
Change SolarWinds Information Services SSL Certificate

Is there a simple way to have SolarWinds use a different certificate (preferably one from my CA) for its Information Service v2 and v3?  I've found files associated with them, but not sure what could go wrong by changing them.

The 2 files which mention the default self signed certificate are:

C:\Program Files (x86)\SolarWinds\Orion\Information Service\2.0\SolarWinds.InformationService.Service.exe.config

C:\Program Files (x86)\SolarWinds\Orion\Information Service\3.0\SolarWinds.InformationService.Service.exe.config

To be clear, this is not for the IIS certificate, as that has already been updated to the new one.

Thanks for any help.

  • Hi hortonew,

    I'm checking your question with engineering, we will let you know shortly. In the meantime, why are you trying to replace the certificate?

  • Government compliance scans (using eEye Retina Security Scanner) return results for that certificate which include:

         SSL Weak Signing Algorithm

         SSL Certificate Domain Name Mismatch

         SSL Certificate self signed

    All for TCP:17778 (SolarWinds-Orion) certificate, which applies to the certificate used for Information Service v2 and v3  (pretty sure both).

    Assigning our own 3rd party certificate like we did for IIS would remove these 3 items from our scans.

  • This is possible, but it is not well supported. Setting it up is a manual process and if you run the Configuration Wizard again it will mess it up. That said, I understand your concerns about having invalid certificates. If you want to correct this, here are the steps:

    1. Obtain a valid certificate for the FQDN of your Orion server. You should be able to use the same one you used for IIS.

    2. Get the thumbprint of this certificate. See Microsoft's instructions for this.

    3. Configure http.sys to use this certificate for all connections on port 17778. See Microsoft's instructions for this as well. The commands are different depending on which OS you are on. The Configuration Wizard will have already created an association between the self-signed CN=SolarWinds-Orion certificate and port 17778, so you will have to delete this association before you can create a different one.

    4. Edit the config files for SWISv2 and SWISv3 ("C:\Program Files (x86)\SolarWinds\Orion\Information Service\2.0\SolarWinds.InformationService.Service.exe.config" and "C:\Program Files (x86)\SolarWinds\Orion\Information Service\3.0\SolarWinds.InformationService.Service.exe.config") to change how the certificate is selected for the "OrionBasic" (v2 and v3) and "/Json" (v3 only) endpoints. For the "OrionBasic" endpoint, look for a block of XML that looks like this:

            <endpoint
              address="OrionBasic"
              binding="basicHttpBinding"
              bindingConfiguration="BasicInteropBinding"
              contract="SolarWinds.InformationService.Core.IInformationService">
              <identity>
                <certificateReference
                  x509FindType="FindBySubjectDistinguishedName"
                  storeName="My"
                  storeLocation="LocalMachine"
                  findValue="CN=SolarWinds-Orion" />
              </identity>
            </endpoint>

    And change the "certificateReference" part to point to your valid certificate. For the "/Json" endpoint, the block of XML looks like this:

            <endpoint address="/Json" binding="webHttpBinding" bindingConfiguration="RestBinding" contract="SolarWinds.InformationService.Core.IRestInformationService"
                      behaviorConfiguration="RestEndpointBehavior">
              <identity>
                <certificateReference x509FindType="FindBySubjectDistinguishedName" storeName="My" storeLocation="LocalMachine" findValue="CN=SolarWinds-Orion" />
              </identity>
            </endpoint>

    Once you have edited those config files, restart SWIS and it should start using the valid certificates. I highly recommend you test out this procedure on a lab server before affecting your production system if at all possible. Download an evaluation copy of NPM if you need to.
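
Steps 2 to 4 of the procedure above as one script, added here as an example and not SolarWinds' own tooling. Assumptions: the thumbprint is a placeholder, the existing binding sits on 0.0.0.0:17778, and the references are switched to `FindByThumbprint` as one way of pointing them at the new certificate.

```powershell
# Added example. Run elevated, on a lab server first, as the post recommends.
$Thumbprint = 'PUT-YOUR-CERT-THUMBPRINT-HERE'   # placeholder, not a real value
$IpPort     = '0.0.0.0:17778'                   # assumed binding address
$SwisRoot   = 'C:\Program Files (x86)\SolarWinds\Orion\Information Service'
$Configs    = '2.0', '3.0' | ForEach-Object {
    Join-Path $SwisRoot "$_\SolarWinds.InformationService.Service.exe.config" }

# Step 2: the certificate must sit in LocalMachine\My together with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint is missing from LocalMachine\My or has no private key"
}

# Step 3: save the current binding, reuse its application ID, then swap the certificate.
$before = netsh http show sslcert "ipport=$IpPort"
$before | Set-Content (Join-Path $env:TEMP 'sslcert-17778-before.txt')
$appId = [regex]::Match(($before -join "`n"), '\{[0-9a-fA-F-]{36}\}')
if (-not $appId.Success) { throw "No existing http.sys binding on $IpPort" }
netsh http delete sslcert "ipport=$IpPort"
netsh http add sslcert "ipport=$IpPort" "certhash=$Thumbprint" "appid=$($appId.Value)"
if ($LASTEXITCODE -ne 0) { throw 'netsh add sslcert failed; roll back from the saved binding' }

# Step 4: repoint only the OrionBasic and /Json endpoint identities, keeping a backup.
foreach ($path in $Configs) {
    if (-not (Test-Path "$path.bak")) { Copy-Item $path "$path.bak" }
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)
    $xpath = "//endpoint[@address='OrionBasic' or @address='/Json']/identity/certificateReference"
    foreach ($ref in $xml.SelectNodes($xpath)) {
        $ref.SetAttribute('x509FindType', 'FindByThumbprint')
        $ref.SetAttribute('findValue', $cert.Thumbprint)
    }
    $xml.Save($path)
}
# Restart the SWIS services afterwards so they reload the edited configuration.
```

Because the post notes that the Configuration Wizard undoes these changes, the saved binding text and the `.bak` files are what you compare against after any later wizard run.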

  • You said, "...to change how the certificate is selected for the "OrionBasic" (v2 and v3) and "/Json" (v3 only) endpoints. ..."

    Does this mean the JSON interface is unable to access any NCM tables? 

  • That's correct. This will be fixed when NCM updates to SWISv3.

  • It's now 2018.  This issue has come up again, with the push to retire port 80 everywhere and move things to port 443.  We've updated our IIS certs to a new cert signed by our own CA for port 443, but the REST interface is still using the self-signed SolarWinds original certificate.

    Is installing a custom, signed/trusted cert for use in the other (not port 443) solarwinds-npm services still a barely-supported operation, or is it easier now?  We did some hunting through the configuration settings in the npm web gui and didn't find anything regarding ssl certificates.

    What is the current guidance for this issue?

  • After following the instructions on this thread to change the IIS bindings and cert, I also had to do this:

    Wrong URL in email alert

    . . .in order to get the links in the alerts to work properly.

  • Hi,

    I went through this process and when browsing to https://OURSORIONSITE:17778 I could see the correct cert being used, the new one issued from our PKI and the same one successfully applied in IIS for 443 access. So that bit seems fine.

    The SWIS services (SolarWinds Information Service and SolarWinds Information Service V3) start okay and I can login to SW Orion but get generic errors when trying to actually access anything. In the app event logs I see errors for both SWIS services:

    Error starting plugin Orion

    Cannot load the X.509 certificate identity specified in the configuration.

    I'm not sure why, I've used the correct common name in the config files (the 3 entries mentioned further up in this thread). Though the file in the 2.0 path is slightly different and has V2 in the name i.e. SolarWinds.InformationService.ServiceV2.exe.config

    Any ideas? Is there a different config file for later versions of Orion? Do I need to configure some permissions somewhere for access to the new cert?

    I've rolled back to the original self-signed cert and everything works again, but I would like to be able to use our PKI cert to address security scan concerns.

    Cheers.

  • I also had some issues trying to get my cert to work.  In my case, it didn't like my cert's distinguished name.  I changed the command to identify the cert with the thumbprint instead before it finally worked:

    <certificateReference x509FindType="FindByThumbprint" storeName="My" storeLocation="LocalMachine" findValue="put your cert thumbprint here" />

    You can find your cert thumbprint if you view the cert in Windows.

    Cheers,

    Tony
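
A read-only check for the "Cannot load the X.509 certificate identity" error reported in this thread, added as an example and not SolarWinds code: it resolves every endpoint `certificateReference` in the SWIS config files against the certificate store using the same find type and value. `FindBySubjectDistinguishedName` compares the certificate's entire subject string, so a `findValue` holding only the CN matches nothing when the subject carries further fields. The recursive file filter is an assumption made to cover both file names mentioned in the thread.

```powershell
# Added example: report what each certificateReference actually resolves to.
$SwisRoot = 'C:\Program Files (x86)\SolarWinds\Orion\Information Service'
$X509     = 'System.Security.Cryptography.X509Certificates'

$files = Get-ChildItem $SwisRoot -Recurse `
    -Filter 'SolarWinds.InformationService.Service*.exe.config'

$report = foreach ($file in $files) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($file.FullName)
    foreach ($ref in $xml.SelectNodes('//endpoint/identity/certificateReference')) {
        $findType  = [Enum]::Parse(("$X509.X509FindType" -as [type]),
                                   $ref.GetAttribute('x509FindType'))
        $location  = [Enum]::Parse(("$X509.StoreLocation" -as [type]),
                                   $ref.GetAttribute('storeLocation'))
        $findValue = $ref.GetAttribute('findValue')

        # Look the certificate up exactly as the attributes describe it.
        $store = New-Object "$X509.X509Store" ($ref.GetAttribute('storeName'), $location)
        $store.Open('ReadOnly')
        $found = @($store.Certificates.Find($findType, $findValue, $false))
        $store.Close()

        [pscustomobject]@{
            Config        = $file.FullName.Substring($SwisRoot.Length + 1)
            Endpoint      = $ref.ParentNode.ParentNode.GetAttribute('address')
            FindType      = $findType
            Matches       = $found.Count      # 0 means the reference cannot be loaded
            Subject       = ($found | ForEach-Object { $_.Subject }) -join ' | '
            HasPrivateKey = ($found | ForEach-Object { $_.HasPrivateKey }) -join ','
            Signature     = ($found | ForEach-Object { $_.SignatureAlgorithm.FriendlyName }) -join ','
            NotAfter      = ($found | ForEach-Object { $_.NotAfter.ToString('u') }) -join ','
            # Thumbprints pasted from the certificate dialog can carry invisible characters.
            NonAsciiInFindValue = [bool]($findValue -match '[^\x20-\x7E]')
        }
    }
}
$report | Format-List
```

A row with `Matches` of 0 points at the `findValue`, while a match with `HasPrivateKey` false points at how the certificate was imported; the `Signature` column covers the "weak signing algorithm" scan finding.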