Enabling HTTPS for the LEADTOOLS Medical Viewer and Service on IIS

Summary

HTTPS (HTTP over SSL/TLS) security is a requirement for many web applications. When properly implemented, HTTPS ensures that the traffic received was really sent from the expected endpoint, protecting the client and server. When a web application is secured via HTTPS, all resources, including web services, must also be secure. Fortunately, HTTPS support is ubiquitous and most of the plumbing is already in place. However, because HTTPS requires a machine-specific certificate, HTTPS is not enabled in the LEADTOOLS Medical Viewer and Service by default.

Adding HTTPS Support to the Service Hosted on IIS

Perform the following steps to add HTTPS support to the Medical Viewer and Service:

  1. Obtain a certificate (either an SSL (Secure Sockets Layer) certificate or a self-signed certificate)

  2. Add IIS binding to the certificate you obtained

  3. In IIS, configure SSL settings for the virtual directory of the web service

  4. Configure the web.config file to use a secure binding

Obtain a Certificate

There are two methods that can be used to obtain a certificate, as follows:

  • Purchase an SSL certificate from a Certificate Authority (CA) such as Symantec (VeriSign), Thawte, or GoDaddy. The SSL certificate authenticates and certifies that your website is secure. Certificates are only issued if the CA determines the company is who it says it is. The purchase cost is for the investigation and the brand name recognition provided by the CA. Consequently, purchasing an SSL certificate can be expensive.

  • Create a certificate signed by an internal or domain Certificate Authority (CA). These certificates are usually trusted across the domain, but the IT department may need to be involved and it is possible that your organization may not have an internal CA. Although each client running the host will still need a machine-specific SSL certificate, some equipment (like scanners) could be shared. The drawback is that the certificate is only trusted on the machine on which the certificate is created. Still, it is often suitable for development, internal deployments and in-house procedures, and it saves the cost of purchasing a certificate from an external trusted authority.

There are many resources on the Internet that explain each option described above in more detail. For information about creating a self-signed certificate, refer to https://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx and search for "Create a Self-Signed Certificate".

Add SSL Binding to the Certificate

For information about adding SSL binding, refer to https://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx and search for "Add SSL Binding".

In IIS, Configure a Virtual Directory for SSL

For information about configuring a virtual directory for SSL, refer to https://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx and search for "Configure Virtual Directory for SSL".

Configure WCF Service for HTTP Transport Security

Perform the following steps to modify the web.config file of the WCF service to configure the HTTP binding to use transport security.

  1. Modify the following attributes of each and every service:

    a. Change the service's bindingConfiguration to SSLBinding, or to SSLHandleLargeData if the service had HandleLargeData as its bindingConfiguration.

    b. Modify the metadata endpoint to become https by renaming mexHttpBinding to mexHttpsBinding.

Example 1

<service name="Leadtools.Medical.WebViewer.Wcf.AuthenticationService" behaviorConfiguration="WebViewerServiceBehavior">
   <endpoint address="" binding="webHttpBinding" contract="Leadtools.Medical.WebViewer.ServiceContracts.IAuthenticationService" behaviorConfiguration="WebViewerServiceBehavior" bindingConfiguration="SSLBinding">
   </endpoint>
   <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>

Example 2

<service name="Leadtools.Medical.WebViewer.Wcf.StoreService" behaviorConfiguration="WebViewerServiceBehavior">
   <endpoint address="" binding="webHttpBinding" contract="Leadtools.Medical.WebViewer.ServiceContracts.IStoreService" behaviorConfiguration="WebViewerServiceBehavior" bindingConfiguration="SSLHandleLargeData"/>
   <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
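
A check for step 1 above, added here as an example and not LEADTOOLS code: it parses a web.config and lists every service endpoint that was not switched to SSLBinding/SSLHandleLargeData or mexHttpsBinding. The sample configuration is constructed, and the expectation that the named bindings carry `<security mode="Transport"/>` is an assumption, since the page does not show their definitions.

```python
import xml.etree.ElementTree as ET

# Binding configuration names the page tells you to switch to.
SECURE_CONFIGS = {"SSLBinding", "SSLHandleLargeData"}
# Constructed sample: first service converted, second still on plain HTTP.
SAMPLE = """<configuration><system.serviceModel>
 <bindings><webHttpBinding>
  <binding name="SSLBinding"><security mode="Transport"/></binding>
  <binding name="HandleLargeData"/>
 </webHttpBinding></bindings>
 <services>
  <service name="Leadtools.Medical.WebViewer.Wcf.AuthenticationService">
   <endpoint address="" binding="webHttpBinding" bindingConfiguration="SSLBinding"
     contract="Leadtools.Medical.WebViewer.ServiceContracts.IAuthenticationService"/>
   <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
  </service>
  <service name="Leadtools.Medical.WebViewer.Wcf.StoreService">
   <endpoint address="" binding="webHttpBinding" bindingConfiguration="HandleLargeData"
     contract="Leadtools.Medical.WebViewer.ServiceContracts.IStoreService"/>
   <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service>
 </services>
</system.serviceModel></configuration>"""

def audit_web_config(xml_text):
    """Return (service, problem) pairs for endpoints not yet moved to HTTPS."""
    root = ET.fromstring(xml_text)
    # Assumption: each named binding sets <security mode="Transport"/>;
    # WCF's default for webHttpBinding is mode "None" (plain HTTP).
    modes = {}
    for b in root.iter("binding"):
        sec = b.find("security")
        modes[b.get("name")] = sec.get("mode", "None") if sec is not None else "None"
    findings = []
    for svc in root.iter("service"):
        name = svc.get("name")
        for ep in svc.findall("endpoint"):
            cfg = ep.get("bindingConfiguration")
            if ep.get("contract") == "IMetadataExchange":
                if ep.get("binding") != "mexHttpsBinding":
                    findings.append((name, f"metadata endpoint uses {ep.get('binding')}"))
            elif cfg not in SECURE_CONFIGS:
                findings.append((name, f"bindingConfiguration is {cfg}"))
            elif modes.get(cfg, "undefined") != "Transport":
                findings.append((name, f"{cfg} security mode is {modes.get(cfg, 'undefined')}"))
    return findings

if __name__ == "__main__":
    print(*audit_web_config(SAMPLE), sep="\n")
```

An endpoint that references SSLHandleLargeData while no binding of that name exists is reported as "undefined", which catches a rename applied to the endpoint but not to the bindings section.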

Conclusion

Enabling HTTPS support is an important first step in bridging the gap between secured browser applications and the desktop. However, HTTPS is not enabled by default because a machine-specific certificate is required to encrypt the connection. Fortunately, the steps required can be performed easily and without necessarily having to purchase a certificate.

© 1991-2017 LEAD Technologies, Inc. All Rights Reserved.