Enable the HTTPS Protocol for the AVEVA P&ID Report Service

As of AVEVA P&ID 12.4, security for the AVEVA P&ID Report Service has been enhanced with the option of using the HTTPS protocol.

The additional setup required before this option can be used, and the procedure for enabling the HTTPS option are described in this topic.

Configuration

1. To facilitate configuration, a PowerShell script (PowerShellScriptToCreateSSLCerForPID.ps1) is provided in the installation folder of AVEVA P&ID Report Service 12.4.

   

2. Open Windows PowerShell ISE as an administrator:

   

3. Run PowerShellScriptToCreateSSLCerForPID.ps1.

   

   Note: You should not execute the PowerShell script if you are upgrading from AVEVA P&ID 12.4, because the SSL Certificate creation and port number binding will already have been completed.

   Note: The PowerShell script creates a self-signed certificate and binds it to the port number.

   Note: If you are using a valid certificate from certificate authority then make sure to create the certificate for the hostname and check if it is a trusted root.

Steps to Verify the Certificate is a Trusted Root

4. Select Run from the Start menu, and then enter certlm.msc.

5. The Certificate Manager tool for the local device appears.

6. Navigate to Certificates (Local Computer) > Personal > Certificates and locate the certificate you have created for the current host.

7. Navigate to Trusted Root Authorities > Certificates and locate the same certificate.

8. If not found, follow the below steps to import the certificate from personal certificates.

Export the Certificate from Personal Certificates

9. Navigate to Certificates (Local Computer) > Personal > Certificates and locate the certificate you have created for the current host.

10. Select the certificate, right-click and select All Tasks, then Export. The Certificate Export Wizard window appears:

    

11. Click Next.

12. Continue to click Next, accepting the default settings:

    

    

13. On the next page of the wizard, enter a password:

    

14. Continue to click Next, until the final page is displayed, and click Finish.

    

    

Import the Certificate to the Trusted Root

15. Right-click on the Trusted Root Certification Authorities tab in the Certificate Manager tool and select All Tasks, then Import. The Certificate Import Wizard window appears.

16. Click Next until the File to Import page is displayed.

17. Click Browse... and select the certificate file you saved earlier. Click Next.

18. Enter the password you entered in the export wizard. Click Next and Finish.

19. A security warning is displayed. Click Yes.

Generate the Certificates "Manually"

If the PowerShell script failed to generate SSL certificates or binding to the port number is failed, then follow the instructions to generate the certificates:

• Step 1. Create new SSL certificate.

• Step 2. Bind the generated SSL certificate to the required port number.

• Step 3. Copy the SSL certificate to the trusted root (as described previously).

Step 1. Create New SSL Certificate.

Open the Command Prompt as an Administrator:

20. Select Run from the Start menu, and enter cmd.

21. Right-click Command Prompt.

22. Select Run as administrator.

Copy the following command and paste it into the command prompt window:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "localhost"

Replace "localhost" with hostname.

Step 2. Bind the Generated SSL Certificate to the Required Port Number

Copy the following command and paste it into the command prompt window:

netsh http add sslcert ipport=0.0.0.0:8082 certhash=<certificate_thumbprint> appid={<your_app_id>}

Replace <certificate_thumbprint> with the actual thumbprint. If you do not know the thumbprint, follow the "Finding the Certificate Thumbprint" instructions later in this topic.

Replace <your_app_id> with your application GUID (can be any valid GUID).

Run the following command in PowerShell for the new GUID:

[guid]::NewGuid()

Finding the Certificate Thumbprint

23. Select Run from the Start menu, and then enter certlm.msc.

24. The Certificate Manager tool for the local device appears.

25. Navigate to Certificates (Local Computer) > Personal > Certificates.

26. Double-click on the certificate.

27. Go to the Details tab.

28. Find the Thumbprint field and copy its value.

    

If the Certificate Fails to Bind with the Port

If the certificate fails to bind to the port:

29. Check whether there is already a certificate bound to that port by using the following command:

    netsh http show sslcert

30. Look for port number 8082 in the results of the command. If the results include 8082, delete the binding using the following command:

    netsh http delete sslcert ipport=0.0.0.0:8082

31. Run Step 2 again. The port should now bid successfully.

Enable the HTTPS Protocol

32. Start the AVEVA P&ID Reports Service by running ServiceEditor.exe.

    Note: To access the AVEVA P&ID Reports Service if it is on a different machine from the AVEVA Integration Service (AIS), follow the Access the PIDReportService across Different Machines procedure (see later in this topic).

33. The PIDReportDataWinService Settings dialog is then displayed.

34. Select Use HTTPS.

    

Note: You must stop and start the service manually while switching between the HTTP and HTTPS protocols.

Access the PIDReportService across Different Machines

To access the AVEVA P&ID Reports Service (PIDReportService) on a different machine, for example if PIDReportService is installed on a different machine from the AVEVA Integration Service (AIS), then follow this procedure.

Since PIDReportService is a self-hosted application and uses self-signed certificates, to access it on another machine on the same network, the user must set the certificate on the other machine (where AIS is installed) to be trusted.

35. Open the PIDReportService URL in the machine in Chrome (or any other web browser).

36. On the site you want to add, right-click the red lock icon in the address bar:

    

37. Click the tab labeled Connection, then click Certificate Information.

38. Click the Details tab, the click Copy to File... This will open the Certificate Export Wizard (as shown previously in this topic). Click Next until the Export File Format page is displayed.

39. Choose DER encoded binary X.509 (.CER). Click Next.

40. Click Browse... and save the file to your computer. Name it something descriptive. Click Next, then Finish.

41. Open the browser settings, scroll to the bottom, and (for example in Chrome), click Show advanced settings....

42. Select Run from the Start menu, and then enter certlm.msc. The Certificate Manager tool appears.

43. Right-click on the Trusted Root Certification Authorities tab in the Certificate Manager tool and select All Tasks, then Import. The Certificate Import Wizard window appears.

44. Click Next until the File to Import page is displayed.

45. Click Browse... and select the certificate file you saved earlier. Click Next.

46. Enter the password you entered in the export wizard. Click Next and Finish.

47. A security warning is displayed. Click Yes.

48. Restart Chrome.