How to Configure a Secure Connection to a ThingWorx Platform from the ADO Service
Several elements of the AdoThing.config file provide settings for the certificate files used to validate the server and the client for a secure connection between the ADO service (client) and the ThingWorx platform (server). While you are developing an application, you can configure the ADO service to allow self-signed certificates, as explained in the section How to Perform a Basic Configuration, and then set up the self-signed certificate by following the steps for configuring the server certificate file below.
The ADO Service has two versions, one with a built-in axTLS library for secure connections and one with the OpenSSL library and FIPS module. It is important to note that the axTLS library does not support client authentication when it is used in a client-side application (i.e., for an edge device). It does support it when used in a server-side application. If you require client authentication for an application that you are developing with the ADO Service, you must use the version of the ADO Service that has the OpenSSL library and FIPS module instead of the version with axTLS. The bundle with OpenSSL and FIPS support has -fips in its name.
During development, you can also disable certificate validation. If you choose to disable validation and want to test the connection, continue to the section How to Configure Settings for Windows Service to set up the Windows service.
For a production environment, always use a secure connection. If you allowed self-signed certificates during development, disable that setting and follow the instructions here to configure a secure connection. If you disabled certificate validation, enable it before using the ADO service in a production environment.
Configuring the Server Certificate File
To edit the settings of the server certificate:
1. Locate the element, ServerCertFileSettings.
2. Locate the following lines for the server certificate:
    "rows": [
        {
            "IsEnabled": false,
            "FilePath": "",
            "CertType": 0
3. Change the value of the IsEnabled parameter to true.
4. For the FilePath parameter, type the full path to the local certificate file (PEM or DER format) that is used to validate the server.
5. If you are using axTLS, leave the default setting for the CertType parameter.
6. Save the file.
Configuring the Client Certificate File
Use of a client-side certificate is optional. If you plan to use it, edit the following lines for your environment. The definitions in the table above apply to these parameters.
To edit the settings of a client-side certificate:
1. Locate the ClientCertFileSettings element.
2. Locate the following lines:
    "rows": [
        {
            "IsEnabled": false,
            "FilePath": "",
            "CertType": 0
3. Change the value of the IsEnabled parameter to true.
4. For the FilePath parameter, type the full path to the local certificate file (PEM or DER format) used to validate the client to the server.
5. If you are using axTLS, leave the default setting for the CertType parameter.
6. Save the file.
Configuring the Client Key File
If you are using a key file for client authentication, follow these steps to configure the key file:
1. Locate the ClientKeyFileSettings element.
2. Locate the following lines:
    "rows": [
        {
            "IsEnabled": false,
            "FilePath": "",
            "Passphrase": "",
            "KeyType": 0
3. Change the value of the IsEnabled parameter to true.
4. For the FilePath parameter, type the full path to the file that contains the encrypted key (PEM or DER format).
5. For the Passphrase parameter, type the passphrase to use to open the key file. To encrypt this value, use the -encrypt option of the service executable.
6. If you are using axTLS, leave the default setting for the KeyType parameter.
7. Save the file.
Configuring the X.509 Fields
If you are using X.509 validation, you need to define the fields of an X.509 certificate (in PEM or DER format) that are validated. Null values are not checked against the received certificate, while non-null values are checked. Follow these steps:
1. Locate the X509FieldSettings element.
2. Locate the following lines:
    "rows": [
        {
            "IsEnabled": false,
            "Subject_cn": "",
            "Subject_o": "",
            "Subject_ou": "",
            "Issuer_cn": "",
            "Issuer_o": "",
            "Issuer_ou": ""
3. Change the value of the IsEnabled parameter to true.
4. For the Subject_cn parameter, type the common name of the subject in the certificate.
5. For the Subject_o parameter, type the name of the organization specified for the subject in the certificate.
6. For the Subject_ou parameter, type the name of the organizational unit specified for the subject in the certificate.
7. For the Issuer_cn parameter, type the common name of the issuer in the certificate.
8. For the Issuer_o parameter, type the name of the organization specified for the issuer in the certificate.
9. For the Issuer_ou parameter, type the name of the organizational unit specified for the issuer in the certificate.
10. Save the configuration file.
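The following pre-deployment check for the four elements configured above is an added example, not part of the ADO service or its documentation. It assumes that AdoThing.config parses as JSON, that each element is an object holding a "rows" array at some nesting depth, and that an empty string counts as a null X.509 field; the sample configuration and its "Settings" wrapper are constructed.

```python
import json
from pathlib import PureWindowsPath

X509_FIELDS = ("Subject_cn", "Subject_o", "Subject_ou",
               "Issuer_cn", "Issuer_o", "Issuer_ou")

def find_row(node, element):
    """Return the first "rows" entry of the named element at any nesting depth."""
    if isinstance(node, dict):
        if isinstance(node.get(element), dict):
            return (node[element].get("rows") or [{}])[0]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            row = find_row(child, element)
            if row is not None:
                return row
    return None

def audit(config):
    """List the settings on this page that are not production-ready."""
    findings = []
    def check_file(name, required):
        row = find_row(config, name) or {}
        if not row.get("IsEnabled"):
            if required:
                findings.append(f"{name}: IsEnabled is false")
            return None
        path = row.get("FilePath", "")
        if not path or not PureWindowsPath(path).is_absolute():
            findings.append(f"{name}: FilePath is not a full path")
        return row
    check_file("ServerCertFileSettings", required=True)
    check_file("ClientCertFileSettings", required=False)
    key = check_file("ClientKeyFileSettings", required=False)
    if key is not None and not key.get("Passphrase"):
        findings.append("ClientKeyFileSettings: Passphrase is empty")
    x509 = find_row(config, "X509FieldSettings") or {}
    # Assumption: an empty string counts as a null (unchecked) field.
    if x509.get("IsEnabled") and not any(x509.get(f) for f in X509_FIELDS):
        findings.append("X509FieldSettings: enabled, but no field is set")
    return findings

# Constructed sample; the "Settings" wrapper and all values are hypothetical.
SAMPLE = json.loads(r"""{"Settings": {
 "ServerCertFileSettings": {"rows": [{"IsEnabled": false, "FilePath": "", "CertType": 0}]},
 "ClientCertFileSettings": {"rows": [{"IsEnabled": true, "FilePath": "C:\\certs\\client.pem", "CertType": 0}]},
 "ClientKeyFileSettings": {"rows": [{"IsEnabled": true, "FilePath": "client.key", "Passphrase": "", "KeyType": 0}]},
 "X509FieldSettings": {"rows": [{"IsEnabled": true, "Subject_cn": "", "Issuer_cn": ""}]}}}""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The last finding matters because an enabled X509FieldSettings row with every field left empty compares nothing against the received certificate.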
FIPS Support
As of version 5.6.1, the ADO service supports the use of an embedded FIPS module. To use FIPS mode, download the FIPS version of the ADO service package.
What’s Next?
You have a few choices from this point:
Desired Configuration
Link to Procedure
Configure a proxy server
Configure duty cycle modulation to control the amount of time the ADO service is online
Start the service