Platform credentials improvements

In AX-3.8, security improvements were also made in platform credentials for digest authentication—where digest authentication is the only authentication method for any QNX-based JACE host, and an option for a Windows or Linux based host. Digest platform credentials in AX-3.8 now use the strong, two-way AES-256 encryption against the unique keyring and key material file of each JACE host.

Digest platform credentials were also relocated to a more secure location in the registry of AX-3.8 JACEs (or with Windows hosts, relocated in the Windows registry).

Station backup and restore changes

For the most part, AX-3.8 platform credentials improvements are transparent. However, be aware of this when restoring an AX-3.8 station backup:

Platform credentials are no longer included in a station backup .dist of an AX-3.8 host (unlike in a backup .dist file for any AX-3.7u1 or earlier release JACE).

Sometimes, this may be confusing. For example, say you have an AX-3.8 JACE running with platform credentials unique to a job, and you make a station backup. The backup .dist for that JACE does not contain these platform credentials, as stated above. This applies whether an “online backup” via a station’s BackupService (or Supervisor’s provisioning), or an “offline backup” with the station stopped, via a platform connection and from the Platform Administration view.

Now say you have another AX-3.8 JACE running that has been commissioned with different unique (non-default) platform credentials. If you restore the backup .dist described above to this JACE, it will reboot with the same platform credentials that it had before restoring the backup.
Or, in the case where you install a “clean dist” file in a JACE first, note that when the JACE reboots from the cleaning, it will be using factory default platform credentials (set by the cleaning operation).
- If you restore the AX-3.8 backup .dist file at this point, following the restore the AX-3.8 JACE reboots with factory default platform credentials.
- If (after the cleaning) you first change the platform credentials in the JACE to non-defaults, then restore the AX-3.8 backup .dist file, following the restore the AX-3.8 JACE cannot use the credentials you previously entered—again, it reboots with factory default platform credentials.
In particular, this can lead to confusion—and you should never leave a JACE running in this state. In either case, always reopen a platform connection and change the platform credentials to non-default values, via the “Update Authentication” choice in the Platform Administration view.

For details, see “Downgrading a JACE (Clean Dist)” and “Update Authentication” in the Platform Guide.

Backup and restore changes described here are dependent on the NiagaraAX release level of the target backup host (JACE), and not the release level of the Workbench client. In other words, if you use AX-3.8 Workbench to backup a JACE that is running an earlier release (e.g. AX-3.7u1, AX-3.6u4), when you restore that backup, the JACEs will reboot with the platform credentials from that backup .dist file.