CoLOS®

Security and Certificate – Configuration and Troubleshooting Guide

DATE: April 6, 2022


DOCUMENT REVISION: 1.0
Security and Certificate – Configuration and Troubleshooting guide REV.:1

Table of Contents

Overview
Introduction
CoLOS End Points
CLI
OPC UA
Web API
CAT
Web Production Panel
Certificate Management
Configuring HTTPS Web Production Panel / WEB API / CAT (operator panel)
Known behavior with Chrome/Firefox on certificates
Configuring CLI
Configuring Certificates for OPC UA
Configuring Certificates for SAML

Systech Proprietary and Confidential Page 2 of 10



Revision History

Rev. No.   Date            Description of Change
1.00       April 6, 2022   The initial release of the publication.




Overview
This guide provides information on the configuration and troubleshooting of the CoLOS security settings
and certificates.

Introduction
CoLOS provides multiple endpoints using different protocols (e.g., OPC UA over TCP, CLI over TCP, Web API over HTTP).

CoLOS allows each endpoint to be secured with TLS/SSL. This requires a certificate, which authenticates the
endpoint to its clients and is used to protect (encrypt) the data being exchanged.

CoLOS End Points

Before applying a certificate, security must be turned on for the endpoint.

CLI
On CoLOS Administrator left side panel, go to Control Panel > Integration Services > CLI Service >
Properties > Configuration.




OPC UA
On CoLOS Administrator left side panel, go to Control Panel > Integration Services > OPC UA Server >
Properties > Configuration.

Web API
On CoLOS Administrator left side panel, go to Control Panel > Integration Services > Web API > Properties
> Configuration.




CAT
On CoLOS Administrator left side panel, go to Control Panel > CAT > Properties > Configuration.

Web Production Panel

On CoLOS Administrator left side panel, go to Control Panel > Web Production Panel > Properties >
Configuration.

Any changes in the security settings require a restart of the Markem-Imaje Connectivity service for the
changes to take effect.




Certificate Management
CoLOS endpoint certificates are managed from CoLOS Administrator: on the left side panel, go to
Control Panel > System > Properties > Certificate management.

Note: Certificates can be imported only on the server computer, not from a client computer. This is done
for security reasons: transferring a certificate together with its private key over the network is not recommended.

Self-signed certificates are commonly used on networks behind a firewall and for testing deployments.
CoLOS creates a self-signed certificate at installation time. For production use, certificates signed by a
known certificate authority are recommended.

It is also common for large organizations to issue certificates from their own internal certificate authority.

Users can import certificates using CoLOS Administrator and secure the endpoints with the imported
certificate.




Configuring HTTPS Web Production Panel / WEB API / CAT (operator panel)
CoLOS generates a self-signed certificate for these endpoints.

The certificate generated for Web API can be reused for CAT as well (by importing the certificate from the
Windows certificate store).

The CAT certificate can be overridden at the project level by adding the certificate thumbprint to the
project profile (under the key HTTPThumbprint).

Some references for creating an SSL certificate to secure web server endpoints:

• Key Manager Plus: https://www.manageengine.com/key-manager/ssl-certificate-deployment-microsoft-iis.htm

• DigiCert for IIS: https://www.digicert.com/kb/csr-creation-ssl-installation-iis-10.htm

• DigiCert for Apache: https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm

If a custom certificate is used, it must be imported using the import link in CoLOS. The imported
certificate is automatically added to the Personal folder of the Windows certificate store.

This enables the customer's IT team to manage the certificate through the Windows certificate manager.

After the certificate has been set up for the endpoint, the server certificate can be exported using CoLOS
Administrator; the export contains the certificate with the public key only, never the private key. The
exported certificate needs to be installed in the Enterprise Trust folder on every client computer from
which the endpoint is accessed.
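The export-and-install step above as an added PowerShell example; it is not part of the CoLOS guide or product. The thumbprint, the store location (Cert:\LocalMachine\My is the Personal folder of the Local Computer store) and the file paths are assumed values.

```powershell
# Added example, not from the CoLOS guide or product: export the public certificate
# of a secured endpoint on the server and install it on a client. Thumbprint, store
# location and file paths are assumed values.

# ---- On the CoLOS server ---------------------------------------------------------
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed: from Certificate management
$CerFile    = 'C:\Temp\colos-endpoint.cer'

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

# -Type CERT writes the DER-encoded certificate only. Unlike Export-PfxCertificate,
# this cmdlet cannot include the private key, so the key never leaves the server.
Export-Certificate -Cert $cert -FilePath $CerFile -Type CERT | Out-Null

# Check the file before copying it anywhere: same certificate, no private key attached
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
if ($exported.HasPrivateKey)              { throw 'Exported file contains a private key' }
if ($exported.Thumbprint -ne $Thumbprint) { throw 'Exported file is not the endpoint certificate' }

# ---- On each client computer, after copying colos-endpoint.cer there ----------------
# 'Trust' is the store name behind the Enterprise Trust folder shown in certlm.msc
Import-Certificate -FilePath 'C:\Temp\colos-endpoint.cer' `
                   -CertStoreLocation 'Cert:\LocalMachine\Trust' | Out-Null

# Verify the client can now build a trusted chain to the endpoint certificate
$clientCopy = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\colos-endpoint.cer'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # self-signed: there is no CRL to fetch
if ($chain.Build($clientCopy)) {
    'Endpoint certificate is trusted on this client'
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

If the chain check on the client still reports UntrustedRoot, the Windows chain engine (which Chrome and Edge on Windows consult) is looking for a self-signed endpoint certificate in Trusted Root Certification Authorities (Cert:\LocalMachine\Root); importing the exported .cer into that store is what clears the warning for a self-signed certificate. Firefox keeps its own certificate store and is not affected by either import.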

Even though the server endpoints are secured with an SSL certificate, third-party clients such as browsers may
impose additional restrictions on certificate usage.

So even though the CoLOS endpoint is secured, a client may still show a warning when it cannot verify the
certificate's trust chain, or when the server name in the certificate does not match the host name used in the URL.

Known behavior with Chrome/Firefox on certificates

Firefox does not accept self-signed certificates as trusted. With the CoLOS self-signed certificate, Firefox
reports that the site is not secure.

Matching the host name against the certificate's Common Name (CN) is obsolete; Chrome only accepts the
identity given in the Subject Alternative Name (SAN) extension of the certificate. Ensure the certificate is
generated with the server's host name in the Subject Alternative Name.

It is the customer IT team's responsibility to provide a certificate with the required keys and usages.
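A check for the two warning causes above (missing SAN entry and missing trust), as an added PowerShell example rather than anything shipped with CoLOS; the host name and thumbprint are assumed values. It decodes the Subject Alternative Name extension from its DER bytes, so the result does not depend on the display language of the Windows certificate viewer.

```powershell
# Added example, not part of the CoLOS guide or product. Checks whether the certificate
# bound to a CoLOS web endpoint satisfies what Chrome requires: the host name typed in
# the URL must appear as a DNS entry in the Subject Alternative Name; the CN is ignored.
$HostName   = 'colos01.plant.example'                        # assumed: name used in the browser URL
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'     # assumed: from Certificate management

function Get-SanEntries {
    # Decode the SAN extension (OID 2.5.29.17). Its DER value is SEQUENCE OF GeneralName,
    # each with a context-specific tag: [2] dNSName, [6] uniformResourceIdentifier, [7] iPAddress.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $raw = $ext.RawData
    $pos = 1                                       # skip the outer SEQUENCE tag (0x30)
    $len = [int]$raw[$pos]; $pos++
    if ($len -band 0x80) {                         # long-form length: next n bytes hold it
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $raw[$pos]; $pos++ }
    }
    $end = $pos + $len
    $entries = @()
    while ($pos -lt $end) {
        $tag = [int]$raw[$pos]; $pos++
        $l = [int]$raw[$pos]; $pos++
        if ($l -band 0x80) {
            $n = $l -band 0x7F; $l = 0
            for ($i = 0; $i -lt $n; $i++) { $l = ($l -shl 8) -bor $raw[$pos]; $pos++ }
        }
        $value = if ($l -gt 0) { [byte[]]$raw[$pos..($pos + $l - 1)] } else { [byte[]]@() }
        $pos += $l
        $kind = switch ($tag -band 0x1F) { 2 { 'DNS' } 6 { 'URI' } 7 { 'IP' } default { 'Other' } }
        $text = switch ($kind) {
            'DNS'   { [Text.Encoding]::ASCII.GetString($value) }
            'URI'   { [Text.Encoding]::ASCII.GetString($value) }
            'IP'    { if ($value.Length -eq 4) { $value -join '.' } else { [BitConverter]::ToString($value) } }
            default { 'tag ' + $tag }
        }
        $entries += [pscustomobject]@{ Type = $kind; Value = $text }
    }
    return $entries
}

$cert     = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"
$san      = Get-SanEntries -Certificate $cert
$dnsNames = @($san | Where-Object Type -eq 'DNS' | ForEach-Object Value)

# Host-name match: exact DNS entry, or a wildcard entry one label above (*.plant.example)
$parent  = ($HostName -split '\.', 2)[1]
$matched = ($dnsNames -contains $HostName) -or ($dnsNames -contains "*.$parent")

# An HTTPS endpoint also needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1'))

[pscustomobject]@{
    Subject       = $cert.Subject
    SanDnsNames   = $dnsNames -join ', '
    HostNameInSan = $matched          # $false: Chrome shows NET::ERR_CERT_COMMON_NAME_INVALID
    ServerAuthEku = $hasServerAuth
    TrustedByHost = $cert.Verify()    # $false: chain/trust warning; install the exported public cert on the client
    HasPrivateKey = $cert.HasPrivateKey   # true on the server; must be false for exported client copies
}
```

Run it on the server against the thumbprint shown in Certificate management, and again on a client against the imported copy (Cert:\LocalMachine\Trust or Root instead of My) to see which of the two conditions, name or trust, the client is actually failing.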




Configuring CLI
After enabling the security setting in CoLOS Administrator, a client accessing the CLI over TLS must use
the same TLS version as configured for the CLI service, and the CLI client application must trust the CLI
certificate in use. For this, the public part of the CLI certificate (without the private key) can be exported
through the CoLOS Administrator Export link and installed on the client.
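A way to check both requirements from the client side, as an added PowerShell example that is not part of the CoLOS guide or product: it opens a TLS connection to the CLI endpoint with one explicit protocol version and reports the negotiated version and the certificate verdict. The server name and the port are assumed values; the port is whatever is configured under CLI Service > Properties.

```powershell
# Added example, not from the CoLOS guide or product: connect to the CLI endpoint over
# TLS with an explicit protocol version and report what the client sees.
$Server   = 'colos01.plant.example'                                   # assumed
$Port     = 5000                                                      # assumed: CLI Service port
$Protocol = [System.Security.Authentication.SslProtocols]::Tls12      # must equal the CLI setting

$seen = @{ Errors = $null }   # filled in by the validation callback below

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # Record the verdict instead of aborting, so the handshake completes and can be inspected
        $seen.Errors = $sslPolicyErrors
        return $true
    })
try {
    $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
    [pscustomobject]@{
        Negotiated   = $ssl.SslProtocol                          # version both sides agreed on
        Subject      = $ssl.RemoteCertificate.Subject
        Thumbprint   = $ssl.RemoteCertificate.GetCertHashString()
        PolicyErrors = $seen.Errors
        # None                          -> trusted and the name matches
        # RemoteCertificateChainErrors  -> export the CLI public certificate and install it on this client
        # RemoteCertificateNameMismatch -> $Server is not in the certificate's Subject Alternative Name
    }
}
catch [System.IO.IOException], [System.Security.Authentication.AuthenticationException] {
    # Typical when the client and the CLI service have no TLS version in common
    Write-Warning "TLS handshake with $Server failed using $Protocol : $($_.Exception.Message)"
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Re-run with $Protocol set to the version configured for the CLI service if the first attempt fails; a handshake that succeeds only with one version confirms the version mismatch, while PolicyErrors isolates trust and name problems from version problems.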

Configuring Certificates for OPC UA

The OPC UA certificates are managed through the file system.

For CAT, the certificate store location is:

C:\ProgramData\Markem-Imaje\CA\v6.3\Certificates

For CoLOS Enterprise (CE OPC UA, client and server), the location is:

C:\ProgramData\Markem-Imaje\NGW\v6.3\Certificates

The details of the store locations are outlined below:

Own folder

The certificate in the own/ folder provides the OPC UA endpoint's identity and is used to protect the data
exchange between client and server.

The certificate with both the public and the private key goes in the 'own/private' folder; the certificate
with only the public key goes in the 'own' folder.

Rejected folder

Certificates from rejected and untrusted connections are added to this folder. To trust one of them, move
that certificate to the trusted folder.

Trusted folder

Add the certificates of the clients that should be trusted to this folder.

Issuers folder

If there are multiple certificates to be trusted and all of them come from the same issuer, the issuer's (CA)
certificate can be added to this folder.

Points to note when using a custom certificate for OPC UA:

Each endpoint standard is different, and there can be additional requirements on the certificate. Some
endpoints need a plain SSL/TLS server certificate, whereas others require specific key usages to be present
in the certificate. OPC UA certificates additionally carry the application URI (as a URI entry in the Subject
Alternative Name) so that clients can match the certificate to the server application.




CoLOS creates a self-signed certificate for OPC UA, and it can be used as a reference for creating a new
certificate for OPC UA.
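Creating such a certificate and filing it into the store layout described above, as an added PowerShell example that is not the CoLOS product's own tooling. The host name, application URI, organisation, and the file names and extensions (.der for the public part, .pfx for the part that includes the private key) are assumed values; the CoLOS-generated certificate remains the reference for the exact values an installation expects.

```powershell
# Added example, not from the CoLOS guide or product: create an OPC UA application
# instance certificate and file it into own/ and own/private. Host name, application
# URI, organisation and file names/extensions are assumed values.
$HostName = 'colos01.plant.example'                               # assumed
$AppUri   = 'urn:colos01.plant.example:Markem-Imaje:CoLOS'        # assumed URI format
$Store    = 'C:\ProgramData\Markem-Imaje\NGW\v6.3\Certificates'   # CoLOS Enterprise OPC UA store

# SAN carries the host name (DNS) and the application URI (URL entry) that OPC UA
# clients compare with the server's ApplicationUri. The key usages and the
# serverAuth/clientAuth EKUs (1.3.6.1.5.5.7.3.1 / .2) are what OPC UA stacks check;
# the NGW store serves both the client and the server side, hence both EKUs.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$HostName, O=Example Plant" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment `
    -TextExtension @(
        "2.5.29.17={text}DNS=$HostName&URL=$AppUri",
        '2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'
    ) `
    -NotAfter (Get-Date).AddYears(2) `
    -FriendlyName 'CoLOS OPC UA (example)'

# Checks before filing: private key present, and the URI really landed in the SAN
if (-not $cert.HasPrivateKey) { throw 'No private key was generated' }
$sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
if ($sanText -notmatch [regex]::Escape($AppUri)) { throw 'Application URI missing from SAN' }

# own/  <- public certificate only;  own/private/ <- certificate with the private key
$ownDir  = Join-Path $Store 'own'
$privDir = Join-Path $ownDir 'private'
New-Item -ItemType Directory -Path $privDir -Force | Out-Null

Export-Certificate -Cert $cert -FilePath (Join-Path $ownDir "$HostName.der") -Type CERT | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the private key file'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $privDir "$HostName.pfx") -Password $pfxPassword | Out-Null

$keyUsages = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
"Created $($cert.Thumbprint) with key usages: $keyUsages"
```

The public .der is what peers receive and, on their side, place in their trusted folder; the .pfx in own/private must stay on this machine, which is also why the guide only allows certificate import from the server computer.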

Configuring Certificates for SAML

In the case of SAML, the CoLOS server needs to trust the IdP so that it can verify that the authentication
callback (the signed SAML response) genuinely comes from the trusted IdP. The IdP's signing certificate
therefore needs to be exported from the IdP and imported into the CoLOS SAML configuration.
