Define the Certificate Settings for Original WebX Clients
ATTENTION: This section and associated topics apply to the Original WebX client only.
This topic relates to the HTTPS Support properties that are deprecated and provided as a fallback. The HTTPS Support properties will be removed in a future version of this product.
For improved security, instead of using the settings that are configured in the HTTPS Support section, Original WebX clients are now expected to connect to an IIS reverse proxy which connects to the Listen Port (see Define the Listen Port Settings for Original WebX Clients).
To help protect your system against unauthorized access, Geo SCADA Expert uses certificates for Original WebX clients.
The certificates allow the Geo SCADA Expert server to use encryption for client-server communications.
There are two types of certificates that Geo SCADA Expert can use for Original WebX. The certificates must be in PEM or DER format.
- Trusted certificates—These SSL certificates have to be obtained from Certification Authorities, such as VeriSign, GlobalSign, DigiCert, GoDaddy, and StartCom.
We strongly recommend that you use trusted certificates with your Geo SCADA Expert system.
- Non-trusted certificates—Non-trusted certificates do not provide authentication, so the client cannot tell if the certificate is legitimate.
NOTICE
SECURITY THREAT
Using or installing a non-trusted certificate could compromise your system security. Potentially, it could lead to unauthorized access. For this reason, we strongly recommend that you use a trusted certificate.
Failure to follow these instructions can result in equipment damage.
However, if you are willing to acknowledge a lower level of security, you can use the default non-trusted certificate provided with Geo SCADA Expert in an internally managed network environment.
You can either:
- Obtain a public signed certificate from a zero cost provider.
- Create a self-signed certificate.
For more information, see the Geo SCADA Expert Knowledge Base.
If a server-generated non-trusted SSL certificate is used, the client will display warning messages when users access the system. The exact warning message depends on the browser, but typically might be "There is a problem with this website’s security certificate". Some users may find these warning messages distracting, although they do not affect their ability to interact with your Geo SCADA Expert system.
If a trusted SSL certificate is used, the client is able to verify that it is connecting to the expected server, and so there are no warning messages shown when a client accesses the secure web server ports.
We recommend that you obtain trusted SSL certificates for your web servers so that users do not receive distracting warning messages. We also recommend you review your security options and establish appropriate security for your web server.
You cannot install a new SSL certificate using the above properties if the Geo SCADA Expert database is in an invalid state. This is by design. With such a scenario, you should resolve the database configuration issue first and then restart the Geo SCADA Expert server. Once the server and database are running, you can then install the required SSL certificate.
Recommended security:
- Obtain and install a web server certificate
- Disable "Allow logon and database writes over non-secure HTTP"
- Use a proxy server or proxy firewall for communications with Original WebX clients.
Maximum security:
- Obtain and install a web server certificate
- Disable "Allow logon and database writes over non-secure HTTP"
- Disable HTTP port(s)
- Use a proxy server or proxy firewall for communications with Original WebX clients.
Not recommended:
- Use the default server-generated non-trusted web server certificate
- Enable "Allow logon and database writes over non-secure HTTP".