The following are frequently asked questions (FAQs) about using LDAP, Active Directory, and Kerberos with NiagaraAX.
Q: Can I use SSL with LDAP?

A: Yes. In fact, configuring NiagaraAX platforms and stations for SSL is recommended. For newer JACE models and all Windows-based hosts (using the Hotspot JVM), refer to the NiagaraAX SSL Connectivity Guide for related details. For older JACE models (JACE-2 or JACE-4/5 series), which use the IBM J9 JVM, refer to the NiagaraAX CryptoService (SSL) engineering notes document. Note, however, that Kerberos is not supported on these older JACE models.

Q: Can a NiagaraAX system use a combination of LDAP or Active Directory along with the “network user” feature in a NiagaraNetwork?

A: No. The NiagaraAX “network user” feature is incompatible with using LDAP or Active Directory user services (no “hybrid system” is supported). All centralized user management is provided by the LDAP server or Active Directory server, and each station requires a user service sourced from the

Q: Is Kerberos always associated with LDAP in NiagaraAX?

A: Starting in AX-3.8, Kerberos is an available authentication method for the LDAPv3-compatible user services in the ldap module (LdapV3UserService, LdapV3ADUserService). Alternatively, you can use another authentication method, for example DIGEST-MD5, CRAM-MD5, or simple (clear text). Currently, Kerberos is not used anywhere else in NiagaraAX outside of these two LDAP-based user services.

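To make concrete why the “simple (clear text)” method above matters, and why the SSL recommendation earlier in this FAQ applies to LDAP binds, the following added example (not code from Tridium or the NiagaraAX product) encodes an LDAPv3 BindRequest both ways and classifies a captured message by whether the secret is readable by anyone who can see the TCP stream. The DN, password and SASL mechanism name are constructed sample values, and the SASL bind is encoded without initial credentials, as in the first leg of a DIGEST-MD5 or GSSAPI (Kerberos) exchange.

```python
# Minimal BER helpers, enough for an LDAPv3 BindRequest (RFC 4511).
def _len(n: int) -> bytes:
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _len(len(value)) + value

def bind_request(msg_id: int, dn: str, password=None, sasl_mech=None) -> bytes:
    """Encode an LDAPMessage carrying a BindRequest: a simple bind if a
    password is given, otherwise a SASL bind naming the mechanism (initial
    credentials omitted). msg_id is assumed to be below 128 (sample values)."""
    if sasl_mech is None:
        auth = _tlv(0x80, password)                        # [0] simple
    else:
        auth = _tlv(0xA3, _tlv(0x04, sasl_mech.encode()))  # [3] sasl
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + auth)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify_bind(msg: bytes) -> dict:
    """Report the bind method of one LDAPMessage and whether its secret is in clear."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)                 # messageID
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x60:                             # not a BindRequest
        return {"bind": False, "cleartext_secret": False}
    _, _, pos = _read_tlv(op, 0)                   # version
    _, dn, pos = _read_tlv(op, pos)                # name (bind DN)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag == 0x80:                           # simple: password is the raw value
        return {"bind": True, "method": "simple", "dn": dn.decode(),
                "cleartext_secret": len(auth) > 0}
    if auth_tag == 0xA3:                           # SASL: mechanism name, then challenge/response
        _, mech, _ = _read_tlv(auth, 0)
        return {"bind": True, "method": "sasl", "mechanism": mech.decode(),
                "cleartext_secret": False}
    return {"bind": True, "method": "unknown", "cleartext_secret": False}
```

Run over messages captured on port 389, `cleartext_secret` flags exactly the binds that should only ever cross a network inside an SSL/TLS session.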
Q: Do properties of an LDAP user service such as “Password Strength” (to configure strong passwords in AX-3.8) and the various “Lockout” properties apply to users under the service?

A: Yes, but only to “local” users created in the station, not to any LDAP users. The same is true of the “Password Configuration” properties of the LDAP user service and its users, first introduced in AX-3.7. These properties, which define periodic password expiration and enforce “unique passwords”, apply only to local station users and not to any LDAP users.

Q: Can an AX-3.8 station support an older LDAPv2 level server or Active Directory using the newer LDAPv3-compatible user services (LdapV3UserService, LdapV3ADUserService)?

A: Yes, these newer LDAP user services are backward-compatible with an LDAPv2-based system. However, Kerberos authentication is not available in this scenario.

Q: Can I configure my NiagaraAX 3.8 stations to run in FIPS mode (FIPS 140-2) and also use LDAPv3 with Kerberos authentication?

A: No. When running in FIPS mode, the set of permitted cryptographic algorithms is smaller: only FIPS-approved algorithms may be used. Because of this restriction, Kerberos cannot be used in FIPS mode, as the algorithms it requires are not supported by the FIPS cryptographic provider.

Copyright © 2000-2016 Tridium Inc. All rights reserved.