Securing OMS Server with HTTPS (on-premise)
For Pavo to connect successfully to an on-premise OMS Server, the server must be accessible over HTTPS using a publicly trusted TLS certificate.
There are two options to secure your OMS Server: automated certificate renewal with a domain hosted by Master System, or self-managed certificate renewals.
Option A: Automated Certificate Renewal (recommended)
Master System will own the domain used to secure your server with a certificate. Master System will use industry standard tools (e.g., Let's Encrypt, certbot, win-acme) to secure OMS Server.
To get started with this method, Master System needs the following:
-
A static IP address that our DNS will use for its A record. You will be assigned a subdomain on a domain we own.
- Ports 80 and 443 opened and routed to your web service (e.g., IIS, nginx)
If you cannot open Port 80
Port 80 is required by the Certificate Authority to validate domain ownership during the request and renewal process. If you cannot permanently open port 80, you must open the port once every three months during certificate renewals.
Port 443 must remain available for normal HTTPS communication between Pavo and your OMS Server.
Option B: Customer Managed Renewal
If your security policy prohibits opening 80 and 443 or you wish to manage your own certificates, we will need a URL that is secured by your company that Pavo can access.
Under this option, your team will be fully responsible for purchasing (if relevant), installing, and manually renewing the SSL certificate for that subdomain. We will then configure Pavo to use the custom subdomain you provide.
TLS & Certificate Requirements
Pavo at a minimum requires TLS1.2+. Certificates must be publicly trusted and self-signed/private certificates cannot be used.