It is recommended to enable HTTPS to encrypt communication with the Studio server. This includes communication with Encore and the management service which is used by the Publisher, Development Dashboard, and the Blueriq Model Analyzer (BMA).

Info
Technical knowledge assumed

This guide on HTTPS configuration and implementation assumes a foundational understanding of web security, networking, and server administration. The instructions provided are intended for individuals with technical expertise in these areas.

Info

In this step-by-step example we use a self-signed certificate. However, it is recommended to use a certificate that is issued by a Certificate Authority (CA).

Tip

Enabling HTTPS for Encore will enable the 'copy profile from clipboard' feature in Blueriq Encore.

This page describes how to enable HTTPS for the Studio server to ensure secure and encrypted communication between the Studio server and its clients. The Studio server includes the Management Service. Examples of clients are: Blueriq Encore, Development Dashboard (Runtime), BPU, and the Blueriq Model Analyzer (BMA).

Approaching your Blueriq installation from within an internal network over HTTPS, as shown in the figure on the right, requires enabling HTTPS for the Blueriq site in Internet Information Services (IIS).

Figure 1

Enable HTTPS in Internet Information Services (IIS)

  1. Open Internet Information Services (IIS) Manager on the site where Blueriq is installed.
  2. Select the Blueriq site and, from the context menu, open the Bindings... dialog.
  3. Add a new binding of type 'HTTPS' and select the certificate you want to use. In this example, we use a self-signed certificate, which is not recommended in a production environment.
  4. Click 'View' to check the 'Issued to' property of the certificate. In a real situation, the 'Issued to' field should be the host of your Blueriq deployment instead of localhost.
  5. Select OK in both the 'Certificate' and 'Add Site Binding' dialogs.
  6. It is recommended, but not required, to remove any site binding of type 'HTTP' from the list of site bindings.
  7. To use HTTPS, go to the 'Issued to' host from step 4, using the https scheme. In this example, that is https://localhost/
    1. The URL for user management in Keycloak will be: https://localhost/Keycloak/admin/master/console/#/BlueriqStudio17 for Blueriq 17
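
The same binding steps can be scripted with the WebAdministration module. This is an added example, not part of the original page or of Blueriq's tooling; the site name 'Blueriq', port 443 and the use of the LocalMachine\My store are assumptions.

```powershell
Import-Module WebAdministration

$SiteName = 'Blueriq'     # assumption: name of the IIS site
$HostName = 'localhost'   # the page's example; use the real deployment host

# Steps 3-4: choose a machine-store certificate that has a private key, is
# currently valid and is issued to $HostName (exact match; wildcards not handled).
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $HostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate issued to '$HostName' in Cert:\LocalMachine\My"
}
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed; use a CA-issued one in production."
}

# Steps 3 and 5: add the HTTPS binding on port 443 and attach the certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    (Get-WebBinding -Name $SiteName -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')
}

# Step 6: report remaining HTTP bindings instead of deleting them; removing
# them changes the management service URL, so do it deliberately with Remove-WebBinding.
Get-WebBinding -Name $SiteName -Protocol http | ForEach-Object {
    Write-Warning "HTTP binding still present: $($_.bindingInformation)"
}
```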

Establishing a connection from the runtime dashboard to the Studio server

If you have removed the HTTP binding in step 6, the URL of the management service has changed, which makes it likely that the runtime dashboard does not display the list of projects that are available in Blueriq Encore anymore.

To fix this, the blueriq.studio.url property needs to be updated in the application-development-tools.properties file in the conf folder of the runtime.

There are two options:

  1. Use the external port, e.g.: https://localhost/Studio/Server/Services/ManagementService
    Info

    If you are using a self-signed certificate, you will have to add this certificate to the Java truststore as explained here: Security: HTTPS

  2. Use the internal port if the runtime is deployed on the same server as the Studio server (http://localhost:17093/Services/ManagementService for Blueriq 17)

Additional configuration for a reverse proxy

Instead of changing the settings in the default IIS instance to enable HTTPS, you could run Blueriq behind a reverse proxy server.

In this case, both the runtime and Keycloak require additional configuration which is described on these pages:

When you want to be able to approach Blueriq from an external network, you may want to take some extra security measures such as a reverse proxy and firewalls as shown in the figure below.

Running the Blueriq installation behind a reverse proxy requires the correct headers to be forwarded for Keycloak. To do so:

  1. Open Internet Information Services (IIS) Manager on the site where Blueriq is installed. 
  2. Select the Blueriq site and open 'URL Rewrite'
  3. Open 'ReverseProxy_Keycloak' and set the following headers in the 'Server Variables' section:
    1. HTTP_X_FORWARDED_HOST should be your hostname from which you approach the Blueriq installation 
    2. HTTP_X_FORWARDED_PROTO should be https
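
To check the two server variables outside IIS Manager, the rule can be read from the site's configuration XML. This is an added example, not part of the original page: the embedded web.config is a constructed sample (match pattern, rewrite target and hostname are placeholders) and `Test-KeycloakProxyHeaders` is a hypothetical helper name; only the rule name and variable names come from the steps above.

```powershell
# Constructed sample; HTTP_X_FORWARDED_PROTO is deliberately wrong here.
$sampleConfig = @'
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxy_Keycloak">
          <match url="^Keycloak/(.*)" />
          <serverVariables>
            <set name="HTTP_X_FORWARDED_HOST" value="blueriq.example.com" />
            <set name="HTTP_X_FORWARDED_PROTO" value="http" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:PLACEHOLDER_PORT/{R:0}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

# Hypothetical helper: returns one finding per missing or incorrect variable.
function Test-KeycloakProxyHeaders {
    param([xml]$Config, [string]$ExternalHost)
    $rule = $Config.configuration.'system.webServer'.rewrite.rules.rule |
        Where-Object { $_.GetAttribute('name') -eq 'ReverseProxy_Keycloak' }
    if (-not $rule) { return @("Rule 'ReverseProxy_Keycloak' not found") }

    $expected = [ordered]@{
        HTTP_X_FORWARDED_HOST  = $ExternalHost   # host clients use to reach Blueriq
        HTTP_X_FORWARDED_PROTO = 'https'
    }
    $findings = @()
    foreach ($name in $expected.Keys) {
        $set = $rule.serverVariables.set |
            Where-Object { $_.GetAttribute('name') -eq $name }
        if (-not $set) {
            $findings += "$name is not set"
        } elseif ($set.GetAttribute('value') -ne $expected[$name]) {
            $findings += "$name is '$($set.GetAttribute('value'))', expected '$($expected[$name])'"
        }
    }
    return $findings
}

Test-KeycloakProxyHeaders -Config $sampleConfig -ExternalHost 'blueriq.example.com'
```

To audit a real site, pass the content of its web.config (for example via `Get-Content -Raw`) instead of the sample.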

We have encountered some cases in which the Keycloak console did not load. In this case, additional configuration about the hostname was needed. You can find more information about how to do so here: https://www.keycloak.org/server/hostname#_example_scenarios

Use the runtime behind a reverse proxy server

Additionally, read more about using the runtime behind a reverse proxy server here to configure the runtime dashboard so that it is able to retrieve the list of projects that are available in Blueriq Encore.