Configuring the HTTP Server for the LSR (SSL/TLS Certificate)
Suppose you want to set up a Lua Script Resource on a device that is external to the WS EMS. To prevent external sources from sniffing packets on your network, it is strongly recommended that you enable SSL/TLS on the HTTP servers on both the WS EMS and the Lua Script Resource. You can also require a user name and password for both HTTP servers to ensure that only authenticated applications can access the LSR model and WS EMS communication channels.
Always configure a secure HTTP server. Otherwise, the WS EMS and LSR will log warning messages when any one or more of the following conditions is true:
SSL is disabled. That is, the ssl property is set to false.
Authentication is disabled.
Certificate validation is disabled.
Self-signed certificates are allowed.
For examples of secure configurations for communications between the WS EMS and the LSR, see Setting Up Secure Communications for WS EMS and LSR. These examples are presented in order of least secure (testing purposes ONLY) to most secure (strongly recommended for production environments).
As of release 5.4.0 of the WS EMS, the Lua Script Resource (LSR) is configured to secure HTTP connections by default.
To load a PEM-encoded certificate for use by the LSR’s HTTP server when TLS is enabled, you need to configure the following properties in your config.lua file:
-- HTTP Server Configuration
scripts.script_resource_host = "localhost"
scripts.script_resource_port = "8001"
scripts.script_resource_ssl = "true"
scripts.script_resource_certificate_chain = "/path/to/lsr_http_server_certificate_chain/file"

scripts.script_resource_private_key = "/path/to/private/key"
scripts.script_resource_passphrase = "some_encrypted_passphrase"
scripts.script_resource_authenticate = "true"
scripts.script_resource_userid = "johnsmith"
scripts.script_resource_password = "some_encrypted_password"

scripts.script_resource_enable_csrf_tokens = true
scripts.script_resource_csrf_token_rotation_period = 10
scripts.script_resource_enable_rest_services = false

Double quotation marks are required in config.lua only for strings. Numbers and Boolean values do not need them, although the LSR still works if you do quote them.
The port number is 8001 by default. You can choose whatever port is available for the HTTP server of the LSR.
To encrypt the passphrase and password, see Encrypting Application Keys, Passwords, and Passphrases.
The following table lists and briefly describes the properties for the HTTP Server of the LSR:
scripts.script_resource_host = "localhost"
The host name or IP address of the machine where the LSR is running. The default value is "localhost".
scripts.script_resource_port = "8001"
The number of the port used on the host for communicating with the WS EMS. The default value is "8001". Choose whichever port is available on the device for the HTTP Server of the LSR.
scripts.script_resource_ssl = "true"
Whether to use SSL/TLS for communication (Boolean). The default value is "true".
scripts.script_resource_certificate_chain = "/path/to/lsr_http_server_certificate_chain/file"
The path to the PEM-encoded certificate file. Use forward slashes when specifying the path, regardless of the operating system of the device.
scripts.script_resource_private_key = "/path/to/private/key"
The path to the private key for the certificate. Use forward slashes when specifying the path, regardless of the operating system of the device.
scripts.script_resource_passphrase = "some_encrypted_passphrase"
The passphrase for the private key and certificate. Enclose the string in double quotation marks. For best security, encrypt the passphrase, as explained in Encrypting Application Keys, Passwords, and Passphrases.
scripts.script_resource_authenticate = "true"
Whether to authenticate the sender of an incoming request (Boolean). The default value is "true".
scripts.script_resource_userid = "johnsmith"
The user name that will be presented for authentication when attempting to access the LSR.
scripts.script_resource_password = "some_encrypted_password"
The AES encrypted password that the user should present when attempting to access the LSR. For information about encryption, see Encrypting Application Keys, Passwords, and Passphrases.
scripts.script_resource_enable_csrf_tokens = true
Flag that enables (true) or disables (false) the use of CSRF tokens for REST APIs with the LSR. By default, use of CSRF tokens is enabled. See also CSRF Token Support.
scripts.script_resource_csrf_token_rotation_period = 10
The number of minutes between changes to the CSRF token for a given session. The default value is 10 minutes.
scripts.script_resource_enable_rest_services = false
Flag that enables (true) or disables (false) the use of REST services with the LSR. By default, use of REST services is disabled.
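The check below is an added example, not PTC code: it audits the Boolean security properties described above in a config.lua file and reports those set to an insecure value. The function names and both sample configurations are constructed for illustration, and the parser assumes simple one-line scripts.<name> = <value> assignments.

```python
import re

# Secure value for each Boolean LSR property, with the finding to report when
# config.lua sets it otherwise. Per the table above these are also the stated
# defaults, so a property that is absent from the file passes.
EXPECTED = {
    "script_resource_ssl": (True, "SSL/TLS is disabled"),
    "script_resource_authenticate": (True, "authentication is disabled"),
    "script_resource_enable_csrf_tokens": (True, "CSRF tokens are disabled"),
    "script_resource_enable_rest_services": (False, "REST services are enabled"),
}
# One-line assignment; a quoted or bare value, stopping before a "--" comment.
ASSIGN = re.compile(r'^\s*scripts\.(\w+)\s*=\s*("[^"]*"|[^\s-]+)')

def parse_bool(raw):
    """Booleans may be written with or without double quotation marks."""
    return {"true": True, "false": False}.get(raw.strip('"'))

def audit(config_text):
    """Return one finding per property whose effective value is insecure."""
    seen = {}
    for line in config_text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) in EXPECTED:
            seen[m.group(1)] = parse_bool(m.group(2))  # last assignment wins
    findings = []
    for name, (secure, reason) in EXPECTED.items():
        value = seen.get(name, secure)
        if value is None:
            findings.append(f"scripts.{name}: not a Boolean value")
        elif value != secure:
            findings.append(f"scripts.{name}: {reason}")
    return findings

# Constructed sample: the secure settings from the example on this page.
HARDENED = '''
scripts.script_resource_ssl = "true"
scripts.script_resource_authenticate = "true"
scripts.script_resource_enable_csrf_tokens = true
scripts.script_resource_enable_rest_services = false
'''
# Constructed sample: a weakened file mixing quoted and bare Booleans.
WEAK = '''
scripts.script_resource_ssl = "false"
scripts.script_resource_authenticate = false  -- testing only
scripts.script_resource_enable_rest_services = true
'''

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```
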
Changes were made for WS EMS/LSR v.5.4.2 to how the Lua Script Resource’s /script and /scriptcontrol REST endpoints work out-of-the-box. By default, you will not be able to use these endpoints to dynamically create, update, delete, or restart scripts using the REST API. Any requests to these services will result in a 405 – Method Not Allowed error. This feature can be enabled by adding the line scripts.script_resource_enable_rest_services = true to your config.lua, as shown here.