Configure the SolarWinds Platform Web Console to use HTTPS

This topic applies to all SolarWinds Platform products.

SolarWinds Platform products support binding Secure Sockets Layer (SSL) certificates to your SolarWinds Platform server port to enable secure communications with the SolarWinds Platform Web Console.

SolarWinds recommends that you install a certificate from a certificate authority before adding the bindings to the website, and that you enable the certificate auto enrollment group policy to prevent the certificate from generating browser errors.
This information refers to SolarWinds products running on Orion Platform 2017.1 or later. For configuration steps for older versions of the product, see Configure the for SSL (deprecated).

Due to security concerns, SolarWinds recommends that you disable SSL v3.0 and earlier.

Configure the SolarWinds Platform Web Console for HTTPS during the installation
Use a previously installed SSL certificate
Generate a self-signed certificate
Certificate categories
Use the Centralized Certificate Store (2023.3 and later)
Configure SolarWinds Platform Web Console for HTTPS after you install a SolarWinds Platform product
Enable/disable the SWIS endpoint port

Configure the SolarWinds Platform Web Console for HTTPS during the installation

When running the Configuration wizard, select the Enable HTTPS option on the Website Settings screen.

Decide the whether you want to bind an existing certificate to your SolarWinds Platform server port or create a new certificate.

Use a previously installed SSL certificate

On the Website Settings screen of the Configuration wizard, select Enable HTTPS.
Choose the certificate you want to use. Certificates with a green check mark are least likely to generate browser warnings.
If you want to use Smart Card (CAC/PKI) login, select the Enable automatic login using Windows Authentication box. For further configuration details, see Set up SSL and enable Smart Card (CAC/PKI) user authentication for SolarWinds Platform Web Console.
Complete the Configuration wizard.

The Configuration Wizard enables the SolarWinds Platform Web Console to use SSL for the specified port, adds the website binding to the SolarWinds Platform Web Console, and forces the website to use HTTPS by default.

After the Configuration wizard is finished, the SolarWinds Platform Web Console opens using HTTPS. If you used a certificate with a green check mark next to it, there should be no browser warnings. If you used a certificate with a yellow warning sign next to it, you may have a browser warning.

Generate a self-signed certificate

You can generate a self-signed certificate directly in the Configuration wizard.

On the Website Settings screen of the Configuration wizard, select Enable HTTPS.
Expand the drop-down list, scroll to the bottom, and select Generate Self-Signed Certificate.
If you want to use Smart Card (CAC/PKI) login, select the Enable automatic login using Windows Authentication box. For further configuration details, see Set up SSL and enable Smart Card (CAC/PKI) user authentication for SolarWinds Platform Web Console.
Complete the Configuration wizard.

A self-signed certificate is issued to the machine host name or fully qualified domain name (FQDN) when the computer is part of a domain, and the certificate is added to the trusted certificate store. After the Configuration wizard is finished, the SolarWinds Platform Web Console opens using HTTPS.

The certificate authority for self-signed certificates is the computer hosting your SolarWinds Platform server. Depending on your security and group policy settings, the SolarWinds Platform Web Console may generate browser errors because the certificate was not issued by a known certificate authority.

Certificate categories

Make sure that the certificate contains SAN (Subject Alternative Name) extension in form of DnsName=OrionDomainName. Otherwise, some browsers, such as Google Chrome or new Microsoft Edge, might evaluate it as invalid.

Certificate category	Icon	Explanation
Valid		The certificate is valid and should not generate browser warnings. Certificates are marked green if they meet one or more of the following criteria: The certificate's Issued To (CN) field fully matches the server's FQDN The certificate's Issued To (CN) field partially matches the server's FQDN using wildcards The certificate's Issued To (CN) field partially matches the server's FQDN
May generate warnings		The certificate can be used, but may generate browser warnings. Certificates are marked yellow if they meet one of the following criteria, ordered from least likely to most likely to generate browser errors: Self-signed certificates where the Issued To and Issued By fields match the server's FQDN Certificates issued to the IP address instead of the host name or FQDN Certificates issued to a computer with different hostname
Invalid	n/a	The following certificates are considered to be invalid: Client certificates Certificates that have expired Certificates that use an untrusted authority You cannot use invalid certificates, and thus they are not available in the drop-down list on the Website Settings page of the Configuration wizard.

Certificate category

Icon

Explanation

Valid

The certificate is valid and should not generate browser warnings. Certificates are marked green if they meet one or more of the following criteria:

The certificate's Issued To (CN) field fully matches the server's FQDN
The certificate's Issued To (CN) field partially matches the server's FQDN using wildcards
The certificate's Issued To (CN) field partially matches the server's FQDN

May generate warnings

The certificate can be used, but may generate browser warnings. Certificates are marked yellow if they meet one of the following criteria, ordered from least likely to most likely to generate browser errors:

Self-signed certificates where the Issued To and Issued By fields match the server's FQDN
Certificates issued to the IP address instead of the host name or FQDN
Certificates issued to a computer with different hostname

Invalid

n/a

The following certificates are considered to be invalid:

Client certificates
Certificates that have expired
Certificates that use an untrusted authority

You cannot use invalid certificates, and thus they are not available in the drop-down list on the Website Settings page of the Configuration wizard.

Use the Centralized Certificate Store (2023.3 and later)

Starting with 2023.3, you can use the Centralized Certificate Store in the Configuration Wizard.

Step 1: Enable the Centralized Certificate Store in the Server Manager

On your main polling engine server, open the Server Manager.
On Dashboard, click Add roles and features.
In the Add Roles and Features Wizard, on Server Roles screen, select Centralized SSL Certificate Support, and complete the wizard.

When you complete the wizard, a new item for using the Centralized Certificate Store will be added to the Configuration Wizard.

Step 2: Enable and define Centralized Certificates in IIS

On your main polling engine server, open the IIS Manager.
Select your main polling engine, click Centralized Certificates, and then click Open Feature in the Actions pane in the top right corner of the window.
On Centralized Certificates, click Edit Feature Settings, enable centralized certificates, and specify the location, credentials, and private key password (optional).

Step 3: Prepare the certificate for SolarWinds Platform

Get the private key (PFX file) and rename it so that the file name matches the main polling engine name. For example, if your main polling engine name is WIN-MP, the private key file should be called WIN-MP.pfx

The certificate password must match the password you defined in the Centralized Certificates settings.
Paste the PFX file to the location set in Centralized Certificates settings.
Check the settings: Open the IIS Manager, select your main polling engine, and click Centralized Certificates. Your certificate should be listed there.

Step 4: Use the Centralized Certificate Store in the Configuration Wizard

On the Website Settings screen of the Configuration wizard, select Enable HTTPS.
Select Use Centralized Certificate Store.

The certificate field next to Enable HTTPS will become grayed out and the certificate specified in your certificate store for your main polling engine will be used. If issues occur, re-check the certificate name and location.

Configure SolarWinds Platform Web Console for HTTPS after you install a SolarWinds Platform product

You can still use the Configuration wizard to add the binding to your SolarWinds Platform Web Console after you have installed a SolarWinds Platform product.

You must install an SSL certificate on the SolarWinds Platform server before performing the following steps.

Log in to your SolarWinds Platform server as an administrator.
Run the Configuration wizard from the Start menu.
Confirm the Database screens with Next. No changes are necessary.
On Website Settings, clear the Skip website binding option.
Select Enable HTTPS.
Choose the installed certificate.

If the certificate does not show in the list, review how certificates are categorized.
If you want to use Smart Card (CAC/PKI) login, select the Enable automatic login using Windows Authentication box. For further configuration details, see Set up SSL and enable Smart Card (CAC/PKI) user authentication for SolarWinds Platform Web Console.
Complete the Configuration wizard.

Enable/disable the SWIS endpoint port

SWIS REST Endpoint is available on port 17774. You can use a custom HTTPS certificate for this port and disable SWIS REST endpoint on port 17778 or 17774.

If you are using DPAIM, make sure you are running DPA 2024.2 or later to switch to port 17774. Earlier DPA versions cannot send data to DPAIM on port 17774. See Specify the port DPA uses... for more information.

Log in to the SolarWinds Platform Web Console using an account with administrator privileges.
Go to Advanced Settings.

Copy the following string ad paste it into your browser address bar, after /Orion:

/Admin/AdvancedConfiguration/ServerSpecific.aspx

The URL will look as follows, with <your_server> being the IP address or hostname of your web console: https://<your_server>/Orion/Admin/AdvancedConfiguration/ServerSpecific.aspx.

If you make the changes on the ServerSpecific tab, the port will be disabled for the server. To disable the port globally for all servers, click the Global tab. The URL ending will change to https://your_server/Orion/Admin/AdvancedConfiguration/Global.aspx.
Search for Swis.RestEndpoint.
Adjust the settings:

For the server (ServerSpecific tab)
1. Click Override next to CertificateNameForSafeguardCommunicationOnSwisRestEndpoint and provide the name or thumbprint of your certificate.
  
  By default, the name is SolarWinds-Orion. Make sure the certificate is in the same place as the SolarWinds-Orion certificate (Local Machine - Personal).
2. Click Override next to DisableSwisRestndpointOnPort1777* for the port you want to disable and select the box.
  
  Make sure the DisableSwisRestndpointOnPort1777* box for the port you want to use for the SWIS port is NOT selected.
For all servers (Global tab)
1. In CertificateNameForSafeguardCommunicationOnSwisRestEndpoint, provide the name or thumbprint of your certificate.
  
  By default, the name is SolarWinds-Orion. Make sure the certificate is in the same place as the SolarWinds-Orion certificate (Local Machine - Personal).
2. Select the DisableSwisRestndpointOnPort1777* box for the port you want to disable.
Click Save.
Restart the SolarWinds Information Service V3.

To do so, go to Settings > All Settings, click Service Manager in the Product Specific Settings, select the service, and click Restart.

Search SolarWinds Support