Enabling SSL after RMS is provisioned

Let’s say that you decide that you want to enable SSL on your RMS pipelines after RMS is provisioned. It is recommended that you decrypt all RMS-protected content, re-install and re-provision RMS, and then encrypt the content again. However, this is not always possible.

One alternative option is to provision a new RMS environment and redirect all of your RMS clients to use this new license server. Before we see how to do this, there are several assumptions made about your RMS environment:

• The RMS deployment is configured with a software-based Server Licensor private key. This scenario will not work if you’re using an HSM to secure your RMS server’s private key.
• An SSL certificate is already installed and configured to require SSL encryption within IIS on the RMS vroots.
• The existing RMS database and servers have been backed up and the tapes stored in a safe place. Just in case… :)
• Because this requires that a registry entry is added to every RMS client, you must have a way to update the clients. Preferably through some automated fashion but a new pair of sneakers would work too.

Whew! Now for the fun stuff. To enable SSL in your RMS environment after the RMS server has been provisioned, you should follow these steps:

• Provision a new RMS server using the HTTPS option for the Intranet Cluster URL.
• Configure the old server as a Trusted User Domain on the new server. For instruction on this, see https://technet2.microsoft.com/WindowsServer/f/?en/Library/1c96ee74-fd28-4511-be21-087e2b04c3ee1033.mspx
• Configure the old server as a Trusted Publishing Domain on the new server. For more information on this, see https://technet2.microsoft.com/WindowsServer/f/?en/Library/1c96ee74-fd28-4511-be21-087e2b04c3ee1033.mspx
• Add a new String Value named LicenseServerRedirection registry entry to all of your RMS clients. The registry entry should be added to HKCU\Software\Microsoft\Office\11.0\Common\DRM. The value of this entry should be set to the name of the new server in the format of https://NewRMSServer/_wmcs/licensing.
• Update your Active Directory Service Connection Point to the new server. This can be done manually or via the ADScpRegister utility available from the RMS Toolkit. NOTE: You must be a member of the  Active Directory Enterprise Admins group to do this.
• Retire the old RMS server.

The method described in this blog post have not been fully tested and may lead to undesirable effects.  For example, rights policy templates and trusted user domains will not be transferred using the steps outlined in this post.  The recommended method to enable SSL after RMS is provisioned is to do the following:

• Back up the publishing certificate
• Remove the service connection point (SCP) from Active Directory
• Unprovision RMS
• Provision RMS again using HTTPS
• Register the new SCP
• Import the publishing certificate
• Modify the LicenseServerRedirection registry on all RMS-enabled client to point to reflect this change

 Feel free to let you know what you think by posting comments. Your feedback is welcomed.