Temporary WebSocket Endpoint and Nonce Keys for Remote Access
To ensure only RAC connections can connect and perform RAC activities on a ThingWorx Platform endpoint, a new WebSocket (WS) endpoint has been added to the ThingWorx Platform for 8.5.2. This new endpoint enhances security for RAC connections and, more generally, provides additional options in managing edge connectivity. The feature includes:
• A new ThingWorx Temporary WebSocket (TWS) endpoint on the ThingWorx Platform to handle short-lived user traffic. This WebSocket is created and available when the ThingWorx Platform starts. It uses the ThingWorx AlwaysOn protocol.
• A new single-use authentication key, called a nonce key. This WebSocket accepts nonce keys only when authenticating a connection. It does not accept application keys. In all other aspects, the TWS acts like the WS endpoint.
The WebSocket Endpoint for Remote Access
The new TWS endpoint enables the separation of user-based WebSocket traffic from remote device traffic. This endpoint is specifically designed to handle temporary remote access client and other short-lived traffic.
The TWS connection and endpoint requirements include:
• A connection must be established using a one-time key called a NonceKey.
◦ A NonceKey is short-lived and associated with the user that creates it.
◦ A NonceKey is created via the raClientLinker widget. It calls the EntityServices.GetClientNonce() service on the ThingWorx Platform.
◦ A NonceKey is removed from the ThingWorx Platform once it is used to authenticate a ThingWorx connection or once the NonceKey expires. The Time-To-Live setting is 15 seconds. In ThingWorx 9.4.1 or later, you can configure the default timeout of nonce keys using the NonceKeyTimeout parameter of the PlatformSettings.json file. For more information, see platform-settings.json Configuration Details in the Platform Help Center.
• The ThingWorx AlwaysOn protocol is the only protocol supported over this connection.
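The NonceKey lifecycle listed above (bound to the creating user, 15-second Time-To-Live, removed on first use or on expiry) can be modeled as follows. This is an added illustration, not ThingWorx Platform code; the NonceKeyStore class, its method names, and the injectable clock are hypothetical.

```python
import secrets
import threading
import time

NONCE_TTL_SECONDS = 15  # Time-To-Live stated in the requirements above


class NonceKeyStore:
    """Illustrative single-use key store (hypothetical, not ThingWorx code)."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock            # injectable so expiry can be tested
        self._lock = threading.Lock()  # issue/redeem must be atomic
        self._keys = {}                # nonce -> (user, expiry time)

    def issue(self, user):
        """Create a short-lived key associated with the requesting user."""
        nonce = secrets.token_urlsafe(32)  # unguessable random value
        with self._lock:
            self._purge_expired()
            self._keys[nonce] = (user, self._clock() + self._ttl)
        return nonce

    def redeem(self, nonce):
        """Return the bound user once; None if unknown, reused, or expired."""
        with self._lock:
            # pop() removes the key whether or not it is still valid,
            # so a second presentation of the same value always fails.
            entry = self._keys.pop(nonce, None)
            if entry is None:
                return None
            user, expiry = entry
            return user if self._clock() < expiry else None

    def pending(self):
        """Number of unexpired, unused keys currently held."""
        with self._lock:
            self._purge_expired()
            return len(self._keys)

    def _purge_expired(self):
        # Caller holds the lock. Drops keys that timed out without being used.
        now = self._clock()
        for key in [k for k, (_, exp) in self._keys.items() if exp <= now]:
            del self._keys[key]
```

Because the lookup and the removal happen under one lock, two connections presenting the same key at the same moment cannot both authenticate.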