In order to use the
HTTP service (for the
HTTP protocol, but especially for the
HTTPS protocol) it is necessary to configure the
Windows OS. The
HTTP service is a part of the
Windows OS and there are
Windows OS tools and commands for configuration. However using the
Windows OS tools for
HTTP service configuration is not easy because it is necessary to use multiple tools and commands from the command line.
In order to simplify the configuration for PROMOTIC users, the
PmHttpConfig.exe (
\Promotic\Tools\PmHttpConfig\PmHttpConfig.exe) HTTP service configuration utility is supplied with the PROMOTIC system. This utility allows complete service configuration, from permission settings of the PROMOTIC system to access the
HTTP service, to import and management of certificates for the
HTTPS protocol.
1. Permissions to run PROMOTIC Web servers (HTTP or HTTPS)
In order to communicate with the
HTTP service, the
Windows user, in whose context the PROMOTIC application with Web server is running, must have the corresponding permissions. Each
Windows application is running in context of some
Windows user (most commonly the user that is currently logged in and launched the application).
Administrators group members always have the permission to run the HTTP service, therefore it is not necessary to authorize it. Other users must be authorized namely.
For each Web server running on current computer (protocol, domain, port and relative path) there must be a list of authorized
Windows groups and users. The configurator is therefore represented by a list of Web servers authorized on the computer based on the
HTTP service. Each row represents one configured and enabled Web server. The present row does not mean that the Web server is currently running. The row means that the Web server (on specified address, port and protocol) is allowed to run. The Web server itself is launched by the corresponding application, e.g. PROMOTIC application.
Caution! There is a number of system configured Web servers in
Windows OS, that are in the list and it is not recommended to delete them without the exact knowledge.
The corresponding buttons can be used for adding, editing and deleting configured Web servers.
"Web server" tab:
The tab serves for configuration of the corresponding Web server. The typical Web server configuration is
http://+:80/ and
https://+:443/.
| Web server | Configured Web server written in the syntax that is used by the HTTP service. The value cannot be directly edited, but is created by following configurators. |
|---|
| Protocol | Specifies the Web server protocol type (HTTP or HTTPS). |
|---|
| Domain | Specifies the domain (by computer name, IP address or additional characters + and *) of the Web server.
(+) All domains (strong wildcard) (recommended value) - All possible domains in the context of this protocol, port and relative path. Together with empty relative path, this is a recommended setting, that ensures that there is only one Web server running on a single TCP port.
(*) Other domains (weak wildcard) - Domains in the context of the protocol, port and relative path, that have not been asociated so far.
Explicit domain name - Specific domain name entered in the next configurator. |
|---|
| TCP port | Specifies the TCP port of the Web server. For example 443. |
|---|
| Relative path | Specifies the relative path of Web server beginning with regard to domain and port. It is possible to define that the Web server does not start by the domain root and port, but in some subdirectory of domain and port. This way it is possible to use one domain and port by multiple Web servers (and applications) simultaneously. Usually this is an empty value (means that the Web server begins in the root of the domain and port) and the Web request for domain and port is processed by this Web server. Caution! For PROMOTIC Web server, it is necessary to leave the value blank, because the current PROMOTIC Web server must start by the domain root and port. |
|---|
"Permissions" tab:
This tab serves for specifying the
Windows users or groups authorized to run the corresponding Web server. This is a standard
Windows OS tab for setting the user/group permissions (e.g. file acces rights setup etc.). Typical authorization setting for Web server is all allowed (
Execute and
Delegate) for
Promotic users. Use the "
Edit" button to modify the settings.
| Group name or user name | A list of Windows users or groups and their permissions to run the Web server. It is necessary to enter the specific Windows user that will be running the PROMOTIC application with Web server. For example SafeOper component recommends the Promotic user. |
|---|
| Permissions for ... | It allows to define the permissions to Execute and Delegate the current Web server for a specific Windows user or group, selected in the previous configurator (e.g. user Promotic). When setting up the permissions it is recommended to always set both permissions (Execute and Delegate) accordingly. |
|---|
2. Certificates of PROMOTIC Web servers (HTTPS)
In order to configure the
HTTP service so the Web server communicates by the
HTTPS protocol, the digital certificate is needed, to sign the computer domain with running
HTTPS Web server. See
HTTPS - secured HTTP protocol.
For each
HTTPS Web server running on the computer (IP address, port) a corresponding certificate must be set, in order to sign the domain with
HTTPS Web server and enable the
SSL/TLS encryption of the communication. The configurator is represented by a list of
HTTPS Web servers authorized on the computer, that are based on the
HTTP service. Each row represents one configured and enabled Web server. The present row does not mean that the Web server is currently running. The row means that the Web server (on specified address, port and protocol) is allowed to run. The Web server itself is launched by the corresponding application, e.g. PROMOTIC application.
The corresponding buttons can be used for adding, editing and deleting configured Web servers.
"Web server" tab:
The tab serves for configuration of the corresponding
HTTPS Web server including the certificate setup.
| Any IP address | If checked, then the Web server listens on all IP addresses of the computer (both IPv4 and IPv6) and the following configurators for entering IP address are disabled.
If not checked, then the Web server listens only on a specific address, that is defined by following configurators. |
|---|
| IP address type | Specifies the IP address type of the HTTPS Web server: IPv4 or IPv6. |
|---|
| IP address | HTTPS Web server own IP address.
The address format must comply with the selected IP address type (IPv4 or IPv6). For example "192.168.1.2", "fe80:0000:0000:0000:0202:b3ff:fe1e:8329", "fe80:0:0:0:202:b3ff:fe1e:8329", "fe80::202:b3ff:fe1e:8329", "::1" |
|---|
| TCP port | Specifies the TCP port of the Web server. For example 443. |
|---|
| Available certificates | A complete list of certificates stored in Windows OS storage.
It is necessary to pick one certificate (left checkbox) and bind it with the corresponding IP address and TCP protocol.
The configurator also allows certificate management on the computer. The certificates can be imported and deleted. The advantage of importing such certificate in this configurator is that the certificate is imported into the Windows Registry into the computer branch and therefore is visible for the HTTP service. Caution! If the certificate is imported the default way (by left mouse button double-clicking the certificate file in Windows OS) the certificate is imported only to the branch of current user and will not be visible for the HTTP service. |
|---|