Configure Security for the CCS Web Service

We recommend that you configure the CCS so that calling applications must use SSL to connect to the CCS web service. If the CCS web service is not secure, any documents that are passed to the CCS for classification are transferred across your network in plaintext format.

CCS Integration with CA SiteMinder

To establish mutual authentication over SSL between the SiteMinder client and the CCS Server, the two applications must trust the identity of each other. In particular:

To configure security for the CCS web service over HTTPS

This section describes how to configure IIS so that the CCS web service uses SSL. The instructions are based on IIS 7.

Important! Repeat these instructions on your primary CCS server and each secondary CCS server.

  1. Launch the Internet Information Services (IIS) Manager on the CCS server.
  2. Click the host server in the left-hand pane.

    Available features for the host server are displayed in the center pane.

  3. Click the Server Certificates feature in the IIS group.

    Any SSL certificates that are already installed on the CCS server are displayed in the Server Certificates pane. Choose the certificate that you want to use.

    If no certificates are installed, use the Actions options in the right-hand pane to create or import a certificate.

  4. Add an HTTPS binding for the IIS server.
    1. In the left-hand pane, expand the Sites branch.
    2. Right-click the Default Web Site and click Edit Bindings.

      The Site Bindings dialog displays.

    3. Click Add.

      The Add Site Binding dialog displays.

    4. Set the Type to 'https'.
    5. Set the SSL Certificate to the certificate that you chose, created, or imported in step 3.
    6. Click OK to save the changes and return to the Site Bindings dialog.
    7. Click Close.
  5. In the left-hand pane, click Sites, Default Web Site, CADLPCCS.

    Available settings for the CADLPCCS web application are displayed in the center pane.

  6. Click the SSL Settings item.

    Available SSL settings for CADLPCCS web application are displayed in the center pane.

  7. Verify that the Require SSL checkbox is selected.
  8. If you require client authentication, verify that the Require checkbox under 'Client certificate' is selected.
  9. Click Apply in the Actions pane.
  10. Edit the web.config file to allow the CCS to work over HTTPS.

    Note: By default, the CADLPCCS web application is only configured for HTTP access and net.tcp access.

    1. Find web.config on the CCS server in the \CCS\WebService subfolder of the CA DLP installation folder.
    2. Find the following section:
      <basicHttpBinding>
          <binding name="basic" maxReceivedMessageSize="78643200"
           maxBufferPoolSize="1048576" maxBufferSize="78643200"
           sendTimeout="00:06:00">
              <security mode="None"></security>
              <readerQuotas maxArrayLength="78643200"/>
          </binding>
      </basicHttpBinding>
      
    3. Change the security mode from None to Transport:
       <security mode="Transport"></security>
      
    4. Save the change to web.config.
  11. By default, the CCS allows external users to browse to the WSDL over HTTP and view the CCS metadata. Edit web.config so that users can only view the CCS metadata over HTTPS.
    1. Open web.config. (See step 10 for details.)
    2. Find the following line:
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      
    3. Change the binding assignment from 'mexHttpBinding' to 'mexHttpsBinding':
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
      
    4. Find the following line:
      <serviceMetadata httpGetEnabled="True"/> 
      
    5. Change the property from 'httpGetEnabled' to 'httpsGetEnabled':
      <serviceMetadata httpsGetEnabled="True"/>
      
  12. Test that the HTTPS connection is working:
    1. Browse to the CCS web service WSDL over HTTPS:
      https://localhost/CADLPCCS/WgnCCS.svc
      
    2. Verify that the CCS metadata displays correctly.
  13. (Applies only to integrations between the CCS and CA SiteMinder) In a SiteMinder-CCS integration, you must export the CCS server certificate that you chose or created in step 3 when configuring the primary CCS server.

    The SiteMinder administrator must then deploy this certificate on the SiteMinder Policy Servers. For details about integration with the CCS and the associated SSL requirements, see the SiteMinder Implementation Guide.

  14. (Optional) In a typical integration, the CCS and the external application share a common certification authority. That is, the external application and the CCS use the same CA to sign their respective SSL certificates. For example, when the external application presents a certificate that was signed by VeriSign, the root certification authorities certificate store on the CCS server already includes a root certificate from VeriSign. Likewise, when the CCS presents a certificate that was signed by VeriSign to the external application, the external application already trusts VeriSign.

    However, if the external application and the CCS use different certification authorities, you must:

    1. Export the root CA certificate that was used to sign the certificate that you chose or created in step 3.
    2. Deploy this certificate on the relevant servers hosting the external application.

To establish mutual authentication between the CCS and client applications

(Optional) If you want to use mutual authentication based on client certificates, a further change to web.config is required.

  1. Open web.config.

    Find web.config on the CCS server in the \CCS\WebService subfolder of the CA DLP installation folder.

  2. Find the following line:
    <basicHttpBinding>
        <binding name="basic" maxReceivedMessageSize="78643200"
         maxBufferPoolSize="1048576" maxBufferSize="78643200" sendTimeout="00:06:00">
            <security mode="Transport"></security>
            <readerQuotas maxArrayLength="78643200"/>
        </binding>
    </basicHttpBinding>
    
  3. Add the following transport element to the security element.
    <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
    </security>
    
  4. Remove the following two elements.
    <serviceMetadata httpsGetEnabled="True"/>
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
    

Note: All security settings in web.config must match the security settings that are configured for the CADLPCCS web application in IIS.
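The following script is an added example, not part of CA DLP or its documentation: it audits a CCS web.config against the settings that the HTTPS procedure (steps 10 and 11) and the mutual-authentication procedure above produce, so that an administrator can confirm the edits on the primary and every secondary CCS server. The element and attribute names are those quoted on this page; the enclosing <system.serviceModel> layout and the sample configurations are assumed.

```python
# Added example (not CA DLP code): audits the web.config settings that the
# procedures above edit. Element names are those quoted on the page; the
# enclosing <system.serviceModel> layout is assumed.
import xml.etree.ElementTree as ET

def audit_ccs_web_config(xml_text, mutual_auth=False):
    """Return a list of findings (empty = matches the HTTPS-only procedure).
    With mutual_auth=True, also apply the client-certificate section."""
    root = ET.fromstring(xml_text)
    findings = []
    for bhb in root.iter("basicHttpBinding"):            # step 10
        for b in bhb.findall("binding[@name='basic']"):
            sec = b.find("security")
            mode = sec.get("mode") if sec is not None else None
            if mode != "Transport":
                findings.append(f"binding 'basic': security mode {mode!r}, expected 'Transport'")
            elif mutual_auth:
                tr = sec.find("transport")
                cred = tr.get("clientCredentialType") if tr is not None else None
                if cred != "Certificate":
                    findings.append(f"binding 'basic': clientCredentialType {cred!r}, expected 'Certificate'")
    for ep in root.iter("endpoint"):                      # step 11 / mutual-auth step 4
        if ep.get("address") != "mex":
            continue
        if mutual_auth:
            findings.append("mex endpoint present; remove it for client-certificate authentication")
        elif ep.get("binding") == "mexHttpBinding":
            findings.append("mex endpoint uses mexHttpBinding (metadata exposed over HTTP)")
    for sm in root.iter("serviceMetadata"):
        if mutual_auth:
            findings.append("serviceMetadata element present; remove it for client-certificate authentication")
        elif sm.get("httpGetEnabled", "").lower() == "true":
            findings.append("serviceMetadata httpGetEnabled=True (WSDL readable over HTTP)")
    return findings

# Constructed sample: the default (HTTP-only) layout from steps 10 and 11.
DEFAULT_CONFIG = """<configuration><system.serviceModel>
 <bindings><basicHttpBinding>
  <binding name="basic" maxReceivedMessageSize="78643200"><security mode="None"></security></binding>
 </basicHttpBinding></bindings>
 <services><service name="ExampleService">
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
 </service></services>
 <behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="True"/></behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""
# The same sample after the HTTPS edits in steps 10 and 11.
HTTPS_CONFIG = DEFAULT_CONFIG.replace('mode="None"', 'mode="Transport"') \
    .replace("mexHttpBinding", "mexHttpsBinding").replace("httpGetEnabled", "httpsGetEnabled")

if __name__ == "__main__":
    print(audit_ccs_web_config(DEFAULT_CONFIG))                  # three findings
    print(audit_ccs_web_config(HTTPS_CONFIG))                    # []
    print(audit_ccs_web_config(HTTPS_CONFIG, mutual_auth=True))  # three findings
```

Run it with the real web.config contents instead of the constructed samples; any finding means the file and the IIS SSL settings are not yet consistent.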