Change TLS Settings window

This window provides access to the primary TLS settings.

Figure 1. Platform TLS Settings with default values (enabled)


To access this window, expand Platform > Platform Administration and click Change TLS Settings.

Properties | Value | Description
State | Tls Only | Specifies how Workbench clients connect to this host’s platform daemon.
  • Tls Only — Only secure platform connections are allowed. Any attempt to connect without security goes unresolved (errors out).

    This state is reflected among the properties listed on the main Platform Administration view, as “Platform TLS Support” state.

    Note: The Tls Only option provides the best security. All platforms support secure (TLS) platform connections.
Port | four-digit number (default is 5011) | Identifies the software port monitored by the platform daemon for a secure platform connection. This is different than the default HTTP port (3011) for a regular platform connection that is not secure.
CAUTION: If there is a firewall on the host (or its network), before changing this port make sure that the firewall will allow traffic to the new port.
Certificate Alias | text (defaults to the default self-signed certificate for Niagara 4.13 and later; defaults to tridium self-signed certificate for pre-Niagara 4.13 versions) | The alias for the server certificate in the platform’s key store to use for any platformtls connection. The default is automatically created when Niagara is first loaded.
Note: If the tridium certificate is already used on the station or the platform runs a pre-Niagara 4.13 version, the tridium certificate is used, but it will not serve as a recovery certificate.
If another certificate has been imported in the platform’s key store, use the drop-down control to select it instead.

Certificates on the platform are managed via the platform Certificate Management view. For general information on this topic, see Niagara Station Security Guide.

Certificate Password | text and check box | As of Niagara 4.13, the certificate is password-protected by a unique password or the global certificate password. Prompts the user to provide the user-defined password or the global certificate password associated with the certificate.
Protocol | TLSv1.0+, TLSv1.1+, TLSv1.2+ (default), TLSv1.3 | Defines the minimum TLS (Transport Layer Security) protocol version that the platform daemon’s secure server accepts to negotiate with a client for a secure platform connection. During the handshake, the server and client agree on which protocol to use.
  • TLSv1.0+ — Includes TLS versions 1.0, 1.1, and 1.2, providing the most flexibility.
  • TLSv1.1+ — Only TLS versions 1.1 or 1.2 are accepted.
  • TLSv1.2+ — (default) Only TLS versions 1.2 or 1.3 are accepted.
  • TLSv1.3 — Only TLS version 1.3 is accepted.

Use Extended Master Secret | true (default) or false | Turns on and off the “Extended Master Secret” on a server. When turned off (set to false) and the platform restarts, the CPU usage does not change significantly when connecting to the Platform Administration view from a FIPS-mode Workbench.
TLS Cipher Suite Group | drop-down list, recommended (default) or supported | Controls which cipher suites can be used during TLS negotiation. The default is more secure than the other option (Supported) and should be used unless it causes compatibility issues with the client.
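
One way to confirm that the Protocol setting took effect, added here as an example that is not part of the Niagara documentation: the script attempts one handshake per TLS version against the platform daemon's TLS port and reports which Protocol option the observed behaviour matches. The function names and the host passed to audit() are assumptions, and certificate validation is skipped because only the protocol floor is being checked.

```python
import socket
import ssl
import warnings

# Protocol option names from this page, keyed by the lowest TLS version each accepts.
SETTING_BY_FLOOR = {
    ssl.TLSVersion.TLSv1: "TLSv1.0+",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1+",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2+",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}

def accepts(host, port, version, timeout=5.0):
    """True/False if a handshake pinned to `version` succeeds; None if untestable here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Version probe only: the default certificate is self-signed, so skip validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.0/1.1 are deprecated
            ctx.minimum_version = ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None  # the local OpenSSL build cannot offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # includes ssl.SSLError: refused, reset, alert, or timeout
        return False

def infer_setting(results):
    """Name the Protocol option matching the lowest version the server accepted."""
    accepted = sorted(v for v, ok in results.items() if ok)
    return SETTING_BY_FLOOR[accepted[0]] if accepted else None

def below_floor(results, floor=ssl.TLSVersion.TLSv1_2):
    """List accepted versions older than the policy floor (findings to remediate)."""
    return [v.name for v in sorted(results) if results[v] and v < floor]

def audit(host, port=5011):
    """Probe every version against the platform daemon's TLS port (default 5011)."""
    results = {v: accepts(host, port, v) for v in SETTING_BY_FLOOR}
    return infer_setting(results), below_floor(results)
```

A None result from accepts() means the local OpenSSL build could not offer that version, so run the check from a client that can still speak TLS 1.0 and 1.1 before treating those versions as rejected.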