The steps below can be used as a guide to change your Web Services from HTTP to HTTPS.
Before we begin, there are a few notes to consider:
- You’ll need to find new ports for your Microsoft Dynamics GP Web Services application to run on. By default it probably installed to 48620. For the example below we’ll be using port 48622. You can use any available ports on your Web Services machine.
- It is highly recommended that you back up any .config file before making changes.
- If you need to access Microsoft Dynamics GP Web Services externally, you'll need to use a publicly routable namespace in both your certificate and the new base addresses that you specify.
Certificate Binding
Create (or acquire) the SSL certificate. If your requirements include accessing Dynamics GP Web Services externally a 3rd party certificate may work best. Otherwise an internal Certificate Authority may work.
Register the certificate for the new ports by running the following in an elevated Command Prompt (right-click on the Command Prompt shortcut and select Run as Administrator):
NETSH: netsh http add sslcert ipport=0.0.0.0:<SSLPORT#> certhash=<THUMBPRINT ID> appid=<ARBITRARY GUID>
EXAMPLE: netsh http add sslcert ipport=0.0.0.0:48622 certhash=05a298da9200ee2e18250452e07928ce8f716f27 appid={07663267-F6A1-4F6F-9833-56FD0ABE0B89}
Add a URL reservation for your new https base addresses (e.g. the native/legacy endpoint (48622) and Dynamics Security Admin (48623)) by running the following in an elevated Command Prompt:
NETSH: netsh http add urlacl url=https://+:<SSLPort#>/ user=<SERVICE USER>
EXAMPLE: netsh http add urlacl url=https://+:48622/ user=domain\user
NOTE: Trailing slash is required
Update Binding
Update the wsHttpBinding in WSBindings.config (found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs)
Create a second binding that is a duplicate of the existing WSHttpBindingTarget binding
Rename it to something like WSHttpBindingTargetSSL
Set the security mode to “Transport”
Example:
<wsHttpBinding>
  <binding name="WSHttpBindingTarget" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
    <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
    <security mode="Message">
      <message clientCredentialType="Windows"/>
    </security>
  </binding>
  <binding name="WSHttpBindingTargetSSL" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
    <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
    <security mode="Transport">
      <message clientCredentialType="Windows"/>
    </security>
  </binding>
</wsHttpBinding>
You then need to update the service configuration file that corresponds to the endpoint you are using (e.g. Native or Legacy).
Legacy:
Open DynamicsGPLegacy.config (found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs)
Make the following change under <services>
<service name="Microsoft.Dynamics.GP.WebServices.LegacyContract.DynamicsGP" behaviorConfiguration="GPLegacyStaticMetadataBehavior">
To
<service name="Microsoft.Dynamics.GP.WebServices.LegacyContract.DynamicsGP" behaviorConfiguration="GPDynamicMetadataBehavior">
Add another entry under <baseAddresses> with your secure URL:
Example:
<baseAddresses>
  <add baseAddress="http://<machinename>:<assignedport#>/DynamicsGPWebServices"/>
  <add baseAddress="https://<machinename.domain.com>:<SSLPort#>/DynamicsGPWebServices"/>
</baseAddresses>
*NOTE: Replace <machinename.domain.com> with an appropriate URL and <SSLPort#> with the new port (e.g. 48622).
Update the <serviceMetadata> element of the GPDynamicMetadataBehavior section so that it uses the httpsGetEnabled attribute, as follows:
<behavior name="GPDynamicMetadataBehavior">
  <serviceThrottling maxConcurrentSessions="1024"/>
  <serviceMetadata httpsGetEnabled="true"/>
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
  <serviceCredentials>
    <userNameAuthentication cacheLogonTokens="true"/>
  </serviceCredentials>
</behavior>
Native:
Open DynamicsGP.config (found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs)
Make the following change under <services>
Change:
<service name="Microsoft.Dynamics.GP.WebServices.Contract.DynamicsGP" behaviorConfiguration="GPWCFStaticMetadataBehavior">
To
<service name="Microsoft.Dynamics.GP.WebServices.Contract.DynamicsGP" behaviorConfiguration="GPDynamicMetadataBehavior">
Change:
<endpoint address="GPService" name="GPWebService" binding="wsHttpBinding" bindingConfiguration="WSHttpBindingTarget" contract="Microsoft.Dynamics.GP.WebServices.Contract.IGPServices"/>
To:
<endpoint address="GPService" name="GPWebService" binding="wsHttpBinding" bindingConfiguration="WSHttpBindingTargetSSL" contract="Microsoft.Dynamics.GP.WebServices.Contract.IGPServices"/>
Add another entry under <baseAddresses> with your secure URL:
Example:
<baseAddresses>
  <add baseAddress="http://<machinename>:<assignedport#>/Dynamics/GPService"/>
  <add baseAddress="https://<machinename.domain.com>:<SSLPort#>/Dynamics/GPService"/>
</baseAddresses>
*NOTE: Replace <machinename.domain.com> with an appropriate URL and <SSLPort#> with the new port (e.g. 48622).
Update the <serviceMetadata> element of the GPDynamicMetadataBehavior section so that it uses the httpsGetEnabled attribute, as follows:
<behavior name="GPDynamicMetadataBehavior">
  <serviceThrottling maxConcurrentSessions="1024"/>
  <serviceMetadata httpsGetEnabled="true"/>
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
  <serviceCredentials>
    <userNameAuthentication cacheLogonTokens="true"/>
  </serviceCredentials>
</behavior>
Web Services and Workflow 2.0
If you’re using the Workflow 2.0 functionality that was introduced in Microsoft Dynamics GP 2013 R2 and you want users to be able to approve from e-mails, you need to provide Dynamics GP Web Services connection information. If you want that process to use a more secure connection, you’ll need to make the following adjustment.
1. Another entry needs to be made to the WSBindings.config file, but this time it should be a duplicate of the "WebHttpBindingTarget" section. Rename it to something like "WebHttpBindingTargetSSL" and set the security mode to "Transport"
Example:
<binding name="WebHttpBindingTargetSSL" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" useDefaultWebProxy="true">
  <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
  <security mode="Transport">
    <transport clientCredentialType="Ntlm"/>
  </security>
</binding>
2. Open the GPWorkflowService.config (found in C:\Program Files\Microsoft Dynamics\GPWebServices\ServiceConfigs)
a. Change the following line to point to the new binding definition from Step 1:
<endpoint behaviorConfiguration="GPWorkflowService.RestBehavior" binding="webHttpBinding" bindingConfiguration="WebHttpBindingTargetSSL" contract="Microsoft.Dynamics.GP.WebServices.WorkflowActionRenderingEngineContract.IWorkflowActionRenderingEngine"/>
b. Add another entry under <baseAddresses> with your secure URL:
Example:
<baseAddresses>
  <add baseAddress="http://<machinename>:<assignedport#>/Dynamics/GPService/rest"/>
  <add baseAddress="https://<machinename.domain.com>:<SSLPort#>/Dynamics/GPService/rest"/>
</baseAddresses>
When you enter the Microsoft Dynamics GP Web Services information in the Workflow Setup window in Microsoft Dynamics GP you'll need to specify the correct URL (<machinename.domain.com>) and port (<SSLPort#>) as well as marking the "This server requires a secure connection (SSL)" box.
Final Configuration
Update your firewall configuration
Make sure your new ports are allowed
You can simply add this port to the existing GPService rule
Start -> Control Panel -> Administrative Tools -> Windows Firewall with Advanced Security
Click on Inbound Rules
Double click on GP Service
Select the Protocols and Ports tab
Insert a comma and your new SSL port in the Local port: field
Restart the Microsoft Dynamics Service Host service to force the changes. The service should start successfully. If it does not, review the Dynamics Event Viewer log (found under Applications and Services Logs) for more information.
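The certificate binding, the renamed binding and the https base address only take effect when they agree with each other; an endpoint left on WSHttpBindingTarget, for instance, keeps answering on the http address. The Python check below is an added example, not part of the original article or of Microsoft's tooling, and it covers the Native DynamicsGP.config case only. The function names, the trimmed sample files, the host gpws01.example.com and the "IP:port" line format of netsh http show sslcert output are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples (not the real files): trimmed WSBindings.config, DynamicsGP.config
# and `netsh http show sslcert` output. gpws01.example.com is a placeholder host.
BINDINGS = """<bindings><wsHttpBinding>
  <binding name="WSHttpBindingTarget"><security mode="Message"/></binding>
  <binding name="WSHttpBindingTargetSSL"><security mode="Transport"/></binding>
</wsHttpBinding></bindings>"""
SERVICE = """<services><service name="Microsoft.Dynamics.GP.WebServices.Contract.DynamicsGP">
  <endpoint address="GPService" binding="wsHttpBinding" bindingConfiguration="{cfg}"/>
  <host><baseAddresses>
    <add baseAddress="http://gpws01:48620/Dynamics/GPService"/>
    <add baseAddress="https://gpws01.example.com:{port}/Dynamics/GPService"/>
  </baseAddresses></host>
</service></services>"""
NETSH = "    IP:port                      : 0.0.0.0:48622\n    Certificate Hash             : <THUMBPRINT ID>\n"

def bound_ports(netsh_output):
    """Ports that have an sslcert binding, read from the 'IP:port' lines (assumed format)."""
    return {int(p) for p in re.findall(r"IP:port\s*:\s*\S+:(\d+)", netsh_output)}

def lint(bindings_xml, service_xml, ssl_ports):
    """Return findings; an empty list means the HTTPS pieces agree with each other."""
    modes = {}  # (binding type, binding name) -> security mode
    for kind in ET.fromstring(bindings_xml).iter():
        for b in kind.findall("binding"):
            sec = b.find("security")
            modes[(kind.tag, b.get("name"))] = sec.get("mode") if sec is not None else None
    findings = []
    for svc in ET.fromstring(service_xml).iter("service"):
        https_ports = []
        for add in svc.findall("host/baseAddresses/add"):
            raw = add.get("baseAddress", "")
            if raw != raw.strip():
                findings.append(f"stray whitespace in baseAddress {raw!r}")
            url = urlsplit(raw.strip())
            if url.scheme == "https":
                https_ports.append(url.port)
        if not https_ports:
            findings.append("no https baseAddress")
        findings += [f"port {p} has no sslcert binding" for p in https_ports if p not in ssl_ports]
        for ep in svc.findall("endpoint"):
            key = (ep.get("binding"), ep.get("bindingConfiguration"))
            if key[1] and modes.get(key) != "Transport":
                findings.append(f"endpoint binding {key[1]} is not security mode Transport")
    return findings

if __name__ == "__main__":
    print(lint(BINDINGS, SERVICE.format(cfg="WSHttpBindingTarget", port=48622), bound_ports(NETSH)))
```

Run it against copies of the edited files before restarting the Microsoft Dynamics Service Host service; any finding points at the step that was missed.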