
Enabling SSL Protection on MCMS Sites

Content Management Server
 

Stefan Goßner
Liz Crawford
Microsoft Corporation

March 2005

Applies to:
    Microsoft Content Management Server 2002

Summary: Learn how to set up Secure Sockets Layer (SSL) for your Microsoft Content Management Server (MCMS) 2002 site. (6 printed pages)

Contents

Introduction to Enabling SSL Protection
Securing an Entire Site
Securing Parts of a Site with a Custom HTTP Module
Conclusion
Additional Resources

Introduction to Enabling SSL Protection

Secure Sockets Layer (SSL) is a protocol used to encrypt data sent over the Internet. You use SSL when you want to help secure Web pages that contain information such as passwords or credit card numbers. URLs for pages using SSL begin with "https:" instead of "http:", which is used for plain Hypertext Transfer Protocol (HTTP) requests.

You can use SSL for specific channels on your Microsoft Content Management Server (MCMS) 2002 site, or you can enable it for the entire site.

Because SSL can affect the performance of your site, consider using it only for the parts of your site that can benefit most from it, such as a small number of channels, or for the logon page on forms-based authenticated sites. For more information about helping to secure logon pages, see Forms-Based Authentication.

Note   This article assumes your site is running on standard port numbers. If your site does not use standard ports, you must change the port number in code and configuration files.

Securing an Entire Site

You can help to secure your entire MCMS site with SSL by obtaining an SSL certificate for the site. For more information, see Obtaining and Installing Server Certificates and the Microsoft Knowledge Base article How to Set Up SSL Using IIS 5.0 and Certificate Server 2.0.

After you have configured SSL for your site, you need to change pointers into the site for Site Manager, the Server Configuration Application (SCA), Authoring Connector, and Microsoft Visual Studio .NET as follows:

  • To change the point of entry for Site Manager: Modify the Target property of the Site Manager shortcut to the following:
    "C:\Program Files\Microsoft Content Management Server\Client\nrclient.exe" https://MyServer:443/NR/System/ClientUI/login.asp
    
  • To change the point of entry for Authoring Connector: Follow the instructions in Submitting Content to Other MCMS Content Servers.

    In the Server name and path box, type the new path to your server, for example:

    https://MyServer/mcms/cms/officewizard/oc.aspx
    
  • To change the point of entry for Visual Studio .NET:
    1. Open the file MyProject.csproj.webinfo. WebInfo is a special project file that keeps track of the virtual application root.
    2. Modify the VisualStudioUNCWeb element to the following:
      <VisualStudioUNCWeb>
          <Web URLPath = "https://MyServer/MyProject/MyProject.csproj" />
      </VisualStudioUNCWeb>
      
  • To change the point of entry for the MCMS tools in Visual Studio .NET:
    1. Open the file C:\Program Files\Microsoft Content Management Server\DevTools\DeveloperTools.xml.
    2. Modify the CmsVsTools element to the following:
      <CmsVsTools>
          <Tool ID="0" Name="Site Manager"
           Command="C:\Program Files\Microsoft Content Management Server\Client\NRClient.exe"
           Arguments="https://MyServer:443/NR/System/ClientUI/login.asp"/>
          <Tool ID="1" Name="Database Configuration Application"
           Command="C:\Program Files\Microsoft Content Management Server\Server\bin\NRDCApplication.exe"
           Arguments=""/>
          <Tool ID="2" Name="Server Configuration Application"
           Command="https://MyServer:80/NRConfig" Arguments=""/>
          <Tool ID="3" Name="Web Author Client"
           Command="https://MyServer/channels" Arguments=""/>
      </CmsVsTools>
      
      
    3. Modify the CmsEnvironment element to the following:
      <CmsEnvironment>
          <Server BaseUrl="https://MyServer" InstanceId="1"/>
          <Template QueryString=""/>
      </CmsEnvironment>
      
      

Securing Parts of a Site with a Custom HTTP Module

If you do not want to use SSL for your entire site, you can still help to secure channels within your site so that all postings within those channels require SSL. You can create a custom HTTP module that checks channels for a custom property called RequireSSL. If the custom property is present, and has the value yes, the module redirects requests to the channel to use SSL. For channels on your site that do not have the RequireSSL custom property set to yes, the module redirects the requests using HTTP instead of HTTPS.

If you are using a proxy server other than Microsoft Internet Security and Acceleration (ISA) Server, ensure that your proxy can rewrite the location header on the outgoing request. The custom HTTP module you create uses the location header from the incoming request to create the outgoing request.

Important   This code uses the NRORIGINALURL query string parameter to identify the URL to redirect. If your solution appends query string parameters to your posting URLs, you need to install hotfix 836895. For more information, see the Microsoft Knowledge Base article The Query String Arrays Are not Correctly Passed to the Posting.

To implement the custom HTTP module, you create the module class, and then configure your site to use it.

To create the custom HTTP module class

  1. Create a new Microsoft Visual C# class library project.
  2. Add the following references:
    • System.Web
    • Microsoft.ContentManagement.Common
    • Microsoft.ContentManagement.Publishing
  3. Replace the code in the class1.cs file with the following code.
    using System;
    using System.Web;
    using Microsoft.ContentManagement.Publishing;
    namespace McmsHttpModules
    { 
        public class CmsSslHttpModule : IHttpModule 
        { 
            public void Init(HttpApplication httpApp) 
            {
                httpApp.PreRequestHandlerExecute += new 
                EventHandler(this.OnPreRequestHandlerExecute);
            }
    
            public void Dispose() 
            {
                // nothing to do...
            }
    
            public void OnPreRequestHandlerExecute(object o, EventArgs e)
            {
                HttpApplication httpApp = (HttpApplication) o; 
                HttpContext ctx = HttpContext.Current;
                CmsHttpContext cmsContext = null;
    
                // catch expired auth cookie exception in forms login
                try
                {
                    cmsContext = CmsHttpContext.Current;
                }
                catch
                {
                    // nothing to do...
                }
    
                if (cmsContext != null)
                {
                    if (cmsContext.Channel != null)
                    {
                        bool RequireSSL = false;
                        if (cmsContext.Channel.CustomProperties
                        ["RequireSSL"] != null)
                        {
                          RequireSSL = 
                          (cmsContext.Channel.CustomProperties["RequireSSL"]
                           .Value).ToLower() == "yes";
                        }
    
                        string Url = "";
                        string UglyUrl = ctx.Request.Url.PathAndQuery;
                        if (cmsContext.Mode == PublishingMode.Published)
                        {
                            // uses query string parameter NRORIGINALURL to find friendly URL
                            if (ctx.Request.QueryString["NRORIGINALURL"] 
                            != null)
                            {
                                Url = 
                                ctx.Request.QueryString["NRORIGINALURL"];
                            }
                        }
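                        // Url.Host carries no port number, so the redirect
                        // assumes the standard HTTP and HTTPS ports.
                        if (Url != "")
                            Url = ctx.Request.Url.Host+Url;
                        else
                            Url = ctx.Request.Url.Host+UglyUrl;
    
                        // Redirect only when the current scheme does not
                        // match what the channel requires.
                        if (RequireSSL && !ctx.Request.IsSecureConnection) 
                            ctx.Response.Redirect("https://"+Url);
                        if (!RequireSSL && ctx.Request.IsSecureConnection)
                            ctx.Response.Redirect("http://"+Url);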
                    }
                }
            }
        }
    }
    
    
  4. Build the solution.
  5. Copy the DLL built from the solution to the bin directory of your MCMS project.
  6. Add the following code to the httpModules section of your web.config file, and replace myDLL with the name of your DLL.
    <add type="McmsHttpModules.CmsSslHttpModule, myDLL" 
    name="CmsSslHttpModule" /> 
    
    

To configure channels in your site to require SSL, add a custom property named RequireSSL with the value yes to each channel that you want to use SSL. The module ensures that all requests to postings or channel rendering scripts in these channels use SSL.
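
The following is an added example, not code from this article: it expresses the module's redirect decision as a pure function and accepts the NRORIGINALURL value only when it is a rooted local path, because that value arrives in the query string and is concatenated directly after the host name. SslRedirectPolicy, IsLocalPath, and GetTarget are hypothetical names, and the sample requests are constructed.

```csharp
using System;

// Added example, not part of the article's module. SslRedirectPolicy and its
// members are hypothetical; only NRORIGINALURL and RequireSSL come from the page.
public static class SslRedirectPolicy
{
    // True only for a rooted, same-site path: "/x" is accepted, while "//x",
    // "/\x", values without a leading slash (which would be glued onto the host
    // name) and values containing control characters are rejected.
    public static bool IsLocalPath(string path)
    {
        if (string.IsNullOrEmpty(path) || path[0] != '/') return false;
        if (path.Length > 1 && (path[1] == '/' || path[1] == '\\')) return false;
        foreach (char c in path)
            if (char.IsControl(c)) return false;
        return true;
    }

    // Returns the redirect target, or null when the scheme is already correct.
    // host: ctx.Request.Url.Host; friendly: the NRORIGINALURL value (may be null);
    // ugly: ctx.Request.Url.PathAndQuery, parsed by the runtime and always rooted.
    public static string GetTarget(bool requireSsl, bool isSecure,
                                   string host, string friendly, string ugly)
    {
        if (requireSsl == isSecure) return null;
        string path = IsLocalPath(friendly) ? friendly : ugly;
        return (requireSsl ? "https://" : "http://") + host + path;
    }

    public static void Main()
    {
        // Constructed sample requests: RequireSSL, IsSecureConnection, NRORIGINALURL.
        object[][] cases = {
            new object[] { true,  false, "/Channels/Shop/Checkout.htm" },
            new object[] { false, true,  "/Channels/News/Today.htm" },
            new object[] { true,  true,  "/Channels/Shop/Checkout.htm" },
            new object[] { true,  false, null },
            new object[] { true,  false, "other.example/path" },
        };
        foreach (object[] c in cases)
        {
            string target = GetTarget((bool)c[0], (bool)c[1], "MyServer",
                (string)c[2], "/NR/exeres/SAMPLE-GUID,frameless.htm");
            Console.WriteLine("{0,-30} -> {1}", c[2] ?? "(none)", target ?? "(no redirect)");
        }
    }
}
```

In the last two cases the function falls back to the request's own path and query, so the redirect always stays on the requesting host.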

Conclusion

You can secure MCMS postings with SSL in several ways, such as the following:

When you are choosing a method to secure your MCMS site, remember that SSL can affect the site's performance, so apply your security method to the fewest number of postings possible in your site.

Additional Resources

Forms-Based Authentication
HOW TO: Enable SSL on an MCMS 2002 Web Site
How to Implement SSL with Host Header Mapping in MCMS 2002
How to Set Up SSL Using IIS 5.0 and Certificate Server 2.0
Obtaining and Installing Server Certificates
