Gateway Security

By default, the Configure section of the Gateway is password protected, and this protection cannot be removed. You can optionally protect the Status and Home sections as well, and you can change the roles required to access any of these sections under Configuration > Gateway Settings.

Changing the 'admin' Password

The first step in securing your Ignition installation is to change the password of the default 'admin' user. The default credentials are published in the documentation, so they are the first thing anyone probing the Gateway will try.

Locking The Gateway

You can set up security for the Gateway web page sections and for the Designer. The Gateway can use any existing authentication profile, independent of any project. Each of the Status, Home, and Configure pages can be restricted by role, and the Designer can also require a specific role, separate from the roles needed to log into a Client.

To set up security for the Gateway

  1. Go to the Configure section of the Gateway.

  2. Choose Configuration > Gateway Settings from the menu on the left.
    The Gateway Settings page is displayed.

  3. Enter the roles a user must have in each of the Gateway Config Roles, Status Page Roles, Home Page Roles, and Designer Roles fields.
    Each option accepts any number of roles, separated by commas. If an option is left blank, any user with any role can log in to that section, so do not leave Gateway Config Roles or Designer Roles blank unless every user in the authentication profile should be able to administer the Gateway. Global Resource Protection shelters the Global Resources from edits by users who do not hold the roles stated here.

Enabling SSL

To enhance security in Ignition, you may opt to enable SSL encryption. This affects all communication to and from the Gateway that is done over the HTTP protocol: not only browsers interacting with the Gateway's web interface, but all Vision Client communication as well. Turning on SSL encrypts all data sent over HTTP, which protects your installation from anyone "snooping" the data as it passes over the network. This matters when the data transferred between the Gateway and Clients is sensitive in nature. It also helps thwart "session hijacking", since session cookies and identifiers no longer travel over the network in the clear where they could be captured and replayed.

To turn on SSL

  1. Go to the Configure section of the Gateway.

  2. Choose Configuration > Gateway Settings from the menus on the left.

  3. Select the check box for Use SSL and click on Save Changes at the very bottom of the page.
    After SSL is enabled, all Clients, Designers, and web browsers are redirected to the SSL port if they try to use the standard HTTP port. By default, the SSL port is 8043. You can change it to the standard SSL port of 443. To do this, follow the directions in Setting the Port.

When Using SSL

Enabling SSL secures communication with the Gateway web page as well as Client/Designer communication with the Gateway. Turning it on is only half of the job: you also need to acquire and install an SSL certificate for Ignition. It is highly recommended that you purchase a certificate from a certificate authority and install that genuine certificate, as described in the next section; otherwise every browser and Client will be trained to click through certificate warnings.

Installing a Genuine SSL Certificate

When you turn on SSL in Ignition, the Gateway presents what is called a "self-signed" certificate to browsers and Clients. This gives you the encryption benefits of SSL, but not the identity validation: nothing ties the certificate to your server, so it is not a "real" certificate. This is why a web browser will display prominent warnings telling users that they should not trust the website.

We are not able to ship a real certificate with Ignition because SSL certificates are issued for one specific server name and have to be purchased individually from a certificate authority, such as Verisign, GoDaddy, or Comodo.

This guide shows you how to purchase a real SSL certificate from a certificate authority and install it in Ignition. You'll need to be comfortable executing command-line programs to complete this guide. The examples in this guide assume a Windows environment, but the general procedure is the same on Linux.

  1. Install the Java Development Kit (JDK).
    There are some command-line tools you'll need to use to create a certificate request and to install your certificate. These tools come with the Java Development Kit (JDK). It is likely that you only have the Java Runtime Environment (JRE) installed. Go to http://java.oracle.com and click on Java SE. Download the Java SE 6 JDK and install it.

  2. Open a command prompt.
    Open a command prompt from Start > Run > cmd and change directory into your JDK tools directory.
    cd C:\Program Files\Java\jdk1.6.0_24\bin

  3. Create your keystore.
    SSL certificates for Ignition are stored in a file called a keystore. You'll need to create your own keystore file with a certificate in it before you can purchase the SSL certificate.

    1. Enter the following command:
      keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore C:\ssl.key
      You can put the file wherever you want for now, but call it ssl.key, because that is the file name the Gateway expects in step 7.

    2. At the prompt, enter a password. Use the password: ignition
      The Gateway's bundled Tomcat is configured to open the keystore with this password and the alias tomcat, so a keystore created with a different password will not work without changing the Tomcat configuration. Because the password is fixed and public, it does not protect the private key in the file; restrict read access to ssl.key on the server instead.

    3. At the prompt, you are asked for your first and last name. Do not enter your actual name: keytool uses this value as the certificate's Common Name (CN), and it must be the name that Clients and browsers use to reach your Ignition Gateway, one of the following:

      1. Fully Qualified Domain Name, for example secure.yourdomain.com

      2. Public IP address, for example 202.144.8.10

      3. Full Server Name of your internal server, for example scadaserver

      4. Private IP address, for example 192.168.0.1

      Note that public certificate authorities no longer issue certificates for private IP addresses or internal-only server names, so for the last two options you will need a certificate from your own internal certificate authority, which you then install by the same keytool steps below.

    4. At the prompt, you are asked for information about your company. Input all data accurately, as the certificate authority needs to verify this information.

    5. Lastly, at the prompt, you are asked for the password for alias <tomcat>. Press RETURN to use the same password as the keystore file; Tomcat expects the key password to match the keystore password.

  4. Generate a Certificate Signing Request.
    You have a keystore file named ssl.key at the root of your C:\ drive (or wherever you specified it to be in step 3a).

    In your command prompt window, enter this command:
    keytool -certreq -alias tomcat -file C:\csr.txt -keystore C:\ssl.key

    It will prompt you for the keystore password (ignition). You now have a certificate request file at C:\csr.txt

  5. Buy the SSL certificate.
    Now you need to get your SSL certificate signed by a certificate authority. When you go to a certificate authority (Verisign, GoDaddy, Comodo, and so on), they'll ask for your CSR, which is the csr.txt file that you created in step 4. Typically they'll ask you to paste your CSR into their web form. Open csr.txt in Notepad, and copy-and-paste it into the certificate authority's form.
    If prompted what software generated the CSR, choose Tomcat or Java. After the certificate authority has processed your payment and reviewed your CSR, they will send you your certificate via email.

  6. Install the SSL certificate.
    After your SSL certificate has been emailed to you, follow the instructions provided for installing the certificate into a Java keystore. Your certificate authority provides these instructions. Whatever the authority, two things are constant: import the certificates in chain order (root, then intermediate, then your server certificate), and import your server certificate under the same alias (tomcat) you used when generating the key pair in step 3. If the alias differs, keytool stores the certificate as a separate trusted-certificate entry instead of pairing it with your private key, and the Gateway keeps serving the self-signed certificate. The following is the procedure for installing a Comodo SSL certificate, provided as an example:

    1. Extract the certificate files that were emailed to you, in this example they were extracted to C:\cert

    2. Install the root certificate with the following command:
      keytool -import -trustcacerts -alias root -file C:\cert\AddTrustExternalCARoot.crt -keystore C:\ssl.key

    3. Install the COMODO intermediate certificate:
      keytool -import -trustcacerts -alias INTER -file C:\cert\COMODOHigh-AssuranceSecureServerCA.crt -keystore C:\ssl.key

    4. Install your server's certificate:
      keytool -import -trustcacerts -alias tomcat -file C:\cert\192_168_1_7.crt -keystore C:\ssl.key

  7. Replace Ignition's default keystore.
    You now have a keystore file at C:\ssl.key that holds your SSL certificate. The certificate alias is tomcat and the password is ignition. You can now replace the keystore file that ships with Ignition with your file. Make a backup of the file at C:\Program Files\Inductive Automation\Ignition\tomcat\ssl.key and replace it with your keystore file. You need to restart the Ignition service after replacing this file. After the restart, confirm from another machine, in a browser or with a TLS client such as openssl s_client, that the Gateway now presents your CA-signed certificate chain rather than the self-signed one and that no warning is shown.
    Make sure your SSL port is allowed through your server's firewall. The default SSL port is 8043, and can be changed to the standard SSL port (443) through the Gateway Control Utility (GCU).
    If you have a redundant installation, you'll need to repeat this procedure on your backup server, with a second certificate issued for that server's own name or address.
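The keystore procedure above (steps 3 through 7), scripted end to end, as an added example that is not part of the Ignition documentation. It drives keytool from a JDK on the PATH, just as the page's commands do, but is written for a POSIX shell rather than the Windows command prompt. In place of a purchased certificate it stands up a throwaway local CA (the "Example Test CA" keystore) to sign the request, so the whole flow, including the chain import and the final keystore check, can be run offline. The host name secure.yourdomain.com, the organization fields, the working directory and the CA password are placeholders; the alias tomcat and the password ignition are the values the page requires.

```shell
#!/bin/sh
# Added example (not from the Ignition documentation): scripted keystore build.
# Requires keytool from a JDK on the PATH. Host name, organization fields,
# working directory and the CA password are placeholders.
set -eu

# Alias and password the Gateway's bundled Tomcat opens the keystore with.
ALIAS=tomcat
STOREPASS=ignition
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/ssl.key"

# Step 3: keystore holding a new 2048-bit RSA key pair. The "first and last
# name" prompt is the CN; -dname supplies it so the command runs unattended.
make_keystore() {   # $1 = host name or IP the Gateway is reached by
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$1, O=Example Company, L=Sacramento, ST=California, C=US" \
    -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 4: certificate signing request to hand to the certificate authority.
make_csr() {
  keytool -certreq -alias "$ALIAS" -file "$WORKDIR/csr.txt" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Stand-in for step 5: a local CA signs the CSR so the example works offline.
# A real CA returns its root and intermediate certificates plus your server
# certificate; here the local CA's own certificate plays the root.
fake_ca_sign() {    # $1 = host name, must match the CSR's CN
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Test CA, O=Example Company, C=US" -ext bc:c \
    -keystore "$WORKDIR/ca.jks" -storetype JKS -storepass capass -keypass capass
  keytool -exportcert -alias ca -keystore "$WORKDIR/ca.jks" -storepass capass \
    -rfc -file "$WORKDIR/root.crt"
  keytool -gencert -alias ca -keystore "$WORKDIR/ca.jks" -storepass capass \
    -infile "$WORKDIR/csr.txt" -outfile "$WORKDIR/server.crt" \
    -validity 365 -rfc -ext "san=dns:$1"
}

# Step 6: import the chain, root first, then the server certificate under the
# SAME alias as the private key. Any other alias stores the reply as a separate
# trusted-certificate entry and Tomcat keeps serving the self-signed certificate.
import_chain() {
  keytool -importcert -trustcacerts -noprompt -alias root \
    -file "$WORKDIR/root.crt" -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -trustcacerts -alias "$ALIAS" \
    -file "$WORKDIR/server.crt" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Check before step 7 (copying ssl.key over the Gateway's and restarting the
# service): the tomcat entry must be a PrivateKeyEntry and its chain must now
# include the CA certificate(s). A chain length of 1 means the reply was not
# paired with the key and the Gateway would still present the self-signed cert.
list_entry()   { keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"; }
entry_type()   { list_entry | sed -n 's/^Entry type: //p'; }
chain_length() { list_entry | sed -n 's/^Certificate chain length: //p'; }

run_demo() {        # $1 = host name for the certificate
  make_keystore "$1"
  make_csr
  fake_ca_sign "$1"
  import_chain
  echo "keystore $KEYSTORE: entry type $(entry_type), chain length $(chain_length)"
}

if command -v keytool >/dev/null 2>&1; then
  run_demo secure.yourdomain.com
else
  echo "keytool not found: install a JDK and put its bin directory on the PATH" >&2
fi
```

To produce a real request, drop fake_ca_sign, send csr.txt to the certificate authority, and feed the files it returns to import_chain with their real names, adding the intermediate certificate import between the root and the server certificate as in step 6 of the Comodo example. If the CN is an IP address, sign with san=ip:... rather than san=dns:.... The entry_type and chain_length checks are worth running on any keystore before it is copied over the Gateway's.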
