
...

Example: D:\some.crt,#APPDIR#/another.crt

Note: The /DC start parameter can be used to disable verification of the other party's certificate at the D2000 KOM process level, e.g. if that certificate expires or another emergency occurs and the other party cannot be reconfigured operationally. Because it removes authentication of the other party, it should be treated as a temporary measure.

Note: The certificate file must contain the certificate (public key) of the certification authority; if the other party's certificate is signed through a chain of authorities, every authority in the chain must be included. It does not need to contain the other party's own certificate.
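The following is an added example, not code from the D2000 documentation or the KOM process: it checks that the certificate file you intend to list in the line configuration really lets the other party's certificate be verified, i.e. that it holds every CA in the chain. A throwaway PKI (root CA, intermediate CA, peer certificate, plus an unrelated CA) is generated with the OpenSSL command-line tool; all names and paths are made up, and `openssl` must be on the PATH.

```python
"""Added example (not part of the D2000 documentation): does the trust file
hold every CA needed to verify the other party's certificate?
A throwaway PKI (root -> intermediate -> peer, plus an unrelated CA) is
generated with the OpenSSL CLI; all names are made up."""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args: str, cwd: Path) -> bool:
    """Run one OpenSSL CLI command in `cwd`; True on exit status 0."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True).returncode == 0


def make_test_pki(d: Path) -> None:
    """root.crt signs intermediate.crt, which signs peer.crt; other_root.crt is unrelated."""
    (d / "ca.ext").write_text("basicConstraints=critical,CA:TRUE\n"
                              "keyUsage=critical,keyCertSign,cRLSign\n")
    steps = [
        # a key and CSR for every party
        *[("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={n}",
           "-keyout", f"{n}.key", "-out", f"{n}.csr")
          for n in ("root", "other_root", "intermediate", "peer")],
        # self-signed CA certificates (extensions come from ca.ext, not openssl.cnf)
        *[("x509", "-req", "-days", "1", "-in", f"{n}.csr", "-signkey", f"{n}.key",
           "-extfile", "ca.ext", "-out", f"{n}.crt") for n in ("root", "other_root")],
        # intermediate CA issued by root, peer certificate issued by the intermediate
        ("x509", "-req", "-days", "1", "-in", "intermediate.csr", "-CA", "root.crt",
         "-CAkey", "root.key", "-CAcreateserial", "-extfile", "ca.ext",
         "-out", "intermediate.crt"),
        ("x509", "-req", "-days", "1", "-in", "peer.csr", "-CA", "intermediate.crt",
         "-CAkey", "intermediate.key", "-CAcreateserial", "-out", "peer.crt"),
    ]
    for step in steps:
        if not openssl(*step, cwd=d):
            raise RuntimeError("openssl " + " ".join(step) + " failed")


def trust_file_verifies_peer(trust_file: Path, peer_cert: Path) -> bool:
    """Can peer_cert be chained to a trust anchor using only the certificates
    in trust_file? That is what the KOM process needs from the configured file."""
    return openssl("verify", "-CAfile", str(trust_file), str(peer_cert),
                   cwd=trust_file.parent)


def check_trust_files() -> dict:
    """Compare a root-only file, a root+intermediate file and an unrelated CA."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        make_test_pki(d)
        # the file named in the line configuration must hold root AND intermediate
        chain = d / "chain.crt"
        chain.write_bytes((d / "root.crt").read_bytes()
                          + (d / "intermediate.crt").read_bytes())
        return {
            "root_only": trust_file_verifies_peer(d / "root.crt", d / "peer.crt"),
            "root_and_intermediate": trust_file_verifies_peer(chain, d / "peer.crt"),
            "unrelated_ca": trust_file_verifies_peer(d / "other_root.crt", d / "peer.crt"),
        }
```

Only the file that concatenates root and intermediate verifies the peer; a root-only file fails with "unable to get local issuer certificate", which is exactly the situation the note above warns about.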

...

Example: #APPDIR#/my.key

Key protection

Note 1: For security reasons, we recommend restricting access to the private key so that it is readable only by the user under which the D2000 KOM process runs (by default Local System on Windows and d2000 on Linux/RPI).

Note 2: The private key can be protected by password encryption. In this case, enter the key's password in the "Pre shared key" field of the "TLS pre shared key" section.

Note 3: A password can be set on the private key with the OpenSSL utility.

Example of execution: the input is the unprotected key my.key, the output is the password-encrypted key my_protected.key, and AES-256 is used as the encryption method (OpenSSL prompts for the password):

openssl.exe rsa -aes256 -in my.key -out my_protected.key

The following encryption options can be used (3DES is deprecated; prefer one of the AES options, as in the example above):

  Parameter      Encryption method
  -aes128        AES-128-CBC: 128-bit key in CBC mode
  -aes192        AES-192-CBC: 192-bit key in CBC mode
  -aes256        AES-256-CBC: 256-bit key in CBC mode
  -des3          3DES (Triple DES)
  -aria128       ARIA-128: ARIA with a 128-bit key
  -aria192       ARIA-192: ARIA with a 192-bit key
  -aria256       ARIA-256: ARIA with a 256-bit key
  -camellia128   Camellia-128: 128-bit key
  -camellia192   Camellia-192: 192-bit key
  -camellia256   Camellia-256: 256-bit key

The OpenSSL 3.4 library no longer supports keys encrypted with the following ciphers (in OpenSSL 3.x they live in the legacy provider, which is not loaded by default), so a key protected with one of them must be re-encrypted, e.g. with -aes256, before use:

  Parameter      Encryption method
  -des-ecb       DES-ECB: DES in ECB (Electronic Codebook) mode
  -des-cbc       DES-CBC: DES in CBC (Cipher Block Chaining) mode
  -idea          IDEA
  -bf            Blowfish
  -rc2           RC2

If you use diacritics (national characters) in the password, switch the Windows console code page to UTF-8 before running the OpenSSL utility, with the command

chcp 65001

because D2000 stores texts in UTF-8 encoding, and the password bytes OpenSSL derives the key from must be the same bytes D2000 later supplies.
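The whole procedure above (encrypt the key with AES-256, lock down its permissions, check that the right password opens it and a wrong one does not), as an added example that is not part of the D2000 documentation. It drives the same `openssl rsa -aes256` command, but passes the password through a private temporary file as UTF-8 bytes instead of the interactive prompt, which is the same encoding concern the chcp note addresses. The file names and the password are made up, the unprotected key is generated on the fly, and `openssl` must be on the PATH; the permission check is POSIX-only.

```python
"""Added example (not part of the D2000 documentation): protect a KOM private
key with AES-256-CBC via `openssl rsa -aes256`, restrict its permissions
(Note 1) and verify the result. Names and the password are made up."""
import contextlib
import os
import stat
import subprocess
import tempfile
from pathlib import Path


@contextlib.contextmanager
def passphrase_file(passphrase: str):
    """Write the password as UTF-8 bytes to a private temp file for
    `-passout/-passin file:`. D2000 stores texts as UTF-8, so these are the
    bytes the key must be encrypted with, diacritics included."""
    fd, path = tempfile.mkstemp()                 # created with mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(passphrase.encode("utf-8") + b"\n")
        yield path
    finally:
        os.remove(path)


def protect_key(unprotected: Path, protected: Path, passphrase: str,
                cipher: str = "-aes256") -> Path:
    """openssl rsa <cipher> -in my.key -out my_protected.key, then owner-only
    permissions so that only the KOM service account can read the key."""
    with passphrase_file(passphrase) as pf:
        subprocess.run(["openssl", "rsa", cipher, "-in", str(unprotected),
                        "-out", str(protected), "-passout", f"file:{pf}"],
                       check=True, capture_output=True)
    os.chmod(protected, stat.S_IRUSR | stat.S_IWUSR)   # 0600; effective on POSIX only
    return protected


def key_is_encrypted(path: Path) -> bool:
    """Covers both the legacy 'Proc-Type: 4,ENCRYPTED' header (OpenSSL 1.x
    output) and the PKCS#8 'ENCRYPTED PRIVATE KEY' block (OpenSSL 3.x)."""
    return b"ENCRYPTED" in path.read_bytes()


def key_opens_with(path: Path, passphrase: str) -> bool:
    """True if the password decrypts the key; a wrong one makes openssl fail."""
    with passphrase_file(passphrase) as pf:
        r = subprocess.run(["openssl", "rsa", "-in", str(path),
                            "-passin", f"file:{pf}", "-noout"],
                           capture_output=True)
    return r.returncode == 0


def protect_and_verify() -> dict:
    """Generate a throwaway RSA key, protect it and run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        my_key = Path(tmp) / "my.key"
        protected = Path(tmp) / "my_protected.key"
        subprocess.run(["openssl", "genpkey", "-algorithm", "RSA", "-pkeyopt",
                        "rsa_keygen_bits:2048", "-out", str(my_key)],
                       check=True, capture_output=True)
        passphrase = "Heslo-ľščťž-2024"          # constructed; diacritics on purpose
        protect_key(my_key, protected, passphrase)
        my_key.unlink()                            # the plaintext key must not linger
        return {
            "encrypted": key_is_encrypted(protected),
            "right_passphrase": key_opens_with(protected, passphrase),
            "wrong_passphrase": key_opens_with(protected, "wrong"),
            "owner_only": os.name != "posix"
                          or stat.S_IMODE(protected.stat().st_mode) == 0o600,
        }
```

The value stored in the "Pre shared key" field must be the same UTF-8 string the key was encrypted with; if the password was typed at the OpenSSL prompt in a console using a different code page, the bytes differ and the KOM process will fail to load the key.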

...

Note about the redundancy of network communication

Currently, only a few protocols support the TCP/IP-TCP Redundant line:

  • The IEC 870-5-104 Sinaut protocol is a specific implementation of the IEC 104 protocol designed for redundant communication with the Sinaut Spectrum system.

...

  • The IEC 870-5-104 protocol, which is much more common in practice, implements several options for configuring redundancy.
  • The MQTT Client protocol allows connection to two independent MQTT brokers on a TCP/IP-TCP Redundant line.


Note on TLS communication to the cloud

In the TLS implementation of the D2000 KOM process, the "server_name" extension (SNI) is included in the TLS Client Hello message that opens the connection; the symbolic name specified in the "TCP/IP - TCP" or "TCP/IP - TCP Redundant" line configuration is sent as the "server_name". This enables, for example, the MQTTS protocol in the AWS environment, where several customers share one IP address and the server must learn which hostname the client is connecting to.
Note: If the line is configured with a numeric IP address instead of a symbolic name, the "server_name" extension is not sent in the TLS Client Hello (RFC 6066 does not allow IP address literals in it), so a server that selects the tenant or certificate by SNI cannot tell which hostname is wanted.


Blog

You can also read about TCP/IP-TCP line encryption in the blog Communication - encryption.

...