Security and Certificate - Configuration and Troubleshooting Guide
Table of Contents
Overview
Introduction
CLI
OPC UA
CAT
Configuring HTTPS Web Production Panel / WEB API / CAT (operator panel)
Revision History
Overview
This guide provides information on the configuration and troubleshooting of the CoLOS security settings
and certificates.
Introduction
CoLOS provides multiple endpoints with different protocols (e.g., OPC/TCP, CLI/TCP, Web API/HTTP).
Each endpoint can be secured with TLS/SSL, which requires a certificate for signing and
encrypting the data being exchanged.
CLI
On CoLOS Administrator left side panel, go to Control Panel > Integration Services > CLI Service >
Properties > Configuration.
OPC UA
On CoLOS Administrator left side panel, go to Control Panel > Integration Services > OPC UA Server >
Properties > Configuration.
Web API
On CoLOS Administrator left side panel, go to Control Panel > Integration Services > Web API > Properties
> Configuration.
CAT
On CoLOS Administrator left side panel, go to Control Panel > CAT > Properties > Configuration.
Any changes in the security settings require a restart of the Markem-Imaje Connectivity service for the
changes to take effect.
Certificate Management
CoLOS endpoint certificates are managed from the CoLOS Administrator left side panel: go to
Control Panel > System > Properties > Certificate management.
Note: Certificates can be imported only from the server computer, not from a client computer. This is a
security measure: transferring a certificate together with its private key over the network is not recommended.
Self-signed certificates are commonly used on networks behind a firewall and for testing deployments.
CoLOS creates a self-signed certificate at installation time. For production use, certificates signed by a
known certificate authority are recommended.
It is also common for large organizations to use their own certificate authority to issue certificates.
Users can import such certificates using the CoLOS Administrator and secure the endpoints with the
imported certificate.
Configuring HTTPS Web Production Panel / WEB API / CAT (operator panel)
CoLOS generates a self-signed certificate for these endpoints.
The certificate generated for Web API can be reused for CAT as well, by importing the certificate from the
Windows certificate store.
The CAT certificate can be overridden at the project level by adding the certificate thumbprint to the
project profile (under the key HTTPThumbprint).
Some of the references to create an SSL certificate to secure web server endpoints,
If a custom certificate is used, it must be imported using the Import link in CoLOS. The imported
certificate is automatically added to the Personal folder of the Windows certificate store.
This lets the customer's IT team manage the certificate through the Windows certificate manager.
After the certificate has been set up for the endpoint (server), the server certificate can be exported using
CoLOS Administrator; the export contains only the public key. The exported certificate must be installed in
the Enterprise Trusted folder on every client computer from which the endpoint is accessed.
Even when the server endpoints are secured with an SSL certificate, third-party clients such as browsers
may place additional restrictions on certificate usage.
A client may still show a warning if it cannot verify the certificate's chain of trust, or if the server name in
the certificate does not match the host name used in the URL.
Relying on the certificate's Common Name (CN) is deprecated, and Chrome accepts the certificate only if
the server identity is present in the Subject Alternative Name (SAN) extension. Ensure the certificate is
generated with the server's host name in the Subject Alternative Name.
Providing a certificate with the required keys and usages is the responsibility of the customer's IT team.
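The following PowerShell is an added example and is not part of the CoLOS guide or product. It shows how a customer IT team can issue a test certificate whose Subject Alternative Name carries the server's host names, export only the public part, and install that export in a client's trust store, which is the sequence the paragraphs above describe. The host names, the file path and the choice of the Trusted Root store on the client are assumptions; a production certificate would be issued by the organization's CA rather than by New-SelfSignedCertificate, but the SAN check and the export/import steps are the same.

```powershell
# Added example (not CoLOS code). Run in an elevated PowerShell on Windows.
# Host names below are placeholders; use the names clients type in the URL.
$ServerNames = @('colos-srv.example.local', 'colos-srv')

# --- Server side -------------------------------------------------------------
# Self-signed certificate with the host names as dNSName entries of the
# Subject Alternative Name, stored in the machine Personal store (the folder
# where CoLOS also places imported certificates).
$cert = New-SelfSignedCertificate -DnsName $ServerNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -FriendlyName 'CoLOS Web API test certificate'

# Verify the SAN extension (OID 2.5.29.17) before handing the certificate to
# CoLOS; a certificate that carries the name only in the CN is not accepted by Chrome.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Certificate has no Subject Alternative Name extension' }
"Thumbprint : $($cert.Thumbprint)"
"SAN        : $($san.Format($false))"

# Export only the public part as DER (.cer). The private key stays on the
# server, which is why the guide allows imports only from the server computer.
$cerPath = Join-Path $env:TEMP 'colos-webapi-public.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
"Public certificate written to $cerPath"

# --- Client side (run on each client computer) -------------------------------
# Trust the exported public certificate. For a self-signed server certificate
# the Trusted Root Certification Authorities store (assumption; follow the
# customer IT policy) is where Windows, Chrome and .NET clients build the chain.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the client now holds it, matched by thumbprint rather than by name.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter
```

The thumbprint printed on the server side is also the value that goes into the project profile key HTTPThumbprint when the CAT certificate is overridden at project level.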
Configuring CLI
After enabling the setting in the Administrator, a client that accesses the CLI over TLS must use the same
TLS version as configured for the CLI, and the CLI client application must trust the CLI certificate in use.
For this, the public key of the CLI certificate can be exported through the CoLOS Administrator Export
link.
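The probe below is an added example, not CoLOS code, that serves both the browser-warning discussion above (chain trust and name mismatch) and the CLI over TLS requirements in this section. It connects to a TLS endpoint with an explicitly chosen TLS version and reports the certificate presented, its Subject Alternative Name, and the policy errors a client would raise. The host name and port numbers are placeholders; the TLS version must be set to the one configured for the endpoint in CoLOS Administrator.

```powershell
# Added example (not CoLOS code): probe a CoLOS TLS endpoint from a client and
# report the certificate it presents plus the reasons a client might still warn.
function Test-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Port,
        # Must match the TLS version configured for the endpoint (e.g. Tls12).
        [System.Security.Authentication.SslProtocols] $Protocol = 'Tls12'
    )
    # Shared state for the validation callback (a hashtable is a reference type,
    # so the closure can write into it).
    $state = @{ PolicyErrors = 'None' }
    # Record the policy errors but return $true so the handshake completes and
    # the certificate can be inspected even when it is not yet trusted. This is
    # a diagnostic only: such a callback disables validation in a real client.
    $closure = {
        param($sender, $certificate, $chain, $errors)
        $state.PolicyErrors = $errors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $closure

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        # A version mismatch with the server configuration fails here.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Host           = $HostName
            Port           = $Port
            Negotiated     = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
            # RemoteCertificateNameMismatch: URL host name is not in the SAN
            # RemoteCertificateChainErrors : client does not trust the issuer
            PolicyErrors   = $state.PolicyErrors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Web API / Web Production Panel over HTTPS, then CLI over TLS (ports are placeholders).
Test-TlsEndpointCertificate -HostName 'colos-srv.example.local' -Port 443  -Protocol Tls12
Test-TlsEndpointCertificate -HostName 'colos-srv.example.local' -Port 9000 -Protocol Tls12
```

A result of PolicyErrors = None with the expected thumbprint means the client trusts the certificate and the name matches; RemoteCertificateChainErrors means the exported public certificate has not yet been installed on this client, and RemoteCertificateNameMismatch means the host name in the URL is missing from the Subject Alternative Name.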
The OPC UA certificate store is located at:
C:\ProgramData\Markem-Imaje\CA\v6.3\Certificates
Own folder
The certificate in the own/ folder identifies the OPC UA endpoint and is used to protect the data exchange
between client and server.
The certificate with both the public and the private key is stored in the own/private folder, and the
certificate with only the public key in the own folder.
Rejected folder
All certificates from rejected and untrusted connections are added to this folder. To trust one of the
certificates in this folder, move it to the trusted folder.
Trusted folder
Certificates in this folder are trusted for OPC UA connections.
Issuers folder
If multiple certificates to be trusted all come from the same issuer, the issuer's certificate can be placed in
this folder so that the certificates it signed are accepted.
Each endpoint standard is different, and there may be additional requirements for creating a certificate.
Some endpoints require a simple SSL certificate, whereas others require specific key usages to be
present on the certificate. OPC UA supports additional fields, such as the application URI, to be encoded on
the certificate so that clients can make use of that information.
CoLOS creates a self-signed certificate for OPC UA, which can be used as a reference when creating a new
certificate for OPC UA.
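The script below is an added example, not CoLOS code, for reviewing the OPC UA certificate store folders described above before a certificate is trusted. It lists the certificates in a folder with their subject, thumbprint, validity and the application URI carried in the Subject Alternative Name, and moves a single reviewed certificate from rejected/ to trusted/ by thumbprint. Assumptions: the store root path from this guide, certificate files stored as DER (.der/.cer/.crt), the folder names own, rejected, trusted and issuers, and an English Windows locale for the formatted SAN text (the URI entry is shown as "URL=...").

```powershell
# Added example (not CoLOS code): audit the OPC UA certificate store folders.
$StoreRoot = 'C:\ProgramData\Markem-Imaje\CA\v6.3\Certificates'   # path from the guide

function Get-OpcUaStoreCertificate {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('own', 'rejected', 'trusted', 'issuers')]
        [string] $Folder
    )
    $path = Join-Path $StoreRoot $Folder
    Get-ChildItem -Path $path -File |
        Where-Object { $_.Extension -in '.der', '.cer', '.crt' } |
        ForEach-Object {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
            $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            # OPC UA encodes the ApplicationUri as a URI entry of the SAN; on an
            # English Windows the formatted extension text shows it as "URL=...".
            $uri = if ($san) {
                ($san.Format($false) -split ',\s*' | Where-Object { $_ -like 'URL=*' }) -replace '^URL=', ''
            }
            [pscustomobject]@{
                Folder         = $Folder
                File           = $_.Name
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                Expired        = $cert.NotAfter -lt (Get-Date)
                ApplicationUri = $uri
            }
        }
}

function Approve-OpcUaClientCertificate {
    # Moves one certificate from rejected/ to trusted/ after an operator has
    # checked its subject, ApplicationUri and thumbprint against the expected client.
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $match  = Get-OpcUaStoreCertificate -Folder rejected | Where-Object Thumbprint -eq $wanted
    if (-not $match) { throw "No certificate with thumbprint $wanted in rejected/" }
    if ($match.Expired) { throw "Certificate $wanted is expired; do not trust it" }
    $src = Join-Path (Join-Path $StoreRoot 'rejected') $match.File
    $dst = Join-Path $StoreRoot 'trusted'
    Move-Item -Path $src -Destination $dst
    "Moved $($match.Subject) ($($match.Thumbprint)) to trusted/"
}

# Report what is waiting in rejected/ and what is already trusted.
Get-OpcUaStoreCertificate -Folder rejected | Format-Table Subject, ApplicationUri, Thumbprint, NotAfter, Expired
Get-OpcUaStoreCertificate -Folder trusted  | Format-Table Subject, ApplicationUri, Thumbprint, NotAfter, Expired

# Example approval of one reviewed certificate (thumbprint is a placeholder):
# Approve-OpcUaClientCertificate -Thumbprint '0000000000000000000000000000000000000000'
```

Running Get-OpcUaStoreCertificate -Folder own against the CoLOS self-signed OPC UA certificate shows the ApplicationUri and subject layout that a replacement certificate should reproduce, which is the "reference" use the paragraph above describes.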