WebService encapsulates access to the HTTP server as well as the servlet infrastructure used to expose custom applications over HTTP. The WebService is available in the web palette. It is also one of the default services in a station created by using the tool. Only one WebService is supported in a station.
In AX-3.8, several WebService properties in a new station (via New Station tool in Workbench) have different defaults than in previous NiagaraAX releases. See New station WebService defaults in AX-3.8. In addition, any AX-3.8 station that provides “Web Workbench” to browser clients requires those browser client PCs to have Java configured with “Unlimited Strength Policy Files”. For details refer to “Additional AX-3.8 client-side Java installation” in the NiagaraAX 2013 Security Updates document.
Properties of the WebService determine the port usage and authentication methods of the station’s web server, among other things. Properties include:
Status
Read-only property that displays the status of the WebService.
Fault Cause
If status is fault, provides an error message that indicates the reason.
Enabled
By default true (enabled); if necessary it can be set to false (disabled).
To increase security in a scenario where the WebService is not used, for example in a JACE station where browser access is not needed, set this to false to disable this service.
Http Port
TCP port the service listens on for HTTP client connections, where port 80 is the default.
Http Enabled
Boolean that determines whether HTTP client requests are processed; it is true by default (before AX-3.8). If false, and HTTPS is enabled, HTTP requests are redirected to HTTPS. See New station WebService defaults in AX-3.8.
Https Port
TCP port the service listens on for HTTPS (secure) client connections, where port 443 is the default.
Https Enabled
Boolean that determines whether HTTPS client requests are processed; it is false by default (before AX-3.8). See New station WebService defaults in AX-3.8.
Starting in AX-3.7, any “Hotspot JVM” NiagaraAX host can be configured for secure (SSL/TLS) connections for browser (HTTPS) access, as well as secure Fox connections (Foxs) and platform connections (platformssl). Complete details are in the NiagaraAX SSL Connectivity Guide.
Any “IBM J9” host (earlier JACE models) can provide SSL connections to the station via browser access, regardless of NiagaraAX release level. The initial station login screen is always encrypted (secure), as well as all Hx access of the station. However, if browser access uses a Workbench profile (WbApplet), data transmitted over Fox is not secured with an SSL socket. A different architecture is used, where the station requires the CryptoService, with the crypto module installed. For details, refer to the NiagaraAX CryptoService (SSL) engineering notes document.
Https Only
If both HTTP and HTTPS are enabled, all HTTP requests are redirected to the HTTPS port. See New station WebService defaults in AX-3.8.
Https Min Protocol
For “Hotspot JVM” SSL only. Specifies the security protocol to use, where the default is either standard protocol (SSLv3+TLSv1). Other choices are one or the other: SSLv3 or TLSv1.
Https Cert
For “Hotspot JVM” SSL only. Specifies the server certificate to use for HTTPS connections, which may be different from (or the same as) the one used for secure platform and secure Fox connections.
Authentication Scheme
The authentication scheme used for HTTP requests, where choices are:
Cookie Digest — (default) The most secure (and recommended) authentication method. However, in some scenarios another authentication method may be necessary.
Cookie — Applies if the station uses the LdapUserService or ActiveDirectoryService instead of the standard UserService.
Also applies if using “domain-wide cookies authentication”, in which case the WebService’s property Single Sign On Enabled (new in AX-3.7u1) also should be set to true. For related details, see Domain-wide cookies authentication.
Basic — Typically not used, except if the client does not support one of the other (preferred) authentication schemes.
Gzip Enabled
Default is true, to enable gzip compression for basic text types: html, xml, css, js, and so on. Gzip support is new starting in AX-3.7.
If set to false, gzip compression is not used.
Log File Enabled
Default is false. If set to true, a log file of HTTP transactional messages from client connections is created in the station’s specified log file directory.
Log File Format
File format for log files (if enabled). Choices include:
NCSA Common Log Format (default)
NCSA Extended Log Format
W3C Extended Log Format
Log File Directory
Default is file:^httpd. The folder in the station’s file space in which log files are stored. Log file names use a YYMMDD.log (date) convention, such as 130501.log for a file created May 1, 2013.
Log File Policy
Determines when a new log file is started, whether Daily (the default) or else Weekly, Monthly, or Limited Size.
Log Maximum Size
Specifies the maximum size of a log file, in MB, where 100MB is the default.
Auto Login Enabled
Boolean that determines whether auto-login can occur using cookies; it is false by default. Only valid if the authentication scheme is set to Cookie.
Single Sign On Enabled
Boolean that determines whether “domain-wide cookies authentication” can occur using cookies; it is false by default. Only valid if the authentication scheme is set to Cookie. Other WebService modification is necessary for this feature; see Domain-wide cookies authentication.
Login Template
Specifies the template for the browser login page. If null (default), the default login template is used.
Tunneling Enabled
Boolean to specify if this station provides HTTP tunneling to other stations (default is false). If set to true (and the host is licensed for tunneling), the station can act as a proxy and redirect HTTP requests/responses where appropriate.
Note that you may also need to enable Fox tunneling for full support. For more details, refer to the Fox Tunneling and HTTP Tunneling engineering notes document.
Proxy Authentication When Tunneling
Boolean to specify if authentication is required at this (proxy) station before rerouting HTTP tunnel requests to other stations (default is false). If set to true, authentication is required; otherwise this proxy station simply reroutes all HTTP tunnel requests without requiring additional authentication.
This is required only when using Cookie Digest on the target station when:
A non-default Fox port is used on the target station, or
The target station has not been upgraded to AX-3.7u1 or later.
The target station has a different password.
Cookie Digest Session Timeout
Applicable only if authentication type is Cookie Digest. Specifies the maximum amount of time, in minutes, without activity during a browser session, after which the session is considered timed out (the user must log in again).
The default is 5 minutes. If set to 0, there is no timeout (but typically not recommended, as this could be a security risk).
Client Environments
(New starting in AX-3.7) Container for Mobile Client Environment (mobile) entries, available if the station’s host is licensed with the mobile feature. It is used in detection of a user’s browser type (e.g. desktop or mobile) and the selection of the appropriate webProfile for that user. For details, refer to “About the Mobile Client Environment (mobile) property” in the NiagaraAX Mobile Guide.
By default in AX-3.8, any new station created in Workbench using the New Station tool (wizard) is created for SSL access only, including both its WebService and FoxService (the latter a container under its NiagaraNetwork component).
A “Use secure connections (recommended)” checkbox in the New Station wizard enables this. If left checked, the station’s WebService has these properties set as follows:
Http Enabled: false
Https Port: 443 (or whatever Https Port was specified in the New Station wizard).
Https Enabled: true
Https Only: true
Sometimes when using the AX-3.8 New Station wizard you may wish to uncheck secure connections, which makes a WebService (and FoxService) with different values for the properties above. You might do this when making a station to be installed in a “J9 JVM” JACE (JACE-2/4/5 series), which cannot use Foxs (Fox SSL), but could use SSL for the WebService, if you also configured it with the station-based CryptoService.
In any case, after creating a new station, you can always re-edit its WebService (and FoxService) properties offline if needed—before installing it in the target host platform. For related details, see New Station wizard.
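As an added example (not Tridium code), the following Python function checks a set of WebService property values against the guidance on this page, including the AX-3.8 secure-connection defaults. It assumes the values have already been copied into a plain dict keyed by the property names above; the function names and the sample data are hypothetical.

```python
# Added example: audit WebService property values against this page's guidance.
# Missing keys fall back to the pre-AX-3.8 defaults listed on this page.
SECURE_NEW_STATION = {"Http Enabled": False, "Https Enabled": True, "Https Only": True}


def audit_webservice(props):
    """Return a list of (property, finding) tuples; an empty list means no findings."""
    findings = []
    if not props.get("Enabled", True):
        return findings  # service disabled, so no web server properties apply
    https = props.get("Https Enabled", False)
    if not https:
        findings.append(("Https Enabled", "HTTPS is off; browser traffic is not encrypted"))
    elif props.get("Http Enabled", True) and not props.get("Https Only", False):
        findings.append(("Https Only", "HTTP and HTTPS both enabled without redirect"))
    if https and props.get("Https Min Protocol", "SSLv3+TLSv1") != "TLSv1":
        findings.append(("Https Min Protocol", "SSLv3 is still accepted"))
    scheme = props.get("Authentication Scheme", "Cookie Digest")
    if scheme == "Basic":
        findings.append(("Authentication Scheme", "Basic in use; Cookie Digest is recommended"))
    if scheme != "Cookie":
        for flag in ("Auto Login Enabled", "Single Sign On Enabled"):
            if props.get(flag, False):
                findings.append((flag, "only valid when Authentication Scheme is Cookie"))
    if scheme == "Cookie Digest" and props.get("Cookie Digest Session Timeout", 5) == 0:
        findings.append(("Cookie Digest Session Timeout", "0 disables the inactivity timeout"))
    if props.get("Tunneling Enabled", False) and not props.get(
            "Proxy Authentication When Tunneling", False):
        findings.append(("Proxy Authentication When Tunneling",
                         "tunnel requests are rerouted without authentication at the proxy"))
    return findings


def matches_secure_defaults(props):
    """True if the three 'Use secure connections' values from the wizard are all set."""
    return all(props.get(k) == v for k, v in SECURE_NEW_STATION.items())


# Constructed sample: a station left on older defaults with several risky settings.
LEGACY = {"Enabled": True, "Http Enabled": True, "Https Enabled": False,
          "Authentication Scheme": "Cookie Digest", "Auto Login Enabled": True,
          "Cookie Digest Session Timeout": 0, "Tunneling Enabled": True}

if __name__ == "__main__":
    for prop, why in audit_webservice(LEGACY):
        print(f"{prop}: {why}")
```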
Copyright © 2000-2016 Tridium Inc. All rights reserved.