RDP Support  



Updated: 11/12/12

Installation of Secure Socket Layer (SSL) Certificate on IRM or IRM.Net Server


Security for the IRM is divided into the following areas:

  1. A firewall stops most intrusions
  2. Microsoft security on the IRM server and data server
  3. Anti-Virus software should be installed on the IRM server and must be set to NOT scan network drives
  4. All credit card data is encrypted when sent from the guest using Secure Socket Layer (SSL) technology
  5. All sensitive data, such as credit card information, is stored on the Data Server in an encrypted Pervasive file, not the IRM server
  6. Credit card numbers are not stored in the RDP system at all.  A token which represents the credit card is stored in the RDP database and the credit card number is stored by the credit card gateway on a remote server.

See IRM Hardware Requirements for additional information on IRM Security.

Web Server Certificates and Secure Socket Layer Encryption

The main part of IRM Security is protecting the guest’s private information as it passes from the browser to the IRM server.  Without a secure website, all information can be compromised.

The SSL security certificate is used to encrypt data sent to or received from the IRM server.  A security certificate must be purchased from a certificate authority.  A certificate authority is a third-party company that authenticates websites.  Once a certificate is obtained from the certificate authority, install it on the web server to activate SSL, encrypt data and protect the property and the internet guest.

Common Names, Domain Names and SSLs

Also known as the URL, the common name is the fully-qualified domain name used for DNS lookups of your server. This information is used by browsers to identify your website. Client browsers connecting to your IRM server check for a match between your SSL certificate common name and your URL. Do not use wildcard characters (such as *, ?, etc.), IP addresses, or port numbers in the common name. Do not include "http://" or "https://" in your common name. Entering the wrong common name while creating an SSL certificate can result in security warnings when Internet customers access the IRM server.

The property's marketing website domain name cannot be used because the SSL certificate is installed on the IRM server and not the marketing website.  The IP address of the IRM needs to be resolved with a common name or a second registered domain name. The following two options exist:

  1. Use a common name that is a part of your existing domain name. For example, RDP owns the Domain Name www.resortdata.com. RDP can create a different common name by using a sub-domain.  For example, the domain IRM.resortdata.com can be used.  Do not include "http://" in sub-domains.


  2. Buy a second domain name. The common name to be used when creating a new certificate request in IIS and enrolling for an SSL Certificate would include the www lead (host). For example www.resortdatairm.com can be used when requesting a new certificate.
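
The common name rules above can be checked before the certificate request is submitted. The following is an added example, not RDP or IIS code; the function names are hypothetical and the sample names are the ones used on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits and hyphens, with no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def common_name_problems(cn):
    """Return the reasons a proposed common name breaks the rules above."""
    problems = []
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", cn):
        problems.append("includes a scheme such as http:// or https://")
        cn = cn.split("://", 1)[1]
    if "/" in cn:
        problems.append("includes a path")
        cn = cn.split("/", 1)[0]
    if "*" in cn or "?" in cn:
        problems.append("contains a wildcard character")
    if cn.count(":") == 1:                      # host:port form
        host, port = cn.split(":")
        if port.isdigit():
            problems.append("includes a port number")
            cn = host
    try:
        ipaddress.ip_address(cn)
        problems.append("is an IP address, not a domain name")
        return problems
    except ValueError:
        pass                                    # not an IP address
    labels = cn.split(".")
    if len(labels) < 2:
        problems.append("is not fully qualified")
    # Wildcard labels were already reported, so skip them here.
    plain = [l for l in labels if "*" not in l and "?" not in l]
    if not all(_LABEL.match(l) for l in plain):
        problems.append("contains an invalid DNS label")
    return problems


def url_matches_cn(url, cn):
    """Case-insensitive host comparison, the match the page says browsers make."""
    return (urlsplit(url).hostname or "") == cn.lower()


if __name__ == "__main__":
    for name in ("IRM.resortdata.com", "https://irm.resortdata.com",
                 "*.resortdata.com", "192.0.2.10:443"):
        print(name, "->", common_name_problems(name) or "ok")
```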

Purchasing an SSL Certificate From a Certificate Authority

  1. Access the certificate authority's website and purchase the SSL certificate. Decide the level of encryption. Print the detailed instructions on how to install the certificate for a Microsoft IIS web server and review before beginning.

  2. The enrollment form requires an organizational contact, technical contact, billing contact, the owned common name of the IRM server, form of payment and possibly your Dun & Bradstreet number.

  3. A list is provided by the certificate authority to select server software. The IRM only runs on a Microsoft IIS web server.

  4. When the certificate authority is satisfied that it can issue a certificate, follow the instructions provided by them for installation.

Installing SSL

Note: It is critical that the SSL be installed on the IRM server.

  1. Browse to your SSL provider's website for directions.
    • Follow the instructions for creating a CSR file on the IRM server using the IIS management tool.
    • Once the CSR file is created, log into your SSL account on the SSL provider's website and follow their instructions to input it into your account.
    • Follow the SSL provider's instructions for installing the SSL certificate on your IRM server based on the version of IIS installed.
  2. Once the SSL is installed, go to RDPWin --> IRM.Net main menu --> Configuration --> Misc tab. In the System Maintenance section, check the box Use Secure (SSL) Connection and enter the port in the SSL Port field if the port used for the SSL is NOT port 443. If using port 443, leave the field blank.
  3. Restart IIS. 
  4. Change the links for the owner, travel agent, group, returning guest or brochure request login pages to be HTTPS:
    • Owner login: https://irmserver.yourdomain.com/irmnet/owner/ownerhome.login.aspx
    • Travel Agent or Group login: https://irmserver.yourdomain.com/irmnet/login.aspx
    • Returning Guest login: https://irmserver.yourdomain.com/irmnet/login.aspx?LoginType=guest
    • Brochure request login: https://irmserver.yourdomain.com/irmnet/res/requestbrochure.aspx
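
After step 4, the marketing website's pages can be audited for IRM links that were missed. The following is an added example, not part of RDP's software: it flags links, forms and frames that reach the IRM server without HTTPS, and also flags any frame embedding of the IRM, which the seal section of this page recommends against. The sample page is constructed and uses this page's placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

IRM_HOST = "irmserver.yourdomain.com"   # placeholder host used on this page
URL_ATTR = {"a": "href", "form": "action", "iframe": "src", "frame": "src"}


class IrmLinkAudit(HTMLParser):
    """Collect findings for tags whose URL points at the IRM server."""

    def __init__(self, irm_host=IRM_HOST):
        super().__init__()
        self.irm_host = irm_host.lower()
        self.findings = []               # (issue, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTR.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != self.irm_host:
            return                       # relative link or another site
        if parts.scheme.lower() != "https":
            self.findings.append(("not-https", tag, url))
        if tag in ("iframe", "frame"):
            self.findings.append(("framed", tag, url))


def audit_page(html, irm_host=IRM_HOST):
    """Return the findings for one page of marketing-site HTML."""
    parser = IrmLinkAudit(irm_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for illustration only.
SAMPLE_PAGE = """
<a href="http://irmserver.yourdomain.com/irmnet/owner/ownerhome.login.aspx">Owner login</a>
<a href="https://irmserver.yourdomain.com/irmnet/login.aspx?LoginType=guest">Returning guest</a>
<a href="HTTP://IRMSERVER.yourdomain.com/irmnet/login.aspx">Travel agents</a>
<iframe src="https://irmserver.yourdomain.com/irmnet/res/requestbrochure.aspx"></iframe>
<a href="http://www.yourdomain.com/rooms.html">Rooms</a>
"""

if __name__ == "__main__":
    for issue, tag, url in audit_page(SAMPLE_PAGE):
        print(f"{issue:10} <{tag}> {url}")
```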

Displaying the Secure Site Seal on IRM.Net

When an SSL certificate is installed on the IRM server, the IRM.Net pages are accessed using the Secure Sockets Layer (SSL) protocol. However, when the IRM.Net is displayed in an iFrame within a non-secured page, the lock icon that is normally displayed by the browser when accessing a secure site is not visible because the containing page is not secure. RDP strongly recommends not using the IRM in an iFrame.

It is not possible for IRM.Net to change this behavior.  As an option, a security seal from the SSL vendor can be displayed showing visitors that the site is secured by SSL technology. When a visitor clicks on the security seal, a link to the SSL vendor is displayed showing full business authentication information. See more information regarding Verisign's Secured Seal.  Other SSL vendors provide a similar capability.

IRM.Net pages include the file /IRMNet/Custom/<dataserver>/RDPnn/UserText SecuredSeal.htm if it exists. Create this file and modify it to include the security seal code obtained from the SSL vendor.

The SSL security seal can be displayed within the IRM.Net pages whether or not the IRM.net is included in an iFrame.

A placeholder (SecuredSeal.htm) is included in the IRM.

 

Other IRM.Net Links

Linking or Passing Search Criteria into IRM.Net from Marketing Website 

IRM.Net Best Practices

IRM.Net Troubleshooting

IRM.Net Knowledge Base Article Index
