WinccOA 3.11 - Webclient SSL issue

[fabiorez]

Hello everybody,
we are trying tyo configure an encrypted connection to a Wincc OA 3.11 CentOS Webclient.

Following the instructions and modifying the general "webclient_http.ctl" script and the "webclient_index.html" included in the project, we can now access the SSL initial page, but we cannot proceed with the connection, getting the following output

WCCOAWebClient(0), 2016.05.17 11:44:50.930, SYS, INFO, 1, , PROJ, AAAAAAAAAa, V 3.11 - not initialized
WCCOAWebClient(0), 2016.05.17 11:44:50.946, SYS, INFO, 3, , (SYS: 0 Data -num 0 CONN: 1) @ UI1:4897$UI2:4897
WCCOAWebClient(0), 2016.05.17 11:44:51.936, SYS, INFO, 101, , 20 sec

The error 101 message is repeated of course every 20 seconds, and these rows are the only significat output we can get from the system.

Do you have any suggestions?

We just followed the instructions and re-created the certificate through the Openssl utility.

Https port is the 8079 (the same default port as in WinccOA 3.13, which works differently without problems).

Thank you in advance for your support.

[mkoller]

It seems the WebClient can not contact the Data Managers port. Check if you have firewall rules set up, which block access to Port4897.
Alternatively the WebClient should be able to run via the tunnel-tool, which needs the HTTP Server having Port 80 still open (AFAIR to use the tunnel tool is the default).

[fabiorez]

Hi Martin,
I have two WinCC Webservers:

1) the first one is still configured with the default HTTP port 8080 and works fine, connecting to the same Data Managers;

2) the second one should use the SSL encryption, but causes the same problems.

Both the servers are placed on the same network and can access freely to the data managers.

I configured the webclient_http.ctl to use ONLY the encrypted port, disabling the 8080... I'll try to re-enable it.

[mkoller]

The Webclient still needs the non-SSL Port from the HTTP Server (just only to send the HTTP CONNECT message which in turn starts the tunnel tool on the server).

[fabiorez]

Hi, I tried to configure my files as you suggested, by re-enabling also the 8080 port.

I'm not using the 80 standard port since my project is run by a non-root Linux user.

However, I still get the same error, even if the server starts correctly, by telling it's listening to both the https:// - 8079 and http:// -8080 ports.

Do you have any other suggestion?

Is there any other file to modify?

The required SSL libraries are correctly installed.

Thanks

[fabiorez]

Hi!
I succeeded in enabling the SSL support, but I had to

1) configure the 80 http standard port

2) run the project as the root user

Does this mean that this is the only way to run SSL in the WinCC OA 3.11 release?

Many thanks again for your support!

[mkoller]

sadly yes. Since the WebClient does not know on which port the non-SSL socket is listening, it defaults to 80

[fabiorez]

OK, now I've understood and everything works fine.

Thanks again!