Last week I talked about setting up your own certificates on RS servers. Today I'll cover a few issues around using SSL with the Report Server web service and the Report Manager application.
There are two ways to enforce SSL requirement with Reporting Services. One option is to configure the Reports web application and the ReportServer web service in IIS Manager console to require SSL. The other option is to modify the value of the SecureConnectionLevel setting in the Report Server configuration file (RSReportServer.config). The SecureConnectionLevel can have 4 different levels - 0, 1, 2 and 3. Depending on the level you choose, SSL will be required for none, some, most or all calls to the RS. The level 3 is the equivalent of using the site properties in IIS Manager to require SSL, it basically enforces SSL for all method calls. Level 0 means no SSL will be required.
The initial RTM release of RS has a few issues that make using SSL with RS complicated. The levels 1 and 2 require only certain methods to use SSL, but the Report Manager app doesn't always get those methods right and it renders some links with http instead of https. If you click on one of those links, you'll get an error telling you that SSL needs to be used. The level 3 works the best - all application links are rendered as https, with the exception of Help. The help link still renders with http instead of https, and you get the same error when you open the link.
My personal opinion is that there is very little reason to use levels 1 or 2, why not just go all the way and make everything secure. You can follow these steps in the RTM version to set up Report Manager so that all links render with https and Help still works:
- In IIS Manager, configure the ReportServer web service to require SSL. Instead of this step you can set the SecureConnectionLevel to 3 in the config file, but I prefer enforcing it in IIS.
- Do the same in the Reports web application setting (Report Manager). After this change all links in RM will be rendered with https, except for Help. We will fix that in the next step
- Expand the Reports site in IIS Manager, open the properties of the EN subfolder and uncheck the SSL setting. The EN folder contains the English help files so deselecting SSL on that folder will allow you to view help without SSL. You will need to modify other folders if you use help other than English.
It appears that all of these issues have been addressed in SP1. I tested all levels without getting any errors. Levels 1 and 2 seem to correctly render links with https or just http as needed. Level 3 renders everything with https. If you manually change the link to http, Report Manager redirects the call to https. You now have two options for fully enforcing SSL - you can either follow the previous steps and configure the folders in IIS, or you can just set SecureConnectionLevel to 3 in the config file.
The Vermont .NET User Group and the Vermont SQL Server SIG will be cohosting a meeting tomorrow night at Gardener's Supply in Burlington, Vermont. Rod Paddock from Seattle, the editor of Code Magazine and author of several programming books will be presenting Creating SQL 2005 Custom Data Types and Aggregates using VS NET 2005. He'll be doing the same presentation on Tuesday at the Montreal SQL Server UG meeting.