Change TLS Settings (AX38U1)

This selection from the Platform Administration view lets you enable secure (TLS) platform connections and change the related secure platform connection (platformtls) parameters.

The figure below shows the dialog with default values.

Figure 57.   Platform TLS Settings with default values (enabled)

Fields in this dialog are as follows:

  • State

    Either Disabled, Enabled, or Tls Only, to specify how Workbench clients can connect to this host’s platform daemon.

    • Disabled — Secure platform connections not possible (only regular platform connections).
    • Enabled — Secure platform connections permitted, as well as regular platform connections.
    • Tls Only — Only secure platform connections are allowed. Any attempt to connect without TLS is rejected (errors out).

    This state is reflected among the properties listed on the main Platform Administration view, as the “Platform TLS Support” state.

    NOTE: The “Tls Only” setting provides the best security. However, for any AX JACE in which you are about to install a "clean dist" file, you should first change State to "Disabled". Otherwise, after the unit reboots from the clean dist installation, you will be unable to make a default (non-TLS) platform connection. In this case, a direct serial shell session to the JACE is required, with intervention during the boot process. Note that in Niagara 4, all platforms support secure (TLS) platform connections, even a freshly “clean disted” controller.

  • Port

    The port on which the platform daemon listens for secure platform connections; the default is port 5011. Note that this is different from the default HTTP port (3011) for a regular platform connection that is not secure.

    CAUTION: If there is a firewall on the host (or its network), before changing this port make sure that the firewall will allow traffic to the new port.

  • Certificate

    The “alias” for the server certificate in the platform’s “key store” to use for any platformtls connection. The default is the tridium self-signed certificate, which is automatically created when Niagara 4 is first loaded. If another certificate has been imported in the platform’s key store, you can use the drop-down control to select it instead.

    Certificates on the platform are managed via the platform Certificate Management view. For general information, see the Station Security Guide.

  • Protocol

    The minimum TLS (Transport Layer Security) protocol version that the platform daemon’s secure server will accept when negotiating a secure platform connection with a client. During the handshake, the server and client agree on which protocol version to use.

    • TLSv1.0+ — (default) Includes TLS versions 1.0, 1.1, and 1.2, providing the most flexibility.
    • TLSv1.1+ — Only TLS versions 1.1 and 1.2 are accepted.
    • TLSv1.2 — Only TLS version 1.2 is accepted.
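After changing the Protocol setting, an administrator will usually want to confirm from a workstation that the platform TLS port really refuses the versions it should. The script below is an added example (not part of Niagara or this document): it opens one connection per TLS version, each client context pinned to offer only that version, records which versions the server completes a handshake for, and then compares the result with the dialog's Protocol choice. The host name, the default port 5011 and the `SETTING_ALLOWS` table (built from the three Protocol options above) are the only assumptions; the "closing listener" is a constructed stand-in peer so the script also runs offline.

```python
"""Probe which TLS versions a platform TLS port accepts and compare the result
with the dialog's Protocol setting. Added example, not Niagara's own code."""
import socket
import ssl
import threading

# Protocol choices as shown in the dialog, mapped to the versions each should accept
# (assumption: taken from the option descriptions, not from a Niagara API).
SETTING_ALLOWS = {
    "TLSv1.0+": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLSv1.1+": {"TLSv1.1", "TLSv1.2"},
    "TLSv1.2": {"TLSv1.2"},
}

# One probe per version; the name matches what SSLSocket.version() reports.
PROBES = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def _pinned_context(version):
    """Client context that offers exactly one protocol version.
    Certificate verification is disabled on purpose: this is a version probe,
    not a trust check (the default platform certificate is self-signed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_tls_versions(host, port=5011, timeout=5.0):
    """Return {version_name: negotiated_version or None}. None means no handshake
    completed at that version (server refused it, connection failed, or the local
    OpenSSL build will not offer that version at all)."""
    results = {}
    for name, version in PROBES:
        try:
            ctx = _pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version()
        except (OSError, ValueError):
            # OSError covers ssl.SSLError, EOF, reset, refused and timeouts.
            results[name] = None
    return results


def audit(results, protocol_setting):
    """Versions the server accepted that the chosen Protocol setting should refuse."""
    allowed = SETTING_ALLOWS[protocol_setting]
    return sorted(v for v, got in results.items() if got is not None and v not in allowed)


def start_closing_listener():
    """Constructed stand-in peer: accepts TCP connections on 127.0.0.1 and closes
    them without speaking TLS, so every probe must come back as None.
    Returns (port, stop_function)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    # Offline demonstration against the constructed listener; against a real
    # controller call probe_tls_versions("<controller-host>", 5011) instead.
    port, stop = start_closing_listener()
    res = probe_tls_versions("127.0.0.1", port, timeout=2.0)
    stop()
    print(res)                    # every version None: nothing negotiated
    print(audit(res, "TLSv1.2"))  # [] means no version the setting forbids
```

Against a controller set to TLSv1.2, the expected output is `TLSv1.2` negotiated and `None` for the two older versions, with `audit(...)` returning an empty list; any version name that `audit` returns is one the daemon still accepts although the Protocol setting says it should not, which is the finding an administrator would follow up on. Note that a modern OpenSSL build may decline to offer TLS 1.0 or 1.1 itself, in which case those rows read `None` regardless of the server; run the probe from a host whose OpenSSL still offers them if you need to prove a refusal rather than merely observe one.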

The figure below shows an example dialog for a controller with platform TLS set to Tls Only.

Figure 58.   Example settings for a controller enabled for TLS, with a signed certificate

In this example, the controller uses a signed certificate with alias tpubsjace3 (previously imported), with the port and protocol settings left at defaults.