Opened 14 years ago
Closed 12 years ago
#3070 closed defect (fixed)
Set up MapServer as a client to access a secure WMS/WFS server
Reported by: | nsavard | Owned by: | jmckenna |
---|---|---|---|
Priority: | normal | Milestone: | 5.6 release |
Component: | Documentation - MapServer | Version: | 5.4 |
Severity: | normal | Keywords: | wms, wfs, secure connection, client, server, ssl, curl |
Cc: | jmckenna, dmorissette, havatv |
Description (last modified by )
This ticket is about documenting the steps to set up MapServer as a client to access a remote WXS server over https. This information could be added to the relevant documentation section.
Change History (3)
comment:1 by , 14 years ago
Description: | modified (diff) |
---|---|
Summary: | Client set up to access a secure WXS server → Client set up to access a secure WXS server with MapServer |
comment:2 by , 14 years ago
Summary: | Client set up to access a secure WXS server with MapServer → Set up MapServer as a client to access a secure WMS/WFS server |
---|
comment:3 by , 12 years ago
Cc: | added |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Added (en/ogc/wxs_secure http://www.mapserver.org/ogc/wxs_secure.html) to trunk and 6.0 documentation in r12522. I don't have access to services over https, so it would be great if someone could test.
The text below is a draft of the documentation on how to set up MapServer as a client to access a WMS/WFS server through a secure SSL connection using the HTTPS protocol. It describes the common errors a user may encounter and their solutions.
It is the editor's responsibility to present this documentation in the format best suited for publication and user understanding.
INTRODUCTION
The following documentation explains how to set up MapServer as a client to access a WMS/WFS server through a secure SSL connection using the HTTPS protocol. It describes the common errors a user may encounter and their solutions.
REQUIREMENTS
MapServer 5.4.1 or later, compiled with Curl. Curl must be built with SSL support.
STANDARD INSTALLATION (with apt-get install, rpm, manual, etc.)
The Curl CA bundle file should be located in the standard directory.
Verify your connection with the Curl command line: curl https://targethostname:port/gmap-demo/gmap75.phtml
Edit your map file to add the WMS connection URL for example:
If the layer is displayed correctly, you do not need to read any further.
NON-STANDARD INSTALLATION (commonly within ms4w and fgs)
If you got the following error, it means that your CA bundle was not found. This may be caused by the CURL_CA_BUNDLE environment variable pointing to the wrong location or by the CA bundle file not being present. Follow the steps below to correct either case.
Set the CURL_CA_BUNDLE environment variable to point to the bundle file (e.g. export CURL_CA_BUNDLE=/path/to/my-ca-bundle.ext where my-ca-bundle.ext could be cacert.pem or ca-bundle.crt)
Download the CA bundle file "cacert.pem" found at http://curl.haxx.se/docs/caextract.html or, if you have the Curl source, create the CA bundle by executing "make ca-bundle" or "make ca-firefox" (if you have Firefox and the certutil tool installed). If you use the second option, the bundle file will be named ca-bundle.crt and will be found in the lib directory under the Curl root directory. See http://curl.haxx.se/docs/caextract.html for more details. Store this file in the location pointed to by the CURL_CA_BUNDLE environment variable.
Verify your connection with the Curl command line:
Note:
If you use an ms4w, osgeo4w or fgs installation, these installers take care of this problem for you.
REMOTE SERVER WITH A SELF-SIGNED SSL CERTIFICATE
If you got the following error, it means that your remote server probably uses a self-signed SSL certificate and that the server certificate is not included in your CA bundle file.
To get the remote server certificate you have to execute this command:
Copy everything from the "-----BEGIN CERTIFICATE-----" tag to the "-----END CERTIFICATE-----" tag. Paste it at the end of the my-ca-bundle.ext file.
Verify your connection with the Curl command line:
NOTE:
If you got the following error, it means that the domain name in the URL request does not correspond to the one that was declared when the remote server certificate was created.
You have to use exactly the same domain name as the one entered at the "Common Name" prompt when the remote server certificate was generated. You cannot use the remote server IP address, for instance. It means that the following URL is not acceptable.
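The copy-and-paste step in the self-signed certificate section above can be scripted. The following is an added example, not part of the original draft: it extracts the BEGIN/END CERTIFICATE block from TLS client output and appends it to the bundle only if it is not already there. The function names, return codes and sample output are assumptions made for illustration; openssl s_client is one common source of such output and is not named in the draft.

```shell
#!/bin/sh
# Added example, not from the original draft. The bundle and the certificate
# body below are constructed placeholders.

# Constructed stand-in for the text a TLS client tool prints around a server
# certificate, e.g.: openssl s_client -connect targethostname:port </dev/null
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURQTEFDRUhPTERFUk5PVEFSRUFMQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
subject=/CN=targethostname
EOF
}

# Keep only the lines from the BEGIN CERTIFICATE tag to the END CERTIFICATE tag.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Number of certificates in bundle file $1.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Append the certificate found on stdin to bundle $1.
# Returns 0 = appended, 1 = already in the bundle, 2 = no certificate or no bundle.
add_cert_to_bundle() {
    bundle=$1
    [ -f "$bundle" ] || return 2
    cert=$(extract_pem)
    body=$(printf '%s\n' "$cert" | grep -v '^-----' | tr -d '\n')
    [ -n "$body" ] || return 2
    # Compare base64 bodies with line breaks removed, so re-wrapped copies match.
    if grep -v '^-----' "$bundle" | tr -d '\n' | grep -qF -- "$body"; then
        return 1
    fi
    printf '\n%s\n' "$cert" >> "$bundle"
}

# Demo on a throwaway bundle file.
demo_bundle=$(mktemp)
sample_s_client_output | add_cert_to_bundle "$demo_bundle"; echo "first run: $?"
sample_s_client_output | add_cert_to_bundle "$demo_bundle"; echo "second run: $?"
echo "certificates in bundle: $(count_certs "$demo_bundle")"
rm -f "$demo_bundle"
```

Appending a certificate makes every Curl client that reads this bundle trust it, so confirm the certificate's fingerprint with the server operator before adding it.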