SSL certificate for DesktopUI connection
Posted: Mon Sep 13, 2021 4:00 pm
We're trying to replace the default SSL certificates with our own ones before deploying the project to the customer. So far, we've replaced the host-cert.pem, host-key.pem and root-cert.pem files in the project's config folder with new root & host certificates generated using the standard OpenSSL toolchain.
We've also added the following lines to the configuration file and the project seems to start just fine (not sure if needed):
Code:
securityMode = "cert"
sslCertificate = "config/host-cert.pem config/host-key.pem config/root-cert.pem"
However, we are observing that, when connecting to the project via the DesktopUI client, the SSL certificate received is not the new one but the default one provided by ETM. We have tried adding the same lines to the [webClient] section of the config file, but this doesn't seem to make any difference.
By adding "-dbg all" to the manager starting web_client.ctl, I can see the following lines in the log file:
Code:
WCCOActrl (3), 2021.09.13 15:35:06.436, WORK, OaFileSys::fileExists found file: "/srv/synoptics/current/config/certificate.pem"
WCCOActrl (3), 2021.09.13 15:35:06.436, WORK, OaFileSys::fileExists found file: "/opt/WinCC_OA/3.18/config/privkey.pem"
So, if I understand it correctly, WinCC-OA is loading the certificate from the project's certificate.pem file (which I could certainly replace, just as done for the others), but it's instead always using a private key file from the default WinCC-OA installation, which totally ruins my attempt to use a custom certificate. Obviously, I don't want to replace the base private key from WinCCOA, as who knows what could be broken by that...
How can we specify the certificate & key files to use for desktop UI access? By following the logic, this shall be done via the securityMode / sslCertificate settings in the [webClient] section, but those seem to be ignored by the webclient_http script.
For context, we are using WinCC-OA v3.18. The project runs headless on a Linux server, and users connect to synoptics by using the DesktopUI client from Windows 10 PCs.
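Added example (not part of the original post and not WinCC OA code): a small shell check for the situation described above, confirming that a private key belongs to a given certificate and that the server is actually presenting that certificate. It assumes the openssl CLI is installed; the function names are hypothetical, and host and port are supplied by the caller.

```shell
#!/bin/sh
# Added example: check which certificate/key pair is really in use.
# Assumption: the openssl CLI is available on the machine running this.

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Digest of the public key embedded in a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Digest of the public key derived from a private key file.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    [ "$(cert_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

# Fingerprint of the leaf certificate a TLS server presents.
served_fp() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare what the server presents with what we expect to be deployed.
check_deployment() {   # args: host port cert.pem key.pem
    if ! key_matches_cert "$3" "$4"; then
        echo "MISMATCH: $4 is not the private key for $3"; return 2
    fi
    if [ "$(served_fp "$1" "$2")" != "$(cert_fp "$3")" ]; then
        echo "STALE: server is not presenting $3"; return 1
    fi
    echo "OK: server presents $3 and the key matches"
}

# Run only when called with: host port cert.pem key.pem
if [ "$#" -eq 4 ]; then check_deployment "$@"; fi
```

Run against the two files named in the log (certificate.pem from the project and privkey.pem from the installation directory), a MISMATCH result shows the pair cannot work together, while STALE shows the server is still handing out a different certificate than the one deployed.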