenshots showed earlier, select 8443 and then select the dropdown to point to the personal cert store
  • The 2nd page was https://hostname:8443. We didn't use the FQDN but it may be needed in some circumstances
  • Com port left at 8000. You can hit this through the URL too after a binding for 8000 was added
  • After the install completes go back to the IIS DEFAULT site
  • Add a binding of 8443 and select the new CERT you had created for ADV WF
  • A warning returned saying it was in use, but hit okay unless 8443 is being used elsewhere. This happened due to the numerous attempts to get it installed
  • After the binding was done the ADV WF rendered for the first time directly on the server
  • It was the first time the URL, whether the VIP, localhost or server name was used with 8443 and https included, that a page was returned. This was for testing
  • ADV WF from the GUI, from the desktop and the server launched the ADV WF.
  • Binding may have been assumed in other posts, but it is being mentioned here as a reminder
  • The site was turned over to the ADMINS so there may be issues that haven't surfaced.
  • Good luck
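The IIS binding steps this commenter lists (add an https binding on 8443 to the default site, pick the dedicated ADV WF certificate, and expect an "in use" warning if the port is already bound) can be scripted. The following is an added example, not code from the post or from RSA Archer, and it assumes the site is named 'Default Web Site', the port is 8443, the certificate is already in Cert:\LocalMachine\My with its private key, and the script file name shown in the usage comment.

```powershell
# Added example, not from the comment above: the IIS binding steps it describes,
# scripted. Assumptions: site 'Default Web Site', port 8443, and $Thumbprint is
# the dedicated AWF certificate already in Cert:\LocalMachine\My with its key.
# Usage (elevated):  .\Add-AwfBinding.ps1 -Thumbprint <hex>
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$SiteName = 'Default Web Site',
    [int]$Port = 8443
)
Import-Module WebAdministration

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "certificate $Thumbprint has no private key; IIS cannot use it" }

# The "already in use" warning the commenter saw: look before adding the site binding.
$existing = Get-WebBinding -Protocol https -Port $Port
if ($existing) {
    "https port $Port already bound: $(($existing | ForEach-Object { $_.bindingInformation }) -join '; ')"
} else {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    "added https:*:$Port binding to '$SiteName'"
}

# Attach the certificate to the http.sys endpoint for that port on all addresses.
# If another certificate is already there, replace it with the dedicated AWF one.
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) {
    $current = (Get-Item $sslPath).Thumbprint
    if ($current -ne $Thumbprint) {
        "replacing certificate $current on 0.0.0.0:$Port"
        Remove-Item $sslPath
    }
}
if (-not (Test-Path $sslPath)) { New-Item $sslPath -Value $cert | Out-Null }
"certificate $Thumbprint bound to 0.0.0.0:$Port"

# Confirm from http.sys itself, which is what clients of the service actually hit.
netsh http show sslcert ipport=0.0.0.0:$Port
```

The final netsh line is the check worth keeping in your runbook: if the thumbprint it prints for 0.0.0.0:8443 is not the dedicated Advanced Workflow certificate, clients will be shown whatever certificate was bound there first, regardless of what the IIS site binding dialog displays.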