Configuring Encryption (HTTPS, TLS)
AS Interface
HTTPS is supported by default in AS Interface V2.
To use it, HTTPS must be enabled by configuring an endpoint in appsettings.json with the appropriate certificates.
It is assumed that the client already has the required certificates for HTTPS support. Therefore, this manual does not cover the generation or signing of certificates.
Configuration uses the standard options of the Kestrel web server, which is the server that runs the AutoStore Interface. For a complete overview of these options, refer to the official Microsoft documentation.
Defining HTTPS Endpoint
The HTTPS endpoints must be defined inside a "Kestrel" category, which itself must define "Endpoints". For each endpoint, a category with an arbitrary name must be defined to represent the endpoint. The endpoint category must contain a "Url" and paths to any certificate files under a "Certificate" category. It must also contain "ClientCertificateMode": "RequireCertificate" in order to make client certificates mandatory.
"Kestrel": {
"Endpoints": {
"Https": {
"Url": "https://localhost:44000",
"Certificate": {
"Path": "<path_to_cert_file>",
"KeyPath": "<path_to_key_file>",
"Password": "<cert_password>"
},
"ClientCertificateMode": "RequireCertificate"
}
}
}
The excerpt below is taken from the official Microsoft documentation and illustrates how to configure Kestrel using various certificate files.
{
"Kestrel": {
"Endpoints": {
"Http": {
"Url": "http://localhost:5000"
},
"HttpsInlineCertFile": {
"Url": "https://localhost:5001",
"Certificate": {
"Path": "<path to .pfx file>",
"Password": "$CREDENTIAL_PLACEHOLDER$"
}
},
"HttpsInlineCertAndKeyFile": {
"Url": "https://localhost:5002",
"Certificate": {
"Path": "<path to .pem/.crt file>",
"KeyPath": "<path to .key file>",
"Password": "$CREDENTIAL_PLACEHOLDER$"
}
},
"HttpsInlineCertStore": {
"Url": "https://localhost:5003",
"Certificate": {
"Subject": "<subject; required>",
"Store": "<certificate store; required>",
"Location": "<location; defaults to CurrentUser>",
"AllowInvalid": "<true or false; defaults to false>"
}
},
"HttpsDefaultCert": {
"Url": "https://localhost:5004"
}
},
"Certificates": {
"Default": {
"Path": "<path to .pfx file>",
"Password": "$CREDENTIAL_PLACEHOLDER$"
}
}
}
}
It is recommended to use the standard AS Interface port 44000 when configuring HTTPS endpoints.
Removing The Default HTTP Endpoint
The default HTTP endpoint is determined by the Urls field in appsettings.json. This field should be removed entirely, as any value left in the configuration will be overridden by the settings defined under the "Kestrel":"Endpoints" category.
"Urls": "http://0.0.0.0:44000",
Enabling Interface-Side Certificate Only
If only the Interface is required to present a certificate, the "ClientCertificateMode": "RequireCertificate" field can be omitted.
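As an added example (not part of the AutoStore documentation), a small Python check that loads an appsettings.json and reports the mistakes this section warns about: a leftover top-level "Urls", endpoints that are not HTTPS or not on port 44000, endpoints with no certificate (and no "Kestrel":"Certificates":"Default" fallback), and a missing "ClientCertificateMode": "RequireCertificate". The sample configuration is constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample appsettings.json, modelled on the Kestrel fragment above.
# The leftover top-level "Urls" entry and the plain HTTP endpoint are deliberate
# mistakes so the checker has something to report.
SAMPLE_APPSETTINGS = """{
  "Urls": "http://0.0.0.0:44000",
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://localhost:44000",
        "Certificate": {"Path": "<path_to_cert_file>", "KeyPath": "<path_to_key_file>",
                        "Password": "<cert_password>"},
        "ClientCertificateMode": "RequireCertificate"
      },
      "Plain": {"Url": "http://localhost:5000"}
    }
  }
}"""


def check_kestrel_config(text, expected_port=44000, require_client_cert=True):
    """Return a list of findings; an empty list means the Kestrel section looks right."""
    cfg = json.loads(text)
    findings = []
    # A leftover "Urls" value is overridden by Kestrel:Endpoints, so it should be removed.
    if "Urls" in cfg:
        findings.append('top-level "Urls" should be removed')
    kestrel = cfg.get("Kestrel", {})
    endpoints = kestrel.get("Endpoints", {})
    if not endpoints:
        return findings + ["no Kestrel:Endpoints defined"]
    has_default_cert = "Path" in kestrel.get("Certificates", {}).get("Default", {})
    for name, ep in endpoints.items():
        url = urlparse(ep.get("Url", ""))
        if url.scheme != "https":
            findings.append(f"{name}: not an HTTPS endpoint ({ep.get('Url')})")
            continue
        if (url.port or 443) != expected_port:
            findings.append(f"{name}: not on the standard AS Interface port {expected_port}")
        cert = ep.get("Certificate", {})
        # A file (Path, plus KeyPath for PEM) or a store lookup (Subject) is needed,
        # unless a Kestrel:Certificates:Default fallback exists.
        if "Path" not in cert and "Subject" not in cert and not has_default_cert:
            findings.append(f"{name}: no Certificate configured and no default certificate")
        if require_client_cert and ep.get("ClientCertificateMode") != "RequireCertificate":
            findings.append(f"{name}: ClientCertificateMode is not RequireCertificate")
    return findings
```

Pass require_client_cert=False when only the Interface side presents a certificate, as described in the previous paragraph.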
AS Log Publisher
TLS-encrypted connections are supported starting from AS Log Publisher version 1.23.0.
Newer versions of Log Publisher provide a separate channel for secure communication using TLS between Log Publisher and the Log Publisher client.
OpenSSL is used to provide this functionality.
Install OpenSSL
OpenSSL can be downloaded and compiled from https://openssl-library.org/source/ or a list of precompiled versions can be found at https://wiki.openssl.org/index.php/Binaries.
For development, OpenSSL is also available through vcpkg at https://vcpkg.io/en/package/openssl.html.
Creating Certificates
Self-signed SSL certificates can be created using OpenSSL. Once installed, OpenSSL can be used directly from Git Bash.
Execute the following command for an interactive certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
Execute the following command for a non-interactive certificate with a 10-year expiration:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
The certificate file needs to contain both the certificate and the private key. If a certificate file is provided, Log Publisher establishes encrypted client listening sockets; otherwise it keeps running but only provides the usual non-encrypted channel.
The certificate and the key need to be combined into one file using the following PowerShell command:
Get-Content cert.pem, key.pem | Set-Content server.pem
Building
Run CMake with the following command:
cmake --preset msvc -DOPENSSL_ROOT_DIR="C:\\Program Files\\FireDaemon OpenSSL 3"
OpenSSL must be installed; OPENSSL_ROOT_DIR should be the path to your OpenSSL installation.
Configuring Log Publisher
For Log Publisher to be able to provide the channel for secure communication, a certificate file must be properly set in the App.config.
The default port number for connecting to this encrypted channel is 44101. However, this can be changed in the App.config file by editing the "secureclientport" setting.
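An added Python check (not part of the Log Publisher project) for the combined server.pem before its path goes into App.config. Because Log Publisher only opens the encrypted channel when it is given a certificate file that contains both the certificate and the private key, it is worth confirming offline that the file really carries a CERTIFICATE block and a private key block, and whether the key was generated without -nodes and is therefore passphrase-protected. The sample PEM text is constructed filler with the right framing, not a real certificate or key.

```python
import base64
import re

# Constructed stand-in for server.pem: the base64 bodies are made-up filler, not a
# real certificate or key, so only the PEM framing is exercised here.
SAMPLE_SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAA
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0B
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, der_bytes) for every well-formed PEM block in text."""
    blocks = []
    # Set-Content on Windows writes CRLF line endings; normalise before matching.
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks


def check_server_pem(text):
    """Findings for a combined Log Publisher certificate file; empty means usable."""
    try:
        blocks = pem_blocks(text)
    except ValueError:  # b64decode raises binascii.Error (a ValueError) on bad bodies
        return ["a PEM block body is not valid base64 (corrupted copy?)"]
    labels = [label for label, _ in blocks]
    findings = []
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block: cert.pem was not included")
    keys = [label for label in labels if label in KEY_LABELS]
    if not keys:
        findings.append("no private key block: key.pem was not included")
    elif "ENCRYPTED PRIVATE KEY" in keys:
        findings.append("private key is passphrase-protected (generated without -nodes)")
    return findings
```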
Connect to the Log Publisher TLS port 44101 and verify that it works:
openssl s_client -connect localhost:44101 -showcerts