Configuring WebCC for SSL Support on GNU/Linux

Like other WebCC options, configuring WebCC to use SSL is done by using command line parameters when launching WebCC. To use WebCC with SSL, you must specify the -https parameter followed by the port WebCC should use for https connections, the certificate and key file.

The following are examples of parameters to use for configuring WebCC to use SSL:

  • If you have a PEM certificate and key file:

    -https 8443 -key <path to PEM key file> -cert <path to PEM certificate>
  • If you have a PEM certificate and its private key in the same file, specify the same file using both the -key and -cert parameters:

    -https 8443 -key <path to PEM certificate> -cert <path to PEM certificate>
  • If you have a PFX certificate, simply specify its path with the -pfx parameter:

    -https 8443 -pfx <path to PFX certificate>
  • If you want to allow users to connect to your server via either http or https, you can do so by specifying a port number for each protocol:

    -http 8080 -https 8443 -key <path to key file> -cert <path to certificate>
  • If you have a root certificate, an intermediate certificate, or both, you can specify each file preceded by the -ca parameter, in any order:

    -http 8443 -key <path to key file> -cert <path to certificate> -ca <path to intermediate certificate 1> -ca <path to intermediate certificate 2> -ca <path to root certificate>

HTTPS/SSL Parameters Table

The following parameters can be used to enable and configure SSL for your WebCC server.

Parameter Description

-https <port number>

Enables connection to the server through the https protocol using the specified port number.

A commonly used port for accessing WebCC through the https protocol is 8443. For web browsers to access WebCC via https without specifying the port number—provided that the address of the server is preceded by https://—you can use port 443.

For https to work, you must either specify a pair of PEM format key and certificate with the -key and -cert option, or a PFX format certificate with the -pfx option.

-http <port number>

If access through the https protocol is enabled, this parameter allows you to also allow access through the http protocol through the specified port.

Using this parameter is optional. If the -https parameter is specified, but not the -http parameter, WebCC will only accept connections through https.

The default port for accessing WebCC through the http protocol is 8080. For browsers to access WebCC via http without specifying the port number, you can use port 80.

-key <key file>

The location of the private key file for the SSL session. This must be specified along with the -cert parameter.

The private key must be in Privacy Enhanced Mail (PEM) format, which is an ASCII format where the key is encoded in Base64 and located between -----BEGIN PRVATE KEY----- and -----END PRIVATE KEY----- tags. Typically private keys in this format have a .key extension.

-cert <certificate file>

The location of the security certificate file for the SSL session. This must be specified along with the -key parameter.

The certificate must be in Privacy Enhanced Mail (PEM) format, which is an ASCII format where the certificate is encoded in Base64 and located between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Typically, such certificates have a .crt, .cer or .pem extension.

-pfx <pfx certificate file>

If you have a Personal Information Exchange (PFX) certificate, you can use this parameter to specify its location, instead of using a PEM certificate and key. Typically, such certificates have a .pfx or .p12 extension. Since these certificates include their own private key, specifying a key with this certificate type is not required.

-ca <root ca certificate file>

If you have a domain certificate that is signed by a certificate authority (CA), this parameter allows you to specify the root CA certificate and/or its intermediate certificates.

If you want to specify several certificates so as to compose the chain going from your domain certificate to the root CA certificate, you can repeat the parameter, like so:

-ca <intermediate certificate 1> -ca <intermediate certificate 2> -ca <root CA certificate>

Typically, you will be able to log on to WebCC using SSL from a Web browser even if WebCC is only configured with your domain certificate, provided that it is signed by a reputable certificate authority. However, if you want project collaborators to be able to use the Download Database Changes and Update Database Scene functionalities in Harmony via SSL, it may be necessary to specify the root CA certificates and/or its intermediates, as Harmony may not otherwise be able to recognize the authority of the CA who signed your certificate.

Typically, you can obtain the root CA certificates or intermediate certificates from the root certificate authority of the certificate authority who signed your domain certificate.

NOTE: If necessary, you can allow Harmony to trust the WebCC server even if it has a self-signed certificate—see Disabling SSL Certificate Validation for WebCC in Harmony.