Enabling SSL for Datacap Web Services

You can enable Secure Sockets Layer (SSL) for Datacap Web Services by modifying settings in the Datacap Web Services configuration file.

1. Import the SSL certificate.

   For example, use the Microsoft Management Console (MMC) to import the certificate. After the import, verify that the certificate is trusted, that the private key is in the store, and that it is not expired.

2. Update the port. The port is set in the binding in Internet Information Services (IIS) or in the configuration file for the service.
   • When hosting the web services by using IIS, see the following steps for configuring an IIS-hosted Windows Communication Foundation (WCF) service with SSL https://msdn.microsoft.com/en-us/library/hh556232
   • When hosting the web services as a Windows Service, see the following steps for configuring a port with an SSL certificate: https://msdn.microsoft.com/en-us/library/ms733791
3. Enable SSL for Datacap Web Services:
   • When hosting the web services by using Microsoft Internet Information Services (IIS), do the following steps:
     1. Open \Datacap\wTM\web.config.
     2. Add the SecureWebHttpBinding binding by changing the following line:

        <webHttpBinding />

        to:

        <webHttpBinding>
          <binding name="SecureWebHttpBinding">
            <security mode="Transport">
              <transport clientCredentialType="Basic" />
            </security>
          </binding>
        </webHttpBinding>

     3. Change the following line:

        <serviceMetadata httpGetEnabled="true" />

        to:

        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>

     4. Save your changes.
   • When hosting the web services as a Windows Service, do the following steps:
     1. Open \Datacap\wTM\wTMservice.exe.config.
     2. Change the following line:

        <serviceMetadata httpGetEnabled="true" />

        to:

        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>

     3. Change the following line:

        <binding name="NewBinding1" maxBufferSize="104857600" 
           maxReceivedMessageSize="104857600" />

        to:

        <binding name="NewBinding1" maxBufferSize="104857600" 
           maxReceivedMessageSize="104857600">
        <security mode="Transport" />
        </binding>

     4. Change http to https in the following attribute, as follows:

        <add baseAddress="https://localhost:port/service" />

     5. Save your changes.
4. If you have a Datacap Navigator configuration, deploy a client certificate on IBM® WebSphere® Application Server for IBM Content Navigator:
   1. Log in to the WebSphere Application Server administrative console on the IBM Content Navigator server that acts as the SSL client.
   2. Navigate to Security > SSL certificate and key management.
   3. In the Related Items section, click Key stores and certificates.
   4. Select the default truststore:

      Table 1. Truststores for IBM WebSphere Application Server

      Configuration Type	Truststore
      IBM WebSphere Application Server Network Deployment	CellDefaultTrustStore
      WebSphere Application Server base and standalone	NodeDefaultTrustStore

   5. In the Additional Properties section, click Signer certificates.
   6. Click Retrieve From Port.
   7. In the Host field, enter the hostname of the wTM server.
   8. In the Port field, enter the secure wTM port.
   9. In the Alias field, enter a name for this certificate.
   10. Click Retrieve Signer Information.
   11. Verify that the certificate information is for a certificate that you can trust.
   12. Click Apply, and click Save.
   13. Restart the IBM Content Navigator application.
   14. On IBM Content Navigator, update the Datacap repository with the Datacap Web Services HTTPS URL.
   15. On IBM Content Navigator, update the plug-in with the Datacap Web Services HTTPS URL.