Configure CryptoService

The CryptoService is available in the crypto palette.

These procedures should be carried out on a PC. They start from the Workbench main menu, and assume an established connection to the target platform.

This section covers the following procedures: configuring the CryptoService, and enabling the https protocol.

Configure the CryptoService

  1. Drag and drop CryptoService from the palette onto the Services node in the Nav tree.

    Figure 2. Dropping CryptoService on the Services node

  2. To confirm the CryptoService is configured correctly, double-click the CryptoService component in the Nav tree.

    The CryptoService property sheet view appears in the view pane.

    Figure 3. Example of a CryptoService property sheet

  3. Expand the Ssl node and confirm the CryptoService properties.

    Figure 3 shows the default properties.

    • Console Debug

      true causes the station to write the details of each SSL handshake to the station output view pane. This information is valuable for debugging communication problems, but it requires SSL expertise to decipher.

      false is the default and disables this output. Unless you are experienced in debugging SSL, leave Console Debug set to false, and set it back to false once a problem is resolved.

    • Key Store

      Defines the path to the Tridium Key Store (TKS) file that contains keys and certificates. By default, this string value points to: file: !security/ssl.tks, which is located under the security folder of the NiagaraAX installation directory. You may change the path to use your own TKS. To create your own TKS, see Install a signed certificate.

    • Key Store Password

      This string password protects the Key Store file and is set when the Key Store is generated. The password for the default Tridium Key Store is “tridium”. If you intend to use the default Key Store, do not change this password. Because this default password is published, anyone who obtains a copy of the default ssl.tks can open it; for that reason you are encouraged to create your own TKS, with your own certificates and a strong password.

    • Key Store Type

      The TKS is the only supported type of store for the CryptoService feature.

    • Trust Store

      While the Trust Store is not required to use the CryptoService, the value of this property must point to the same ssl.tks file defined for the Key Store.

    • Trust Store Password

      While the Trust Store is not required to use the CryptoService feature, if you change the Key Store password, the Trust Store password must also be changed to the same password you set up for the Key Store.

    • Trust Store Type

      The TKS is the only supported type of store for the CryptoService feature.

  4. Update the properties as needed.

    Note: If you change the location or password of the Key Store, make sure you also change the location and password of the Trust Store. The Trust Store must point to the same file used for the Key Store, and the password must be the same.
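The consistency rules above (same TKS file for Key Store and Trust Store, same password, TKS as the only store type, the published default password, Console Debug left on) are easy to get half right when a Key Store is moved and re-keyed. The following audit is an added example and is not Tridium or NiagaraAX code: it takes the property values as a plain dict (the key names are those shown on the property sheet; reading them from a station export is out of scope here and the two sample sheets are constructed) and returns the findings a reviewer would raise.

```python
"""Consistency audit for CryptoService property values.

Added example, not Tridium/NiagaraAX code. Checks a set of CryptoService
property values (constructed dicts below, not read from a station) against
the rules in this section: Key Store and Trust Store must be the same TKS
file, their passwords must match, both store types must be TKS, the
published default password should not remain in use, and Console Debug
should be off outside of troubleshooting.
"""
from typing import Dict, List

DEFAULT_KEYSTORE_PASSWORD = "tridium"   # published default documented on this page


def normalize_store_path(value: str) -> str:
    """Collapse cosmetic differences such as 'file: !security/ssl.tks'
    versus 'FILE:!security/ssl.tks' so whitespace or scheme case cannot
    hide a real mismatch (or fake one)."""
    scheme, sep, rest = value.strip().partition(":")
    if not sep:
        return value.strip()
    return scheme.strip().lower() + ":" + rest.strip()


def audit_crypto_service(props: Dict[str, object]) -> List[str]:
    """Return the list of findings; an empty list means the sheet is consistent."""
    findings: List[str] = []
    key_store = normalize_store_path(str(props.get("Key Store", "")))
    trust_store = normalize_store_path(str(props.get("Trust Store", "")))
    if trust_store != key_store:
        findings.append(
            f"Trust Store '{trust_store}' must point to the same file as Key Store '{key_store}'")
    if props.get("Key Store Password") != props.get("Trust Store Password"):
        findings.append("Trust Store Password must equal Key Store Password")
    for name in ("Key Store Type", "Trust Store Type"):
        if str(props.get(name, "")).upper() != "TKS":
            findings.append(f"{name} must be TKS (the only supported store type)")
    if props.get("Key Store Password") == DEFAULT_KEYSTORE_PASSWORD:
        findings.append(
            "Key Store uses the published default password; create your own TKS with a strong password")
    if props.get("Console Debug") is True:
        findings.append(
            "Console Debug is true; handshake details go to station output, set it to false when not troubleshooting")
    return findings


# Constructed sample: the default property sheet from Figure 3.
DEFAULT_SHEET = {
    "Console Debug": False,
    "Key Store": "file: !security/ssl.tks",
    "Key Store Password": "tridium",
    "Key Store Type": "TKS",
    "Trust Store": "file: !security/ssl.tks",
    "Trust Store Password": "tridium",
    "Trust Store Type": "TKS",
}

# Constructed sample: Key Store moved and re-keyed, Trust Store left at the default.
MISMATCHED_SHEET = {
    **DEFAULT_SHEET,
    "Key Store": "file:!security/mysite.tks",
    "Key Store Password": "correct horse battery staple",
}

if __name__ == "__main__":
    for label, sheet in (("default", DEFAULT_SHEET), ("mismatched", MISMATCHED_SHEET)):
        print(label, audit_crypto_service(sheet) or ["ok"])
```

The default sheet produces exactly one finding (the published password); the half-migrated sheet produces the two findings the Note above warns about, the Trust Store path and the Trust Store password.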

Enable the https protocol

  1. To configure the station for https, double-click the station’s WebService under Services in the Nav tree.

    The WebService property sheet appears in the view pane.

    Figure 4. WebService property sheet with https properties enabled

    • Https Enabled

      Turns on SSL encryption.

    • Https Only

      Restricts communications to the https protocol only. This property is not required for https communications to be encrypted; however, to strengthen the security of web-based access to the system, set Https Only to true, configure users for Hx profiles, and use only Hx views. Doing so prevents unencrypted http connections from being made.

  2. Set Https Enabled to true, and, to ensure security, Https Only also to true.

  3. To configure a user profile for the https protocol, double-click the UserService in the Nav tree, then double-click the user record.

    The UserManager property sheet appears.

    Figure 5. User configured for Basic Hx profile

    When using a Workbench-type profile (which uses a Java applet), communication between the browser client and the station uses both http and Fox connections. With the CryptoService it is only possible to encrypt the http connection, by using an https socket. Even though the https communication is encrypted, some communication still occurs over the unencrypted Fox connection.

    The most robust security implementation uses Hx profiles instead of Workbench profiles. When using an Hx profile with an https connection, all communication between the browser client and the station occurs over the encrypted https connection.

  4. Select the profile from the drop-down list.

    For more information about web profiles, see “About Web Profiles” in the NiagaraAX User Guide.

    Once Https Only is configured, if a client browser attempts an http connection, the station redirects the connection from http to https.
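After setting Https Enabled and Https Only, verify the result from a client rather than trusting the property sheet: a plain http request should be answered with a redirect to an https URL on the same host, and the https port should complete a handshake with the certificate you installed. The script below is an added example, not Tridium or NiagaraAX code. parse_redirect() and redirect_is_secure() evaluate a raw HTTP response and are exercised here on constructed responses; probe_http() and probe_tls() are the live versions that talk to a real station. The host name station.example, the ports 80 and 443, and the CA file are assumptions to adjust for your site.

```python
"""Client-side check that a station enforces https.

Added example, not Tridium/NiagaraAX code. The station host name and the
http/https ports are assumptions; parse_redirect() and redirect_is_secure()
are pure functions that work on constructed responses, while probe_http()
and probe_tls() are the live checks against a real station.
"""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_redirect(raw: bytes) -> Tuple[int, Optional[str]]:
    """Return (status code, Location header value) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    location = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            location = value.strip()
    return status, location


def redirect_is_secure(raw: bytes, host: str) -> bool:
    """True only if the plain-http request was answered with a redirect to an
    https URL on the same host. A 200 over http means Https Only is not in
    effect; a redirect to http:// or to a different host is also a failure."""
    status, location = parse_redirect(raw)
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlsplit(location)
    return target.scheme.lower() == "https" and (target.hostname or "").lower() == host.lower()


def probe_http(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send one GET / over plain http and return the raw response bytes."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe_tls(host: str, port: int = 443, cafile: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Complete a TLS handshake against the https port and report what was
    negotiated, without turning on Console Debug on the station. cafile is
    the CA that signed the certificate in your own TKS (assumption); with
    the default self-signed certificate, verification fails and the error
    is returned instead of a result."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return {"ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "subject": subject}
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    STATION = "station.example"   # assumption: your station's host name
    print("https redirect enforced:", redirect_is_secure(probe_http(STATION), STATION))
    print("tls:", probe_tls(STATION))
```

Run it from the same PC used for the Workbench procedures. A plain 200 from the http port means Https Only is not taking effect; a redirect to an http:// URL or to another host is reported as a failure as well, since neither proves that the browser session ends up encrypted. Note that this checks only the http listener: with a Workbench-type profile the Fox connection described above remains unencrypted regardless of what this probe reports.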