Configure Transport Layer Security

This article describes how to configure Transport Layer Security for CLEAR Engine, the Web UI, and the CLI.

In this article, you will learn how to:

• Configure TLS over TCP for CLEAR Engine.
• Configure TLS over HTTP for the Web UI.
• Configure TLS over TCP for the CLI.

At the end, you will be able to configure TLS for CLEAR Engine, the Web UI, and the CLI.

Configure TLS over TCP for CLEAR Engine

CLEAR Engine is built with Windows Communication Foundation (WCF), which the Web UI and the CLI use to communicate with it. By default, CLEAR Engine is only accessible through named pipe endpoints, which limits communication to process running on the same host.

To make CLEAR Engine accessible to other PCs, TCP endpoints must be enabled. The default TCP endpoint configuration used by CLEAR Engine is not secure. Follow these steps to enable transport security (TLS over TCP) for TCP endpoints:

1. Place the X.509 certificate to be used by the TCP endpoints in the machine-level Personal certificate store. The certificate can be the same used by the Web UI.
2. Open Windows PowerShell as administrator.

3. Enter the following command to open the CLEAR Engine configuration file with the default text editor:

    (Get-ChildItem "C:\Program Files\Lucent Sky\CLEAR Engine\SkyAnalyzer.Engine.exe.config").FullName | Invoke-Item
   

4. Locate the <behavior name=""> tag in the <system.serviceModel\> section, and place the following before the </behavior> end tag:

    <serviceCredentials>
        <!-- Replace CertificateThumbprint with the thumbprint of the X.509 certificate. -->
        <serviceCertificate findValue="CertificateThumbprint" x509FindType="FindByThumbprint" />
    </serviceCredentials>
   

5. Locate the <binding name="DefaultTcpBinding"> tag in the <system.serviceModel> section, and replace <security> tag with the following:

    <security mode="Transport">
        <transport clientCredentialType="None" />
    </security>
   

6. Locate the <binding name="LargeReceivedMessageSizeTcpBinding"> tag in the <system.serviceModel> section, and replace <security> tag with the following:

    <security mode="Transport">
        <transport clientCredentialType="None" />
    </security>
   

7. Enter the following command in PowerShell to restart CLEAR Engine for the changes to take effect:

    Stop-Service "CLEAR Engine"; Start-Service "CLEAR Engine"
   

8. For Lucent Sky AVM cluster, repeat the steps above on each node in the cluster.

After enabling TLS over TCP on CLEAR Engine, clients accessing it using TCP, such as the CLI or a Web UI installed on a different server, would need to enable TLS over TCP as well.

Configure TLS over HTTP for Web UI

After the Web UI is installed, it only has an HTTP binding. Adding a HTTPS binding enables browsers to access the Web UI using HTTPS. Follow these steps to add an HTTPS binding:

1. Place the X.509 certificate to be used by the TCP endpoints in the machine-level WebHosting certificate store.
2. Open Windows PowerShell as administrator.

3. enter the following command to add a new IIS site binding:

    # Replace CertificateThumbprint with the thumbprint of the X.509 certificate.
    $certificateThumbprint = "<CertificateThumbprint>"
    New-IISSiteBinding -Name "CLEAR Web" -BindingInformation "*:443:" -CertificateThumbPrint "$certificateThumbprint" -CertStoreLocation "Cert:\LocalMachine\WebHosting" -Protocol https
   

4. Enter the following command in PowerShell to restart CLEAR Engine for the changes to take effect.

    Stop-IISSite -Name "CLEAR Web"; Start-IISSite -Name "CLEAR Web"
   

5. For Lucent Sky AVM cluster, repeat the steps above on each node in the cluster.

Configure TLS over TCP for CLI

The default configuration for the CLI enables it to communicate with a CLEAR Engine instance running on the same host. To use the CLI with a CLEAR Engine instance running on another host, TCP endpoints must be enabled. The default TCP endpoint configuration used by the CLI is not secured. Follow these steps to enable transport security (TLS over TCP) for TCP endpoints:

1. Open the CLI configuration file SkyAnalyzer.Interface.Console.exe.config with a text editor. It is located in the same directory as the CLI executable.

2. Locate the <binding name="DefaultTcpBinding"> tag in the <system.serviceModel> section, and replace <security> tag with the following:

    <security mode="Transport">
        <transport clientCredentialType="None" />
    </security>
   

3. Locate the tag in the section, and replace tag with the following:

    <security mode="Transport">
        <transport clientCredentialType="None" />
    </security>
   

These steps assume that the CLI has been configured to use TCP endpoints instead of named pipe endpoints. To learn more about enabling TCP endpoints for the CLI, view the following article in the Lucent Sky Knowledge Base:
Administration guide to CLEAR Engine and Web UI