Platform and station security are independent of one another. You can configure SSL for only your stations or for both your platforms (Niagarad) and stations (Fox).
A station’s “window” into the platform-resident SSL features is just like any other platform service under the station’s PlatformServices node in the Nav tree. This means that anything configured in PlatformServices is independent of whatever station is running.
This topic explains how to:
To configure SSL for your stations, see Enable SSL for the Supervisor and JACE stations.
Enable SSL
This procedure involves making an unencrypted platform connection, enabling SSL, disconnecting from the unencrypted platform, and re-connecting using a secure connection.
Make an unencrypted connection to the platform.
Under Platform in the Nav tree, double-click Platform Administration.
The Platform Administration view appears.

Click Change SSL Settings.
The Platform SSL Settings dialog appears.

The default Port for platform connections over SSL is 5011.
Certificate provides a drop-down list of available certificates. Assuming this is a new platform, the only certificate in the list is tridium, the auto-generated self-signed certificate.
The Protocol list allows you to choose one protocol over the other (SSL or TLS). SSL Toolset supports both, which is the default way browsers work. There is no performance reason to choose one over the other. This property is provided in case your situation (contract or agreement) requires you to use one or the other.
Change State to Enabled and click Save.
The system enables the SSL port and restarts the unencrypted connection, most likely using the TLS protocol. This restart occurs for reasons other than security.
Disconnect the Fox connection (right-click the Station node in the Nav tree and select the action to disconnect all Fox sessions).
Disconnect from the platform session (right-click the platform in the Nav tree and click Close).
Open a secure platform connection (Niagarad)
Now that SSL is enabled, you can open the platform securely.
Click .
The Open Platform dialog appears.

Select Platform SSL Connection from the Session Type drop-down list.
Define the host IP, enter your Credentials and click OK.
The system displays the identity verification warning.

This error message is expected for two reasons:
The certificate’s Subject, or Common Name (CN), is NiagaraAX. This name does not match the host’s name, which is usually its IP address or domain name.
The certificate signature does not match the signature on any certificate in the client Trust Store. The fact that the Issued By and Subject are the same would indicate that the certificate has been self-signed.
Since this is the default tridium certificate, which can be trusted, click Accept.
Accepting the certificate creates an approved host exception in the Allowed Hosts list. If you did not select Remember these credentials when you logged in, the system asks you to confirm your platform credentials again.
Enter your credentials and click OK.
The platform is now connected over a secure connection. All data transmitted is encrypted, but the server’s identity was not validated.
To confirm this state, right-click and click Session Info.
The system displays session information.

The red shield with the X indicates that the software was unable to verify the authenticity of the server certificate. It is a self-signed certificate and no matching CA (root) certificate exists in the platform Trust Store. To view the certificate, click the link.
The green shield with the check mark indicates that encryption is enabled (this is a secure connection). In this example, the secure connection is using TLSv1 as the protocol and data is encrypted using “AES_128_CBC with SHA1.”
Click OK.
The tiny lock on the platform icon in the Nav tree indicates a secure connection.
To view this allowed host, click and check the Allowed Hosts tab.

The green shield indicates that the exception is approved.
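The two reasons given above for the identity verification warning are independent, and each is cleared by a different change to the certificate or the Trust Store. The following Python code is an added example, not part of the Niagara software or its documentation: it classifies certificates given in the form returned by Python's ssl.SSLSocket.getpeercert(). The host address, the "Site CA" name, the sample certificates and the trust-store list are constructed assumptions; name matching is exact (no wildcards) and no signature is checked.

```python
# Added example (not Tridium code): classify why a client warns about a server certificate.
# Certificates are dicts in the shape returned by Python's ssl.SSLSocket.getpeercert().

def presented_names(cert):
    """Names compared with the host: subjectAltName entries, else the subject CN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def warning_reasons(cert, host, trusted_subjects=()):
    """Return the reasons `cert` cannot be verified for `host`.

    trusted_subjects stands in for the client Trust Store (assumption: a list of
    subject tuples). Real validation also checks signatures and validity dates.
    """
    reasons = []
    names = {n.lower() for n in presented_names(cert)}
    if host.lower() not in names:  # exact match only; wildcards are not handled
        reasons.append("name-mismatch")
    if cert.get("issuer") not in trusted_subjects:
        self_signed = cert.get("issuer") == cert.get("subject")
        reasons.append("self-signed-untrusted" if self_signed else "unknown-issuer")
    return reasons


def name(cn):
    """Build a one-attribute distinguished name in getpeercert() form."""
    return ((("commonName", cn),),)


# Constructed sample data. 192.0.2.10 is a documentation address, "Site CA" is hypothetical.
HOST = "192.0.2.10"
DEFAULT_CERT = {"subject": name("NiagaraAX"), "issuer": name("NiagaraAX")}
RENAMED_SELF_SIGNED = {"subject": name(HOST), "issuer": name(HOST)}
CA_SIGNED = {
    "subject": name("jace-1"),
    "issuer": name("Site CA"),
    "subjectAltName": (("IP Address", HOST),),
}
TRUST_STORE = [name("Site CA")]

if __name__ == "__main__":
    for label, cert in [("default", DEFAULT_CERT), ("renamed", RENAMED_SELF_SIGNED),
                        ("CA-signed", CA_SIGNED)]:
        print(label, warning_reasons(cert, HOST, TRUST_STORE))
```

The default certificate reports both reasons, a self-signed certificate issued to the host's own address still reports the trust reason, and only the certificate whose issuer is in the trust store and whose names include the host reports none.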
Copyright © 2000-2014 Tridium Inc. All rights reserved.