Mixed Mode Authentication

Jose,

I’ve never dealt with SSL certificates before.
Can you walk me through creating one or point me to a good resource?
I created a self-signed certificate on the server and installed it on my client, but I still receive that message.

For a decent walkthrough on the server side I still go back to Scott Gu’s post from when self-signed came out in IIS:

My current preferred article on trusting it on the client is:

If anyone has better, I’d love to see them!

Looks like I needed to use https://isiepicor.ispdc.int/LIVE instead of https://isiepicor/LIVE.
It tries to connect, but now I get a mismatched bindings message.

SSL is finicky. It likes perfect alignment on names for the obvious reasons - it doesn’t want anyone spoofing the server name in the middle of the conversation.


Open https://isiepicor.ispdc.int/LIVE in the browser.
It looks like you will see some yellow screen of error instead of the normal data.
Probably an error in your web.config.

Olga,

This is what I see when I do what you suggest.

The certs seem fine for now.
The issue I’m running into now is it’s coming up with a service mismatch between the client and the server.
Bart–do I need to add anything to the server web.config to allow for the Windows binding and the https binding?

And what does https://isiepicor.ispdc.int/LIVE/Ice/Lib/SessionMod.svc show?
I am asking because your exception information contains some runtime error shown in HTML; that should not happen.

Olga,

Initially it said I needed to add a tag in the web.config: <customErrors mode="Off" />
Once I did that, the link now showed this:

Upon trying to log in, I now get this:

OK, this is the correct screen.
So you now need to check the binding in web.config.
Find <system.serviceModel> <protocolMapping>;
for https there should be something like:
<remove scheme="https" /> <add scheme="https" binding="customBinding" bindingConfiguration="HttpsBinaryUsernameChannel" />

Right now I have it as TcpCompressedWindows since we use single sign on.
Am I able to add the second binding without messing up the single sign on?

<protocolMapping>
  <remove scheme="net.tcp" />
  <!--<add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedWindows" />-->
  <!--<add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedUsernameSslChannel" />-->
  <add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedWindows" />
  <!--
  <remove scheme="http" />
  <add scheme="http" binding="wsHttpBinding" bindingConfiguration="SOAPHttp" />
  <add scheme="http" binding="customBinding" bindingConfiguration="HttpBinaryUsernameSslChannel" />
  
  <add scheme="http" binding="customBinding" bindingConfiguration="HttpsOffloadBinaryUserNameChannel" />
  -->
  <!--
  <remove scheme="https" />
  <add scheme="https" binding="customBinding" bindingConfiguration="HttpsBinaryUsernameChannel"/>
  <add scheme="https" binding="customBinding" bindingConfiguration="HttpsBinaryWindowsChannel"/>
  <add scheme="https" binding="basicHttpBinding" bindingConfiguration="BasicHttp" />
  -->
</protocolMapping>

yes, one mapping per scheme

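As an added example (not code from the thread or from Epicor), the following PowerShell function checks the rule in the reply above: after the <remove> lines, each scheme in <protocolMapping> should have exactly one active <add>. Commented-out entries are XML comments, so they are not counted. It also flags a scheme that is added without first being removed, because machine.config already maps http, https and net.tcp, which is why the posted config removes a scheme before adding it. The sample web.config inline is constructed for illustration, and the real web.config path in the trailing comment is an assumption.

```powershell
# Added example, not from the thread or Epicor: validate <protocolMapping> in an
# AppServer web.config so each scheme has exactly one active <add>.
function Test-ProtocolMapping {
    param([Parameter(Mandatory)][xml]$Config)

    $mapping = $Config.SelectSingleNode('/configuration/system.serviceModel/protocolMapping')
    if (-not $mapping) { throw 'No <protocolMapping> under <system.serviceModel>' }

    # Commented-out entries are XmlComment nodes, so SelectNodes('add') only sees
    # the mappings WCF will actually load.
    $removed = @($mapping.SelectNodes('remove') | ForEach-Object { $_.GetAttribute('scheme') })
    $adds    = @($mapping.SelectNodes('add'))

    foreach ($group in ($adds | Group-Object { $_.GetAttribute('scheme') })) {
        [pscustomobject]@{
            Scheme   = $group.Name
            Active   = $group.Count
            Bindings = ($group.Group | ForEach-Object {
                           "$($_.GetAttribute('binding'))/$($_.GetAttribute('bindingConfiguration'))" }) -join ', '
            Removed  = ($removed -contains $group.Name)
            # One active mapping per scheme, and the inherited mapping removed first
            Ok       = ($group.Count -eq 1 -and $removed -contains $group.Name)
        }
    }
}

# Constructed sample (not a real site's web.config): SSO over net.tcp plus a
# username binding over https, the mixed-mode result the thread arrives at.
$sample = [xml]@'
<configuration>
  <system.serviceModel>
    <protocolMapping>
      <remove scheme="net.tcp" />
      <add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedWindows" />
      <!--<add scheme="net.tcp" binding="customBinding" bindingConfiguration="TcpCompressedUsernameSslChannel" />-->
      <remove scheme="https" />
      <add scheme="https" binding="customBinding" bindingConfiguration="HttpsBinaryUsernameChannel" />
      <!--<add scheme="https" binding="customBinding" bindingConfiguration="HttpsBinaryWindowsChannel" />-->
    </protocolMapping>
  </system.serviceModel>
</configuration>
'@
Test-ProtocolMapping -Config $sample | Format-Table -AutoSize

# Against a real AppServer (path is an assumption; use your own site's web.config):
# Test-ProtocolMapping -Config ([xml](Get-Content 'C:\inetpub\wwwroot\LIVE\web.config' -Raw))
```

Run it against the posted config before and after uncommenting the https line: the https scheme is absent until one <add> for it is active, and uncommenting two of the https lines shows Active = 2 and Ok = False, which is the "one mapping per scheme" rule failing.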

Awesome! It’s working.
Thanks for everyone’s help!


Well, I ran into another issue. The user was trying to print labels and was receiving an error:

Failed to launch task to submit report. Error: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘isiepicor.ispdc.int’. —> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

I thought that maybe it was because the task agent was pointing at the SSO task agent, so I tried to set up one for httpsBinaryUsernameChannel, but couldn’t get past this error. Thoughts?

***EDIT: It appears to just be auto print labels. It prints SSRS and Crystal reports just fine.

It looks like your certificate contains isiepicor.ispdc.int in the subject name.
You need to use that name exactly in the AppServer URL, not just ICIEpicor.
That is https://isiepicor.ispdc.int/LIVE

I realized that and changed to what you suggested, but the result ends the same.
Additionally, I’m not entirely sure the task agent is the issue anymore since the reports generate fine. It’s just the BPM auto printed labels (using Epicor’s Auto Print widget) that serve up that error.

In any case, the steps are the same: use the same URL that is written in the cert whenever you connect.
And, if it is a self-signed certificate, you also need to put it in the proper certificate store on the client, so the client can trust the self-signed certificate.
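An added example, not code from the thread or from Epicor, that performs the two checks the reply above describes from the client side: whether the host in the AppServer URL is one of the names the server certificate carries (SAN DNS entries plus the subject CN), and whether the client's certificate store trusts the chain. The URL is the one from the thread; the import command and certificate path in the usage note are assumptions.

```powershell
# Added example, not from the thread or Epicor: connect to the AppServer URL,
# inspect the presented certificate, and report name match and chain trust.
function Test-AppServerCertificate {
    param([Parameter(Mandatory)][string]$AppServerUrl)

    $uri        = [Uri]$AppServerUrl
    $serverName = $uri.DnsSafeHost           # the exact name .NET compares to the cert
    $tcp        = New-Object System.Net.Sockets.TcpClient($serverName, $uri.Port)
    try {
        # Accept any certificate during the handshake so it can be inspected here;
        # the real trust decision is the X509Chain build further down.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($serverName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Names the certificate is valid for: DNS entries in the SAN extension
    # (OID 2.5.29.17) plus the subject CN. A short name such as "isiepicor" does not
    # match a certificate issued to "isiepicor.ispdc.int".
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Build the chain against this client's stores. A self-signed cert that has not
    # been imported shows Trusted = False with ChainStatus "UntrustedRoot", which is
    # the "remote certificate is invalid according to the validation procedure" case.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Url         = $AppServerUrl
        HostInUrl   = $serverName
        CertNames   = ($names -join ', ')
        NameMatches = ($names -contains $serverName)
        Trusted     = $trusted
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Thumbprint  = $cert.Thumbprint
    }
}

# Usage with the thread's two URLs: the short name and the FQDN from the cert.
Test-AppServerCertificate -AppServerUrl 'https://isiepicor/LIVE'
Test-AppServerCertificate -AppServerUrl 'https://isiepicor.ispdc.int/LIVE'
```

If NameMatches is False, change the AppServer URL to one of the listed CertNames. If Trusted is False with UntrustedRoot, export the self-signed certificate from the server and import it into the client's trusted root store, for example `Import-Certificate -FilePath C:\certs\isiepicor.cer -CertStoreLocation Cert:\LocalMachine\Root` (file path assumed). Run the check from the account that actually reports the error, since the task agent or a service account may use a different certificate store than the logged-in user.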

Yup–all that has been done.
I can connect and use Epicor with the binding just fine.
I can use the modules, run processes, and print SSRS and Crystal reports.

I still can’t, however, generate auto printed labels. This is what is generating this error:

Failed to launch task to submit report. Error: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘isiepicor.ispdc.int’. —> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Turns out that, when using the httpsBinaryUsernameChannel binding, the auto print widget within the BPM needs to be set to “Queued” instead of “Immediate”.
Apparently Queued is recommended by development anyway.


Hi folks. I know this is an old post, but it is very relevant to setting up SSL via cloud / external.

Question to you all: what is the deployment path you’re using when you’re installing a new E10 client on a PC? It wants an \smb_share\deployment path … can it take an FTP/HTTP/HTTPS path instead, to remove the dependency on the on-prem config?

Thanks.

Hi Nick,

That is how it works for Epicor SaaS. In fact, this is what our Education link looks like:

<deploymentServer uri="http://deployepicorsaas..../CENTRALUSDT/Edu/"

Name changed to protect the still-wants-to-be-innocent…