How To Configure SSL and TLS
Vertafore recommends using HTTPS for all network traffic, if you are not already doing so. Sagitta has been certified with TLS 1.2 and fully supports HTTPS.
Sagitta Web Services require HTTPS, and HTTPS is also required by default for the Sagitta Web Application as of Sagitta 22R1.0.0 and later.
Bind Certificate to HTTPS Traffic in IIS
An SSL certificate and a port must be bound to HTTPS traffic in IIS before HTTPS can be used for Sagitta.
- Install an SSL certificate on the server.
- Bind the certificate to the Default website:
  - With the Default website highlighted in IIS, click the Bindings… link on the Action pane.
  - In the Site Bindings window, click the Add button.
  - In the Edit Site Bindings window, choose the Type "https", enter "443" for the Port, and choose the certificate that was just installed in the SSL Certificate drop-down.
- The http entry must remain in the Site Bindings window, as shown above.
Sagitta Web Application Only: Check Require SSL
When deploying Sagitta, use the check box shown below in the Sagitta Deploy tool to require SSL in Sagitta. This setting is checked by default in Sagitta 22R1.0.0 and later.
(Optional) Configure TLS Ciphers using IISCrypto
In this optional section, the third-party tool IIS Crypto is used to configure the SSL-related IIS settings.
Depending on your organization, you may have to follow different standards than those highlighted below. Contact your IT department with questions about which TLS ciphers and protocols are supported.
- Download the latest version of IIS Crypto from https://www.nartac.com/Products/IISCrypto.
- Install IIS Crypto on the Application Server.
- Run IIS Crypto. At the bottom of the window, click the Best Practices button.
- In the Schannel tab, disable TLS 1.0 and TLS 1.1 in the Server Protocols section, disable TLS 1.0 and TLS 1.1 in the Client Protocols section, disable Triple DES 168 in the Ciphers section, and disable MD5 in the Hashes section.
- In the Cipher Suites tab, disable "TLS_RSA_WITH_3DES_EDE_CBC_SHA".
- Click Apply to save your changes.
- Restart the server.
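After the restart, the settings IIS Crypto wrote can be verified independently of the tool. The following read-only PowerShell audit is an added example, not part of the Vertafore documentation or of IIS Crypto; it reads the Schannel registry keys that IIS Crypto edits, checks the 3DES cipher suite with Get-TlsCipherSuite (Windows Server 2016 or later), and confirms the IIS bindings. It assumes the site is named "Default Web Site" and runs in an elevated PowerShell session on the application server.

```powershell
# Added audit script (not Vertafore's or IIS Crypto's code). Read-only: reports whether the
# Schannel hardening described above is in place. Assumes the site is "Default Web Site".
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelEnabled {
    param([string]$SubKey)
    # Schannel convention: Enabled=0 disables the item; a missing key or value means the
    # operating-system default applies, which this audit reports as "default" for review.
    $key = Join-Path $schannel $SubKey
    if (-not (Test-Path $key)) { return 'default' }
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'default' }
    if ($v.Enabled -eq 0) { return 'disabled' } else { return 'enabled' }
}

# The protocols, cipher and hash the procedure above disables in the Schannel tab.
$checks = @(
    @{ Name = 'TLS 1.0 server';        Key = 'Protocols\TLS 1.0\Server' },
    @{ Name = 'TLS 1.0 client';        Key = 'Protocols\TLS 1.0\Client' },
    @{ Name = 'TLS 1.1 server';        Key = 'Protocols\TLS 1.1\Server' },
    @{ Name = 'TLS 1.1 client';        Key = 'Protocols\TLS 1.1\Client' },
    @{ Name = 'Triple DES 168 cipher'; Key = 'Ciphers\Triple DES 168' },
    @{ Name = 'MD5 hash';              Key = 'Hashes\MD5' }
)
foreach ($c in $checks) {
    $state = Get-SchannelEnabled -SubKey $c.Key
    $ok = if ($state -eq 'disabled') { 'OK' } else { 'REVIEW' }
    '{0,-8} {1,-24} {2}' -f $ok, $c.Name, $state
}

# Cipher Suites tab: the procedure disables TLS_RSA_WITH_3DES_EDE_CBC_SHA.
# Get-TlsCipherSuite lists suites currently enabled on this computer.
$suite = Get-TlsCipherSuite -Name 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
if ($suite) { 'REVIEW   TLS_RSA_WITH_3DES_EDE_CBC_SHA is still enabled' }
else        { 'OK       TLS_RSA_WITH_3DES_EDE_CBC_SHA is not enabled' }

# Site Bindings: an https binding on 443 must exist and the http entry must remain.
Import-Module WebAdministration
$bindings = Get-WebBinding -Name 'Default Web Site'
$https = $bindings | Where-Object { $_.protocol -eq 'https' -and $_.bindingInformation -like '*:443:*' }
$http  = $bindings | Where-Object { $_.protocol -eq 'http' }
if ($https) { 'OK       https binding on port 443 present' } else { 'REVIEW   no https binding on port 443' }
if ($http)  { 'OK       http binding retained' }             else { 'REVIEW   http binding is missing' }
```

Any line marked REVIEW points at a setting that differs from the procedure above; re-run IIS Crypto or ask your IT department whether the difference is intended by your organization's standard.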