Saturday, March 29, 2008

A primer on array-based and network-based replication

Replication helps protect your data and files by producing a duplicate copy at a second site, server, or storage array. I covered host-based replication in a previous blog.

In this blog, I’ll cover two other types of replication — array-based replication and network (or fabric) based replication.

Array-based replication
Array-based replication requires a central data storage unit (SAN or NAS) and a partner unit. With array-based replication, the SAN or NAS processes the data and the commands to process and validate the data being replicated.

Advantages of array-based replication
The work is offloaded from the servers to the storage device.
You only need one location to control many replications of multiple servers.
Hosts (Servers) are not required at the second site or to be attached to the second SAN/NAS.
A central SQL server can be set up to replicate with the servers that actually present applications to users, such as order tracking applications.
The right software can queue databases to ensure that transactions and the database are in a recoverable state.
Disadvantages of array-based replication
Cost per device can be high, especially when you’re not replicating all of the data on the SAN.
Only SAN or NAS based data can be replicated or controlled.
A second SAN or NAS is required, increasing the cost for the solution.
There could be compatibility problems of replication technology/software between SAN/NAS hardware and vendors.
Examples of array-based replication software
HP StorageWorks XP
EMC SANCOPY - Supports EMC and some other vendor arrays
EMC MirrorView - EMC only replication
NetApp SnapMirror
Network-based replication
The last type of replication is network (or fabric) based replication. This type of replication works separately from the hosts (servers) and the storage devices. A device on the network intercepts packets being sent to and from hosts and arrays and copies them. These copies are replicated to a second device that then replays the packets at a second location. The devices are, in essence, splitters. The data goes in and then it’s split out to different sources.

Advantages of network-based replication
It’s a separate component from the SAN/NAS or the hosts.
Processing is independent of the host and SAN/NAS.
It allows replication between multi-vendor products.
Disadvantages of network-based replication
The cost of implementing devices to support this kind of replication is high.
Newer technology for the data center, standards, and process are still being worked out.
There are a limited number of “players” in this area of replication.

Five new developments in storage infrastructure solutions

First there was Ethernet. Then, there was IP over Ethernet. Next came the mixed use of Ethernet, IP, and the SCSI command set (iSCSI) to simplify storage and to bring down the cost and complexity of storage. Today, iSCSI and Fibre Channel are fighting it out in all but the largest enterprises, and both have their pros and cons. Even though these are the two primary contenders in today’s block-level shared storage market, there are some other alternatives. The line is continuing to blur between these solutions as new initiatives are brought to market. Let’s take a look at some new developments in storage infrastructure solutions.

Faster Fibre Channel
Two Gbps and 4 Gbps Fibre Channel are very common in the marketplace, and manufacturers are just now beginning to demonstrate 8 Gbps Fibre Channel gear. There are also standards in the works for Fibre Channel running at 10 Gbps and 20 Gbps. This venerable technology continues to improve to meet the increasingly robust storage needs demanded by the enterprise. In some cases, Fibre Channel solutions on the market rival iSCSI solutions from a price perspective (e.g., Dell/EMC AX150) for simple solutions. However, faster Fibre Channel still has the same skill set hurdles to overcome. Just about every network administrator knows IP, but Fibre Channel skills are a different matter.

iSCSI over 10G Ethernet
iSCSI has become a technology that deserves short-list status… and at a gigabit per second, no less. Many iSCSI naysayers point to its slower interlink speed as a reason that it won’t stack up to Fibre Channel. However, iSCSI solutions are now on the cusp of moving to 10 Gbps Ethernet, meaning that iSCSI’s link speed could surpass even the fastest Fibre Channel solutions on the market. Of course, iSCSI still has IP’s overhead and latency, so we’ll see how well 10 Gbps Ethernet performs in real-world scenarios when compared to 8 Gbps Fibre Channel.

Further, 10 Gbps Ethernet gear is still extremely expensive, so, for the foreseeable future, 10 Gbps-based iSCSI solutions probably won’t fit the budgets of many organizations considering iSCSI as a primary storage solution. All this said, interlink speed is not necessarily the primary driver for replacement storage infrastructure in the enterprise. Performance boosts are often achieved by adding more disk spindles to the infrastructure or by moving to faster disk drives (e.g., from SATA to 15K RPM SAS or Fibre Channel).

Fibre Channel-over-IP (FCIP)
Fibre Channel-over-IP (FCIP) is a method by which geographically distributed Fibre Channel-based SANs can be interconnected with one another. In short, FCIP is designed to extend the reach of Fibre Channel networks over wide distances.

Internet Fibre Channel Protocol (iFCP)
Internet Fibre Channel Protocol (iFCP) is an effort to bring an IP-based infrastructure to the Fibre Channel world. Much of the cost of Fibre Channel is necessary infrastructure, such as dedicated host bus adapters (HBAs) and switches. These components can, on a per-port basis, add thousands of dollars to connect a server to the storage infrastructure. In contrast, transmitting Fibre Channel commands over an IP network would drive down infrastructure costs in a major way, requiring only gigabit Ethernet connections, which are already found on most servers. Further, even high-density Gigabit Ethernet switches cost only a couple thousand dollars. The main drawback to this proposal is the limitation to 1 Gbps Ethernet; although 10 Gbps gear is available, it would negate some of the cost benefit. On the plus side, iFCP (even on 10 Gbps Ethernet) would open Fibre Channel solutions to administrators that have IP-based skill sets. iFCP was ratified by the Internet Engineering Task Force in late 2002/early 2003.

ATA-over-Ethernet (AoE)
ATA-over-Ethernet (AoE) hasn’t enjoyed the popularity of iSCSI, but this isn’t due to any technical hurdles. The AoE specification is completely open and only eight pages in length. AoE doesn’t have the overhead of IP as does iSCSI since it runs right on top of Ethernet. Of course, this does limit AoE’s use to single locations, generally, since raw Ethernet can’t be routed. You can find more about AoE in one of my previous posts.

Summary
The future of storage is wide open. Between iSCSI, Fibre Channel, and even AoE, solutions abound for organizations of any size, and as the lines blur between some of these technologies, cost becomes less of an issue across the board.

Rolling back device driver updates in Windows Server 2003’s Device Manager

When updating a device driver to solve a problem or improve the performance of a device, there may be other things included with the new driver that produce unexpected results or cause other aspects of your Windows Server 2003 system to function differently than you expect.

Fortunately, there is a safeguard for situations where you have updated driver files that aren’t performing as needed: You can roll back the updates.

In this tip, we’ll take a look at the process for rolling back driver updates.

Note: You will only be able to roll back the driver file if the driver has been updated. If it has not yet been updated, there will be no driver available to revert back to.

Rolling back driver updates is simple. Follow these steps:

Open the Computer Management Console by right-clicking the My Computer icon on the Start menu and selecting Manage.
In the left pane of the console, select Device Manager.
Once loaded in the right pane, expand the category for the device whose drivers you wish to roll back.
Right-click the device in the list and select Properties.
On the device’s Property sheet, select the Driver tab.
Click the Rollback Driver button.
Note: If the Rollback Driver button is grayed out, the driver has not been updated and cannot be rolled back.

The driver will roll back to the previously installed version. You should also keep in mind that some drivers from Windows Update may need rolling back due to conflicts within a system. This may not happen often, but is a great tool for correcting problems with driver updates.

How do I… Add music and narration to a PowerPoint presentation?

The best presentations engage the audience using a number of creative tools. Sound effects, such as music and voice recordings can mean the difference between a good presentation and an outstanding presentation. You can energize your audience with a quick tempo, play your company’s latest jingle, or add narration to an on-demand presentation. At the very least, you can play music at the beginning and ending of a presentation as the audience enters and leaves the room. The only limits are good taste and your imagination.

Microsoft PowerPoint supports media clips, which include sound and video files. The computer playing your presentation will need a sound card and speakers. That doesn’t mean just the system you use to create the presentation, but any system on which you might play the presentation. Today, most systems come with everything you need, but older systems might need an upgrade. (It’s highly unlikely that you’ll encounter such an old system, but don’t rely on that — check it out first!)

Table A lists the media files PowerPoint supports, although this article deals only with sound files.

Table A: Media support
File | Explanation | Attributes
MIDI | Musical Instrument Digital Interface | Sound
WAV | Microsoft Windows audio format | Sound
MPEG | Motion Picture Experts Group | Standard video format with a frame-per-second rate
AVI | Microsoft Windows video format | Video format with a constant frame rate per second
GIF | Graphical Interface Format | 256-color picture that supports animation

Like most special effects, sound can catch the attention of your audience and convey a message or emotion in a way words or pictures can’t. On the other hand, used poorly, sound can be distracting or even annoying. As always, your purpose will determine how much, if any, sound your presentation needs.

The basics — inserting sound
Including sound is as simple as selecting a file:

Use existing clips by double-clicking one of the Title, Text and Media Clip layouts from the Slide Layout task pane. Double-click the media clip icon shown in Figure A to launch the Media Clip dialog box.

Figure A: Choose a media slide from the Slide Layout task pane
When you double-click a WAV or MIDI file, PowerPoint displays the prompt shown in Figure B. The options Automatically and When Clicked are self-explanatory.

Figure B: PowerPoint will play the sound file when the slide is current, or you can click the icon to play it
Work with unique sound files by choosing Movies and Sound from the Insert menu and then selecting Sound From File or Sound From Clip Organizer. You can also record sound or play a track from a CD. After selecting a file, PowerPoint prompts you to specify how to execute the file (see Figure B).

If PowerPoint doesn’t support a clip’s format, choose Object from the Insert menu and choose the appropriate object type. Alternately, you can convert the file to a supported type. Use a search engine to search for “video file conversion.” However, don’t be surprised if the converted file is less than satisfactory. It’s difficult to maintain quality when converting media files.

In PowerPoint 2007, you’ll find the Sound option in the Media Clips group on the Insert tab.

PowerPoint displays a sound clip as a small icon, which shows during Slide Show view. When the presentation plays the clip automatically, you might want to hide the icon. There’s really no good reason to display it.

To hide the icon, right-click the icon and choose Edit Sound Object from the resulting submenu. In the Sound Options dialog box, shown in Figure C, check the Hide Sound Icon During Slide Show option, and click OK. Double-click the icon in PowerPoint 2007 to find these options.

Figure C: Edit the file’s attributes
If you choose the click option, it’s worth mentioning that clicking the icon a second time doesn’t disable the sound — the file plays from beginning to end once you click it. In PowerPoint 2007, clicking the icon restarts the file.

To learn just how long a file lasts, right-click the icon and choose Edit Sound Object. The file’s playing time is in the Information section at the bottom (see Figure C). If you want the file to play continuously, while the slide is current, check the Loop Until Stopped option. Moving to the next or previous slide will cancel the loop.

Narrating a presentation
To record a unique sound or message, you’ll need a microphone. Unfortunately, some microphones that come with today’s systems aren’t very sophisticated. If you record someone talking, it may sound distorted when played. Suddenly, you may have a lisp or an accent! Specialized software can clear up some problems, but it’s expensive and that’s just one more piece of software you’ll have to learn. It might be more efficient to invest in a better microphone.

PowerPoint makes it easy to narrate a presentation, which is a plus in a Web-based, automated, or on-demand presentation. You might also use this feature to include a statement from an individual, such as a celebrity or your company’s CEO.

Don’t jump right into recording. First, write a script and rehearse it. Once you’re comfortable with your speaking part, you can record your narration:

Choose Record Narration from the Slide Show menu to open the Record Narration dialog box. In PowerPoint 2007, this option is in the Set Up group on the Slide Show tab.
Click Set Microphone Level to check your microphone. Read the sentence that appears in the Microphone Check dialog and let the Microphone Wizard adjust your microphone automatically. Click OK.
If you need to adjust the quality to CD, radio, or telephone, click Change Quality to open the Sound Selection dialog box. Just remember that quality increases the file’s size. If file size is a concern, you may have to compromise quality just a bit.
By default, PowerPoint stores the narration with the presentation. To store the sound file in a separate WAV file (in the same folder) check Link Narrations In. Click Browse to change the location of the separate WAV file, but use caution when doing so — only store the two separately when you have a good reason for doing so. If a sound file is over 50MB, you must link it.
Click OK and start recording. As PowerPoint displays your presentation, you narrate just as you want the message played. Continue to narrate each slide until you’re done.
At the end of the presentation, PowerPoint will prompt you to save the timings with each slide. This can be helpful if you didn’t get each slide just right and you need more practice.
Step five mentions linked files. If you’re using the same system to both create and show the presentation, linked files are fine, but not necessary. Linked files are a good choice if the sound files are large or if you plan to change the source file. By default, PowerPoint automatically links sound files that are larger than 100KB.

To change this setting, choose Options from the Tools menu, and then click the General tab and update the Link Sounds With File Size Greater Than option. PowerPoint 2007 users will find this option by clicking the Office button, clicking the PowerPoint Options button (at the bottom right) and then choosing Advanced. The option is in the Save section.

Use the Package for CD (PowerPoint 2003) or Pack And Go Wizard (PowerPoint 2002) to make sure you save linked files with the presentation. Names can be problematic: A linked file’s path name must be 128 characters or less.

More options
Narration is only one type of recording you might consider. If you can record it, you can include it in your presentation. To record a single message or unique sound, choose Movies and Sound from the Insert menu and choose Record Sound. In PowerPoint 2007, this option is in the Sound option’s dropdown list, in the Media Clips group on the Insert tab.

In the resulting Record Sound dialog box shown in Figure D, enter a description and name. Click Record when you’re ready to begin. Click Stop when you’re done. Use Play to listen to the new recording. Click OK to save the sound with the presentation. Or, click Cancel to exit and try again. If you save a sound, it appears as an icon, which you can use anywhere in the presentation you like. Mix this capability with action settings for a unique effect. Just don’t overdo it!

Figure D: You can record sounds inside PowerPoint

Playing a CD
Playing music is a great way to begin or end a presentation. However, the music doesn’t have to be a top 10 tune. It only needs to be appropriate. For example, you might play Mendelssohn’s Wedding March if your presentation is about catering receptions. Or, pleasing dinner music might be the way to go. It’s really up to you; just keep your audience in mind. To include a song from a CD, do the following:

Insert the CD.
From the Insert menu, choose Movies and Sound. Then, select Play CD Auto Track to open the Insert CD Audio dialog box. In PowerPoint 2007, choose Play CD Audio Track from the Sound option’s dropdown list. You’ll find this option in the Media Clips group on the Insert tab.
The Start At Time and End At Time fields let you capture just part of a track instead of using the entire track.
Use the Sound Volume button to control the audio’s volume.
Check the Hide While Not Playing option in the Display Options section if you don’t want the audio’s icon to show when the music isn’t playing.
Click OK when you’re done. PowerPoint lets you play the track by clicking or displaying the slide.
Like other sound files, PowerPoint displays a CD icon on the current slide. Just be careful that you don’t violate any copyright laws when including someone else’s music in your presentation.

A word on animation
You can use custom animation to control sound files to add a unique and creative dimension to your presentation. To get started, select a sound icon and display the Custom Animation task pane. PowerPoint offers a ton of options, and does a good job of disabling inappropriate choices for the selected clip.

Creating custom animation can be complicated and the truth is most presentations won’t need that much energy. However, the feature’s there and you might as well learn a bit about it. There’s an entire tab dedicated to animation in PowerPoint 2007. Click the Custom Animations option in the Animations group to create custom effects.

Design for effect
Multimedia files can liven up any presentation and sound is definitely part of that mix. You can play an appropriate tune or your company’s jingle. With one click, you can play your company’s latest radio ad for the head honchos. Whether you’re pitching a new product or sharing photos of your new baby, use sound to set the mood.

Saturday, March 8, 2008

Securing end users’ pesky password problems

This is the first of a three-part series introducing simple fixes to security breaches that your end users might be committing.

If you are anything like me, you have worked with varying degrees of security requirements for some time now. Regardless of what you do in technology, there is a requirement, spoken or otherwise that you have at least an awareness of what policies are in place.

In most HIPAA/GLBA/SOX/PCI shops, the policy is likely to be something that you sign off on when you begin working and possibly before you are allowed to have access to the network. In many companies, you are required to listen to a lecture, take a training course, or participate in a Webinar. Generally, it will cover such things as password requirements, acceptable use, and possibly a component on social engineering and how to avoid it. It will, or should, also tell you how you will maintain paper documents and dispose of them. If that policy is really good, it will include information on the classification of documents.

If business has gone through all the trouble of making all that information available to you, they must have some intention of enforcing the policies, right? The answer is “sometimes.”

Don’t get me wrong, business wants those policies adhered to. In many cases, there are audit standards that must be met and those audit standards require compliance. Business just may not have considered the step of how to communicate the policies in a way that the average user can be compliant and still get the job done. This is a place that IT can step in and help out.

Let’s look at password length and complexity. Generally, a password requires uppercase and/or lowercase, numerals, and special characters. The most common minimum length I have run across is eight. Today’s user is generally managing multiple passwords on multiple systems and in frustration may find it easier to just write them down. I even had a user who took to writing them on the monitor bezel! (Some things you just can’t make up!) Most will make some effort to keep them from becoming public knowledge but many will leave their written copies in an easily accessible location. That is where I can help.

One solution is to consider password vault software. A utility on my Mac is called Keychain. It stores and manages passwords in an encrypted state until I provide a master password on challenge. It is a simple and useful tool. Another good one is the open-source Password Safe. It works on a master PIN. There are also a variety of enterprise-level tools available.

If your environment is anything like where I have worked, getting a new piece of software to the end user is tough. It is at least a lengthy process. So try a couple of other ideas.

Most cubicles have an overhead bin or lockable drawer. I encourage end users to store their password file there. At least it is locked. For laptop users who don’t have a lockdown cable but DO have a lockable bin or drawer, I encourage them to put their laptops away nightly. I recall coming in to the office early one morning to find one of the cleaning staff struggling with a trash can with several laptops in it. I have been vigilant ever since.

If you don’t have a key for your desk or bin, ask your manager how to obtain one or ask Facilities for one. If your company has a Compliance Officer, that person will likely be able to help you out. While I am sure it can happen, I have never heard of a key request being turned down.

Because the solution is simple, most end users don’t have a problem with complying. And that is really what is at the heart of failure to comply with security requirements at the end user level. It needs to be simple.

Sometimes in IT we forget that the end user is there to do a very different kind of job than we are. What they care about most is their work product: the ability to turn out work that meets or exceeds business needs. Anything that they perceive is in the way of that effort is likely to meet with resistance. When we take the time to work through roadblocks with them, that resistance will go away.

What kinds of advice do you give end users on being more secure with their multiple passwords?

Using the Windows Server 2003 Computer Management Console’s Device Manager snap-in

Windows Server 2003 supports devices large and small, both as internal cards and external USB devices, which can be cumbersome for admins. Fortunately, Device Manager is included as a snap-in to the Computer Management Console. I view Device Manager as one of the hidden gems in Windows Server 2003 system maintenance.

To access Device Manager, open the Computer Management Console and select the Device Manager object in the left pane. This will display the Device Manager in the right pane.

Once it’s open, Device Manager displays a list of the categories of devices detected in the local system. Expanding these categories will show each device of this type installed, both internal and external. (Note: If a device fits multiple categories, its name will appear in all relevant categories. For instance, a USB CD-ROM drive will appear in the USB devices category, as well as the CD/DVD ROM device category.)

You can also get to Device Manager from the system applet in Control Panel, grouped in Computer Management for ease of use.

Using Device Manager
If you expand a device’s category in the right pane, you will see a list of all of the devices in the category. Devices that are experiencing problems will have a yellow exclamation point on them. Devices that are disabled will typically appear with a red x in Device Manager.

To view a device’s Properties, expand its Category, right-click the device in the list, and then select Properties. This will display the Properties dialog box for the device. These tabs are available:

General: Contains a description of the device and displays any issues with the device. This tab is useful for identifying a problem between Windows Server 2003 and the device by showing a description of the error message — regardless of whether it concerns communication or drivers.
Driver: Displays the options available for managing device drivers.
Resources: Displays the resource usage information for the device.
By using the Driver tab, you can perform the following actions against the device’s driver:

Driver Details: View the details of the driver, including the publisher and installation date.
Update Driver: Update the existing device driver to a newer version.
Rollback Driver: Undo a driver update, rolling back to the previously installed version.
Uninstall Driver: Completely remove a device driver from the system.

How do I… Request and install SSL certificates in IIS 7.0?

SSL (Secure Sockets Layer) certificates are perhaps the most common way to protect information being transmitted between a visitor’s Web browser and your Web site. SSL provides encryption services to information flowing between systems and can protect Web traffic, e-mail, instant messages and a host of other kinds of data transmittals.

I’m not going to go into great detail about the inner workings of SSL except to say that it is a critical infrastructure component for any organization that has a desire to protect customer or other confidential information. SSL is widely used by banks, e-commerce companies, and other Web entities that require transmission of sensitive information, such as passwords, social security numbers, etc.

I will show you how to obtain and install a third-party SSL certificate into Microsoft Internet Information Server 7.0 (IIS 7) running on Windows Server 2008. I am running the RC0 version of Windows Server 2008.

In the most simplistic view, there are four kinds of certificates to which you will be exposed during your SSL installation:

Self-signed SSL certificates: These are certificates that you generate and use to encrypt information passing between a client and your server. These certificates are good insofar as they do allow you to encrypt data, but since they are created on-site, the certificates have not been verified by a third party entity, meaning that the site can’t necessarily be trusted.
Third-party SSL certificate: A third-party SSL certificate provides the same encryption capabilities as a self-signed certificate. However, since the certificate is issued by a third party, it is considered a more trusted type of certificate, especially when the certificate chain extends to a trusted root certificate.
Intermediate certificate: Not all SSL certificate vendors are created equal. In order to be fully trusted, any certificate you obtain needs to eventually link to a root certificate that is trusted by your Web browser. However, not all vendors’ SSL certificates are natively trusted by root certificates. As such, with these vendors, you need to complete the SSL trust chain by (in addition to installing your SSL certificate) installing an intermediate certificate between a root certificate and your new SSL certificate. If you skip this step, users will continue to get certificate errors until this trust chain is established. The use of an intermediate SSL certificate requires a bit of additional network communication at the initial establishment of an SSL-secure session but beyond that, there is no performance penalty.
Trusted root certificate (or Trusted root certification authorities): A root certificate is the Grand PooBah of the certificate world. In order to complete the trust chain, your individual certificate must, in some way, link to a root certificate.
A third-party SSL certificate is generally considered more trusted than a self-signed certificate since the certificate information is verified by a third party and the certificate ultimately maps to what is called a trusted root certificate.

Note: I am assuming that you will be installing a brand new certificate that you do not yet own and not importing some kind of existing certificate. Further, I assume that you do not have a complex public key infrastructure in-house and that you need to get your certificate from a third party. Finally, I’m making the assumption that you have already installed IIS 7 on your Windows Server 2008 system.

Step 1: Prepare a Certificate Signing Request (CSR)
Regardless of the SSL vendor you use, your first step in the process is to create a Certificate Signing Request (CSR) that will be sent to the SSL vendor of your choice. The CSR is a Base-64 encoded PKCS#10 message (this basically means it’s a bunch of gobbledygook that is unreadable by humans) that contains all of the information necessary to identify the person or company applying for the certificate. The request also includes the applicant’s public key. This key is the public portion of a combined public key/private key structure that, together, is able to effectively and securely encrypt information.

Choose Start | Administrative Tools | Internet Information Services (IIS) Manager
In the IIS Manager, choose your server name
In the Features pane (the middle pane), double-click the Server Certificates option (Figure A) located under the Security heading.

Figure A: Open the properties page for the site you want to protect
You will notice two default certificates already installed on this server. To begin the process of requesting a new certificate, from the Actions pane, choose the Create Certificate Request option as shown below in Figure B.

Figure B: Click the Server Certificate button to begin the process
The first screen of the wizard asks for details regarding the new site. The common name should match the fully-qualified domain name for the site. Otherwise, provide information about your site, making sure to spell out the name of your state. (Figure C)

Figure C: Provide information about your site
Click Next to continue.
The next screen of the wizard asks you to choose cryptography options. The default, Microsoft RSA SChannel Cryptography Provider is fine. A key length of 1,024 bits is the default option and is fine as well. (Figure D)

Figure D: Choose a cryptography provider and key length
Click Next to continue.
Finally, provide a filename to which to save the certificate request. You will need the contents of this file in the next step, so make sure you know where to find it. (Figure E)

Figure E: Save the CSR
Here’s some of the CSR mumbo jumbo associated with this certificate request:


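The CSR the wizard writes can also be produced, and its contents read back, from the command line. This is an added example, not part of the original article; it uses certreq.exe and certutil.exe, which ship with Windows Server 2008, and the C:\csr folder and the O, L and S subject values are placeholders. KeyLength is set to 2048 rather than the 1,024-bit default mentioned above, because public certificate vendors no longer accept 1,024-bit RSA keys.

```powershell
# Added example, not from the original article: build the same PKCS#10 request
# the IIS wizard builds, using certreq.exe, then decode it with certutil.exe so
# the "gobbledygook" becomes readable. Run from an elevated prompt.
$work = 'C:\csr'                      # assumed working folder (placeholder)
New-Item -ItemType Directory -Path $work -Force | Out-Null

# request.inf drives certreq. Subject is the distinguished name the wizard asks
# for in Figure C; CN must be the site's fully-qualified domain name and the
# state (S=) must be spelled out. Replace the <...> placeholders.
@"
[NewRequest]
Subject = "CN=ssltest.westminster-mo.edu, O=<your organization>, L=<your city>, S=<your state spelled out>, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# Generate the key pair in the machine store (the private half stays there) and
# write the Base-64 encoded request to request.csr.
certreq.exe -new "$work\request.inf" "$work\request.csr"

# Decode the request: certutil prints the subject, the RSA public key, the
# requested extensions and the self-signature made with the private key.
certutil.exe -dump "$work\request.csr"

# The first line of the file is the PEM header; this whole file is what you
# paste into the vendor's order form in Step 2.
Get-Content -Path "$work\request.csr" -TotalCount 1
```

KeySpec = 1, KeyUsage = 0xA0 (digital signature plus key encipherment) and the Server Authentication OID 1.3.6.1.5.5.7.3.1 describe a key meant for an SSL server; Exportable = FALSE keeps the private key from being copied off the box.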

Step 2: Request a certificate from a certificate vendor

Now, with your CSR in hand, visit the Web site of your favorite SSL certificate provider and buy your new certificate. During the registration process, you need to provide the certificate company with information validating your or your company’s identity. Some consider this part a hassle, but it really is a vital part of the overall SSL chain. After all, you don’t want just anyone receiving a certificate that uses your company name!

The certificate request process varies by certificate company, so I can’t really provide the exact steps for the certificate request. What I can tell you is that, at some point, you’ll need to open up the text file that contains the certificate request in order to copy and paste the Base-64 encoded certificate request into the appropriate field on the order form.

Once you complete the vendor’s certificate request (Figure F) form and provide them with payment, you’ll need to wait for the SSL certificate to be delivered to you via e-mail.

Figure F: Provide the necessary information for the SSL certificate vendor

Step 3: Save the provided certificate somewhere accessible

What you get back from a certificate vendor depends on the vendor you choose. In the case of the company that I used to get my certificate, they sent back a zip file with three certificates. One of the certificates is named ssltest_westminster-mo_edu.crt. This is the certificate I need for the new Web site. The other two certificates are required if you need to chain the new certificate back to a root certificate. We will not be discussing them in this document.

The new certificate is nothing more than a text file, as was the case with the CSR. However, in this case, the information starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. In the previous step, the terms were BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST. Extract the contents of this zip file to a location accessible from your Web server.

Step 4: Install the certificate

After making sure that your Web server can access the certificate files, you need to install the new certificate so that it can be used by your Web site.

Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.
In the IIS Manager, choose your server name.
In the Features pane (the middle pane), double-click the Server Certificates option located under the Security heading.
To complete the process of requesting a new certificate, from the Actions pane, choose the Complete Certificate Request option.
The Complete Certificate Request window opens and asks you to provide the location at which the certificate file can be located (Figure G). Provide this location and also indicate what friendly name you would like to use for the certificate.

Figure G: Tell the wizard where it can find the certificate file and provide a friendly name
The certificate is now installed and ready to be assigned to a Web site.

Step 5: Add an HTTPS binding to a Web site

Now, with the certificate installed, it’s time to put it to work. In IIS 7, you need to bind the HTTPS protocol to a Web site and then assign an installed certificate to be used to protect that Web site. Follow these steps:

Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.
In the IIS Manager, browse to your server name | Sites | Your SSL-based site. You may need to create a new site. In Figure H below, notice that my site is named ssltest. The full Internet path to this site is ssltest.westminster-mo.edu. Since this Windows Server 2008 machine is running in a lab, you will see that it is a member of the Contoso domain, but I have added westminster-mo.edu sites to this server and appropriately configured DNS.

Figure H: A look at a site to which HTTPS will be bound
From the Actions pane, choose Bindings. This opens the Site Bindings window shown in Figure I.

Figure I: The Site Bindings window
In the Site Bindings window, choose Add. This opens the Add Site Binding window shown in Figure J.
In the Add Site Binding window, provide the binding type (HTTP or HTTPS, but for this purpose use HTTPS), the IP address that will be used for this site (192.168.0.16 for me), and the port that will be used for SSL.
Next, choose the SSL certificate that you want to use to protect this site. Note that I have chosen ssltest.westminster-mo.edu. Use the Browse button to locate the right certificate.

Figure J: Provide the appropriate details for the Add Site Binding dialog box
Click the OK button. See Figure K for the result.

Figure K: The results of the new binding

Step 6: Test your certificate

Now, test your certificate by browsing to the new site. You should not get any certificate errors. In Figure L note that I have successfully browsed to the new site and that there is a lock icon indicating that SSL is active. Figure M is a look at the certificate as detailed in the Web browser.

Figure L: The site is being protected by SSL

Figure M: The certificate is valid