
Removal of HTTP (IT)

This document provides information and instructions for IT personnel regarding the removal of HTTP support in BigHand Systems. Beginning April 1st 2019, BigHand will no longer support unencrypted HTTP connections and will require HTTPS to better secure data transmitted from mobile applications. Organizations currently using HTTP will need to configure HTTPS or implement a mobile device management system to push the HTTPS settings. The document outlines which platforms and apps are affected, potential impacts on users, and steps needed to assign an SSL certificate to the BigHand website to enable HTTPS connections. This includes requesting a certificate, completing the certificate request, and configuring the certificate in IIS server. Administrators are advised to complete the HTTPS configuration before informing mobile users of the changes.

Uploaded by

Nikail

Removal of HTTP Support Release Notes

Release Date: 1st April 2019
Audience: IT Personnel

This release note is aimed at IT personnel who support BigHand Systems. It explains why HTTP is no longer
going to be supported. It will also explain what needs to be completed in order for existing deployments to be
fully secure using HTTPS.

What is in this Release Note?


• Why are we making this change?
• When are we making this change?
• Is my Organisation affected by this change?
• Mobile Platforms Affected?
• Which BigHand Apps are affected?
• How will your users be affected?
• What you need to do?
• Assigning a Certificate to a BigHand Website
• How to Request and Install SSL Certificates for a BigHand Mobility website
  • Requesting a Certificate
  • Completing a Certificate Request
• IIS Server Certificates Configuration
• What needs to be done now?

Why are we making this change?


For increased security, data sent from mobile applications should be encrypted so that information is not
accidentally disclosed or intercepted over the Internet. Currently BigHand allows information to be sent
via both HTTP and HTTPS.
We will no longer support HTTP for transferring data over the Internet for unmanaged applications and will
support HTTPS only, as this provides an extra layer of security.

When are we making this change?


1st April 2019.

Is my Organisation affected by this change?


• If your deployment is using HTTP without mobile device management (MDM), you will need to either:
  • set up an MDM for your organisation to push the HTTP/HTTPS settings, OR
  • configure HTTPS. If you choose this option, follow the instructions in the Assigning a Certificate to a
    BigHand Website section on page 2.
• If your deployment is using a secure tunnel from an MDM to encrypt all traffic and access local mobile
gateway but the BigHand settings are not deployed through this MDM:
  • push the HTTPS/HTTP settings through the MDM, or
  • follow the instructions in the Assigning a Certificate to a BigHand Website section on page 2.
• If your deployment is using an MDM for the BigHand apps and HTTPS is disabled, no changes are
required.
• If your deployment is using an MDM for the BigHand apps and HTTPS is enabled, no changes are
required.
• If you have a setup that is not covered in the above scenarios, please contact BigHand Support or your
BigHand Project Manager if your organisation is undergoing an active project.
• The changes in configuration can be done now, in advance of April 2019. These changes may require
the purchase of an SSL certificate.

Mobile Platforms Affected?


Mobile Platforms: Android, iOS, Windows, BlackBerry

Which BigHand Apps are affected?


Unmanaged Go for iOS Legacy for iOS Android Windows Go BlackBerry
Managed MobileIron

How will your users be affected?


From early 2019, BigHand apps running on Windows, iOS and Android mobile devices will display an
information banner stating the following: In order to protect your data, we will no longer support
connections via HTTP from April 2019 and recommend using HTTPS. Please contact your system
administrator for further information.
This banner is ONLY shown if BigHand users are logged in using HTTP. It is not shown if they are using an
MDM.
When your organisation has upgraded to BigHand version 5.2, mobile devices still running on HTTP or not
running the latest updates for BigHand apps will be presented with the following error message: Error Your
current server version does not allow insecure connection via http, please connect using https or
contact your administrator. They will not be able to use BigHand apps until they connect using https and
upgrade their BigHand apps to the latest software. BigHand recommend making the Removal of HTTP
Support Release Notes for Mobile Device Users documentation readily available to all BigHand users within
your organisation.

What you need to do?


Follow the instructions in the Assigning a Certificate to a BigHand Website section below to make your
BigHand system secure. You will then need to inform mobile device users to update their BigHand app on
their mobile device. They will then need to follow the instructions in the Removal of HTTP Support Release
Notes for Mobile Device Users.
Note: The instructions in the Assigning a Certificate to a BigHand Website section (below) need to be
completed before BigHand mobile device users complete the instructions in the Removal of HTTP
Support Release Notes for Mobile Device Users.

Assigning a Certificate to a BigHand Website


Note: The instructions in this section have been created using Windows Server 2012 R2 Standard.
Please be aware the instructions may be slightly different if you are using another Windows Server
operating system (e.g. Windows Server 2008) that is compatible with BigHand systems.

1. Open Internet Information Services (IIS) Manager on the machine running the BigHand Mobile
Gateway.
This will display the IIS Manager console.
2. In the directory structure under Sites, right-click BigHand Mobile Gateway and select Edit Bindings....

This will display the Site Bindings dialog.

In the above illustration, the http binding on port 80 is displayed.


3. Ensure port 443 is not being used by another binding. This port will be used for setting up https binding.
4. Select Add.
This will display the Add Site Binding dialog.

5. Do the following:
• Set the Type option to https.
• Set the Port option to 443. If port 443 is already in use, set it to port 444.
• Select the appropriate certificate using the SSL certificate option. If you do not have a certificate
in place, refer to the How to Request and Install SSL Certificates for a BigHand Mobility website
section on page 4.
6. Select OK.
Note: If the warning The specified port is being used by a different binding is displayed, it means
another binding is using port 443/444.
7. Restart the IIS site. To do this, on the right side pane of the Window under Actions and Manage
Website, select Restart.

Assuming the DNS has been created and bound by the external IP, and the Firewall has been configured,
you should now be able to test the configuration by browsing to the BigHand website. Follow the
step below to perform this test.
8. Test the configuration by opening a web browser from a different machine and navigate to the site, (e.g.
https://bighand.company.com:443).
9. Contact BigHand mobile device users and make them aware of this change. Provide them with the
Removal of HTTP Support Release Notes for Mobile Device Users. This release note provides
instructions on what needs to be completed on the mobile devices.
10. When all mobile device users have been upgraded and put on https on port 443/444, decommission
the http binding on port 80 by removing it.
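
The checks in steps 8 and 10 can also be scripted from a second machine. The PowerShell below is an added example, not part of the BigHand release note or BigHand code: it performs a TLS handshake with default certificate validation, reports the certificate served, and flags whether port 80 still answers. The host name and ports are assumptions taken from the sample URL in step 8.

```powershell
# Added example (not BigHand code). Run from a machine other than the gateway.
# Host name and ports are assumptions based on the sample URL in step 8.
param(
    [string]$HostName  = 'bighand.company.com',
    [int]   $HttpsPort = 443,   # use 444 if that port was chosen in step 5
    [int]   $HttpPort  = 80
)

function Test-GatewayTls {
    param([string]$HostName, [int]$Port)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback is supplied, so .NET applies its default
        # checks: an untrusted chain, an expired certificate or a name mismatch
        # makes AuthenticateAsClient throw.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            [pscustomobject]@{
                Valid    = $true
                Protocol = $ssl.SslProtocol
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
                DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
                RsaBits  = if ($rsa) { $rsa.KeySize } else { $null }
                Error    = $null
            }
        }
        finally { $ssl.Dispose() }
    }
    catch {
        [pscustomobject]@{
            Valid = $false
            Error = $_.Exception.GetBaseException().Message
        }
    }
    finally { $client.Close() }
}

$tls  = Test-GatewayTls -HostName $HostName -Port $HttpsPort
$http = Test-NetConnection -ComputerName $HostName -Port $HttpPort -WarningAction SilentlyContinue

$tls | Format-List

if (-not $tls.Valid) {
    Write-Warning "HTTPS check failed on port ${HttpsPort}: $($tls.Error)"
}
elseif ($tls.DaysLeft -lt 30) {
    Write-Warning "Certificate expires in $($tls.DaysLeft) days."
}

if ($http.TcpTestSucceeded) {
    # Expected until step 10 is done; afterwards it means something still listens on port 80.
    Write-Warning "Port $HttpPort still accepts connections; check whether the http binding has been removed."
}
```

A failed handshake here usually points to the same causes a mobile client would hit: a certificate whose name does not match the host, a missing intermediate certificate, or an expired certificate.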

How to Request and Install SSL Certificates for a BigHand Mobility website
This section will describe how to set up an SSL (Secure Socket Layer) Certificate. Please note there are
many different ways to set up SSL Certificates. This is, therefore, just a suggestion from BigHand on how to
set it up. In the first instance, refer to your organisation’s IT security policy documentation, if it exists. This
document may contain information on how to set up SSL Certificates that is specific to your organisation.

Note: The information in this section is intended as a guide only. SSL Certificates are a prerequisite
for the BigHand Mobility module. The BigHand Service Desk is unable to assist with the set up of SSL
Certificates. If assistance is required, please contact your BigHand Account Manager.

Requesting a Certificate
The certificate request needs to be made on the machine/server where the BigHand Mobile Gateway is
installed. IIS also needs to be installed beforehand.
To publish the BigHand Website to the internet, you will need to have an external IP address which can
be bound. A Domain Name System (DNS) record (A-record) will also need to be configured with whoever
manages your external DNS.
1. Open IIS Manager console.
2. Ensure the server in the directory tree structure in the left pane and Server Certificate icon in the
central pane are both selected as shown in the illustration below. Then select Open Feature on the
right pane.

Important: If the Server Certificate icon is not displayed in the central pane within the IIS section,
this is likely due to the IIS Client Certificate Mapping Authentication role not being installed. For
information on installing this role, refer to the IIS Server Certificate Configuration section on page
12 and follow the instructions. Return to this section when you have completed the steps.
This will display the Actions pane on the right hand side.

3. On the pane on the right side of the Window, select Create Certificate Request...
This will display the Request Certificate Distinguished Name Properties wizard.
4. Type your desired Uniform Resource Locator (URL) in the Common Name text box (e.g.
bighand.company.com). Complete the remaining options in the wizard. The information in the illustration
below is used for example purposes.

5. Select Next.
This will display the Request Certificate Cryptographic Service Provider Properties wizard.
6. Set the Cryptographic service provider and Bit length to Microsoft RSA SChannel Cryptographic
Provider and 2048 respectively, and select Next.

This will display the Request Certificate File Name wizard.
7. Type a file name in the text box with a .txt extension and, if required, change the default location
(C:\Windows\System32) the file will be saved in, and select Finish.
In the illustration below the file name Security Certificate.txt is used for example purposes.

8. Begin the purchase process with your preferred Certificate Authority (CA) on their website. Some of the
most well-known CAs are:
• GeoTrust - https://www.geotrust.com/uk/ssl/ssl-certificates-premium/
• GlobalSign - https://www.globalsign.com/en/ssl/
• GoDaddy - https://uk.godaddy.com/web-security/ssl-certificate
• VeriSign - https://www.websecurity.symantec.com/en/uk/ssl-certificate
Some CAs will request the .txt file created in step 7 (in the above illustration, Security Certificates.txt
was used). Others will require the contents of the text file, which looks similar to what is displayed below:
-----BEGIN NEW CERTIFICATE REQUEST-----
[Base64-encoded request data]
-----END NEW CERTIFICATE REQUEST-----
Once your request has been accepted, the CA will contact the Administrator of your domain to ensure
that you have the rights to the URL you chose in step 4. This would normally happen within a couple of
hours of the application. The certificate is typically available within 48 hours.
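
A scripted equivalent of steps 3 to 7, using the built-in certreq.exe tool instead of the IIS wizard. This is an added example, not part of the BigHand release note: the working folder and file names are placeholders, the host name is the sample from step 4, and the Subject Alternative Name entry is an addition because current TLS clients match the host name against it rather than the Common Name.

```powershell
# Added example (not BigHand code). Run in an elevated session on the server
# that hosts the BigHand Mobile Gateway, so the private key is created there.
$commonName = 'bighand.company.com'   # sample host name from step 4
$workDir    = 'C:\Temp\csr'           # placeholder; avoids writing into C:\Windows\System32
$infPath    = Join-Path $workDir 'request.inf'
$csrPath    = Join-Path $workDir 'Security Certificate.txt'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Single-quoted here-string so that "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__CN__"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__CN__&"
'@
$inf = $inf.Replace('__CN__', $commonName)
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the local machine store and writes the request file.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity checks before sending the file to the CA.
$firstLine = Get-Content -Path $csrPath -TotalCount 1
if ($firstLine -ne '-----BEGIN NEW CERTIFICATE REQUEST-----') {
    throw "Unexpected request file header: $firstLine"
}
& certutil.exe -dump $csrPath | Select-String -Pattern 'Subject:', 'Public Key Length', 'DNS Name'
```

Exportable = FALSE keeps the private key from being exported from this server, so the CA's response has to be completed on the same machine. The command-line counterpart of the Complete Certificate Request step is `certreq -accept` with the .cer file.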

Completing a Certificate Request


This section needs to be completed when you have received your response from the CA. This section
describes how to complete the request in the form of a text (.txt) file.
1. If the CA sent you the response in the form of a text file (.txt), change the file extension from .txt to .cer.
The illustration below is an example of how the contents of the file should appear.
-----BEGIN CERTIFICATE-----
[Base64-encoded certificate data]
-----END CERTIFICATE-----
When you have made the change, the file will look similar to the illustration below:

2. On the machine/server the Certificate Request (CSR) was originally created on, open the IIS Manager
console.
3. Ensure the server in the directory tree structure on the left pane and Server Certificate icon in the
central pane are both selected as shown in the illustration below. Then select Open Feature on the
right pane.

This will display the Actions pane on the right side.

4. On the pane on the right side of the Window, select Complete Certificate Request...
This will display the Complete Certificate Request dialog.
5. Navigate to the .cer file from step 1 using the browse button associated with the first text box.
6. In the Friendly name text box, type the URL that was typed in the Common Name text box (e.g.
bighand.company.com) in the previous section in step 4.

7. Select OK.
8. In the Server Certificates Window in IIS Manager, you should see the new certificate listed.
If you refresh the window and the certificate is no longer visible in the list, it is quite likely something is
wrong with the certificate itself or with the details completed in steps 5 and 6. Otherwise, you should
now be able to apply the new certificate to your website.
9. If the certificate is not available, you can try to import it manually. The instructions on how to do this
are below.

If you have received your response in the form of a PFX


You should have received a password for the file. These instructions will remain the same for nearly all
certificate formats available (i.e. .CER, .CRT, P12 etc.). It is rare a CA will send you anything other than a
PFX, CER or a response in the format of a text file (.txt).
1. On the machine/server where the BigHand website is, or will be installed, launch “Run command”
(Windows Key + R).
2. Type CertLM.msc and press the <ENTER> keyboard key to launch the certificates console for Local
Machine.
3. Expand the Personal folder to display the Certificates sub folder.
4. Right click on Certificates (if it exists), otherwise right click on Personal and select All Tasks >
Import...

This will display the welcome Certificate Import Wizard.


5. Select Next.
This will display the file to import Certificate Import Wizard.
Navigate to the .pfx file and select Next.

This will display the private key protection Certificate Import Wizard.
6. Type the password in the text box.

7. Ensure the appropriate check box options are selected based on your requirement. The two available
check options are explained below.

• Mark this key as exportable - This option is only necessary if you may need to reinstall the
certificate in the future and do not have the original provided by the CA. If you do not have this
option selected and did not keep a copy of the original, it is usually possible to get the original
certificate from the CA for no additional cost. Keeping it un-selected is more secure as it prevents
exporting the Private Key.
• Include all extended properties - When this option is selected, the entire certificate chain is
imported. This is required for your machine to trust this certificate and the CA who issued it. Your
machine will more than likely already trust the CA and certificate, however you may find that the
Extended Properties include newer certificates which will expire later. These additional certificates
would need to be moved to the Trusted Root Certification Authorities and/or Intermediate
Certification Authorities instead of Personal (as in step 3). For more information, please refer to
https://msdn.microsoft.com/en-us/library/windows/desktop/aa376515(v=vs.85).aspx.
8. Select Next.
9. On the next wizard, ensure Place all certificates in the following store is selected. The Certificate
store option should also display Personal.

10. Select Next and Finish.


You should be able to see the certificate under Personal > Certificates.
11. Go to the Assigning a Certificate to a BigHand Website section on page 2 to assign this
certificate to the BigHand website.
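
The import in steps 1 to 10 can also be done with the PKI cmdlets. The PowerShell below is an added example, not part of the BigHand release note: it imports the PFX with a non-exportable key, confirms the certificate validates for the site's host name, and lists any CA certificates that ended up in Personal. The file path is a placeholder and the host name is the sample used elsewhere in this guide.

```powershell
# Added example (not BigHand code). Run in an elevated session on the gateway server.
$pfxPath = 'C:\Temp\bighand.company.com.pfx'   # placeholder path
$dnsName = 'bighand.company.com'               # sample host name from this guide
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# -Exportable is deliberately omitted, so the private key is stored as
# non-exportable (the same as leaving "Mark this key as exportable" cleared).
$imported = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
                                  -CertStoreLocation Cert:\LocalMachine\My

# IIS can only bind a certificate whose private key is present on this machine.
$leaf = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) {
    throw 'No certificate with a private key was imported; it cannot be used for an https binding.'
}

# Builds the chain and checks the SSL policy for the host name clients will use.
$trusted = Test-Certificate -Cert $leaf -Policy SSL -DNSName $dnsName `
                            -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

# CA certificates belong in the Intermediate or Trusted Root stores, not Personal.
$caInPersonal = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    }
}

[pscustomobject]@{
    Thumbprint   = $leaf.Thumbprint
    Subject      = $leaf.Subject
    NotAfter     = $leaf.NotAfter
    ValidForSite = [bool]$trusted
    CaCertsInMy  = @($caInPersonal | ForEach-Object { $_.Subject })
} | Format-List

if (-not $trusted) {
    Write-Warning "Certificate does not validate for $dnsName; check the chain and the host name."
}
```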

IIS Server Certificates Configuration


The steps in this section explain what needs to be completed if the Server Certificates icon is unavailable
in the IIS Manager. The reason why the icon is unavailable is because the IIS Client Certificate Mapping
Authentication role, in the Server Manager console, is not installed. To install it:
1. Open the Server Manager console and select Add roles and features.
2. Select Next on the Before you begin wizard.
3. Select Next on the Select installation type wizard.
4. Select Next on the Select destination server wizard.
5. On the Select server roles wizard:
• Select Web Server (IIS) to display its options,
• Select Web Server to display its options,
• Select Security to display its options,
• and select the IIS Client Certificate Mapping Authentication check box.

6. Select Next twice.
This will display the Confirm installations selection wizard.
7. Ensure Client Certificate Mapping Authentication is displayed as shown in the illustration below and
select Install.

8. When the installation is complete, restart IIS Manager. The Server Certificate icon should be visible in
the middle pane.

What needs to be done now?


Inform mobile device users to update their BigHand app on their mobile device and change the port
number, if required. They will need to follow the instructions in the Removal of HTTP Support Release
Notes for Mobile Device Users. Please ensure this guide is made available for your BigHand users.
If your BigHand users continue to use the http connection method for BigHand apps, they will receive the
following message on their Android mobile device: In order to protect your data, we will no longer
support connections via HTTP from April 2019 and recommend using HTTPS. Please contact your
system administrator for further information.

The message displayed in the above illustration will be similar for both Windows and iOS mobile devices.
