Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
en:sw:01-mervis:ssl-certification-validation-hidden [2022/10/05 17:58] avsetula |
en:sw:01-mervis:ssl-certification-validation-hidden [2022/10/11 14:58] (current) avsetula [What is needed?] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== SSL Certification validity ====== | ====== SSL Certification validity ====== | ||
| - | Protokol SSL (Secure Socket Layer) je bezpečnostní vrstva vložená mezi vrstvu transportní (TCP/IP) a vrstvu aplikační (např. HTTP), která poskytuje zabezpečení komunikace šifrováním a umožní autentizaci (ověření totožnosti) komunikujících stran. Výsledkem je pak zabezpečené (šifrované) připojení, např. protokolem HTTP**S**. | + | The SSL (Secure Socket Layer) protocol is a security layer inserted between the transport layer (TCP/IP) and the application layer (e.g., HTTP), which provides communication security by encryption and enables an authentication (identity verification) of communicating parties. The result is a secure (encrypted) connection, e.g., using the HTTP**S** protocol. |
| + | <WRAP center round important 90%> | ||
| + | **Warning:** use certificate validation only if you are aware of the possible consequences of enabling this function. Due to the temporary validity of certificates, it may happen that the validity of the certificate expires after a certain period of time (validity is different for each certificate). | ||
| - | ===== Co je k tomu potřeba? ===== | + | As a result, PLC will not be enabled for secure communication via Internet, so it will stop communicating with Mervis Proxy, Mervis DB, or other servers. Subsequent uploading of valid certificates to the PLC is now only possible locally and a service trip to the PLC is therefore required. |
| + | </WRAP> | ||
| + | |||
| + | |||
| + | ===== What is needed? ===== | ||
| - | Validace certifikátu, případně Ověření certifikátu znamená, že Mervis RT komunikuje s cloudovými servery (Proxy, DB, SCADA) pomocí zabezpečeného šifrovaného připojení SSL a zabezpečení ověřuje vůči dostupným certifikátům, ty jsou vydávány certifikačními autoritami. | + | Certificate validation, or certificate verification, means that Mervis RT communicates with cloud servers (Proxy, DB, SCADA) using a secure encrypted SSL connection and verifies security against available certificates, which are issued by certification authorities. |
| - | Aby bylo možné využít této funkce je nutné zajistit: | + | In order to use this function, it is necessary to ensure: |
| - | - Dostupnost aktuálních certifikátů | + | - Availability of current certificates |
| - | * certifikáty jsou aktuální v době vydání operačního systému Mervis OS, počínaje verzí Mervis OS 2.4.2.28 | + | * certificates are up-to-date at the moment of release of the Mervis OS operating system, starting with Mervis OS version 2.4.2.28 |
| - | * certifikáty je možné aktualizovat nahráním z Mervis IDE (návod na konci článku ) | + | * certificates can be updated by uploading Mervis IDE ([[#uploading_certificates_from_the_mervis_ide|instructions below]]) |
| - | - Nastavení SSL adres ke cloudovým službám, případně povolení SSL | + | - Setting SSL addresses to cloud services, or enabling SSL |
| * Mervis DB: <code>https://db.unipi.technology/plc/save</code> | * Mervis DB: <code>https://db.unipi.technology/plc/save</code> | ||
| * Mervis Proxy: <code>https://proxy.unipi.technology:6678</code> | * Mervis Proxy: <code>https://proxy.unipi.technology:6678</code> | ||
| - | - Povolení validace certifikátu v konfiguraci RT | + | - Enable certificate validation in RT configuration |
| - | Pokud výše uvedené nebude dodrženo, komunikace se nenaváže. | + | If the above is not met, communication will not be established. |
| - | ==== Ukázka nastavení Mervis Proxy a DB v konfiguraci RT: ==== | + | ==== Example of Mervis Proxy and DB settings in RT configuration: ==== |
| ;#; | ;#; | ||
| - | //Konfigurace Mervis Proxy// | + | //Mervis Proxy parameters// |
| ;#; | ;#; | ||
| - | {{ :cs:sw:01-mervis:val-cert_proxy_cz.png?direct |}} | + | {{ :en:sw:01-mervis:val-cert_proxy_en.png?direct |}} |
| \\ | \\ | ||
| ;#; | ;#; | ||
| - | //Konfigurace Mervis DB// | + | //Mervis DB parameters// |
| ;#; | ;#; | ||
| - | {{ :cs:sw:01-mervis:val-cert_db_cz.png?direct |}} | + | {{ :en:sw:01-mervis:val-cert_db_en.png?direct |}} |
| - | ===== Nahrání certifikátů z Mervis IDE ===== | + | ===== Uploading certificates from the Mervis IDE ===== |
| - | Pro nahrání certifikátů do PLC je nutné mít založenu sestavu v Mervis IDE a přiřazené PLC. | + | To upload certificates to the PLC, it is necessary to have a Mervis IDE solution installed and an assigned PLC. |
| - | Pro přidání/nahrazení certifikátů klikněte pravým tlačítkem na položku PLC a v nabídce vyberte: \\ | + | To add/replace certificates, right-click on the PLC, select: \\ |
| - | Operace s PLC -> Nahrání certifikátů. | + | PLC Operation -> Upload Certificates |
| - | {{ :cs:sw:01-mervis:ca1_cz.png?direct |}} | + | {{ :en:sw:01-mervis:ca1_en.png?direct |}} |
| \\ | \\ | ||
| - | Otevře se dialog, kde máte celkem 4 řádky, níže naleznete popis prvních dvou: | + | A dialog will open where you have a total of 4 lines, but we will only be interested in the first two: |
| - | {{ :cs:sw:01-mervis:ca2_cz.png?direct |}} | + | {{ :en:sw:01-mervis:ca2_en.png?direct |}} |
| - | * Výchozí CA: tyto certifikáty jsou aktuální v době generování obrazu Mervis OS, jejich nahráním se nahradí výchozí certifikáty | + | * Default CA: these certificates are up-to-date at the time of Mervis OS image generation, uploading them will replace the default certificates |
| - | * Uživatelská CA: tyto certifikáty nejsou ve výchozím stavu v RT obsaženy, nahráním lze doplnit chybějící certifikáty, výchozí CA nejsou nijak ovlivněny | + | * User CA: these certificates are not included in the default state of RT, missing certificates can be added by uploading, default CAs are not affected in any way |
| - | Po kliknutí na OK budou certifikáty nahrány do PLC. | + | After clicking OK, the certificates will be uploaded to the PLC. |
| <WRAP center round info 70%> | <WRAP center round info 70%> | ||
| - | **Poznámka:** přípona názvu souboru může být libovolná | + | **Note:** the file name extension can be arbitrary. |
| </WRAP> | </WRAP> | ||
| + | |||
| + | |||
| + | ===== Use cases: ===== | ||
| + | |||
| + | === Updating certificates due to expiration === | ||
| + | Certificates issued after September 1st, 2022 are valid for a maximum of 1 year, so it is important to update the certificates regularly. The update is possible by replacing the default CA with the new public certificates (certificate file) according to the [[#uploading_certificates_from_the_mervis_ide|instructions above]], or by uploading the [[en:files:software:os-images:00-start|most current version of Mervis OS]] to the PLC. | ||
| + | |||
| + | <WRAP center round info 90%> | ||
| + | **Note:** download current certificates only from trusted sites. | ||
| + | </WRAP> | ||
| + | |||
| + | === Replacing the default certificates with your own === | ||
| + | In some cases (e.g., within an intranet) it is also useful to secure with your own certificates, when, on the other hand, you do not use public certificates at all. In this case, prepare a certificate file and upload it as the default CA, replacing the default certificates with your own. | ||
| + | \\ | ||
| + | \\ | ||
| + | |||
| + | === Adding your own certificates without affecting the default certificates === | ||
| + | In cases where the PLC is, for example, in a large corporate network, but also has access to the Internet, it is advisable to choose a combination of public and own certificates. | ||
| + | |||
| + | Therefore, upload your certificate file as a user CA, but it is also possible to upload an update of the default CA. If you do not want to update the default certificates, leave the box blank. | ||
| + | |||
| + | |||
| + | |||
