Web-based Management 2:
Configuration - Web services

Valid from firmware release 2025.0 - for earlier firmware see the former Configuration - Web Services

Web Services page

The Web Services page provides access to the configuration of Web Services, e.g. the HTTPS certificate used for the nginx web server.

On the WBM Certificate management page you can either select to use an existing IdentityStore or to use self-signed certificates.

  • When using an existing IdentityStore, the symbolic links are changed and now refer to the specified IdentityStore.
  • When using self-signed certificates, a self-signed certificate is generated at /opt/plcnext/Security/IdentityStore/HTTPS-self-signed/*.* and the symbolic links refer to that IdentityStore.
  • When creating a self-signed certificate via the Certificate management WBM page, the /opt/plcnext/Security/IdentityStores/HTTPS-self-signed-Backup directory is not modified.

nginx web server

You can either select an HTTPS certificate of an Identity Store from the selection field or let the controller create a self-signed certificate by choosing HTTPS-self-signed. 

NOTICE

Applying the configuration may affect the real-time behavior of the system.

Operated stations may show a delay which can cause crashes.

Avoid reconfiguring the Web Services during productive operation.

TLS configuration

Perform TLS configuration using the following options:

  • Check TLSv1.3 and/or TLSv1.2 to be used for nginx configuration.
  • Select a predefined cipher suite to be used for nginx configuration.  
  • Click Save & apply page in the lower-right corner of the WBM page to activate the configuration on the controller.

Security note: 

  • If you cannot set TLS version TLSv1.3, set TLS version TLSv1.2.
  • If you set TLS version TLSv1.2, you must set Secure HTTPS TLS Ciphers as the cipher suite.
  • If the browsers your audience uses do not support the secure cipher suite, set the Default HTTPS TLS Ciphers, but be aware that this is not considered a secure approach.

HTTPS certificate

The HTTPS certificate is used by the PLCnext web server to authenticate the controller towards the browser. The certificate is also valid for the HMI. 

In the configuration table for the nginx web server, you can select the HTTPS certificate from one of the Identity Stores stored on the controller.

  • Select an Identity Store in the selection field. The corresponding HTTPS certificate is applied.
  • To apply the configuration to the system, click Save & apply page.

HTTPS certificate HTTPS-self-signed

In addition to the HTTPS certificates of the Identity Stores stored on the controller, you also have the possibility to select a self-signed certificate created by the firmware.

  • If you want to use the HTTPS certificate generated by the firmware for the nginx configuration, select HTTPS-self-signed in the selection field.

The current configuration of the self-signed HTTPS certificate is shown in the following table. You can adjust this configuration and regenerate the certificate to apply the changes in the configuration. The following configuration options are available:

Distinguished Name (Dn)

You can configure the following DN attributes:

  • Common Name (CN)
  • Organization (O)
  • Organizational Unit (OU)
  • Location (L)
  • State or Province Name (ST)
  • Country Name (C)

Validity of the certificate

  • Not before: Date in format DD.MM.YYYY - hh:mm:ss (if the input field remains empty, the current date of the controller is used)
  • Not after: Date in format DD.MM.YYYY - hh:mm:ss (if the input field remains empty, the date 31.12.9999 - 23:59:59 is used)

Subject Alternative Names

The IP addresses from the network configuration of the controller are suggested by default. You have the possibility to extend or adjust them.

  • Subject Alternative Name: Enter an IP address or DNS name (depending on the setting in the Type field)
  • Type: Select the type of the subject alternative name from the drop-down list.

Below and in the table you will find the buttons to add and remove subject alternative names.

Note: If the web server is to be accessible via different IP addresses of the interfaces without an error message, all IP addresses must be entered as Subject Alternative Name of type IP address (e.g. for controllers with more than one Ethernet adapter). If the controller is also accessible via DNS names, these must also be entered.
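
The following check is an added example, not part of the original documentation or the PLCnext firmware. It takes a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns and lists the addresses and names under which the controller is reached that no Subject Alternative Name of the matching type covers; the sample certificate, IP addresses and DNS name are constructed.

```python
import ipaddress
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Dec 31 23:59:59 9999 GMT",  # default when "Not after" is left empty
    "subjectAltName": (
        ("IP Address", "192.168.1.10"),
        ("DNS", "192.168.2.10"),  # second adapter entered with the wrong Type
        ("DNS", "plc-line1.example"),
    ),
}


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def uncovered_endpoints(cert, endpoints):
    """List the endpoints that no Subject Alternative Name of the right type covers."""
    san = cert.get("subjectAltName", ())
    ip_sans = {_as_ip(v) for t, v in san if t == "IP Address"}
    dns_sans = {v.lower() for t, v in san if t == "DNS"}
    missing = []
    for endpoint in endpoints:
        ip = _as_ip(endpoint)
        # An IP literal is matched against IP-type entries only; a DNS-type
        # entry holding the same text does not count. Wildcards are not handled.
        covered = ip in ip_sans if ip is not None else endpoint.lower() in dns_sans
        if not covered:
            missing.append(endpoint)
    return missing


def days_until_expiry(cert, now=None):
    """Whole days between now (epoch seconds) and the certificate's notAfter."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


if __name__ == "__main__":
    reachable_as = ["192.168.1.10", "192.168.2.10", "plc-line1.example"]
    print(uncovered_endpoints(SAMPLE_CERT, reachable_as), days_until_expiry(SAMPLE_CERT))
```

For the sample, only 192.168.2.10 is reported, because it was entered as a DNS-type entry instead of an IP address entry.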

 

 

 


• Published/reviewed: 2025-05-28  ✿  Revision 079 •