Info: Performing the steps described in this article requires direct server access. Depending upon how your system is hosted and the level of access you have to that system, coordination may be required with your Partner or WoodWing Support team. For a full overview of the steps that need to be done by WoodWing and how to request them, see WoodWing Cloud - Change management.
Studio Server and all its client applications support the use of SSL as a way of securing the communication between the server and the client applications. For more information see SSL support in Studio Server.
Setting up SSL in Studio Server is a 3-step process:
- Generating a certificate
- Installing the certificate
- Testing the Web Server
Step 1. Generating a certificate
Generating a certificate for Studio Server can be done in the following ways:
- Using a certificate signed by the WoodWing provided CA certificate
- Using a certificate signed by a trusted root Certificate Authority
Using a certificate signed by the WoodWing provided CA certificate
This implementation of SSL relies on the fact that both client and server are from the same party: WoodWing. This removes the necessity to use a third party as the one trusted by both parties.
Step 1. Download and unzip the SSL.SDK.zip package.
Step 2. (Optional) Generate a new CA certificate and use that instead of the one provided by WoodWing by using the genCA script from the Terminal or command line:
Step 3. Run the genSignedCert script, and answer the questions:
Important: the common name (CN) must match the host name as used in the URL.
After a successful run, the newcerts folder will contain the following:
- cert.pem. The certificate in PEM format.
- key.pem. The private key.
- cert.p12. The certificate and private key in PKCS#12 format (by default the password is ‘ww’).
Note: Keep key.pem and cert.p12 private; both contain the private key.
Step 4. Copy the generated cacert.pem file to <web root>/StudioServer/config/encryptkeys on your server, overwriting the existing file.
Note: Make sure that the internet user (www/inet_usr) has 'read' access to the copied file.
This file is picked up by the Health Check page.
Using a certificate signed by a trusted root Certificate Authority
To use a trusted root CA signed certificate, purchase an SSL certificate from a Certificate Authority.
Note: Make sure that the Common Name (CN) field contains the name of the Studio Server as shown in the URL that is used to connect to the server.
Step 2. Installing the certificate
Setting up SSL on IIS is described in the Microsoft documentation: IIS Manager.
Note: For server certificates derived from the WoodWing root CA certificate, don’t click the Self Signed Certificate menu option but click the Import menu option instead. In the Import Certificate dialog, click the […] button. In the Open dialog, change the pre-selected *.pfx option to the *.* option, browse to the cert.p12 file and click OK. In the Password field of the Import Certificate dialog, enter “ww” and click OK.
On Apache v2.x
Setting up SSL on Apache is described in the Apache documentation: SSL/TLS Strong Encryption: How-To.
Example: SSLCertificateFile /usr/local/ssl/cert.pem
Example: SSLCertificateKeyFile /usr/local/ssl/key_unenc.pem
Both files can be copied from the newcerts folder.
Changing the default https port
(Optional) You can change the default https port '443' to something else, for example '1234'. In that case, change the two '443' values to '1234' in your httpd.conf file, restart the Web service, and open the following URL in a Web browser:
Step 3. Testing the Web Server
Step 1. Run the following command:
openssl s_client -connect your_server_name:443 -state -debug -CAfile cacert.pem
The command should produce an extensive report without any errors.
Step 2. Check if the Studio Server Web applications are able to run correctly by entering the URL for the Server in a Web browser.
Note: For troubleshooting SSL, visit the Apache documentation: SSL/TLS Strong Encryption.
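The report from Step 1 of the test can be checked mechanically. This is an added example, not WoodWing's code: by default openssl s_client completes the connection even when verification fails, so the shell function below reads the report and checks the "Verify return code" line and the certificate CN. The function name check_report, the host studio.example.com and the two sample reports are constructed for illustration.

```shell
#!/bin/sh
# check_report HOST   (hypothetical helper; reads an `openssl s_client` report on stdin)
# Typical use, with the flags from the test step:
#   openssl s_client -connect your_server_name:443 -CAfile cacert.pem </dev/null 2>&1 |
#       check_report your_server_name
# Returns: 0 chain verified and CN equals HOST, 1 chain not verified,
#          2 CN differs from HOST, 3 report lacks a verify result or subject.
check_report() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    report=$(cat)

    # s_client does not abort on a failed verification by default, so the
    # outcome has to be read from the "Verify return code" line.
    code=$(printf '%s\n' "$report" |
        sed -n 's#^ *Verify return code: \([0-9][0-9]*\) .*#\1#p' | head -n 1)
    [ -n "$code" ] || { echo "no verify result in report"; return 3; }
    [ "$code" -eq 0 ] || { echo "chain not trusted (verify return code $code)"; return 1; }

    # The subject is printed as "subject=/C=NL/CN=host" by OpenSSL 1.0.x and as
    # "subject=C = NL, CN = host" by 1.1.1 and later; accept both forms.
    cn=$(printf '%s\n' "$report" |
        sed -n 's#^subject=.*CN *= *\([^,/]*\).*#\1#p' | head -n 1 |
        tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] || { echo "no subject CN in report"; return 3; }
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match host '$host'"; return 2; }

    echo "ok: chain verified, CN matches $host"
}

# Constructed sample reports, trimmed to the relevant lines (not captured output).
SAMPLE_OK='subject=C = NL, O = Example, CN = studio.example.com
issuer=C = NL, O = Example, CN = Example CA
    Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='subject=/C=NL/O=Example/CN=studio.example.com
issuer=/C=NL/O=Example/CN=Example CA
    Verify return code: 21 (unable to verify the first certificate)'

# Demo: the first report passes, the second is flagged as untrusted.
printf '%s\n' "$SAMPLE_OK" | check_report studio.example.com || true
printf '%s\n' "$SAMPLE_UNTRUSTED" | check_report studio.example.com || true
```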