The steps below can be used as a guide to change your Web Services from http to https. 

Before we begin, there are a few notes to consider:

1. You’ll need to find new ports for your Microsoft Dynamics GP Web Services application to run on.

   a. By default, Web Services installs on port numbers 48620 and 48621.

   b. For the examples below, we'll be using port number 48622. You can use any available port numbers on your Web Services machine.

2. It is highly recommended that you back up any .config file before making changes.

3. If you need to access Microsoft Dynamics GP Web Services externally, you'll need to use a publicly routable namespace in both your certificate and the new base addresses that you specify.

 

Certificate Binding

1. Create (or acquire) the SSL certificate. If your requirements include accessing Dynamics GP Web Services externally, a third-party certificate may work best. Otherwise, an internal Certificate Authority may work.

2. Register the certificate for the new ports by running the following in an elevated Command Prompt (right-click on the Command Prompt shortcut and select ‘Run as Administrator’):

   a. NETSH: netsh http add sslcert ipport=0.0.0.0:<port> certhash=<certificate thumbprint> appid={<GUID>}

   b. EXAMPLE: netsh http add sslcert ipport=0.0.0.0:48622 certhash=05a298da9200ee2e18250452e07928ce8f716f27 appid={07663267-F6A1-4F6F-9833-56FD0ABE0B89}

3. Then, add a URL reservation for your new https base addresses (e.g. the native/legacy endpoint (48622) and Dynamics Security Admin (48623)) by running the following in an elevated Command Prompt:

   a. NETSH: netsh http add urlacl url=https://+:<port>/ user=<domain\user>

   b. EXAMPLE: netsh http add urlacl url=https://+:48622/ user=domain\user

**NOTE: Trailing slash is required.
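The two netsh steps above with pre-flight checks on the certificate, as an added PowerShell example that is not part of the original post. The host name, account and thumbprint are placeholders, the appid is the one from the post's example, and the script relies on the DnsNameList and EnhancedKeyUsageList properties that the PowerShell certificate provider adds (PowerShell 3.0 or later).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumed values: replace every one of these with your own.
$Port       = 48622
$HostName   = 'machinename.domain.com'     # name used in the https base address
$Account    = 'domain\user'                # account for the URL reservation
$Thumbprint = '<certificate thumbprint>'   # placeholder
$AppId      = '{07663267-F6A1-4F6F-9833-56FD0ABE0B89}'   # appid from the post's example

# Strip spaces and hidden characters that often come along when copying a thumbprint.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq ($Thumbprint -replace '[^0-9A-Fa-f]', '') }
if (-not $cert) { throw 'Certificate not found in LocalMachine\My' }

# HTTP.SYS needs the private key; clients need a valid date range and a matching name.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is not within its validity period'
}

# A wildcard covers exactly one DNS label, so *.domain.com must not match a.b.domain.com.
$nameOk = $cert.DnsNameList | Where-Object {
    $HostName -match ('^' + [regex]::Escape($_.Unicode).Replace('\*', '[^.]+') + '$')
}
if (-not $nameOk) { throw "Certificate does not cover $HostName" }

# An empty EKU list means "all purposes"; otherwise Server Authentication must be present.
$eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
if ($eku.Count -gt 0 -and $eku -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate is not valid for Server Authentication'
}

# Quote each argument so PowerShell does not parse {GUID} as a script block.
netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$($cert.Thumbprint)" "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }
netsh http add urlacl "url=https://+:$Port/" "user=$Account"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add urlacl failed' }

# Confirm what HTTP.SYS actually stored.
netsh http show sslcert "ipport=0.0.0.0:$Port"
netsh http show urlacl "url=https://+:$Port/"
```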

 

Update Binding

In the WSBindings.config file, found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs, the wsHttpBinding section needs a second binding that is a duplicate of the existing WSHttpBindingTarget binding, named WSHttpBindingTargetSSL. The security mode for this second binding will be 'Transport'.

Also, for the basicHttpBinding, in the same WSBindings.config file, a duplicate of the BasicHttpBinding binding needs to be made, named BasicHttpBindingTargetSSL, with its security mode also set to 'Transport'.

***NOTE: You can use this attached modified WSBindings.config file, as the above changes have already been made, so nothing needs to be done to it.

You then need to update the service configuration file that corresponds to the endpoint you are using (e.g. Native or Legacy). In most cases, such as approval of Workflow through email notification links, the Native endpoint is being used, so the following changes to the DynamicsGP.config for the Native endpoint need to be made.

Modified Config Files for Web Services HTTP/SSL >> Here is a file exchange link to all four of the config files, already configured minus the changes mentioned in this blog.

 

Native:

In the DynamicsGP.config, found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs, under 'services', we must change the 'GPWCFStaticMetadataBehavior' behaviorConfiguration to show as 'GPDynamicMetadataBehavior'.

Also, for the 'GPService' endpoint address, we need to change the 'WSHttpBindingTarget' bindingConfiguration to show as 'WSHttpBindingTargetSSL'.

We also need to add another entry under 'baseAddresses' with your secure HTTPS URL. I.e. https://machinename.domain.com:SSLPort#/Dynamics/GPService, replacing machinename.domain.com with an appropriate URL per your certificate being used and replacing SSLPort# with the new port number, such as port 48622.

Lastly, for the GPDynamicMetadataBehavior behavior section, update the 'serviceMetadata' attribute to show 'httpsGetEnabled' instead of 'httpGetEnabled'.

***NOTE: This DynamicsGP.config file has been modified for the above changes and only needs these added changes made to it:

1. Under baseAddresses, change the http://SERVERNAME:48620/Dynamics/GPService URL to be your actual default native endpoint URL for Web Services.

2. Under that URL, change the https://MACHINENAME.DOMAIN.COM:48622/Dynamics/GPService URL, as mentioned above, according to the certificate and port number being used for the HTTPS/SSL configuration.

3. About 9 lines under the https URL, there is an externalMetadataLocation URL that you'll need to change from http://SERVERNAME:48620/Metadata/WCF/Full/schemas.microsoft.com.dynamics.gp.2010.01.wsdl, replacing SERVERNAME with the actual server name that Web Services for Microsoft Dynamics GP is installed onto.

 

Web Services and Workflow 2.0

If you’re using Workflow 2.0 functionality and you want users to be able to approve from e-mail notification links, you need to provide Dynamics GP Web Services connection information. If you want that process to use a more secure connection, you’ll need to make the following adjustments as well.

First, another entry needs to be made in the WSBindings.config file, making a duplicate of the 'WebHttpBindingTarget' binding, naming it 'WebHttpBindingTargetSSL' and setting the security mode to 'Transport'.

***NOTE: This change is already done in the modified WSBindings.config file attached above, so no manual changes should be needed, other than removing this added entry if you're not using the functionality to approve Workflow 2.0 through email notifications via Web Services links.

Second, open the GPWorkflowService.config file, found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs, and change the 'WebHttpBindingTarget' bindingConfiguration to use the new binding definition made to the WSBindings.config file in step 1, changing the name to 'WebHttpBindingTargetSSL'.

We also need to add another entry under 'baseAddresses' with your secure HTTPS URL. I.e. https://machinename.domain.com:SSLPort#/Dynamics/GPService/rest, replacing machinename.domain.com with an appropriate URL per your certificate being used and replacing SSLPort# with the new port number, such as port 48622.  This is similar to the added https URL we put in the DynamicsGP.config file.

***NOTE: This GPWorkflowService.config file has been modified for the above changes and only needs these added changes made to it:

1. Under baseAddresses, change the http://SERVERNAME:48620/Dynamics/GPService URL to be your actual default native endpoint URL for Web Services.

2. Under that URL, change the https://MACHINENAME.DOMAIN.COM:48622/Dynamics/GPService URL, as mentioned above, according to the certificate and port number being used for the HTTPS/SSL configuration.

 

**NOTE: When you enter the Microsoft Dynamics GP Web Services information in the Workflow Setup window in Microsoft Dynamics GP you'll need to specify the correct URL (machinename.domain.com) and port (SSLPort#) as well as marking the "This server requires a secure connection (SSL)" box.

If you are planning to use the legacy endpoint for Web Services and want this endpoint to also use the HTTPS configuration, you’ll need to make the following changes.

***NOTE: If not actually using the legacy endpoint URL, the recommendation is to leave the DynamicsGPLegacy.config file as default, as we have seen it cause issues with the Dynamics Security Console and Web Services Exceptions Console.

 

Legacy:

In the DynamicsGPLegacy.config, found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs, under 'Services', change the 'GPLegacyStaticMetadataBehavior' behaviorConfiguration to show as 'GPDynamicMetadataBehavior', for the 'Microsoft.Dynamics.GP.WebServices.LegacyContract.DynamicsGP' service name.

Also, change the 'BasicHttpBindingTarget' bindingConfiguration, for the 'basicHttpBinding' to be 'BasicHttpBindingTargetSSL'. 

We also need to add another entry under 'baseAddresses' with your secure HTTPS URL. I.e. https://machinename.domain.com:SSLPort#/Dynamics/GPService, replacing machinename.domain.com with an appropriate URL per your certificate being used and replacing SSLPort# with the new port number, such as port 48622.

Lastly, for the GPDynamicMetadataBehavior behavior section, update the 'serviceMetadata' attribute to show 'httpsGetEnabled' instead of 'httpGetEnabled'.

***NOTE: This DynamicsGPLegacy.config file has been modified for the above changes and only needs these added changes made to it:

1. Under baseAddresses, change the http://SERVERNAME:48620/Dynamics/GPWebServices URL to be your actual default legacy endpoint URL for Web Services.

2. Under that URL, change the https://MACHINENAME.DOMAIN.COM:48622/Dynamics/GPWebServices URL, as mentioned above, according to the certificate and port number being used for the HTTPS/SSL configuration.

3. About 9 lines under the https URL, there is an externalMetadataLocation URL that you'll need to change from http://SERVERNAME:48620/Metadata/Legacy/Full/DynamicsGP.wsdl, replacing SERVERNAME with the actual server name that Web Services for Microsoft Dynamics GP is installed onto.

 

Additional Changes for Console Applications

After the changes above are made to the WSBindings.config, DynamicsGP.config (and maybe DynamicsGPLegacy.config) files and you’ve stopped and restarted the ‘Microsoft Dynamics GP Service Host’ service, you may find that the Dynamics Security Console or Web Services Exceptions Console does not work. If so, you might also need to make these changes to get them working properly:

***NOTE: Only do these steps if, after the changes above, you launch the Dynamics Security Console and Dynamics Web Services Exceptions Console and they are not working. If they seem to be working, you can bypass this section.***

1. In the Microsoft.Dynamics.GP.Administration.Policy.dll.config, found in: C:\Program Files\Common Files\Microsoft shared\Microsoft Dynamics\ManagementConsole, change the 'DynamicsGPServiceURL' value from this:  http://machinename:assignedport#/DynamicsGPWebServices/DynamicsGPService.asmx to use your https configuration as per this example: https://machinename.domain.com:SSLPort#/DynamicsGPWebServices/DynamicsGPService.asmx

2. In the Microsoft.Dynamics.GP.Administration.Exceptions.dll.config, found in: C:\Program Files\Common Files\Microsoft shared\Microsoft Dynamics\ManagementConsole, change the 'DynamicsGPServiceURL' value from this: http://machinename:assignedport#/DynamicsGPWebServices/DynamicsGPService.asmx to use your https configuration as per this example: https://machinename.domain.com:SSLPort#/DynamicsGPWebServices/DynamicsGPService.asmx

3. In the Microsoft.Dynamics.GP.Administration.EntityIDAssignments.dll.config, found in: C:\Program Files\Common Files\Microsoft shared\Microsoft Dynamics\ManagementConsole, change the 'DynamicsGPServiceURL' value from this: http://machinename:assignedport#/DynamicsGPWebServices/DynamicsGPService.asmx to use your https configuration as per this example: https://machinename.domain.com:SSLPort#/DynamicsGPWebServices/DynamicsGPService.asmx

 

Final Configuration

1. You will also need to update your firewall configuration to make sure your new SSL port numbers are allowed.

2. You can simply add this port to the existing ‘GPService’ rule:

3. Start -> Control Panel -> Administrative Tools -> Windows Firewall and Advanced Security

4. Click on Inbound Rules

5. Double click on GP Service

6. Select the Protocols and Ports tab

7. Insert a comma and your new SSL port in the Local port:

8. Restart the ‘Microsoft Dynamics GP Service Host’ service to force the changes onto Web Services.

***NOTE: Restart the 'Microsoft Dynamics GP Service Host' service after making any changes to the above config files or Web Services.

 

The ‘Microsoft Dynamics GP Service Host’ service should start successfully. If it does not, or if you encounter other errors, review the Dynamics Event Viewer log (under Applications and Services Logs) for more information.

To summarize, for the HTTPS/SSL configuration of Web Services to use with the approval of Workflows through email notifications, you should only need to have the modifications for the WSBindings.config, DynamicsGP.config and GPWorkflowService.config files, making only these changes to these three files from the download above:

1. WSBindings.config >> No changes are needed to the already modified file.

2. DynamicsGP.config >> Three changes are needed to the already modified file, changing the two HTTP URLs and one HTTPS path to be valid to your environment.

3. GPWorkflowService.config >> Two changes are needed to the already modified file, changing the one HTTP and one HTTPS URL paths to be valid to your environment.
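A read-only check of the three files listed above, as an added PowerShell example that is not part of the original post or the product. It assumes the files use the standard WCF configuration element and attribute names without an XML namespace, and that the SSL port is 48622 as in the post's examples.

```powershell
# Added example (not from the original post). Reads the config files; changes nothing.
$Dir  = 'C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs'
$Port = 48622   # assumed SSL port, as in the post's examples

function Get-ConfigXml([string]$Name) {
    $x = New-Object System.Xml.XmlDocument
    $x.Load((Join-Path $Dir $Name))
    return $x
}
$findings = New-Object 'System.Collections.Generic.List[string]'
function Assert-That([bool]$Ok, [string]$Message) {
    if (-not $Ok) { $findings.Add($Message) }
}

# 1. Every *SSL binding must exist and use Transport security.
$b = Get-ConfigXml 'WSBindings.config'
foreach ($n in 'WSHttpBindingTargetSSL', 'BasicHttpBindingTargetSSL', 'WebHttpBindingTargetSSL') {
    $mode = $b.SelectSingleNode("//binding[@name='$n']/security/@mode")
    Assert-That ($null -ne $mode -and $mode.Value -eq 'Transport') `
        "WSBindings.config: $n is missing or its security mode is not Transport"
}

# 2. Each service file must reference its SSL binding and carry an https base address.
$expected = @{
    'DynamicsGP.config'        = 'WSHttpBindingTargetSSL'
    'GPWorkflowService.config' = 'WebHttpBindingTargetSSL'
}
foreach ($file in $expected.Keys) {
    $c   = Get-ConfigXml $file
    $ssl = $expected[$file]
    Assert-That ($null -ne $c.SelectSingleNode("//endpoint[@bindingConfiguration='$ssl']")) `
        "${file}: no endpoint uses $ssl"
    $https = @($c.SelectNodes('//baseAddresses/add/@baseAddress') |
        Where-Object { $_.Value -like "https://*:$Port/*" })
    Assert-That ($https.Count -gt 0) "${file}: no https base address on port $Port"
}

# 3. Metadata must be published over https by the dynamic behavior.
$gp   = Get-ConfigXml 'DynamicsGP.config'
$meta = $gp.SelectSingleNode("//behavior[@name='GPDynamicMetadataBehavior']/serviceMetadata")
Assert-That ($null -ne $meta -and $meta.GetAttribute('httpsGetEnabled') -eq 'true') `
    'DynamicsGP.config: serviceMetadata does not have httpsGetEnabled="true"'
Assert-That ($null -ne $gp.SelectSingleNode("//service[@behaviorConfiguration='GPDynamicMetadataBehavior']")) `
    'DynamicsGP.config: no service uses GPDynamicMetadataBehavior'

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'All HTTPS settings described above are present.' }
```

Remove 'BasicHttpBindingTargetSSL' or 'WebHttpBindingTargetSSL' from the first loop if you are not configuring the legacy endpoint or Workflow 2.0 e-mail approvals.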

Please let us know if you have any issues with this new blog and/or updated files. Hopefully it'll make this configuration easier for everyone going forward.

Thank you!!