What Is SSL?

Secure Socket Layer (SSL) is a widely used protocol for securing data as it goes across a network or the internet. SSL and TLS are protocols that secure the network traffic of the Gateway. This means using HTTPS for all traffic between the Designer, Vision Clients, and Perspective Sessions when connecting to the Gateway. It is highly recommended that SSL / TLS always be used, as it helps protect your data from exposure.

Enabling SSL

To enhance security in Ignition, you may opt to enable SSL encryption. This will affect all communication to and from the Gateway that is done over the HTTP protocol. This includes not only browsers interacting with the Gateway's web interface, but all Vision Client communication as well. Turning on SSL will encrypt all data sent over HTTP. This protects your installation from anyone "snooping" the data as it passes over the network. This may be important if data transferred between the Gateway and Clients is sensitive in nature. This also helps to thwart a security vulnerability known as "session hijacking".

Inductive University video: Requiring SSL (https://inductiveuniversity.com/video/requiring-ssl?r=/video/search/?q=ssl&checked_videos=)




Turn on SSL

  1. Go to the Config section of the Gateway Webpage.
  2. Choose Networking > Web Server from the menus on the left.
  3. Select the checkbox for Force Secure Redirect, and click the Save button at the bottom of the page. 



After SSL is enabled, all Clients, Designers, and web browsers are redirected to the SSL port if they try to use the standard HTTP port. By default, the SSL port is 8043. You can change it here to another port like the standard SSL port of 443. If you are using a firewall, make sure to open the appropriate ports.


Adding an SSL Certificate

Ignition supports using SSL communications to the Gateway Webpage as well as Client/Designer communication with the Gateway. It is highly recommended that you purchase an SSL certificate from a certificate authority if you turn this feature on. The procedures for how to install a genuine SSL Certificate are below.

When you turn on SSL in Ignition, the web browser is served what is called a "self-signed" certificate. This gives you the encryption benefits of SSL, but not the identity validation, and it isn't a "real" certificate. This is why a web browser will display nasty warnings to users that they shouldn't trust the website.

We are not able to ship a real certificate with Ignition because security certificates have to be obtained individually from a Certificate Authority (CA). Ignition supports certificates from both your organization's internal CA, as well as commercial CAs (Verisign, GoDaddy, Comodo, etc). In either case, the procedure for how to install a certificate is listed below.

Note

After you have added an SSL certificate, the KeyStore will automatically refresh every 15 minutes. You can disable this in the ignition.conf file by altering the ignition.ssl.refresh entry (set to 0 to not refresh).

Get a Certificate Signing Request

Since SSL/TLS requires the installation of an SSL certificate, filling out the form below will generate a certificate signing request (CSR) to provide to a certificate authority. It is the first step required in getting an SSL certificate from a trusted Certificate Authority (CA), which is why details such as Organization and Location are being collected.

  1. Go to the Config tab of the Gateway Webpage and choose Networking > Web Server. 
  2. You'll see a warning message indicating that SSL/TLS is not enabled.  Click on the Click here link. 



  3. Click on the I don't have all the items above button.  The Create Certificate screen is displayed. 
  4. Fill in the required fields on the screen, then click the Generate Certificate Signing Request button. The resulting request can be brought to a Certificate Authority.

    Basic Details (Field: Definition)

    • Common Name: Full DNS name (required). This is typically what you type in your browser URL bar in order to navigate to this gateway, for example: yourdomain.com
    • Organization Name: Name of company (required). For example: Inductive Automation.
    • Organization Department: Department or section (required). For example: Engineering.
    • Email: Email address. For example: your@email.com.
    • Country: Typically an ISO 3166 2-character code (required). For example: US.
    • State / Province: State, province or region. For example: California.
    • Locality (City): Name of city. For example: Folsom
    • Street: Street number and street name. For example: 90 Parkshore Dr
    • Postal Code: Postal code. For example: 95630
    • Key Type: The algorithm of the key pair which will be generated for the self-signed certificate. Options are RSA or EC. Recommended: RSA
    • Key Size: The strength of the generated key. Recommended: 2048 bits
    • Expires in: The number of days the generated certificate will be valid. Only applies to the self-signed certificate.

    Subject Alternative Names (Field: Definition)

    • IP Addresses: The IP addresses of all the servers you plan on installing the certificate. Click the Add button for each additional IP address.
    • DNS Names: DNS names which map to the list of IP addresses above. Click the Add button for each additional IP address.

Install an SSL Certificate

Once you have an SSL certificate, it needs to be added to Ignition.

  1. Go to the Config tab of the Gateway Webpage and choose Networking > Web Server. 
  2. You'll see a warning message indicating that SSL/TLS is not enabled.  Click on the Click here link. 
  3. The Setup SSL/TLS screen is displayed. Review the following list:  
    • Private Key
    • Certificate Signed By A Certificate Authority (CA)
    • Any Intermediate CA Certificates (Provided by your CA)
    • Root CA Certificate (Provided by your CA)

  4. If you have the items, click on the I have all the items above button.  If you don't have all the items, click on the I don't have all the items above button, and follow the previous procedure, To Get an SSL Certificate from a CA.



  5. The Certificate Wizard is displayed. The first step is to import your private key in one of the following three ways. 
    • Drag and Drop your certificate from your computer onto the screen. 
    • Click anywhere on the grey box to browse for the private key.
    • Click the Manually enter data button to type in the private key information.



  6. If the private key is encrypted, click the checkbox to enable a password for this certificate and enter the password in the field. Click Continue.
  7. The next step is to import the server certificate. This is the DER or PEM encoded X.509 SSL Certificate that Ignition will use for SSL / TLS. Drag and drop the certificate file, browse for it, or manually enter the data.




  8. The next step is to import the certificate chain. This gives you the Intermediate CA Certificate. Drag and drop the certificate file or bundle, browse for it, or manually enter the data.  
    You'll see a message that the Intermediate CA Certificate was successfully uploaded. 



  9.  Finally, import the root CA certificate:  Drag and drop the certificate file, browse for it, or manually enter the data.  You'll see a message that the Root CA Certificate was successfully uploaded. 





  10. Click the Continue button. 

  11. You'll see a confirmation message that the certificate is installed and SSL/TLS is enabled.



  12. If you have a redundant installation, you'll need to repeat this procedure on your backup server.
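
A pre-flight check for steps 5 through 9 above: the sketch below labels each PEM block from a CA delivery as private key, server certificate, intermediate CA or root CA, and flags an encrypted key, so each file can be matched to the right wizard step. It is an added example, not Ignition code. The function names are hypothetical, names are compared by byte equality, and the sample bundle is constructed from skeleton certificates with no key or signature.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw issuer and subject Name bytes of a DER-encoded X.509 certificate."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]  # Certificate -> TBSCertificate
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0  # skip optional [0] version
    values = []
    for _ in range(5):  # serial, signature algorithm, issuer, validity, subject
        _, value, pos = read_tlv(tbs, pos)
        values.append(value)
    return values[2], values[4]

def classify(pem_text):
    """Label every PEM block with the wizard item it belongs to, in file order."""
    blocks = [(label, body, issuer_and_subject(base64.b64decode(body)) if label == "CERTIFICATE" else None)
              for label, body in PEM_RE.findall(pem_text)]
    issuers = {names[0] for _, _, names in blocks if names}
    def kind(label, body, names):
        if names:  # self-issued: root (or a self-signed server cert); issued another cert: intermediate
            return ("root CA" if names[0] == names[1] else
                    "intermediate CA" if names[1] in issuers else "server certificate")
        if label.endswith("PRIVATE KEY"):  # PKCS#8 label or legacy OpenSSL header marks encryption
            locked = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
            return "private key (password required)" if locked else "private key"
        return "not a wizard item: " + label  # e.g. a CSR pasted where the certificate goes
    return [kind(*block) for block in blocks]

# Constructed sample: skeleton certificates that hold only the fields parsed above.
def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length; bodies here stay under 128 bytes
def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))
def cert(issuer, subject):
    tbs = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0x30), name(issuer), tlv(0x30), name(subject)]
    return pem("CERTIFICATE", tlv(0x30, tlv(0x30, *tbs)))
SAMPLE = (cert("Example Root CA", "Example Root CA") + cert("Example Issuing CA", "gateway.example.test")
          + pem("ENCRYPTED PRIVATE KEY", b"constructed") + cert("Example Root CA", "Example Issuing CA"))
```

Calling classify(SAMPLE) returns the labels in file order, which shows that the order in which a CA ships its files need not match the order of the wizard steps.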