(theDISC)(April 2006).iso/Software/Internet & Communication/OmniWeb-5.1.2.dmg/OmniWeb.app/Contents/Resources/English.lproj/Help.htmld/images/omniweb.png)
Advanced Topics
Defaults List | Site-wide Preferences | defaults tool | Security Certificates
Defaults is another name for preferences, and not all of OmniWeb's preferences are visible from within the application. Some preferences don't have any user interface for adjusting them - usually because most users will never need to make any adjustments to the default settings and including them in the preference dialogs would only cause clutter and confusion.
Omni maintains a list of nearly all defaults that OmniWeb will pay attention to. Many of these are already visible preferences that can be adjusted using OmniWebs preferences window or other functions, but there are also many hidden settings.
In most cases, these hidden preferences are untested and unsupported. A certain amount of familiarity with the Terminal or property list editing is also required. Proceed at your own risk.
In an effort to keep the defaults list as up-to-date as possible, it is no longer included with these online help files. Instead, the list is available from our website.
Visit the Defaults List on omnigroup.com.
Setting up site-wide preferences
System administrators can change OmniWeb's preferences for all their users. This can be used to change any preference the user can change (and more). For example, administrators may want to change the site-wide default for their users' start page, bookmarks files, or font settings.
At startup, OmniWeb looks for files named Defaults.plist in each of the following folders: /Network/Library/Application Support/OmniWeb 5/, /Library/Application Support/OmniWeb 5/, and ~/Library/Application Support/OmniWeb 5/. If it finds any, it will configure its default settings to match those in the file(s). If a given setting is present in more than one place, the /Network/Library setting will be replaced by the /Library setting, and the /Library setting by the ~/Library setting. (Generally it's of little use to put anything in the user-level defaults file, as users can just as easily edit their settings in the Preferences window.) If you have the PropertyListEditor application installed (it comes as part of the Developer Tools package available from Apple) you can use it to create and edit one of these files.
|
The Defaults.plist file should have an entry for each default you want to change. For example, this Defaults.plist file will set behaviors for Automatic Software Update, window cascading, Java applets, Shorcut addresses, and Speech Recognition preferences for all users:
All settings go within the OAPreferenceController block, under the OWHiddenPreferences block. For a complete list of acceptable default names and values, see the Defaults List. |
Note that defaults files only specify the default settings -- a user can still customize their own preferences.
The defaults command-line utility
It's also possible for advanced users and administrators to edit OmniWeb's settings via the defaults command-line utility. Type defaults or man defaults in a Terminal window for information about using it. You'll find acceptable keys and values for use with this utility in the Defaults List.
If a website uses a self-signed certificate, or if it uses a certificate issued by an authority we don't know about (either because we missed it or because it's an authority that's private to an company intranet, etc.) you can get OmniWeb to trust that cert (certificate) by adding it to the list of authorities OmniWeb trusts.
(The two possibilities above are actually the same. A root certificate authority is just anybody who's issued their own certificate instead of getting it vouched for by someone else.)
Omniweb looks in various places for certificates to trust:
- some .pem files inside the application package
- some .pem files in standard locations in the system (/Library/Application Support/MoreRootCerts.pem)
- the system X509Anchors keychain
- some .pem files in the user's account (~/Library/Application Support/OmniWeb 5/RootCerts.pem)
- any user keychains
(Apple doesn't advertise it, but you can put certificates into keychains even under 10.2.)
".pem" files are text files. They contain certificates, which are unintelligible encoded blobs, between lines that say "BEGIN CERTIFICATE" and "END CERTIFICATE". They can also contain other text, which will be skipped over by OmniWeb but might describe what's in the blobs (e.g.).
How to add a new root (anchor) certificate
1. Get a copy of the certificate.
Best way:
The best way to get a copy of the certificate is to ask the administrator of the server for the certificate ("certificate authority", "CA cert", "root cert", "anchor cert"). Ask for it in PEM format — other formats are usable too, but PEM is easiest to deal with. It's also the most common format, so it shouldn't be a problem.
Another way:
If that doesn't work, then you can ask the server itself for its certificates. Open a Terminal window and type openssl s_client -showcerts -connect SERVERHOSTNAME:443 (where SERVERHOSTNAME is, of course, the server's hostname. The "443" is the normal port number for HTTPS.) This should spit out a few pages of information, starting with the word "CONNECTED" and ending with a line of three dashes. Hit control-C to quit openssl.
In the middle of the output should be the certificate chain offered by the server. There might just be one certificate, or there might be several. The first certificate is the server's own certificate. The next one is the certificate of whoever issued the server's certificate, followed by whoever issued that cert, and so on until you reach the root of authority. That last one is the one you want. Copy-and-paste it (including the BEGIN/END lines) into a text file, ideally one whose name ends in ".pem".
2. Put the certificate where OmniWeb will find it.
I recommend using the keychain, because then you can see (and delete) the certificate using Keychain Access. To add a certificate (in .pem format) to your keychain, type the following command in a terminal window:
certtool i /path/to/pemfile
You can do this by just typing certtool i , with the trailing space, and then dragging the .pem file's icon onto the window. Anyway, certtool should respond "certificate successfully imported", and you can then see the certificate in Keychain Access and it will be used by OmniWeb.
If you want to store the cert in one of the RootCerts.pem files mentioned above, you can just move/rename the .pem file you have, or (if the other .pem file already exists) append the new block of text to the existing list of certs. The order of certs in a .pem file doen't matter.
Example of a certificate in .PEM format
This is the relevant snippet of the output of "openssl s_client..." talking to my test webserver:
2 s:/C=US/ST=Washington/L=Seattle/O=JJJJ Associates/OU=Dummy Security/Email=user@jjjj.org
i:/C=US/ST=Washington/L=Seattle/O=JJJJ Associates/OU=Dummy Security/Email=user@jjjj.org
-----BEGIN CERTIFICATE-----
MIICgDCCAemgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhTELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNVBAoT
D0hISEggQXNzb2NpYXRlczEXMBUGA1UECxMORHVtbXkgU2VjdXJpdHkxHDAaBgkq
hkiG9w0BCQEWDXdpbWxAaGhoaC5vcmcwHhcNMDMwODE4MjAxMDA3WhcNMDQwODE3
MjAxMDA3WjCBhTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1NlYXR0bGUxGDAWBgNVBAoTD0hISEggQXNzb2NpYXRlczEXMBUGA1UE
CxMORHVtbXkgU2VjdXJpdHkxHDAaBgkqhkiG9w0BCQEWDXdpbWxAaGhoaC5vcmcw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALTFv4ts52lXl0aomu9/LaOfiUZx
Jdtb3BfSKkem2feD0AhAIX/1k1KLiOi6PB3aRGyXwxs5AOPxjloc/q6mpGRaJy/w
nJ/LfSG6TSsvrVY4Ksu2rTAQ9Io35PX1OUsgHDWkKOwHoAzLNgK7Q9I2lflDSPuZ
6Sk748VhDvzGSBEBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAhUnqFeO30hr7N888
NnQT/aDuJL8MoDqQkSkXUdVj+5F2m/Ssf7mqApKh/2GiXkL2cJ38XfWXi+gLFgv/
Do8cuh3h2oBxY7ylrBD9AmFHa8oRQboS4npV9GVgue/K/YtxqQOrrW2IY3Ikm6RY
ln6CdGy7bmMRr5qMuDxhlT37Cg0=
-----END CERTIFICATE-----
The certificate is the stuff from BEGIN CERTIFICATE to END CERTIFICATE (inclusive). The two lines before it are from OpenSSL describing what the certificate is. The s: line indicates the subject, i.e., who or what the certificate is for. The i: line indicates the issuer, i.e., who is vouching for the subject's authenticity. Since this is the root cert, the two lines are the same. Subjects and issuers are described in the X.500 format; the example here includes the country, state, city (locality), organization, organizational sub-unit (the "Dummy Security" department of "JJJJ Associates"), and email address.