When using optiSLang Web Service with Transport Layer Security (TLS), you must create SSL certificates and add them to the configuration file.
Modern browsers accept only certificates of a trusted authority. There are two possible ways to achieve this:
Consult a trusted authority (for example, Let's Encrypt) to issue a trusted certificate.
Become a trusted authority by:
creating a self-signed certificate
creating certificate authority files
registering the certificate authority in client browsers or operating systems (root certificate)
When using optiSLang Web Service from an external origin (for example, embedded in another environment such as Ansys Minerva), TLS is required, because modern browsers do not accept unsecured communication. You must also enable cross-origin resource sharing (see the cross-origin resource sharing section of the table in Editing the Configuration File's Default Settings).
Create the SSL Certificate and Authority Certificate
Use openssl to:
Become your own Certificate Authority
Sign your SSL certificate as a Certificate Authority
```sh
######################
# Become a Certificate Authority
######################

# Generate private key
openssl genrsa -des3 -out myCA.key 2048
# Generate root certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

######################
# Create CA-signed certs
######################

NAME=ows_machine # Use your own domain name
# Generate a private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
```
Replace the value of NAME with the DNS machine name of the server. The [alt_names] section can contain alternative domain names or IP addresses.
Import the CA Certificate in Client Browsers
Import myCA.pem as an authority in the client browser settings. For example, in Chrome go to > > > .
Add SSL Certificate to optiSLang Web Service Configuration
Add the paths to the SSL key and certificate files to the config.ini configuration file.

```ini
[listener]
# SSL key file for optional SSL encryption (https://)
sslKeyFile=[Installation Path]/web_service/ssl/ows_machine.key
# SSL certificate file for optional SSL encryption (https://)
sslCertFile=[Installation Path]/web_service/ssl/ows_machine.crt
```
Replace [Installation Path] with the full path.
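A pre-flight check for the generated files, as an added example that is not part of the original documentation: it confirms that the server certificate chains to myCA.pem and carries the DNS name clients will use, and that the file set as sslKeyFile is the key for the certificate set as sslCertFile. The function names and the host name ows.example.test are assumptions; make_demo_pki builds a throwaway CA without a passphrase only so the check can run on constructed input.

```shell
#!/bin/sh
# Added example: function names and ows.example.test are assumptions.

# Throwaway CA + server cert (constructed sample input, no passphrase, 2 days).
# $1 = output directory, $2 = server DNS name
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo CA" \
    -keyout "$1/myCA.key" -out "$1/myCA.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" >"$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/myCA.pem" -CAkey "$1/myCA.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# check_ows_cert CA_PEM SERVER_CRT SERVER_KEY DNS_NAME
# Returns 0 if usable, 2 = chain/name failure, 3 = key does not match cert.
check_ows_cert() {
  ca=$1 crt=$2 key=$3 host=$4
  # Chain to the CA, validity period and DNS name in one verification pass.
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 || {
    echo "FAIL: $crt does not verify against $ca for $host" >&2; return 2; }
  # The private key must carry the same public key as the certificate.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 3
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  [ "$cert_pub" = "$key_pub" ] || {
    echo "FAIL: $key is not the key for $crt" >&2; return 3; }
  echo "OK: $crt is valid for $host and matches $key"
}

# Demo on constructed files; for real use pass myCA.pem and the ows_machine files.
if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  make_demo_pki "$demo" ows.example.test &&
    check_ows_cert "$demo/myCA.pem" "$demo/ows.example.test.crt" \
      "$demo/ows.example.test.key" ows.example.test
  rm -rf "$demo"
fi
```

A return code of 2 for a name the certificate should cover usually means the name is missing from the [alt_names] section of the extensions file.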