This Article Applies From:
DeMeter 2.8


Introduction

This article details how to set a certificate for DeMeter. If you feel unsure about the procedure, contact your remote support team.

TABLE OF CONTENTS

Introduction

1 - Pre- requisites  

     1.1 - Intended audience  

     1.2 - Suggested readings  

     1.3 - System state  

2 - Setting up the certificate  

     2.1 - Windows requirements  

     2.2 - Setting up a certificate  

     2.3 - Checking your connection is secure  

3 - Induced configuration changes  

     3.1 - DeMeter collector settings  

     3.2 - Desoutter software suite changes  


1 - Pre- requisites  


1.1 - Intended audience  

This article is intended for IT engineers in charge of securing the network.

A basic understanding of SSL / HTTPS protocols and certificates is required.


1.2 - Suggested readings  

The following articles can be useful before installing the certificates:

- DeMeter installation procedure.


1.3 - System state  

All necessary software in the DeMeter software suite have been installed on your server.


2 - Setting up the certificate  


2.1 - Windows requirements  

DeMeter only supports PFX and P12 certificates.

The certificate cipher rules depends on your IT rules and your server settings. In order to check what cipher suites are permitted on your computer:

  1. Open a PowerShell console.
  2. Type Get-TLSCipherSuite in the console then hit enter.

All cipher suites supported by your server will be listed.

If you wish to restrict the display to only check whether the certificate you wish to install is supported, type Get-TLSCipherSuite -Name XYZ, XYZ being the name of your certificate's cipher.

  • If nothing is returned, then the cipher suite of your certificate is not supported by your server.
  • If the command returns some data, then your cipher suite is supported by your server.

Note: it is key, in addition to your server allowing you to use a given cipher suite, to make sure that the cipher suite you intend is still secure.


2.2 - Setting up a certificate  

  1. Copy your certificate to the server running DeMeter.
  2. Stop the DeMeter service.
  3. Open the appsettings.json file in C:\ProgramData\Desoutter\DeMeter\API folder.
    Note: the file may not exist if you are using the default DeMeter port settings. If that is the case, copy the appsettings.json file from C:\ProgramFiles\Desoutter\DeMeter to C:\ProgramData\Desoutter\DeMeter\API.
  4. Edit the Certificate field to match the certificate's path.
    Note: you must use "\\" instead of the standard "\" in the path's name. As an example, if your certificate is directly located in the API folder, you should write: C:\\ProgramData\\Desoutter\\DeMeter\\API.
  5. Copy the password associated to your certificate in the CertificatePwd field.
  6. (Optional) Edit the secured port number associated to SSL / HTTPS in the ApiPortSecured field.
  7. Start the DeMeter service.


Contact your remote support team if you feel unsure about the procedure, or need additional help.


If you wish to remove the certificate from DeMeter, simply remove both the certificate path and its password from the appsettings.json file.


2.3 - Checking your connection is secure  

You can check that the certificate is correctly taken into account by connecting to DeMeter using your preferred web browser: see the below example for a local connection.


Note that, depending on the certificate generation method (i.e. the Trusted Root Certification Authorities), your web browser may deem your connection Not to be secure

This is not necessarily due to the certificate, but can be linked to your web browser not recognising the root certification authority. In such a case:

  • You can ignore the message an carry on. This may be disconcerting though to the users in house.
  • You can add the information for the root certification authorities to all computers that may have to connect to DeMeter. We advise to consult with your IT department to ensure this is done where necessary.


3 - Induced configuration changes  


It is necessary to ensure that all softwares from the DeMeter Software Suite but also from the broader Desoutter ecosystem are setup to connect to DeMeter via the secured port.


3.1 - DeMeter collector settings  

DeMeter Collector parameters need to be edited whenever DeMeter is setup with a certificate.

  • Open the file C:\Program Files (x86)\Desoutter\DeMeterCollector\appsettings.ini.
  • Change DeMeter_API_Use_HTTPS value to true.
  • Change DeMeter_API_Port value to 443 if you have made no change to the default port settings.
  • Save your changes then restart DeMeter Collector Service.


3.2 - Desoutter software suite changes  

The following software require a configuration change to work correctly with DeMeter as soon as a certificate has been configured:

  • DeMeter Assistant: it needs to be configured to retrieve alerts settings from DeMeter via https. This can be achieved through the user interface.
  • Connection to the DeMeter Tightening Result API must be made through the secured connection.
  • Pivotware: each Infinity Client connected to DeMeter must be setup for connecting via https.