Security for the IRM is divided into the following
areas:
- A firewall stops most intrusions
- Microsoft security on the IRM server and data server
- Anti-Virus software should be installed on the IRM server and
must be set to NOT scan network drives
- All credit card data is encrypted when sent from the guest using
Secure Socket Layer (SSL) technology
- All sensitive data, such as credit card information, is stored on the Data
Server in an encrypted Pervasive file, not the IRM server
- Credit card numbers are not stored in the RDP system at all. A
token which represents the credit card is stored in the RDP database and the
credit card number is stored by the credit card gateway on a remote server.
See IRM Hardware Requirements for additional information on IRM Security.
Web Server Certificates and Secure Socket Layer Encryption
The main part of IRM Security is protecting the guest’s private information
as it passes from the browser to the IRM server. Without a secure website,
all information can be compromised.
The SSL security certificate is used to encrypt data that is sent to or received from
the IRM server. A security certificate must be purchased from a
certificate authority. A certificate authority is a third-party company
that authenticates websites. Once a certificate is obtained from the
certificate authority, install it on the web server to activate SSL, encrypt
data and protect the property and the internet guest.
Common Names, Domain Names and SSLs
Also known as the URL, the common name is the fully-qualified domain name
used for DNS lookups of your server. This information is used by browsers to
identify your website. Client browsers connecting to your IRM server check for a
match between your SSL certificate common name and your URL. Do not use wildcard
characters (such as *, ?, etc.), IP addresses, or port numbers in the common name.
Do not include "http://" or "https://" in your Common Name. Entering the
wrong common name while creating an SSL certificate can result in security
warnings when Internet customers access the IRM server.
The property's marketing website domain name cannot be used
because the SSL certificate is installed on the IRM server and not the marketing
website. The IP address of the IRM needs to be resolved with a common name
or a second registered domain name. The following two options exist:
- Use a common name that is a part of your existing domain name. For
example, RDP owns the Domain Name www.resortdata.com. RDP can create a
different common name by using a sub-domain. For example, the domain
IRM.resortdata.com can be used. Do not include "http://" in sub-domains.
- Buy a second domain name. The common name to be used when creating a new
certificate request in IIS and enrolling for an SSL Certificate would
include the www lead (host). For example, www.resortdatairm.com can be used
when requesting a new certificate.
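A pre-flight check for the common name rules above, run before the value is typed into the certificate request. This is an added example, not RDP code; the function name and result codes are assumptions, and the "path" check goes beyond the rules listed on this page.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def common_name_problems(candidate):
    """Return a code for each common-name rule the candidate breaks ([] = usable)."""
    problems = []
    name = candidate.strip()
    if _SCHEME.match(name):
        problems.append("scheme")        # "http://" or "https://" was included
        name = name.split("://", 1)[1]
    if "/" in name:
        problems.append("path")          # not a page rule, but never valid in a host name
        name = name.split("/", 1)[0]
    if "*" in name or "?" in name:
        problems.append("wildcard")
    if not _is_ip(name):                 # avoid reading IPv6 colons as a port
        host, sep, port = name.rpartition(":")
        if sep and port.isdigit():
            problems.append("port")
            name = host
    if _is_ip(name):
        problems.append("ip-address")
        return problems
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        problems.append("not-fully-qualified")
    # Wildcard labels were already reported above; do not report them twice.
    if any(not _LABEL.match(l) for l in labels if not set(l) & set("*?")):
        problems.append("bad-label")
    return problems


# Constructed candidates; the first two are the examples given on this page.
for cn in ("IRM.resortdata.com", "www.resortdatairm.com",
           "https://irm.resortdata.com", "*.resortdata.com",
           "203.0.113.10", "irm.resortdata.com:8443"):
    print(f"{cn:32} {common_name_problems(cn) or 'OK'}")
```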
Purchasing an SSL Certificate From a Certificate Authority
- Access the certificate authority's website and purchase the SSL
certificate. Decide the level of encryption. Print the detailed instructions
on how to install the certificate for a Microsoft IIS web server and review
before beginning.
- The enrollment form requires an organizational contact, technical
contact, billing contact, the owned common name of the IRM server, form of
payment and possibly your Dun & Bradstreet number.
- A list is provided by the certificate authority to select server
software. The IRM only runs on a Microsoft IIS web server.
- When the certificate authority is satisfied that it can issue a
certificate, follow the instructions provided by them for installation.
Note: It is critical that the SSL be installed on the IRM server.
- Browse to your SSL provider's website for directions.
- Follow the instructions for creating a CSR file on the IRM server using
the IIS management tool.
- Once the CSR file is created, log into your SSL account on the SSL
provider's website and follow their instructions to input it into your account.
- Follow the SSL provider's instructions for installing the SSL
certificate on your IRM server based on the version of IIS installed.
- Once the SSL is installed, go to RDPWin --> IRM.Net main menu -->
Configuration --> Misc tab. In the System Maintenance section, check the box
Use Secure (SSL) Connection and enter the port in the SSL Port field if the
port used for the SSL is NOT port 443. If using port 443, leave the
field blank.
- Restart IIS.
- Change the links for the owner, travel agent, group, returning guest or
brochure request login pages to be HTTPS:
- Owner login: https://irmserver.yourdomain.com/irmnet/owner/ownerhome.login.aspx
- Travel Agent or Group login: https://irmserver.yourdomain.com/irmnet/login.aspx
- Returning Guest login: https://irmserver.yourdomain.com/irmnet/login.aspx?LoginType=guest
- Brochure request login: https://irmserver.yourdomain.com/irmnet/res/requestbrochure.aspx
Displaying the Secure Site Seal on IRM.Net
When an SSL certificate is installed on the IRM server, the IRM.Net pages are
accessed using Secure Sockets Layer (SSL) protocol. However, when the IRM.Net is
displayed in an iFrame within a non-secured page, the lock icon that is normally
displayed by the browser when accessing a secure site is not visible because the
containing page is not secure. RDP strongly recommends not using the IRM in an
iFrame.
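The HTTPS login links listed earlier and the iFrame recommendation above can both be checked by scanning the marketing site's HTML for references to the IRM server. This is an added example, not RDP code; the sample page is constructed and the class, function and finding names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that can reference IRM.Net pages, and the attribute holding the URL.
_URL_ATTR = {"a": "href", "form": "action", "iframe": "src", "frame": "src"}


class IrmLinkAudit(HTMLParser):
    """Collect references to IRM.Net that are framed or not using HTTPS."""

    def __init__(self, irm_host):
        super().__init__()
        self.irm_host = irm_host.lower()
        self.findings = []               # (finding, url) tuples

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTR.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        parts = urlsplit(url)
        # Only absolute URLs that point at the IRM server's /irmnet/ pages.
        if (parts.hostname or "") != self.irm_host:
            return
        if not parts.path.lower().startswith("/irmnet/"):
            return
        if tag in ("iframe", "frame"):
            self.findings.append(("iframe-embed", url))
        if parts.scheme.lower() != "https":
            self.findings.append(("not-https", url))


def audit_marketing_page(html, irm_host):
    parser = IrmLinkAudit(irm_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed marketing page using the login paths listed on this page.
SAMPLE_PAGE = """
<a href="https://irmserver.yourdomain.com/irmnet/owner/ownerhome.login.aspx">Owners</a>
<a href="http://irmserver.yourdomain.com/irmnet/login.aspx">Travel agents</a>
<a href="http://irmserver.yourdomain.com/irmnet/login.aspx?LoginType=guest">Guests</a>
<iframe src="https://irmserver.yourdomain.com/irmnet/res/requestbrochure.aspx"></iframe>
<a href="http://www.yourdomain.com/about.html">About us</a>
"""

for finding, url in audit_marketing_page(SAMPLE_PAGE, "irmserver.yourdomain.com"):
    print(f"{finding:13} {url}")
```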
It is not possible for IRM.Net to change this behavior. As an option, a
security seal from the SSL vendor can be displayed showing visitors that the
site is secured by SSL technology. When a visitor clicks on the security seal, a
link to the SSL vendor is displayed showing full business authentication
information. See more information regarding Verisign's Secured Seal.
Other SSL vendors provide a similar capability.
If it exists, IRM.Net pages include the file /IRMNet/Custom/<dataserver>/RDPnn/UserText
SecuredSeal.htm. Create this file and modify it to include the security seal
code to be obtained from the SSL vendor.
The SSL security seal can be displayed within the IRM.Net pages whether or not
the IRM.Net is included in an iFrame.
A place holder (SecuredSeal.htm) is included in the IRM.