
Installation of Secure Socket Layer (SSL) Certificate on IRM or IRM.Net Server

Updated: 2/15/11 MC

 

Security with the IRM has proven excellent, and is divided into the following areas:

  1. A good firewall stops most intrusions.
  2. Microsoft security on the IRM server, and data server, is very strong.
  3. Anti-Virus software should be installed on the IRM server and must be set to NOT scan network drives.
  4. All credit card data is encrypted when sent to the guest using Secure Socket Layer (SSL) technology.
  5. All sensitive data, such as credit card information, is stored on the Data Server, and not the IRM.  If a hacker manages to get through the firewall and Microsoft security to the IRM server, he/she still has to get from the IRM server to the Data server to retrieve data.  

Although the IRM has been installed at over 300 sites and has proven to be very secure, there is always some security risk. The only way to prevent all theoretical security problems is to completely remove the IRM from the Internet.  Unfortunately this would also prevent all reservations.

Please see IRM Hardware Requirements for additional information on IRM Security.

Web Server Certificates and Secure Socket Layer Encryption

The second part of IRM Security is protecting the guest’s private information as it passes from the browser to the web server via the Internet.  Without a secure website, virtually any piece of information can be compromised.

SSL, which is part of Windows 2003/2008 and Internet Information Services (IIS), is used to encrypt data that is sent or received by the web server.  To enable SSL, a security certificate must be purchased from a Certificate Authority.  A Certificate Authority is a third-party company that authenticates websites.  The security certificate ensures that browsers view the IRM website in a secure fashion.  Different levels of insurance protection against economic loss due to accidental occurrences are typically included when purchasing an SSL certificate. Once a web server certificate is obtained from the Certificate Authority, install it on the web server to activate SSL, encrypt data, and protect the property and the internet guest. Cost is based on encryption level, insurance coverage, and SSL provider.

Common Names, Domain Names and SSLs

Common Name: Also known as the URL, the common name is the fully-qualified domain name used for DNS lookups of your server. This information is used by browsers to identify your website. Client browsers connecting to your host check for a match between your Digital ID's (SSL) common name and your URL. Do not use wildcard characters (such as *, ?, etc.), IP addresses, or port numbers in the Common Name. Do not include "http://" or "https://" in your Common Name. Entering the wrong Common Name while enrolling for an SSL certificate from a Certificate Authority can result in security warnings when Internet customers access the Internet Reservation Module (IRM).
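The Common Name rules above can be checked before the certificate request is submitted. This is an added example, not RDP or Certificate Authority code; the function name and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import re

# A fully-qualified name: two or more dot-separated labels, letters/digits/hyphens.
FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def common_name_problems(name):
    """Return the reasons `name` should not be used as a certificate Common Name."""
    problems = []
    candidate = name.strip()
    if re.match(r"^[a-z][a-z0-9+.-]*://", candidate, re.I):
        problems.append("includes a scheme such as http:// or https://")
        candidate = candidate.split("://", 1)[1]
    if "/" in candidate:
        problems.append("includes a path")
        candidate = candidate.split("/", 1)[0]
    if not _is_ip(candidate):
        # Strip a trailing :port so the host part can still be checked.
        host, sep, port = candidate.rpartition(":")
        if sep and port.isdigit():
            problems.append("includes a port number")
            candidate = host
    if _is_ip(candidate):
        problems.append("is an IP address")
    elif "*" in candidate or "?" in candidate:
        problems.append("contains a wildcard character")
    elif not FQDN.match(candidate):
        problems.append("is not a fully-qualified domain name")
    return problems

if __name__ == "__main__":
    # Constructed inputs: the article's two example names plus common mistakes.
    for cn in ("irm.resortdata.com", "www.resortdatairm.com",
               "http://irm.resortdata.com/irm", "*.resortdata.com",
               "203.0.113.10:443", "irmserver"):
        print(cn, "->", common_name_problems(cn) or "OK")
```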

Many times there are questions about which domain name to use when enrolling with a Certificate Authority.  The property's marketing website domain name cannot be used because the processing of credit cards takes place from the IRM server and not the marketing website.  The marketing website is simply a portal to the IRM.  The IP address of the IRM needs to be resolved with a common name or a second registered domain name. The following two options exist:

  1. Use a common name that is a part of your existing domain name. For example, RDP owns the Domain Name www.resortdata.com. RDP can create a different common name by using anything to the left. Rather than buy another domain, we can create IRM.resortdata.com. We would use the common name (IRM.resortdata.com) when creating a new certificate request in IIS and enrolling for an SSL Certificate from a Certificate Authority. Our ISP would resolve the IP address of the IRM with irm.resortdata.com, and our marketing site would link to http://irm.resortdata.com/irm. Do not include "http://" in the common name.
  2. Buy a second domain name. If you buy a second domain name, the common name to be used when creating a new certificate request in IIS and enrolling for an SSL Certificate would include the www lead (host). For example, RDP buys a second domain: www.resortdatairm.com. We would then use www.resortdatairm.com as the common name when requesting a new certificate in IIS and enrolling for an SSL Certificate from a Certificate Authority. The ISP would resolve the IP address of the IRM with www.resortdatairm.com and our marketing site would link to http://www.resortdatairm.com/irm. Do not include "http://" in the common name.

Determine how you want your internet guests to access the IRM. If you want them to always go through your marketing website, create a common name that is a part of your existing domain name. If you want them to access the IRM directly, and you plan on marketing the IRM address, buy a second domain so that the www. lead (host) can be used. 

 

Note: The name that resolves to the IRM's IP address consists of a host name and a domain name. In www.resortdatairm.com, "www" is the host name and resortdatairm.com is the domain name. In irm.resortdata.com, "irm" is the host name and resortdata.com is the domain name.

Purchasing an SSL Certificate From a Certificate Authority

  1. Access the vendor's website and visit the "purchase" or "buy" SSL section (most commonly found under Products and Services). Decide the level of encryption, the amount of insurance protection, and the length of the SSL certificate necessary. Print the detailed instructions and review them before beginning. The Creating Server Certificates steps are explained in more detail in the vendor's steps.

  2. The Enrollment form requires an Organizational Contact, Technical Contact, Billing Contact, the owned Common name resolved with the IRM bridge, form of payment, and your Dun & Bradstreet number or Faxed Proof of Organization document.

  3. A list is provided by the Certificate Authority to Select Server Software. Server Software refers to the web server software on the IRM Bridge. All RDP customers should be using Microsoft IIS.

  4. The Certificate Authority uses this information to verify the company and website.

  5. The Certificate Authority contacts references.

  6. When the Certificate Authority is satisfied that it can issue a certificate, follow the instructions provided by the Certificate Authority for installing.

Installing SSL

    Note: It is critical that the SSL be installed on the IRM server.

  1. Browse to your SSL provider's website for directions.
    • Follow the instructions for creating the CSR file based on the version of IIS installed on the IRM server.
    • Once the CSR file is created, log into your SSL account on the SSL provider's website and follow their instructions to input into your account.
    • Follow the SSL provider's instructions for installing the SSL certificate on your IRM server based on the version of IIS installed.
  2. Once the SSL is installed, go to RDPWin --> IRM.Net main menu --> Configuration --> Misc tab. In the System Maintenance section, check the box Use Secure (SSL) Connection and enter the port in the SSL Port field if the port used for the SSL is NOT port 443. If using port 443, leave the field blank.
  3. Restart IIS. 
  4. Change the links for the owner, travel agent, group, returning guest or brochure request login pages to be HTTPS:
    • Owner login: https://irmserver.yourdomain.com/irmnet/owner/ownerhome.login.aspx
    • Travel Agent or Group login: https://irmserver.yourdomain.com/irmnet/login.aspx
    • Returning Guest login: https://irmserver.yourdomain.com/irmnet/login.aspx?LoginType=guest
    • Brochure request login: https://irmserver.yourdomain.com/irmnet/res/requestbrochure.aspx

    Note: The Reservation main page can also be HTTPS:// if using RDPWin version 3 and IRM.Net version 3. https://irmserver.yourdomain.com/irmnet/res/resmain.aspx
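Step 4 is easy to leave half done, so the marketing pages can be scanned for login links that still point at the IRM.Net server over plain HTTP. This is an added example, not RDP code; the function name and the sample page are constructed, and the paths are the login pages listed above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Login pages the article says must be linked over HTTPS (compared lower-case).
LOGIN_PATHS = {
    "/irmnet/owner/ownerhome.login.aspx",
    "/irmnet/login.aspx",
    "/irmnet/res/requestbrochure.aspx",
}

class _LinkCollector(HTMLParser):
    """Collect every href/src/action value together with its tag name."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append((tag, value))

def insecure_login_links(html, irm_host):
    """Return (tag, url) pairs that reach an IRM.Net login page without HTTPS."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != irm_host.lower():
            continue  # relative link or a different server
        if parts.path.lower() in LOGIN_PATHS and parts.scheme.lower() != "https":
            findings.append((tag, url))
    return findings

# Constructed marketing-page fragment using the article's placeholder host.
SAMPLE_PAGE = """
<a href="http://irmserver.yourdomain.com/irmnet/owner/ownerhome.login.aspx">Owners</a>
<a href="https://irmserver.yourdomain.com/irmnet/login.aspx?LoginType=guest">Guests</a>
<iframe src="http://irmserver.yourdomain.com/irmnet/res/resmain.aspx"></iframe>
<a href="HTTP://IRMServer.yourdomain.com/IRMNet/Login.aspx">Travel agents</a>
"""

if __name__ == "__main__":
    for tag, url in insecure_login_links(SAMPLE_PAGE, "irmserver.yourdomain.com"):
        print(f"<{tag}> still links over plain HTTP: {url}")
```

The reservation main page is not flagged because the article only makes HTTPS optional for it; add its path to `LOGIN_PATHS` when running RDPWin version 3 and IRM.Net version 3 with that page on HTTPS.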

RDP recommends that a backup be made of the SSL in case of a server crash. Backup instructions should be provided by your SSL vendor.

Displaying the Secure Site Seal on IRM.Net

When an SSL certificate is installed on the IRM server, the IRM.Net pages including private information are accessed using Secure Sockets Layer (SSL) protocol. However, when the IRM.Net is displayed in an iframe within a non-secured page (which is usually the case when integrating with a marketing website), the lock icon that is normally displayed by the browser when accessing a secure site is not visible because the containing page is not secure.

It is not possible for IRM.Net to change this behavior. Instead, a security seal from the SSL vendor can be displayed showing visitors that the site is secured by SSL technology. When a visitor clicks on the security seal, a link to the SSL vendor is displayed showing full business authentication information. See more information regarding Verisign's Secured Seal.  Other SSL vendors provide a similar capability.

IRM.Net pages include the file /IRMNet/Custom/<dataserver>/RDPnn/UserText SecuredSeal.htm if it exists. Create this file and modify it to include the security seal code obtained from the SSL vendor.

The SSL security seal can be displayed within the IRM.Net pages whether or not the IRM.Net is included in an iframe (provided that an SSL certificate has been purchased and installed). It is a highly recommended practice if the IRM is included within an iframe, as this will be the visitor's confirmation that the site is secured by SSL.

(The place holder for SecuredSeal.htm is included in the pages as of IRM.Net version 2.091.20. Prior to that, the security seal can be included in BannerFooter.htm.)

Displaying the Secure Site Seal on IRM Classic

The SSL vendor provides instructions on displaying the Secure Site Logo on your website. Use the directions for Non-JavaScript Code. Using Front Page, Expression Web or any other HTML editing program, the Non-JavaScript code is inserted into any IRM pages you want to display the Secure Seal. RDP suggests inserting the seal into AccessType2.htm and ResRules2.htm. Use the digest number you were given from the SSL provider.

 
