I can't set up STTPS subscriptions (STTP over TLS, I imagine).
Publisher: OpenHistorian 2.8.52 on Windows 2012.
IP address: 188.8.131.52
Part of openHistorian.exe.config containing the TLS configuration:
<add name="ConfigurationString" value="port=6177" description="Data required by the server to initialize." encrypted="false" />
<add name="CertificateFile" value="F:\openHistorian\Certs\locals\OHIST-Replay.cer" description="Path to the local certificate used by this server for authentication." />
<add name="TrustedCertificatesPath" value="F:\openHistorian\Certs\Remotes" description="Not used by the TLS data publisher." encrypted="false" />
Subscriber: OpenPDC 2.9.43 on Windows 2012.
IP address: 184.108.40.206
Part of openPDC.exe.config containing the TLS configuration:
<add name="ConfigurationString" value="port=6167" description="Data required by the server to initialize." encrypted="false" scope="Application" />
<add name="CertificateFile" value="E:\openPDC29\Certs\locals\OPDC-Replay.cer" description="Path to the local certificate used by this server for authentication." encrypted="false" scope="Application" />
<add name="TrustedCertificatesPath" value="E:\openPDC29\Certs\Remotes" description="Not used by the TLS data publisher." encrypted="false" scope="Application" />
Step 1: On the PDC subscriber, I try to create a subscription:
Step 1.1: I open the window Inputs > Subscription Based Inputs > Create Authorization Request.
Step 1.2: I create a local certificate by clicking on the 'Advanced' button, then filling the CN (common name) field with OPDC-Replay.
Then I click Generate and store it as an OPDC-Replay.cer file in E:\openPDC29\Certs\locals. It works well:
The 2 paths automatically filled in the window seem OK:
Step 1.3: On the OpenHistorian publisher side, I do the same to generate a publisher local certificate (which will be the remote certificate of the PDC subscriber):
The CN is OHIST-Replay and the file is stored in F:\openHistorian\Certs\locals\OHIST-Replay.cer.
Step 1.4: I copy the OHIST-Replay.cer local publisher certificate into the E:\openPDC29\Certs\remotes folder of the PDC subscriber.
Step 1.5: On the PDC subscriber, I then click on the Import CER button of the Advanced window, and select the E:\openPDC29\Certs\remotes\OHIST-Replay.cer file just copied from the OpenHistorian publisher. I have the following screen:
I then click on 'Close'.
Step 1.6: I tick the 'Self-signed ?' option and have the following screen:
Note: the port number doesn't change if we select GEP or STTP. I guess that I'll be able to change it in the connection string afterwards in order to put the correct port number (6177, as mentioned in the ConfigurationString value="port=6177" of the openHistorian.exe.config file).
Step 1.7: I click on 'Create', then select a folder to store the request.srq file:
By doing this, I have the following error message:
=> The remote certificate mentioned in the Advanced window cannot be imported: why?
Step 2: I tried to make it work without having the previous message.
Step 2.1: I deleted everything, then tried again from the start, but without putting a value for the remote certificate in the Advanced window:
=> The request file is created and the Input Device OHIST-REPLAY is successfully created.
On the Input Device just created, I have the following connection string:
interface=0.0.0.0; useSourcePrefixNames=true; compression=true; autoConnect=true; securityMode=TLS; server=220.127.116.11:6167; localCertificate=E:\openPDC29\Certs\locals\OPDC-Replay.cer; remoteCertificate=OHIST-REPLAY.cer; validPolicyErrors=RemoteCertificateChainErrors; validChainFlags=UntrustedRoot; checkCertificateRevocation=False
Step 2.2: I modify the connection string to put the ConfigurationString value="port=6177" from the openHistorian.exe.config file; then Save.
Step 2.3: I copied the request.srq file to the OpenHistorian publisher, then Actions > Data Publisher Configuration > Authorize Subscribers.
Step 2.4: On this window I click on 'Import SRQ', then select the request.srq file.
Step 2.5: I tick 'Self-signed ?' then 'Save'.
The new subscriber OPDC-REPLAY is correctly inserted in the list and the OPDC-REPLAY.cer file is automatically stored in the F:\openHistorian\Certs\Remotes folder.
Step 2.6: On the OpenHistorian publisher, I then tick 'Self-Signed ?' and 'Enable PG Connection'; then 'Save':
Step 2.7: On the PDC subscriber, I then enabled the OHIST-REPLAY Input Device, then 'Save':
I've got the following error in the PDC subscriber console:
And this one in the Historian publisher console:
Step 2.8: At this point, I checked with the MMC.exe console with the 'Certificates' snap-in on the two servers whether the respective local and remote certificates were stored on both:
- On the PDC subscriber there was only the local OPDC-REPLAY certificate (in Local Computer > Personal).
- On the Historian publisher there was only the local OHIST-REPLAY certificate (in Local Computer > Personal).
I then successfully used the Windows way to install the remote ones on both servers (right-click on the .cer file, then Install):
Step 2.9: I then stopped and restarted the publisher part and the subscriber part, but with the same results.
I also tried the 'Import CER' button on the publisher part in order to insert the remote OPDC-Replay.cer (remote certificate for the publisher), but I have the following error:
Of course the manager is connected to the service:
I don't know what is going wrong and what to do next to make it work. It's quite annoying because the TLS security layer would be a great security improvement for us.
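As an added diagnostic (not part of openPDC or openHistorian, and not from the original post), this PowerShell script repeats the Step 2.8 certificate-store check from the command line on the PDC subscriber: it loads the two .cer files named above, reports whether each is self-signed, expired, and present in Local Computer > Personal with a private key, and parses the Step 2.1 connection string to flag the settings that relax certificate validation. The file paths and the connection string come from the post; the claim that the local certificate's private key must be visible to the service account is an assumption.

```powershell
# Added diagnostic for the subscriber side. Paths and connection string are from the post;
# run in an elevated PowerShell so private-key flags in the LocalMachine store are visible.
$LocalCerFile  = 'E:\openPDC29\Certs\locals\OPDC-Replay.cer'
$RemoteCerFile = 'E:\openPDC29\Certs\Remotes\OHIST-Replay.cer'
$ConnString    = 'interface=0.0.0.0; useSourcePrefixNames=true; compression=true; autoConnect=true; ' +
                 'securityMode=TLS; server=220.127.116.11:6167; ' +
                 'localCertificate=E:\openPDC29\Certs\locals\OPDC-Replay.cer; remoteCertificate=OHIST-REPLAY.cer; ' +
                 'validPolicyErrors=RemoteCertificateChainErrors; validChainFlags=UntrustedRoot; checkCertificateRevocation=False'

function Show-CerFile([string]$Path, [string]$Role) {
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Role certificate not found: $Path"; return $null }
    # A .cer file carries only the public certificate; the private key (if any) lives in the store.
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    [pscustomobject]@{
        Role                   = $Role
        Subject                = $cert.Subject
        SelfSigned             = ($cert.Subject -eq $cert.Issuer)
        Expired                = ($cert.NotAfter -lt (Get-Date))
        Thumbprint             = $cert.Thumbprint
        InLocalMachinePersonal = [bool]$inStore
        HasPrivateKeyInStore   = [bool]($inStore | Where-Object { $_.HasPrivateKey })
    }
}

# Assumption: the local certificate needs its private key in the store to complete the TLS handshake,
# while the remote certificate only needs to be readable from the Remotes folder.
Show-CerFile $LocalCerFile  'local'  | Format-List
Show-CerFile $RemoteCerFile 'remote' | Format-List

# Parse the key=value connection string and report the settings that weaken validation.
$settings = @{}
foreach ($pair in ($ConnString -split ';')) {
    if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
}
if ($settings['validChainFlags'] -match 'UntrustedRoot') {
    Write-Warning 'validChainFlags=UntrustedRoot: chain validation accepts a self-signed root; the remoteCertificate file is what identifies the publisher.'
}
if ($settings['checkCertificateRevocation'] -eq 'False') {
    Write-Warning 'checkCertificateRevocation=False: revocation of the publisher certificate is never checked.'
}
$expectedRemote = [IO.Path]::GetFileNameWithoutExtension($settings['remoteCertificate'])
Write-Host "Expected publisher certificate name from connection string: $expectedRemote (compare with the remote Subject above)"
```

The same script, with the F:\openHistorian paths and the OPDC-REPLAY.cer remote file, gives the corresponding view on the publisher side.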