This section describes how to enable secure networking communication between the different components of the ROB-EX system. Enabling SSL means that traffic between server and clients are encrypted and that web-server sessions with the Shop Floor client must be accessed through https in the browser.
This manual is divided into the following sections, explaining how to enable secure communication for the different components (the number refers to the number on the drawing above)
SSL communication between the Multiuser Server and ROB-EX cliens is by default turned off. To enable this feature change the configuration by hand editing file
application.yml. Read more about the settings of this file here.
Start out by locating the location on the file system where your server is installed. If in doubt locate the Server service (Run->Services.msc and locate the ROB-EX Multiuser Service for instance X). Double click on the service and take a note of the “Path to executable:” – the application.yml file will be in the same directory as the executable. The default location will be in
C:\Program Files (x86)\ROB-EX\ganttServerG2\application.yml.
Add these lines to the file, changing the
grpc.server.security.enabled value to true
grpc: port: 6566 # client http port server: security: enabled: true
Generating ROB-EX Scheduler Server certificates
This explains how to generate self-signed certificates for the components 1+2 on the top drawing.
The default certicate installed out-of-the-box is located in
ganttServerG2\certificates. This certificate is locked to the localhost domain and should only be used for testing, i.e. the default certificates will only work for ROB-EX clients connecting to https://localhost:6565. You need to generate your own private self-signed certificates where you bake the hostname of your server into.
To generate new self-signed certificates
- Install the Openssl command line tool from a trusted location. See e.g. wiki.openssl.org/index.php/Binaries . You can test a valid openssl tool by opening a command prompt with cmd.exe and run the command
openssl version -a. The following has been tested to work with the v1.1.1 of the Openssl tool.
robex-srv1in the line
set SRV_NAME=robex-srv1with the actual name of your ROB-EX server. Then save the file
- Run the
ganttServerG2\create-selfsigned-certificate.batscript, by double clicking the file from Windows File Explorer. Verify that new *.pem and *.pfx files were generated to the
Finally copy the two files selfsigned-public-key-cert.pem and selfsigned-key-store.pfx to the
\config\certificates folder of your ROB-EX Scheduler Client installation directory. This will ensure that the ROB-EX Scheduler clients know the new certificates.
Common issues and debugging pointers.
If self signed certificates are used the property gantt.certificates.local has to be set to true, if not the client wont be able to connect to the server. By default there will be nothing in the log file indicating that an error has happened, besides the time out when connecting. To obtain the information that the TLS handshake failed, because the client doesn’t trust the certificate, the log level for the name space io.grpc.netty need to be set to trace. The same problem will happen if host name does not match the name in the generated certificate.
In general issues with the certificates wont be shown at the error log level, so it is necessary to edit the logback.xml of the client or server to debug issues with certificates.
For now only http is supported, so if https access is required, we recommend to setup a proxy like Traefik.
Changes must be made to the
\plugins\shopfloor\site\conf\server.xml file. If Shop Floor is available as a public service on the internet, then it is strongly recommended to secure the communication with SSL.
The normal http connector should be commented out, like this:
<!-- <Connector className="org.apache.catalina.connector.http.HttpConnector" port="80" minProcessors="5" maxProcessors="75" enableLookups="true" redirectPort="18443" acceptCount="10" debug="0" connectionTimeout="60000"/> -->
Below the above connector is another with scheme=https. This needs to be commented-in by removing the immediate surrounding
<Connector className="org.apache.catalina.connector.http.HttpConnector" port="443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true"> <Factory className= "org.apache.catalina.net.SSLServerSocketFactory" clientAuth="false" keystoreFile="/config/ssl/.keystore" keystorePass="xxxxxxxxxx" protocol="TLS" keyAlias="gantt" /> </Connector>
The important parts are the marked areas for
secure. The default https port is 443 and Shopfloor can be accessed on https://localhost (i.e. notice it is not necessary to specify the port number, as 443 is the default port for https communication). If another port is preferred the
port attribute should be changed.
More information about how to install your own certificate files can be found in the chapter Keystore and truststore. Note that if you install your own certificates, then In addition the client must be configured with updated SSL settings as described in ROB-EX Client configuration.
REST Server Service
To enable SSL for the REST Server Service integration (used as example for communication with .NET based clients) add the https scheme usage as a parameter on the short cut for starting ROB-EX, or alternatively insert this line in
More information about how to install your own certificate files can be found in the chapter Installing your own Shop Floor and REST certificate. Note that if you install your own certificates, then In addition the client must be configured with updated SSL settings as described in ROB-EX Client configuration.
REST clients connecting to a https enabled REST service, must be configured to allow and accept self-signed certificates. The details of this depends on the coding language used, but should be straight forward to implement.
Installing your own Shop Floor and REST certificate
This explains how to generate self-signed certificates for the components 3+4 on the top drawing.
The default certicate installed out-of-the-box is located in
\config\ssl. These default certificates are not locked to the localhost domain and could be used out-of-the-box. However for improved safety is is always good to generate your own self signed certificates.
This section describes what tools to use in case you would like to install and use your own certificate, e.g. your own self signed certificates or a certificate obtained from a trusted certificate authority (CA). The certificate provided out of the box with ROB-EX, is a self signed certificate. This certificate type has the following pros and cons:
- (+) it is free to use
- (+) it never expires (a certificate issues by a CA, will typically expire after 1-2 years)
- (+) it is secure, in the sense that transmitted data is encrypted in a robust and secure fashion
- (-) a browser will warn that the certificate is not issued by a trusted certificate authority. If you want to avoid the warning, the different browsers all have options a user can accept a self signed certificate as being safe (search the Internet for a how-to on the subject).
If you would like to install your own certificate, the certificate should be generated and added to the keystore for the ROB-EX client sides. A tool that is part of the JDK from Oracle/OpenJDK, called keytool and is located in the bin folder, is used for working with certificate stores
To generate your own certificate.
keytool -genkey -alias gantt -keyalg RSA -validity 36500 -keystore .keystore
If you wish to add an existing signed primary certificate use this:
keytool -import -trustcacerts -alias gantt -file mycertificate.crt -keystore .keystore
The client side need to use a truststore with the certificate. To do this, export from the keystore with the keytool:
Export the certificate from the keystore
keytool -export -alias gantt -keystore .keystore -rfc -file provider.cer
Import the certificate into the truststore
keytool -import -alias gantt -file provider.cer -keystore .truststore
New keystore and truststore files should be placed into the
\config\ssl folder (client side)
The client setup properties for Shop Floor and REST Server Service must be changed by adding/modifying the lines below to the
\custom\GanttSetup.properties file (typically add these lines at the top of the file):
-Djavax.net.ssl.keyStore=./config/ssl/.keystore -Djavax.net.ssl.keyStorePassword= -Djavax.net.ssl.trustStore=./config/ssl/.truststore -Djavax.net.ssl.trustStorePassword=
Note that when using the internal ROB-EX generated certificate, passwords can be left as blank and it will automatically use the password defined in the server.xml config. Passwords need only be specified when you want to use your own generated certificate.