Ssl

I want to convert one of my projects over to use SSL.
In order to avoid warnings to the users I presume I will need to get a SSL certificate.
Presumably this will come in the form of a file?
What do I do with this file to ensure that Ignition operates with it?
DO you have any recommended Vendor for SQL certificates?

Stay tuned - I’m writing a guide on how to do this right now.

That’s great. I’ll wait with interest.

Ok, here is the guide to purchase and install a real SSL certificate into an Ignition installation. This guide will be incorporated into the user manual for an upcoming release.

[u]How to Install a Real SSL Certificate in Ignition[/u]

When you turn on SSL in Ignition, the web browser uses what is called a “self-signed” certificate. This gives you the encryption benefits of SSL, but it isn’t a ‘real’ certificate. This is why browser will display nasty warnings to users that they shouldn’t trust your website.

We are not able to ship a real certificate with Ignition because SSL certificates have to be purchased individually from a certificate authority.

This guide will show you how to purchase and install a real SSL certificate from a certificate authority and install it in Ignition.

1) Install the JDK.
There are some command-line tools you’ll need to use to create a certificate request and to install your certificate. These tools come with the Java Development Kit (JDK). Most likely you only have the Java Runtime Environment installed. Go to http://java.oracle.com and click on Java SE. Download the Java SE 6 JDK and install it.

2) Open a command prompt
Open a command prompt (Start > Run > cmd) and change directory into your JDK tools directory.
[tt]cd C:\Program Files\Java\jdk1.6.0_24\bin[/tt]

3) Create your keystore
SSL certificates for Ignition are stored in a file called a keystore. You’ll need to create your own keystore file with a certificate in it before you can purchase the SSL certificate.
[ol]
[li] Enter the following command:
[tt]keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore C:\ssl.key[/tt]
(you can put the file wherever you want for now but it should be called “ssl.key”)
[/li][li] It will prompt you to enter a password. Use the password: [tt]ignition[/tt]
[/li][li] You will then be prompted for your “first and last name”. Do not actually use your first and last name. This value must be one of these for your Ignition Gateway:

  • Fully Qualified Domain Name (e.g. “secure.yourdomain.com”)
  • Public IP address (e.g. “202.144.8.10”)
  • Full Server Name of your internal server (e.g. “scadaserver”)
  • Private IP address (e.g. “192.168.0.1”)
    [/li][li] It will then prompt you for information about your company. Input all data accurately, as the certificate authority will need to verify this information.
    [/li][li] Lastly, it will ask you for the password for alias . Press RETURN to use the same password as the keystore file.[/li][/ol]

4) Generate a Certificate Signing Request
At this point, you have a keystore file named “ssl.key” at the root of your C:\ drive (or wherever you specified it to be in step 3a )

In your command prompt window, enter this command:
	[tt]keytool -certreq -alias tomcat -file C:\csr.txt -keystore C:\ssl.key[/tt]
It will prompt you for the keystore password (ignition)

You now have a certificate request file at [tt]C:\csr.txt[/tt]

5) Buy the SSL certificate
Now you need to get your SSL certificate signed by a certificate authority. When you go to a certificate authority (Verisign, Thawte, Comodo, etc), they’ll ask for your CSR, which is the csr.txt file that you created in step 4. Typically they’ll ask you to paste your CSR into their web form. Open csr.txt in notepad, and copy-and-paste it into the certificate authority’s form.

If prompted what software generated the CSR, choose Tomcat or Java

After the certificate authority has processed your payment and reviewed your CSR, they will send you your certificate via email.

6) Install the SSL certificate
After your SSL certificate has been emailed to you, you will want to follow the instructions provided for installing the certificate into a Java keystore. Your certificate authority will provide these instructions. The following is the procedure for installing a Comodo SSL certificate, provided as an example:
[ol][li] Extract the certificate files that were emailed to you, in this example they were extracted to C:\cert
[/li][li] Install the root certificate with the following command:
[tt]keytool -import -trustcacerts -alias root -file C:\cert\AddTrustExternalCARoot.crt -keystore C:\ssl.key[/tt]
[/li][li] Install the COMODO intermediate certificate:
[tt]keytool -import -trustcacerts -alias INTER -file C:\cert\COMODOHigh-AssuranceSecureServerCA.crt -keystore C:\ssl.key[/tt]
[/li][li] Install your server’s certificate:
[tt]keytool -import -trustcacerts -alias tomcat -file C:\cert\192_168_1_7.crt -keystore C:\ssl.key[/tt][/li][/ol]

7) Replace Ignition’s default keystore
You now have a keystore file at C:\ssl.key that holds your SSL certificate. The certificate alias is “tomcat” and the password is “ignition”. You can now replace the keystore file that ships with Ignition with your file. Make a backup of the file at
[tt]C:\Program Files\Inductive Automation\Ignition\tomcat\ssl.key[/tt]
and replace it with your keystore file. You will need to restart the Ignition service after replacing this file.

Make sure your SSL port is allowed through your server’s firewall. The default SSL port is 8043, and can be changed to the standard SSL port (443) through the Gateway Control Utilitiy (GCU).

Thanks! Are there any special considerations when using the built-in clustering, or do you just repeat this process on the backup machine?

Thanks for that. No wonder I couldn’t figure it out for myself :slight_smile:

No special considerations for clustering - you would have to simply repeat the process for the backup machine. Since it has a different hostname/ip, it’ll need its own certificate.

Yeah no kidding - I figured I’d finally write the process down rather than stepping people through it. “One-click” it is not! Too bad we’re not a certificate authority or we’d be able to make the process much easier.

Would there be any reason to use SSL on a internal network?

Any traffic through firewall from WAN is connected through a secured VPN, and is limited to which host’s it can talk with.

Nope, unless you don’t trust your own internal network, there is no reason to use SSL on an internal network.

Axis - are you asking if you should enable SSL on the connection or if there’s a reason to use a valid SSL certificate for your internal network?

Here’s my $.02:

In general, SSL/TLS is designed to prevent eavesdropping, tampering, and session hijacking on your network traffic. It’s a good practice to enable even on a closed network. The only good reason I can think of not to, would depend on bandwidth. For example, if you have a slow VPN connection and you notice a significant performance hit when using SSL.

Using your own “real” certs tells the client computer (and user) who they’re talking to. Suppose, for example, you’re logging on to your bank account at the Wells Fargo web site. It’s reassuring to know that you’re actually communicating with your bank. Certificate Authorities are companies whose job is to provide the service of validating that you are who you claim, then issuing certificates based on that. Using your own certificate is a better practice than using the default one, but probably not necessary in most cases. You would probably want a real certificate if you were providing a hosted service over the Internet. In the case of a closed industrial network there’s probably minimal risk of a malicious user hosting another Ignition gateway and trying to trick you into using it.

That’s what I thought. Just wanted to make sure I was not missing something.

Our current production server has the SSL turned on. What all can I expect to need a adjustment if I turn it off? All shortcuts on existing PC’s I assume. Is there anything else?

I wouldn’t expect anything else.

Also as a heads up now that we have this guide out there I think we’re going to change the Gateway so that when you turn SSL on it turns it on for everything - even the home page of the Gateway. You used to be able to get away with the self-signed cert, but increasingly browsers are rejecting them with more force, so our position is that we strongly recommend buying a real cert if you want to turn SSL on.

One last question. I’m hoping to purchase a “Single Domains with Unlimited Sub Domains (Wildcard)” certificate and use it on a number of systems located at different sites, on different physical servers, but which all have the same domain name - e.g. server1.megacorp.com, server2.megacorp.com, server3.megacorp.com and so on.

If I follow steps one to five in your post on just one of the servers, can I then follow steps six and seven on all the servers and have it work like that? Or is there something unique to each individual server generated in step three?

I think that should work. Not 100% positive as I’ve never done it personally. Make sure your “first and last name” is the fully qualified domain like you typed it in: server1.megacorp.com.

I think you’ll probably have to generate a CSR for each server, but your certificate authority will probably sign it for free since you bought the wildcard version.

If you end up doing this, please post back with your experiences.

I just finished using a UCC cert (not wildcard, but similar) to secure an Ignition box, without generating a CSR from Java at all (just using the OpenSSL-generated key and cert files). Made a post at inductiveautomation.com/forum/v … 43&#p50743 for anyone who’s interested. Wasn’t trivial, but not terribly difficult either.

Hi,
In 7.7.8 the “tomcat” folder doesn’t exist.
Should I place my ssl.key in C:/Programmes/Inductive Automation/Ignition/webserver ?

Thanks,