
Installation of Secure Socket Layer (SSL) Certificate on IRM Server

Security with the IRM has proven excellent, and is divided into the following areas:

  1. A good firewall stops most intrusions.
  2. Microsoft security on the IRM server, and data server, is very strong.
  3. Anti-Virus software should be installed on the IRM server and must be set to NOT scan network drives.
  4. All credit card data is encrypted when sent to the guest using Secure Socket Layer (SSL) technology.
  5. All sensitive data, such as credit card information, is stored on the Data Server, and not the IRM.  If a hacker manages to get through the firewall and Microsoft security to the IRM server, he/she still has to get from the IRM server to the Data server to retrieve data.  

The IRM has been installed at over 300 sites over the last 10 years, and there has not yet been an instance of someone "hacking" into the Data Server from the IRM.  However, there is always a first time; and there is some security risk. The only way to prevent all theoretical security problems is to completely remove the IRM from the Internet.  Unfortunately this would also prevent all reservations!

Please see IRM Hardware Requirements for additional information on IRM Security.

Web Server Certificates and Secure Socket Layer Encryption

The second part of IRM Security is protecting the guest’s private information as it passes from the browser to the web server via the Internet.  Without a secure website, virtually any piece of information can be compromised.

SSL, which is part of Windows 2003/2008 and Internet Information Services (IIS), is used to encrypt data that is sent or received by the web server.  In order to invoke SSL, a security certificate must be purchased from a Certificate Authority.  A Certificate Authority is a third-party company that authenticates websites.  The security certificate ensures that browsers view the IRM website in a secure fashion.  Different levels of insurance protection against economic loss due to accidental occurrences are typically included when purchasing an SSL certificate. Once a web server certificate is obtained from the Certificate Authority, install it on the web server to activate SSL, encrypt data, and protect the property and the Internet guest. Cost is based on encryption level and insurance coverage. The prices below are quoted based on basic levels of encryption and insurance and are subject to change.

Three Certificate Authorities are listed below.

| Authority | Cost (approximate as of 4/1/2001) | Website |
|-----------|-----------------------------------|---------|
| Verisign  | $349 ($249 Renewal)               | http://www.verisign.com |
| Entrust   | $299 for one year/$499 for two years | http://www.entrust.com |
| Thawte    | $125 ($100 Renewal)               | http://www.thawte.com |

Common Names, Domain Names and SSLs

Common Name: Also known as the URL, the common name is the fully-qualified domain name used for DNS lookups of your server. This information is used by browsers to identify your website. Client browsers connecting to your host check for a match between your Digital ID's (SSL) common name and your URL. Do not use wildcard characters (such as *, ?, etc.), IP addresses, or port numbers in the Common Name. Do not include the "http://" or "https://" in your Common Name. Entering the wrong Common Name while enrolling for an SSL certificate from a Certificate Authority can result in security warnings when Internet customers access the Internet Reservation Module (IRM).

Many times there are questions about which domain name to use when enrolling with a Certificate Authority.  The property's marketing website domain name cannot be used because the processing of credit cards takes place from the IRM server and not the marketing website.  The marketing website is simply a portal to the IRM.  The IP address of the IRM needs to be resolved with a common name or a second registered domain name. The following two options exist:

  1. Use a common name that is a part of your existing domain name. For example, RDP owns the Domain Name www.resortdata.com. RDP can create a different common name by using anything to the left. Rather than buy another domain, we can create IRM.resortdata.com. We would use the common name (IRM.resortdata.com) when creating a new certificate request in IIS and enrolling for an SSL Certificate from a Certificate Authority. Our ISP would resolve the IP address of the IRM with irm.resortdata.com, and our marketing site would link to http://irm.resortdata.com/irm. Do not include "http://" in the common name.
  2. Buy a second domain name. If you buy a second domain name, the common name to be used when creating a new certificate request in IIS and enrolling for an SSL Certificate would include the www lead (host). For example, RDP buys a second domain: www.resortdatairm.com. We would then use www.resortdatairm.com as the common name when requesting a new certificate in IIS and enrolling for an SSL Certificate from a Certificate Authority. The ISP would resolve the IP address of the IRM with www.resortdataIRM.com and our marketing site would link to http://www.resortdatairm.com/irm. Do not include "http://" in the common name.

Determine how you want your internet guests to access the IRM. If you want them to always go through your marketing website, create a common name that is a part of your existing domain name. If you want them to access the IRM directly, and you plan on marketing the IRM address, buy a second domain so that the www. lead (host) can be used. 

Note: With IP addresses, there is a host and a domain name. In www.resortdatairm.com, "www" is the host name and resortdatairm.com is the domain name. In irm.resortdata.com, "irm" is the host name and resortdata.com is the domain name.
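The Common Name rules above can be checked before the certificate request is created. The following Python is an added example, not part of RDP's original instructions: it tests a proposed common name against those rules and models the browser's name check as an exact, case-insensitive match (a simplifying assumption). The function names are hypothetical; the host names are the ones used on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def common_name_problems(cn):
    """Return the reasons `cn` breaks the Common Name rules (empty list = OK)."""
    problems = []
    if "://" in cn:
        problems.append("includes a scheme such as http:// or https://")
        cn = cn.split("://", 1)[1]
    if "/" in cn:
        problems.append("includes a path")
        cn = cn.split("/", 1)[0]
    if not _is_ip(cn) and re.search(r":\d+$", cn):
        problems.append("includes a port number")
        cn = cn.rsplit(":", 1)[0]
    if _is_ip(cn):
        problems.append("is an IP address, not a DNS name")
        return problems
    labels = cn.split(".")
    if "*" in cn or "?" in cn:
        problems.append("contains a wildcard character")
    elif len(cn) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        problems.append("is not a fully-qualified DNS name")
    return problems


def url_matches_common_name(url, cn):
    """Simplified browser check: host part of `url` must equal the common name."""
    host = urlsplit(url).hostname or ""
    return host.lower() == cn.lower()


if __name__ == "__main__":
    # Constructed sample inputs built from the page's example names.
    for name in ["irm.resortdata.com", "http://irm.resortdata.com/irm",
                 "*.resortdata.com", "192.0.2.10", "irm.resortdata.com:443"]:
        print(name, "->", common_name_problems(name) or "OK")
    print(url_matches_common_name("https://www.resortdata.com/irm", "irm.resortdata.com"))
```

The last line prints False: a certificate issued for irm.resortdata.com does not match a link that uses the marketing site's host name, which is the mismatch that produces browser security warnings.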

Creating Server Certificates

  1. On the IRM bridge server, open Internet Information Services, right-click on Default Website, Properties, and choose the Directory Security tab.  

  2. Under Secure Communications, choose Server Certificate.  The Web Server Certificate Wizard prompts through creation of a new certificate request (CSR) to be used with the issuing Certificate Authority. This is referred to by Certificate Authorities as generating a Key Pair and CSR (Certificate Signing Request). At this point, you are generating a CSR to be used later in the enrollment process and the installation.

  3. When following the Web Server Certificate Wizard, it is critical to enter the correct information when creating a new certificate. Choose 1024 for the bit length of the encryption key and use the common name that your ISP has resolved the address of the IRM with. The common name must be a valid DNS name.

  4. The certificate is now a pending request and a cert request is issued and stored in c:\certreq.txt of the IRM bridge server. The information contained in the c:\certreq.txt is copied and pasted into the issuing Certificate Authority's online enrollment form explained below. 

Purchasing an SSL Certificate From a Certificate Authority

  1. Access the vendor’s website and visit the "purchase" or "buy" SSL section (most commonly found under Products and Services). Decide the level of encryption, the amount of insurance protection, and the length of the SSL certificate necessary. Print the detailed instructions and review before beginning. The Creating Server Certificates steps are explained in more detail in the vendor's steps.

  2. The Enrollment form requires an Organizational Contact, Technical Contact, Billing Contact, the owned Common name resolved with the IRM bridge, form of payment, and your Dun & Bradstreet number or Faxed Proof of Organization document.

  3. One of the purchasing steps is to copy and paste the cert request (CSR) saved in c:\certreq.txt on the IRM into the online enrollment form in the box provided by the Certificate Authority.

  4. A list is provided by the Certificate Authority to Select Server Software. Server Software refers to the web server software on the IRM Bridge. All RDP customers should be using Microsoft IIS. If using a Windows 2000 Server IRM bridge, the version of IIS is 5.0. If using a Windows 2003 Server IRM Bridge, the version of IIS is 6.0.

  5. The Certificate Authority uses this information to verify the company and website.

  6. The Certificate Authority contacts references.

  7. When the Certificate Authority is satisfied that it can issue a certificate, an e-mail is sent with an attachment: the cert.cer that is used by the key manager to activate SSL on the IRM server. Save the cert.cer in a folder on the IRM so you can direct the SSL install to the location. You will also receive an Issuer Digest number to copy and paste when the Secure Site Seal is inserted into the appropriate IRM pages.

Installing a Secure Site Server ID

  1. Open Internet Services Manager.
  2. Browse to the default website where you have a pending certificate request (CSR).
  3. Right-click on the site and select Properties.
  4. Click the Directory Security Tab.
  5. Under the Secure Communications section, click Server Certificate.
  6. On the Web Site Certificate Wizard, click Next.
  7. Choose to Process the Pending Request and Install the Certificate.
  8. Type in the location of the certificate response file and click Next.
  9. Read the summary screen to be sure that you are processing the correct certificate, and click Next.
  10. When you have read the confirmation screen, click Next, then Finish. You now have a server certificate installed. Test the website with https://IRM common name/irm.

Displaying the Secure Site Seal

The e-mail you receive from the Certificate Authority leads you to the directions for adding the Secure Site Logo to your website. Use the directions for Non-JavaScript Code. Using Front Page, the Non-JavaScript code is inserted into any IRM pages you want to display the Secure Seal. RDP suggests inserting the seal into AccessType2.htm and ResRules2.htm. Use the digest number you were sent in the e-mail.

Adding the MMC Certificate Snap-In

  1. From the IRM bridge server, click Start | Run.  Type "mmc" and click "OK".

  2. From the "Console1" window, click Console | Add/Remove Snap-in...

  3. Click Add | "Certificates" | Add.

     

  4. After clicking the "Add" button, the "Certificates Snap-In" window displays.  Select the option for "Computer Account" at the "This snap-in will always manage certificates for:" question.

  5. Once the Select Computer prompt displays, select the option for "Local Computer” and click Finish.

  6. Click the "Close" button from the Snap-in List and "OK" from the "Add/Remove Snap-in" dialog window. 

  7. Click Console | Save and save the setting in the c:\winnt\system32 folder with the name “Certificate.msc”. 

  8. Close the Microsoft Management Console.

  9. Right-click on the Start button and choose “Open All Users”.

  10. Click “Programs” and then “Administrative Tools”. 

  11. Right-click anywhere in the open space (the white area of the window) and select New | Shortcut.

  12. Point the shortcut to c:\winnt\system32\certificate.msc, name the shortcut "Certificates" and click "Finish".

Back Up the Certificate

Once an SSL certificate is installed on the IRM bridge server, the certificate should be backed up.  The backup certificate can be used in the event that the IRM bridge server needs to be reinstalled.  If the server needs to be reinstalled and a backup copy of the certificate is not available, the Certificate Authority charges a fee to re-issue the security certificate.  In order to create the backup, add a security certificate snap-in to the Microsoft Management Console (MMC).

Use the following steps for backing up the security certificate:

  1. Click Start | Programs | Administrative Tools | Certificates.

  2. Expand the “Certificates (Local Computer)” tree in the left-hand frame by clicking the plus (+) sign.

  3. Expand “Personal” and then click on “Certificates”.  The SSL certificate for this computer should be displayed in the main frame on the right.

  4. Right-click the certificate and select All tasks | Export.

  5. Click "Next" on the initial page of the Export Wizard.

  6. Be sure the option for “Yes, export the private key” is selected.

  7. In the following window, “Personal Information Exchange…” should be selected with the option for “Enable strong protection…” as the only item checked.  Click "Next". 

  8. Enter and verify a password.  Click "Next".  (Make a note of the password.) 

  9. Choose a file name (e.g., “CertificateBackup”).  Click "Next" then "Finish".

  10. The backup file with the sample name listed in the previous step would be c:\winnt\system32\CertificateBackup.pfx.  Copy this file to a floppy disk or CD.  Store the copy in a safe place.  

  11. In the event the security certificate needs to be restored, import it with the Microsoft Management Console Certificate utility by right-clicking the "Personal Certificates" folder and selecting All tasks | Import.  Follow the steps for the Import Wizard using the password set in Step 8.

Configuring the Internet Reservation Module

The Internet Reservation Module (IRM) allows Internet guests to make reservations directly into the RDP system without involvement from the property’s reservation staff.  This section provides links to instructions for configuring the IRM after the Windows 2000/2003 bridge server has been installed.  

Remember to back up the C:\Inetpub directory every day on the IRM server to avoid losing important files and pictures.  See Backup for more details.

IRM Configuration Links

 