Configuring Proficy Historian 7 and/or Plant Applications 7

Universal Client for SSL Signed Certificates

Contents
Prerequisites ........................................................................................................................................................................... 2
Installing A Certificate to the Proficy Plant Applications 7.0 Reporting/Web Server ............................................................. 3
Appendices .............................................................................................................................................................................. 6
How to Leverage OpenSSL To Create A Certificate Request For Submission To A Certificate Authority (CA) ................... 6
How to Install OpenSSL To Leverage Tools for SSL Certificate Creation on the Proficy Plant Applications Report Server 8
Prerequisites
A signed certificate from a trusted certificate authority (CA). The certificate MUST contain at least TWO SANs
(Subject Alternative Names) with the report server’s FQDN (Fully Qualified Domain Name)
(servername.mydomain.suffix) and the NetBios/Short/Host) computer name (servername).

This is required to facilitate the Report Server’s reliance on a Hostname (NetBios) or FQDN of 25 characters or
less.

If the Report Servers FQDN is 25 characters or less, the FQDN may be used and a NetBios SAN will not be
required. However, it is HIGHLY recommended to leverage the NetBios name to ensure compatibility.

This document also explains how to prepare a certificate request with the OpenSSL toolset

 Win64 OpenSSL (not the light version)

 Win32 OpenSSL (not the light version)

This toolset will need to be installed on the Report Server. The above links are to the direct, current version downloads
as of 8/1/2017. The latest version(s) can be obtained from SLProWeb.com. The tool may be uninstalled once the
certificates are installed.

This document is based on the OpenSSL tool, other tools may exist but OpenSSL is recommended for use with
this documentation. Support does not support any tool in particular, including OpenSSL. But, it is the one we
are most familiar with. If there are any issues with the OpenSSL tool, support will not be able to assist. This
document assumes a working OpenSSL installation is available.
Installing A Certificate to the Proficy Plant Applications 7.0 Reporting/Web Server
These steps assume that a SSL certificate with a public and private key have been obtained from a trusted authority and
the OpenSSL software tools have been installed – if a certificate request is needed)

1. Copy the Certificate file received from the

Certificate Authority to the \bin folder of the
OpenSSL installation path as well as the key
(.key) file that was created during the Certificate
Request.

Note: You may have also received a Certificate

Path file (.p7b). If so, copy it to the bin folder as
well.

2. Certificate Validation (Common Name) - Double

click (open, not install) the certificate -> Details
tab, Validate the Subject line is expected, the CN
value should be your servers FQDN.

3. Certificate Validation (Subject Alternative Names

- SANs) - Click on the Subject Alternative Name
(SAN) (if you submitted the certificate request
with SAN(s) and validate the alternate, DNS
names that may be used for this system are
displayed correctly.
4. Certificate Validation (Certification Path) - Click
on the Certification Path Tab. Validate your root
CA is in the path

5. Open the certificate file with Notepad (be

careful not to edit and/or save the)
6. Validate the file is readable as ASCII text with a –
Begin Certificate – and a – End Certificate – line
7. If any of the certificate validation steps (2-5 are
not accurate, it is recommended to resolve the
issues before proceeding. If step 2, 3, and 5
validations are correct it is safe to proceed but
you will need to redo these steps to add SANs to
the certificate.

8. Open Windows Administrative Tools -> Internet

Information Services (IIS) Manager
9. Select the root IIS Manger level -> Center pane -
> Double click Server Certificates
10. Validate the certificate has been installed

11. If the certificate is not present. The instructions

for Importing, Completing a Certificate Request,
etc.. provided by the Certifcate Authority need
to be completed first
12. If the certificate is present - continue
13. Navigate to the Default Web Site
14. Select the Bindings Action
15. Select the https option and click Edit (if not
present click Add)
16. Select Type https, IP Address (All Assigned is
default), and the Port number (443 is default)
17. Select the SSL Certificate from the drop-down
list
18. Click OK
19. Close Internet Information Services (IIS)
Manager
20. Restart IIS (Open Command Prompt, Run as
Administrator, IISReset <enter>
21. Open Plant Applications Administrator -> Global
Configuration -> Administer Site Parameters
22. Client Section -> UseHttps = True
23. Dashboard Section -> Dashboard Engine Server =
Report Server NetBios (Host, short) name
24. General Section -> ReportServer = Report Server
NetBios (Host, short) name:443/PAReporting

*Note: Port 443 must match the port number

used in the Internet Information Services (IIS)
Manager HTTPS port configured for the
Certificate

25. Web Server Section:

FTPSiteName = Report Server NetBios (Host,
short) name
HttpPort = 80 (Must match IIS port)
HttpSecurePort = 443 (Must match IIS SSL Port)
26. Close Site Parameters
27. Open SQL Manager -> Select PA database -> Run
Update Query 
spSupport_RS_HTTPS_Toggle.sql
Appendices
How to Leverage OpenSSL To Create A Certificate Request For Submission To A Certificate Authority
(CA)
Use these steps if a certificate is needed.

1. Open a Command Prompt as Administrator by

Right Clicking the Windows Menu Icon or Right
Clicking the Command Prompt and selecting Run
as Administrator

2. Change to the bin folder in the location OpenSSL

was installed

1. Open Windows Explorer -> Navigate to the \bin

folder were OpenSSL was installed -> Right click
in the window -> New Text Document -> Rename
file as MyCertSettings.txt

2. Edit MyCertSettings.txt and paste the parameters [req]

default_bits = 2048
from the right. prompt = no
3. Modify the parameters to match your certificate default_md = sha256
requirements req_extensions = req_ext
a. C = Country 2 Letter Code distinguished_name = dn
b. ST = State [ dn ]
c. L = City C=US
d. O = Organization (Company Name) ST=State
e. OU = Organization Department L=City
f. emailAddress = Email@Address.com O=Organization (Company Name)
OU=Organization Department
g. CN = Common Name (FQDN) emailAddress=mydistributionlist@email.address
 h. Modify the [alt_names] list for any CN = Common Name (FQDN of Server)
additional names needed on the
[ req_ext ]
certificate (Subject Alternative Names) subjectAltName = @alt_names

Note: The file created can be saved for [ alt_names ]

use as a template if you need to change,
get additional, or generate new
certificates.
4. Create the Certificate Request with the following
command
DNS.1 = my.fqdn.address
DNS.2 = www.my.fqdn.address
DNS.3 = my
DNS.4 = another.dns.address
DNS.5 = another

openssl req -new -sha256 -nodes -out

<FileName>.csr -newkey rsa:2048 -keyout
<FileName>.key –config MyCertSettings.txt

5. Validate the Certificate Request was created

successfully.

OpenSSL req -text -noout -in <CSRFileName>.csr

6. The <CSRFileName>.csr is now ready to submit to

a Certificate Authority.
7. When the Certificate is returned it can be
imported into the Plant Applications IIS Report
Server.
How to Install OpenSSL To Leverage Tools for SSL Certificate Creation on the Proficy Plant Applications
Report Server

OpenSSL – Win64 OpenSSL (not the light version) or Win32 OpenSSL (not the light version) will need to be installed on
the Historian server. These links are to the direct current version downloads as of 8/1/2017. The latest version can be
obtained from SLProWeb.com

The OpenSSL tool is used to create the certificate request (if needed) and to convert the received files to the required
format for Tomcat/Apache servers. The tool may be uninstalled once the certificates are installed.

1. Locate the installation file downloaded

for Operating System
2. Right Click and Run as administrator

3. Welcome Screen -> Click Next

4. License Agreement -> Select “I accept the

agreement” -> Click Next
5. Select Destination Location -> Click Next

6. Select Start Menu Folder -> Click Next

7. Select Additional Tasks -> Click Next

*Note: Either option is acceptable. The

location selected will be referenced later
when leveraging the OpenSSL tools

8. Ready to Install -> Click Install

9. Completing the OpenSSL Setup -> Select
option if you would like to donate to the
OpenSSL project -> Click Finish

*Note: This document does not provide

instructions if you choose to donate.