Switch Autoform DM Between HTTP and HTTPS
When Autoform DM is installed, HTTPS support is now enabled by default, and you can provide custom HTTPS certificates for the server to use.
HTTPS support is ready with minimal configuration required to help increase security.
However, note that HTTP connectivity is also enabled, so an installation can be used over both HTTP and HTTPS once completed. This allows the application to be tested using either protocol and to facilitate the upgrade of legacy integrations that are still using HTTP, if present.
We recommend that you disable or restrict access to Autoform DM via HTTP when possible. To allow you to do this, we have provided a tool to adjust the application configuration. This is run via the command line and details of the usage are included on this page.
Configuration Tool
The configuration tool http-mode-switcher.jar can be found in the installation location: <path/to/installation>/<Server_xx - name>/tools. Wrapper scripts (httpModeSwitcher.[bat|sh] depending on platform) are provided to make usage easier; these should be used to run it.
Open a command prompt in that directory and run the relevant script – this will print usage documentation which you can refer to for the most accurate and up-to-date usage details.
Example
> httpModeSwitcher.bat
Usage: <cmd> <path/to/ear/file.ear>
<cmd> may be:
- http-and-https: Enable both HTTP and HTTPS access
- require-https: Require HTTPS, this allows for HTTP->HTTPS redirects, or HTTPS-only if disabling the HTTPS redirect on the listener.
- require-https-only: Require HTTPS only, this enforces the use of HTTPS via the HSTS header.
The original .ear file will have the '.bak' extension added and be replaced with the modified version.
As indicated, the tool takes a cmd parameter and a path to the DM ear file – when run, the target .ear file will be moved to have a .bak extension and a new copy with the requested changes will take its place.
For example:
> httpModeSwitcher.bat http-and-https "C:\Program Files\Formpipe Software\Autoform DM\Server_10.1 - Production\wildfly-22.0.1.Final\standalone\deployments\pdm_app_module.ear"
This will result in two files:
The original:
C:\Program Files\Formpipe Software\Autoform DM\Server_10.1 - Production\wildfly-22.0.1.Final\standalone\deployments\pdm_app_module.ear.bak
The newly-modified version ready for use:
C:\Program Files\Formpipe Software\Autoform DM\Server_10.1 - Production\wildfly-22.0.1.Final\standalone\deployments\pdm_app_module.ear
We recommend either leaving the .bak version in place or moving it to a safe location; if problems occur in future, it can be restored to undo any changes.
cmd Options
The options available for <cmd> are described in this section.
http-and-https
This restores the 'default' configuration, enabling both HTTP and HTTPS access. We recommend this option if you want to restore HTTP access after using one of the other <cmd> options.
require-https
This changes the application to require HTTPS, meaning that by default, an attempt to access the application on HTTP will cause a redirect that switches the user across to HTTPS instead. Both HTTP and HTTPS are enabled for connection, but connecting on HTTP will redirect to HTTPS.
We recommend this configuration for production, and when application installation has been verified and HTTPS certificates have been installed as required.
It is possible to remove the redirect configuration from the application server in addition to this if required. In this scenario, connection attempts to HTTP will fail rather than being redirected.
require-https-only
This does the same as require-https, but additionally enables the HSTS (HTTP Strict Transport Security) headers.
Warning
Only use this option if you understand the effect of doing so.
When HSTS headers are enabled and a user connects once to the application, the browser will record that access should be via HTTPS only. Any further attempts to connect to the application via HTTP will cause the browser to change the protocol on the client side before sending the request.
This enhances security by forcing client-side protocol switching rather than relying on the redirect; however, note that if you then switch back to HTTP, the HSTS configuration will have to be manually cleared from the browser. Refer to the vendor-specific documentation on how to do this.
Note
Restart the Autoform DM server after running the cmd command and updating the .ear file.
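After the restart, the mode that is actually in effect can be confirmed from a client machine. The following is an added example, not part of the Autoform DM tooling: it maps what a client observes (the plain-HTTP response and the Strict-Transport-Security header on HTTPS) onto the three modes above. The host name, ports and sample header values are assumptions constructed for illustration; the exact HSTS value the server sends is not stated on this page.

```python
import http.client

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None

def classify(http_status, http_location, hsts_header):
    """Map observed responses onto the modes described on this page.
    http_status is None when the plain-HTTP connection failed or was refused."""
    to_https = (http_status in (301, 302, 303, 307, 308)
                and (http_location or "").lower().startswith("https://"))
    if http_status is not None and not to_https:
        return "http-and-https"      # HTTP is served (or redirects to an http:// URL)
    # max-age=0 tells browsers to drop the policy, so it does not count as HSTS on
    if (hsts_max_age(hsts_header) or 0) > 0:
        return "require-https-only"
    return "require-https" if to_https else "require-https, redirect removed"

def probe(host, http_port=80, https_port=443, path="/"):
    """Probe a live server; host and ports are supplied by the operator."""
    try:
        conn = http.client.HTTPConnection(host, http_port, timeout=5)
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
    except OSError:
        status, location = None, None
    tls = http.client.HTTPSConnection(host, https_port, timeout=5)
    tls.request("HEAD", path)
    hsts = tls.getresponse().getheader("Strict-Transport-Security")
    return classify(status, location, hsts)

# Constructed sample observations (not captured from a real Autoform DM server)
SAMPLES = [
    (200, None, None),
    (302, "https://dm.example.test/", None),
    (302, "https://dm.example.test/", "max-age=31536000; includeSubDomains"),
    (None, None, None),
    (302, "https://dm.example.test/", "max-age=0"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(*s))
```

probe() validates the server certificate with the system trust store, so it raises an error if the certificate installed on the server is not trusted by the machine running the check.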