HTTPS Support
By default, the Windows, Linux and All Platforms distributions of Web Author handle both HTTP
and HTTPS traffic. The default certificate used for HTTPS is a self-signed certificate that is
not trusted by web browsers. However, this certificate is trusted by Oxygen XML Web Author itself when it connects to the internal License Server.
Note: The recommended way to deploy HTTPS is to use an HTTPS-capable reverse-proxy (such as NGINX) in front of Oxygen XML Web Author.
Replacing the HTTPS Certificate
To avoid warnings displayed by web browsers, always use a valid certificate. To install a
new certificate, follow these steps:
- Obtain the certificate files from a trusted Certificate Authority and convert them to PEM format.
- Save them in a Java Keystore:
  - Build the certificate chain (if needed):
    cat myhost.pem intermediate.pem root.pem > import.pem
  - Convert the private key and certificate files into a PKCS12 file:
    openssl pkcs12 -export -in import.pem -inkey myhost.key.pem -name web-author > server.p12
  - Import the PKCS12 file into the Java keystore:
    keytool -importkeystore -srckeystore server.p12 -destkeystore [install dir]/tomcat/conf/web-author.keystore -srcstoretype pkcs12 -alias web-author
    Note: The password for the web-author.keystore can be found in [install dir]/tomcat/conf/server.xml, in the keystorePass attribute.
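Before converting to PKCS12, it is worth confirming that the private key belongs to the leaf certificate and that import.pem is ordered leaf first, root last. The following checks are an added example, not part of the Oxygen documentation; the function names are hypothetical and the file names are the ones used in the steps above. The chain check compares issuer and subject names only and does not verify signatures.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before "openssl pkcs12 -export".
# Function names are hypothetical; only standard openssl subcommands are used.

# key_matches_cert KEY CERT: succeed if the private key belongs to the first
# certificate in CERT (the leaf must come first in import.pem).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# chain_in_order BUNDLE: succeed if every certificate in BUNDLE names the
# certificate that follows it as its issuer (leaf, intermediate(s), root).
# This is a name comparison, not a signature verification.
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (d "/" n ".pem")}' "$1"
    i=1 rc=0
    [ -f "$tmp/1.pem" ] || rc=2          # no certificate found at all
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# not_expiring_soon CERT DAYS: succeed if CERT is still valid DAYS from now.
not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Typical use, with the file names from the steps above:
#   key_matches_cert myhost.key.pem import.pem &&
#   chain_in_order import.pem &&
#   not_expiring_soon import.pem 30 && echo "ready for pkcs12 export"
```
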
Redirecting HTTP to HTTPS
To strengthen the security of your deployment, you should make sure all users connect to
Web Author using HTTPS. To redirect all HTTP traffic to HTTPS, you have to set the
oxygen.ssl.redirect.domain system property to the domain and port of your server.
Example:
-Doxygen.ssl.redirect.domain=web-author-domain:8443
Removing the Web Author-specific Keystore
By default, Oxygen XML Web Author is configured to consider its HTTPS certificate as
trusted when presented by any server it connects to. This helps you get started quickly and
without errors before installing a trusted certificate. Once you have configured Oxygen XML Web Author with a trusted certificate, you should remove the
oxygen.ssl.trusted.keystore system property.