Platform TLS settings

Platform TLS settings

This window sets up the platformtls (niagarad) properties that provide server authentication and encryption. To access it, right-click Platform > Views > Platform Administration and double-click Change TLS Settings.

Figure 46. Platform TLS Settings window

Name	Value	Description
State	TLS	Defaults to TLS only.
Port	number	The port for secure communication. Defaults to 5011
Certificate Alias	text (defaults to the `default` self-signed certificate)	Provides a list of available certificate aliases to choose from. As of Niagara 4.13, the default certificate is the self-signed certificate automatically created when you first accessed the platform. NOTE: If the `tridium` certificate is already used on the station or the platform runs a pre- Niagara 4.13 version, the `tridium` certificate is used, but it will not serve as a recovery certificate. It cannot be deleted and should be used for recovery purposes. The default certificate is protected by the global certificate password. If other certificates are in the host platform’s key store, you can select them from the drop-down list.
Certificate Password	text and check box	As of Niagara 4.13, the certificate is password-protected by a unique password or the global certificate password. Prompts the user to provide the user-defined password or the global certificate password associated with the certificate.
Protocol	TLSv1.0+ — Includes TLS versions 1.0, 1.1, and 1.2, providing the most flexibility; TLSv1.1+ — Only TLS versions 1.1 or 1.2 are accepted; TLSv1.2+ — (default) Only TLS versions 1.2 or 1.3 are accepted; TLSv1.3 — Only TLS version 1.3 is accepted.	Defines the minimum TLS (Transport Layer Security) protocol version that the platform daemon’s secure server accepts to negotiate with a client for a secure platform connection. During the handshake, the server and client agree on which protocol to use.
Use Extended Master Secret	`true` (default) or `false`	Turns on and off the “Extended Master Secret” on a server. When turned off (set to `false`) and the platform restarts, the CPU usage does not change significantly when connecting to the Platform Administration view from a FIPS-mode Workbench.
TLS Cipher Suite Group	drop-down list, `recommended` (default) or `supported`	Controls which cipher suites can be used during TLS negotiation. The default is more secure than the other option (`Supported`) and should be used unless it causes compatibility issues with the client.