Enforcing SSL Encryption for the Opencms workplace

Prerequisites

The main prerequisite for this is that the workplace can be reached through SSL at all. For this to workl, the webserver must be configured to use SSL and it needs a certificate and a private/public key pair.

The certificate certifies that the server is authentic - that means - that no other server is just posing as your server. The private/public key is used for the encryption process itself.

For not-very-public setups, a self-signed certificate will be sufficient. In that case a third person, that does not know the website administrator will not be able to certify that the server is really the authentic server that should serve the given website. But still the website is encrypted, so for the opencms workplace, self-signed certificates may be enough. Most web hosting providers provide simple Webbased tools that generate and install a set of self-signed certificates into the webserver.

Enabling SSL for the workplace

If the webserver has been configured to allow SSL, then the workplace URL must be changed.

The configuration file contains a section like this

<sites>
  <workplace-server>http://www.server-name.com/opencms/opencms/</workplace-server>
  <!-- etc -->
</sites>

This has to be changed so that the workplace is accessed with SSL (https) instead:

<sites>
  <workplace-server>https://www.server-name.com/opencms/opencms/</workplace-server>
  <!-- etc -->
</sites>

After that you have to restart opencms. Now, even if somebody tries to access the workplace using an unsafe connection, they will be automatically redirected to the secured connection.