Configure the Client Connection Security Settings
Geo SCADA Expert supports the use of certificates to initiate secure connections and encrypt the data that is transmitted between Geo SCADA Expert servers and clients. Geo SCADA Expert supports two sets of certificates:
- Server certificates that the Geo SCADA Expert server provides to the clients, so that the clients can verify that the server is a valid Geo SCADA Expert server.
- Client certificates that the clients provide to the Geo SCADA Expert server, so that the server can verify that the clients are valid clients.
You can optionally require the client certificates to map to a Windows user account.
We strongly recommend that you set up your system to use trusted certificates to initiate secure connections and encrypt the data that is transmitted between Geo SCADA Expert servers and clients.
This topic explains how to set up the connection security settings on your client machines, including specifying whether those client machines use client certificates. With systems on which client certificates are required, each client connection configuration should have its own unique certificate(s), each of which must have an associated private key. (Each client connection configuration appears as a separate entry in the Geo SCADA Expert Client applet.) Obtain the required certificates from a trusted certification authority and load each client certificate into the Windows certificate store on the relevant client machine. For more information about certificate stores, see the Windows help.
On each client machine, set up the required client connection security for the client:
- Display the Client Configuration Window for the client connection on which you want to add or edit the connection security settings.
- Select the Security button on the Client Configuration Window.
The Connection Security window is displayed.
- Either:
- Select the Validate Server Certificate check box if the server machines to which the client is to connect use certificates that have been obtained from a trusted certification authority.
Or:
- Clear the Validate Server Certificate check box if the server machines use self-signed certificates. (If this is the case, the Use Temporary Certificates check box has to be selected in the Connection Security section on the Server Configuration Tool of the server machines (see Configure the Connection Security Settings in the Geo SCADA Expert Guide to Server Administration).)
- Specify the required Client Certificate Mode. Choose from:
- Disabled—Not recommended. The client does not use client certificates for communications with Geo SCADA Expert servers. Select this option if none of the servers with which the client is to communicate are configured to Require Client Certificates (see Configure the Connection Security Settings in the Geo SCADA Expert Guide to Server Administration).
The fields in the Client Certificate Selection section of the window will be 'grayed out' and unavailable for use.
- Automatic—Choose this option or the Specified option (see below) if any of the servers with which the client is to communicate are configured to Require Client Certificates (see Configure the Connection Security Settings in the Geo SCADA Expert Guide to Server Administration). If the server requests a certificate when communications are initiated, the client will provide one. The client certificate will be selected automatically, based on the CA root certificates that the server trusts. The fields in the Client Certificate Selection section of the window will be 'grayed out' and unavailable for use.
- Specified—Choose this option or the Automatic option (see above) if any of the servers with which the client is to communicate are configured to Require Client Certificates (see Configure the Connection Security Settings in the Geo SCADA Expert Guide to Server Administration). If the server requests a certificate when communications are initiated, the client will provide one. Select this option if you want to specify the certificate that the client uses for communications with Geo SCADA Expert servers. Use the fields within the Client Certificate Selection section of the window to do this.
- If the Client Certificate Mode is set to 'Specified', use the fields in the Client Certificate Selection section of the window to specify one of the following:
- Subject Name Search—Use to restrict the available client certificates to just those that meet the search criteria specified in this field. This field is a 'contains' field, so the search results (access via the Results button) list those valid certificates that contain the character or character combination that you specify in this field. For example, if you specify the letter a, it will display those certificates that include the letter a in their Subject Name field. Likewise, if you specify the text e.1, it will display those certificates that include that specific string in their Subject Name field.
When communications are initiated, if multiple valid certificates match the search string, they will be filtered based on the CA root certificates that the server trusts, after which a certificate will be selected arbitrarily. As the certificate is selected at the time that the client connects to the server, a different certificate could be selected for each Windows user that is logged on to the computer.
Be aware that the actual search will be performed at the time that the client connection is initiated. As such, the client certificates that are available at that time might differ from those shown in the Results window when you are setting up the search criteria. For example, certificates that have expired will no longer meet the search criteria, while other newly added certificates might fulfill the search criteria.
- Specify Certificate—Use this option to specify a particular certificate.
If you choose this option, be aware that this configuration will need updating whenever a new certificate is issued.
Select the Choose button to display a window from which you can select the relevant certificate, from the certificates that are loaded into the client machine's Windows certificate store. The following details are displayed about the chosen client certificate, in the Connection Security window:
- Subject—The entity with which the certificate's public key is associated.
- Issuer—Information that identifies the organization that issued the certificate.
- Expiry—The date and time at which the certificate will expire (shown in Local Time). It is important to renew client certificates well in advance of their expiry time. (Remember to update the Specify Certificate configuration as soon as the certificate has been renewed.)
- With the Allow use of legacy protocol check box either:
- Clear the check box (the default on new installations) for this client to only connect to Geo SCADA Expert servers that support the new more secure protocol (Geo SCADA Expert 2020 onwards).
- Select the check box (the default on upgrades from older system definitions) to enable the client to connect to all Geo SCADA Expert servers that are running a supported version of Geo SCADA Expert, regardless of protocol. The client will use the legacy protocol when connecting to servers that are running Geo SCADA Expert 2019 or earlier versions of software.
We recommend that you clear this check box once all of your servers have been upgraded to use the new more secure protocol.
- Select the OK button to confirm the configuration and close the Connection Security window.
- Select the OK button on the Client Configuration window to confirm the configuration on that window.
- Perform similar updates on other client connections as required.
- Use the Close button to close the client applet.
- Perform similar updates on other client machines as required.
The settings that you specify above are saved in the auto-generated Systems.xml file on the client machine. As an alternative to using the Connection Security window and Client Configuration applet, you can define the client's Connection Security settings by editing the Systems.xml file manually (see Use the Systems.xml File to Set Up a ViewX Client Connection).
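The following PowerShell sketch is an added example, not part of the Geo SCADA Expert product or its documentation. It previews which certificates in a Windows certificate store a Subject Name Search string could match at connection time, and flags ambiguous matches and certificates that are close to expiry. The function name, the store path (`Cert:\CurrentUser\My`), the case-insensitive comparison, the 30-day warning threshold and the sample search text are assumptions; the server-side filtering by trusted CA root cannot be reproduced locally, so the issuer is listed for manual comparison.

```powershell
# Added example: list client certificates that a 'contains' Subject Name Search
# could match, so ambiguity and upcoming expiry are visible before connecting.
function Get-CandidateClientCertificate {
    [CmdletBinding()]
    param(
        # Text typed into the Subject Name Search field.
        [Parameter(Mandatory)] [string] $SubjectContains,
        # Assumption: the client certificate lives in the per-user personal store.
        [string] $StorePath = 'Cert:\CurrentUser\My',
        # Assumption: flag certificates that expire within this many days.
        [int] $WarnDays = 30
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object {
            # A client certificate is only usable with its private key,
            # and only while it is inside its validity period.
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            # Assumption: the 'contains' match ignores case.
            $_.Subject.IndexOf($SubjectContains,
                [StringComparison]::OrdinalIgnoreCase) -ge 0
        } |
        Sort-Object NotAfter |
        Select-Object Subject, Issuer, Thumbprint,
            @{ Name = 'ExpiryLocal'; Expression = { $_.NotAfter } },
            @{ Name = 'DaysLeft'
               Expression = { [math]::Floor(($_.NotAfter - $now).TotalDays) } },
            @{ Name = 'RenewSoon'
               Expression = { ($_.NotAfter - $now).TotalDays -lt $WarnDays } }
}

# Constructed search text; replace with the value used in the Connection Security window.
$candidates = @(Get-CandidateClientCertificate -SubjectContains 'e.1')

if ($candidates.Count -eq 0) {
    Write-Warning 'No valid certificate with a private key matches the search text.'
}
elseif ($candidates.Count -gt 1) {
    # More than one match means the certificate presented depends on the
    # server's trusted roots and then on an arbitrary choice.
    Write-Warning "$($candidates.Count) certificates match; narrow the search text or use Specify Certificate."
}

$candidates | Format-Table -AutoSize
```

Run it as each Windows user who logs on to the client machine, because the set of available certificates, and therefore the certificate selected, can differ per user.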
Further Information
Certificates for Geo SCADA Expert Server and Client Connections.
Configure the Connection Security Settings for your Geo SCADA Expert servers.