Advanced SSL/TLS Configuration
* Since TWX_PLATFORM_TLS_ENABLED and CXSERVER_SSL_ENABLED both default to true, the customer needs to update the key store and trust store paths and passwords.
Follow these steps to configure advanced options for the SSL/TLS connection between the Connection Server and a single-server ThingWorx Platform installation, or between a Connection Server and a ThingWorx High Availability Clustering environment:
1. To enable additional cipher suites for the TLS context, list them in the http-server.ssl.additional-cipher-suites array. For example:

cx-server {
    . . .
    health-check {
        port = 9009
    }
    protocol {
        http-server.ssl.enabled = true
        http-server.ssl.key-store.file = "./keystore.pfx"
        http-server.ssl.key-store.password = "changeit"
        http-server.ssl.additional-cipher-suites = [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256"
        ]
        . . .
    }
    . . .
}
2. To use client authentication, enable it and configure the Java trust store. By default, client authentication is disabled (a value of "none") and the trust store is Java's default trust store ("cacerts"). To enable client authentication and specify how it should behave, set the http-server.ssl.client-authentication.authentication-mode property to one of the following values:
request — Validate the client certificate if the client presents one.
required — A client certificate is required, and it is validated.

cx-server {
    . . .
    health-check {
        port = 9009
    }
    protocol {
        http-server.ssl.enabled = true
        http-server.ssl.key-store.file = "./keystore.pfx"
        http-server.ssl.key-store.password = "changeit"
        http-server.ssl.additional-cipher-suites = [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256"
        ]
        http-server.ssl.client-authentication.authentication-mode = "none"
        http-server.ssl.client-authentication.trust-store.file = ${java.home}/lib/security/cacerts
        http-server.ssl.client-authentication.trust-store.password = "changeit"
    }
}
3. If you are using X.509 authentication, list the files that contain the X.509 certificate revocation lists (CRLs) as paths in the http-server.ssl.client-authentication.certificate-revocation-list-files property.
* Wildcard or glob patterns, such as /path/*.pem, are not supported.
For example:

cx-server {
    . . .
    protocol {
        http-server.ssl.enabled = true
        http-server.ssl.key-store.file = "./keystore.pfx"
        http-server.ssl.key-store.password = "changeit"
        http-server.ssl.additional-cipher-suites = [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256"
        ]
        http-server.ssl.client-authentication.authentication-mode = "none"
        http-server.ssl.client-authentication.trust-store.file = ${java.home}/lib/security/cacerts
        http-server.ssl.client-authentication.trust-store.password = "changeit"

        http-server.ssl.client-authentication.certificate-revocation-list-files = [
            "/some/path/to/crl.pem"
        ]
    }
    . . .
}
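The authentication-mode values from step 2 and the CRL files from step 3 together decide what happens to a client certificate: in request mode a connection without a certificate is accepted while a presented one is validated, in required mode a missing certificate is rejected, and in both modes a certificate that chains to the trust store can still be turned away by a revocation list. The Go program below is an added example, not part of this page and not PTC's Connection Server code (which is a Java application); it models exactly those semantics with Go's crypto/x509, using a constructed in-memory CA, an "edge-device" client certificate and a CRL in place of the trust store and the certificate-revocation-list-files entries. The ClientAuthPolicy type, the LoadCRL and Scenario helpers and the certificate names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientAuthPolicy holds what the client-authentication properties supply: mode, trust store, CRL files.
type ClientAuthPolicy struct {
	Mode       string
	TrustStore *x509.CertPool
	CRLs       []*x509.RevocationList
}

// Authenticate applies the mode semantics to a client certificate that may be nil (none presented).
func (p ClientAuthPolicy) Authenticate(client *x509.Certificate) error {
	switch p.Mode {
	case "none":
		return nil // client certificates are never examined
	case "request", "required":
		if client == nil && p.Mode == "required" {
			return fmt.Errorf("client certificate required but none presented")
		}
		if client == nil {
			return nil // request: validated only when the client presents one
		}
	default:
		return fmt.Errorf("unknown authentication-mode %q", p.Mode)
	}
	opts := x509.VerifyOptions{Roots: p.TrustStore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return err
	}
	for _, crl := range p.CRLs { // a certificate that chains to the trust store can still be revoked
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(client.SerialNumber) == 0 {
				return fmt.Errorf("client certificate serial %s is revoked", client.SerialNumber)
			}
		}
	}
	return nil
}

// LoadCRL parses a DER CRL and checks that issuer signed it, as a loader of each CRL file entry must.
func LoadCRL(der []byte, issuer *x509.Certificate) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	return crl, err
}

func check(err error) { if err != nil { panic(err) } }

// issue signs a 24-hour certificate for a fresh P-256 key with ca/caKey (self-signed when ca is nil).
func issue(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if ca == nil {
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Scenario builds a constructed CA, client certificate and CRL (revoking the client when asked),
// then evaluates mode against that client, or against no certificate when present is false.
func Scenario(mode string, present, revoked bool) error {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	client, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "edge-device"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	if revoked {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: time.Now()}}
	}
	der, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	check(err)
	crl, err := LoadCRL(der, ca)
	check(err)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	if !present { client = nil }
	return ClientAuthPolicy{Mode: mode, TrustStore: trust, CRLs: []*x509.RevocationList{crl}}.Authenticate(client)
}

func main() {
	for _, mode := range []string{"none", "request", "required"} {
		fmt.Printf("%-8s absent: %v | valid: %v | revoked: %v\n", mode,
			Scenario(mode, false, false), Scenario(mode, true, false), Scenario(mode, true, true))
	}
}
```

Running it prints one line per mode: none accepts everything, request accepts an absent certificate but rejects the revoked one, and required rejects both the absent and the revoked certificate. The CRL only takes effect after LoadCRL has confirmed that the trust store's CA signed it, which is the check to expect of any CRL file configured on that path; an unsigned or foreign CRL would otherwise let anyone feed the server a revocation list.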
* When the Connection Server uses SSL/TLS to communicate with the ThingWorx Platform, make sure that the clients sending requests through the Connection Server to the ThingWorx Platform also use SSL/TLS. Otherwise, the client repeatedly receives authentication requests for every resource in the request.
* By default, the Connection Server supports TLS v1.0, TLS v1.1 and TLS v1.2 as server-side protocols for device communication. It is not possible to restrict the protocols that edge devices use for this communication. Note that the Java option "jdk.tls.server.protocols" has no effect, because the Connection Server overrides this setting with its default protocols.