HowTo:Configure Microsoft IIS for UBIK

3,045 bytes added, 11:27, 24 April 2024
/* Configure Upload of large files */
== Certificate ==
A secure connection between the {{UBIK}} clients and the web service requires an SSL certificate on both the server and the client. This certificate can be a root authority certificate, a self-signed certificate or any other public key certificate from a certificate authority that enables a secured connection between the web service and the clients. Self-signed certificates will be rejected by the client {{Version/WinXSince|4.0}} {{Version/XamarinSince|4.0}}
A new self-signed certificate can be created in the ''Internet Information Server (IIS) Manager'', exported using the export function and sent to the development team. As already mentioned, the client has to know this certificate as well, hence it needs to be integrated into the mobile application.
{{Attention|{{UBIK}} requires a valid certificate for SSL encryption. Free certificates can be obtained e.g. from [https://letsencrypt.org/ Let's Encrypt]!}}
<gallery widths="400" heights="400" >
File:UI Certificate.04.png|5 - Installed certificates
</gallery>
 
* CPU: Compression will require additional CPU processing power (more for higher levels).
* Network bandwidth: The lower the bandwidth, the more sense it makes to enable compression.
In the table above, one might already notice that the reduction in time is not linear to the reduction in data amount. Take level 0 and level 9 for example: the time is "only" cut in half even though the data amount is reduced by 85%. These were tested with a 54 Mbps bandwidth. When we repeated our tests with a 450 Mbps bandwidth, the time reduction was even smaller (less than 6 minutes vs. 3 minutes). If the bandwidth increases further, e.g. to Gbps, the time reduction might become negligible. Combined with a weak CPU, it is even possible that the time will increase with higher compression levels.
Therefore, there is no general rule for whether to turn on compression or not. The safest approach is still to try out different settings in the real setup.
<nowiki>https://<SERVER-IP>[:<PORT>]/<PATH-TO-UBIK-WEBSERVICE>/UBIKContent.svc/GetVersion</nowiki>
</code>
 
== Further Security Configuration & Hardening ==
 
=== TLS Level ===
If the {{UBIK}} WebServices are supposed to communicate with other WebServices, e.g. an interface component or an Azure Blob container for file storage, the appropriate TLS level needs to be ensured. While this can be enforced with a registry key, it is best practice to let the OS and the .NET Framework negotiate it. To enable that, the ''targetFramework'' attribute of the ''httpRuntime'' element in the ''Web.config'' file of the WebService in question (normally the {{UBIK}} content WebService) has to be set to the desired .NET Framework level, which should typically be the same one that the service was compiled against. So if TLS 1.2 is to be supported and used by default, the ''targetFramework'' needs to be set to 4.6, as in this example:
 
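<source lang="xml">
<system.web>
  <!-- customErrors mode="Off" and debug="true" are development settings; the CIS IIS Benchmark linked under Hardening recommends against both on production servers -->
  <customErrors mode="Off"/>
  <!-- targetFramework on httpRuntime selects the .NET Framework behaviour, including TLS negotiation; maxRequestLength is in kilobytes (65536 KB = 64 MB) -->
  <httpRuntime maxRequestLength="65536" targetFramework="4.6" />
  <compilation debug="true"
               defaultLanguage="c#"
               targetFramework="4.6" />
</system.web>
</source>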
 
 
The full documentation on TLS best practices with .NET can be found [https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls here].
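
The check below is an added example, not part of the original page or of {{UBIK}}: it reads a ''Web.config'' and reports whether the ''targetFramework'' of ''httpRuntime'' and ''compilation'' is at least 4.6. The function name <code>Test-TargetFramework</code> and the sample configuration are constructed for illustration.

```powershell
# Added example (not UBIK code). Test-TargetFramework is a hypothetical helper name.
function Test-TargetFramework {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [version] $Minimum = '4.6'
    )
    foreach ($name in 'httpRuntime', 'compilation') {
        # '//' also finds system.web sections nested inside <location> elements.
        $node  = $Config.SelectSingleNode("//system.web/$name")
        $value = if ($node) { $node.GetAttribute('targetFramework') } else { '' }

        # A missing or unparsable attribute is reported as not meeting the minimum.
        $parsed = $null
        $ok = [version]::TryParse($value, [ref] $parsed) -and ($parsed -ge $Minimum)

        [pscustomobject]@{
            Element         = $name
            TargetFramework = $value
            MeetsMinimum    = $ok
        }
    }
}

# Constructed sample: httpRuntime still targets 4.5 while compilation targets 4.6.
[xml] $sample = @'
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="65536" targetFramework="4.5" />
    <compilation defaultLanguage="c#" targetFramework="4.6" />
  </system.web>
</configuration>
'@

Test-TargetFramework -Config $sample | Format-Table -AutoSize
```

To check a deployed service, pass the real file instead of the sample, e.g. <code>[xml](Get-Content -LiteralPath <PATH-TO-WEB.CONFIG> -Raw)</code>.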
 
=== Hardening ===
To harden IIS, please follow these best practice guidelines:
* [https://www.cisecurity.org/benchmark/microsoft_iis/ Center for Internet Security IIS Benchmark]
* [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj635855(v=ws.11) Security Best Practices for IIS]
 
 
== Configure Upload of large files ==
{{Attention|The [[Configuration_Files/web.config#Upload_of_large_files]] and [[Configuration_Files/Bindings.config#Upload_of_large_files]] must also be adapted; otherwise, the upload will fail.}}
 
The following description was taken from: https://www.inflectra.com/Support/KnowledgeBase/KB306.aspx
 
* Open IIS Manager.
* Select the website that you want to configure.
* Make sure you are in the Feature View per the button at the bottom of the manager.
* Select Request Filtering and open it by double-clicking the icon. The Request Filtering pane displays:
 
<gallery widths="400" heights="400" >
File: IIS1.png|1 - Request Filtering
</gallery>
 
* From the Actions pane on the right-hand side of the screen, click Edit Feature Settings.
* The Edit Request Filtering Settings window will open.
* In the Request Limits section, enter the appropriate Maximum allowed content length ('''Bytes''') and then click the OK button.
<gallery widths="400" heights="400" >
File: IIS2.png|2 - Edit Feature Settings
</gallery>
 
* Restart IIS
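
The following audit is an added example, not part of the original page or of {{UBIK}}: it compares the IIS request filtering limit set in the steps above (bytes) with the ASP.NET ''httpRuntime'' ''maxRequestLength'' (kilobytes) and reports which one actually caps the upload size. It assumes ''maxRequestLength'' is the relevant ''Web.config'' setting, does not cover ''Bindings.config'', and uses the hypothetical function name <code>Get-UploadLimit</code> with a constructed sample.

```powershell
# Added example (not UBIK code). Get-UploadLimit is a hypothetical helper name.
function Get-UploadLimit {
    param([Parameter(Mandatory)] [xml] $Config)

    # Defaults that apply when the attribute is absent.
    [long] $aspNetKB = 4096        # httpRuntime maxRequestLength, in kilobytes
    [long] $iisBytes = 30000000    # requestLimits maxAllowedContentLength, in bytes

    $runtime = $Config.SelectSingleNode('//system.web/httpRuntime')
    $limits  = $Config.SelectSingleNode(
        '//system.webServer/security/requestFiltering/requestLimits')
    if ($runtime -and $runtime.HasAttribute('maxRequestLength')) {
        $aspNetKB = [long] $runtime.GetAttribute('maxRequestLength')
    }
    if ($limits -and $limits.HasAttribute('maxAllowedContentLength')) {
        $iisBytes = [long] $limits.GetAttribute('maxAllowedContentLength')
    }

    # Convert to one unit; the smaller limit is the one a large upload hits first.
    [long] $aspNetBytes = $aspNetKB * 1KB
    $limitedBy = if ($aspNetBytes -lt $iisBytes) {
        'httpRuntime maxRequestLength'
    } elseif ($iisBytes -lt $aspNetBytes) {
        'requestLimits maxAllowedContentLength'
    } else {
        'both (limits agree)'
    }

    [pscustomobject]@{
        AspNetLimitBytes = $aspNetBytes
        IisLimitBytes    = $iisBytes
        EffectiveBytes   = [Math]::Min($aspNetBytes, $iisBytes)
        LimitedBy        = $limitedBy
    }
}

# Constructed sample: maxRequestLength raised to 64 MB, request filtering left at its default.
[xml] $sample = @'
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="65536" targetFramework="4.6" />
  </system.web>
</configuration>
'@

Get-UploadLimit -Config $sample | Format-List
```

For the constructed sample the effective limit is the request filtering default of 30000000 bytes, even though ''maxRequestLength'' allows 64 MB.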
 
[[Category:How-To|Configure Microsoft IIS for UBIK]]
[[Category:Installing|Configure Microsoft IIS for UBIK]]
[[Category:Pages with broken file links|Configure Microsoft IIS for UBIK]]
[[Category:Web service|Configure Microsoft IIS for UBIK]]
== See also ==