Saturday, June 21, 2008

Enabling SSL in IIS on all Windows versions (it will help to run Oracle on XP); must work

Enabling SSL on IIS is not as simple as clicking a checkbox setting, especially on Windows XP Professional. This site describes how to use OpenSSL to create a self-signed certificate that will freely enable SSL encryption for testing and private purposes.


Running IIS on Windows XP Professional
Many people do not know that Windows XP Professional includes a fully functional web server, Microsoft IIS 5.1. For a small office or home, this is incredibly convenient. If you're a developer who wants to try web development with HTML, Javascript, Active Server Pages (ASP), or VBScript, having IIS can allow you to experiment quickly with files on your local system. Of course, you could always download and install the free and robust Apache web server, but IIS is somewhat simpler and the documentation is better. [begin heated debate...]
You don't need to buy the more expensive Windows XP Advanced Server or Windows 2000 Server to run IIS. However, the XP Professional standard EULA (license) states that at most 10 computers may connect to your machine for IIS, File/Printing services, and remote access. That means you would be violating the license if you ran a web server using IIS from your house or office, and more than 10 people connected to it at once. If you want a free solution and don't need ASP, you could also run Apache+PHP on your XP Professional machine. The duo is free, unrestricted, and serves the same purpose.

Installing IIS on Windows XP Professional

The Internet Information Server (IIS) is not installed by default on Windows XP. To install it, one must log in under an account with administrator privileges, and go to "Control Panel"->"Add Remove Programs"->"Add/Remove Windows Components." Just check the "Internet Information Services" checkbox and complete the installation. (Note, if you click the "Details..." button, you can also install Microsoft's free FTP server.)
Once that finishes, you will have a directory called c:\Inetpub\wwwroot on your hard drive that contains the files that your web server will serve. To test your server, use Internet Explorer or Mozilla and type in "http://localhost" or "http://127.0.0.1" in the URL. You will see either an "Under Construction" page or a Microsoft page that says your web service is now running. These are default files installed by IIS in the wwwroot directory, and it is safe to delete them if you want a barebones IIS installation. Create a text file called "Default.asp", type something in it, and save it to the wwwroot directory. When you reload your site again, you will see the file you just made displayed in the browser. Now you are free to experiment with HTML, Javascript, CSS, etc. If you don't want to learn ASP, you can download and install the free and powerful PHP scripting engine, which integrates into IIS easily. PHP is an up-and-coming all-star in web server-side scripting; it is used by Yahoo!, CBS, and other large corporations. For example, one can create custom GIF images on the fly using one of the PHP function libraries. There are dozens of other useful function libraries in PHP. Furthermore, the documentation is superb.
Requirements for Installing Self-Signed Certificate
Now that you have IIS running and have set up some pages, let's say you would like to share your documents or web application securely, making sure everything is encrypted during its transmission over the wild, wild web. Encryption on the web is possible using a technology called SSL (Secure Sockets Layer). However, enabling SSL on IIS is not as simple as clicking a checkbox setting. In particular, enabling SSL independently on Windows XP Professional is not possible. This site describes a method of creating a self-signed certificate to enable SSL encryption for testing and private purposes. For businesses, novices, and individuals who don't have time to mess with server settings, you should hire an expert. I recommend you skim through this entire site before attempting the procedure, because it is fairly advanced. The requirements are below.
OpenSSL i386 binary and source distributions (free)
Active Perl (free)
Basic knowledge of how to use the command shell "cmd"
Ability to use a text editor
IIS Directory Security
First open the IIS configuration console. To do this the easy way, right click on the "My Computer" on your desktop and select "Manage". You can also get to it via "Control Panel"->"Administrative Tools"->"Computer Management". Expand through the following hierarchy: "Services and Applications"->"Internet Information Services"->"Web Sites"->"Default Web Site."
Right click on "Default Web Site", and select "Properties". Then click on the "Directory Security" tab.
Prepare a Certificate Request
Click on the "Server Certificate..." button. This will open the Web Server Certificate Wizard. Click "Next". At this point, you have the options of "Create a new certificate", "Assign an existing certificate", and "Import a certificate from a Key Manager backup file." Select "Create a new certificate" and click Next. (Update 9/5/2003. See Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL for a much simpler method.)

Digression: The Certificate Business
Though it's labelled "Create," this step actually means to request a certificate from a "certificate authority," and requires some elaboration. There is this thing called the Public Key Infrastructure (PKI), which is basically a group of companies that have agreed to trust each other, and a set of mechanisms for validating that trust. It is similar to the Kerberos system developed at MIT. Practically, this means that Windows comes pre-installed with the certificates of trusted companies. These certificates can be viewed by running certmgr.msc from a command window, and updated using Windows Update. For any certificate in the list of trusted certificates, your programs, particularly Internet Explorer, will not give you a warning when you access their website with SSL enabled. If the web server uses a certificate that is not issued by a trusted company (a.k.a. Certificate Authority or CA), then Internet Explorer will warn you that the certificate is not automatically trusted, and you should proceed with caution.
To the end-user of the website, it's the difference between having a security warning and not having one. Everything sent over SSL is encrypted regardless of whose certificate is used, whether it is one you cooked up on your own machine or one you're paying $400 per year for. The upshot is that when you request a certificate the traditional way, you are requesting it from the administrator of a 'trusted' party, who has the power to deny your request. For websites, this is almost always a company like Verisign or Thawte, whose trusted certificates are installed in almost all web browsers. They keep the trust by charging you a fee, which they use to monitor that no one who has been granted a certificate signed by them is doing anything illegal or untrustworthy.
To create your own certificate, you can pretend to be a certificate authority. The software that allows one to be a certificate authority in Windows is called "Certificate Services", but Windows XP Professional does not include an option to install it. If you have XP Advanced Server, then you can use the certificate generation procedure described on the IISFaq.com SSL page. Alternatively, you could also request a certificate from the administrator of a server running Certificate Services on your domain, if you are so lucky.
For the poor man who does not have money to spend on a trusted certificate or to buy XP advanced server, you can follow these steps to use the freeware OpenSSL tools to create your own certificate. This is the way I figured out after rummaging around on the Internet today, and may not be the easiest way in town.
Create the Self-Signed Certificate using OpenSSL
Continuing on in the wizard, choose "Prepare the request now, but send it later." The next four dialogs will ask you about the names that should be in the certificate. You can leave the defaults, or enter a name and location for your company. Finally, the wizard will ask you to save the certificate request to a file named certreq.txt.
In order to create a private key and sign the certificate, you will need to download the free OpenSSL for Windows Binaries and Source packages, courtesy of the GnuWin32 project on SourceForge. From the GnuWin32 project downloads page, download the two OpenSSL zip files labeled as "src" and "bin" for i386.
To make the process easier, you will also need to download and install the free ActivePerl. Download and install this so you will be able to run Perl scripts on your machine, independently or as scripts on IIS.
Next, unzip both of the OpenSSL packages to temporary folders. From the binaries package "bin" folder, copy the files "openssl.exe" and the two DLLs into the source package's "apps" folder. In the "apps" folder is a file called CA.pl. Open this perl script in a text editor and change the line $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; to read $SSLEAY_CONFIG="-config openssl.cnf";. (Alternatively, you can change the individual occurrences. Change $CA="openssl ca $SSLEAY_CONFIG"; to $CA="openssl ca -config openssl.cnf"; and $REQ="openssl req $SSLEAY_CONFIG"; to $REQ="openssl req -config openssl.cnf";.) Now copy the certreq.txt file you made above into this "apps" directory, and rename it to "newreq.pem".
Next, open a command prompt window in the apps directory, and run the following commands:
perl CA.pl -newca
perl CA.pl -signreq
Install the Certificate
If all is successful, you should have a file called "newcert.pem" in the "apps" directory, which contains your certificate. Open this file in a text editor and remove everything before the -----BEGIN CERTIFICATE----- line.
Go back into the "IIS management console"->"Directory Security" tab and click "Server Certificates". In the wizard, select "Process the pending request and install the certificate" and press Next. Browse to and open the newcert.pem file in the "apps" directory. (Note, you will have to set the file filter to "all files" in order to see the .pem file.) Click next to complete the process.
That's it! Now you have IIS set up with an SSL certificate. To turn on SSL, make sure in the "IIS configuration"->"Web Site tab"->"Advanced"->"Multiple SSL identities for this Web Site", you have a default IP address registered on port 443. If you want to only allow SSL encrypted connections from web browsers, click the "Edit" button in the "Secure Communications" section of the "Directory Security" tab, and check the "Require secure channel (SSL)" checkbox.
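The hand-editing step above (removing everything before the -----BEGIN CERTIFICATE----- line of newcert.pem) can be scripted. The following Python is an added example, not code from the original page: it keeps only the certificate block, rejects a file that holds no block or more than one, and computes the thumbprint that a client can compare in the browser's certificate viewer before choosing to trust the self-signed certificate. The function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import re

# One PEM certificate block. Anything outside it, such as the human-readable
# dump that precedes the block in newcert.pem, is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def extract_certificate(newcert_text):
    """Return (clean_pem, der_bytes) for the single certificate in the text."""
    blocks = PEM_BLOCK.findall(newcert_text)
    if len(blocks) != 1:
        raise ValueError("expected one certificate block, found %d" % len(blocks))
    body = "".join(blocks[0].split())            # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)  # rejects non-base64 debris
    if not der:
        raise ValueError("certificate block is empty")
    # Re-wrap at 64 columns, the conventional PEM line length.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    clean = "\n".join(
        ["-----BEGIN CERTIFICATE-----"] + lines + ["-----END CERTIFICATE-----"]
    ) + "\n"
    return clean, der


def thumbprint(der, algorithm="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: arbitrary bytes standing in for the DER encoding (not a
# real certificate), laid out with a text dump ahead of the PEM block.
SAMPLE_DER = bytes(range(90))
SAMPLE_NEWCERT = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number: 1 (0x1)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pem, der = extract_certificate(SAMPLE_NEWCERT)
    print(pem, end="")
    print("SHA-1   thumbprint:", thumbprint(der, "sha1"))
    print("SHA-256 thumbprint:", thumbprint(der, "sha256"))
```

To use it on the real file, read newcert.pem as text, pass the contents to extract_certificate, and write the returned PEM back out before running the IIS wizard.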
Results of Installing the Certificate in IE
Whenever anyone visits your web server using the https:// prefix in Internet Explorer (6.0), they will see the dialog shown below.
The first sentence of the IE dialog says Information you exchange with this site cannot be viewed or changed by others, which means that the data is being encrypted. However, because the certificate was not signed by a CA in the trust hierarchy, the warning is displayed. Therefore, this procedure is not recommended for any businesses collecting sensitive data from the public at large, such as e-commerce. However, for testing and private use, you may find it useful. This certificate could be permanently installed as trusted by the client, and the warning would thereafter be automatically bypassed for that client.
TEXT: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. * The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. * The security certificate has expired or is not yet valid. * The name on the security certificate is invalid or does not match the name of the site.
Results of Installing the Certificate in Netscape
In Phoenix/Mozilla/Netscape, they would see a similar dialog.
TEXT: Website Certified by an Unknown Authority, Unable to verify the identity of xyz as a trusted site. Possible reasons for this error: * Your browser does not recognize the Certificate Authority that issued the site's certificate. * The site's certificate is incomplete due to a server misconfiguration. * You are connected to a site pretending to be xyz, possibly to obtain your confidential information.
Encryption in Exchange 2000 with Outlook Web Assistant
Jeremy, from JD Technology, points out that these instructions are almost identical to the steps needed to create and install a certificate for Exchange 2000 with IIS5, (or for just IIS5 on Windows 2000 for that matter). The only difference is that the Directory Security section is in the Internet Services Manager in Administrative Tools.
In a typical Exchange 2000/IIS5 with Outlook Web Access configuration behind a firewall, the admin will need to open ports 25 (SMTP), 80 (HTTP), 1025-1028 (MAPI), 500-5020 (RPC), 53 (DNS), 135 and 139 (RPC Listening Ports), and perhaps 88, 110, 143, 189, 445, 636, 993, 995, 3268, 3269 for various other protocols. With an SSL configuration, only port 443 to the Exchange server needs to be opened. The only hurdle is to create and sign a certificate.
Note that if your Windows 2000 server is acting as a domain controller, you could also generate certificates by installing Certificate Services from the installation CD. Please search for the Windows 2000 Certificate Services White Paper or visit IISFAQ.com for more information.
SSL-Related Links
Someone wrote these Security notes, where I figured out that the .pem file must be stripped for IIS to recognize it as a certificate. See the section titled "Signing IIS keys with OpenSSL".
You can read about the CA.pl script - a friendlier interface for OpenSSL certificate programs.
Here is the main OpenSSL site
AnalogX PortMapper is a small freeware program that allows one to enable IP address restriction for a server.
CIS164: Introduction to Managing a Web Server - A course on using web servers with online lessons.
securityspace.com publishes a monthly research report on the top SSL Certificate CAs
whichssl.org provides an SSL Provider comparison table as well as information about how to purchase SSL certificates
IIS-Related Links
IIS Toolshed is a new site that provides tools, scripts, and utilities for running IIS.
IIS FAQ is a premiere site for resources on installing, configuring, and troubleshooting IIS.
Companies that Sell SSL Certificates
These companies sell secure certificates. Note that even for 'free' certificates, the companies will require some form of validation that you are who you claim to be. This is because those certificates are at some level automatically trusted by web browsers. A self-signed certificate will not be trusted automatically by anyone, but is also completely unrestricted.
Verisign - the 400 lb gorilla of security certificates
Thawte - purchased by Verisign in Dec. 1999, but retains its brand
Quality SSL - a smaller player (cheaper)
Instant SSL - offers 30-day free trusted trial certificates
GeoTrust - another established company
ipsCA - really cheap
FreeSSL - offers first-year free certificate for low volume & transaction commercial sites
XRamp Technologies, Inc. - secure certificates and security software vendor
Go Daddy SSL - Fully validated, low cost, secure SSL Certificates
CACert.org - a community-operated service that offers certificates free of cost
Network Solutions - Offers low volume and high volume options


How to Install on Windows Vista

If you are a developer using ASP.NET, one of the first things you'll want to install on Vista is IIS (internet information server). Keep in mind that your version of Vista may not come with IIS. I'm using Vista Ultimate edition.
First, go to Control Panel, and then click on Programs. You'll see a link for "Turn Windows features on or off"
If you expand the Internet Information Services tree node, you can see that there are a lot of options beneath it. You will probably want to explore these options, because even if you click on IIS, some of the necessary options for doing development aren't checked.
Once you've gone ahead and checked the items you want, and clicked OK, you'll see this dialog for a while….

Now when you navigate in your browser to localhost, you'll see the new default page… slick!

Installing IIS on Windows XP Home


Requirements
These instructions have the following requirements:
You are running Windows XP Home SP2. SP2 contains many changes to how Windows manages computer security. These instructions may not work on versions of XP older (or newer) than SP2.
Your Windows XP Home installation disc.
A Windows 2000 installation disc (any version.) You must copy IIS from a version of Windows 2000. These instructions do not work if you try to copy from XP Professional or Windows Server 2003.
Windows Script 5.6 or higher.
Please note!
At the risk of being redundant: This document only works when you copy IIS from a Windows 2000 CD. It will not work if you try to copy IIS from Windows XP Professional, or any newer version of Windows.
Path and CD-ROM notes
I assume that your windows folder is C:\Windows which is the default location. Substitute your actual windows folder if needed.
I assume that your CD-ROM drive is assigned the letter X:. Substitute your actual CD-ROM drive letter if needed.
Windows Script Installation
You need to be running Windows Script 5.6 or higher for these instructions to work. Newer versions of Windows XP will come with this version installed, but if you have a very old installation you may need to update this component manually.
To verify your version of Windows Script, open a command prompt and run:
cscript
You should see "Microsoft (R) Windows Script Host Version 5.6" or "...5.7". If you have a prior version, use the following link to update your scripting components.
Microsoft Download: Windows Script 5.7 for Windows XP
IIS Installation
Open the file C:\WINDOWS\INF\SYSOC.INF and find the section [Components].
Find the line:
iis=iis.dll,OcEntry,iis.inf,hide,7
and replace it with:
iis=iis2.dll,OcEntry,iis2.inf,,7
Typographical notes
This file is case-sensitive, so make sure you type OcEntry and not OCEntry or ocentry.
In the replacement text, there are two commas in a row before the 7.
From your Windows 2000 CD, copy the files X:\I386\iis.dl_ and X:\I386\iis.in_ to a folder on your hard drive.
Go to the folder from step #3 in a command window.
"Open Command Window Here"
Microsoft provides a PowerToy that lets you easily get to any folder in a command window. After installing the PowerToy, right-click on any folder to open it in the shell.
See: Microsoft PowerToys for Windows XP, and install "Open Command Window Here".
In the command window, decompress the two files with the following commands:
expand iis.dl_ iis2.dll
expand iis.in_ iis2.inf
(You may close the command prompt at this time.)
Move the files:
iis2.inf to C:\Windows\INF
iis2.dll to C:\Windows\System32\Setup
Open the Control Panel and choose Add or Remove Programs. From the column of icons on the left, choose Add/Remove Windows Components. IIS will now be available.
Optional Windows Components
You can also remove unused Windows components from this form. I unchecked "MSN Explorer". Note that some of these options (IE, Outlook Express) only remove a program from the Start Menu list, and don't actually remove the executables.
Check IIS and then click the details button. You can add or remove optional components in this form.
Do not install SMTP
I recommend unchecking SMTP. When I leave SMTP checked, my install hangs trying to configure SMTP. It's possible that I'm just not waiting long enough, but as I don't need that service I installed without it.
Click OK to close the details window and then Next to continue with the installation.
When prompted, insert your Windows 2000 disc and browse for X:\I386; do the same when prompted for your XP Home disc.
Once installed, you can access the Internet Services Manager by opening the Control Panel and choosing Administrative Tools.
Add Administrative Tools to the Start Menu
To add Administrative Tools to the Start Menu:
Right-click on the start button and choose Properties.
Click the Customize... button then select the Advanced tab.
Scroll the Start menu items list to the bottom, and select where you want Administrative Tools to appear.
Now that basic installation is complete, you must configure IIS.
IIS Configuration
When cross-installing IIS from Windows 2000 to Windows XP Home, the default Directory Security and Home Directory settings will not work correctly out-of-the-box.
Configure Directory Security
The default IIS account is IUSR_NAME. We need to replace this with NAME\IUSR_NAME (where NAME is your computer name.)
IIS User Accounts
IIS creates some user accounts, based on your computer's name, that it uses to run ASP applications: IUSR_NAME and IWAM_NAME, where NAME is the name of your computer.
This allows custom security settings to be applied to ASP and ISAPI applications.
Start Internet Services Manager from Administrative Tools.
Your computer will appear under Internet Information Services. Right-click on your computer and choose Properties.
Select Master WWW Service in the drop-down, then click Edit....
Select the Directory Security tab.
Under Anonymous access and authentication control click Edit...
In the Authentication Methods form, make sure only Anonymous access is checked, then click Edit....
The default username will be IUSR_NAME. We need to replace this with NAME\IUSR_NAME where NAME is your computer name. You can type it in manually or use these steps:
Click the Browse... button.
On the Select User form click the Advanced... button in the bottom left.
Click the Find Now button in the middle-right of this form.
Select IUSR_NAME in the user list at the bottom of the form, then click OK
Click OK to dismiss the Select User form.
Uncheck Allow IIS to control password. (This is important!)
Click OK to dismiss the Anonymous User Account form.
Click OK to dismiss the Authentication Methods form.
Click OK to dismiss the WWW Service Master Properties form.
Click OK to dismiss the Computername Properties form.
If you see "The requested resource is in use." trying to access your new web server, follow the Home Directory steps below to modify the Application Protection settings for the default web site.
Configure Home Directory
With Internet Services Manager:
Your computer will appear under Internet Information Services. Click on your computer to expand its list of servers.
Right-click on Default Web Server and choose Properties.
Select the Home Directory tab.
In the Application Protection drop-down under Application Settings choose Low (IIS Process).
Click OK to dismiss the form.
The default website may not work
If you go to http://localhost in a browser, chances are you will see an ASP error on line 19. Don't panic.
IUSR_NAME does not have permission to run the default IIS website. The default IIS website attempts to create admin-only ActiveX objects.
Testing your IIS installation
To test your IIS installation you should create some test files and point the default website to the folder containing those files.
Download iistest.zip.
Copy the iistest folder inside the .zip to your hard drive.
Click on your computer to expand its list of servers in Internet Services Manager.
Right-click on Default Web Server and choose Properties.
Select the Home Directory tab.
In the Local Path: textbox, type in the path to the iistest folder you extracted (or use the Browse... button to find it.)
Click OK to dismiss the Default Web Site Properties form.
If everything is set up correctly, you should be able to see the test at http://localhost/default.htm.
Troubleshooting
If your site is not enabled after following these directions, if you cannot choose IIS components to install, or if the server serves HTML but not ASP, here are some things you can try:
Are you using Windows 2000? These instructions only work if you copy IIS from Windows 2000. They will not work with Windows XP Professional or Windows Server 2003.
Double-check your edits to C:\WINDOWS\INF\SYSOC.INF. The file must be edited exactly as shown, and saved to the correct place.
Reboot. Some users report that rebooting causes IIS to start properly.
Rebuild the IIS COM+ components. This page by Brooks Younce shows how.
Additional XP Home Hacks
The ScottXP website has tips on how to enable additional advanced functionality on XP Home.
When running IIS, it is useful to enable User and Group management and advanced file security.
Alternative Web Servers
There are other web servers that can run on Windows XP Home.
Apache has a native Windows version.
Lighttpd has a Windows version that runs with cygwin or mingw.
Note that neither of these support ASP applications natively, which is presumably why you are installing IIS in the first place.
Versions
2.0:
New styling.
1.2:
Additional troubleshooting section added, with a link to rebuilding the IIS COM+ components. (Thanks to Richard Castellon.)
1.1.1:
Added link to "Windows Script 5.6 for Windows XP and Windows 2000".
1.1:
Added note that IIS must be copied from Windows 2000, not Windows XP Pro.
1.0:
Initial posting.
Contact Information
Email: play4s@yahoo.co.in