This section describes how to enable secure networking communication between the different components of the ROB-EX system. Enabling SSL means that traffic between server and clients are encrypted and that web-server sessions with the Shop Floor client must be accessed through https in the browser.

This manual is divided into the following sections, explaining how to enable secure communication for the different components (the number refers to the number on the drawing above)

Multiuser Server

SSL communication between the Multiuser Server and ROB-EX cliens is by default turned off. To enable this feature change the configuration by hand editing file application.yml. Read more about the settings of this file here.

Start out by locating the location on the file system where your server is installed. If in doubt locate the Server service (Run->Services.msc and locate the ROB-EX Multiuser Service for instance X). Double click on the service and take a note of the “Path to executable:” – the application.yml file will be in the same directory as the executable. The default location will be in C:\Program Files (x86)\ROB-EX\ganttServerG2\application.yml.

Add these lines to the file, changing the grpc.server.security.enabled value to true

grpc:
   port: 6566  # client http port
   server:
      security:
         enabled: true

Generating ROB-EX Scheduler Server certificates

This explains how to generate self-signed certificates for the components 1+2 on the top drawing.

The default certicate installed out-of-the-box is located in ganttServerG2\certificates. This certificate is locked to the localhost domain and should only be used for testing, i.e. the default certificates will only work for ROB-EX clients connecting to https://localhost:6565. You need to generate your own private self-signed certificates where you bake the hostname of your server into.

To generate new self-signed certificates

  1. Install the Openssl command line tool from a trusted location. See e.g. wiki.openssl.org/index.php/Binaries . You can test a valid openssl tool by opening a command prompt with cmd.exe and run the command openssl version -a . The following has been tested to work with the v1.1.1 of the Openssl tool.
  2. Edit ganttServerG2\create-selfsigned-certificate.bat, replacing robex-srv1 in the line set SRV_NAME=robex-srv1 with the actual name of your ROB-EX server. Then save the file
  3. Run the ganttServerG2\create-selfsigned-certificate.bat script, by double clicking the file from Windows File Explorer. Verify that new *.pem and *.pfx files were generated to the ganttServerG2\certificates folder.

Finally copy the two files selfsigned-public-key-cert.pem and selfsigned-key-store.pfx to the <sch_client_dir>\config\certificates folder of your ROB-EX Scheduler Client installation directory. This will ensure that the ROB-EX Scheduler clients know the new certificates.

Web-admin

For now only http is supported, so if https access is required, we recommend to setup a proxy like Traefik.

Shop Floor

Changes must be made to the <client_dir>\plugins\shopfloor\site\conf\server.xml file. If Shop Floor is available as a public service on the internet, then it is strongly recommended to secure the communication with SSL.

The normal http connector should be commented out, like this:

<!--
 <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="80" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="18443"
               acceptCount="10" debug="0" connectionTimeout="60000"/>
-->

Then paste this SSL part just below the out-commented section.

<Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true"/>

The default https port is 443 and Shopfloor can be accessed on https://localhost (i.e. notice it is not necessary to specify the port number, as 443 is the default port for https communication). If another port is preferred the port attribute should be changed.

More information about how to install your own certificate files can be found in the chapter Keystore and truststore. Note that if you install your own certificates, then In addition the client must be configured with updated SSL settings as described in ROB-EX Client configuration.

REST Server Service

To enable SSL for the REST Server Service integration (used as example for communication with .NET based clients) add the https scheme usage as a parameter on the short cut for starting ROB-EX, or alternatively insert this line in custom/GanttSetup.properties:

-Dgantt.rest.scheme=https

More information about how to install your own certificate files can be found in the chapter Keystore and truststore. Note that if you install your own certificates, then In addition the client must be configured with updated SSL settings as described in ROB-EX Client configuration.

REST clients connecting to a https enabled REST service, must be configured to allow and accept self-signed certificates. The details of this depends on the coding language used, but should be straight forward to implement.

Installing your own Shop Floor and REST certificate

This explains how to generate self-signed certificates for the components 3+4 on the top drawing.

The default certicate installed out-of-the-box is located in <sch_client_dir>\config\ssl. These default certificates are not locked to the localhost domain and could be used out-of-the-box. However for improved safety is is always good to generate your own self signed certificates.

This section describes what tools to use in case you would like to install and use your own certificate, e.g. your own self signed certificates or a certificate obtained from a trusted certificate authority (CA). The certificate provided out of the box with ROB-EX, is a self signed certificate. This certificate type has the following pros and cons:

  • (+) it is free to use
  • (+) it never expires (a certificate issues by a CA, will typically expire after 1-2 years)
  • (+) it is secure, in the sense that transmitted data is encrypted in a robust and secure fashion
  • (-) a browser will warn that the certificate is not issued by a trusted certificate authority. If you want to avoid the warning, the different browsers all have options a user can accept a self signed certificate as being safe (search the Internet for a how-to on the subject).

If you would like to install your own certificate, the certificate should be generated and added to the keystore for the ROB-EX client sides. A tool that is part of the JDK from Oracle/OpenJDK, called keytool and is located in the bin folder, is used for working with certificate stores

To generate your own certificate.

keytool -genkey -alias gantt -keyalg RSA -validity 36500 -keystore .keystore

If you wish to add an existing signed primary certificate use this:

keytool -import -trustcacerts -alias gantt -file mycertificate.crt -keystore .keystore

The client side need to use a truststore with the certificate. To do this, export from the keystore with the keytool:

Export the certificate from the keystore

keytool -export -alias gantt -keystore .keystore -rfc -file provider.cer

Import the certificate into the truststore

keytool -import -alias gantt -file provider.cer -keystore .truststore

New keystore and truststore files should be placed into the <sch_client_dir>\config\ssl folder (client side)

ROB-EX Client

The client setup properties for Shop Floor and REST Server Service must be changed by adding/modifying the lines below to the <client_dir>\custom\GanttSetup.properties file (typically add these lines at the top of the file):

-Djavax.net.ssl.keyStore=./config/ssl/.keystore
-Djavax.net.ssl.keyStorePassword=

-Djavax.net.ssl.trustStore=./config/ssl/.truststore
-Djavax.net.ssl.trustStorePassword=

Note that when using the internal ROB-EX generated certificate, passwords can be left as blank. Passwords needs only be specified when you want to use your own generated certificate.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment