HTTPS Support
By default, the Windows, Linux and All Platforms distributions of Web Author handle both HTTP
and HTTPS traffic. The default certificate used for HTTPS is a self-signed certificate that is
not trusted by web browsers. However, this certificate is trusted by Oxygen XML Web Author itself when it connects to the internal License Server.
Note: The recommended way to deploy HTTPS is to use an HTTPS-capable reverse-proxy (such as NGINX) in front of Oxygen XML Web Author.
Replacing the HTTPS Certificate
To avoid warnings displayed by web browsers, always use a valid certificate. To install a
new certificate, follow these steps:
- Obtain the certificate files from a trusted Certificate Authority and convert them to PEM format.
- Save them in a Java Keystore:
  - Build the certificate chain (if needed):
    cat myhost.pem intermediate.pem root.pem > import.pem
  - Convert the private key and certificate files into a PKCS12 file:
    openssl pkcs12 -export -in import.pem -inkey myhost.key.pem -name web-author > server.p12
  - Import the PKCS12 file into the Java keystore:
    keytool -importkeystore -srckeystore server.p12 -destkeystore [install dir]/tomcat/conf/web-author.keystore -srcstoretype pkcs12 -alias web-author
    Note: This command will prompt you for two passwords:
    - The keystore password - The password found in [install dir]/tomcat/conf/server.xml (in the keystorePass attribute).
    - The key password - One option is to provide the same password as for the keystore. If you want to specify a different password, you should also configure it in the [install dir]/tomcat/conf/server.xml file by adding it in the keyPass attribute on the Certificate element.
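A preflight check for the files used in the steps above, added here as an example and not taken from the Oxygen documentation. It confirms that myhost.key.pem belongs to the first certificate in import.pem and that the bundle is ordered server certificate first, root last; the function names and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Preflight checks for import.pem and myhost.key.pem before the PKCS12 export.
# Function names are hypothetical; only standard openssl subcommands are used.

# Succeeds when the private key ($2) belongs to the first certificate in $1.
key_matches_cert() {
  kmc_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  kmc_key=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$kmc_cert" = "$kmc_key" ]
}

# Succeeds when each certificate in bundle $1 is issued by the one after it
# (server certificate first, root last).
chain_is_ordered() {
  cio_dir=$(mktemp -d) || return 2
  # Split the bundle into cert1.pem, cert2.pem, ... and count the certificates.
  cio_n=$(awk -v d="$cio_dir" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (d "/cert" n ".pem") }
    END { print n + 0 }' "$1")
  cio_rc=0
  [ "$cio_n" -ge 1 ] || cio_rc=2
  cio_i=1
  while [ "$cio_i" -lt "$cio_n" ]; do
    cio_next=$((cio_i + 1))
    cio_issuer=$(openssl x509 -in "$cio_dir/cert$cio_i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    cio_subject=$(openssl x509 -in "$cio_dir/cert$cio_next.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ "$cio_issuer" != "$cio_subject" ]; then
      echo "certificate $cio_i is not issued by certificate $cio_next" >&2
      cio_rc=1
    fi
    cio_i=$cio_next
  done
  rm -rf "$cio_dir"
  return "$cio_rc"
}

# Usage: sh preflight.sh import.pem myhost.key.pem
if [ "$#" -eq 2 ]; then
  key_matches_cert "$1" "$2" || { echo "private key does not match $1" >&2; exit 1; }
  chain_is_ordered "$1" || { echo "fix the order of $1" >&2; exit 1; }
  echo "ok: key matches and chain is ordered"
fi
```

The chain check compares issuer and subject names only; it does not verify signatures or expiry dates.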
Redirecting HTTP to HTTPS
To strengthen the security of your deployment, you should make sure all users connect to
Web Author using HTTPS. To redirect all HTTP traffic to HTTPS, you have to set the
oxygen.ssl.redirect.domain system property to the domain and port of your server.
Example:
-Doxygen.ssl.redirect.domain=web-author-domain:8443
Removing the Web Author-specific Keystore
By default, Oxygen XML Web Author is configured to consider its HTTPS certificate as
trusted when presented by any server it connects to. This helps you get started quickly and
without errors before installing a trusted certificate. Once you have configured Oxygen XML Web Author with a trusted certificate, you should remove the
oxygen.ssl.trusted.keystore system property.