Enabling SSL after RMS is provisioned

Let’s say that you decide that you want to enable SSL on your RMS pipelines after RMS is provisioned. It is recommended that you decrypt all RMS-protected content, re-install and re-provision RMS, and then encrypt the content again. However, this is not always possible.

One alternative option is to provision a new RMS environment and redirect all of your RMS clients to use this new license server. Before we see how to do this, there are several assumptions made about your RMS environment:

  • The RMS deployment is configured with a software-based Server Licensor private key. This scenario will not work if you’re using an HSM to secure your RMS server’s private key.
  • An SSL certificate is already installed and configured to require SSL encryption within IIS on the RMS vroots.
  • The existing RMS database and servers have been backed up and the tapes stored in a safe place. Just in case… :)
  • Because this requires that a registry entry is added to every RMS client, you must have a way to update the clients. Preferably through some automated fashion but a new pair of sneakers would work too.

Whew! Now for the fun stuff. To enable SSL in your RMS environment after the RMS server has been provisioned, you should follow these steps:

The method described in this blog post have not been fully tested and may lead to undesirable effects.  For example, rights policy templates and trusted user domains will not be transferred using the steps outlined in this post.  The recommended method to enable SSL after RMS is provisioned is to do the following:

  • Back up the publishing certificate
  • Remove the service connection point (SCP) from Active Directory
  • Unprovision RMS
  • Provision RMS again using HTTPS
  • Register the new SCP
  • Import the publishing certificate
  • Modify the LicenseServerRedirection registry on all RMS-enabled client to point to reflect this change

 Feel free to let you know what you think by posting comments. Your feedback is welcomed.