Configure Reporting Services SSL Binding with WMI & PowerShell

Recently I’ve been building some scripts in PowerShell  to automate the deployment of business inteligence bits like: SSAS, SSRS, SSIS, Databases,…

And one of the tasks was to configure the SSRS (Reporting Services) with ssl binding. The problem is that the only way to do that is with the SSRS WMI Provider.

With powershell we have a cmdlet “get-wmiobject” that make things a lot easier, this cmdlet builds a “proxy” to a wmi class and let us call the methods in this class.

All we need to do is to obtain an instance of the WMI Class ”MSReportServer_ConfigurationSetting”

$serverClass = get-wmiobject -namespace “rootMicrosoftSqlServerReportServerRS_sql2008v10Admin” -class “MSReportServer_ConfigurationSetting”

Reserve the Url calling the “ReserveURL” method

$result = $serverClass.ReserveURL(“ReportServerWebService”, “https://mysite:443”, 2070)

This method receives the folowing parameters:

  • Name of the SSRS web application: ReportServerWebService or ReportManager
  • The url to be reserved in http.sys
  • The locale id (LCID) of the return messages, in this case I’am using Portugal LCID

Then I need to call the “CreateSSLCertificateBinding” method

$result = $serverClass.CreateSSLCertificateBinding(“ReportServerWebService”, “‎e9b993f5a5101bf9bea71896ffc07118b9ca2dcc”, “0.0.0.0”, 443, 2070)    

This method receives the folowing parameters:

  • Name of the SSRS web application
  • The certificate hash or thumbprint
  • The Ip address of the webapplication, in this case I use Wildcard IP address 0.0.0.0
  • The ssl port
  • The LCID

The sintax of members & methods of the WMI Class ”MSReportServer_ConfigurationSetting” can be found here:

http://technet.microsoft.com/en-us/library/ms154070.aspx

To wrap it up, I will post a complete powershell script solution to this problem:

function Config-SSRSSystemConfiguration($sslUrl, $certHash, $sslPort)
{

# The .ToLower() avoids the error “A Secure Sockets Layer (SSL) certificate is not configured on the Web site.” (Thanks Michel)

$certHash = $certHash.ToLower()

Write-Output “Configure SSRS SSL binding”

$serverClass = get-wmiobject -namespace “rootMicrosoftSqlServerReportServerRS_sql2008v10Admin” -class “MSReportServer_ConfigurationSetting”

if ($serverClass -eq $null) { throw “Cannot find wmi class” }
$lcid = [System.Globalization.CultureInfo]::GetCultureInfo(“pt-PT”).LCID
$result = $serverClass.RemoveURL(“ReportServerWebService”, $sslUrl, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
$result = $serverClass.ReserveURL(“ReportServerWebService”, $sslUrl, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
$result = $serverClass.RemoveSSLCertificateBindings(“ReportServerWebService”, $certHash, “0.0.0.0”, $sslPort, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
$result = $serverClass.CreateSSLCertificateBinding(“ReportServerWebService”, $certHash, “0.0.0.0”, $sslPort, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
$result = $serverClass.RemoveURL(“ReportManager”, $sslUrl, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
$result = $serverClass.ReserveURL(“ReportManager”, $sslUrl, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
$result = $serverClass.RemoveSSLCertificateBindings(“ReportManager”, $certHash, “0.0.0.0”, $sslPort, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
$result = $serverClass.CreateSSLCertificateBinding(“ReportManager”, $certHash, “0.0.0.0”, $sslPort, $lcid)
if (!($result.HRESULT -eq 0)) { write-error $result.Error }
}

#Create SSL Certificate

$certificatesFolder = “c:Certificates”
$cn = “mysite”

& makecert -r -pe -n CN=”$cn” -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine `
-sky exchange -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 “$certificatesFolderSSLCert.cer”

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“$certificatesFolderSSLCert.cer”)

$certHash = $cert.Thumbprint

#Configure the SSL binding
Config-SSRSSystemConfiguration “https://$($cn):443″ $certHash 443

In this script I create the certificate with “makecert” command, and I load it to obtain the certificate hash.

In the powershell function “Config-SSRSSystemConfiguration”  before calling the methods (I had described earlier) I call the respective remove method witch signature is similar.

Note: This was tested in SSRS 2008, do not know if it works on SSRS 2005

Hope it helps.

Advertisements