Opening a secure platform connection (niagarad)

Even before you configure digital certificates to provide server identity verification, every connection you make from a client to a server can be secure because you can manually verify the authenticity of the server.
Perform the following steps:
  1. Right-click My Host (for Supervisor) or an IP address (for a controller) and click Open Platform.
    The Connect window opens with Platform TLS Connection already selected.

    This window identifies the entity to which you are connecting: your local computer, a Supervisor platform, or a controller with an IP address.

  2. If needed, enter the host IP and click OK.
    If you are accessing the platform for the first time, the system displays an identity verification warning and a self-signed, default certificate.

    This message and certificate are expected for these reasons:

    • The Subject or CN (Common Name) of the default certificate (Niagara4) does not match the host name, which is usually the host IP address or domain name.
    • The default certificate’s Issued By and Subject are the same, which indicates that the certificate is self-signed. No third-party CA (Certificate Authority) has verified the server’s authenticity.
    • The certificate is signed, but no root CA certificate in the client’s User or System Trust Store can verify its signature.
  3. If you are presented with this warning and a certificate, make sure you recognize the certificate’s Issued By and Subject properties.
     CAUTION: Do not approve a certificate if you do not recognize these properties. 
  4. Assuming that this is the default certificate (default as of Niagara 4.13), which is intended for use during bootstrapping or recovery, click Accept.
    Accepting the certificate creates an approved host exemption in the platform/station Allowed Hosts list.
     NOTE: Although the name of the default certificate is the same for each controller and for Workbench, the content of each certificate is unique. Do not use the same default certificate for each controller in your network. 

    The system asks you to enter or confirm your platform credentials.

  5. Enter your platform credentials and click OK.
    The platform is now connected over a secure connection. All transmitted data is encrypted. If you logged on for the first time and accepted the default certificate, the only thing that cannot be validated is the server's identity.
  6. To confirm that you are using the self-signed certificate, right-click Platform in the Nav tree and click Session Info.
    The system displays session information.
    • The red shield with the X indicates that the handshake was unable to verify the authenticity of the server’s certificate. To view the certificate, click the link (Certificate Information).
    • The green shield with the check mark indicates that encryption is enabled. In this example, the secure connection is using TLSv1.3 as the protocol and data is encrypted using RSA (Rivest-Shamir-Adleman) and AES_256_GCM (Advanced Encryption Standard) with CBC and SHA1 ciphers disabled by default.
  7. Click OK.
    The tiny lock on the platform icon in the Nav tree indicates a secure, encrypted connection.
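
The checks behind the warning in steps 2 and 3 can also be run on a saved copy of the certificate. The following is an added example, not part of the original procedure or of Niagara itself: it reads the Issued By and Subject names from a DER-encoded certificate, reports whether they are identical and whether the CN matches the host, and computes a SHA-256 fingerprint. Assumptions: the function names, the constructed sample (a certificate-shaped skeleton with CN Niagara4, not a real certificate), the documentation address 192.0.2.10, and the practice of comparing against a fingerprint recorded out of band, which is not a step from this page.

```python
import hashlib
CN_OID = bytes.fromhex("0603550403")  # DER encoding of OID 2.5.4.3 (commonName)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert_der):
    """Return the raw DER Name blobs (issuer, subject) of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, pos)   # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]       # serial, sigAlg, issuer, validity, subject

def common_name(name_der):  # first CN attribute in a DER Name, or None
    _, pos, end = read_tlv(name_der, 0)
    while pos < end:
        _, rdn, nxt = read_tlv(name_der, pos)   # SET: one relative distinguished name
        _, attr, _ = read_tlv(name_der, rdn)    # SEQUENCE {type OID, value}
        if name_der[attr:attr + 5] == CN_OID:
            _, vs, ve = read_tlv(name_der, attr + 5)
            return name_der[vs:ve].decode("utf-8", "replace")
        pos = nxt
    return None

def review(cert_der, host, recorded_fp=None):
    """Summarize the properties an operator inspects before clicking Accept."""
    issuer, subject = issuer_and_subject(cert_der)
    fp = hashlib.sha256(cert_der).hexdigest()
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "issuer_equals_subject": issuer == subject,  # the self-signed indicator
            "cn_matches_host": common_name(subject) == host,
            "sha256": fp, "recognized": recorded_fp is not None and fp == recorded_fp}

def tlv(tag, body):  # encoder used only to build the constructed sample (< 128 bytes)
    return bytes([tag, len(body)]) + body
# Constructed sample: version, serial, empty sigAlg, issuer, empty validity, subject.
_name = tlv(0x30, tlv(0x31, tlv(0x30, CN_OID + tlv(0x0C, b"Niagara4"))))
_tbs = tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30, b"") + _name + tlv(0x30, b"") + _name
SAMPLE_DER = tlv(0x30, tlv(0x30, _tbs))
```

For a certificate saved as PEM, convert it with `ssl.PEM_cert_to_DER_cert()` from the Python standard library before passing it to `review()`. Because every default certificate carries the same name, only the fingerprint distinguishes one controller's certificate from another's.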