Enabling SSL/TLS
Description
Enabling SSL/TLS in Ignition will set up secure communications between the Gateway and any of the various Ignition runtimes. Learn more about the Web Server page and how to enable SSL/TLS on an Ignition Gateway.
Video recorded using: Ignition 8.3
Transcript
[00:00] In this lesson, we'll learn how to configure additional security settings for the gateway. The Ignition Gateway web server can provide modern end-to-end security using Transport Layer Security, or TLS, the successor to SSL. This allows us to use the more secure HTTPS, instead of HTTP, to encrypt data, and it verifies identities through digital certificates. In order to configure this, we can navigate to Network, Network Settings, Web Server. This page allows us to configure HTTP and HTTPS settings for communications with the gateway. However, in order to use HTTPS and configure these settings, we need to set up SSL/TLS, which we can do by clicking on this button at the top of the page. Setting up SSL/TLS requires you to install a certificate so that when a web client, such as your web browser, connects to the Ignition gateway web server, the server will present this certificate to the client. The client will see that it's a certificate signed by a valid Certificate Authority, or CA, and it will trust the server and proceed to securely transact with it.
[01:05] There are some items you'll need in order to do this. This includes a private key as well as a list of certificates, which should be provided to you by your CA. Once you have these items, you can click "Yes, I have all the items above" and click Next. This will start the process of uploading your items and enabling SSL/TLS. I don't have these items, so I'll click Back and select "No, I don't have all the items above" instead, and click Next. This will allow me to create a Certificate Signing Request, or CSR, to send to a CA. I'll need to provide the full DNS name, also known as the common name, my organization name, the department, and a country code. Then the CA can review the information and sign the certificate. Alternatively, I can also use the information above and install a self-signed certificate to bypass a CA. This allows me to get the encryption benefits of SSL/TLS, but since it's not a certificate signed by a CA, I don't get the benefits of identity validation.
[02:07] I'll click the Install Self-Signed Certificate button to enable this for my gateway, and we'll see what this looks like. In my address field, you'll see that my web browser is connecting via HTTPS and using the default HTTPS port of 8043, instead of the default HTTP port of 8088. However, because it's a self-signed certificate, the browser will warn me not to trust the site. In order to move forward, I'll have to show the advanced options here and click Proceed. At the top of the page, I can see that SSL/TLS is enabled and a self-signed SSL certificate is installed. Now that it's enabled, I can also modify the HTTPS settings and change things like the HTTPS port; I can force all traffic to use HTTPS instead of HTTP; and I can add a whitelist or blacklist of cipher suites for any clients connecting to Ignition using SSL/TLS. I'll include a link to our user manual for these settings, as well as links to some security guides for additional security recommendations.