...
It is used for the configuration of a specific parameter in selected protocols; in other protocols, it is not used and can be set to any numeric value (e.g., 0).
"TLS - Certificates" section
Parameters that allow you to configure TLS encryption based on public and private keys. TLS encryption is enabled if the "Partner Certificate(s)" parameter and/or the "My Certificate"/"My Key" pair is configured.
Note: TLS certificate-based encryption takes precedence over pre-shared key (PSK)-based encryption.
Partner certificate(s)
...
This parameter specifies the path to the certificates. Multiple certificates can be specified and separated by a comma. The path may contain the symbolic constant #APPDIR# indicating the application directory (e.g., D:\D2000\D2000_APP\MyApp).
Example: D:\some.crt,#APPDIR#/another.crt
Note: The /DC start parameter can be used to disable verification of the other party at the D2000 KOM process level, e.g., if the other party's certificate expires or another emergency situation occurs and it is not possible to reconfigure the other party operationally.
Note: The certificate must contain the public key of the certification authority (if the other party's certificate is signed by a chain of authorities, it must contain all of them). It does not need to contain the other party's public key itself.
My certificate
Certificate (public key) used by the D2000 KOM process. The path may contain the symbolic constant #APPDIR# indicating the application directory (e.g., D:\D2000\D2000_APP\MyApp).
...
Private key used by the D2000 KOM process. The path may contain the symbolic constant #APPDIR# indicating the application directory (e.g., D:\D2000\D2000_APP\MyApp).
...
Info
Note 1: For security reasons, we recommend setting access to the private key so that it is only accessible to the user under which the D2000 KOM process is running (by default Local System on Windows and d2000 on Linux/RPI).
Note 2: The private key can be protected by password encryption. In this case, enter the password for the key in the "Pre shared key" item in the "TLS pre shared key" section.
Note 3: Setting a password for the private key is possible with the OpenSSL utility. Example of execution: the input is the unprotected key my.key, the output is the password-encrypted key my_protected.key, and the encryption method AES-256 is used.
openssl.exe rsa -aes256 -in my.key -out my_protected.key
The following encryption methods can be used:
The OpenSSL 3.4 library no longer supports the following encryption types:
If you use diacritics (national characters) in your password, you must set the Windows code page to UTF-8 before using the OpenSSL utility with the command chcp 65001, since D2000 stores texts in UTF-8 encoding.
...
If this option is not selected, the KOM process does not connect to the backup IP address, and the line works like a TCP/IP-TCP line, i.e., without redundancy.
Host
The secondary IP address of the communication partner to which the KOM process connects. If the name is configured (and not an IP address X.X.X.X), it will be converted into an IP address using the standard name resolution mechanism provided by the OS (hosts, DNS, WINS...).
Note: Implementation of redundancy is protocol-dependent. For some protocols (e.g., IEC 870-5-104), a parallel connection to the backup device is created. For other protocols (e.g., Modbus Client), the KOM process creates a single connection and, after the connection is broken or cannot be established, alternates between all IP addresses/names configured as Primary/Backup Devices.
...
The Host parameter can contain several (up to 8) IP addresses or network names of computers separated by a comma or a semicolon, e.g., 172.16.0.1; 172.16.0.2 (spaces before and after an address are permitted for readability). See the documentation of the communication protocol in use to find out whether it can utilize more than one IP address. For example, the protocol IEC 870-5-104: if several IP addresses are configured (on TCP/IP-TCP or TCP/IP-TCP Redundant lines), the connection is initially established to the first IP address. If the connection breaks, the KOM process tries to reconnect to the second IP address, then to the third, and so on. After all configured IP addresses have been tried, it starts again with the first IP address.
This configuration can be used if several communication partners exist and they either provide the same valid data or only the active one communicates (and all others refuse the connections).
Other protocols (e.g., MODBUS Client) currently use only the first configured IP address.
...
Currently, only two protocols supporting the TCP/IP-TCP Redundant line are implemented. The protocol IEC 870-5-104 Sinaut is a specific implementation of IEC 104 designed for redundant communication with the Sinaut Spectrum system. Far more common is the protocol IEC 870-5-104, which implements many options related to communication redundancy.
...