
Page 59


DeviceMaster UP Modbus/TCP User Guide: 2000447 Rev. I

Chapter 3. Embedded Configuration Pages - 59


3.8.1. Client Authentication

If desired, controlled access to SSL/TLS protected features can be configured by uploading a client
authentication certificate to the DeviceMaster UP. By default, the DeviceMaster UP is shipped without a CA
(Certificate Authority) and therefore allows connections from any SSL/TLS client.

If a CA certificate is uploaded, the DeviceMaster UP only allows SSL/TLS connections from client
applications that present an identity certificate signed by that uploaded CA certificate.

This uploaded CA certificate that is used to validate a client's identity is sometimes referred to as a trusted
root certificate, a trusted authority certificate, or a trusted CA certificate. This CA certificate might be that of a
trusted commercial certificate authority or it may be a privately generated certificate that an organization
creates internally to provide a mechanism to control access to resources that are protected by the SSL/TLS
protocols.

To control access to the DeviceMaster UP’s SSL/TLS protected resources you should create your own custom
CA certificate and then configure authorized client applications with identity certificates signed by the
custom CA certificate.

3.8.2. Configuring Security

Use the following procedure to configure DeviceMaster UP security.

Note: All DeviceMaster units are shipped from the factory with identical configurations. They all have the
identical, self-signed, Comtrol Server RSA Certificates, Server RSA Keys, Server DH Keys, and no
Client Authentication Certificates.

For maximum data and access security, you should configure all DeviceMaster units with custom
certificates and keys.

1. If necessary, access the Server Configuration web page by entering the DeviceMaster UP IP address in
your web browser or by highlighting the DeviceMaster UP in PortVision DX and clicking Webpage.

2. If desired, enable Secure Config Mode.

RSA Server Certificate used by SSL servers

This is the RSA identity certificate that the DeviceMaster UP uses during SSL/
TLS handshaking to identify itself. It is used most frequently by SSL server
code in the DeviceMaster UP when clients open connections to the
DeviceMaster's secure web server or other secure TCP ports. If a DeviceMaster
UP serial port configuration is set up to open (as a client) a TCP connection to
another server device, the DeviceMaster UP also uses this certificate to identify
itself as an SSL client if requested by the server.

In order to function properly, this certificate must be signed using the Server
RSA Key. This means that the server RSA certificate and server RSA key must
be replaced as a pair.

DH Key pair used by SSL servers

This is a private/public key pair that is used by some cipher suites to encrypt
the SSL/TLS handshaking messages.

Note: Possession of the private portion of the key pair allows an eavesdropper to decrypt traffic on
SSL/TLS connections that use DH encryption during handshaking.

Client Authentication Certificate used by SSL servers

If configured with a CA certificate, the DeviceMaster UP requires all SSL/TLS
clients to present an RSA identity certificate that has been signed by the
configured CA certificate. As shipped, the DeviceMaster UP is not configured
with a CA certificate and all SSL/TLS clients are allowed.

See 3.8.1. Client Authentication on Page 59 for more detailed information.
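The custom CA workflow recommended in 3.8.1 (create your own CA, sign client identity certificates with it) and the certificate/key pairing requirement for the RSA Server Certificate above, as an added example that is not part of the Comtrol manual. It assumes the openssl command-line tool is installed; the CA names, client names and file names are constructed for the example, and it also shows the rejection case the text implies (a client signed by an unrelated CA):

```shell
#!/bin/sh
# Added example, not code from the Comtrol manual: build a private CA, issue a
# client identity certificate signed by it, and run the checks an operator wants
# before uploading the CA certificate to the DeviceMaster UP. Assumes the openssl
# CLI is installed; all file names and subject names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a custom CA ($1 = file stem). Once uploaded as the device's Client
# Authentication Certificate, this is the only trust anchor it will accept.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue an RSA identity certificate for a client application ($1 = client stem,
# e.g. a Modbus master) and sign it with the CA named by $2.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -days 365 -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Check 1: would the device, configured with CA $1, accept client $2?
# Returns 0 when the client certificate chains to that CA, non-zero otherwise.
client_accepted_by_ca() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Check 2: certificate $1 and private key $2 form a matching pair. The manual
# requires the server RSA certificate and key to be replaced together; this
# catches a mismatched upload before the device's SSL/TLS server breaks.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Walk-through: the plant CA signs the Modbus master; an unrelated CA does not.
if [ "${1:-}" = "demo" ]; then
  make_ca plant-ca; make_ca other-ca
  make_client_cert modbus-master plant-ca
  client_accepted_by_ca plant-ca modbus-master && echo "accepted by plant-ca"
  client_accepted_by_ca other-ca modbus-master || echo "rejected by other-ca"
fi
```

Run it with the argument `demo` to see both outcomes; the generated `plant-ca.crt` is the file you would upload as the Client Authentication Certificate, and `plant-ca.key` must stay off the device and under strict access control.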

Edit Security Configuration Page
