You can help by commenting or suggesting your edit directly into the transcript. We'll review any changes before posting them. All comments are completely anonymous. For any comments that need a reply, consider emailing email@example.com.
We are experiencing playback issues from our video hosting provider. Please check back shortly.
Enabling SSL in Ignition will set up secure communications between the Gateway and any of the various Ignition runtimes. Learn more about the Web Server page and how to enable SSL on an Ignition Gateway.
Transcript(open in window)
[00:00] To enhance Security in Ignition, you may opt to enable SSL encryption. The Ignition Gateway is a web server that serves information to web clients such as, your web browser. The use of SSL allows for the data the Gateway shares with web browsers to be encrypted and therefore, more secure. Additionally, the communication between the Gateway and the designer sessions, vision clients, and perspective sessions will also be encrypted, making them more secure. Enabling SSL is simple. All we have to do is to go over to the configure section of the Gateway and select "Web Server" under "Networking". Here, we will see the setup SSL/TLS button. And when we press it, we will begin the SSL/TLS setup wizard. First, we are asked for a list of requirements to be able to setup SSL. The list includes, a private key, as well as a list of certificates, which should be provided to you by your CA, or Certificate Authority. The concept here is that Ignition will generate a Certificate Signing Request, or CSR, to be sent to a Certificate Authority, who reviews a request, and grants users signed certificates to be installed on their Ignition Gateway web server. By doing so, if a web client, such as your web browser, connects to the Ignition Gateway web server, the server will present it's certificate to the client. The client will see that it is a signed certificate, by a valid Certificate Authority, and it will trust the server, and proceed to securely transact with it. If I have all the items on this list, I can simply click on this option here, where I will be prompted to upload any and all relevant files. I don't have any signed certificates, so I will hit "Cancel". If you do not have any of the items listed, you can click on this option, where you will be asked to fill out some basic information such as, your organization name, domain, location, et cetera. Upon completion of this form, Ignition will automatically generate a CSR to be sent to a CA for review. The CA will then provide you with the necessary signed certificates, to be installed on the Ignition server. Users also have the option to have a self signed certificate. If we head down to the "Advanced properties" here, you will see the option to install a self signed certificate. If I select it, we see that a warning is presented to me by my web browser. Clicking "Advanced" and then selecting to proceed, I am able to go to my Gateway's web interface, which now has SSL/TLS enabled. At this point, you might be wondering, what is a self signed certificate? Well, we previously explained how a certificate must be signed by a valid Certificate Authority. What we did instead, was have Ignition sign it's own certificate, which allows for the enabling of the SSL/TLS without a CA getting involved. The only drawback is that, since this certificate is not signed by a valid CA, your browser will not trust the Ignition web server, and therefore, you will see warnings telling you the connection is not secure. It is worth mentioning, that these warnings will only be visible in your web browser, meaning they will appear on your perspective sessions. Your vision clients and designer sessions, will not see any security warnings. Also, if you look at the address bar at the top here, we're using HTTPS S for Secure connection. And we're using Ignition's default SSL port, 8043. Heading back to the web server settings, we can configure the ports, ACTP and ACTPS traffic we'll use. We also have the freedom to force or direct, all HTTP traffic to it's HTTPS counterpart. Additionally, you can include or exclude cipher suites for clients connecting to Ignition, using SSL/TLS.