KB-Sync1 (Archer Employee)

Article Number

000037985


Applies To


Product(s): Archer
Version(s): All Versions
Primary Deployment: On Premises

Description


The purpose of this article is to explain how to replace/change the Advanced Workflow SSL Certificate.
Two methods are covered in this article:
  1. Replacing the Advanced Workflow SSL Certificate using the Archer Installer.
  2. Replacing the Advanced Workflow SSL Certificate using Windows PowerShell.
Situations where you may need to replace the Advanced Workflow SSL Certificate include:
  • The Advanced Workflow SSL Certificate has expired (or is about to expire).
  • Your organization's security policy mandates that certificates, such as the Advanced Workflow SSL Certificate, be re-issued once a year.
  • The private key of the Advanced Workflow SSL Certificate has been compromised. In that case, also have the old certificate revoked by its issuing CA and delete it from the Personal store once the new one is bound; replacing the binding alone does not invalidate the old key.

Resolution


Follow the steps below:

Preparation for Replacement

1. Stop ALL Archer Jobs. This task stops the processing of new jobs while allowing currently running jobs to process (Jobs in progress and their associated child jobs can finish processing). Follow the steps below:

a. Open Archer Control Panel and navigate to Plugins menu > Job Engine Manager.
b. Go to the Servers tab.
c. Click Discontinue Job Processing.
d. Click Update at the bottom right and then Save at the top left.

2. Stop all Archer Services (except for the Archer Configuration service) on all servers:
This process ensures that all Archer services are stopped while the Archer Configuration service continues to run. Follow the steps below:

a. Run Windows Services as an Administrator.
b. Scroll down until the Archer Services appear.
c. Right-click each Archer Service (except for the Archer Configuration Service) and stop it or select the service and click on Stop the service in the top left.
Note:
The Archer Job Engine service may fail to stop with an error stating that the service could not be stopped. This happens when one or more ArcherTech.JobFramework.Job.exe processes are still running (visible in Task Manager under the Details tab).
To stop the Job Engine service, either wait for these jobs to complete and then stop the service, or end the processes by selecting each one in Task Manager and clicking End Task.
Ending these processes may cause any Archer jobs in progress (e.g., Package generation, Data Feeds) to fail. Waiting for the jobs to complete is recommended where possible.

3. Stop IIS on all web servers:
Note: This step prevents users from reaching Archer while the Advanced Workflow Certificate is being replaced. iisreset stops every IIS site on the server, not only Archer.

a. Open a Command Prompt as Administrator.
b. Execute the following command:

iisreset /STOP

Listing SSL Certificates in-use

To list the SSL certificates currently bound by HTTP.sys, together with their bindings, use the following Windows command:
Note: The examples below are shown in PowerShell, but a Command Prompt works equally well. Using the same PowerShell window for this section and for Method 2 is convenient but not required.

1. Open a Command Prompt.
2. Enter the following command and press Enter:
netsh http show sslcert

To display only the SSL certificate bound to port 8443:

1. Open a Command Prompt.
2. Enter the following command and press Enter:

netsh http show sslcert 0.0.0.0:8443
Note:
  • Record the Application ID; it is required in Method 2.
  • Application ID is the GUID of the application that owns the binding. Re-using it when re-adding the binding keeps the new binding associated with the Advanced Workflow service.
  • Certificate Hash (certhash) is the thumbprint of the certificate (shown on the Details tab of the certificate's properties).
 

Remove the binding of the SSL Certificate with port 8443
Ensure you have recorded the Application ID PRIOR to removing the binding (refer to Listing SSL Certificates in-use); deleting the binding discards it. Then follow the steps below:

1. Open a Command Prompt as Administrator.
2. Enter the following command and press Enter:

netsh http delete sslcert 0.0.0.0:8443
3. Verify that the binding has been removed by running the below command from a Command Prompt; it should no longer list a certificate for 0.0.0.0:8443:
netsh http show sslcert 0.0.0.0:8443
 

Method 1: Replacing the Advanced Workflow SSL Certificate using the Archer Installer

The purpose of this method is to run the Archer Installer and select the new SSL certificate for the Advanced Workflow. Follow the steps below:

1. A Certificate Services Administrator needs to issue a new dedicated SSL certificate for the Advanced Workflow service, and the new certificate (with its private key) needs to be imported into the Personal store of the Local Computer certificate store (Certificates snap-in in the Microsoft MMC Console).

Note:
  • Please do NOT reuse the SSL HTTPS Certificate or the Archer Configuration Certificate as the Advanced Workflow Certificate.
  • Advanced Workflow requires a dedicated SSL certificate; check the Planning and Installation guide in the Archer Help.
  • The SSL certificate has to be issued to the Fully Qualified Domain Name of the host where the Archer Workflow Service is installed. If there are multiple Archer Workflow Service hosts, the hostname is the DNS name of the Load Balancer and the port number is the port configured on the Load Balancer.
2. Run the Archer Installer on each AWF server (each Archer server with the Workflow service) and reinstall the Advanced Workflow Service components.

Important Notes:
  • Whichever components are installed on the AWF server MUST be selected.
  • If the AWF is installed on a Web server, you MUST reinstall and select the components "Services", "Web Application", and "Advanced Workflow".
  • If the AWF is installed on the Services server, you MUST reinstall and select the components "Services" and "Advanced Workflow".
 
 
3. Then, select the new SSL certificate for the Advanced Workflow and complete the installation.
4. Verify that the new SSL certificate is bound to port 8443 by running the below command from a Command Prompt, and check that the Certificate Hash shown equals the thumbprint of the new certificate and that the Application ID is unchanged:
netsh http show sslcert 0.0.0.0:8443
5. Start the Archer Jobs:
a. Open Archer Control Panel and navigate to Plugins menu > Job Engine Manager.
b. Go to the Servers tab.
c. De-select Discontinue Job Processing.
d. Click Update at the bottom right and then Save at the top left. 
6. Start the Archer Services on each Web Server and Services Server:
a. Run Windows Services as Administrator.
b. Scroll until the Archer Services appear.
c. Right-click each stopped Archer Service and start it (the Archer Configuration Service is already running).

7. Then start IIS by running the below command in a Command Prompt:

iisreset /START

 

Method 2: Replacing the Advanced Workflow SSL Certificate using Windows PowerShell

Assuming that you have recorded the Application ID from the old certificate above and the old Advanced Workflow Certificate binding has been removed using steps above, follow the steps below:

1. Obtain the Thumbprint of the new SSL certificate. The following PowerShell command lists every certificate in the computer's Personal store (Cert:\LocalMachine\My) with its thumbprint, expiration date and whether its private key is present:
Get-ChildItem Cert:\LocalMachine\my | Select-Object Subject,FriendlyName,Thumbprint,Issuer,SignatureAlgorithm,NotAfter,HasPrivateKey
Note:
  • The Thumbprint returned by this command is the same value shown as Certificate Hash under Server Certificates in Internet Information Services (IIS), and on the Details tab of the certificate in the Certificates snap-in (Personal store). The My store in PowerShell is the Personal store in the snap-in.
  • The new certificate must show HasPrivateKey as True; without the private key it cannot be used for TLS.
  • Record the Thumbprint for the next step.
Repeat this on each Web Server or Services Server that hosts the Advanced Workflow service for the same Archer instance; each server's certificate store and bindings are separate.

2. Run the following Windows command to bind the new SSL certificate, using the recorded Certificate Hash and Application ID:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=<cert thumbprint minus spaces> appid='{<appID>}' certstorename=My
Check the example below:
We use the recorded Thumbprint [certhash] and Application ID [appid]:
netsh http add sslcert ipport=0.0.0.0:8443 certhash=af13967b090e7ba6647812c19fba5b079a4d0232 appid='{e182be7b-95c5-492a-92c2-e87311b90b0b}' certstorename=My

Note:

  • There is an equal sign '=' directly after certhash (certhash=<thumbprint>) with no spaces on either side; the same applies to ipport, appid and certstorename.
  • The braces around the Application ID are quoted in the example because PowerShell would otherwise interpret {...} as a script block. In a Command Prompt the quotes are not needed: appid={e182be7b-95c5-492a-92c2-e87311b90b0b}.
  • Make sure there is no question mark or other stray character at the beginning of the certhash value. If you copy the command from this page into the PowerShell terminal, a hidden character may be pasted after certhash= and appear as a question mark; delete it and retype the thumbprint.
  • The certhash value must be the bare hexadecimal thumbprint: no spaces, no colons.

3. Verify that the new SSL certificate is bound to port 8443 by running the below command from a Command Prompt; the Certificate Hash must match the new thumbprint and the Application ID must be the value you recorded:

netsh http show sslcert 0.0.0.0:8443
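The following PowerShell script is an added example (it is not part of this article and not Archer's own tooling) that performs the Listing, Remove-binding and Method 2 steps above in one pass with the checks a practitioner would want: it reads the Application ID from the existing 0.0.0.0:8443 binding, confirms the new certificate is in the Local Computer Personal store with its private key, is not expired and is issued to the expected FQDN, then deletes the old binding, adds the new one with the same Application ID, and verifies the result. If the add fails, the previous binding is restored. The listener address 0.0.0.0:8443, the thumbprint and the host name awf.example.com are placeholders you must replace; run it in an elevated PowerShell prompt on each Advanced Workflow server after the Archer services and IIS have been stopped.

```powershell
# Added example (not part of the Archer KB article): Method 2 rebind with checks.
# Assumptions (mine, not the article's): the AWF listener is 0.0.0.0:8443, and the
# thumbprint and host name below are placeholders for your environment.

$IpPort        = '0.0.0.0:8443'
$NewThumbprint = 'AF13967B090E7BA6647812C19FBA5B079A4D0232'   # placeholder: thumbprint of the NEW certificate
$ExpectedHost  = 'awf.example.com'                            # placeholder: FQDN of the AWF host or load balancer

# Parse "netsh http show sslcert <ipport>" into a hashtable of field -> value
# (e.g. 'Certificate Hash', 'Application ID'). Returns $null when no binding exists.
function Get-SslCertBinding([string] $ipport) {
    $fields = @{}
    foreach ($line in (& netsh http show sslcert $ipport)) {
        # Lines look like "    Certificate Hash             : af13...". The key itself
        # may contain a colon ("IP:port"), so split on the first whitespace-padded ':'.
        if ($line -match '^\s*(\S.*?)\s+:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    if ($fields.ContainsKey('Certificate Hash')) { return $fields } else { return $null }
}

# Confirm the new certificate is usable before touching the binding.
function Test-AwfCertificate([string] $thumbprint, [string] $expectedHost) {
    # Strip spaces, colons and any hidden characters that get pasted along with a thumbprint.
    $thumbprint = ($thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumbprint.Length -ne 40) { throw "Thumbprint '$thumbprint' is not a 40-hex-digit SHA-1 value" }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
    if (-not $cert)                    { throw "Certificate $thumbprint is not in the Local Computer Personal (My) store" }
    if (-not $cert.HasPrivateKey)      { throw "Certificate $thumbprint has no private key on this server; TLS cannot use it" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint expired on $($cert.NotAfter)" }
    # The article requires the certificate to be issued to the AWF host's FQDN (or the load balancer name).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $expectedHost) { throw "Certificate names [$($names -join ', ')] do not include $expectedHost" }
    return $cert
}

# 1. Record the current binding (Application ID is lost once the binding is deleted).
$old = Get-SslCertBinding $IpPort
if (-not $old) { throw "No SSL binding on $IpPort; the Application ID must be read from the existing binding before it is deleted" }
$appId    = $old['Application ID']
$oldHash  = $old['Certificate Hash']
$oldStore = $old['Certificate Store Name']
if (-not $oldStore -or $oldStore -eq '(null)') { $oldStore = 'My' }
Write-Host "Current binding on $($IpPort): certhash=$oldHash appid=$appId"

# 2. Validate the replacement certificate.
$cert = Test-AwfCertificate -thumbprint $NewThumbprint -expectedHost $ExpectedHost
if ($cert.Thumbprint -eq $oldHash) { Write-Host 'New certificate is already bound; nothing to do'; return }

# 3. Replace the binding, re-using the recorded Application ID.
& netsh http delete sslcert $IpPort | Out-Null
try {
    # Each argument is one quoted string, so PowerShell never sees a bare {guid}
    # (which it would parse as a script block) and no stray space can land after an '='.
    & netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" "appid=$appId" "certstorename=My" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
}
catch {
    # Put the previous binding back so the listener is not left without a certificate.
    & netsh http add sslcert "ipport=$IpPort" "certhash=$oldHash" "appid=$appId" "certstorename=$oldStore" | Out-Null
    throw
}

# 4. Verify: the hash must be the new thumbprint and the Application ID must be unchanged.
$new = Get-SslCertBinding $IpPort
if (-not $new -or $new['Certificate Hash'] -ne $cert.Thumbprint) { throw "Verification failed: $IpPort is not bound to $($cert.Thumbprint)" }
if ($new['Application ID'] -ne $appId) { throw "Verification failed: Application ID changed to $($new['Application ID'])" }
Write-Host "Bound $($cert.Thumbprint) ($($cert.Subject)) to $IpPort with appid $appId"
```

Comparisons with -eq and -ne are case-insensitive in PowerShell, which matters because netsh prints the hash in lower case while the certificate provider reports it in upper case. The rollback in the catch block is the reason the old hash and store name are captured before the delete: a failed add would otherwise leave port 8443 with no certificate at all.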

4. Start the Archer Jobs:

a. Open Archer Control Panel and navigate to Plugins menu > Job Engine Manager.
b. Go to the Servers tab.
c. De-select Discontinue Job Processing.
d. Click Update at the bottom right and then Save at the top left.

5. Start the Archer Services on each Web Server and Services Server:

a. Run Windows Services as Administrator.
b. Scroll until the Archer Services appear.
c. Right-click each stopped Archer Service and start it (the Archer Configuration Service is already running).

6. Then start IIS by running the below command in a Command Prompt:

iisreset /START

Verifying that Advanced Workflow is working using the browser (User Interface)

1. Log in to Archer and open the Job Troubleshooting page (Administration menu > Advanced Workflow > Job Troubleshooting). While the page is open, run the following command on the server to confirm that connections to port 8443 are established:

netstat -ano | find "8443"

2. Check the Advanced Workflow tab in the Application Builder page of an application that has Advanced Workflow enabled (Administration menu > Application Builder > Applications > Findings).

3. Run a test by enrolling a record into the Advanced Workflow.

4. Test the Workpoint service from each Web Server by accessing the following URL in a browser on the server:

https://localhost:8443/wpservices/rest/auth

The Workpoint authentication endpoint should respond. A certificate-name warning from the browser is expected here, because the certificate is issued to the FQDN rather than to localhost; a connection error, however, indicates that the binding or the service is not working.
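As an added check (example code, not from this article), the PowerShell below confirms from the server itself that something is listening on 8443 and that the listener is presenting the new certificate, which a browser screenshot cannot prove. It assumes Get-NetTCPConnection is available (Windows Server 2012 or later), that the service listens on port 8443, and that awf.example.com and the thumbprint are placeholders for the FQDN on the certificate and the value you bound.

```powershell
# Added example (not part of the Archer KB article): verify the AWF listener
# and the certificate it actually serves. Placeholders below are assumptions.

$AwfHost            = 'awf.example.com'                          # placeholder: FQDN on the certificate
$Port               = 8443
$ExpectedThumbprint = 'AF13967B090E7BA6647812C19FBA5B079A4D0232' # placeholder: thumbprint you bound

# Equivalent of: netstat -ano | find "8443". For an HTTP.sys binding the owning
# process is System (PID 4), because HTTP.sys, not a user-mode service, owns the socket.
function Get-AwfListener([int] $port) {
    Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } }
}

# Open a TLS session to the listener and return the certificate it presents.
function Get-ServedCertificate([string] $targetHost, [int] $port) {
    $client = [System.Net.Sockets.TcpClient]::new($targetHost, $port)
    # Accept whatever the server sends: we are inspecting the certificate, not trusting it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $chain, $errors) $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($targetHost)   # also sends SNI = $targetHost
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Protocol   = $ssl.SslProtocol
        }
    }
    finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

$listener = Get-AwfListener -port $Port
if (-not $listener) { throw "Nothing is listening on port $Port; check that the Archer services started" }
$listener | Format-Table -AutoSize

$served = Get-ServedCertificate -targetHost $AwfHost -port $Port
$served | Format-List
if ($served.Thumbprint -ne ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '')) {
    throw "Port $Port is serving $($served.Thumbprint), not the expected certificate; the old binding may still be in place"
}
if ($served.NotAfter -lt (Get-Date)) { throw "Served certificate expired on $($served.NotAfter)" }
Write-Host "Port $Port serves the expected certificate ($($served.Subject)), valid until $($served.NotAfter)"
```

Connecting by the FQDN rather than localhost matters when the certificate carries only the FQDN: it reproduces what the Archer web application and users see. The validation callback deliberately returns $true only because the script compares the thumbprint itself afterwards; do not copy that callback into production client code.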

 
 
 

Notes


Exercise caution with the format of the netsh command: no spaces around the '=' signs, and a thumbprint with no spaces, colons or hidden characters.

Version history
Last update:
‎2024-09-26 08:27 AM
Updated by: