Communication Security Expander

The Communication Security expander allows you to configure the proxy port for secured Client/Server communication. It also allows you to configure the security settings for Client/Server communication and Web Server communication using certificates.

To secure Client/Server communication you can use either file (.pem) based certificates or certificates from the Windows certificate store. File (.pem) based certificates must be available as .pem files on disk. Windows store certificates must be imported into the appropriate Windows certificate store.

For securing the Web Server communication over the CCom port, only certificates available in the Windows store can be used.

On a Server SMC

On a Server SMC, when you edit a project you can configure the security settings for Client/Server communication using the Server Communication section. In addition, you can modify the Web Server communication settings and the CCom port number.

Communication Security Expander – Server Communication Section

The Project Settings section of the Communication Security expander allows you to configure the details of the project, including the Communication type, the Server Proxy port number, and the Windows store or File (.pem) based root and host certificates.

Project Settings Section

Item

Description

Process monitor (Pmon) user

Displays the Pmon user configured for the current project. If you change the System account user after project creation, the System account user and the Pmon user become inconsistent, and the Pmon user displays in red. To synchronize them, you must stop the project, then edit and save it.

Communication

Allows you to secure the communication between the Server project and the Client connected to that project. It provides the following Client/Server communication types:
Stand-alone: (default) The project is always created by default in the Stand-alone mode. In a Stand-alone Server project, no communication is possible between the Server and a linked Client project on another machine.
Secured: (recommended) When selected, allows you to enable secure communication by configuring the proxy port and certificates.
Unsecured: When selected, allows you to set up unsecured and unencrypted Client/Server communication.

Server Proxy port

This is enabled only when you set the communication type as secured.
This port is used for secure Client/Server communication.
Default port number is 5678. Type the port number or increase/decrease it using the spin control buttons.

Certificate type

This is enabled only when you set the Communication type to Secured. The default certificate type is Windows store. You can change this and select the File (.pem) based option instead.
Windows store: When selected, you can browse and select root and host certificates from those already imported in the Windows store.
File (.pem) based: When selected, you can browse and select root and host certificates of the File (.pem) based type. For File (.pem) based certificates, you need to select an additional host key certificate.

Root certificate

This is enabled only when you set the Client/Server communication type as Secured. By default, it displays the root certificate that you set as default.
Allows you to browse for and select the root certificate, either from the Windows store or from the disk, depending on the selected certificate type.
NOTE 1: For the Windows store certificate type, when you click Browse, the Select Certificate dialog box displays. In the Select Certificate dialog box, in the Store Location field, select either Local machine certificates or User certificates and select the root certificate from the Trusted Root Certification Authorities tab.

Host certificate

This is enabled only when you set the communication type as secured. By default, it displays the host certificate that you set as default.
Allows you to browse for and select the host certificate, either from the Windows store or from the disk, depending on the selected certificate type.
NOTE 1: For a Windows store certificate type, when you click Browse, the Select Certificate dialog box displays. In the Select Certificate dialog box, in the Store Location field, select either Local machine certificates or User certificates and select the host certificate from the Personal tab.
NOTE 2: Make sure that the host certificate is issued by the root certificate provided, that it contains a private key, and that this key is marked as exportable.
NOTE 3: For the Windows store certificate type, only certificates with the RSA signature algorithm are supported. CNG certificates are not supported.

Host certificate users

This field is available only when you set the communication type as secured and the certificate type selected is Windows store.
Only users and groups listed for the selected host certificate can launch the Installed Client on the Client/FEP station. You can add/remove the user from this list.
NOTE: Even when a user's group is included in the host certificate users list, you still need to add the individual Client/FEP logged in user as well as the Client/FEP project’s Pmon user, to ensure the rights on the host certificate's private key while launching the Installed Client successfully on the Client/FEP station.
This must be the same user who has rights on the configured Server project folder and its subfolders.
Special Considerations When Applying Security for Closed Mode Configurations:
To work with closed mode you must explicitly grant the Closed Mode user (GMSDefaultUser) permissions on the private key of the host certificate configured for Client/Server communication. You must do this even if the Closed Mode user (GMSDefaultUser) is a member of a user group (for example, the Administrators group) that already has rights on the private key of the host certificate.
If you are configuring closed mode on the Client/FEP system, you must also grant the local GMSDefaultUser (server user) rights on the Server project folder so that it can be accessed from the Client/FEP station. The logged-on Windows user on the client is the local GMSDefaultUser.
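The notes above say that every account that launches the Installed Client (the logged-on user, the project's Pmon user and, in closed mode, GMSDefaultUser) must individually hold rights on the host certificate's private key; group membership is not enough. The following PowerShell script is an added example for this page, not Desigo CC or SMC code, for auditing who currently holds those rights and granting Read to the accounts that are missing. It assumes Windows PowerShell 5.1 run as administrator, a host certificate in LocalMachine\My whose RSA key is held by a legacy CSP (the only key type the expander supports); the thumbprint and account names are placeholders.

```powershell
# Added example for this page; not Desigo CC / SMC code.
# Assumes Windows PowerShell 5.1 run as administrator on the station holding the
# host certificate in LocalMachine\My with a legacy CSP (non-CNG) RSA key.
# The thumbprint and account names below are placeholders.
using namespace System.Security.AccessControl
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CspPrivateKeyFile {
    # Locates the key container file of a CSP-held RSA key. Machine keys live under
    # %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, user keys under %APPDATA%\Microsoft\Crypto\RSA\<SID>.
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { throw "No private key for $($Certificate.Subject)" }
    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -isnot [RSACryptoServiceProvider]) {
        throw "Key is held by CNG; the expander supports only legacy CSP RSA keys"
    }
    $info = $rsa.CspKeyContainerInfo
    $base = if ($info.MachineKeyStore) { Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys' }
            else { Join-Path $env:APPDATA 'Microsoft\Crypto\RSA' }
    $file = Get-ChildItem -Path $base -Recurse -Force -Filter $info.UniqueKeyContainerName |
            Select-Object -First 1
    if (-not $file) { throw "Key container $($info.UniqueKeyContainerName) not found under $base" }
    $file.FullName
}

function Get-PrivateKeyAccess {
    # Lists who currently holds rights on the key, to compare with the "Host certificate users" list.
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    (Get-Acl -Path (Get-CspPrivateKeyFile $Certificate)).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

function Grant-PrivateKeyRead {
    # Grants each principal Read on the key file. Read is enough to use the key;
    # every account is added individually, matching the note that group
    # membership alone does not give the rights the Installed Client needs.
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$Principal
    )
    $path = Get-CspPrivateKeyFile $Certificate
    $acl = Get-Acl -Path $path
    foreach ($p in $Principal) {
        $rule = [FileSystemAccessRule]::new($p, [FileSystemRights]::Read, [AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    Get-PrivateKeyAccess $Certificate
}

# Usage (placeholders): the logged-on Client/FEP user, the project's Pmon user and,
# for closed mode, the local GMSDefaultUser, each named explicitly.
$hostCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq '<HOST_THUMBPRINT>'
Grant-PrivateKeyRead -Certificate $hostCert -Principal @(
    'DOMAIN\operator01',                 # Client/FEP logged-on user (placeholder)
    'DOMAIN\svc-pmon',                   # Pmon user of the project (placeholder)
    "$env:COMPUTERNAME\GMSDefaultUser"   # closed-mode user (local account)
)
```

Run Get-PrivateKeyAccess first to see the current entries; an account that appears only through a group entry such as Administrators is the case the note warns about and should be added by name. The script deliberately grants Read rather than Full Control, which is all that signing with the key requires.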

Host key

This is enabled only when you set the communication type as secured and the certificate type as file (.pem) based. Allows you to browse for the host key certificate from the disk. This field is only available for File (.pem) based certificates.
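The Host certificate notes above set several requirements that the expander itself does not check until the Client fails to launch: the host certificate must be issued by the configured root, it must be an RSA certificate, and for the Windows store type its private key must be present, held by a legacy CSP rather than CNG, and marked exportable. The following PowerShell script is an added example for this page, not Desigo CC or SMC code, that checks those points before you enter the certificates; it assumes Windows PowerShell 5.1 (.NET Framework) and loads certificates either by thumbprint from the two store locations offered by the Select Certificate dialog or from a .pem file on disk. Thumbprints and paths are placeholders, and for the File (.pem) based type the separate host key file is not inspected. The same check is useful on a Client/FEP station in manual mode, where the same root certificate must be supplied.

```powershell
# Added example for this page; not Desigo CC / SMC code.
# Assumes Windows PowerShell 5.1 (.NET Framework). Run elevated to read
# LocalMachine private-key information. Thumbprints and paths are placeholders.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CertificateFromStoreOrFile {
    # Loads a certificate from a .pem/.cer file or, by thumbprint, from the store the
    # Select Certificate dialog offers: 'Root' (Trusted Root CAs) or 'My' (Personal).
    param([string]$Thumbprint, [string]$Path, [string]$StoreName = 'My')
    if ($Path) { return [X509Certificate2]::new($Path) }
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $match = Get-ChildItem "Cert:\$location\$StoreName" | Where-Object Thumbprint -eq $Thumbprint
        if ($match) { return $match }
    }
    throw "Certificate $Thumbprint not found in the $StoreName store of either location"
}

function Test-HostCertificate {
    # Returns one object with a true/false field per requirement in the expander notes.
    param(
        [Parameter(Mandatory)][X509Certificate2]$HostCert,
        [Parameter(Mandatory)][X509Certificate2]$Root,
        [switch]$FileBased   # File (.pem) based type: the private key lives in a separate host key file
    )
    $r = [ordered]@{ Subject = $HostCert.Subject; NotAfter = $HostCert.NotAfter }

    # NOTE 2: the host certificate must be issued by the configured root. The chain engine
    # verifies the issuer signature; we then require the top of the chain to be exactly the
    # supplied root. AllowUnknownCertificateAuthority lets the chain build even when the root
    # is a .pem file that is not in the Windows trust store.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    [void]$chain.Build($HostCert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $otherErrors = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' })
    $r.IssuedByConfiguredRoot = ($top.Thumbprint -eq $Root.Thumbprint) -and ($otherErrors.Count -eq 0)
    $r.ChainErrors = ($otherErrors | ForEach-Object { $_.Status }) -join ','

    # NOTE 3: only RSA certificates are supported.
    $r.IsRsa = ($HostCert.PublicKey.Oid.FriendlyName -eq 'RSA')
    $r.SignatureAlgorithm = $HostCert.SignatureAlgorithm.FriendlyName

    # NOTE 2 / NOTE 3 (Windows store type): private key present, held by a legacy CSP, exportable.
    $r.HasPrivateKey = $HostCert.HasPrivateKey
    $r.IsCngKey = $null; $r.Exportable = $null
    if ($HostCert.HasPrivateKey) {
        # On .NET Framework this returns RSACryptoServiceProvider for CSP keys and RSACng for CNG keys.
        $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($HostCert)
        $r.IsCngKey = ($rsa -is [RSACng])
        if ($rsa -is [RSACryptoServiceProvider]) {
            $r.Exportable = $rsa.CspKeyContainerInfo.Exportable
        } elseif ($rsa -is [RSACng]) {
            $r.Exportable = (($rsa.Key.ExportPolicy -band [CngExportPolicies]::AllowExport) -ne 0)
        }
    }
    if ($FileBased) {
        $r.MeetsExpanderRequirements = $r.IssuedByConfiguredRoot -and $r.IsRsa
    } else {
        $r.MeetsExpanderRequirements = $r.IssuedByConfiguredRoot -and $r.IsRsa -and
            $r.HasPrivateKey -and ($r.IsCngKey -eq $false) -and ($r.Exportable -eq $true)
    }
    [pscustomobject]$r
}

# Usage, Windows store certificate type (placeholder thumbprints):
$root     = Get-CertificateFromStoreOrFile -Thumbprint '<ROOT_THUMBPRINT>' -StoreName Root
$hostCert = Get-CertificateFromStoreOrFile -Thumbprint '<HOST_THUMBPRINT>' -StoreName My
Test-HostCertificate -HostCert $hostCert -Root $root | Format-List

# Usage, File (.pem) based certificate type (placeholder paths):
# Test-HostCertificate -FileBased -HostCert (Get-CertificateFromStoreOrFile -Path 'C:\certs\host.pem') `
#                      -Root (Get-CertificateFromStoreOrFile -Path 'C:\certs\root.pem') | Format-List
```

A result with IssuedByConfiguredRoot false and ChainErrors containing PartialChain or NotSignatureValid means the host certificate was not generated from the root you are about to configure, which is the mismatch that prevents the Desigo CC Client from launching; IsCngKey true means the certificate must be re-issued with a legacy CSP key before the Windows store type can be used.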

Communication Security Expander – Web Server Communication

The Web Server Communication group in the Communication Security expander allows you to configure secure web communication between the Server project and IIS (typically a remote web server), which takes place over the CCom port. The communication is secured using a host certificate.

For communication between the Server and a local web server, you can leave the web server communication set to Local (without certificates).

You can configure the web server communication during project creation and modification on Server, Client/FEP installations.

NOTE:
With Version 5.0, the Unsecured communication type is replaced with Local. It is recommended to configure the communication of all remote web applications to Secured as Unsecured communication will not work.


Web Server Communication Section

Item

Description

Communication

Allows you to secure the communication between the Server and web server (IIS) by configuring the CCom port and the host certificate. The web server (IIS) may be installed on the same computer as the Server (as a local web server) or it may be installed on a separate computer (acting as a remote web server).
Disabled: (Default selection) Indicates that the communication between the CCom manager of the project on the Server and the web server (IIS) is disabled. In this case, you cannot work with Windows App client.
Use this option for stand-alone installations where you do not have any Windows App client installed on the server.
Local: When selected, enables the communication between the CCom manager of the project on the Server and the web server (IIS) without certificates.
You can select this option when you have IIS on the same station as the server, and all Windows App clients are running on a secure, dedicated network.
Although you can use Windows App Clients with local communication, we recommend securing it.
Secured: When selected, enables a secure Web server communication between CCom manager of the project on Server and the web server (IIS). You must secure it by selecting a host certificate.
Select this option when you have IIS on a different (remote) station than the Server or when Windows App clients are running on a lower-security or non-dedicated network.

CCom port

(Available only on a Server SMC) The default port number is 8000 and the supported range is 1 through 65535. The CCom port is used by the CCom manager of a project to communicate with the web server (IIS), which is required for working with the Windows App client.
You can type the port number or increase/decrease it using the spin control buttons. Once you edit the CCom port number, the equivalent value in the Server Project Information expander is updated when you save the project.
The port number displays in red when the CCom port communication is Local (without certificates). It is recommended to secure it by selecting Secured from the Communication drop-down list.
NOTE: On server, whenever the web server communication settings of a project are changed you need to edit, align with Server, and save the Web application linked with the Server project on the Client/FEP station.

Host certificate

This field is enabled only when you select Secured from the Web communication drop-down list. By default, it displays the host certificate that you have set as default. However, you can browse and select another host or self-signed certificate using the Select Certificate dialog box.

On a Client/FEP SMC in Automatic Mode

When you edit a project on a Client/FEP SMC, the Communication Security expander allows you to configure the security details with Server Communication set to either Automatic configuration or Manual configuration.

In automatic mode, once you select the Server and the Server project, the appropriate security settings for that project are set automatically. For example, if you select an unsecured or stand-alone Server project, all the fields of the Communication Security expander are disabled.

If you select a secured Server project, the certificate type is set to match that of the Server project. For example, if you select a secured Server project that has secured communication using Windows store certificates, the certificate type is automatically set to Windows store during the Client/FEP project creation/modification. Note that, for the Windows store certificate type, you must add the host certificate users, who can launch the Desigo CC Client on the Client/FEP station.

On a Client/FEP SMC in Manual Mode

When you edit the Client/FEP project in the Manual configuration mode, you must manually enter the same server communication details for the selected Server project.


NOTE 1: When modifying a project on a Client/FEP, if you select a Server project with Secured Client/Server communication, you must provide the same root certificate that is configured for Client/Server communication in the selected Server project. The host certificate can be different, but it must be created from the root certificate provided on the Client/FEP. Otherwise, the Desigo CC Client application does not launch.
NOTE 2: The host certificate is used by the Desigo CC Client/FEP. Therefore, the operating system user logged in on the Client/FEP must be given access to the private key of the host certificate stored in the Windows certificate store.
NOTE 3: On Server/Client stations, for Windows store certificate type, only certificates with RSA signature algorithm are supported. CNG certificates are not supported.