SSL and certificate notes in AX-3.8

This section explains a little more about the Workbench SSL certificate warning seen in the section Connect to the SoftJACE. Note that in AX-3.8, a few SSL-related changes were made since the releases for AX-3.7/AX-3.7u1 that affect an AX SoftJACE, which are also described below.

It is safe to “Accept” the certificate (Identification Verification) warning seen in Workbench when following the steps in Connect to the SoftJACE. However, don’t assume that always accepting similar certificates is the correct choice. An overview with a few background details is below. For complete details about SSL and NiagaraAX, refer to the NiagaraAX SSL Connectivity Guide.

Since AX-3.7, NiagaraAX has included integral support for industry-standard Secure Socket Layer (SSLv3) and Transport Layer Security (TLSv1) protocols, via an “SSL Toolset”. Included are Workbench tools for managing PKI (Public Key Infrastructure) digital certificates or “self-signed” digital certificates, which are used in verifying SSL connections. When you install an AX SoftJACE, a local self-signed “tridium” certificate is generated on it, and is available for (default) SSL usage by that host.

In AX-3.7 (and AX-3.7u1), after installing a SoftJACE you could optionally enable SSL for platform connections. To do this, you make a regular (non SSL) platform connection to it, say to run the Commissioning Wizard, then access its Platform Administration view. By default, its “tridium” certificate is presented to any Workbench client that attempts an SSL platform connection.
In AX-3.8 this changed—now when you install a SoftJACE, platform SSL is already enabled by default—again, using its self-signed “tridium” certificate.

In either case just described, when you open the first platform SSL connection from Workbench (the client) to the SoftJACE’s platform daemon (a server), Workbench presents a warning “Identity Verification” popup that shows you the details of its local self-signed “tridium” certificate.

If you Accept, an “allowed host” exemption is created for your Workbench (client), and you proceed to the Authentication dialog to enter your platform credentials. This warning should not appear again unless you delete the allowed host exemption, or unless the certificate expires.
If you Reject, no exemption is created, nor do you see the Authentication dialog to make a connection. Instead, an error message is generated.

Note this Workbench certificate warning repeats when you use Workbench to open the first station SSL connection (Foxs) to any station running on the SoftJACE When you click Accept, yet another “allowed host” exemption is created for your Workbench client, this time for a different software port: 4911 Foxs default, (vs. 5011 platformssl default). Similarly, secure web browser (HTTPS) access of a station running on the SoftJACE produces a warning in your client browser.

In general, usage of PKI signed certificates with NiagaraAX is recommended over the (default) self-signed “tridium” certificate. However, details are well outside the scope of this document. Again, refer to the NiagaraAX SSL Connectivity Guide for complete details.