Communication Security Expander (On Client/FEP)

While creating or editing a Client/FEP project, the Communication Security expander allows you to configure the Server Communication details.

On Client/FEP, the Communication Security expander is enabled only during the Client/FEP project creation and editing.

  • In the Automatic configuration mode, when you select a server project, the security settings including the Communication mode, the Server proxy port, and the Certificate type are configured with the same details as those of the selected Server project.
  • In the Manual configuration mode, you must manually enter the same communication security details as those of the selected Server project.
    • When you configure a server project with Communication mode set to secured, you must provide the same root certificate as the one configured on the server.
      The host certificate and host key (only applies to .pem-based certificates) can be different, but must be created with the same root certificate provided on the Server. Otherwise, the Desigo CC client will not launch.

After Client/FEP project creation using file (.pem) based certificates, the root and host certificates and the host certificate key file used for secure communication are copied to the path ..\[ProjectName]\Config and the config file is updated. In case of Windows store certificates, only the config file is updated.

Project Settings — Communication Security Expander

Item

Description

Communication

By default this field is disabled and set to secured.
In Automatic configuration mode, this field is configured depending on the selected Client/Server communication mode in the Communication Security expander of the selected Server project and you cannot change this unless you switch to Manual configuration mode.
In Manual configuration mode, this field is enabled, allowing you to select one of the following Client/Server communication types. However, it is strongly recommended to set it as secured.
  • Secured: Allows you to enable secure communication between Server and Client/FEP projects by configuring the proxy port and the root and host certificates.
  • Stand-alone: When selected, no connection is established between Client/FEP project and the Server computer.
  • Unsecured: When selected, allows you to set up unsecured Client/Server communication.

Server proxy port

This is enabled only when you select Client/Server communication type as secured and you are creating/editing a project in Manual configuration mode.
Type in the port number, or increase/decrease it using the spin control buttons. The default port number is 5678. During secured Client/Server communication, all communication happens using this port of the Server.

Certificate type

By default, the Certificate type is set as Windows store. This is enabled only when you select Client/Server communication type as secured.
In Automatic configuration mode, the certificate type is configured depending on the certificate type configured in the Server project.
In Manual configuration mode, the Certificate type option buttons are enabled allowing you to change the Windows store default selection.
Once enabled, it allows you to select the root and host certificate either from Windows store or a .pem-file.
In case of a .pem file, you need to select an additional host certificate key file.

Root certificate

By default, it is enabled and the root certificate, if set as default on the Client/FEP machine, is selected.
Depending on the selected certificate type, you can browse the root certificate either from Windows store or from the disk for .pem-based files.
For the Windows store certificate type, when you click Browse, in the Store Location field, you can select either Local machine certificates or User certificates and select the root certificate from the Trusted Root Certification Authorities tab.
NOTE: SMC displays a certificate (root/host) in red, or as not configured in red, if the certificate is deleted from the Windows Certificate store, is expired, or if the certificate is not configured.

Host certificate

By default, it is enabled and the host certificate, if set as default on the Client/FEP machine, is selected.
Depending on the selected certificate type, you can browse the host certificate either from Windows store or from the disk (for .pem file).
For the Windows store certificate type, when you click Browse, in the Store Location field, you can select Local machine certificates or User certificates and select the host certificate from the Personal tab.
NOTE 1: For the Windows store certificate type, the host certificate must contain a private key, and this key must be marked as exportable. You can verify this by previewing the host certificate.
NOTE 2: Make sure the host certificate and the host key (only for file (.pem) based certificates) are generated from the Server root certificate you provided. If you select the host certificate from the User certificates store, the Add button is disabled. Since the User certificates store is local to a user account on the computer, you cannot add users to the Host Certificate User list.

Host key

This is enabled only when you select Client/Server communication type as secured and you have selected the certificate type as .pem file. Allows you to browse for the host key file used with .pem file-based certificates.

Host certificate users

By default, it displays the group or users of the host certificate that you have set as default on the Client/FEP. Add is always enabled, allowing you to add the user for the selected host certificate. You can also remove a user from the list other than the System user and the Administrator group, if available.
This field is available only when you select the secured Client/Server communication type and the Windows store certificate type.
NOTE 1: Only users and groups listed for the selected host certificate can launch the Desigo CC Client on the Client/FEP station.
NOTE 2: Even if a Client/FEP system user is present in the Administrators group and the Administrator group has rights on the private key of the host certificate, you must explicitly assign that user rights on the host certificate’s private key. Typically you can add a non-admin user to the list of host certificate users, so that a non-admin can work with the Desigo CC Client on the Client/FEP station.
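
The Manual configuration mode notes, and again NOTE 2 under Host certificate, require that the host certificate and host key be created from the root certificate provided on the Server. The following added example (not part of the Desigo CC documentation or tooling) checks a .pem set with the OpenSSL command line before it is selected in the expander. It assumes `openssl` is installed; all file names and certificate subjects are constructed.

```shell
#!/bin/sh
# Added example, not Desigo CC tooling. Assumes the openssl CLI is on PATH.
# All file names and certificate subjects below are constructed.

# check_pem_set ROOT HOST_CERT HOST_KEY
# Returns 0 only if HOST_CERT is unexpired, chains to ROOT, and HOST_KEY is
# the private key for HOST_CERT. Non-zero codes identify the failed check.
check_pem_set() {
    root=$1; host=$2; key=$3
    # 1. Readable and not expired (SMC flags expired certificates in red).
    openssl x509 -in "$host" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "host certificate unreadable or expired"; return 1; }
    # 2. Issued under the same root certificate the Server project uses.
    openssl verify -CAfile "$root" "$host" >/dev/null 2>&1 ||
        { echo "host certificate does not chain to this root"; return 2; }
    # 3. Public key in the certificate equals the one derived from the key file.
    cert_pub=$(openssl x509 -in "$host" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "host key unreadable"; return 3; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "host key does not match host certificate"; return 3; }
    echo "OK"
}

# make_demo_set DIR: constructed material (two unrelated roots, one host
# certificate issued by the first root) so the check can be tried offline.
make_demo_set() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Server Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Other Root" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client-fep" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/host.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -out "$d/host.pem" 2>/dev/null
}

# Demo: the matching set passes; the same host certificate against an
# unrelated root is rejected.
demo=$(mktemp -d)
make_demo_set "$demo"
check_pem_set "$demo/root.pem" "$demo/host.pem" "$demo/host.key"
check_pem_set "$demo/other.pem" "$demo/host.pem" "$demo/host.key" || true
rm -rf "$demo"
```

A passphrase-protected key file makes `openssl pkey` prompt for the passphrase, so run the check interactively in that case.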