The D2000 system can be configured to ensure that communication between the server and clients takes place through a secure encrypted communication channel. Security is implemented by Transport Layer Security (TLS v1.2).
The following steps are required to enable secure communication:
1. For the server, it is necessary to obtain or generate an encryption key and a certificate. The certificate must then be distributed to the client processes.
The key and certificate can be generated, for example, using the openssl utility (https://slproweb.com/products/Win32OpenSSL.html).
Generating an encryption key
openssl genrsa -out server.key 4096
Generating a certificate signing request
openssl req -new -key server.key -out server.csr
Generating a self-signed certificate
openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
2. Setting up TLS support in the registry for the kernel
HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<instalacia>\cfg_<aplikacia>\TLS_Server\TLS_CertFile = c:\<cesta>\server.crt
HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<instalacia>\cfg_<aplikacia>\TLS_Server\TLS_KeyFile = c:\<cesta>\server.key
HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<instalacia>\cfg_<aplikacia>\TLS_Server\TLS_RequiredLevel = <level>
Setting the security level <level> the kernel requires of a connecting client:
- None - the kernel accepts both unsecured and TLS-secured client connections
- TLSNoPeerAuth - the kernel accepts only clients that communicate over TLS (the client is not verified with a certificate)
3. Setting up TLS support in the registry for clients
HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<instalacia>\cfg_<aplikacia>\TLS_Client\TLS_TrustedCerts = c:\<cesta>\server.crt
HKEY_LOCAL_MACHINE\SOFTWARE\Ipesoft\<instalacia>\cfg_<aplikacia>\TLS_Client\TLS_RequiredLevel = <level>
TLS_TrustedCerts: the path to the server certificate. Multiple certificates can be entered, separated by a semicolon (;). This is useful for redundant systems, or during a certificate rollover when both the old and the new server certificate must be trusted at the same time.
TLS_RequiredLevel: the security level <level> the client requires of its connection to the kernel:
- None - the client connects to the kernel whether or not the kernel supports secure communication
- TLSNoPeerAuth - the client connects only to a kernel that provides secure communication (but the kernel does not need to be verified by a certificate, i.e. its certificate is not compared with the TLS_TrustedCerts list)
- TLSPeerAuth - the client connects only to a kernel that provides secure communication and whose certificate is verified against the TLS_TrustedCerts list
4. To use TLS, the client must also be started with the @<application_name> parameter in addition to the usual parameters (/S, /RD or /RF).
The reason is that the application name must be known before the client connects to the application server, so that the TLS parameters can be loaded from the registry (see point 3).
The alternative is to set the DefaultApplication parameter in the registry.
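An added example (not Ipesoft's code): a PowerShell function that writes the TLS_Server or TLS_Client values from steps 2 and 3 into the registry, rejecting a TLS_RequiredLevel not documented above for that side, and checking that every referenced certificate file parses and is within its validity period before anything is written. The installation and application names and the file paths are placeholders, and the values are assumed to be plain strings (REG_SZ).

```powershell
function Set-D2000TlsConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Server','Client')][string]$Side,
        [Parameter(Mandatory)][string]$Installation,   # value substituted for <instalacia>
        [Parameter(Mandatory)][string]$Application,    # value substituted for <aplikacia>
        [Parameter(Mandatory)][string]$Level,          # TLS_RequiredLevel
        [string]$CertFile,        # server only: TLS_CertFile
        [string]$KeyFile,         # server only: TLS_KeyFile
        [string[]]$TrustedCerts   # client only: TLS_TrustedCerts, stored joined with ';'
    )
    # Levels as documented on this page; TLSPeerAuth is listed only for the client side.
    $allowed = @{ Server = @('None','TLSNoPeerAuth'); Client = @('None','TLSNoPeerAuth','TLSPeerAuth') }
    if ($allowed[$Side] -notcontains $Level) {
        throw "TLS_RequiredLevel '$Level' is not valid for TLS_$Side (allowed: $($allowed[$Side] -join ', '))"
    }
    if ($Side -eq 'Client' -and $Level -eq 'TLSPeerAuth' -and -not $TrustedCerts) {
        throw "TLSPeerAuth requires at least one certificate in TLS_TrustedCerts"
    }
    $files = if ($Side -eq 'Server') { @($CertFile, $KeyFile) } else { $TrustedCerts }
    foreach ($f in $files) {
        if (-not $f -or -not (Test-Path -LiteralPath $f)) { throw "File not found: '$f'" }
    }
    # Parse each PEM certificate and refuse expired or not-yet-valid ones, so a stale
    # server.crt is caught at configuration time rather than at the first client connection.
    $certs = if ($Side -eq 'Server') { @($CertFile) } else { $TrustedCerts }
    $now = Get-Date
    foreach ($c in $certs) {
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $c
        if ($now -lt $x.NotBefore -or $now -gt $x.NotAfter) {
            throw "Certificate '$c' ($($x.Subject)) is outside its validity period ($($x.NotBefore) - $($x.NotAfter))"
        }
        Write-Verbose "Certificate $($x.Subject) valid until $($x.NotAfter)"
    }
    $key = "HKLM:\SOFTWARE\Ipesoft\$Installation\cfg_$Application\TLS_$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($Side -eq 'Server') {
        Set-ItemProperty -Path $key -Name 'TLS_CertFile' -Value $CertFile
        Set-ItemProperty -Path $key -Name 'TLS_KeyFile'  -Value $KeyFile
    } else {
        Set-ItemProperty -Path $key -Name 'TLS_TrustedCerts' -Value ($TrustedCerts -join ';')
    }
    Set-ItemProperty -Path $key -Name 'TLS_RequiredLevel' -Value $Level
}

# Usage with placeholder names: the kernel accepts only TLS clients, and the client
# verifies the kernel against the distributed server.crt (old and new during rollover).
Set-D2000TlsConfig -Side Server -Installation 'D2000_INST' -Application 'MyApp' `
    -Level TLSNoPeerAuth -CertFile 'C:\d2000\tls\server.crt' -KeyFile 'C:\d2000\tls\server.key'
Set-D2000TlsConfig -Side Client -Installation 'D2000_INST' -Application 'MyApp' `
    -Level TLSPeerAuth -TrustedCerts 'C:\d2000\tls\server.crt','C:\d2000\tls\server-new.crt'
```

Run it from an elevated PowerShell session, since the keys live under HKEY_LOCAL_MACHINE.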
Change of keys and certificates
The D2000 Server reads the TLS configuration each time a client connects, so the D2000 Server configuration (including the certificate and private key files) can be changed while the D2000 Server is running, without a restart.