(AX-3.7 or later platforms that use the Hotspot Java VM, and with the necessary modules installed). This selection from the Platform Administration view lets you configure secure (SSL/TLS) platform connections, as well as change related secure platform connection (platformssl) parameters.
Figure 53 shows the dialog with default values.
Fields in this dialog are as follows:
State
Either Disabled, Enabled, or Ssl Only, to specify how Workbench clients can connect to this host’s platform daemon.
Disabled — Secure platform connections not possible (only regular platform connections).
Enabled — Secure platform connections permitted, as well as regular platform connections.
Ssl Only — Only secure platform connections are allowed. Behavior from an attempt to open a regular platform connection differs between AX-3.7 and AX-3.8, as follows:
With an AX-3.8 platform, any such attempt goes unresolved (errors out).
With an AX-3.7 platform, any such attempt is automatically redirected to the port servicing secure platform connections. (Note this is not supported for the host as a target in a tunneled platform connection.)
This state is reflected among the properties listed on the main Platform Administration view, as “Platform SSL Support” state.
Port
Software port monitored by the platform daemon for a secure platform connection, where port 5011 is the default. Note this is different than the default HTTP port (3011) for a “regular” (unsecure) platform connection.
Again, if there is a firewall on the host (or its network), before changing this port make sure that it will allow traffic to the new port.
Certificate
The “alias” for the server certificate in the platform’s “key store” to use for any platformssl connection. The default is the “tridium” self-signed certificate, which is automatically created when SSL is first loaded (by presence of certain modules and proper host licensing). If another certificate has been imported in the platform’s key store, you can use the drop-down control to select it instead.
Certificates on the platform are managed via the platform Certificate Management view. For general information in this document, see Certificate Management, or for complete details refer to document NiagaraAX SSL Connectivity Guide.
Protocol
Either SSLv3, TLSv1, or SSLv3+TLSv1, specifying the protocol for the secure platform connection.
SSLv3 — Only SSL version 3 (Secure Socket Layer) is used.
TLSv1 — Only TLS version 1 (Transport Layer Security) is used.
SSLv3+TLSv1 — Either TLS version 1 or SSL version 3 can be used for the platform connection. This is typically recommended, and is the default.
If an AX-3.8 platform is configured for FIPS 140, the protocol is automatically set to TLSv1, and made read-only. For related FIPS 140 details, refer to the NiagaraAX FIPS 140 Configuration Guide.
Figure 54 shows an example dialog for a JACE enabled for platform SSL (only).
In this example, the JACE uses a signed certificate with alias “tpubsjace6” (previously imported), with the port and protocol settings left at defaults.
When you click after making any changes in Platform SSL Settings, those changes are immediately applied. Often this means your current platform connection closes, and then reopens in Workbench. For example, if you change state from “Ssl Only” to “Disabled”, your secure connection will close and then reopen as a regular (unsecure) platform connection. Or, if while securely connected you change Port from (default) 5011 to another port number, your reopened platformssl connection will use this new port, shown in parentheses (nnnn) to indicate a “non-default” port is being used.
Before closing the host (removing it from the Nav tree), carefully note the new (non-default) secure platform port number you entered. In the future you must specify that port number whenever reopening this platform using the “Platform SSL Connection” method.
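The following Python sketch is an added example, not part of the NiagaraAX documentation or of Tridium's software: it checks a record of this dialog's fields against the behavior described above and flags settings an administrator may want to review. The record keys, the "release" and "fips" fields, the severity labels and the sample hosts are assumptions of this example.

```python
# Added example: review a record of the Platform SSL Settings fields.
# Record keys, severity labels and sample hosts are this example's own.
DEFAULT_SSL_PORT = 5011  # default secure platform port, as stated on the page
STATES = {"Disabled", "Enabled", "Ssl Only"}
PROTOCOLS = {"SSLv3", "TLSv1", "SSLv3+TLSv1"}


def regular_attempt(state, release):
    """Outcome of opening a regular (unsecure) platform connection."""
    if state not in STATES:
        raise ValueError("unknown state: %r" % state)
    if state != "Ssl Only":
        return "accepted"
    # In Ssl Only, AX-3.7 redirects to the secure port; AX-3.8 errors out.
    return "redirected" if release == "AX-3.7" else "error"


def audit(s):
    """Return (severity, message) findings for one host's settings."""
    if s["state"] not in STATES or s["protocol"] not in PROTOCOLS:
        raise ValueError("unknown state or protocol value")
    out = []
    if s["state"] == "Disabled":
        out.append(("high", "only regular (unsecure) connections possible"))
        return out  # the remaining fields have no effect while disabled
    if s["state"] == "Enabled":
        out.append(("medium", "regular (unsecure) connections still permitted"))
    if "SSLv3" in s["protocol"]:
        out.append(("medium", "SSLv3 permitted (deprecated by RFC 7568)"))
    if s.get("fips") and s["protocol"] != "TLSv1":
        out.append(("high", "FIPS 140 host should report protocol TLSv1"))
    if s["certificate"] == "tridium":
        out.append(("medium", "default self-signed certificate in use"))
    if s["port"] != DEFAULT_SSL_PORT:
        out.append(("info", "non-default port %d: record it, check firewall" % s["port"]))
    return out


HOSTS = {  # constructed sample records; jace-a mirrors the Figure 54 example
    "jace-a": {"release": "AX-3.8", "state": "Ssl Only", "port": 5011,
               "certificate": "tpubsjace6", "protocol": "SSLv3+TLSv1"},
    "jace-b": {"release": "AX-3.7", "state": "Enabled", "port": 5443,
               "certificate": "tridium", "protocol": "TLSv1"},
}

if __name__ == "__main__":
    for name, s in HOSTS.items():
        print(name, "regular attempt:", regular_attempt(s["state"], s["release"]))
        for sev, msg in audit(s):
            print("  [%s] %s" % (sev, msg))
```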
Copyright © 2000-2014 Tridium Inc. All rights reserved.