Post-installation best practices

Applies To: Windows Azure Pack

After you install the Windows Azure Pack for Windows Server, perform the following best practices.

Replace untrusted self-signed certificates with trusted certificates

Each Windows Azure Pack component is installed on an Internet Information Services (IIS) website that, by default, is configured with a self-signed certificate. Because these self-signed certificates are not issued by any of the trusted root certification authorities that your browser loads on startup, your browser displays a security warning when you attempt to connect to any of the sites, and users have no way to tell your portal from an impostor that presents a different self-signed certificate. To avoid this, we recommend that you replace the self-signed certificates used by the publicly facing services, MgmtSvc-TenantSite (management portal for tenants) and MgmtSvc-TenantPublicAPI, with certificates issued by a trusted root certification authority. The MgmtSvc-AdminSite (management portal for administrators) also benefits from replacing its self-signed certificate.
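A check for the recommendation above, added here as an example and not part of the Windows Azure Pack documentation: it connects to each site, captures the certificate the site presents, and rebuilds the chain against the local trust store, which is the same evaluation a browser performs before it shows the warning. The host names are placeholders and the port numbers are assumptions; take both from the IIS bindings of your deployment.

```powershell
# Added example, not code from the Windows Azure Pack documentation.
# Connects to a site, accepts whatever certificate it presents (this is an audit;
# the callback's "true" never governs a real client), then rebuilds the chain
# locally to report whether a normal client would trust the certificate.

function Test-MgmtSvcCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate so the handshake completes and the certificate can be inspected.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $client.Dispose()
    }

    # Rebuild the chain with this machine's trust store, as a browser would.
    # Revocation checking is skipped so the result reflects trust, not CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $statusText) { $statusText = 'NoError' }

    [pscustomobject]@{
        Endpoint     = "${HostName}:$Port"
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # heuristic: issuer equals subject
        NotAfter     = $cert.NotAfter
        ChainTrusted = $trusted
        ChainStatus  = $statusText
    }
}

# Assumed endpoints (placeholder host names, assumed ports): replace with your deployment's values.
$endpoints = @(
    @{ HostName = 'wap-tenant.contoso.local'; Port = 30081 }   # MgmtSvc-TenantSite
    @{ HostName = 'wap-tenant.contoso.local'; Port = 30006 }   # MgmtSvc-TenantPublicAPI
    @{ HostName = 'wap-admin.contoso.local';  Port = 30091 }   # MgmtSvc-AdminSite
)
foreach ($endpoint in $endpoints) {
    Test-MgmtSvcCertificate @endpoint
} | Format-Table -AutoSize
```

A row with SelfSigned True, or with UntrustedRoot in ChainStatus, is the condition that produces the browser warning; after the replacement, expect ChainTrusted True and ChainStatus NoError. Run the check from a client workstation rather than from the Windows Azure Pack server itself, because the self-signed certificate is often present in the server's own trusted root store and the result would not reflect what tenants see.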

Note

By default, services that are not accessed directly by users, such as the APIs and resource providers, ignore certificate validation errors on the HTTPS calls they make to other components. The override is implemented through the ServicePointManager.ServerCertificateValidationCallback property, which is set to accept any server certificate, so the components cannot detect an impostor that presents its own certificate between them. If this presents a security concern, replace the untrusted self-signed certificates with a valid certificate that is issued by a recognized certification authority, and then turn the validation override off by setting the value to false.

The configuration settings that govern this validation override are in each website’s Web.config file as follows:

  • For the management portal for administrators and for the management portal for tenants, MgmtSvc-AdminSite and MgmtSvc-TenantSite:

    <configuration>

      <appSettings>

        <add key="Microsoft.Azure.Portal.Configuration.AppManagementConfiguration.Rdfe2DisableCertificateValidation" value="false" />

      </appSettings>

    </configuration>

  • For the Service Management API websites, MgmtSvc-AdminAPI, MgmtSvc-TenantAPI, and MgmtSvc-TenantPublicAPI:

    <configuration>

      <appSettings>

        <add key="DisableSslCertValidation" value="false" />

      </appSettings>

    </configuration>

For each of these keys, the default value is true, which permits untrusted certificates; the snippets above show the hardened value. When the value is set to false, the use of untrusted certificates is disallowed, so set it only after the replacement certificates are installed and trusted on every machine that makes the calls, or the components will no longer be able to reach each other.

Important

The <appSettings> section of each Web.config file is encrypted by default. To modify the <appSettings> section of a Web.config file, you must decrypt the file, apply the changes, and then re-encrypt the file. To decrypt and re-encrypt the Web.config files, run the following Windows PowerShell cmdlets on the computer where the Web.config file is located:

  • To decrypt: Unprotect-MgmtSvcConfiguration -Namespace <namespace>

  • To re-encrypt: Protect-MgmtSvcConfiguration -Namespace <namespace>

Where <namespace> is one of the following:

  • TenantPublicAPI

  • TenantAPI

  • AdminAPI

  • AdminSite

  • TenantSite
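The full procedure from the sections above (decrypt, set the override key for the site type, re-encrypt, verify) as one function, added here as an example and not code from the Windows Azure Pack documentation. It assumes that the MgmtSvc cmdlets are available on the node where it runs and that the site's Web.config sits under the default IIS path C:\inetpub\MgmtSvc-<Namespace>; pass -WebConfigPath if your installation differs. The key name per namespace is the one the page gives for each site type.

```powershell
# Added example, not from the Windows Azure Pack documentation. Turns the
# certificate-validation override off for one namespace: decrypt appSettings,
# set the key the documentation names for that site type, re-encrypt, then verify.
# Assumptions: the MgmtSvc PowerShell module is loaded on this node, and the
# site's Web.config lives under the default IIS path C:\inetpub\MgmtSvc-<Namespace>.

function Disable-MgmtSvcCertValidationOverride {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TenantPublicAPI', 'TenantAPI', 'AdminAPI', 'AdminSite', 'TenantSite')]
        [string]$Namespace,
        [string]$WebConfigPath = "C:\inetpub\MgmtSvc-$Namespace\Web.config"   # assumed default path
    )

    # The key depends on the site type: portals use the Rdfe2 key, Service Management APIs the short one.
    $key = if ($Namespace -in 'AdminSite', 'TenantSite') {
        'Microsoft.Azure.Portal.Configuration.AppManagementConfiguration.Rdfe2DisableCertificateValidation'
    } else {
        'DisableSslCertValidation'
    }

    # Keep a rollback copy of the encrypted file before touching it.
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force

    Unprotect-MgmtSvcConfiguration -Namespace $Namespace
    try {
        [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
        $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq $key }
        if (-not $node) {
            # Key absent: add it rather than silently leaving the default (true) in force.
            $node = $cfg.CreateElement('add')
            $node.SetAttribute('key', $key)
            [void]$cfg.configuration.appSettings.AppendChild($node)
        }
        $node.SetAttribute('value', 'false')
        $cfg.Save($WebConfigPath)
    }
    finally {
        # Always re-encrypt, even if the edit failed, so settings are not left in clear text.
        Protect-MgmtSvcConfiguration -Namespace $Namespace
    }

    # Verify the section is encrypted again. ASP.NET protected configuration marks an
    # encrypted section with a configProtectionProvider attribute (assumption about the on-disk form).
    [xml]$after = Get-Content -Path $WebConfigPath -Raw
    $reEncrypted = [bool]$after.configuration.appSettings.configProtectionProvider

    [pscustomobject]@{
        Namespace   = $Namespace
        Key         = $key
        Value       = 'false'
        ReEncrypted = $reEncrypted
    }
}

# Example run on the node that hosts the tenant portal.
Disable-MgmtSvcCertValidationOverride -Namespace TenantSite
```

Run the function on each computer that hosts the namespace, since the cmdlets operate on the local Web.config. Saving Web.config restarts the ASP.NET application, so the new value takes effect immediately; do this only after the certificates on the called side are trusted by the calling machine, otherwise the first outbound call fails with a certificate error. If ReEncrypted comes back False, restore the .bak copy and investigate before leaving the file on disk.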