Communication Security Expander

Project Settings Section

Item

Description

Process monitor (Pmon) user

Displays the Pmon user configured for the current project. If you change the System account user after project creation, there is an inconsistency between the System account user and the Pmon user and causing the Pmon user to display in red. To synch, you must stop the project, edit and save it.

Communication

Allows you to secure the communication between the Server project and the Client connected to that project. It provides the following Client/Server communication types:
Stand-alone: (default) The project is always created by default in the Stand-alone mode. In a Stand-alone Server project, no communication is possible between the Server and a linked Client project on another machine.
Secured: (recommended) When selected, allows you to enable secure communication by configuring the proxy port and certificates.
Unsecured: When selected allows you to set up unsecured and unencrypted Client/Server communication.

Server Proxy port

This is enabled only when you set the communication type as secured.
This port is used for secure Client/Server communication.
Default port number is 5678. Type the port number or increase/decrease it using the spin control buttons.

Certificate type

This is enabled only when you select communication type as secured. The default certificate type is Windows store. You can change this and select the option file (.pem) based.
Windows store: When selected, you can browse and select root and host certificates from those already imported in the Windows store.
File (.pem) based: When selected, you can browse and select root and host certificates of the File (.pem) based type. For File (.pem) based certificates, you need to select an additional host key certificate.

Root certificate

This is enabled only when you set the Client/Server communication type as Secured. By default, it displays the root certificate that you set as default.
Allows you to browse for and select the root certificate, either from the Windows store or from the disk, depending on the selected certificate type.
NOTE 1: For a Windows store certificate type, when you click Browse, the displays. In the Select Certificate dialog box, in the Store Location field, select either Local machine certificates or User certificates and select the root certificate from the Trusted Root Certification Authorities tab.

Host certificate

This is enabled only when you set the communication type as secured. By default, it displays the host certificate that you set as default.
Allows you to browse for and select the host certificate, either from the Windows store or from the disk, depending on the selected certificate type.
NOTE 1: For a Windows store certificate type, when you click Browse, the Select Certificate dialog box displays. In the Select Certificate dialog box, in the Store Location field, select either Local machine certificates or User certificates and select the host certificate from the Personal tab.
NOTE 2: Make sure that the host certificate is generated from the root certificate provided and the host certificate must contain a private key and this key should be marked as exportable.
NOTE 3: For Windows store certificate type, only certificates with RSA signature algorithm are supported. CNG certificates are not supported..

Host certificate users

This field is available only when you set the communication type as secured and the certificate type selected is Windows store.
Only users and groups listed for the selected host certificate can launch the Installed Client on the Client/FEP station. You can add/remove the user from this list.
NOTE: Even when a user's group is included in the host certificate users list, you still need to add the individual Client/FEP logged in user as well as the Client/FEP project’s Pmon user, to ensure the rights on the host certificate's private key while launching the Installed Client successfully on the Client/FEP station.
This must be the same user who has rights on the configured Server project folder and its subfolders.
Special Considerations When Applying Security for Closed Mode Configurations:
– To work with closed mode you must explicitly provide permissions to the Closed Mode user (GMSDefaultUser) on the private key of the Host certificate configured for the Client/Server communication. You must do this even if the Closed Mode user (GMSDefaultUser) is a member of a user group (for example, Administrators group) that has rights on the private key of the host certificate.
– If you are configuring closed mode on the Client/FEP system, you must provide rights to the local GMSDefaultuser (server user) on server project folder in order to have access to it from Client/FEP station. The logged-on Windows user on client is a local GMSDefaultuser.

Host key

This is enabled only when you set the communication type as secured and the certificate type as file (.pem) based. Allows you to browse for the host key certificate from the disk. This field is only available for File (.pem) based certificates.

Communication Security Expander

Item

Description

Communication

Allows you to secure the communication between the Server and web server (IIS) by configuring the CCom port and the host certificate. The web server (IIS) may be installed on the same computer as the Server (as a local web server) or it may be installed on a separate computer (acting as a remote web server).
Disabled: (Default selection) Indicates that the communication between the CCom manager of the project on the Server and the web server (IIS) is disabled. In this case, you cannot work with Windows App client.
Use this option for stand-alone installations where you do not have any Windows App client installed on the server.
Local: When selected, enables the communication between the CCom manager of the project on the Server and the web server (IIS) without certificates.
You can select this option when you have IIS on the same station as the server, and all Windows App clients are running on a secure, dedicated network.
Although you can use Windows App Clients with local communication, we recommend securing it.
Secured: When selected, enables a secure Web server communication between CCom manager of the project on Server and the web server (IIS). You must secure it by selecting a host certificate.
Select this option when you have IIS on a different (remote) station than the Server or when Windows App clients are running on a lower-security or non-dedicated network.

CCom port

(Available only on Server SMC) Default port number is 8000 and the support range is 1 through 65535. The CCom port is used by the CCom manager of a project to communicate with web server (IIS), which is required for working with Windows App client.
You can type or increase/decrease the port number using the spin control buttons. Once you edit the CCom port number, the equivalent value in the ServerProject Information expander gets updated when you save the project.
It displays in red indicating that the CCom port communication is local (without certificates). It is recommended to enable it by selecting Secured from the Communication drop-down list.
NOTE: On server, whenever the web server communication settings of a project are changed you need to edit, align with Server, and save the Web application linked with the Server project on the Client/FEP station.

Host certificate

This field is enabled only when you select Secured from the Web communication drop-down list. By default, it displays the host certificate that you have set as default. However, you can browse and select another host or self-signed certificate using the Select Certificate dialog box.